Improve IoT architecture $12

- Rename "IoT hacking" to "IoT overview" as the document does not talk
  about hacking there.
- For layered architecture follow CEH terminology closer.
- Add more information regarding IoT footprinting.
- Add more attacks.

README.md

@@ -135,7 +135,7 @@
     2. [Mobile attack vectors](./chapters/17-mobile-platforms/mobile-attack-vectors.md)
     3. [Mobile attacks](./chapters/17-mobile-platforms/mobile-attacks.md)
 18. IoT and OT
-    1. [IoT hacking](./chapters/18-iot-and-ot/iot-hacking.md)
+    1. [IoT overview](./chapters/18-iot-and-ot/iot-overview.md)
     2. [IoT security](./chapters/18-iot-and-ot/iot-security.md)
 19. [Exam readiness](chapters/19-exam-readiness/exam-readiness.md)
 

chapters/02-footprinting/search-engines-and-online-resources.md

@@ -93,15 +93,22 @@
 
 ### IoT search engines
 
-- Shodan, Censys, and Thingful
 - Can allow finding e.g. manufacturer details, geographical location, IP address, hostname, open ports
+- E.g. [Shodan](#shodan), Censys, and Thingful
+- See [Information Gathering | IoT security](./../18-iot-and-ot/iot-security.md#information-gathering)
 
 #### Shodan
 
 - Online [search engine](https://shodan.io)
 - Finds specific types of IoT (webcams, routers, servers, etc.) connected to the internet using a variety of filters.
 - 📝 You can e.g. search for open ports `port: 1433`
 
+#### Censys
+
+- Online [censys](https://censys.io/)
+- 📝 Provides internet asset discovery i.e. scanning for unknown internet resources.
+- Available on [search.censys.io](https://search.censys.io/)
+
 ### Netcraft
 
 - Allows you search web by domain (DNS) through [search DNS](https://searchdns.netcraft.com/) service.

chapters/18-iot-and-ot/iot-hacking.md → chapters/18-iot-and-ot/iot-overview.md

@@ -1,4 +1,4 @@
-# IoT hacking
+# IoT overview
 
 ## IoT basics
 
@@ -61,63 +61,111 @@
 - Access are granted to the uploaded data to third-parties
 - E.g. [Map My Fitness](https://www.mapmyfitness.com/app) that compiles data from other applications
 
-## Five layer IoT architecture
-
+## Layered architecture
+
+- IoT architecture can be categorized into different layers.
+- There's no consistency regarding naming of layer.
+  - Different methodologies are used but the concepts they represent are very similar.
+- 📝 It usually consists of 5 layers:
+  1. [Edge technology layer](#edge-technology-layer) the "IoT objects collecting data"
+  2. [Access gateway layer](#access-gateway-layer) the "data transporter"
+  3. [Internet layer](#internet-layer) the "endpoint connector"
+  4. [Middleware layer](#middleware-layer) the "data analyzer and processor"
+  5. [Application layer](#application-layer) the "user interface"
+- Some sources also name sixth layer:
+  6. [Business layer](#business-layer) the "core logic"
 - Each layer is utilized by layer below without knowledge of other layers
 - ![IoT 5 Layered Architecture](./img/iot-5-layer-architecture.png)
 - Read more: [IoT Elements, Layered Architectures and Security Issues: A Comprehensive Survey](https://www.mdpi.com/1424-8220/18/9/2796/htm)
 
-### Business layer
+### Five-layers of IoT architecture
 
-- Includes business models
-- System management
-- **Key security components**: privacy protection
+#### Edge technology layer
+
+- Also known as **perception layer** or **hardware layer**
+- Physical objects (hardware components)
+  - Covers IoT capable devices
+  - E.g. sensors, actuators, heat sensor, RFID tags, readers, device itself
+- Connects devices within network and server
+- Gathers environment data
+- **Key security components**
+  - Encryption and key agreement
+  - Sensor data protection
 - **Vulnerabilities**
-  - Business logic attack: exploits a programming flaw
-  - Zero-day attack: exploits security hole unknown to the vendor
+  - Eavesdropping: real time attack to intercept privacy communications.
+  - Node Capture: capturing a key node such as gateway to reveal information.
+  - Fake Node and Malicious: adding node to input fake data to stop transmitting real information
+  - Replay (play back) attack: eavesdrops a communication and reusing it to authenticate.
+  - Timing Attack: Extract secrets by observing respond time
 
-### Application layer
+#### Access gateway layer
 
-- Graphic data representation
-- Application specific services
-- **Key security components**: authentication, key agreement
+- Also known as **network layer** or **transport layer**
+- Handles data transmission i.e. transferring the data through network
+- E.g. Wi-Fi, bluetooth
+- Enables communication
+  - Connects two endpoints e.g. a clients with a device.
+  - Includes the initial data handling.
+  - Through e.g. message routing, message identification, and subscriptions.
+- **Key security components**
+  - Encryption
+  - Identity authentication
 - **Vulnerabilities**
-  - Cross site scripting: injecting code through e.g. JavaScript
-  - Malicious code attack: can activate itself or require user attention to perform an action.
-  - Dealing with Mass Data
-    - Caused by massive amount of data transmission
-    - Can lead to data loss and network disturbance
+  - Denial of Service (DoS) Attack with redundant requests
+  - Main-in-The-Middle (MiTM) Attack: to intercept and manipulate data in real-time
+  - Storage Attack: Changing data stored in device or cloud
+  - Exploit attack: Exploits vulnerabilities in an application, system or hardware
+
+#### Internet layer
 
-### Processing (middleware) layer
+- Responsible for end-points connectivity.
+- Carries out communication between two endpoints.
+  - E.g. device-to-device, device-to-cloud, device-to-gateway and back-end data-sharing.
 
-- Data analytics: storing, processing and analysis of data
-- **Key security components**: key security layer, secure cloud computing, antivirus
+#### Middleware layer
+
+- Also known as **processing layer**
+- Responsible for device and information management.
+- Handles data analytics
+  - I.e. storing, processing and analysis of data.
+  - E.g. data analysis, data aggregation, data filtering, device information discovery, and access control.
+- Behaves as interface for two-way communication between
+  - [Application layer](#application-layer) (the user interface).
+  - [Edge technology layer](#edge-technology-layer) (the hardware).
+- **Key security components**
+  - Key security layer, secure cloud computing, antivirus
 - **Vulnerabilities**
   - Exhaustion: Can disturb memory, battery e.g. after effect of a DoS
   - Malware
 
-### Network (transport) layer
+#### Application layer
 
-- Data transmission: Transfer the data through network
-- E.g. Wi-Fi, bluetooth
-- **Key security components**: encryption, identity authentication
+- The user interface for
+  - Graphic data representation
+  - Controlling, managing and commanding IoT devices.
+- Responsible for delivering *service* and *data* to users.
+  - A service is application-specific e.g. industrial, manufacturing, automobile, security, healthcare...
+- **Key security components**
+  - Authentication
+  - Key agreement
 - **Vulnerabilities**
-  - Denial of Service (DoS) Attack with redundant requests
-  - Main-in-The-Middle (MiTM) Attack: to intercept and manipulate data in real-time
-  - Storage Attack: Changing data stored in device or cloud
-  - Exploit attack: Exploits vulnerabilities in an application, system or hardware
+  - Cross site scripting: injecting code through e.g. JavaScript
+  - Malicious code attack: can activate itself or require user attention to perform an action.
+  - Dealing with Mass Data
+    - Caused by massive amount of data transmission
+    - Can lead to data loss and network disturbance
 
-### Perception layer
+### Other IoT layers
 
-- Physical objects that gather environment data
-- Sensors, actuators e.g. heat sensor
-- **Key security components**: encryption and key agreement, sensor data protection
+#### Business layer
+
+- Includes business models
+- System management
+- **Key security components**
+  - Privacy protection
 - **Vulnerabilities**
-  - Eavesdropping: real time attack to intercept privacy communications.
-  - Node Capture: capturing a key node such as gateway to reveal information.
-  - Fake Node and Malicious: adding node to input fake data to stop transmitting real information
-  - Replay (play back) attack: eavesdrops a communication and reusing it to authenticate.
-  - Timing Attack: Extract secrets by observing respond time
+  - Business logic attack: exploits a programming flaw
+  - Zero-day attack: exploits security hole unknown to the vendor
 
 ## IoT connectivity
 

chapters/18-iot-and-ot/iot-security.md

@@ -59,6 +59,19 @@
 
 ## IoT attacks
 
+## IoT attack surface areas
+
+- **Device memory**: Credentials
+- **Ecosystem access control**: Implicit trust between components
+- **Device physical interfaces**: Privilege escalation, CLI
+- **Device web interface**: SQL injection, XSS
+- **Device firmware**: Sensitive data exposure, hardcoded credentials
+- **Device network services**: Unencrypted/poorly encrypted services.
+- **Administrative interface**: SQL Injection, XSS
+- **Local data storage**: Data encrypted with discovered keys, lack of integrity checks.
+
+## IoT attack types
+
 - **Access control**
   - E.g. remote access control or gaining access to administration panels
 - **BlueBorn Attack**
@@ -72,17 +85,25 @@
     - Reconstruct a visual and textual representation of network information to support real-world Internet of Thingl
 - **HVAC attack**
   - Takes place when one hacks IoT devices in order to shut down air conditioning services.  
+  - Can allow access to a corporate systems.
 - [Backdoor](./../07-malware/malware-overview.md#backdoor) (not just IoT related)
 - [Exploit kits](../07-malware/malware-overview.md#exploit-kit)
+  - Malicious scripts used to exploit poorly patched devices.
 - [Replay attack](./../06-system-hacking/cracking-passwords-overview.md#replay-attack)
+  - Attackers send intercepted messages to target device to perform DoS.
+  - See also [SDR-based attacks](#sdr-based-attacks)
 - [Ransomware](./../07-malware/malware-overview.md#ransomware) attack
+  - Type of malware that uses encryption to block user's access to his/her device.
 - [Privilege escalation](./../06-system-hacking/escalating-privileges.md)
 - [Side channel attack](./../16-cloud-computing/cloud-security.md#side-channel-attacks)
+  - Attackers extract info about encryption keys by observing the emission signals (side channels) from IoT devices.
 - [Web application attacks](./../13-web-applications/hacking-web-applications.md), [web server attacks](./../12-web-servers/web-server-threats-and-attacks.md)
 - [Cloud computing attacks](./../16-cloud-computing/cloud-security.md#cloud-computing-attacks)
 - [Mobile application threats](./../17-mobile-platforms/mobile-attacks.md)
 - [DoS / DDoS](./../13-web-applications/denial-of-service.md)
-- Forged malicious devices
+  - Can be done by converting devices into an army of botnet.
+- **Forged malicious devices**
+  - Attackers replace authentic IoT devices  with malicious device.
 - Resetting to an insecure state
 - Removal of storage media
 - Firmware attack
@@ -92,7 +113,8 @@
 - Malicious updates
 - Insecure APIs
 - Eavesdropping
-- Sybil attack
+- **Sybil attack**
+  - Attacker uses multiple forged identities to create strong illusion of traffic congestion.
 
 ### Rolling code attack
 
@@ -101,8 +123,22 @@
 - Attacker capture signal from transmitter device, simultaneously blocking the receiver to receive the signal
 - Attacker uses the signal to gain unauthorized access
 - E.g. stealing car with captured signal
+  - Attacker jams and sniffs the signal to obtain the code transferred to vehicle's receiver
 - Tools include [HackRF One](https://greatscottgadgets.com/hackrf/one/) hardware tool.
 
+### SDR-based Attacks
+
+- Attackers use Software Defined Radio (SDR) to examine the communication signals in the IoT network and sends spam content or texts to the interconnected devices.
+- Can also change the transmission and reception of signals between the devices.
+- Includes
+  - **Replay attack**
+    - The attacker obtains frequency used for data sharing between devices and captures data.
+  - **Cryptanalysis Attack**
+    - Attacker uses same procedure as replay attack and also reverse engineering of the protocol to capture the original signal.
+  - **Reconnaissance attack**
+    - Attacker obtains info about the target device from the device's specification.
+    - See also [information gathering](#information-gathering)
+
 ### Firmware extraction
 
 - Allows looking for data in filesystem or reverse engineering it for vulnerabilities.
@@ -116,16 +152,43 @@
 - Allows pushing firmware updates
 - Enables usage of devices to other devices in the network
 
+### Fault injection attacks
+
+- Also known as **perturbation attacks**
+- Occur when a perpetrator injects any faulty or malicious program into the system to compromise the system security.
+- **Optical, Electro Magnetic Fault Injection (EMFI), Body Bias Injection (BBI)**
+  - Injection using projecting lasers and electromagnetic pulses.
+- **Power/clock/reset/glitching**
+  - Injections into power supply and clock network of the chip.
+- **Frequency/voltage tampering**
+  - Tampering with clock frequency of the chip
+- **Temperature attacks**
+  - Attackers alter the temp for the operating the chip.
+
+### DNS rebinding
+
+- Done by compromising browsers as traffic tunnels to exploit private services.
+- Done through malicious script in a webpage to manipulate resolution of domain names.
+- Can help to gain access over the target's router using a malicious JavaScript code injected on a web page.
+  - After that, an attacker can assault any device activated using the default password.
+
 ## Hacking Methodology
 
 ### Information gathering
 
-- IP address
-- Running protocols
-- Open ports
-- Type of device
-- Vendor
-- [Shodan](https://www.shodan.io/) is a helpful search engine for IoT
+- Also known as **IoT footprinting**
+- Includes collecting [information](./../02-footprinting/footprinting-overview.md#footprinting-information) regarding target IoT devices
+- Information can include e.g. IP address,running protocols, vendor, type of device, hostname, ISP, device location, banner of the target IoT device.
+- Can involve using
+  - [IoT search engines](./../02-footprinting/search-engines-and-online-resources.md#iot-search-engines) to find manufacturer or device information.
+  - Searching for hardware registrations in regulating bodies
+    - Can help to find information regarding compliance standards, user Manuals, documentation, wireless operating frequency, and photos
+    - E.g.
+      - 📝 [FCC ID search](https://fccid.io/) by "United States Federal Communications Commission registry"
+      - [IC ID Search](https://industrycanada.co/) by "Industry Canada (IC)"
+      - [KCC identifier search](https://fccid.io/KCC.php) by  Korean Communications Commission
+      - [CMII/CMIIT search](https://fccid.io/CMIIT-ID.php) by China Ministry of Industry and Information Technology
+- See also [Footprinting](./../02-footprinting/footprinting-overview.md)
 
 ### Vulnerability scanning
 
@@ -156,15 +219,30 @@
 - Clearing logs
 - Covering tracks
 
-## Countermeasures
-
-- Firmware update
-- Block unnecessary ports
-- Disable telnet as it's insecure protocol
-- Use encrypted communication (SSL/TLS)
-- Use strong password
-- Encrypt drives
-- Periodic assessment of devices
-- Secure password recovery
-- Two-Factor Authentication
-- Disable UPnP
+## IoT attack countermeasures
+
+- **Encrypt**
+  - Use encrypted communication (SSL/TLS)
+  - Implement end-to-end encryption
+  - Use VPN architecture
+  - Encrypt drives
+- **Password policies**
+  - Use strong password
+  - Ensure secure password recovery
+- **Update devices**
+  - Patch vulnerabilities
+  - Firmware update
+- **Restrict access**
+  - Prevent the devices against physical tampering
+  - Allow only trusted IP's to access device from internet
+  - Implement strong authentication mechanisms.
+    - E.g. two-Factor Authentication
+  - Use Lockout feature to disable multiple login attempts
+- **Monitor**
+  - Implement IPS/IDS in the network
+  - Periodic assessment of devices
+- **Disable unused or unnecessary ports and services**
+  - Disable UPnP port on routers
+  - Monitor traffic on port 48101 for infected traffic
+  - Disable telnet as it's insecure protocol
+  - Disable Guest or Demo user accounts