Attify Badge IoT Hacking Device Usage

From Embedded Lab Vienna for IoT & Security
Revision as of 16:29, 21 December 2020 by JOppitz

Description

The Attify Badge IoT Hacking Device is a hardware security assessment tool created by Attify that is used to communicate between a PC and an embedded device using various hardware communication protocols. The device was initially built to aid in pentests of IoT devices, but its immense potential was soon recognized. The Attify Badge uses an FTDI chip that can speak a wide variety of communication protocols and standards such as UART, SPI, I2C, 1-Wire and JTAG. This way one can interact with any IoT / embedded device for which one or more hardware communication ports are available. It supports both 3.3V and 5V, making it suitable for a large number of target devices. You don't need any special connection wires or cables to use the Attify Badge, only standard Dupont jumper wires (included with all Attify Badges). The Attify Badge has a micro-USB port that allows it to be easily connected to your PC using a micro-USB cable, which is also included when you order an Attify Badge.

Firmware

Firmware is software that is embedded in electronic devices and performs basic functions there. It occupies an intermediate position between hardware (i.e. the physical components of a device) and the application software (the possibly exchangeable programs of a device). It is mostly stored in a flash memory, an EPROM, EEPROM or ROM and cannot be exchanged by the user or can only be exchanged with special means or functions. The term is derived from the fact that firmware is functionally permanently connected to the hardware, which means that one cannot be used without the other.

Firmware is both the operating software of various devices or components (e.g. mobile phone, game console, remote control, hard drive, printer) and the basic software of a computer (e.g. the BIOS anchored in a flash memory in personal computers), which is necessary to load and operate the kernel of the actual operating system.

Usage

The Attify Badge Tool consists of 5 main modules that correspond to the 5 protocols supported by the Attify Badge:

  • UART
  • SPI
  • JTAG
  • I2C
  • GPIO

If the target device you want to test or exploit has one of these interfaces, Attify Badge should be the tool of choice for this purpose.

What's possible

With the help of UART communication you can get serial root access to the target system, debugging logs, U-Boot access and boot logs. It is also possible to save firmware, API keys or other confidential information stored on the flash chip via SPI or I2C. You can also write your own firmware to the device using Flash Write or perform JTAG debugging with OpenOCD and GDB. Attify provides several tutorials on its own website and also sells its own IoT Exploitation Learning Kit, which is not affordable for every hobby pentester. They also provide a GitHub repository with sample code.

IoT Vulnerabilities

Nowadays, IoT devices are everywhere, including at home, e.g. to control lamps or the heating with a mobile phone. However, many of these devices are very insecure because for a long time no value was placed on their security. Weak points include, for example:

  • Weak, easy-to-guess, or hard-coded passwords. Often the default passwords are simply used.
  • Insecure network services
  • Lack of a secure update mechanism
  • Insecure data transmission and storage
  • and many more
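
Because anything stored on the flash chip can be read out over SPI or I2C, a firmware image is worth checking for hard-coded credentials before it ships. The following Python sketch is an added example, not code from Attify or from this wiki; the key names, the entropy threshold and the sample image are constructed assumptions.

```python
import math
import re

# Printable-ASCII runs of 6+ bytes, as the `strings` utility would report them.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Key names are illustrative assumptions; extend them for your own firmware.
ASSIGNMENT = re.compile(
    r"(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+")
# passwd/shadow-style entry carrying a crypt(3) hash such as $1$... or $6$...
SHADOW = re.compile(r"^([a-z_][a-z0-9_-]*):\$[0-9a-z]+\$[^:]+:")
# Long unbroken base64-like run, a common shape for embedded keys.
TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}")


def shannon_entropy(text):
    """Bits per character; random key material scores higher than words."""
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_image(image, min_entropy=4.0):
    """Return (offset, kind, label) findings; secret values are never echoed."""
    findings = []
    for run in PRINTABLE.finditer(image):
        text = run.group().decode("ascii")
        shadow = SHADOW.match(text)
        assignment = ASSIGNMENT.search(text)
        if shadow:
            findings.append((run.start(), "password-hash", shadow.group(1)))
        elif assignment:
            findings.append((run.start(), "credential-assignment", assignment.group(1).lower()))
        elif TOKEN.fullmatch(text) and shannon_entropy(text) >= min_entropy:
            findings.append((run.start(), "high-entropy-token", f"{len(text)} chars"))
    return findings


# Constructed sample image: padding plus strings typical of a router-style build.
SAMPLE_IMAGE = b"".join([
    b"\xff" * 16, b"U-Boot banner (constructed sample)\x00",
    b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\x00",
    b"\x00" * 8, b"wifi_password=ExampleOnly123\x00",
    b"Zx9Qm2Lk7Vb4Nc1Tj8Rw5Hy3Gd6Fp0Sa\x00",
    b"/usr/sbin/httpd\x00",
])

if __name__ == "__main__":
    for offset, kind, label in scan_image(SAMPLE_IMAGE):
        print(f"0x{offset:06x}  {kind:<22} {label}")
```

Each finding gives the byte offset of the string in the image, so it can be traced back to the file or partition that contributed it.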