Nmap Development mailing list archives

GSOC'16 ideas on IoT discovery scripts


From: Yernat Yestekov <yestekov () gmail com>
Date: Mon, 21 Mar 2016 19:00:20 +0600

[Estimated time to read: ~3 min]

Hello NMAP community,

my name is Yernat. I'm a student from Kazakhstan with 3+ years of work
experience in cryptography and information security (to save your time, I
put my background information at the end of the letter). I'm applying for
the GSoC discovery scanning script developer position. I would like to
discuss my proposal and hear some feedback from you.

In general, my idea is to focus on IoT discovery, specifically on car
on-board systems. Many cars are connected to the internet through built-in
systems (e.g. Tesla, Jeep) or through peripheral devices (e.g. insurance or
tracking dongles). I'm quite familiar with the latter. Such dongles are
usually connected to the On-Board Diagnostic port (standard on almost any
car), giving possible access to the car's internal Controller Area Network
(CAN). CAN carries information to and from the electronic control units
(ECUs) that control the steering, brakes, transmission, and almost any other
electronically enabled system in the car. So, there should be a number of
scripts that will discover such dongles, their specs (OS, open ports, etc.)
and possibly the car's internal information. Such information can give a
nice attack surface for pentesters. Currently, I'm not aware of any software
or service doing something like that (Shodan maybe?). It can become a nice
feature unique to NMAP.

Moreover, I have already secured access to testing hardware. My friend is
the founder of a startup that uses such dongles to collect information from
cars in the cloud. He has a couple of dozen dongles from different
manufacturers for testing purposes and is ready to share them with me.

More detailed plans:

- fingerprinting all devices available to me. Based on preliminary research
I expect about 10-20 new fingerprints for nmap-os-db.

- classifying devices by OS, hardware, and other specs to see if there are
groups of similar devices like in the CCTV market, where one manufacturer
produces cameras for 20+ different companies with slightly different
software and appearance (and bugs too :)

- a script that would discover connected dongles and check what information
from the vehicle is available. It will require quite a lot of work to
translate OBD's raw information to a human-friendly format.

- maybe some exploitation scripts, something similar to [1] or [2].

- .... any other ideas or suggestions from the community? I will appreciate
your help and mentoring.

*whoami:* I did my master's degree in CS with a focus on cryptography at the
University of North Texas. I hold several certifications such as CCNA, NFOSEC
CNSS 4011 and 4013 (equivalent of CCNA Security), and others. I have worked
a couple of years as a consultant on information security, mostly on applied
crypto stuff, and as an engineer in the telecom industry, so I'm quite
familiar with L2 and L3 networking. I'm also a startup founder, a recently
failed one. So now I have some spare time for what I really like (3l337
]-[@xx). Just kidding, it is mostly coding and playing around with math. I'm
available via yestekov () gmail com and IRC: doublewhy at freenode.

Thanks and looking forward to your feedback!

Best regards,
Yernat

[1] http://arstechnica.com/security/2010/05/car-hacks-could-turn-commutes-into-a-scene-from-speed/
[2] http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
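The proposal's third bullet mentions translating OBD's raw information into a human-friendly format. The following is an added illustration of what that translation involves, written for this archive page; it is not code from Yernat's proposal or from the Nmap project. It decodes "mode 01" (current data) responses for a handful of the publicly documented SAE J1979 PIDs, and treats negative responses, unknown PIDs and truncated frames as undecodable rather than guessing. The PID table is a deliberately small subset, and the sample capture is constructed, not taken from a real vehicle.

```python
"""Decode raw OBD-II "mode 01" (current data) responses into readable values.

Added example. The scalings are the publicly documented SAE J1979 PID
formulas; the PID subset and the sample capture below are constructed.
"""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Pid:
    name: str
    unit: str
    length: int                       # number of data bytes (A, B, ...)
    decode: Callable[[List[int]], float]


# Small subset of SAE J1979 mode-01 PIDs. d[0] is byte A, d[1] is byte B.
PIDS: Dict[int, Pid] = {
    0x05: Pid("coolant_temp",  "C",    1, lambda d: d[0] - 40),
    0x0C: Pid("engine_rpm",    "rpm",  2, lambda d: (256 * d[0] + d[1]) / 4),
    0x0D: Pid("vehicle_speed", "km/h", 1, lambda d: d[0]),
    0x11: Pid("throttle_pos",  "%",    1, lambda d: 100 * d[0] / 255),
    0x2F: Pid("fuel_level",    "%",    1, lambda d: 100 * d[0] / 255),
}


@dataclass(frozen=True)
class Reading:
    pid: int
    name: str
    value: float
    unit: str


def decode_mode01(raw: str) -> Optional[Reading]:
    """Parse one response line such as "41 0C 1A F8".

    Returns None, rather than a guessed value, for a negative response
    (first byte 0x7F), a non-mode-01 reply, an unknown PID, or a payload
    whose length does not match the PID's specification.
    """
    try:
        b = [int(tok, 16) for tok in raw.split()]
    except ValueError:
        return None                    # not hex at all
    if len(b) < 2:
        return None
    if b[0] == 0x7F:                   # negative response: 7F <mode> <NRC>
        return None
    if b[0] != 0x41:                   # 0x01 + 0x40 = positive mode-01 reply
        return None
    pid = PIDS.get(b[1])
    data = b[2:]
    if pid is None or len(data) != pid.length:
        return None
    return Reading(b[1], pid.name, round(pid.decode(data), 1), pid.unit)


def decode_dump(lines: List[str]) -> Dict[str, Reading]:
    """Decode a captured dump, keeping only the responses that parse cleanly."""
    out: Dict[str, Reading] = {}
    for line in lines:
        r = decode_mode01(line)
        if r is not None:
            out[r.name] = r
    return out


# Constructed sample capture (not from any real vehicle or dongle).
SAMPLE_DUMP = [
    "41 0C 1A F8",     # engine RPM
    "41 0D 3C",        # vehicle speed
    "41 05 7B",        # coolant temperature
    "41 2F 80",        # fuel level
    "7F 01 12",        # negative response from the ECU -> rejected
    "41 0C 1A",        # truncated RPM frame -> rejected
]

if __name__ == "__main__":
    for name, r in decode_dump(SAMPLE_DUMP).items():
        print(f"{name:>14}: {r.value} {r.unit}")
```

The rejection paths matter as much as the happy path: a discovery script that reports a half-received frame as a plausible speed or RPM produces output that looks right and is wrong, so the decoder refuses anything it cannot map to a known PID with the expected payload length.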
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
