By: Ryan Corbin
It is no secret that IoT devices are becoming more and more prevalent in society. These devices can be anything from a smart light bulb to an earwax removal device. The security of such devices should be considered and analyzed to protect the end users' confidentiality and privacy. Although we are still in the adoption phase of IoT devices in our everyday lives, the security of current IoT devices should be questioned so that improvements can be made. The device analyzed in this project is the Bebird Ear Wax Removal System, a small tool used to view the inside of the ear canal to aid in extracting ear wax. The analysis looks at traffic to and from the device from the perspective of an attacker. The purpose of the following experiment is to bring to light the lack of security considerations in IoT devices.
Materials and Software
| Item | Vendor | Type | Version / Model |
|---|---|---|---|
| iPhone 11 Pro | Apple | Hardware | iOS 15.4.1 |
| Bebird Mobile Application | Bebird | Software | 5.0.30 |
| Ear Wax Removal System | Bebird | Hardware | Model M9 |
| Kali Linux VM | Kali Linux | Software | 2021.2 |
| Wireless USB Adapter | Netgear | Hardware | A6210 |
Table 1: The hardware and software that was used to conduct the experiment.
- iPhone 11 Pro: A mobile device used to run mobile applications.
- Bebird Mobile Application: The software runs on the phone so that it can interact with the device.
- Ear Wax Removal System: The IoT device that will transmit a live feed of a small camera embedded in the tip of the device.
- Aircrack-ng suite: The tools used to analyze and attack networks.
- Kali Linux VM: Contains wireless monitoring/attacking tool suite.
- Wireless USB Adapter: Device used to sniff wireless traffic in monitor mode.
Configuring the VM to sniff wireless traffic
The initial setup for sniffing wireless traffic is to start the Kali Linux VM and plug in the wireless adapter. The wireless interface should then be put in monitor mode to be able to monitor wireless traffic.
Figure 1: Monitor mode enabled on the wireless interface wlan0.
Setting up the IoT device
To connect to the IoT device, the Bebird application should be installed on the mobile device. This app is how the user connects to the IoT device and views the live feed. Removing the cap turns on the ear wax removal device, which then creates its own access point.
Figure 2: The application informs the user to connect to the access point the IoT device creates after its cap is removed.
Capturing Bebird Traffic
After the USB adapter has been configured in monitor mode, it can be used to sniff wireless traffic to and from the IoT device. The Kali Linux tool airodump-ng can be used to scan all access points within range of the wireless adapter. Because the Bebird device creates its own access point for the user to connect to, it appears in this scan.
airodump-ng --write iotcapture wlan0mon
Figure 3: Airodump-ng command output that shows the Bebird access point's SSID, along with other important information.
After the BSSID of the IoT device is found, airodump-ng can be pointed directly at traffic to and from the device. An attacker can then attempt to recover the password by attacking the wireless security protocol. In this case, WPA2-PSK is the vulnerable wireless security protocol. To crack WPA2, the attacker must capture the IVs that appear in the connection between the user and the device. airodump-ng can be configured to gather these IVs with the '--ivs' argument.
airodump-ng --ivs --channel 11 --bssid AC:5F:01:08:2C:C6 -w captureivs wlan0mon
Figure 4: Airodump-ng command output showing the status of the collected packets and other information.
After the scan has started, the attacker can generate more traffic by de-authenticating the client. This forces the client to re-authenticate to the device, and the attacker can capture more IVs. These IVs are used later with a tool to crack the password for the access point the device created.
aireplay-ng --deauth 1 -a AC:5F:01:08:2C:C6 -c 6A:D9:2D:1B:1B:5C wlan0mon
Figure 5: Deauthenticating the client to provide more IVs for the airodump-ng scan.
After a sufficient number of IVs have been captured, the attacker can attempt an offline dictionary attack: each candidate password from a wordlist is tried against the captured data until the correct key is revealed. The wordlist used for this attack is the "rockyou.txt" file bundled with Kali Linux, which contains commonly used passwords.
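From the defender's side, the deauthentication step above leaves a recognisable trace: a burst of management frames of subtype 12 between the access point and the client. The following Python is an added example that is not part of the original experiment; it runs over a constructed list of simplified frame records (the record format, the timestamps and the "other AP" address are assumptions, while the AP and client addresses are the ones quoted above) and flags bursts that a single legitimate disconnect would not produce.

```python
from collections import defaultdict

# 802.11 management-frame subtypes relevant here (frame type 0 = management).
BEACON, DISASSOC, DEAUTH = 8, 10, 12

def mgmt(ts, subtype, src, dst, reason=None):
    """Build one simplified management-frame record (constructed format)."""
    return {"ts": ts, "type": 0, "subtype": subtype, "src": src, "dst": dst, "reason": reason}

AP, CLIENT, OTHER_AP = "AC:5F:01:08:2C:C6", "6A:D9:2D:1B:1B:5C", "02:AA:BB:CC:DD:EE"

# Constructed sample capture: a beacon, a data frame, one ordinary deauth
# from a different AP, then a burst of deauths in both directions between
# the Bebird AP and the client (the pattern a deauth tool produces).
SAMPLE_FRAMES = (
    [mgmt(10.00, BEACON, AP, "FF:FF:FF:FF:FF:FF"),
     {"ts": 10.02, "type": 2, "subtype": 0, "src": AP, "dst": CLIENT},  # data frame
     mgmt(12.00, DEAUTH, OTHER_AP, CLIENT, reason=3)]
    + [mgmt(30.00 + 0.05 * i, DEAUTH, AP, CLIENT, reason=7) for i in range(5)]
    + [mgmt(30.30 + 0.05 * i, DEAUTH, CLIENT, AP, reason=7) for i in range(3)]
)

def _runs(stamps, window):
    """Split sorted timestamps into runs whose consecutive gaps are <= window."""
    runs, cur = [], [stamps[0]]
    for ts in stamps[1:]:
        if ts - cur[-1] <= window:
            cur.append(ts)
        else:
            runs.append(cur)
            cur = [ts]
    runs.append(cur)
    return runs

def detect_deauth_bursts(frames, window=2.0, threshold=3):
    """Return one alert per (src, dst) run of >= threshold deauth/disassoc
    frames with no gap larger than `window` seconds. A lone deauth from a
    normal roam or idle timeout stays below the threshold and is ignored."""
    stamps = defaultdict(list)
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] == 0 and f["subtype"] in (DEAUTH, DISASSOC):
            stamps[(f["src"], f["dst"])].append(f["ts"])
    alerts = []
    for (src, dst), ts_list in stamps.items():
        for run in _runs(ts_list, window):
            if len(run) >= threshold:
                alerts.append({"src": src, "dst": dst, "count": len(run),
                               "start": run[0], "end": run[-1]})
    return alerts

if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {a['src']} -> {a['dst']} x{a['count']} "
              f"between t={a['start']:.2f}s and t={a['end']:.2f}s")
```

On the sample data this reports two bursts (AP to client and client to AP) and ignores the single deauth from the other access point; with real captures the records would be decoded from monitor-mode frames rather than constructed.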
aircrack-ng -w /usr/share/wordlists/rockyou.txt captureivs-01.ivs
Figure 6: Password cracked using aircrack-ng and ivs file.
This experiment highlights the severe lack of consideration for security and privacy in the IoT device ecosystem. A password of "12345678" should be deemed unacceptable, and the security of IoT devices should be taken more seriously. On further review, the creators of these IoT devices do not allow the user to change the default password for the access point created by the device. This has serious security implications because it is trivial to replicate the attack performed in this experiment. A quick Google search reveals that the default password (12345678) is the same across all of their devices and provides zero uniqueness. It is highly recommended that strong WPA2 passwords be used to create obstacles for attackers.
To better understand IoT device security more broadly, more devices should be assessed using the same methods shown in this experiment. One shortcoming of this experiment is that its findings may not hold for the majority of IoT devices. To address this, devices from several different mainstream companies should be assessed to build a better understanding of IoT device security. This topic is important because the IoT field will continue to grow as technology advances, and security must be a major concern as new technologies proliferate. If new technologies are released faster than security can catch up, attackers will continue to exploit whoever remains vulnerable.