The purpose of this project was to conduct an external penetration test and vulnerability assessment of IoT devices that are discoverable on Drexel University’s network. We also created a reconnaissance tool for daily monitoring of open common and IoT-related ports on large networks.
DRAGOWND’s engagement focused primarily on penetration testing of IoT devices. An IoT device is any physical appliance with connection to a network. Security cameras, ventilation, HVAC controllers, and even refrigerators can be IoT devices. We chose to work with IoT devices because they are what connects a virtual network to the world around us, in real life. Say for instance, a HVAC controller can be adjusted remotely by an administrator, allowing someone to alter heating conditions without having to be on-site for a building. This is dangerous, because someone could potentially gain access to the device and change settings without ever setting foot in or near the building.
Unauthorized users could watch through security cameras, to try to track people of interest. Hackers could turn off your fridge when no one is home, and cause all of your food to perish. Working with IoT devices allows us to protect and secure this connection between a network and the outside world. At times, it is beyond just information security, as a breach in a critical appliance could be disastrous, depending on what is compromised.
In December of 2015, a Ukrainian power company had improperly secured control systems connected to their network. An attacker was able to compromise a power grid, shutting down power for over 225,000 people. These control systems were IoT devices, and had they been properly secured, this attack could have been prevented. The purpose of this engagement was to reveal the ease of compromising improperly secured IoT devices and the potential impact of such attacks.
Due to the sensitivity of our findings, we will not be displaying our Final Video Presentation publicly and will be securely sharing it with the judges.