When conducting intrusion tests, knowledge of endpoints and exchanged data is mandatory to test targeted applications, devices, and remote servers.
If the target provides an Android, or iPhone application, it is possible to extract some URLs, and with any luck some secrets by disassembling the application or/and capturing the generated network traffic.
But when no Android nor iPhone applications are available, attackers need to be more creative, and use other tricks to get any interesting inputs/content/behavior.
Moreover, secrets exchanged between a targeted device and its servers could be totally different from those exchanged between an application and its servers, as well as contacted URLs.
Indeed, pentesters are in certain cases confronted to devices with hardcoded credentials, certificates, or any other information giving further access to intrude the system.
In addition, the level of trust could be overestimated by vendors/constructors, who give more privileges to devices compared to basic users.
So breaking into the device or/and directly intercepting its communication could be a real change during intrusion tests.
This article is about getting those information from IoT devices that use the mobile network to exchange data and commands.
Different techniques will be introduced:
- RF way: use of mobile data interception techniques;
- Hard way: dump and analysis of a firmware.
To illustrate these attacks, examples will be based on a 3G intercom well deployed in France, which is powered with a PIC24FJ micro-controller.