Harnessing the Power of IoT Security Assessment Tool Plugins

The Keysight IoT Security Assessment platform is a powerful suite of tools for testing many different types of IoT devices and protocols. Out of the box, it can fuzz Bluetooth, Wi-Fi, and Ethernet at the protocol level, and it includes hundreds of specific assessments targeting just about any type of device communication method you could think of, including CAN bus and cellular. However, even with all the built-in functionality, it is impossible to cover every aspect of the IoT ecosystem, which is why the IoT Security Assessment Tool was designed to be quickly and easily extended with custom plugins. With plugins, you can leverage your own existing scripts and test harnesses, add coverage for unique devices, and generally make the IoT Security Assessment Tool work in any custom environment.

Anatomy of a Plugin

Under the hood, plugins for the IoT Security Assessment Tool are essentially just tar archives that contain a few boilerplate script files, a config file, and a Docker image. The purpose of these files can be briefly summarized as:

And that is basically all that is needed to create your own custom plugin to extend the functionality of the IoT Security Assessment Tool. Now let’s take a look at an example.

Recreating a Bluetooth Prank from DEFCON 31

If you were at DEFCON 31 earlier this year, and made the unfortunate mistake of neglecting to disable Bluetooth on your iPhone while walking around the conference, you may have been treated to an interesting dialog pop-up:

Of course, there was no Apple TV in the area, and if you had, against your better judgement, clicked on the Continue button in the dialog, it wouldn’t have actually done anything. What was really happening was someone on the conference floor was blasting out specific types of BLE advertisement messages. These advertisements spoofed certain accessories or actions that would be recognized by Apple devices and cause them to display messages like the one pictured above. It was just the advertisement beacon and nothing else, so there was nothing malicious about it. It was simply some DEFCON hijinks that spread awareness about this Apple “proximity pairing” functionality and also served as a nice reminder to turn your Bluetooth off. It also happens to be a perfect way to show what a custom IoT Security Assessment Tool plugin is capable of.
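From the monitoring side, the same beacons can be spotted in a passive BLE scan. The sketch below is an added example, not code from the original post or from the Keysight tool: it parses the advertising payload's AD structures, picks out manufacturer-specific data carrying Apple's company ID, and flags time windows where one message type arrives from unusually many distinct addresses. The burst heuristic, its thresholds, the function names and the sample capture are all assumptions made for illustration.

```python
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier assigned to Apple
MANUFACTURER_DATA = 0xFF    # AD type "Manufacturer Specific Data"

def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) pairs (length, type, data)."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                       # zero length: padding, stop parsing
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def apple_message_type(payload: bytes):
    """Return the first byte after Apple's company ID, or None if not Apple data."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == MANUFACTURER_DATA and len(data) >= 3:
            if int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
                return data[2]
    return None

def flag_bursts(observations, window=10.0, max_addrs=5):
    """Flag (window_start, msg_type, n_addrs) where one Apple message type is
    advertised by more than max_addrs distinct addresses in one time window."""
    seen = defaultdict(set)                   # (bucket, msg_type) -> addresses
    for ts, addr, payload in observations:
        try:
            msg_type = apple_message_type(payload)
        except ValueError:
            continue                          # malformed frame: ignore it
        if msg_type is not None:
            seen[(int(ts // window), msg_type)].add(addr)
    return sorted((b * window, t, len(a))
                  for (b, t), a in seen.items() if len(a) > max_addrs)

def constructed_capture():
    """Constructed sample: 8 addresses sending the same Apple-tagged payload
    within 4 s, plus one ordinary advertiser with a different company ID."""
    apple = bytes.fromhex("020106" "07ff4c007a020000")  # 0x7a is a made-up type
    other = bytes.fromhex("020106" "05ff5900aabb")      # not Apple's company ID
    obs = [(i * 0.5, f"c0:00:00:00:00:{i:02x}", apple) for i in range(8)]
    return obs + [(1.0, "d0:00:00:00:00:01", other)]

if __name__ == "__main__":
    print(flag_bursts(constructed_capture()))
```

In a crowded venue, legitimate Apple devices also advertise with company ID 0x004C, so the threshold has to be tuned against a baseline capture from the same environment.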

Thanks to the work done by ECTO-1A and others, we have a fairly extensive list of BLE advertisement messages that will trigger the proximity pairing response. Using this information, I wrote a Python script that takes a given message and calls out to the `hcitool` BLE Linux utility to send out the beacon on one of our supported Bluetooth dongles, specifically the LM1010. I used this script as my `runner.py` and set it as the ENTRYPOINT of a Docker image based on python:3.9-slim, making sure to install any extra packages needed for the hcitool utility such as bluetooth, bluez, rfkill, etc.

In my config file, I defined a drop-down list variable of all the different types of accessory beacons that correlated with my Python script. I also specified that this module would be using the LM1010 as its interface. Once my Docker image was built and saved as a .tar.gz archive, I combined it with my config file and the other installer scripts and packaged the entire thing up as a tar archive with a .pkg.tar file extension.

With the package ready for installation, there was one small caveat to take care of first. On the file system of the IoT Security Assessment Tool there is a JSON file that keeps track of module compatibility. In order for my plugin module to be seen as compatible with the current version of the tool, I had to add an entry to the bottom of the `/srv/pentestsw/config/compatibility_db.json` file using the name of my plugin and the build number, a value chosen by me (by convention this is usually a timestamp of when the plugin was built) and declared in the config file from earlier. Once all of this was done, the plugin package I created could be installed, and all of the audits I had defined showed up seamlessly in the UI, appearing just like all the built-in functions.

Selecting the new custom plugin from the Configure Scenario Audits window

The variables and other config file data show up naturally in the UI

And the end result of running the new test looks like this:

As you can see, the ability to write custom plugins for the IoT Security Assessment Tool really makes the possibilities endless. You can pull in your existing test tools and scripts, write new ones that make use of our tool’s infrastructure, and generally make the IoT Security Assessment Tool a seamless addition to any IoT testing environment.
