Project Argus: Explorations in IoT Security

In Greek mythology, Argus Panoptes (Ἄργος Πανόπτης), guardian of the heifer-nymph Io and son of Arestor, was a primordial giant whose epithet, “Panoptes” (“all-seeing”), led to his being described with multiple, often one hundred, eyes.

Disclaimer: This is my personal research; the ideas and rants are my own. No IoT devices were harmed or manipulated during this research.

TL;DR:

1. By now everyone is aware of the challenges in securing consumer-grade Internet of Things (IoT) devices. These are the smart devices you can easily buy from Home Depot, Walmart and other retailers.

2. Even the most basic tenets of security, such as basic authentication and authorization, are difficult to embed because of the constrained environment these devices operate in (low processing power, low storage, and battery-life constraints).

3. This quick research (completed in one day) is a simple demonstration of how easy it is to discover Internet-connected home devices, and how easily a bad actor can conduct information gathering or reconnaissance on a specific individual by simply extracting information from the device.

4. As a consumer, practice due diligence by reviewing consumer reports about the smart device you are going to purchase. Is it from a reputable brand? Do they value consumer security and privacy as stated on their website? Did you read all the Amazon Reviews about the product?

Why Project Argus?

In Greek mythology, Argus Panoptes is a giant with many eyes, making him “all-seeing”. The analogy with this security research is that once a device is exploited, the bad actor can see everything the device offers, such as who is knocking at your doorstep, pictures, device logs and other basic device information, which may lead to serious privacy issues.

Constrained Application Protocol (CoAP)

CoAP is an Internet Standard (RFC 7252) and one of the leading protocols running on low-powered IoT devices. It can be thought of as HTTP over UDP for resource-constrained devices. CoAP borrows ideas from HTTP, e.g. links to related resources. CoAP is considered practical on devices with at least 10 Kbytes of RAM and 100 Kbytes of secondary storage (e.g. Flash). By protocol specification, CoAP operates on UDP port 5683.

Figure 1. Tiny resource-constrained devices courtesy of Matthias Kovatsch and Julien Vermillard’s presentation “Hands-on with CoAP”

CoAP devices use the Representational State Transfer (RESTful) architecture that is common in today’s web applications. A well-known Uniform Resource Identifier (URI) is defined as the default entry point for requesting the links to the resources hosted by a server. In our case, the links are hosted by the IoT device.

As an example, an Internet-enabled device that monitors your house temperature can be accessed by CoAP-aware browsers using the following link:

coap://example.com:5683/~sensors/temp.xml

  • CoAP = Protocol replacing HTTP
  • 5683 = Well-known port for CoAP devices
  • ~sensors/temp.xml = the resource you are trying to access on the device

Figure 2. CoAP Protocol Layers courtesy of Matthias Kovatsch and Julien Vermillard’s presentation “Hands-on with CoAP”

(Note: Current browsers do not support the CoAP protocol yet, so the URL will not work in your browser. Instead, there are CoAP browser plugins you can use for navigating CoAP endpoint resources.)

Shodan.io: The Search Engine for the Internet of Things

https://www.shodan.io/ is an easy-to-use, browser-based research tool for discovering devices that are connected to the Internet, where they are located and who is using them. Think of it as Google for IoT devices, a dedicated search engine. Simply searching for the keyword “CoAP” yields the results below:

Figure 3. Shodan search results for “CoAP”

So we have a list of Internet-accessible CoAP devices, what’s next?

One would think that, despite these devices being exposed to the public Internet, their vendors would apply at least a minimal security feature so that only authorized users can view information or manipulate configurations on them. Unfortunately, this is not the case yet.

CoAP, being a relatively new protocol, does not yet have a standard way of authorizing users to access these resources. An authentication and authorization framework for constrained devices is still being actively developed by the IETF. The framework proposes reusing the OAuth 2.0 protocol to secure access to IoT devices because of its widespread deployment in today’s web applications.

Using Firefox Add-On Copper (CU) To Explore CoAP Devices

Using the Copper (CU) add-on for the Firefox browser, anyone can easily navigate to an IoT device running CoAP by simply supplying the IP address discovered in a Shodan.io search, using the format below:

coap://<IP address of the device>:5683/

Press “Discover” in Copper (CU) after providing the URL and you should be able to see the available resources on the IoT device retrievable via GET.

Figure 4. There are a lot of things a bad actor can do here. Even if you 404 access to some of those resources, the information available to everyone is enough to plan the next attack.
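The discovery request and the sensor read from the earlier example URI, decoded the way a perimeter sensor would see them on UDP 5683. This is an added example, not code from the original post: the discovery path `/.well-known/core` is the well-known URI from RFC 6690, while the `LAN` range, the function names and the two datagrams are constructed for illustration.

```python
import ipaddress
import struct

URI_PATH = 11                                  # Uri-Path option number (RFC 7252)
METHODS = {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption: the home network

def _ext(nibble, buf, pos):
    """Resolve a 4-bit option delta/length, reading its extension bytes."""
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    if nibble == 15:
        raise ValueError("reserved option nibble")
    return nibble, pos

def parse_coap(buf):
    """Decode the 4-byte header, token length and Uri-Path options."""
    first, code, mid = struct.unpack_from("!BBH", buf)
    version, tkl = first >> 6, first & 0x0F
    if version != 1 or tkl > 8 or len(buf) < 4 + tkl:
        raise ValueError("not a well-formed CoAP version 1 message")
    pos, number, path = 4 + tkl, 0, []
    while pos < len(buf) and buf[pos] != 0xFF:   # 0xFF introduces the payload
        head = buf[pos]
        delta, pos = _ext(head >> 4, buf, pos + 1)
        length, pos = _ext(head & 0x0F, buf, pos)
        if pos + length > len(buf):
            raise ValueError("option runs past the end of the datagram")
        number += delta                          # option numbers are delta-coded
        if number == URI_PATH:
            path.append(buf[pos:pos + length].decode("utf-8", "replace"))
        pos += length
    return {"method": METHODS.get(code), "mid": mid, "path": "/" + "/".join(path)}

def classify(datagram, src_ip):
    """Label a datagram seen on UDP 5683 for a perimeter log."""
    try:
        msg = parse_coap(datagram)
    except (ValueError, IndexError, struct.error):
        return "malformed"
    where = "lan" if ipaddress.ip_address(src_ip) in LAN else "external"
    if msg["method"] == "GET" and msg["path"] == "/.well-known/core":
        return where + "-discovery"
    return where + ("-request" if msg["method"] else "-other")

# Constructed datagrams: GET /.well-known/core and GET /~sensors/temp.xml
DISCOVER = bytes([0x40, 0x01, 0x12, 0x34, 0xBB]) + b".well-known" + b"\x04core"
READ_TEMP = bytes([0x42, 0x01, 0x00, 0x07, 0xAB, 0xCD, 0xB8]) + b"~sensors\x08temp.xml"
```

An `external-discovery` label on a home network means the device is reachable from the Internet without any access control in front of it, which is the condition the Shodan results above reflect.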

So as it stands, some vendors are free to implement simple access-control features on these devices, or none at all.

I am not expecting consumers to be security-savvy enough to place these devices behind firewalls, if they do have one in their homes.

So if you are one of the 194 users of this Wi-Fi enabled device you put on your door, maybe it’s best to remove it for now. Call the manufacturer and ask if it’s secure enough not to be seen by anyone from the Internet before you put it back.

In today’s Internet-powered economy, consumer privacy is an expensive commodity.

Like what you read? Give Ron Flores Del Rosario a round of applause.