Attify Badge IoT Hacking Device Usage

From Embedded Lab Vienna for IoT & Security

Description

The Attify Badge IoT Hacking Device is a hardware security assessment tool created by Attify that is used to communicate between a PC and an embedded device using various hardware communication protocols. The device was initially built to aid in pentests for IoT devices, but its immense potential was soon recognized. The Attify Badge uses an FTDI chip that can speak a wide variety of communication protocols and standards such as UART, SPI, I2C, 1-Wire and JTAG. This way one can interact with any IoT / embedded device for which one or more hardware communication ports are available. It supports both 3.3V and 5V, making it suitable for a large number of target devices. You don't need any special connection wires or cables to use the Attify Badge; standard Dupont jumper wires (included with all Attify Badges) are sufficient. The Attify Badge has a micro-USB port that allows it to be easily connected to your PC using a micro-USB cable, which is also included when you order an Attify Badge.

Usage Attify Badge Tool https://github.com/attify/attify-badge-tool

UART

Connect the pins of the Attify Badge to the UART device:

Attify Badge    UART device
D0 (TXD)        RX
D1 (RXD)        TX
GND             GND

Run the following commands to install and start the Attify Badge Tool (Attify Serial Console):

 git clone https://github.com/attify/attify-badge-tool
 cd attify-badge-tool
 pip3 install -r requirements.txt
 python3 serial-console.py

Set the serial port (e.g. COM6) and the baud rate, then click Connect. After that, you are connected to the UART.

Usage old Attify Badge Tool (deprecated) https://github.com/attify/attify-badge

The Attify Badge Tool consists of 5 main modules that correspond to the 5 protocols supported by the Attify Badge:

  • UART
  • SPI
  • JTAG
  • I2C
  • GPIO

If the target device you want to test or exploit has one of these interfaces, Attify Badge should be the tool of choice for this purpose.

Exploit by UART

Register the external USB device connected to the system and add it to the combo box at the top left of the user interface.

Select the USB port to which the device is connected and the baud rate to be used.

Once you have selected the desired baud rate, press Enter to connect to the device. The data received from the UART device will be displayed in a black console window. You can use the input fields below it to interact with the device. In the combo box at the bottom right, you can select the line termination for each line you want to send to the device.

Exploit by SPI

Allows users to detect, read, write and erase SPI based memory of the target device connected to the Attify Badge.

Select the desired operation from the drop-down menu.

For read/write commands, enter the path of the file where the data will be saved or read. An example of a path is ~/files/firmware.bin.

Exploit by JTAG

Select the appropriate configuration file for the target device. (Custom configuration files can be placed directly in the cfg/ directory.)

Click "Start OpenOCD Server". Then you will see the message "Initializing OpenOCD Server in the background".

Click on the "Connect to OpenOCD Server" button to connect to the OpenOCD Server. This will launch a new terminal window with a Telnet session connected to the OpenOCD Server.

For further analysis (for example, to find and exploit firmware vulnerabilities), enter the path of the ELF file in the path edit box and click "Run GDB" (you will need the appropriate ELF file). This will start a gdb session for the analysis.

Exploit by I²C

The I2C module can be used to find I2C devices and to read, write and erase the contents of I2C EEPROMs connected to the badge.

To do so, simply select the action you want from the drop-down menu, enter the file path if necessary, and click the "Run" button.

Exploit by GPIO

Output Mode: Selecting the check box next to each pin will change the status of that pin to "High", and unchecking the box will change the status of that pin to "Low".

Input Mode: If you want to use a pin in input mode, change the mode of the desired pin to input mode and check the box to enable the pin.

Click on the "Start input monitoring" button to start the input monitoring control.

Click the "Start" button in the "Input monitoring" widget to start monitoring the input of the selected pin.

What's possible

With the help of UART communication you can get serial root access to the target system, as well as debugging logs, U-Boot access and boot logs. It is also possible to save firmware, API keys or other confidential information stored on the flash chip via SPI or I2C. You can also write your own firmware to the device using Flash Write or perform JTAG debugging with OpenOCD and GDB. Attify provides several tutorials on its own website and also sells its own IoT Exploitation Learning Kit, which is not affordable for every hobby pentester. They also provide a GitHub repository with sample code.
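The UART exposures named above (U-Boot access, boot logs, a root shell) can be checked for in a boot log saved from the serial console when hardening a device. The following is an added example, not part of the Attify Badge Tool; the log is constructed and the names `CHECKS` and `audit_boot_log` are hypothetical.

```python
import re

# Constructed sample of a UART boot log (not captured from a real device).
SAMPLE_LOG = """\
U-Boot 2016.01 (constructed sample)
DRAM:  64 MiB
Hit any key to stop autoboot:  3
Booting kernel ...
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock2
init started: BusyBox v1.24.1
Please press Enter to activate this console.
BusyBox v1.24.1 built-in shell (ash)
/ #
"""

# (check id, pattern, hardening advice); hypothetical names for this example.
CHECKS = [
    ("uboot-interruptible",
     re.compile(r"Hit any key to stop autoboot"),
     "boot loader prompt can be interrupted; restrict it in production builds"),
    ("serial-console-enabled",
     re.compile(r"console=tty\w+,\d+"),
     "kernel console is routed to the UART; disable it in production builds"),
    ("shell-without-login",
     re.compile(r"Please press Enter to activate this console"),
     "BusyBox askfirst console starts a shell; run a login-protected getty"),
]

def audit_boot_log(text):
    """Return (check_id, line_number, advice) for every exposure found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for check_id, pattern, advice in CHECKS:
            if pattern.search(line):
                findings.append((check_id, lineno, advice))
    # A root prompt although no "login:" prompt was ever printed.
    if re.search(r"^\S* ?# ?$", text, re.M) and "login:" not in text:
        findings.append(("root-prompt-no-auth", None,
                         "root shell reachable without credentials"))
    return findings

if __name__ == "__main__":
    for finding in audit_boot_log(SAMPLE_LOG):
        print(finding)
```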

IoT Vulnerabilities

Nowadays, IoT devices are everywhere, including at home, e.g. to control lamps or the heating with a mobile phone. However, many of these devices are very insecure because for a long time no value was placed on their security. Weak points are, for example:

  • Weak, easy to guess, or hard-coded passwords. Often the standard passwords are simply used.
  • Insecure network services
  • Lack of a secure update mechanism
  • Insecure data transmission and storage
  • and many more
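Hard-coded passwords and insecurely stored data can be found before release by scanning the firmware image the way it would appear when read from the flash chip. The following is an added example, not code from the page or from Attify; the image bytes are constructed and the names `RULES`, `printable_strings` and `scan_image` are hypothetical.

```python
import re

# Constructed stand-in for a flash dump such as ~/files/firmware.bin.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x03" + bytes(32)
    + b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n"
    + b"\xff" * 16
    + b"admin_password=admin123\x00"
    + b"\x00" * 8
    + b"api_key=EXAMPLE-KEY-NOT-REAL\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"\xff" * 64
)

# Rule name -> pattern applied to each printable string in the image.
RULES = {
    "password-hash": re.compile(rb"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:]+:"),
    "plaintext-password": re.compile(rb"(?i)pass(word|wd)?\s*[=:]\s*\S+"),
    "api-key": re.compile(rb"(?i)(api|secret)[_-]?key\s*[=:]\s*\S+"),
    "private-key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def printable_strings(blob, min_len=6):
    """Yield (offset, bytes) for each run of printable ASCII, like strings(1)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield match.start(), match.group()

def scan_image(blob):
    """Return (offset, rule) pairs in offset order; secrets are not echoed."""
    hits = []
    for offset, text in printable_strings(blob):
        for rule, pattern in RULES.items():
            if pattern.search(text):
                hits.append((offset, rule))
    return hits

if __name__ == "__main__":
    for offset, rule in scan_image(SAMPLE_IMAGE):
        print(f"0x{offset:06x}  {rule}")
```

Each hit gives the offset of the string in the image, so the finding can be traced back to the file or partition that contains it.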

References

https://blog.attify.com/hack-iot-devices-embedded-exploitation/

https://github.com/attify/attify-badge-tool