Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers- 220

Nathan Elendt - Bishop Fox, posted 5 years ago
  • HTTPS is becoming more and more standard with IoT devices. So, how do we modify or intercept traffic if we do not control the device itself? That is what the article is about.
  • The article goes through three tricks for intercepting traffic without having control of the device.
  • The first one: It Just Works. Simply put, send the connection through a proxy that we control. This works because the TLS library on the IoT device is not performing ANY validation on the certificate. According to the article, this has worked 30% of the time.
  • The second one: the look-alike attack. Essentially, this abuses issues with validating the root CA in a certificate chain. The attack works as follows:
    1. Create a self-signed root certificate. Set its fields to be identical to the real root CA's, apart from it being self-signed.
    2. Install this as the root CA for the proxy.
    3. Generate a new certificate from that root CA and use it for the connection.
    If the device does not validate the chain of trust properly, then this will work for interception. This works about 20% of the time. Luckily, Bishop Fox has a tool for setting up this attack for you (linked in the article).
  • The final one: the incorrect name attack. This one is also branded as the Ol' Switcheroo. It works by obtaining a legitimate, valid certificate for some site, and then simply presenting that valid certificate for the wrong domain.
  • To improve the odds of the last attack, it helps to use a name that resembles the one the device expects. For example, if the device expects domain.com, a valid certificate for domain.com.mydomain.com could bypass the validation. This attack only works about 10% of the time.
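As an added example that is not part of these notes or of the Bishop Fox article, the three validation gaps mapped onto a Python TLS client: an audit that reports which of the three attacks a given ssl.SSLContext would allow, a hardened context that closes all of them, and a strict label-wise hostname matcher that rejects the domain.com.mydomain.com trick. The function names and the attack labels are my own; the weak contexts are constructed for illustration.

```python
import ssl
from typing import List, Optional


def build_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client: require a certificate, validate the chain against the
    given CA bundle (or the system store) and check the hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_context_no_validation() -> ssl.SSLContext:
    """Constructed weak config: accepts any certificate (attacks 1 and 2)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_context_no_hostname() -> ssl.SSLContext:
    """Constructed weak config: chain is verified, name is not (attack 3)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Report which of the three attacks from the notes this context allows."""
    exposed: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        exposed += ["it-just-works", "look-alike"]   # nothing about the cert is checked
    if not ctx.check_hostname:
        exposed.append("incorrect-name")             # a valid cert for any name passes
    return exposed


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Strict label-wise match: exact name, or '*' as the whole leftmost label
    matching exactly one label. Comparing label counts defeats suffix tricks
    such as domain.com.mydomain.com being taken for domain.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2 or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h
```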