2. About me
Founder of AppSec Labs
Application security expert
Book author
Managed Code Rootkits (Syngress)
Speaker & Trainer
Presented at BlackHat, Defcon, RSA, OWASP USA, OWASP IL, etc.
Secure Coding / Hacking trainer
3. Agenda
Introduction to IoT security
IoT architecture
Common vulnerabilities
Common misconceptions
Demo – if time permits
7. Why would someone attack the IoT?
Hack the product’s functionality
Break into the server side
Steal information from the system
Use the device as an entry point to the customer's network
Use the device to serve malware, send spam, etc.
12. Common misconception
“My server is protected. I have a firewall, a WAF, and I use SSL!”
About half of the attacks cannot be stopped by automatic tools – usually attacks related to business logic, and in particular to the specifics of the product
13. Mobile App Attacks
Implicitly trusted by device or cloud
Malicious app on the same device (side attacks)
Insecure data storage
Transport encryption
Insecure password recovery mechanism
15. Local Memory & Local storage
Cleartext usernames, passwords, third-party credentials
Encryption keys
Data encrypted with discovered keys
Lack of data integrity checks
17. Device Physical Interfaces
Debug port (Serial, JTAG, etc)
Privilege escalation
Reset to insecure state
Removal of storage media
Device/sensor tampering
18. Common misconception
“My code / secret value is “burned” on the PCB. No one can access it since it is protected at the hardware level”
19. Device Firmware
Insecure firmware update - sent without encryption or signing
Hardcoded credentials - URLs, encryption keys
Backdoor accounts
Vulnerable services (web, ssh, tftp, etc.)
21. Privacy
Insecure storage of sensitive data (location, images, CC, PII, PHI, etc.)
Inability to wipe device
Unencrypted PII sent to the cloud
Insecure network services
22. Common misconception
“My system enforces security right from the beginning, at the client side - device or mobile app”
The network service assumes security has already been enforced by the caller (device/mobile app)
23. Insecure network traffic
Weak authentication of the client side
Weak authentication of the server side
Lack of encryption
Replay attacks
Relying on “unknown” or “hard to understand” protocols
30. Denial of Service (DoS) attacks
Server side network DoS
RF jamming (Wi-Fi, ZigBee, BLE, etc.)
Power attacks
CPU exhaustion
Mobile app DoS
31. Common misconception
“The attacker cannot disconnect the power source of a device without physically touching it”
DoS attacks against battery-operated devices by invoking a power-intensive task – over and over again
No power = DoS
Can be as trivial as causing an LED to turn on!
Example – calculation of LED power consumption
Device is operated by 2 AA batteries: 2700 mAh
The device is optimized to consume extremely minimal power - it runs for years since most of the time it's on standby
There's an LED that consumes about 20 mA when on
1 day of LED on-time = 480 mAh
Make it blink somehow and you can easily eat a battery in less than a week!
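The battery calculation above, generalized to an arbitrary LED duty cycle, together with the mitigation a firmware engineer would add: a daily on-time budget so that an attacker-triggerable power-intensive action cannot drain the cells. This is an added example, not code from the deck; the 5 µA standby current is an assumed figure, only the 2700 mAh and 20 mA values come from the slide.

```c
#include <stdint.h>
#include <stdio.h>

/* Figures from the slide: two AA cells (~2700 mAh) and an LED drawing ~20 mA. */
#define BATTERY_MAH  2700.0
#define LED_MA       20.0
/* Assumed standby draw; the slide only says "extremely minimal power". */
#define STANDBY_UA   5.0

/* Expected battery life in hours when the LED is on for the given
 * fraction of the time (0.0 = never, 1.0 = permanently on). */
double battery_life_hours(double led_duty)
{
    double avg_ma = STANDBY_UA / 1000.0 + LED_MA * led_duty;
    return BATTERY_MAH / avg_ma;
}

/* Mitigation: a rolling 24h allowance of LED on-time. Requests beyond the
 * allowance are refused, so repeated remote triggering cannot exceed a
 * bounded daily energy cost no matter how often it is invoked. */
typedef struct {
    uint32_t window_start_s;  /* start of the current 24h window (device uptime) */
    uint32_t used_s;          /* LED on-time already granted in this window */
    uint32_t allowance_s;     /* maximum LED on-time per 24h */
} led_budget_t;

void led_budget_init(led_budget_t *b, uint32_t allowance_s, uint32_t now_s)
{
    b->window_start_s = now_s;
    b->used_s = 0;
    b->allowance_s = allowance_s;
}

/* Ask to light the LED for duration_s at time now_s. Returns 1 if granted. */
int led_request(led_budget_t *b, uint32_t now_s, uint32_t duration_s)
{
    if (now_s - b->window_start_s >= 86400u) {   /* new day: reset the budget */
        b->window_start_s = now_s;
        b->used_s = 0;
    }
    if (b->used_s + duration_s > b->allowance_s)
        return 0;                                /* over budget: refuse, log, alert */
    b->used_s += duration_s;
    return 1;
}

int main(void)
{
    printf("standby only: %.0f days\n", battery_life_hours(0.0) / 24.0);
    printf("LED always on: %.1f days\n", battery_life_hours(1.0) / 24.0);
    return 0;
}
```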
33. Summary
IoT security is NOT just device security
IoT requires a wide range of security coverage for all of the components - device, cloud API, web app, mobile app, network protocols, etc.
IoT has a lot of special vulnerabilities and attacks
Assume the attacker will take the device apart, read the flash memory, disassemble the firmware, etc.
Assume the attacker will decompile your mobile app
Testing IoT requires special expertise