Understanding what is IoT security
What is the scope of IoT security
Uses of IoT and where do we see it in our daily life
Possible attack surface and likelihood of IoT-related attacks
IoT specific security assessment (understanding approach, IoT protocols, how it is a combination of different type assessments)
The myths of IoT security and the way it has progressed in past few years and how far fetched it can be.
Available Resources and Tools
2. About Myself
Ankit Giri (@aankitgiri)
Security Consultant | Security
Compass
Web, Mobile Application and IoT
Security Researcher
Bug Hunter (Hall of Fame: EFF, GM,
HTC, Sony, Mobikwik, Pagerduty and
some more )
Blogger, Orator and an active
contributor to OWASP and null
Community
The Most Viewed Writer in Web
application Security, Network
Security and Penetration Testing on
Quora.
3. What is IoT?
IoT is computing devices that send data,
receive date or both on the internet.
The Internet of Things (IoT) refers to the ever-growing
network of physical objects that feature an IP
address for internet connectivity, and the
communication that occurs between these objects
and other Internet-enabled devices and systems.
Where do we see it in our daily life?
Source: Pubnub
5. The hardware is to be blamed!
Relatively modern 64-bit x86 CPU cores in IoT devices, they will still be substantially more complex than the
smallest ARM cores, and therefore will need more battery power.
Cheap and disposable wearables, appear to be the biggest concern, won’t be powered by such chips. We need
more powerful processors, such as Intel Atoms or ARMv8 chips, in smart products, like smart refrigerators or
washing machines with touchscreens, but they are impractical for disposable devices with no displays and with
limited battery capacity.
The industry needs is more unstandardized devices and more fragmentation.
6. The web application side of it!
TrendNet cameras that exposed a full video feed to anyone who accessed it. In this case, there
was enough of a “sign on” interface to make end users believe that only authorized people
could access the feeds remotely. However, a hacker group called Console Cowboys quickly
demonstrated that the authentication mechanism was just for show.
Challenges: IoT device web applications are that the apps are often on unusual ports (e.g., not
80 for HTTP or 443 for HTTPS), that the apps are sometimes disabled by default, and that
different apps (e.g., for device administrators and users, or two different applications) may
listen on different ports.
7. The web application side of it!
“Weak authentication,” might thinking of passwords that are easy to guess. Unfortunately, the bar
is much lower with many smart devices.
Generally IoT devices are secured with passwords like “1234”, put their password in client-side
Java code, send credentials without using HTTPS or other encrypted transports, or require no
passwords at all.
8. Insecure Network in IoT devices!
In your modern corporate network, you may think Telnet and FTP are dead, but the IOT smart device
world would disagree
August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded
Telnet logins.
October 2014 research that demonstrated more than a million deployed routers were vulnerable
to misconfigured NAT-PMP services.
9. Insecure Cloud and Mobile interface
Many IoT devices exchange information with an external cloud interface or ask end users to connect
to a remote web server to work with their information or devices. In addition to obvious
vulnerabilities such as a lack of HTTPS, the OWASP IoT Top Ten list asks you to look for
authentication problems such as username harvesting (“user enumeration”) and no lockouts after a
number of brute-force guessing attempts.
IoT devices may also act as wireless access points (WAPs).
10. Insecure Software/ Firmware
Real life examples of corrupt update files abound, especially when people use “jailbroken”
phones to disable the validation built in to their devices. MITM attacks using insecure update
sources, such as the HTTP-based update vulnerability that affected ASUS RT routers in October
2014.
To test whether or not a device is using insecure updates, you generally need to use a proxy or
sniffer to watch the data stream for use of secure transport, for example, an online utility called
“APK Downloader” lets you download and inspect Android installations and updates on any
platform.
11. Physical security of IoT devices
Five things to determine if a device’s exposed ports can be used for malicious purposes. These are
ease of storage media removal, encryption of stored data, physical protection of USB and similar
ports, ease of disassembly and removal or disabling of unnecessary ports.
12. Scope of IoT security
How many IoT devices do you own and use right now? How many does your business use?
That’s where the “Internet of NoThings” joke comes from, most people don’t have any. The numbers
keep going up, but the average consumer is not buying many, so where is that growth coming
from? IoT devices are out there and the numbers are booming, driven by enterprise rather than the
consumer market.
Verizon and ABI Research estimate that there were 1.2 billion different devices connected to the
internet last year, but by 2020, they expect as many as 5.4 billion B2B IoT connections.
14. IoT specific security assessment
How it is a combination of different type assessments:
Web interface
Network services
Secure Transport medium
Cloud and Mobile interface
Insecure Software/Firmware
Physical security
15. HEATHEN: Internet-Of-Things- Pentesting-
Framework
Heathen is a research project, which automatically help developers and manufacturers build more secure products in the Internet of
Things space based on the Open Web Application Security Project (OWASP) by providing a set of features in every fundamental era.
-Insecure Web Interface
-Insufficient Authentication/Authorization
-Insecure Network Services
-Lack of Transport Encryption
-Privacy Concerns
-Insecure Cloud Interface
-Insecure Mobile Interface
-Insufficient Security Configurability
-Insecure Software/Firmware
-Poor Physical Security
16. IoT Protocols
Rather than trying to fit all of the IoT Protocols on top of existing architecture models like OSI Model,
the protocols are segregated into the following layers to provide some level of organization:
Infrastructure (ex: 6LowPAN, IPv4/IPv6, RPL)
Identification (ex: EPC, uCode, IPv6, URIs)
Comms / Transport (ex: Wifi, Bluetooth, LPWAN)
Discovery (ex: Physical Web, mDNS, DNS-SD)
Data Protocols (ex: MQTT, CoAP, AMQP, Websocket, Node)
Device Management (ex: TR-069, OMA-DM)
Semantic (ex: JSON-LD, Web Thing Model)
Multi-layer Frameworks (ex: Alljoyn, IoTivity, Weave, Homekit)
17. Hardsploit: a Framework to audit IoT devices
security
Hardsploit is a tool with software and electronic aspects. This is a technical and modular plateform
(using FPGA) to perform security tests on electronic communications interfaces of embedded
devices. It’s a Framework !
“All-in-one tool for Hardware pentest”
The main Hardware security audit functions are”
Sniffer,
Scanner,
Proxy,
Interact,
Dump memory
19. Hardsploit: a Framework to audit IoT devices
security
Hard Sploit is a complete tool box (Hardware + Software), a Framework which facilitates the audit of electronic
systems Consultant, Auditor, Pentesters, product designer etc. and at the same time increases the level of
security (and trust!) of new communicating products designed by industry.
20. Hardsploit: a Framework to audit IoT devices
security
Hardsploit Modules will let Hardware pentester to intercept, replay and/or and send data via each
type of electronic bus used by the Hardware Target. The Level of interaction that pen-testers will
have depend on the electronic bus features…
Hardsploit ‘s modules enable us to analyse all sort of electronic bus (serial and parallel type)
JTAG, SPI, I2C‘s,
Parallel address & data bus on chip
21. Hardsploit: a Framework to audit IoT devices
security
It is an assisted visual wiring function to help, easier connect all wires to the Hardware target:
GUI will display the pin organization (Pin OUT) of the targeted chip.
GUI will guide you throughout the wiring process between Hardsploit Connector and the target
GUI will control a set of LED that will be turn ON and OFF to easy let you find the right Hardsploit Pin
Connector to connect to your target
The software part of the project will help conducting an end-to-end security audit. It will be
compatible (integrated) with existing tools such as Metasploit. The integration with other API is
expected to be introduced in future.
The framework is created with an ambition to provide a tool equivalent to those of the company
Qualys or Nessus (Vulnerability Scanner) or the Metasploit framework but in the domain of
embedded / electronic.
23. Available Resources:
https://iot-analytics.com/understanding-iot-security-part-1-iot-security-architecture/
http://resources.infosecinstitute.com/test-security-iot-smart-devices/
http://blog.attify.com/#
http://internetofthingswiki.com/iot-security-issues-challenges-and-solutions/937/
https://hardsploit.io/the-project/
http://electronicdesign.com/iot/understanding-protocols-behind-internet-things
http://www.postscapes.com/internet-of-things-protocols/
*Note: Refer to the links mentioned in the notes section of the slides.
24. Available Resources:
http://resources.infosecinstitute.com/getting-started-with-iot-security-mapping-the-attack-
surface/
http://resources.infosecinstitute.com/test-security-iot-smart-devices/
https://www.blackhat.com/eu-16/training/offensive-internet-of-things-iot-exploitation.html
http://www.pentesteracademy.com/course?id=27
http://nullcon.net/website/goa-2017/training/practical-iot-hacking.php
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
https://iotsecuritywiki.com/
*Note: Refer to the links mentioned in the notes section of the slides.
25. You can find me here:
https://twitter.com/aankitgiri
https://www.linkedin.com/in/ankitgiri/
aankitgiri@gmail.com
Thank You!
Notas do Editor
connected security systems, thermostats, cars, electronic appliances, lights in household and commercial environments, alarm clocks, speaker systems, vending machines and more.
To mitigate these challenges, you should plan on using a standard port scanner or (shudder) reading the manual to discover what web services a particular device offers.
Example, I have recently purchased an IP Camera from Edimax, the default credentials are as stupid as admin:1234.
At DEFCON 2014 an extensive hack of an “Internet kiosk” was made possible through a tiny USB port left exposed near the floor in the back of the appliance. A related presentation called “Hack all the things: 20 devices in 45 minutes” also demonstrated how to break into many devices using externally-exposed USB ports, USB headers on circuit boards, simple serial-based “terminal headers” (e.g., “RX” and “TX”) on circuit boards and bypasses of local storage components.
You must be thinking that There Weren’t That Many IoT Security Debacles?
Recent studies indicate that the majority of currently available IoT devices have security vulnerabilities. HP found that as many 70 percent of IoT devices are vulnerable to attack.
It can connect to any computing device via a USB port and it has 64 i/o pins.