CyberMoransđ¤
đ¤ IoT devices are notorious for having open ports, default (and often hard-coded) passwords, and other serious security flaws which anyone connected to the same Wi-Fi network could potentially exploitđ Today, I will show you how to disrupt IoT devices by kicking them out of a network --- Cameras, Sex toysđ, smart TVs etc ---đ¤Ş
Electronic warfare tactics work by jamming, disrupting, or disabling the technology a target uses to perform a critical function, and IoT devices are especially vulnerable to attacks. Wireless security cameras like the Nest Cam are frequently used to secure critical locations, but a hackerđ can surgically disable a webcam or other Wi-Fi connected device without disturbing the rest of the networkđ¤
In spite of the risk IoT devices pose, cameras and other Wi-Fi connected sensors are marketed as being capable of securing or monitoring many important things, making the Wi-Fi networks they're attached to a valuable target for hackersđ
You willl needđ¸ Kali Linux or another Linux distro like đŚ Parrot Security or BlackArch that has the ability to run Aireplay-ng. You can run this from a VM, a live USB, or a hard drive installationđ
Incase you are doing this on VM, you'll need a wireless network adapter that allows for packet injection and monitor mode, since you'll need be able to scan the area to locate the device you wish to disconnect. You'll also need to send packets that pretend to be from the access point the device is connected to đĽ¸
So Morans, Lets get to it...đ
đ Choose Your Weapon
The first step in identifying wireless targets is to conduct passive recon on the wireless environment. To do this, we have 2 âď¸ options;
âď¸ Kismet which can perform wireless signals intelligence in a passive and undetectable fashion. The advantage of this is that by simply being in proximity to your target, you can observe the wireless traffic in the areađ and later parse the information to find interesting devices. It also what we will be using today.
âď¸ The other is Arp-scan, which can be configured in a number of ways to filter information further about the networks you discover. While this does work, sometimes the output takes more work to decipher.
đ Set Wireless Adapter to Monitor Mode
To start scanning with either tool, we'll need to put our wireless network adapter into monitor mode. We can do so by typing the following, assuming wlan0 is the name of your wireless card. You can get the name of your wireless card by running ifconfig or ip a to list the available network interfaces.
sudo airmon-ng start wlan0Once the command runs, you can run ifconfig or ip a again to confirm the card is in monitor mode. It should now be named something like wlan0mon.
đ Start Up Kismet on the Network
Once monitor mode is taken care of, we can start Kismet byđ
kismet -c wlan0monIn this command, we are specifying which network adapter to use with Kismet with the -c (client) flag. We should see something like the output below. You can press Tab, then Enter, to close the console window and show the main screen đ
đ Discover Wireless CCTVs with Kismet
We can now scroll through the network and attempt to identify interesting devices. If you can't do this, you may need to enable more options under the "Preferences" menu to see the source of packets. You can access this through the "Kismet" menu đ
start to look up the manufacturer of any devices that look like they might be a security camera. Here, we have found a likely device, made by "Hangzhou." along with the name and BSSID đ
I was able to quickly look up the name of the company that makes this deviceđ§. Taking the full name of the company, in this case, Hangzhou Hikvision Digital Technology, a simple Google search reveals their products đ
Now we have three pieces of critical intelligence: the name and BSSID of the Wi-Fi access point the camera is on, the channel the network is broadcasting on, and the BSSID addresses of the camera itself. You can press Ctrl-C to close Kismet.
It's worth noting that if a security camera only starts to record or send data when it sees motion, a hackerđ could sit nearly 30 yards away (across the street/block) and just record when the camera is sending traffic to know when someone is moving in front of the camera, even if they couldn't see what the camera was seeing directlyđ§
With all this information, a discovery like a door being monitored by a cctv connected to a DVR would mean that we can expect the device to stop functioning when disconnected. We can take all of the information we found and use Aireplay-ng to disable the connection đ
đ Execute the Deauthentication Attack
To begin disrupting the connection to the device we are targetting, we'll need to lock our wireless network to the channel we observed traffic on. assuming we want to lock the network adapter to channel 6. We can do this by đ
airmon-ng start wlan0mon 6Now that our card is on the correct channel, we can direct the command which will disconnect the device we've located. The command we will use to do this is đ
aireplay-ng -0 0 -a <bssid of access point> -c <bssid of client device> <name of the adapter>To break down what the commands above are doing:
-0 (zero) đ will set the attack option to option 0, a deauthentication attack which will send authentication packets pretending to be from the access point to the device. The 0 that follows indicates to send a continuous stream of deauthentication packets, but you can also choose a fixed number to send here.
-a đ will set the BSSID of the Wi-Fi access point that the device is connected to.
-c đ will set the BSSID of the device we are attacking.
Our final command for our example would be đ
aireplay-ng -0 0 -a f2:9f:c2:34:55:64 -c a4:14:37:44:1f:ac wlan0monOnce this command executes, it will continue to jam the Wi-Fi connectionâ ď¸ between the two devices until you cancel the command by hitting the Ctrl-C key
đ Defending Against This Type of Attack â ď¸
To prevent your network devices from being targeted, the best solution is using Ethernet. While a lot less convenient than Wi-Fi, it doesn't allow the connection to be manipulated or suddenly cut off at critical times from an outsider without physical access. Because this is always a possibility with Wi-Fi, it's just not very well suited to doing this kind of job in a setting where it may be attacked â ď¸
While some users try tactics like making your network "hidden" to evade these sorts of attacks, this will simply invite much more attention and curiosity than it will actually protect your network. Any camera or device actively using Wi-Fi will betray its connection to a tool like Kismet, meaning the best solution is to simply not use Wi-Fi when possible.
Finally, reducing the power of your Wi-Fi access point to prevent the signal from reaching needlessly far can help make it more difficult to read this information, but most IoT devices do not include this functionalityâ ď¸
đ On the issue of sex toys and other IoTs
With the ability to selectively disable any Wi-Fi dependent device, hackers can exploit this ability to take advantage of situations relying on these devices for security. It's up to people using and deploying these devices to keep them updated and in roles that are appropriate for their abilities. In this case, it's clear that a Wi-Fi dependent security camera cannot be relied upon to provide continuously streamed coverage of important areas.
While you would expect to see Wi-Fi security cameras, connected thermostats, music players, TV streaming devices, Wi-Fi remotes, and printers, there are less common Wi-Fi connected devices Like đSex Toys. This is illustrated by the ability to identify and map the location of Wi-Fi enabled sex toys đŻby pentestpartners (called "screwdriving"đŠ) which either use an app over Wi-Fi for to control the device or, more horrifically, to stream video from a camerađ¨
The tactics I showed today will disable any of these devices. Before you ask, yes, this means you could hypothetically build a script that freezes all Wi-Fi-controlled sex toys in range everywhere you go. This can be funđ especially if you are a hacker coupleđđ, or worse if you are in the region of the Taliban....or Iranđ¨â ď¸
đConclusion đ¤
Subscribe to receive notifications of similar posts đ where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...đ
Follow me on twitter for daily Infosec Memes and shenanigansđ
Morans,
Thank you for taking time and hope you learned something new, Like and leave a comment/review and as always, stay awesome! đđ đŞ