Harnessing the Power of IoT Security Assessment Tool Plugins

The KEYSIGHT IoT Security Assessment platform is a powerful suite of tools for testing many different types of IoT devices and protocols. Out of the box, it can fuzz Bluetooth, WIFI, and Ethernet at the protocol level, as well as hundreds of specific assessments targeting just about any type of device communication method you could think of including CAN bus and cellular. However, even with all the built-in functionality, it is impossible to cover every aspect of the IoT ecosystem, which is why the IoT Security Assessment Tool was designed to be quickly and easily extended with custom plugins. Through the use of plugins, you can leverage your own existing scripts and test harnesses, add coverage for unique devices, and generally make the IoT Security Assessment Tool work in any custom environment.

Anatomy of a Plugin

Under the hood, plugins for the IoT Security Assessment Tool are essentially just tar archives that contain a few boiler-plate script files, a config file, and a docker image. The purpose of these files can be briefly summarized as:

· Script files – These contain generic instructions for installing and registering the plugin within the system. There is also a script for defining how to run the included docker image file if needed. These do not vary from plugin to plugin except for changing a named reference here or there, and I would not be surprised if these were moved out of the individual plugins in the future in favor of universal scripts run from the backend system instead.

· Config file – This is a json file used to define how the plugin appears in the UI and any underlying system dependencies. This is also, more importantly, where you define the audits included in the plugin. The audit definitions contain all the declarations of variables used for interacting with your test scripts inside the docker image as well as what communication protocol the audit will use.

· Docker image – This is a docker image saved as a .tar.gz file. As with any docker image, this can be pretty much whatever you need it to be. You build your docker image with a Dockerfile just like normal but with the one caveat that you need a special `runner.py` file as the ENTRYPOINT to interact with the backend and get access to the variables defined in the config file. From there you are free to call out to any other script or binary you would like. Once you have your docker image created, you save it using `docker save` and gzip compress it for inclusion in the plugin archive.

And that is all that is needed to create your custom plugin to extend the functionality of the IoT Security Assessment Tool. Now let’s take a look at an example.

Recreating a Bluetooth Prank from DEFCON 31

If you were at DEFCON 31 earlier this year and made the unfortunate mistake of neglecting to disable Bluetooth on your iPhone while walking around the conference, you may have been treated to an interesting dialog pop-up:

Of course, there was no Apple TV in the area, and if you had, against your better judgment, clicked on the Continue button in the dialog, it wouldn’t have done anything. What was happening was someone on the conference floor was blasting out specific types of BLE advertisement messages. These advertisements spoofed certain accessories or actions that would be recognized by Apple devices and caused them to display messages like the one pictured above. It was just the advertisement beacon and nothing else, so there was nothing malicious about it. It was simply some DEFCON hijinks that spread awareness about this Apple “proximity pairing” functionality and also served as a nice reminder to turn your Bluetooth off. It also happens to be a perfect way to show what a custom IoT Security Assessment Tool plugin is capable of.

Thanks to the work done by ECTO-1A and others, we have a fairly extensive list of BLE advertisement messages that will trigger the proximity pairing response. Using this information, I wrote a Python script that will take a given message and call it out to the `hcitool` BLE linux utility to send out the beacon on one of our supported Bluetooth dongles, specifically the LM1010. I used this script as my `runner.py` and set it to the ENTRYPOINT of a docker image based on python:3.9-slim, making sure to install any extra packages needed for the hcitool utility such as bluetooth, blues, rfkill, etc. In my config file, I defined a drop-down list variable of all the different types of accessory beacons that correlated with my Python script. I also specified that this module would be using the LM1010 as its interface. Once my docker image was built and saved as a .tar.gz archive, I combined it with my config file and the other installer scripts and packaged the entire thing up as a tar archive with a .pkg.tar file extension. Now that it was ready for installation, there was one other small caveat to take care of first. On the file system of the IoT Security Assessment Tool, there is a json file that keeps track of module compatibility. For my plugin module to be seen as compatible with the current version of the tool, I had to add an entry to the bottom of the `/srv/pentestsw/config/compatibility_db.json` file using the name of my plugin and the build number, a value chosen by me (by convention this is usually a timestamp of when the plugin was built) and declared in the config file from earlier. Once all of this was done, the plugin package I created was able to be installed and all of the audits I had defined showed up seamlessly in the UI, appearing just like all the built-in functions.

The end result of running the new test looks like this:

As you can see, the ability to write custom plugins for the IoT Security Assessment Tool makes the possibilities endless. You can pull in your existing test tools and scripts, write new ones that make use of our tool’s infrastructure, and generally make the IoT Security Assessment Tool a seamless addition to any IoT testing environment.