INTOTHECORE:IN-DEPTHEXPLORATIONOFWINDOWS10IOTCORE

PaulSabanal

IBMSecurityX-ForceAdvancedResearch

sabanapm[at]ph[dot]ibm[dot]com

@polsab

Abstract

TheInternetofThingsisbecomingareality,andmoreandmoredevicesarebeingintroducedintothemarketeveryday.Withthis,thedemandfortechnologythatwouldeasedevicemanagement,improvedevicesecurity,andfacilitatedataanalyticsincreasesaswell.

OnesuchtechnologyisWindows10IoTCore,Microsoft'soperatingsystemaimedatsmallfootprint,lowcostdevices.Itoffersdeviceservicingandmanageability,enterprisegradesecurity,and-combinedwithMicrosoft'sAzureplatform-dataanalyticsinthecloud.Giventhesefeatures,MicrosoftWindows10IoTCorewilllikelyplayasignificantroleinthefutureofIoT.Assuch,understandinghowthisoperatingsystemworksonadeeplevelisbecomingimportant.Methodsandtechniquesthatwouldaidinassessingitssecurityarealsobecomingessential.

InthistalkIwillfirstdiscusstheinternalsoftheOS,includingthesecurityfeaturesandmitigationsthatitshareswiththedesktopedition.IwillthenenumeratetheattacksurfaceofadevicerunningWindows10IoTCoreaswellasitspotentialsusceptibilitytomalware.IwillalsotalkaboutmethodstoassessthesecurityofdevicesrunningWindows10IoTCoresuchasstatic/dynamicreverseengineeringandfuzzing.IwillendthetalkwithsomerecommendationsonhowtosecureaWindows10IoTCoredevice.

1 Introduction.............................................................................................................................................3

1.1 Background......................................................................................................................................3

1.2 Overview..........................................................................................................................................4

2 Internals...................................................................................................................................................4

2.1 FastFlashUpdateImageFormat.....................................................................................................4

2.2 PartitionLayout...............................................................................................................................6

2.3 Bootprocess....................................................................................................................................6

2.4 Apps.................................................................................................................................................6

2.5 Security............................................................................................................................................7

2.5.1 What'snotinWindows10IoTCore?.......................................................................................7

2.5.2 ASLR,DEP,andControlFlowGuard.........................................................................................7

2.5.3 TrustedPlatformModule(TPM)..............................................................................................7

2.5.4 SecureBoot..............................................................................................................................8

2.5.5 BitLocker...................................................................................................................................8

2.5.6 WindowsUpdate......................................................................................................................8

3 AttackSurface..........................................................................................................................................9

3.1 NetworkServices.............................................................................................................................9

3.1.1 WindowsDevicePortal............................................................................................................9

3.1.2 SSH.........................................................................................................................................12

3.1.3 WindowsFileSharing.............................................................................................................12

3.1.4 WindowsIoTRemoteServer..................................................................................................12

3.2 DeviceDriversVulnerabilities........................................................................................................13

3.3 MalwareSusceptibility...................................................................................................................13

4 HackingWindows10IoTCore...............................................................................................................14

4.1 PassiveDeviceDiscovery...............................................................................................................14

4.2 PowerShell.....................................................................................................................................17

4.3 Staticanalysis.................................................................................................................................18

4.4 Dynamicanalysis............................................................................................................................19

4.4.1 KernelDebuggingusingWinDbg............................................................................................19

4.4.2 DebuggingusermodeprocessesusingWinDbg....................................................................22

4.4.3 Crashdumpanalysis...............................................................................................................25

4.5 Fuzzingapproaches........................................................................................................................26

5 Recommendations.................................................................................................................................28

5.1 Segmentyournetworks................................................................................................................28

5.2 Disableunnecessarynetworkservices..........................................................................................28

5.3 ChangeDefaultAdministratorPassword.......................................................................................28

5.4 UseadevicethatsupportsTPM....................................................................................................29

5.5 Takeadvantageofavailablesecurityfeatures...............................................................................29

6 Conclusion.............................................................................................................................................29

1 INTRODUCTION

1.1 Background

AstheInternetofThingsarebecomingmoreandmoreprevalent,theneedfortechnologiesthatwouldmakemanagingandsecuringthesedevicesbetterarebecomingmoreimportant.Oneofthethingsthatwouldfacilitatethisistheoperatingsystemrunningonthedevice.WhiletherearecurrentlyoperatingsystemsthataremorethancapableofhandlingtherequirementsofanIoTdevice,itssimplynotenough.IoTisnotjustaboutthedevice,it'salsoabouttheserviceecosystemthatprovidesmostofthevalueandfunctionalitytotheusers.That'swhyoperatingsystemsdevelopedfromthegroundupwithIoTinmindaregoingtobevaluable.

AcoupleoftheseIoT-focusedoperatingsystemswereannouncedlastyear-Microsoft'sWindows10IoT,andGoogle'sBrillo.Whileatthetimeofwritingtheseoperatingsystemsarenotyetfullyreleased,theylookpromisingandarepoisedtobecomemoresignificantinthefuture.

Thisalsomeanstheyarepotentiallyinterestingtargetsforsecuritymindedfolks,attackersanddefendersalike.

Forasecurityresearcher,investigatinganewtechnologyisasignificantpartofthejob.Understandingtheinnerworkingsofacomplextechnologysuchasanewoperatingsystem,especiallyinanexplodingfieldlikeIoT,isveryexciting.Italsogoeswithoutsayingthatassessingthesecurityofthesedeviceswillbecomeanimportantpartofasecurityresearchersjobinthefuture.

Whenassessingthesedevices,weneedtothinkabouttheirattacksurface.Typicallythiswouldincludebutwillnotbelimitedto,networkcommunicationsbetweenthedevicesanditsserviceecosystem,networkservicesrunningonthedevice,andtheapplicationsrunningonthedevice.Wehavetoknowifitcommunicatessecurelywiththecloud.Wehavetoknowwhatservicesarerunningonthedevices,oriftheyevenneedtoberunningatall.Intheeventthatanattackerhasgainedaccesstoadevice,wealsoneedtoknowtheextentofdamagetheycando.Todoallthis,weneedtobeabletoknowthetechniquesandmethodsofanalyzingadevice.Onlyafterunderstandinganddoingallthiscanwemakeeffectiverecommendationstothemanufacturersandusersalikeonhowtosecurethesedevices.

1.2 Overview

TherearethreeeditionsofWindows10IoT.

Edition Description TargetDevices

Windows10IoTEnterprise

UWPapps,Win32apps,desktopshell,x86,advancedlockdown

Kiosk,POS,ATM,Medicaldevices

Windows10IoTMobile

UWPapps,multiusersupport,lockdownfeatures

MobilePOS,Industryhandheldterminals

Windows10IoTCore

Forlow-cost,low-powerdevices.UWPappsonly.ARMandx86

Smarthomedevices,IoTgateway,digitalsignage

Windows10IoTCorewasfirstreleasedbyMicrosoftlastAugust2015.ThelastpublicreleasewaslastDecember2015.SincethenseveralWindowsInsiderPreviewbuildswerereleasedwithalotofimprovements,includingsupportfortheRaspberryPi3.ThereislittlepriorresearchonWindows10IoTCoresecurity,whichisunderstandablesinceitisstillinitsinfancy.TheonlyresearchthatweareawareofwasdonebyFFRI1andwaspresentedatCodeBlue2015.Alothaschangedsincethen,andthispaperwillreflectthosechanges.

Windows10IoTCorecurrentlysupportsfoursuggesteddevelopmentboards:

DeveloperBoard Architecture Details

RaspberryPi2 ARM 4xUSB2.0,Ethernet

RaspberryPi3 ARM 4xUSB2.0,Ethernet,OnboardWi-fiandBluetooth

MinnowboardMax x86 1xUSB2.0,1xUSB3.0,Ethernet

Dragonboard410c ARM 2xUSB2.0,OnboardWi-fiandBluetooth

Inadditiontothesesuggesteddevices,Windows10IoTCoremayalsosupportotherdevicesthatisbuiltonthesameSoCastheabovedevices.Unlessotherwisestated,theOSversiondocumentedhereisWindows10IoTCoreInsiderPreviewbuild14393.ThedevicesusedareRaspberryPis2and3.

2 INTERNALS

2.1 FastFlashUpdateImageFormat

Windows10IoTCoreimagesusetheFastFlashUpdate(FFU)imageformat.TheFFUformatisdocumentedhere2.Windows10IoTCoreusestheV2versionoftheformat.Youcanretrieveitscontents

1"ThreatAnalysisonWindows10IoTCoreandRecommendedSecurityMeasures"http://www.ffri.jp/assets/files/research/research_papers/Threat_Analysis_on_Win10_IoT_Core_en.pdf

2"FFUImageFormat"https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/mobile/ffu-image-format

byusingtheImgMount3tool,whichwillconverttheFFUfileintoaVirtualHardDrive(VHD)imageandmountit.

C:\>ImgMount.exe"c:\ProgramFiles(x86)\MicrosoftIoT\FFU\MinnowBoardMax\flash.ffu"WP8ROMImageToolsv.1.0.204htcROMImageEditor(⌐)2007-2012AnDim&XDA-DevelopersImgMountToolv.1.0.15(htcRIE)Mountingtheimagefile:'c:\ProgramFiles(x86)\MicrosoftIoT\FFU\MinnowBoardMax\flash.ffu'Loading.FFUimage...okCreatingvirtualdisk...okMountingMainOSpartitionas:'\\flash.mnt\'...ok(htcRIE)Successfullymountedanimagefile.

Ifthecommandwassuccessful,theresultingVHDimagewillbemounted.

Figure1. Windows10IoTCorefilesystemmountedbyImgMount

Ifyou'renotusingWindows,therearesomealternativetoolstodothis.ffu2img4andffu2dd5willbothconverttheFFUimageintoarawimagethatyoucanthenmountusingtheddtool.Ihaven'tusetheseasmuchthoughsoyourmileagemayvary.

3ImgMountToolv.1.0.15http://forum.xda-developers.com/showthread.php?t=2066903

4FFU2IMGhttps://github.com/t0x0/random

2.2 PartitionLayout

AWindows10IoTCoreimagecontains4partitions.

Partition FileSystem

MountPoint

Contents

EFISystemPartition FAT C:\EFIESP Bootmanager,bootconfigurations,UEFIapplications

Crashdumppartition

FAT32 D: Crashdumpdata

MainOS NTFS C: OS,registryhives,OEMapplications

Datapartition NTFS U: Applications,applicationdata,userdata

TheEFIsystempartitioncontainstheWindowsBootManager(bootmgfw.efi)andthebootconfigurationdatabase(BCD).Thecrashdumppartitionwillcontaincrashdumpswhenacrashedoccurthatcausedthedevicetorestart.TheMainOSpartitioncontainsallthecomponentsoftheOS.TheDatapartition,whichislinkedtoC:\Data,containsuserdata,installedapps,andappdata.

2.3 Bootprocess

ThetypicalbootprocessforWindows10IoTCorelookslikethis:

1. ThedevicepowersonandrunstheSoCfirmwarebootloader.

2. ThebootloaderlaunchestheUEFIenvironmentandUEFIapplications.

3. TheUEFIenvironmentlaunchestheBootManager,whichcanbefoundinC:.\EFIESP\EFI\Microsoft\boot\bootmgfw.efi.

4. TheBootManagerlaunchestheWindowsBootLoader,whichcanbefoundinC:\Windows\System32\Boot\winload.efi.

5. TheWindowsBootLoaderlaunchesthemainOS.

2.4 Apps

Windows10IoTCoresupportsdifferenttypesofapplications.FirstthereareUniversalWindowsPlatform(UWP)apps.UWPisthecommonappplatformusedinallWindows10editions.ItallowsthedevelopertotheoreticallydevelopanappthatcanrunonanyWindows10versionshemaychoosetosupport,withminimalchangesincode.InWindows10IoTCoreonlyoneappcanrunintheforegroundandiscalledthedefaultapp.Youcaninstallseveralappsonyourdevice,butonlyonecanbesetasthedefaultapp,anditislaunchwhenthesystemstarts.

BackgroundapplicationsareappsthathavenoUIandrunsonthebackground.Theyarelaunchedatdevicestartupandwillcontinuetodosoindefinitely,andwillberespawnedwhentheycrash.

Windows10IoTCorealsosupportsnon-UWPappssuchasconsoleapplications.InthiscaseyoucanonlyuseC++andWin32GUIAPIswon'tbeavailable.

5FFU2DDhttps://github.com/alxbse/ffu2dd

Windows10IoTCorecanalsobeconfiguredtorunoneitherheadedmodeorheadlessmode.InheadedmodethedefaultappdisplaysaUIandisfullyinteractive.Fordevicesthatdon'trequireanyuserinteraction,headlessmodeismoreappropriate.Youcansetyourdevicetoeithermodebyfollowingtheinstructionshere6

2.5 Security

InthissectionwewilldiscussthesecurityfeaturesimplementedinWindows10IoTCore.Windows10addednewsecurityfeaturesthatoffersignificantimprovementsoverearlierversions.Unfortunately,Windows10IoTCoredoesnotsupportallofthem.

2.5.1 What'snotinWindows10IoTCore?

Itmaybepossiblethatsomeofthesefeaturesmaybeaddedinthefuture,butatthetimeofwritingthesearenotsupported:

• SecurityfeaturesthatarebuiltontopofVirtualizationBasedSecurity(VBS)suchasCredentialGuard,DeviceGuard,andHypervisorCodeIntegrity(HVCI)

• WindowsDefender

• MicrosoftPassport

2.5.2 ASLR,DEP,andControlFlowGuard

CurrentIoTdevicesdonotusuallyimplementorenablemodernexploitmitigations,andthefacttheWindows10IoTCoreimplementsthesegivesitanadvantageoverotheroperatingsystems.ExecutablesincludedbydefaultarecompiledwithASLRandDEPenabled.Windows10IoTCorecurrentlyonlysupports32-bitboards,sotheASLRimplementationwillinherentlyhavelowerentropycomparedtothethe64-bitimplementation.ControlFlowGuard7isalsoenabledontheinstalledbinaries,andcanbebeenabledbythedeveloperontheirappbysettingthe/guard:cfswitchinthebuildconfiguration.

2.5.3 TrustedPlatformModule(TPM)

TheTrustedPlatformModule8(TPM)isasecurecrypto-processorthatprovidescryptographickeycreationandstorage.OthersecurityfeaturesimplementedinWindows10IoTCoresuchasSecureBootandBitLockerwillonlyworkwhenTPMisinstalled.

Type Description

FirmwareTPM TPMimplementedintheSoC

DiscreteTPM Chipmodulethatcanbeattachedtoaboard

SoftwareTPM SoftwareemulatedTPMusedindevelopment

6"HeadedandHeadlessmode"https://developer.microsoft.com/en-us/windows/iot/win10/headlessmode

7"ControlFlowGuard"https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx

8"TPMonWindowsIoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/tpm

TherearethreetypesofTPMs.FirmwareTPMisenabledintheDragonboard410candMinnowboardMax(firmwareversion0.8orhigher),butit'snotavailableonRaspberryPis.OndevicesthatdonotsupportfirmwareTPM,youcanuseDiscreteTPMs,whichcanbeattachedonyourchosenboard.SoftwareTPMonlyprovidesthesoftwareinterfaceforyourappanddoesnotactuallyprovideanysecurity.ItallowsyoutodevelopyourapplicationonadevicewithoutTPM(liketheRaspberryPi),butthendeployitlateronadevicewithTPMwithouthavingtochangeyourcode.

TheinstructionstosetupTPMonWindows10IoTCoredevicescanbefoundhere9.YoucanalsoconfigureTPMontheWindowsDevicePortal's"TPMconfiguration"tab.

2.5.4 SecureBoot

SecureBootisafeaturethatpreventsadevicefrombeingtamperedwithduringboottime.Itstopsthesystemforrunningbinariesthatarenotdigitallysignedbythespecifiedauthority.Itisdesignedtoprotectthesystemfromrootkits,bootkits,andotherlow-levelmalware.SecureBootonWindows10IoTCorerequiresTPMtobeinstalled.InstructionstoenableSecureBootonWindows10IoTCorecanbefoundhere10.

2.5.5 BitLocker

Windows10IoTCoreimplementsalightweightversionofBitLocker11.BitlockerallowsautomaticencryptionoftheuserandsystemfilesontheOSdrive.BitlockeronWindows10IoTCorerequiresTPMtobeinstalled.InstructionstoenableBitLockeronWindows10IoTCorecanbefoundhere12.

2.5.6 WindowsUpdate

OneofthemostpressingproblemsinIoTsecurityisthedevicefirmwareupdateproblem.Vendorsusuallydonotimplementautomaticupdatefunctionalityandupdateshavetobedonemanually.Traditionally,devicefirmwareupdateisnotconsideredansimpleprocess,ofteninvolvingseveralstepssuchasdownloadingthefirmwareupdatefromthevendor'swebsite,connecttothedevice'swebmanagementinterface,uploadthefirmwareupdate,restartthedevice,etc.Insomecasesitmayeveninvolvepressingsomebuttoncombinationorsomesortofunusualprocedurejusttoputthedeviceinfirmwareupdatemode.Formostusers,thisisjusttoomucheffortandtheywilltendtoputoffapplyingupdates.Thisleavesthedeviceinaknowninsecurestateuntiltheupdateisapplied.

Anotherissueishowtomanagetheupdatesofalotofdevices.Ahomeofthefuturecanpotentiallyhavedozens,maybehundredsofIoTdevicesinstalledandmonitoringwhichdevicesneedupdatesanddoingtheupdateitselfwouldbeimpossibletomanage.

9"SetupTPMonSupportedPlatforms"https://developer.microsoft.com/en-us/windows/iot/win10/SetupTPM.htm

10"EnablingSecureBootandBitLockerDeviceEncryptiononWindows10IoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/sb_bl

11"BitLockerOverview"https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview

12"EnablingSecureBootandBitLockerDeviceEncryptiononWindows10IoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/sb_bl

WindowsUpdatesolvesthisproblemfordevicesrunningWindows10IoTCore,asitwasaddedinanInsiderPreviewBuildearlierthisyear.Updatesoccurautomatically,anditcan'tbedisabledeasily.Ifyouwanttodisable,orwanttohavescheduledupdates,youhavetoavailoftheProeditionofWindows10IoTCore.YoucancheckforupdatesusingtheWindowsDevicePortal's"WindowsUpdate"tab.

3 ATTACKSURFACE

Inthissection,wewillenumeratethedifferentpotentialentrypointsanattackercanleveragetogainaccesstoaWindows10IoTCoredevice.NotethatinthispaperwewillonlytalkabouttheattacksurfaceexposedbythedeviceorOSitself.Theattacksurfacewillbebiggerifyoufactorinthedevice'sconnectivitywithIoTplatformsandservicessuchasMicrosoftAzure.However,itisoutsideofthescopeofthispaper,andwouldwarrantawholepapertoitself.

3.1 NetworkServices

UsingNmap,wecanseetheopenservicesonafreshlyinstalledWindows10IoTCoredevice.

StartingNmap7.12(https://nmap.org)at2016-07-1301:33MalayPeninsulaStandardTimeNmapscanreportfor10.0.1.108Hostisup(0.020slatency).Notshown:996closedportsPORTSTATESERVICE22/tcpopenssh135/tcpopenmsrpc445/tcpopenmicrosoft-ds8080/tcpopenhttp-proxyMACAddress:B8:27:EB:B5:A9:E0(RaspberryPiFoundation)Nmapdone:1IPaddress(1hostup)scannedin3.24seconds

3.1.1 WindowsDevicePortal

EveryeditionofWindows10providesawebinterfacethatyoucanusetomanageandconfigureyourdeviceremotelycalledWindowsDevicePortal.It'senabledbydefaultinWindows10IoTCoreandrunsupondevicestartup.Youcanaccessitbyconnectingtohttp://<deviceip>:8080.ThefilesfortheWindowsDevicePortalcanbefoundinC:\Windows\WebManagement\wwwonthedevice.

Here'sasummaryofthetabscurrentlyavailable.

Utility Function

Home Deviceinformation,changedevicename/password,timezonesettings

Apps Install/uninstallofapps

AppFileExplorer Fileexplorerforinstalledappslocations

Processes Runningprocesseslist,processmemoryusage,andprocesstermination

Performance RealtimegraphicaldisplayofCPUandI/Ousage

Debugging StartingVSremotedebugger,downloadingoflivekernelandprocessdumps

ETW Eventtracing

PerfTracing TraceloggingofCPU,disk,andmemoryusage

Devices Devicemanagerforperipheralsattachedtothedevice

Bluetooth Bluetoothdevicesearch

Audio Devicespeakerandmicrophonevolumeadjustments

Networking WiFiconfiguration

WindowsUpdate Lastupdatetimestamp,checkforupdates

IoTOnboarding InternetConnectionSharingsettings,SoftAPsettings,AllJoynonboardingsettings

TPMConfiguration TPMinstallation,configuration,andprovisioning

Remote EnableWindowsIoTRemoteServer

Let'stalkaboutsomeofthemoreinterestingones.TheAppstaballowsyoutoinstall/uninstallanapponthedevice.Italsoshowsalistofthecurrentlyinstalledappsandtheirstatus.Youcanalsousethistabtosetanappasthedefaultapp.

TheProcessestabshowsalistoftherunningprocessesonthedevice.Italsoshowstheprocessowner,sessionid,CPUusage,andmemoryusage.Youcanalsoterminateaprocessfromthistab.Thereisalsoaboxwhereyoucanenteracommandandhaveitrunonthedevice.

TheDebuggingtabcontainsoperationsrelatedtodebuggingandcrashdumping.HereyoucanclickabuttontostarttheVisualStudioRemoteDebuggerwhenyouwanttodebugyourapprunningonthedevicefromVisualStudio.Therearealsobuttonsthatallowyoutodownloadlivekernelandprocessesdumps.WelookmoreintocrashdumpsintheDynamicAnalysissection.

TheWindowsUpdatetabshowsthelatestupdateinformationandabuttontocheckifanupdateforthedevice'sOSisavailable.

IntheTPMConfigurationtabyoucanselectwhichtypeofTPMyouwanttoenable.Dependingonthedevice,youcanselectfromfirmwareTPMs,variousdiscreteTPMs,andsoftwareTPM.

TheRemotetaballowsyoutoenabletheWindowsIoTRemoteServer.Wewilldiscussmoreaboutthisfeaturebelow.

WhiletheWindowsDevicePortalisusefulfordevicemanagement,itcanbeasecurityliabilityifnotconfiguredproperly.InWindows10IoTCore,thedefaultAdministratorpasswordishardcodedonthedevice.YoucanlogintotheWindowsDevicePortalusingthedefaultAdministratorcredentials(Username:Administrator,Password:p@ssw0rd).Ifyoudidnotbothertochangethedefaultpassword,yourdeviceissusceptibletounauthorizedaccess.Forexample,anattackercanuseShodan13tosearchfordevicesrunninganHTTPserveronport8080thatreturnsabannercontainingthestring"WindowsDevicePortal".ThatShodansearchwillyieldaresultsimilartothis:

13Shodanhttps://www.shodan.io/

Figure2. ShodanresultswhensearchingfortheWindowsDevicePortalbanner

NowtheattackercanconnecttothedeviceandattempttologinusingthedefaultAdministratorcredentials.

TheWindowsDevicePortalalsousesBasicAuthenticationbydefault,soanyonewhoissniffingonthenetworkcaneasilystealthecredentials.WecanfixbyusingHTTPSfortheWindowsDevicePortalinsteadofHTTP.Todoso,connecttothedevicethroughremotePowerShellorSSHandrunthefollowingcommands:

#EnableHTTPSRegaddHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IoT\webmanagement/vUseHttps/tREG_DWORD/d1/f#SetHTTPSportRegaddHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IoT\webmanagement

/vHttpsPort/tREG_DWORD/d<PORT>/f#Restartservicenetstopwebmanagement&netstartwebmanagement

ThefunctionalityoftheWindowsDevicePortalisbuiltonasetofRESTAPIsthatyoucanusetocontrolandconfigureyourdevicesprogrammatically.Asfarasweknow,therearecurrentlynotoolsavailabletocontrolorconfiguremultipledevicesatonce,sothisAPIisespeciallyusefulwhenwritingyourowntoolstodoso.There'ssomedocumentationsavailablehere14,butamoreupdatedversioncanbefoundbygoingto<deviceip>:8080/restdocumentation.htm,orbetteryetbyreadingtheJavaScriptsourcecodeinC:\Windows\WebManagement\www\iot\jsfolderonthedevice.

3.1.2 SSH

Windows10IoTCoreallowsremoteadministrationandconfigurationthroughSSH,anditisenabledbydefault.SSHloginalsousesthedefaultAdministratorcredentials,soiftheuserneglectedtochangethis,anattackercaneasilygainaccess.Itcanalsobesusceptibletopasswordguessingandbrute-forceattacks.

3.1.3 WindowsFileSharing

WindowsFileSharingstartsatboottime,andyouonlyneedtheIPaddressofthedeviceandusercredentialstoaccessit.Itisalsosusceptibletotheaforementioneddefaultlogincredentialsattack.

3.1.4 WindowsIoTRemoteServer

WindowsIoTRemoteServerisafeaturethatallowstheUIoftheUWPapplicationrunningonthedevicetobeviewedremotelythroughaclientapplicationrunningonatabletmobilephone,orPC.YoucanenableWindowsIoTRemoteServerbycheckingtheenableboxintheRemotetaboftheWindowsDevicePortal.Onceenabled,thefileNanoRDPServer.exewillbeexecutedonthedeviceandwillstartlisteningonport8000forincomingconnections.

Figure3. RemoteServertabintheWindowsDevicePortal

14"DevicePortalcoreAPIreference"https://msdn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal-api-core

Tousethisremotedisplayfeature,youneedtoinstalltheWindowsIoTRemoteClientappthatcanbedownloadedfromtheWindowsStore.However,thisfeaturedoesnotuseanyauthentication,soanyonewhoknowstheIPaddressofthedevicecanconnecttoitusingtheremoteclientandremotelycontrolyourdevice.

3.2 DeviceDriversVulnerabilities

DevicedrivervulnerabilitiesareanotherpotentialattackvectoronWindows10IoTCoredevices.IoTdevicesobviouslyneedconnectivitywithotherdevicesinordertobeuseful.Tofacilitatethisdeviceswouldneedtousebuilt-inorexternalperipherals,andtheseperipheralsrequiredevicedriverstooperate.Thesedevicedriversmaycontainvulnerabilitiesthatcouldgiveanattackerremoteaccesstothedeviceifsuccessfullyexploited.

Driversforwirelessconnectivity,suchasforWifi,Bluetooth,Zwave,Zigbeeetc,areviabletargets.Oneadvantageoftargetingdriversisthatsuccessfullyexploitingthemwilloftenresultinkernellevelprivilege.

3.3 MalwareSusceptibility

MalwarethreatsagainstWindows10IoTCoredevicesisindeedpossible.Aswehaveshownabove,logincredentialsthatarehardcodedandarenotchangedafterinstallmakesyourdevicessusceptibletoattacks.ThisishowcurrentIoTmalwaretypicallyinfectanIoTdeviceandwethinkthatitwillstillbeoneofthemostcommoninfectionmethodusedbymalwareinthefuture.

Anotherpossibleinfectionmethodistheexploitationofvulnerabilitiesonthenetworkservicesrunningonthedevice.ThismaynotbeascommonasthelogincredentialsmethodbuttherearemalwarethatdoesthisagainstembeddedLinuxdevices.

AnotherpossiblewaythataWindows10IoTCoredevicemaybecompromisedbyamalwareisthroughlateralinfectioncomingfromanalreadyinfectedmachine.ThereareseveralwaysinwhichamalwarecangainaccesstoaWindows10IoTCoredeviceonthesamenetwork.

OnescenarioisforthemalwaretosniffonthenetworkandlookfortraffictotheWindowsDevicePortal.SincebydefaultitusesBasicHTTPAuthentication,thecredentials

Forexample,amalwarehasinfectedamachinethatwasusedtologintoaPowerShellsessiononaWindows10IoTCoredevice.Inthiscasetheattackerdoesn'tneedtoknowthelogincredentialsforthedevicebeforehand.Usingatoollikemimikatz15willyieldthefollowingresults:

C:\>mimikatz.exe.#####.mimikatz2.1(x64)builtonJul11201600:32:57.##^##."ALaVie,AL'Amour"##/\##/***##\/##BenjaminDELPY`gentilkiwi`(benjamin@gentilkiwi.com)'##v##'http://blog.gentilkiwi.com/mimikatz(oe.eo)'#####'with20modules***/

15"Mimikatz:AlittletooltoplaywithWindowssecurity"https://github.com/gentilkiwi/mimikatz

mimikatz#privilege::debugPrivilege'20'OKmimikatz#sekurlsa::sspAuthenticationId:0;247557(00000000:0003c705)Session:Interactivefrom1UserName:polsabDomain:DESKTOP-39HUL88LogonServer:(null)LogonTime:7/20/20166:15:59PMSID:S-1-5-21-4294890806-594742593-2658599142-1001ssp:[00000000]*Username:Administrator*Domain:10.0.1.108*Password:diwata

Inthisinstance,we'veloggedintotheAdministratoraccountonthedevicewithIPaddress10.0.1.108usingthepassword"diwata",andmimikatzcangetthisinfofromtheinfectedmachine'sRAM.

4 HACKINGWINDOWS10IOTCORE

Inthissection,wewilldiscussthevarioustechniquesthatwecanusewhentryingtoassessthesecurityofaWindows10IoTCoredevice.

4.1 PassiveDeviceDiscovery

Windows10IoTCoredevicesadvertisetheirpresenceinthenetworkbysendingoutmulticastUDPpackets.ThisishowtheIoTDashboardisabletolisttherunningdevicesinthelocalnetwork.

Figure4. IoTDashboarddisplayingthediscovereddevices

Wecanalsodothisbylisteningformulticastdatagramssentbythedevicesandparsingthedatapayload.Thedatagramsaresenttothemulticastgroup239.0.0.22andmulticastport6andcontainsthedevicename,IPaddress,OSversion,MACaddress,BIOSserial,devicetype,anddevicearchitecture.

Figure5. Multicastdatagrams

Thefixedlengthdatacontainsthedeviceinformation.AllstringsareinUnicode.

Offset Description

0 Devicename

0x42 IPaddress

0x64 MACaddress

0x96 BIOSserialnumber

0xe6 DeviceType

0x14a OSversion

0x1ae Devicearchitecture

4.2 PowerShell

Oneofmostusefulbuilt-infeaturesinWindows10IoTCoreisremotedeviceadministrationandconfigurationusingPowerShell.However,PowerShellisnotjustusefulforsystemadministration.Itisalsoapowerfultooltouseinsecurityassessments.TherearealotofexistingPowerShellmodules-bothbuilt-inandfromthird-partydevelopers-thatcouldassistinreversingandpenetrationtesting.NotallofthemwillworkinWindows10IoTCore,butsomeofthosethatwehaveusedareCimSweep16forremotelygatheringdeviceinformation,AutoRuns17tolistautorunentries.

Here'sanexampleusingCimSweeptolistAutostartentries:

PSC:\WINDOWS\system32>$CimSessionPi2=New-CimSession-ComputerName10.0.1.110-CredentialAdministratorPSC:\WINDOWS\system32>Get-CSRegistryAutoStart-CimSession$CimSessionPi2Path:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonAutoRunEntry:ShellImagePath:IotShell.exeCategory:LogonPSComputerName:10.0.1.110Path:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonAutoRunEntry:UserinitImagePath:userinit.exeCategory:LogonPSComputerName:10.0.1.110Path:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonAutoRunEntry:VMAppletImagePath:SystemPropertiesPerformance.exe/pagefileCategory:LogonPSComputerName:10.0.1.110Path:HKLM\SYSTEM\CurrentControlSet\Control\SessionManagerAutoRunEntry:BootExecuteImagePath:autocheckautochk*Category:BootExecutePSComputerName:10.0.1.110<snip>

Alternatively,youcanalsouseAutoRunswhichcanshowyoumoreautorunsentries.However,youcanonlyruniton-device.

16CimSweephttps://github.com/PowerShellMafia/CimSweep

17AutoRunsPowershellModulehttps://github.com/p0w3rsh3ll/AutoRuns

ToenableremotePowerShellsessions,followthestepsoutlinedhere18

4.3 Staticanalysis

ThereisgoingtobelittledifferenceinreversingaconsoleapplicationcompiledforWindows10IoTCoreversusonecompiledforthedesktop,buttherearesomethingstotakenotewhenreversingWindowsAppsakaUniversalWindwosPlatform(UWP)19apps.InstalledWindowsappscanbefoundintheDatapartition(U: \,alsolinkedwithC:\Data),specificallyintheU:\Programs\WindowsAppsfolder.Appinstallationfolderswillcontainatleastthefollowing:

Filename Description

<app_name>.exe Appstartupstub

<app_name>.dll Appcode

AppManifest.xml UWPapppackagemanifest

AppBlockMap.xml Cryptographicblockhashesforfilesinpackage

AppxSignature.p7x Apppackagedigitalsignaturefile

Inadditiontotheabovefiles,otherDLLsandXBF(binaryXAML)filesusedbytheapplicationmaybefoundintheappfolder.There'salsoanassetsfolderthatcontainsresourceslikeimagesandfontsthattheappuses.The<app_name>.exefileissimplyastubthatcallsthemainexportedfunctioninthefile<app_name>.dll.ThisDLLcontainstheapplication,.NETFramework,andthird-partylibrarycodes.

Here'show<app_name>.exelookslike:

Figure6. Appstartupstub

18"UsingPowerShelltoconnectandconfigureadevicerunningWindows10IoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/samples/powershell

19"GuidetoUniversalWindowsPlatform(UWP)apps"https://msdn.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide

AllUWPbinariesarecompiledtonativecodeusing.NETNative20soallreversingwillbedoneagainstx86orARMcodedependingonthetargetdevice.Thecodewillbecompiledfromthesamesourcesooneadvantageofthisisthatyoucanchoosewhicharchitectureyou'remorecomfortablereversing,andthenchoosetheversionofthebinarycompiledforthatarchitecturebyinstallingitonadevicethatrunsonthatarchitecture.AnotherthingtoconsideristhatwhilewecandealwithcodewritteninC++likewe'vealwaysdone,ifthecodewaswrittenoriginallyinC#orVisualBasic,itwouldbedifferent.Binarieswrittenin.NETlanguagesarecompiledintoIL(intermediatelanguage)codeandwecandecompilethemusing.NETdecompilerslikeILSpy21or.NETReflector22.WithUWPappstheyarenowcompiledintonativecodesowecan'tusethosedecompilersanymoresowehavetodealwiththeidiosyncrasiesintheresultingnativecodeduetotheconversiondone.

4.4 Dynamicanalysis

Nowwe'lltakelookathowtodynamicallyanalyzeaWindows10Corebinaryusingadebugger.

4.4.1 KernelDebuggingusingWinDbg

Todynamicallyreversekernel-levelcodesuchasdevicedrivers,weneedtodokerneldebuggingusingWinDbg.Thegeneralinstructionstodothiscanbefoundhere23.

Let'susetheRaspberryPi3asanexample.WewillbeusingaShikra24asourUSB-to-UARTadapterbutfeelfreetouseanyofotheronesliketheBusPirate25.YoucangetthepinmappingsfortheShikrahere26andfortheRaspberryPi2&3here27.

First,connecttheShikra'sTXpintotheRaspberryPi'sRXpin,andtheShikra'sRXpintotheRaspberryPi'sTXpin.Connectthegroundpinsforbothaswell.

20"CompilingAppswith.NETNative"https://msdn.microsoft.com/en-us/library/dn584397(v=vs.110).aspx

21ILSpy.NETDecompilerhttp://ilspy.net/

22.NETReflectorhttp://www.red-gate.com/products/dotnet-development/reflector/

23"DebuggingWindows10IoTCoreDevicesUsingWinDbg"https://developer.microsoft.com/en-us/windows/iot/win10/windbg

24"UsingShikraToAttackEmbeddedSystems"http://www.xipiter.com/musings/using-the-shikra-to-attack-embedded-systems-getting-started

25BusPiratehttp://dangerousprototypes.com/docs/Bus_Pirate

26"Shikrapinouts"http://www.xipiter.com/uploads/2/4/4/8/24485815/shikra_documentation.pdf

27"RaspberryPi2&3PinMappings"https://developer.microsoft.com/en-us/windows/iot/win10/samples/pinmappingsrpi2

Figure7. ConnectingtheShikratoaRaspberryPi3'sUARTpins

Next,connecttoyourdeviceusingremotePowerShellorSSH.Youwillthenneedtoenableserialdebuggingandturnonturnondebuggingwiththefollowingcommands:

#Enableserialdebuggingbcdedit-dbgsettingsserial#Turnondebuggingbcdedit-debugon

YoucanfindouttheCOMportusedbyyourUSB-to-serialadapterbyusingtheDeviceManager,orbyrunningthefollowingPowerShellcommand:

Get-WMIObjectWin32_pnpentity|?Name-like"*Serial*COM*"

Here'sasampleoutput:

__GENUS:2__CLASS:Win32_PnPEntity__SUPERCLASS:CIM_LogicalDevice__DYNASTY:CIM_ManagedSystemElement__RELPATH:Win32_PnPEntity.DeviceID="FTDIBUS\\VID_0403+PID_6014+5&3278CBC5&0&3\\0000"__PROPERTY_COUNT:26__DERIVATION:{CIM_LogicalDevice,CIM_LogicalElement,CIM_ManagedSystemElement}__SERVER:DESKTOP-39HUL88__NAMESPACE:root\cimv2__PATH:\\DESKTOP-39HUL88\root\cimv2:Win32_PnPEntity.DeviceID="FTDIBUS\\VID_0403+PID_6014+5&3278CBC5&0&3\\0000"Availability:Caption:USBSerialPort(COM3)ClassGuid:{4d36e978-e325-11ce-bfc1-08002be10318}CompatibleID:ConfigManagerErrorCode:0ConfigManagerUserConfig:FalseCreationClassName:Win32_PnPEntityDescription:USBSerialPortDeviceID:FTDIBUS\VID_0403+PID_6014+5&3278CBC5&0&3\0000ErrorCleared:ErrorDescription:HardwareID:{FTDIBUS\COMPORT&VID_0403&PID_6014}InstallDate:LastErrorCode:Manufacturer:FTDIName:USBSerialPort(COM3)PNPClass:PortsPNPDeviceID:FTDIBUS\VID_0403+PID_6014+5&3278CBC5&0&3\0000PowerManagementCapabilities:PowerManagementSupported:Present:TrueService:FTSER2KStatus:OKStatusInfo:SystemCreationClassName:Win32_ComputerSystemSystemName:DESKTOP-39HUL88PSComputerName:DESKTOP-39HUL88

Intheaboveexample,theUSB-to-serialadapterusesCOM3.Youcannowremotelydebugthedevicefromyourmachinebyrunningthefollowingcommand(Makesureyouareusingthex86versionofWinDbg):

#PORTistheCOMportnumberusedbyyourUSB-to-serialadapterwindbg.exe-kcom:port=<PORT>,baud=921600

IfallgoeswellyouwillseeWinDbgspawnedlikethis:

Microsoft(R)WindowsDebuggerVersion10.0.10586.567X86Copyright(c)MicrosoftCorporation.Allrightsreserved.

Opened\\.\com3Waitingtoreconnect...

RestarttheRaspberryPiandyouwillseethis:

ConnectedtoWindows1014393ARM(NT)Thumb-2targetat(SunJul2419:32:43.1112016(UTC+8:00)),ptr64FALSEKernelDebuggerconnectionestablished.Symbolsearchpathis:srv*Executablesearchpathis:***ERROR:Symbolfilecouldnotbefound.Defaultedtoexportsymbolsforntkrnlmp.exe-Windows10KernelVersion14393MP(1procs)FreeARM(NT)Thumb-2Builtby:14393.0.armfre.rs1_release.160715-1616MachineName:Kernelbase=0x80c1b000PsLoadedModuleList=0x80e07c78SystemUptime:0days0:00:00.000Breakinstructionexception-code80000003(firstchance)**********************************************************************************Youareseeingthismessagebecauseyoupressedeither**CTRL+C(ifyourunconsolekerneldebugger)or,**CTRL+BREAK(ifyourunGUIkerneldebugger),**onyourdebuggermachine'skeyboard.****THISISNOTABUGORASYSTEMCRASH****Ifyoudidnotintendtobreakintothedebugger,pressthe"g"key,then**pressthe"Enter"keynow.Thismessagemightimmediatelyreappear.Ifit**does,press"g"and"Enter"again.*************************************************************************************ERROR:Symbolfilecouldnotbefound.Defaultedtoexportsymbolsforntkrnlmp.exe-nt!DbgBreakPointWithStatus:80c40d90defe__debugbreak

4.4.2 DebuggingusermodeprocessesusingWinDbg

Debuggingusermodeprocessesisabiteasierthankernel-modedebugging.Youonlyneedanetworkconnectiontoyourdevice.Wearegoingtousedbgsrv.exe(whichcanbefoundonthedevice'sC:\Windows\System32\Debuggersfolder)onthedeviceandWindbgonthedebugginghostmachine.Firstweneedtomakedbgsrv.exelistenonaportonthedevicesowecanconnecttoit.Onthedevice,runthefollowingcommandusingPowerShellorSSH:

#PORTisthelocalportyouwantdbgsrvtolistenondbgsrv.exe-ttcp:port=<PORT>

InWindbgrunningonthedebugginghost,gotoFile>ConnecttoRemoteStubandentertheIPaddressofyoudeviceandyourchosenportintheformatshown,thenclickOK:

GotoFile>AttachtoaProcessandselecttheprocessyouwanttoattachto:

Microsoft(R)WindowsDebuggerVersion10.0.10586.567X86Copyright(c)MicrosoftCorporation.Allrightsreserved.***waitwithpendingattachSymbolsearchpathis:srv*Executablesearchpathis:ModLoad:01110000011db000C:\windows\system32\WebManagement.exeModLoad:7740000077565000C:\windows\SYSTEM32\ntdll.dll

ModLoad:77270000773fe000C:\windows\System32\KERNELBASE.dllModLoad:76fc0000771cb000C:\windows\System32\combase.dllModLoad:76e6000076f0e000C:\windows\System32\ucrtbase.dllModLoad:76cb000076d2c000C:\windows\system32\msvcrt.dllModLoad:76f1000076fbe000C:\windows\System32\RPCRT4.dllModLoad:76e2000076e58000C:\windows\System32\kernel32legacy.dllModLoad:76dd000076e1a000C:\windows\System32\bcryptPrimitives.dllModLoad:772300007726c000C:\windows\System32\sechost.dllModLoad:7646000076489000C:\windows\system32\IPHLPAPI.DLLModLoad:76490000764ea000C:\windows\system32\WS2_32.dll<snip...>(69c.280):Breakinstructionexception-code80000003(firstchance)ntdll!DbgBreakPoint:77422740defe__debugbreak0:005>!pebPEBat00928000InheritedAddressSpace:NoReadImageFileExecOptions:NoBeingDebugged:YesImageBaseAddress:01110000Ldr774eb9e0Ldr.Initialized:YesLdr.InInitializationOrderModuleList:00c41738.00c4fcd0Ldr.InLoadOrderModuleList:00c41810.00c4fcc0Ldr.InMemoryOrderModuleList:00c41818.00c4fcc8BaseTimeStampModule111000057898ebeJul1609:32:462016C:\windows\system32\WebManagement.exe7740000057898ba5Jul1609:19:332016C:\windows\SYSTEM32\ntdll.dll7727000057898c4cJul1609:22:202016C:\windows\System32\KERNELBASE.dll76fc000057898c6dJul1609:22:532016C:\windows\System32\combase.dll76e6000057898b83Jul1609:18:592016C:\windows\System32\ucrtbase.dll76cb000057898fadJul1609:36:452016C:\windows\system32\msvcrt.dll76f1000057898cd8Jul1609:24:402016C:\windows\System32\RPCRT4.dll76e2000057898eb7Jul1609:32:392016C:\windows\System32\kernel32legacy.dll76dd000057898f49Jul1609:35:052016C:\windows\System32\bcryptPrimitives.dll7723000057898f0aJul1609:34:022016C:\windows\System32\sechost.dll7646000057898c40Jul1609:22:082016C:\windows\system32\IPHLPAPI.DLL7649000057898eafJul1609:32:312016C:\windows\system32\WS2_32.dll<snip...>0:005>u$exentry***ERROR:ModuleloadcompletedbutsymbolscouldnotbeloadedforWebManagement.exeWebManagement+0xa6631:011b6630e92d4800push{r11,lr}011b663446ebmovr11,sp011b6636f000fb65blWebManagement+0xa6d04(011b6d04)011b663ae8bd4800pop{r11,lr}011b663ef7ffbf25b.wWebManagement+0xa648c(011b648c)011b66420000movsr0,r0011b6644f24c6c64movr12,#0xC664011b6648f2c01c1cmovtr12,#0x11C

4.4.3 Crashdumpanalysis

CrashdumpscanbefoundintheC:\CrashDumpfolderonthedevice,butyoucanalsogeneratelivedumpsforthekerneloranyuser-modeprocessbyusingtheWindowsDevicePortal'sDebuggingtab.

Figure8. DebuggingtaboftheWindowsDevicePortal

Asanexample,let'sdownloadaliveprocessofdumptheusermodeprocessWebManagement.exe.Clickontheiconontheleftsideoftheprocessnametodownloadthedumptoyourbrowser'sDownloadfolder.FromWinDbggotoFile>OpenCrashDump,andyou'regoodtogo.

Microsoft(R)WindowsDebuggerVersion10.0.10586.567X86Copyright(c)MicrosoftCorporation.Allrightsreserved.LoadingDumpFile[d:\winiot\WebManagement.exe-LiveUM-2016-07-24-12-36-09.dmp]UserMiniDumpFile:Onlyregisters,stackandportionsofmemoryareavailableSymbolsearchpathis:srv*Executablesearchpathis:Windows10Version14376MP(4procs)FreeARM(NT)Thumb-2Product:WinNt,suite:SingleUserTSBuiltby:10.0.14376.0(rs1_release.160624-1700)MachineName:Debugsessiontime:MonJul2503:36:09.0002016(UTC+8:00)SystemUptime:notavailableProcessUptime:1days4:48:37.000........................................................................

Loadingunloadedmodulelist.CannotreadPEB32fromWOW64TEB32ffffffff-Win32error0n30UnabletoloadimageC:\Windows\System32\ntdll.dll,Win32error0n2***WARNING:Unabletoverifytimestampforntdll.dllntdll!NtWaitForSingleObject+0x6:***WARNING:UnabletoverifytimestampforKERNELBASE.dll77320ab64770bxlr{KERNELBASE!WaitForSingleObjectEx+0xc0(76fedf30)}0:000>|.0id:698examinename:C:\Windows\System32\WebManagement.exe0:000>!pebPEBat032f8000InheritedAddressSpace:NoReadImageFileExecOptions:NoBeingDebugged:NoImageBaseAddress:00a00000Ldr773eb9e0Ldr.Initialized:YesLdr.InInitializationOrderModuleList:034a1730.034ae758Ldr.InLoadOrderModuleList:034a1808.034ae748Ldr.InMemoryOrderModuleList:034a1810.034ae750BaseTimeStampModulea00000576dee48Jun2510:36:562016C:\windows\system32\WebManagement.exe77300000576deb18Jun2510:23:202016C:\windows\SYSTEM32\ntdll.dll76f20000576debe7Jun2510:26:472016C:\windows\System32\KERNELBASE.dll770b0000576debdaJun2510:26:342016C:\windows\System32\combase.dll76ce0000576deb16Jun2510:23:182016C:\windows\System32\ucrtbase.dll76e30000576ded32Jun2510:32:182016C:\windows\System32\RPCRT4.dll76de0000576dee1bJun2510:36:112016C:\windows\System32\kernel32legacy.dll76d90000576deeaaJun2510:38:342016C:\windows\System32\bcryptPrimitives.dll

4.5 Fuzzingapproaches

Fuzzingisoneofthemosteffectivewaysinfindingvulnerabilitiesinsoftware.It'sanobrainertoattempttothisonWindows10IoTCoreaswell.UnfortunatelyduetothelackofexistingtoolsforthisOStheapproachwehavebeendoingisfarfromefficient-spawningprocessesusingadebugger,nocoveragemeasurement,etc.Remotecontrol(devicerestart,processstart/stop,crashdumpcollection)isdonethroughtheWindowsDevicePortal'sRESTAPIs.It'sbasicallyfuzzinglikeits2007.Alsothedevice'slowCPUpowerseverelylimitstherateoffuzzingiterationswecando.

Figure9. Theauthor'slacklusterfuzzcluster

Oneinterestingapproachwouldbecorpusdrivenfuzzing28.WebelievethiswillbeeffectiveespeciallywhenfuzzingaUWPappwhichitispossibletogetholdholdofabuildfortheWindows10desktope.g.fromtheWindowsStore.Basicallywedon'tfuzzonthedevice.Wefuzztheappusingthedesktopversionusingwhatevermeansofinstrumentationtomeasurecodecoverageandwecollectthecorpora(samples)thatresultedinwidercodecoverageasmeasuredbytheinstrumentation.Aftercollectingthebestones,wecanthenapplythesecorporaontheapprunningonthedevicewithouthavingtoinstrumentit.Allwehavetotheniscollectthecrashesandanalyzethemforexploitability.ThiswaywecanatleasteasetheloadontheCPUandwon'tneedasmuchtooling.

28"TheArtofFuzzingWithoutFuzzing"https://github.com/bnagy/slides/blob/master/fuzzing_without_pub.pdf

Ofcourse,thisapproachwon'tbeapplicableifyouwanttofuzzdriversforperipherals,orfuzzappsthatinteractwithhardware.Inthosecasesyouhavetodoon-devicefuzzing.However,therearesomepromisingdevelopmentsrecentlythatmaymakethesituationbetter.OneofthoseisthereleaseofWinAFL29.WinAFLisaWindowsforkoftheverypopularfuzzerAFL30.WhileAFLusescompile-timeinstrumentation,WinAFLusesDynamoRIOfordynamicinstrumentationtomeasurecoverage.ThechallengerightnowistomakeDynamoRIOworkonanARMdeviceliketheRaspberryPi.Thisiscurrentlyanongoingprojectthatwehaveembarkedandhopefullywewillhavesomethingtoshowfortheeffortinthenearfuture.

5 RECOMMENDATIONS

Let'ssummarizethevariouswayswecanminimizetherisksagainstWindows10IoTCoredevices.

5.1 Segmentyournetworks

SegregatingyourIoTdevicesfromyourtraditionalcomputingdevicessuchaslaptopsandserversishighlyrecommended.Thisisespeciallyeffectiveincaseswhereoneofyourmachineshavebeencompromised,andtheattackerislookingtolaterallymovethroughnetwork.Thiswillalsoeffectiveinisolatingincidentsandconductingcleanups.

5.2 Disableunnecessarynetworkservices

Networkservicesthatarenotusedinproductionshouldbedisabled.ServicesthatareenabledbydefaultinWindowsIoTCoreincludeSSHandWindowsFileSharing.Todisablefilesharingonstartup,runthefollowingcommandusingSSHorPowerShell:

regaddHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver/vStart/tREG_DWORD/d0x3/f

5.3 ChangeDefaultAdministratorPassword

TheAdministratorpasswordishardcodedintheWindows10IoTCoreimage.DefaultlogincredentialsthattheuserfailedtochangeisstillthemostcommonwayinwhichamalwareinfectsanIoTdevices.Changingthedefaultpasswordimmediatelyafterinstallwillgoalongwayinavoidingunauthorizedaccess.YoucanchangethedefaultAdministratorpasswordbyusingthefollowingcommandusingSSHorPowerShell:

netuserAdministrator<newpassword>

29"AforkofAFLforfuzzingWindowsbinaries"https://github.com/ivanfratric/winafl

30AmericanFuzzyLop(AFL)http://lcamtuf.coredump.cx/afl/

5.4 UseadevicethatsupportsTPM

UsingRaspberryPisforhobbyprojectsisfine,butifyouaregoingtobuildadevicethatisgoingtobeusedinmoresensitivesituationse.g.homesecurity,youshouldbeusingboardsthatsupportTPM.YourchoicesfornowshouldbebetweenaMinnowboardMaxandaDragonboard410c,oruseadiscreteTPMwithaRaspberryPi.

5.5 Takeadvantageofavailablesecurityfeatures

Sonowyou'reusingaboardwithTPM.MakesureyouenableandsetupsecurityfeaturessuchasSecureBootandBitLocker.

6 CONCLUSION

Inthispaper,welaidoutthevariousattacksurfacesthatmaybetakenadvantageofbyattackerstogainaccesstoaWindows10IoTCoredevice.WealsoenumeratedtechniquestogetyoustartedinanalyzingWindows10IoTCoredevices.Built-infeatureslikePowerShellandthemanysecurity-relatedtoolswritteninithelpsagreatdealinassessingthesecurityofadevice.Wealsolearnedthatleavingdeviceconfigurationsatitsdefaultsettings,amongotherthings,areasurefirewaytoleaveyourdevicesusceptibletoattacks,andwegavesomerecommendationsonhowtoavoidthis.

Windows10IoTCoreisstillinitsearlystage,butwebelievethatonceitsmaturesitwillbecomeamoreviablealternativetotheotherIoTfocusedOSesthatcurrentlyexist.AsidefromthemanyfeaturesthisOSoffers-includingthesecurityfeatureswediscussedearlierinthispaper-whatmakesthisOSattractiveisthattherearealotofenterprisesanddevelopersalreadyinvestedinMicrosofttechnologies,andtheycanleveragetheknowledgeandexpertisetheyalreadyhaveindevelopingtheIoTdevicesofthefuture.Assuch,weexpectWindows10IoTCoretobecomeoneofthemajorIoTOSesinthefuture.ThiswouldalsomeanthatthisOSwillbeamoreattractivetargetforattackers,anditisourhopethattocounterthis,morepeoplewillengageinsecurityresearchtargetingthisOS,andthatthispaperhassomehowhelpencouragedit.

Finally,anycorrections,questions,orcommentsregardingthispaperareverymuchappreciated.Theauthorcanbereachedatsabanapm[at]ph[dot]ibm[dot]com.