This blog is a two-part series on IoT network forensics procedures. The first part explores the procedures for investigating the network traffic between IoT companion apps and the backend cloud. The second part presents a network investigation guideline for analyzing the traffic between the hub device and the backend cloud.
Part 1 - Network investigation between IoT Companion App and Cloud
Companion apps are smartphone apps developed to interact with IoT devices: they manage the device and the data it generates. They are the user's interface to the IoT device, and they communicate with it either through the backend cloud or directly over the local network. As such, they exchange forensically relevant artifacts that can be potential evidence themselves, or that can be used to extract potential evidence from other parts of the IoT ecosystem (the API endpoints and tokens the app uses are often what unlocks the data held in the cloud). Investigating this source is therefore a necessity.
In general, during a network investigation, network traffic analysis can be done either live or offline to pull out the following information (the list is not exhaustive):
- IP addresses (IoT device and backend cloud)
- Security mechanisms in use (for example, whether TLS is used and which version)
- Request headers
- Response headers
- Application Programming Interfaces (APIs)
- Encrypted or unencrypted data, usually JSON or XML
- Session cookies
- Authentication tokens
- Unencrypted usernames and passwords
The network investigation can be done in two parts using two different kinds of tools. The first part is capturing the traffic at the gateway with tools such as Wireshark and tcpdump. Capturing is passive: it does not alter the traffic and requires no change on the phone. From the capture the investigator obtains the protocols in use, the IP addresses and ports, the backend cloud address (from DNS queries and from the server name in the TLS handshake) and other information that drives the further investigation. When the app uses TLS, which is the normal case, this is also all that a passive capture yields, because the payload stays encrypted. The second part therefore uses man-in-the-middle (MITM) procedures and tools. A proxy such as Burp Suite is placed between the app and the backend cloud (the phone is configured to send its traffic through the proxy and to trust the proxy's CA certificate), which lets the proxy decrypt and re-encrypt the TLS sessions. Using this method, information such as APIs (official or unofficial), authentication tokens, sessions and cookies, parameters, decrypted and unencrypted user data, authentication credentials, and so on can be obtained.
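As an added example (not code from the original post), here is the passive part of the procedure in a stdlib-only Python script: it walks raw Ethernet frames of the kind tcpdump -w stores in a pcap and pulls out what a capture gives away without any MITM: the endpoint addresses and ports, the backend host name from the TLS ClientHello server_name extension, and whatever an app still sends over plaintext HTTP (here a Basic Authorization header and a login form). The frames, addresses and host names are constructed for the example and use documentation ranges; the parser handles IPv4/TCP only and skips everything else, which the third sample frame (IPv6) shows.

```python
"""Passive triage of a companion-app capture (stdlib only): endpoints, TLS SNI and
plaintext credentials from raw Ethernet frames such as those tcpdump -w stores."""
import base64
import struct
from urllib.parse import parse_qs

def _frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame (constructed input; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def _client_hello(server_name):
    """Minimal TLS 1.2 ClientHello whose only extension is server_name (constructed)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"             # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_tcp(frame):
    """(src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                     # not IPv4, or not TCP
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]           # skip IP header + options
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]   # skip TCP header + options

def tls_sni(payload):
    """Server name from a TLS ClientHello record, or None if this is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                          # record hdr 5 + hs hdr 4 + version 2 + random 32
        p += 1 + payload[p]                             # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                             # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            if etype == 0:                              # server_name: list len 2, type 1, name len 2
                nlen = struct.unpack("!H", payload[p + 7:p + 9])[0]
                return payload[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except (IndexError, struct.error):                  # truncated or malformed record
        pass
    return None

def http_credentials(payload):
    """Host, Basic-auth credentials and credential-like form fields from a plaintext HTTP request."""
    text = payload.decode("ascii", "replace")
    if not text.startswith(("GET ", "POST ", "PUT ")):
        return {}
    head, _, body = text.partition("\r\n\r\n")
    found = {}
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if key == "host":
            found["host"] = value
        elif key == "authorization" and value.lower().startswith("basic "):
            found["basic"] = base64.b64decode(value[6:]).decode("utf-8", "replace")
    for key, values in parse_qs(body).items():
        if any(w in key.lower() for w in ("user", "pass", "token")):
            found[key] = values[0]
    return found

def triage(frames):
    """One row per TCP frame: the flow plus whatever it gives away passively."""
    rows = []
    for frame in frames:
        pkt = parse_tcp(frame)
        if pkt:
            src, dst, sport, dport, payload = pkt
            rows.append({"flow": f"{src}:{sport} -> {dst}:{dport}",
                         "sni": tls_sni(payload), "http": http_credentials(payload)})
    return rows

# Constructed capture: a TLS session to the backend cloud, a plaintext login to a legacy
# endpoint, and an IPv6 frame the parser skips. Addresses and names are documentation examples.
SAMPLE = [
    _frame("192.168.1.20", "203.0.113.10", 51234, 443, _client_hello("api.cloud.example")),
    _frame("192.168.1.20", "203.0.113.20", 51235, 80,
           b"POST /v1/login HTTP/1.1\r\nHost: legacy.cloud.example\r\n"
           b"Authorization: Basic dXNlcjpwYXNz\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"username=user&password=pass"),
    b"\x00" * 12 + b"\x86\xdd" + b"\x60" + b"\x00" * 39,
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Reading a real capture is a matter of replacing SAMPLE with the frames from a pcap (with a third-party reader such as dpkt or scapy, or by parsing the 16-byte per-packet pcap record headers yourself). On a TLS flow the server IP and the SNI are usually the only application-layer facts the capture yields, which is exactly where the MITM proxy of the second part takes over.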
However, there are challenges in using MITM-based network analysis. The first challenge is certificate pinning: the app embeds the expected server certificate (or its public key) in its code and rejects any other certificate, including the proxy's, so the TLS connection simply fails. To bypass certificate pinning, instrumentation such as the Xposed Framework (with a pinning-bypass module) can be used to hook the app's certificate checks at run time. The second challenge is that apps targeting Android 7 (API 24) and above no longer trust user-installed CA certificates by default, so installing the proxy's CA through the phone's settings is not enough. To overcome this, either root the phone and install the certificate at the system level, or reverse engineer the app and modify it so that it accepts user-installed certificates (for instance by adding a network security configuration that trusts the user certificate store, then rebuilding and re-signing the app). In both cases the work should be done on a lab device or on a copy of the app, not on the evidence phone, so that the original artifacts stay intact.
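As an added example, not taken from the original post or from any app vendor, the repackaging option from the paragraph above in Python: the script writes an Android network security configuration that trusts user-installed CAs into an apktool-decoded app directory and references it from the manifest's <application> element. The app, its package name and the directory name app_src are constructed for the example; apktool's res/xml and AndroidManifest.xml paths are real.

```python
"""Repackage helper: make an apktool-decoded Android app trust user-installed CAs
(apps targeting Android 7+ do not by default) so a proxy CA such as Burp's is accepted.
Paths follow apktool's output layout; the app and package name are hypothetical."""
import re
import sys
import tempfile
from pathlib import Path

# Network security configuration that keeps the system roots and adds the user store
# (where a CA installed through Settings lands). It replaces whatever the app shipped,
# so any <pin-set> declared there is dropped as well.
NSC_XML = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""
REF = 'android:networkSecurityConfig="@xml/network_security_config"'


def patch_decoded_apk(app_dir):
    """Write res/xml/network_security_config.xml and reference it from the manifest's
    <application> element. Returns the manifest and config texts as written."""
    app_dir = Path(app_dir)
    config_path = app_dir / "res" / "xml" / "network_security_config.xml"
    config_path.parent.mkdir(parents=True, exist_ok=True)
    config_path.write_text(NSC_XML)
    manifest_path = app_dir / "AndroidManifest.xml"
    manifest = manifest_path.read_text()
    if "android:networkSecurityConfig=" in manifest:
        # the app already ships a config (maybe with pins): repoint the attribute at ours
        manifest = re.sub(r'android:networkSecurityConfig="[^"]*"', REF, manifest, count=1)
    else:
        manifest = manifest.replace("<application", "<application " + REF, 1)
    manifest_path.write_text(manifest)
    return {"manifest": manifest, "config": config_path.read_text()}


def make_demo_app_dir():
    """Constructed stand-in for `apktool d companion.apk -o app_src`: only the manifest,
    with an <application> element and no network security config of its own."""
    app_dir = Path(tempfile.mkdtemp(prefix="app_src_"))
    (app_dir / "AndroidManifest.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
        '    package="com.example.companion">\n'
        '    <application android:label="Companion" android:allowBackup="false">\n'
        '        <activity android:name=".MainActivity" />\n'
        '    </application>\n'
        '</manifest>\n')
    return app_dir


if __name__ == "__main__":
    # Surrounding workflow (all on a lab device, never on the evidence phone):
    #   apktool d companion.apk -o app_src
    #   python3 patch_nsc.py app_src          # this script; no argument = demo directory
    #   apktool b app_src -o companion-patched.apk
    #   apksigner sign --ks lab.keystore companion-patched.apk
    #   adb install companion-patched.apk
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_app_dir()
    print(patch_decoded_apk(target)["manifest"])
```

The rebuilt APK carries a new signature, so it has to be installed fresh rather than updated over the original. This removes only the user-CA restriction and any pins declared in the app's own network security configuration; pinning implemented in code (the first challenge above) still needs run-time hooking.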