Project Argus: Explorations in IoT Security
Disclaimer: This is my personal research; the ideas and rants are my own. No IoT devices were harmed or manipulated during this research.
1. By now everyone is aware of the challenges in securing consumer-grade Internet of Things (IoT) devices. These are the smart devices you can easily buy from Home Depot, Walmart and other retailers.
2. Even the most basic tenets of security, such as authentication and authorization, are difficult to embed because of the constrained environment these devices operate in (low processing power, little storage, and battery-life limits).
3. This quick piece of research (completed in one day) is a simple demonstration of how easy it is to discover Internet-connected home devices, and how easily a bad actor can conduct information gathering or reconnaissance on a specific individual simply by extracting information from the device.
4. As a consumer, practice due diligence by reviewing consumer reports about the smart device you are going to purchase. Is it from a reputable brand? Do they value consumer security and privacy, as stated on their website? Have you read all the Amazon reviews of the product?
Why Project Argus?
In Greek mythology, Argus Panoptes is a giant with many eyes, making him “all-seeing”. The analogy to this security research is that once a device is exploited, the bad actor has the capability to see everything the device offers, such as who is knocking at your doorstep, pictures, device logs and other basic device information, which may lead to serious privacy issues.
Constrained Application Protocol (CoAP)
CoAP is an Internet Standard (RFC 7252) and one of the leading protocols running on low-powered IoT devices. It can be thought of as HTTP over UDP for resource-constrained devices. CoAP borrows ideas from HTTP, e.g. links to related resources. CoAP is considered practical on devices with at least 10 Kbytes of RAM and 100 Kbytes of secondary storage (e.g. flash). By protocol specification, CoAP operates on UDP port 5683.
CoAP devices use the Representational State Transfer (RESTful) architecture that is common in today’s web applications. A well-known Uniform Resource Identifier (URI) is defined as the default entry point for requesting the links to the resources hosted by a server. In our case, the links are hosted by the IoT device.
As an example, an Internet-enabled device that monitors your house temperature can be accessed by CoAP-aware browsers using a link made up of the following parts:
- CoAP = Protocol replacing HTTP
- 5683 = Well-known port for CoAP devices
- ~sensors/temp.xml = the resource you are trying to access on the device
(Note: current browsers do not support the CoAP protocol yet, so the URL will not work in your browser. Instead, there are CoAP browser plugins you can use to navigate CoAP endpoint resources.)
Shodan.io: The Search Engine for the Internet of Things
https://www.shodan.io/ is an easy-to-use, browser-based research tool for discovering devices that are connected to the Internet, where they are located and who is using them. Think of it as Google for IoT devices: a dedicated search engine. Simply searching for the keyword “CoAP” yields a list of Internet-accessible CoAP devices.
So we have a list of Internet-accessible CoAP devices, what’s next?
One would think that, since these devices are exposed to the public Internet, their vendors would apply at least a minimal security feature so that only authorized users can view information or change configurations on them. Unfortunately, this is not the case yet.
CoAP, being a relatively new protocol, does not yet have a standard way of authorizing users to access these resources. An authentication and authorization framework for constrained devices is still being actively developed by the IETF. The framework proposes reusing the OAuth 2.0 protocol to secure access to IoT devices, because of its widespread deployment in today’s web applications.
Using the Firefox Add-On Copper (Cu) To Explore CoAP Devices
Using the Copper (Cu) add-on for the Firefox browser, anyone can easily navigate to an IoT device running CoAP simply by supplying the IP address discovered in a Shodan.io search, in the following format:
coap://<IP address of the device>:5683/
Press “Discover” in Copper (Cu) after providing the URL and you should see the resources available on the IoT device that are retrievable via GET.
So, as it stands, vendors are free to implement simple access-control features on these devices, or none at all.
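What “Discover” does under the hood is a plain CoAP GET of the well-known resource /.well-known/core (RFC 6690), and the device answers with a link-format listing of everything it serves. The following is an added example (my own code for this write-up, not Copper’s and not from any vendor) that parses the CoAP wire format of that request and of a reply; both datagrams are constructed inline with made-up resource paths, and nothing is sent on the network.

```python
import re
import struct
# Field values from RFC 7252 (CoAP) and RFC 6690 (link-format) used below
COAP_VERSION, CODE_GET, CODE_CONTENT = 1, 0x01, 0x45     # codes 0.01 GET and 2.05 Content
OPT_URI_PATH, OPT_CONTENT_FORMAT, CF_LINK_FORMAT = 11, 12, 40

def _unfield(nib, data, pos):  # option delta/length nibble + 0-2 extension bytes -> (value, next pos)
    if nib == 15:
        raise ValueError("nibble 15 is reserved (legal only as the 0xFF payload marker)")
    ext = 0 if nib < 13 else 1 if nib == 13 else 2
    value = nib if nib < 13 else int.from_bytes(data[pos:pos + ext], "big") + (13 if nib == 13 else 269)
    return value, pos + ext

def decode_message(data):
    """Parse one CoAP datagram into a dict; raise ValueError on malformed input."""
    if len(data) < 4 or data[0] >> 6 != COAP_VERSION or data[0] & 0x0F > 8:
        raise ValueError("not a well-formed CoAP v1 header")
    tkl = data[0] & 0x0F
    msg = {"type": (data[0] >> 4) & 3, "code": data[1], "msg_id": struct.unpack("!H", data[2:4])[0],
           "token": data[4:4 + tkl], "options": [], "payload": b""}
    pos, number = 4 + tkl, 0
    while pos < len(data) and data[pos] != 0xFF:
        delta, p = _unfield(data[pos] >> 4, data, pos + 1)   # option numbers are delta-encoded
        length, p = _unfield(data[pos] & 0x0F, data, p)
        number += delta
        msg["options"].append((number, data[p:p + length]))
        pos = p + length
    if pos < len(data):                                       # 0xFF marker: the rest is payload
        msg["payload"] = data[pos + 1:]
    return msg

def parse_link_format(payload):
    """RFC 6690 link-format body -> [(path, {attr: value})]; quoted ',' or ';' are not handled."""
    return [(m.group(1), {k: v.strip('"') for k, _, v in (a.partition("=") for a in m.group(2).split(";")[1:])})
            for m in re.finditer(r'<([^>]*)>((?:;[^;,]*)*)', payload.decode())]

# Constructed datagrams (not captured from any real device), byte by byte:
#   0x41 = ver 1, type CON, token length 1; 0x01 = GET; 0x1234 = message ID; 0xA1 = token;
#   0xBB = Uri-Path (delta 11) of length 11 ".well-known"; 0x04 = same option, length 4, "core"
DISCOVER_REQUEST = bytes.fromhex("41011234a1bb") + b".well-known" + b"\x04core"
#   0x61 = ver 1, type ACK, token length 1; 0x45 = 2.05 Content; same ID and token as the request;
#   0xC1 0x28 = Content-Format (delta 12), length 1, value 40 = link-format; 0xFF = payload marker
DEVICE_REPLY = bytes.fromhex("61451234a1c128ff") + b'</sensors/temp>;rt="temperature";ct=0,</logs>;rt="log"'

def discovered_paths(reply, request):
    """Paths a 2.05 reply advertises, after checking it really answers our discover request."""
    req, rsp = decode_message(request), decode_message(reply)
    if rsp["token"] != req["token"] or rsp["code"] != CODE_CONTENT:
        raise ValueError("reply does not match the discover request")
    return [path for path, _ in parse_link_format(rsp["payload"])]
```

Note that the whole exchange carries no credential of any kind: the only things a device can check are the token and message ID, which is why the page's point about missing authorization holds at the protocol level.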
I am not expecting consumers to be security-savvy enough to place these devices behind a firewall, if they even have one in their homes.
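For those who do have a firewall that logs, here is an added example (my own, not from the original post) of the check that tells you whether a CoAP device on the LAN is reachable from the Internet: it reads netfilter-style LOG lines and reports every LAN device that received UDP traffic on the CoAP ports from an address outside the RFC 1918 ranges. The log lines and addresses are constructed for the example; 5684 is CoAP over DTLS, as assigned in RFC 7252.

```python
import ipaddress
import re

COAP_PORT, COAPS_PORT = 5683, 5684      # CoAP over UDP and CoAP over DTLS (RFC 7252)
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed netfilter-style LOG lines as a home router might write them (not real traffic;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public sources)
SAMPLE_LOG = """\
kernel: IN=eth0 OUT=br0 SRC=203.0.113.7 DST=192.168.1.20 PROTO=UDP SPT=40111 DPT=5683 LEN=33
kernel: IN=br0 OUT= SRC=192.168.1.5 DST=192.168.1.20 PROTO=UDP SPT=50000 DPT=5683 LEN=33
kernel: IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=443 LEN=60
kernel: IN=eth0 OUT=br0 SRC=203.0.113.7 DST=192.168.1.20 PROTO=UDP SPT=40112 DPT=5684 LEN=33
kernel: IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.21 PROTO=UDP SPT=52222 DPT=5683 LEN=33
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)")

def exposed_coap_devices(log_text, ports=(COAP_PORT, COAPS_PORT)):
    """Map each LAN device that got CoAP traffic from outside the LAN to the (source, port) pairs seen."""
    exposed = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) not in ports:
            continue                    # not CoAP, or a line in another format
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in LAN_NETS):
            continue                    # traffic from inside the LAN is expected
        exposed.setdefault(m["dst"], set()).add((m["src"], int(m["dpt"])))
    return exposed
```

Any device that shows up in the result is, from Shodan's point of view, already public; the fix is a router rule that drops inbound UDP 5683/5684 from the WAN side, not a change on the device.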
So if you are one of the 194 users of this Wi-Fi-enabled device you put on your door, maybe it’s best to remove it for now. Call the manufacturer and ask whether it’s secure enough not to be seen by anyone on the Internet before you put it back.
In today’s Internet-powered economy, consumer privacy is an expensive commodity.