# IoT SSL/TLS MITM Attack

The following figure depicts the experimental setting.

![](https://i.imgur.com/7qwEB8c.png)

## Ettercap

Install the latest version of Ettercap from its [GitHub repository](https://github.com/Ettercap/ettercap). Installation details are described in the README and INSTALL files in the repository.

Edit the Ettercap configuration file so that:

- During operation, Ettercap keeps root privilege.
- SSL/TLS packets are forwarded to the Ettercap SSL dissection component.

```
sudo vim /etc/ettercap/etter.conf
```

![](https://i.imgur.com/m2QQm8c.png)

![](https://i.imgur.com/Ey4yTd1.png)

Run Ettercap with superuser privilege.

- `-L`: log all packets sniffed by Ettercap, together with all the passive information (e.g. host info, username, and password) it can collect.
- `-G`: run in GUI mode.

```
sudo /path/to/ettercap -L ettercap -G
```

Note: by default, Ettercap forges SSL certificates in order to intercept HTTPS traffic. This feature can be disabled by specifying the `-S` option.

**Start sniffing**

- Choose the network interface to be sniffed.
- Click the "Accept" button to start sniffing.

![](https://i.imgur.com/yiQVPSX.png)

**Scan hosts in the LAN**

- Click the "Scan for hosts" button.
- Click the "Hosts list" button to see the hosts found by Ettercap.

![](https://i.imgur.com/4OvRKLH.png)

**Select targets to be spoofed**

- In the "Host List" tab:
  - Select the row which corresponds to the Wi-Fi router, and click the "Add to Target 1" button.
  - Select the row which corresponds to the IoT device, and click the "Add to Target 2" button.

![](https://i.imgur.com/WDOq1hk.png)

- Select "Options" -> "Targets" -> "Current targets" to examine the selected targets.

Note: there is no concept of SOURCE or DESTINATION. The two targets are used to filter traffic going from one to the other and vice versa (since the connection is bidirectional).

![](https://i.imgur.com/RUljpXU.png)

**Perform ARP spoofing**

- Select "MITM menu" -> "ARP poisoning..."

![](https://i.imgur.com/kjbwMTx.png)

- Tick the "Sniff remote connections." checkbox, and click the "OK" button.

![](https://i.imgur.com/FgKSIWR.png)

**Stop MITM attack**

1. Click the "Stop MITM" button to stop the attack.

![](https://i.imgur.com/2mlpYEV.png)

Examine the log files created by Ettercap.

```
etterlog ettercap.ecp
etterlog ettercap.eci
```

## Wireshark

On the attacker machine, use Wireshark to capture packets exchanged between the IoT device and the IoT server.

```
sudo wireshark
```

It can be observed that the authentic server certificate has been replaced by Ettercap with a forged one, which is then sent to the IoT device.

![](https://i.imgur.com/UNFunLp.png)