Intro

> Performing security assessments against Internet of Things (IoT) devices exposes you to a wide range of technologies, use cases, and protocols. These days, the majority of such devices have a wireless component that allows interaction with them from a distance. Often, this will be WiFi, Bluetooth™, or RFID / NFC. These wireless interfaces give operators greater and more convenient functionality and can simplify many inconvenient tasks of the past. Over-the-air (OTA) updates are one example of the proliferation of wireless technology in these devices, and they have dramatically reduced the operational burden. In the past, updating a device meant learning about the update, finding it online, downloading it to your computer, finding the correct cable, trying the device port three times until you got the orientation correct, and then launching the correct desktop application, all so you could finally update the device. With OTA and wireless communication, updates are now handled with the click of a button in an app or even fully autonomously by the device. But this increases the attack surface significantly. No longer is the threat model simply "an attacker with physical access to the device;" it is now also "an attacker within wireless range of the device" and "an attacker with network access to the device." OTA update mechanisms in particular are especially interesting to attackers, since they suggest that an attacker who can control the wireless signals can put their own code on the device (unless the device cryptographically verifies each update image before applying it).
>
> Most IoT / hardware risk-informed security assessments Praetorian performs have a wireless component, like most devices today. It is, after all, the thing that makes an IoT device an IoT device. But what happens when the device doesn't have a wireless component?
>
> Barring supply chain attacks, the threat model is generally restricted to "an attacker with physical access to the device." This was the situation Praetorian faced recently on an engagement, and rather than settle for such a limited threat model, we asked ourselves:
>
> "What if we could make this device wireless?"