
Running Away Is Shameful and Useless Too: The IoT Security Problems and Challenges You Can't Afford Not to Know (Ashley Shen & Belinda Lai)




  1. Ashley Shen, Belinda Lai
  2. Ashley Shen (ashley@hitcon.org)
     • Senior Threat Analyst at Team T5
     • Co-founder of HITCON GIRLS
     • Malware analysis, Advanced Persistent Threat research, campaign tracking
     • Speaker at HITCON CMT, HITCON ENT, CodeBlue, Troopers
  3. Belinda Lai
     • Software Engineer at Brocade
     • Co-founder of HITCON GIRLS
     • Speaker at HITCON CMT, HITCON ENT
     • Malware analysis
  4. (Agenda slide; the bullet text was not extracted.)
  5. "The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment." (Definition of IoT by Gartner)
  6. Avg: 122B? (IHS Markit 2017 IoT Trend Report)
  7. Why IoT security matters
     • A world of connected everyday objects means a bigger attack surface for cybercriminals.
     • Security is often not considered at the design stage.
     • AT&T's Cybersecurity Insights Report (2015) surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of deploying, or intend to deploy, IoT devices. Yet a mere 10% of those surveyed feel confident that they could secure those devices against hackers.
  8. Vendor predictions for 2017
     • IoT devices will increasingly penetrate the enterprise, leading to increased IoT DDoS attacks.
     • The growth in IoT devices provides a newly available slew of poorly protected or monitored devices that can be co-opted for malicious purposes.
     • IoT devices will play a bigger role in DDoS attacks; IIoT systems in targeted attacks.
     • Growth in the number and variety of Internet of Things devices will break some cloud security models, leading to successful attacks through these devices.
     • The risk of connecting everything, regardless: in 2016, need we say more?
  9. 2015 Cloud Security Alliance: Security Guidance for Early Adopters of the Internet of Things (IoT)
  10. Timeline: 2013, 2014, 2017
      • IoT security in healthcare is life or death, especially for implantable medical devices.
      • Not just about the device, but also the environment.
      • Hacking into an MRI through the hospital guest Wi-Fi (ERNW).
  11. Individual
      • Privacy
      • Physical safety (healthcare)
      • Personally identifiable data
      http://www.truste.com/blog/wp-content/uploads/smart-devices-circle-of-trust.png
  12. Organization
      • Intellectual property
      • DDoS blackmail
      • Service stability
      • Financial
  13. Nation
      • Domestic security
      • Homeland security
      • Attacks on critical infrastructure
      • Cyber espionage attacks
      • Political & financial
      • IoT leveraged in cyber espionage attacks
      • 2015: PLEAD, the Phantom of Routers, by Charles & zha0
  14. IoT Security != Device Security
  15. IoT Ecosystem: Sensors, Network, Application
  16. IoT Ecosystem Attack Surface: Sensors (Hardware), Network (Connectivity), Application
  17. IoT Attack Surface Areas
      • Hardware: Device Physical Interfaces, Local Data Storage, Update Mechanism, Device Firmware, Device Memory, Device Web Interface, Device Network Services
      • Connectivity: Vendor Backend APIs, Third-party Backend APIs, Network Traffic, Ecosystem Communication
      • Application: Cloud Web Interface, Mobile Application, Administrative Interface
      • Cross-cutting: Privacy, Authentication/Authorization
  18. Hardware (Device Physical Interfaces, Local Data Storage, Update Mechanism, Device Firmware, Device Memory, Device Web Interface, Device Network Services)
      Common vulnerabilities:
      • Firmware extraction
      • Admin CLI
      • Privilege escalation
      • Reset to insecure state
      • Removal of storage media
      • Debug port
      • Web vulnerabilities
      • Backdoor accounts
      • Hardcoded credentials
      • Encryption keys (weak or crackable)
      • Encryption (symmetric, asymmetric)
      • Sensitive URL disclosure
      • Vulnerable services (web, ssh, tftp, etc.)
      • Unencrypted data
      Hacking tools:
      • Mousejack: injecting keystrokes into wireless mice
      • Metasploit: vulnerabilities for IoT (from smart fridges to smart cars)
      • Attify Badge Tool: hardware device used to hack IoT devices
      • Shikra: hardware hacking toolbox
  19. Mifare Classic
      • Mifare Classic is one of the most widely used RFID cards.
      • The card uses the standard ISO 14443 Type A protocol for communication at 13.56 MHz (High Frequency).
      • The proprietary cryptography used in Mifare Classic cards is CRYPTO1, with a 48-bit key.
      • In October 2008 Radboud University published a Crypto-1 cipher implementation as open source (GNU GPL v2 license).
  20. Tools:
      • RFID reader (about 900 NTD)
      • MFOC & MFCUK (free)
      • UID-changeable Mifare card (5 NTD)
      https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf
  21. Connectivity (Vendor Backend APIs, Third-party Backend APIs, Network Traffic, Ecosystem Communication)
      Common vulnerabilities:
      • Weak authentication
      • Weak access controls
      • Protocol fuzzing
      • Injection attacks
      • Hidden services
      • Unencrypted PII sent
      • Encrypted PII sent
      • Device information leaked
      • Location leaked
      • Non-standard protocols
      • Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)
      • Inherent trust of cloud or mobile application
      Hacking tools:
      • WiFi hacking: aircrack-ng
      • BLE hacking: Ubertooth One
      • Fluxion: WPA/WPA2 security hacked without brute force
      • Cain and Abel: penetration tools
      • Fiddler: monitor, manipulate, and reuse HTTP requests
      • Kismet: network detector, packet sniffer for 802.11 a/b/g/n layers
      • GATTacker: BLE man-in-the-middle attack
  22. Bluetooth Low Energy
      • Bluetooth Low Energy (a.k.a. Bluetooth Smart, Bluetooth 4.0) is different from Bluetooth Classic and Bluetooth High Speed.
      • Designed to be power-efficient, with a different protocol.
      Reference: BLE authentication design challenges on smartphone-controlled IoT devices: analyzing the Gogoro Smart Scooter, by Chen-yu Dai [GD] & Professor Shi-Cho Cha [CSC]
  23. Security procedures provided by the Security Manager:
      • Pairing (encrypt with a temporary key), via the Security Manager Protocol:
        • Just Works: no passkey required → man-in-the-middle attack
        • Passkey Display: passkey required
        • Out of Band (OOB): passkey passed through a non-BLE channel
      • Bonding (encrypt with a permanent key)
      • Encryption re-establishment (requires bonding)
  24. Many BLE devices do "FAKE PAIRING":
      • Mi bracelet could be vibrated by anyone close to you
        • No authentication & no pairing
      • Mi Smart Scale
        • Sends data without encryption
        • Anyone could see your weight when they are close to you
      • Tool: BLE Scanner (app on your phone)
  25. Application (Cloud Web Interface, Mobile Application, Administrative Interface)
      Common vulnerabilities:
      • SQL injection
      • Cross-site scripting
      • Cross-site request forgery
      • Username enumeration
      • Weak passwords
      • Account lockout
      • Known default credentials
      • Transport encryption
      • Two-factor authentication
      • Insecure password recovery mechanism
      Hacking tools:
      • SuperPutty: operate all your VPS
      • Hardcode: Android hacking
      • AndroRAT: remote administration tool for Android
      • SpoofApp: spoof (place) calls with any caller ID number
      • APK Inspector: reverse engineer any Android app
      • dSploit: perform various attacks
      • AnDOSid: perform a DoS attack
      • SQLMap: finding vulnerabilities in web applications
      • Androbug: finding Android app vulnerabilities
  26. Reconnaissance: the process of finding targets and vulnerabilities.
      Tools:
      • Shodan (www.shodan.io)
      • Censys (censys.io)
      • ZoomEye (www.zoomeye.org)
      • WHOIS
      • Netcraft
      • Nmap
  27. For vendors
      • Consider security by design, rather than as an afterthought.
      • Provide security training to developers.
      • Listen to security experts.
      • Do penetration testing before releasing.
  28. For enterprises
      • Know what IoT devices you have and how many.
      • Device management.
      • Know the IoT vulnerabilities.
      • Understand the threat (vulnerabilities, attack vectors) and defend.
      • Securing IoT devices does NOT mean simply securing the actual devices themselves. Companies also need to build security into the software applications and network connections that link to those devices.
      • Creating a separate network segment is one option.
      • Require vendors to assert that their products aren't vulnerable to common attacks.
  29. For individuals
      • Understand the risk of your device (do not trust it).
      • Don't use it if you don't want to share your data.
      • Ensure the default passwords on all devices are changed (using unique, complex passwords) to prevent them being remotely accessed.
      • Review the functionality of a smart device and disable any functions that you don't actually need.
  30. Internet of Threats! Things?
  31. HITCON GIRLS Internet Security Group: RFID Card Hacking, WiFi Hacking, Wall of Sheep, BLE Device Hacking, Pineapple Router, Web Pentesting, Android Pentesting, Malware Analysis, Newbie Group. Recruiting!!! https://www.facebook.com/HITCONGIRLS/
  32. References
      • Internet of Things (IoT) History, http://www.postscapes.com/internet-of-things-history/
      • 20 Billion Connected Internet of Things Devices in 2017, IHS Markit Says, http://electronics360.globalspec.com/article/8032/20-billion-connected-internet-of-things-devices-in-2017-ihs-markit-says
      • IoT Trend Watch 2017, https://cdn.ihs.com/www/pdf/IoT-trend-watch-2017.pdf
      • Sensing-as-a-Service: New Business Models for Internet of Things (IoT), https://www.slideshare.net/mazlan1/sensingasaservice-new-business-models-for-internet-of-things-iot
      • Connecting RFID to IoT, https://image.slidesharecdn.com/internetofthingsiot-160825065927/95/internet-of-things-iot-10-638.jpg?cb=1472108952
      • IoE vs. IoT vs. M2M: What's the Difference and Does It Matter?, http://blog.aeris.com/ioe-vs.-iot-vs.-m2m-what-s-the-difference-and-does-it-matter
      • The Internet of Things, by Samuel Greengard, https://books.google.com.tw/books?id=oyyyBwAAQBAJ&pg=PA16&lpg=PA16&dq=physical-first+digital-first+iot&source=bl&ots=IlVCfyMGMM&sig=OHCYXqPAs5FayJ5zcB6mzQ484pQ&hl=en&sa=X&ved=0ahUKEwij5fqwmq7SAhWBgLwKHdpaDwQQ6AEINzAF#v=onepage&q=physical-first%20digital-first%20iot&f=false
      • CISCO Internet of Everything Infographic, http://internetofeverything.cisco.com/vas-public-sector-infographic/
      • https://blog.trendmicro.com.tw/?p=10855
      • FireEye: The 2017 Security Landscape, Asia Pacific, https://www2.fireeye.com/rs/848-DID-242/images/rpt-security-predictions-2017-apac.pdf
  33. References (continued)
      • Security in 2017 and Beyond: Symantec's Predictions for the Year Ahead, https://www.symantec.com/connect/blogs/security-2017-and-beyond-symantec-s-predictions-year-ahead
      • Kaspersky Security Bulletin 2016, https://kasperskycontenthub.com/securelist/files/2016/12/KASPERSKY_SECURITY_BULLETIN_2016.pdf
      • McAfee Labs 2017 Threats Predictions, https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf
      • How the Internet of Things will affect security & privacy, http://www.businessinsider.com/internet-of-things-security-privacy-2016-8
      • Hackers Remotely Kill a Jeep on the Highway, With Me in It, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
      • Bitcoin mass extortion is back, this time targeting 4,000 schools across Taiwan! Not only universities, three elementary schools in Taoyuan also received hacker ransom letters (比特幣集體勒索又來了,這次鎖定全臺4千校!不只大學,桃園3小學也出現駭客勒索信), http://www.ithome.com.tw/news/112282
      • 25,000 surveillance cameras become a DDoS botnet army, most of them in Taiwan! (2.5萬監視器成DDoS殭屍網路大軍,多數來自台灣!), http://www.ithome.com.tw/news/106745
      • Compromised clinics, hacked MRIs and online breach-traders | MassDevice.com On Call, http://www.massdevice.com/compromised-clinics-hacked-mris-and-online-breach-traders-massdevicecom-call/
      • IoT in Healthcare: Life or Death, Dr. May Wang, https://webcache.googleusercontent.com/search?q=cache:PF0a41C3ttoJ:https://www.rsaconference.com/writable/presentations/file_upload/sbx2-r4-iot-in-healthcare-life-or-death.pdf+&cd=1&hl=en&ct=clnk&gl=tw
      • Internet of Things (IoT): Security, Privacy and Safety, https://datafloq.com/read/internet-of-things-iot-security-privacy-safety/948
      • Does CCTV put the public at risk of cyberattack?, https://securelist.com/blog/research/70008/does-cctv-put-the-public-at-risk-of-cyberattack/
      • University DDoS'd by its own seafood-curious malware-infected vending machines, https://www.theregister.co.uk/2017/02/13/university_ddosd_by_own_vending_machines/
      • Bombs that can recognise their targets are back in fashion, http://www.economist.com/news/science-and-technology/21711012-new-generation-smart-weapons-development-bombs-can-recognise-their
      • Amazon's delivery drones may drop packages via parachute, http://money.cnn.com/2017/02/14/technology/amazon-drone-patent/
  34. References (continued)
      • https://www.cyberscoop.com/researchers-hack-robots-killer-industrial-machines/
      • Hackers can hijack Wi-Fi Hello Barbie to spy on your children, https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
      • Hacking Mifare Classic Cards, https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf
      • Mifare Classic slides, https://de.slideshare.net/nethemba/mifare-classicslides
      • Design challenges of IoT BLE authentication mechanisms: the Gogoro Smart Scooter as an example (物聯網 BLE 認證機制設計的挑戰 以 Gogoro Smart Scooter 為例), https://hitcon.org/2016/CMT/slide/day1-r0-a-1.pdf
      • https://www.owasp.org/images/6/6f/OWASP2017_HackingBLEApplications_TalMelamed.pdf