SlideShare uma empresa Scribd logo

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

Y
Yogesh Ojha

Getting started with IoT Security, Hardware Hacking, Penetration Testing the IoT Devices, Firmware Reverse Engineering

Tecnologia
1 de 47
Baixar para ler offline
Doing the IOT Penetration Testing – The right Way! Yogesh Ojha
USER INFORMATION ____________________________________ Yogesh Ojha From Nepal Cyber Security Analyst Tata Consultancy Services India ------------------------------------ Primary Research area includes IoT Security, Hardware Hacking and mobile application security ------------------------------------ Medium https://medium.com/@yogeshojha /Speaker/yogeshojha/KazHackStan> whoami
● Understanding the basics of IoT Security ● Trends in IoT Security ● Attack Surface Mapping for IoT devices ● Understanding Effective penetration testing methodology for IoT ● Common vulnerabilities in IoT components ● Some Demos Expectations/Agenda
Definition of IoT Wikipedia: system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human to human or human to computer interaction IBM: concept of connecting any device to the Internet and to other connected devices. The IoT is a giant network of connected things and people – all of which collect and share data about the way they are used and about the environment around them Gartner: network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment
Definition of IoT IOT+ + + + = Hardware Web Mobile Cloud Internet
Things in the Internet of Things
Current IoT security Problems 7
Current IoT security Problems 8 IoT Security ≠ Device Security
IoT at the moment 9
Where to start?
Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
Current IoT security Problems 12 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware
Current IoT security Problems 13 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage
Current IoT security Problems 14 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc
Current IoT security Problems 15 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc Mobile Insecure API, Missing Authentication, Lack of Obfuscation
Current IoT security Problems 16 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc Mobile Insecure API, Missing Authentication, Lack of Obfuscation
Current IoT security Problems 17 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc Mobile Insecure API, Missing Authentication, Lack of Obfuscation IoT = Hardware + Software + Cloud + internet
Effective IoT Pentesting Methodology ● Evaluation ● Device Reconnaissance ○ Without Teardown ○ Teardown ● Mobile, Cloud & Web APIs ● Firmware reverse engineering ● Network ● Non-Invasive Hardware Attacks ● Radio (RF)
Evaluation & Device Reconnaissance 19 Evaluation Understanding what the device does… Any Visible ports? USB, UART, Anything else? Find out the different components(Mobile, Web, Any Sensors, whatever component) and the communication medium they interact through (BLE, Internet, ZigBee, MQTT) Are there any web end points? Your mobile app communicating to device via internet? Map out features, functions, components, and communication path Probably an architecture diagram?
Evaluation & Device Reconnaissance 20 Device Reconnaissance without tearing up the device Component version, Hardware version, Software version, Operating System Used(Mostly Linux) Find out Chipset Used Once you have the chipset name/number, look for the datasheet FCC Data -> https://fccid.io/ many times, this will reveal wealth of information about the device Circuitry connection ● UART ● JTAG ● SPI #A quick Demo
Teardown Get your screwdriver! Look for the screws behind the rubber pads or labels Have a look at the chipsets used, use phone’s flashlight to read the component’s name/number Use google to find out more information on chipset used and look for datasheet
Evaluation & Device Reconnaissance 22 Device Reconnaissance after tearing up the device Look for Physical Ports ● USB ● Serial ● Ethernet Circuitry Connection ● UART - Usually 3-4 pins ● JTAG - 6,12,13,20 pin header ● SPI - indicates the presence of a flash chip De-Solder the IC for extracting firmware
Firmware 23 Firmware Any software on your IoT device, responsible for running the IoT Obtaining the firmware ● Dumping from Device ● Vendor’s Website ● Support Groups & forums ● RE Mobile Application ● Download from vendor FTP server or search on ftp index sites ● Capture the firmware during update, traces of DFU from wireshark Analysis of firmware before exploiting any hardware or software is important
What to look for in Firmware? 24 ● Sensitive information about device ● Hardcoded SSIDs ● Hard-coded Passwords ● API tokens & endpoints ● Vulnerable services ● Firmware OTA update URLs ● Configuration files ● Source code ● Private keys ● Watch out for 3rd party libraries and SDKs
Firmware Analysis Trying to identify as many security issues as possible Firmware: bootloader + kernel + filesystem + additional resources Find out the file system: $ hexdump - C firmware.XX | grep -i ‘hsqs’ hsqs is magic byte for squashfs Use dd and unsquashfs to dump the contents of the firmware once squashfs is confirmed Do this automatically using binwalk $ binwalk -e yourFirmware.bin Firmware Analysis Use Firmwalker : https://github.com/craigz28/firmwalker to look for interesting entries Firmware Analysis Toolkit From Attify https://github.com/attify/firmware-analysis-toolkit 25
Firmware Analysis FAQ Can I emulate the firmware? Yes, use Qemu and Chroot. There are tools built on top of Qemu like firmadyne, FAT by attify that does almost everything like finding CPU architecture, running binwalk etc automatically for you. Can I modify the firmware? Yes, use Firmware-Mod-Kit FMK Find out if device detects firmware modifications? If yes, it is missing firmware integrity verification
Firmware Emulation DEMO Using Firmadyne and FAT.
Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
UART Identification 29 Actually being used by manufacturers for debugging/diagnostic purpose UART - 3 or 4 pins VCC, GND, TX, RX Goal is to Identify TX, RX, GND and VCC GND and VCC are pretty easy to identify Identifying TX Get your multimeter ● One probe of your multimeter in the one of the pins and another probe in GND ● Reboot the device & measure the voltage between the remaining pins and GND (other than the Vcc and GND) ● Significant data transfer during bootup, notice the huge fluctuation in the voltage on one of the pins during boot process → TX Identifying RX ● The remaining pin with lowest voltage fluctuation → RX
UART Exploitation 30 Once you have identified the pinouts for the Serial interface ● identify baud rate and use attify badge or any cheap usb2ttl Use Minicom to login to shell ● If you obtain the Shell ● Find out what all can be done from here ● Try dumping the firmware ● Try controlling the device components via the shell ● If the shell is authenticated, try brute forcing ;) If UART is missing from PCB, look for the datasheet of the chipset used, trace the circuit, use multimeter to find TX and RX
JTAG Identification & Exploitation 31 JTAG- 6,12,13,20 pin header Use JTAGulator Use it to dump firmware or write new firmware Provides direct access to RAM and flash Look for Test Data in (TDI),Test Data Out(TDO, Test Clock (TTCK) and test mode select (TMS) sudo screen /dev/ttyUSBX baudRate
SPI Firmware/BIOS/Context Extraction 33 SPI and I2c falls under serial communication Use flashrom and USB programmer to extract firmware or contents of SOIC8 SPI chip sudo apt-get install flashrom List possible chipset name flashrom -p deviceXXXX Extract Firmware/Contents flashrom -p deviceXXX -c chipset
NAND Glitching 34 Used to bypass security measures (if no root shell on UART console) Short circuit one of the I/O pins of the device's NAND flash to a GND pin This has to be performed as soon as the bootloader has booted and the kernel is about to boot up If shorting works! kernel will fail to boot and thus causing you to drop to the default bootloader prompt Further reading: ● https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic1-final/report.pdf ● https://www.cl.cam.ac.uk/~sps32/ECRYPT2011_1.pdf ● https://www.blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-Electrical-Glitching-Attacks.pdf
Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
Identifying vulnerabilities in web console 36 Look for the good old bugs like XSS, SQLi, XXE, XSRF, IDOR etc Use Burp Proxy to intercept, view and alter web traffic Check for permission level bugs user, root, admin Watch out for Command Injection
Identifying vulnerabilities in Mobile app 37 Mobile Reverse engineer the mobile application, you may find entire logic on how device communicates with mobile app Use jadx and apktool to RE mobile app Use MobSF for static Analysis Try Understanding the Java code Common issues found in Mobile app ● hardcoded firmware download URLs ● Hardcoded SSIDs ● Hardcoded encryption keys ● Hardcoded username and password ● API URLS, port and much more I would be surprised if you didn’t find anything useful after RE mobile app. Many times, the mobile applications will have firmware required for DFU
Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
Identifying issues in Radio 39 Radio analysis requires special hardware and software Different protocol require different h/w and s/w Most commonly used are: BLE and ZigBee What could be done with RF signals? ● Jamming based attacks ● Modifying and replay attack ● Sniffing the radio packets
Identifying issues in BLE 40 Straightforward process Reverse Engineer the mobile app, this should give you enough information on which handle is data being written BLE Sniffer - Ubertooth $$$ , Adafruit BLE Sniffer $$ Android HCIdump: $0 Use gatttool to rewrite those values on handles. How I hacked Mi Band: https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43 d68c272391 Tools available: BTLeJuice, Gattacker
Identifying issues in BLE 41 Straightforward process Reverse Engineer the mobile app, this should give you enough information on which handle is data being written BLE Sniffer - Ubertooth $$$ , Adafruit BLE Sniffer $$ Android HCIdump: $0 Use gatttool to rewrite those values on handles. How I hacked Mi Band: https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43 d68c272391 Tools available: BTLeJuice, Gattacker
Identifying issues in BLE 42 Services: Set of provided features and associated behaviors to interact with the peripheral. Each service contains a collection of characteristics. Characteristics: Characteristics are defined attribute types that contain a single logical value. You can use nrftool app to identify Services and Characteristics Scan for LE 3 devices, out of 5 devices that I tested, did not have authentication!!! Use 2 of these BLE 4.0 CSR Dongles with BTLEJuice to intercept BLE traffic What to look for? ● Is replay possible? ● Is jamming possible? ● Is it possible to write in the handle using gatttool? ● Look for sensitive information being sent in clear text. (PIN in BLE Lock)
Identifying issues in Zigbee 43 2.4 GHz, 868 MHz(EU) or 944 MHz (US and AU) Find ZigBee channel in which DUT is being operated Use CC2532 $$ cheap ZigBee Sniffer Also, Capture communication using zb_dump and analyze in Wireshark Most of the times, communication could be encrypted Capture the key exchange or find the key inside device or firmware Try decrypting the communication What to look for? ● Is replay possible? ● Sniff, MiTM possible? Hardware: Atmel RzRaven USB Stick KillerBee: Framework and Tools for Attacking ZigBee https://github.com/riverloopsec/killerbee
Attacker Tools - Software 44 ● Software Disassemblers ○ Ghidra ○ IDA ○ Binary Ninja ● Firmware Reverse Engineering ○ Binwalk ○ Any Extraction tools ● Fuzzing ○ QEMU ○ OpenOCD ○ Flashrom ● Minicom ● Protocol specific tools like can-utils ● Packet Inspection ○ Wireshark ● HTTP Proxy ○ Burp Suite - Yayy!!! ● Bluetooth ○ Bluehydra ○ Gattacker ○ BTLEJuice ● RF ○ Wireshark ○ GNU Radio ○ SDR ● Mobile reverse engineering ○ Apktool ○ jadx
Attacker Tools - Hardware 45 ● General Toolkits ○ Screwdriver ;) ○ Multimeter ○ Soldering iron ○ Connectors/Cable/Wires ● Interface Tools ○ USB2UART ○ Flash Dumper ● RF Tools ○ Bluetooth Sniffing ■ Ubertooth One ■ Bluefruit/Nordic Sniffer ■ Commercial Sniffers $$$ ○ Software Defined Radio ■ RTL-SDR ■ HackRF ■ BladeRF ○ Zigbee ■ CC2531 Sniffer
Conclusion 46 ● Hardware Best Practices ○ Disable UART in production Case Study: One of the Xiaomi router enables the UART during the first boot after firmware is flashed, then completely disables it. Possible Solution ○ Disable JTAG in production ○ Encrypt firmware and data by using Trusted Platform module ● Software Best Practices ○ Data in transit must be encrypted end to end using SSL/TLS ○ Data in rest should be stored encrypted and stored in Tamper-resistant chips ○ Harden the RE process
Thanks Further Reading Follow these awesome people/talk/group/organization/blog/books for IoT Security ● Attify ● Pentesting Hardware And IoT by Mark Carney ● DEF CON 23 - IoT Village - Daniel Miessler - IoT Attack Surface Mapping ● IoT Penetration Testing by KreischerMiller ● IoT Penetration Testing Cookbook ● http://iotpentest.com/ ● https://www.iotpentestingguide.com ● https://github.com/V33RU/IoTSecurity101 ● https://www.exploitee.rs/ Practice on https://github.com/Vulcainreo/DVID

Recomendados

IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration TestingMohammed Adam
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
SSL Sertifikalarından Phishing Domain Tespiti
SSL Sertifikalarından Phishing Domain TespitiSSL Sertifikalarından Phishing Domain Tespiti
SSL Sertifikalarından Phishing Domain TespitiBGA Cyber Security
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodann|u - The Open Security Community
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesomeSumedt Jitpukdebodin
 
Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Eduardo Arriols Nuñez
 

Recomendados

IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration TestingMohammed Adam
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
SSL Sertifikalarından Phishing Domain Tespiti
SSL Sertifikalarından Phishing Domain TespitiSSL Sertifikalarından Phishing Domain Tespiti
SSL Sertifikalarından Phishing Domain TespitiBGA Cyber Security
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodann|u - The Open Security Community
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesomeSumedt Jitpukdebodin
 
Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Eduardo Arriols Nuñez
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiBGA Cyber Security
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewSam Bowne
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breachSumedt Jitpukdebodin
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Snort IPS(Intrusion Prevention System) Eğitimi
Snort IPS(Intrusion Prevention System) EğitimiSnort IPS(Intrusion Prevention System) Eğitimi
Snort IPS(Intrusion Prevention System) EğitimiBGA Cyber Security
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreveerababu penugonda(Mr-IoT)
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 
Virtual machine and javascript engine
Virtual machine and javascript engineVirtual machine and javascript engine
Virtual machine and javascript engineDuoyi Wu
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to SnortHossein Yavari
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation Cysinfo Cyber Security Community
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Price McDonald
 

Mais conteúdo relacionado

Mais procurados

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiBGA Cyber Security
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewSam Bowne
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breachSumedt Jitpukdebodin
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Snort IPS(Intrusion Prevention System) Eğitimi
Snort IPS(Intrusion Prevention System) EğitimiSnort IPS(Intrusion Prevention System) Eğitimi
Snort IPS(Intrusion Prevention System) EğitimiBGA Cyber Security
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 
Virtual machine and javascript engine
Virtual machine and javascript engineVirtual machine and javascript engine
Virtual machine and javascript engineDuoyi Wu
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 

Mais procurados (20)

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts Review
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Snort IPS(Intrusion Prevention System) Eğitimi
Snort IPS(Intrusion Prevention System) EğitimiSnort IPS(Intrusion Prevention System) Eğitimi
Snort IPS(Intrusion Prevention System) Eğitimi
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
 
Virtual machine and javascript engine
Virtual machine and javascript engineVirtual machine and javascript engine
Virtual machine and javascript engine
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 

Semelhante a KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Price McDonald
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabledpricemcdonald
 
Iot forensics
Iot forensicsIot forensics
Iot forensicsAbeis Ab
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsPrice McDonald
 
MicroEJ OS and Edje: the software foundation for IoT devices
MicroEJ OS and Edje: the software foundation for IoT devicesMicroEJ OS and Edje: the software foundation for IoT devices
MicroEJ OS and Edje: the software foundation for IoT devicesMicroEJ
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillageagmoneyy
 
IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and ChallengesOWASP Delhi
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Eclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersEclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersMicroEJ
 
IOT Forensic Challenges
IOT Forensic ChallengesIOT Forensic Challenges
IOT Forensic ChallengesAnukaJinadasa
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 

Semelhante a KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha (20)

IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabled
 
Iot forensics
Iot forensicsIot forensics
Iot forensics
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the Things
 
IoT Session Thomas More
IoT Session Thomas MoreIoT Session Thomas More
IoT Session Thomas More
 
Cc internet of things @ Thomas More
Cc internet of things @ Thomas MoreCc internet of things @ Thomas More
Cc internet of things @ Thomas More
 
MicroEJ OS and Edje: the software foundation for IoT devices
MicroEJ OS and Edje: the software foundation for IoT devicesMicroEJ OS and Edje: the software foundation for IoT devices
MicroEJ OS and Edje: the software foundation for IoT devices
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillage
 
IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and Challenges
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
IOT Forensics
IOT ForensicsIOT Forensics
IOT Forensics
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Eclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersEclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for Microcontrollers
 
IOT Forensic Challenges
IOT Forensic ChallengesIOT Forensic Challenges
IOT Forensic Challenges
 
What is being exposed from IoT Devices
What is being exposed from IoT DevicesWhat is being exposed from IoT Devices
What is being exposed from IoT Devices
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
 

Último

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Último (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

  • 1. Doing the IOT Penetration Testing – The right Way! Yogesh Ojha
  • 2. USER INFORMATION ____________________________________ Yogesh Ojha From Nepal Cyber Security Analyst Tata Consultancy Services India ------------------------------------ Primary Research area includes IoT Security, Hardware Hacking and mobile application security ------------------------------------ Medium https://medium.com/@yogeshojha /Speaker/yogeshojha/KazHackStan> whoami
  • 3. ● Understanding the basics of IoT Security ● Trends in IoT Security ● Attack Surface Mapping for IoT devices ● Understanding Effective penetration testing methodology for IoT ● Common vulnerabilities in IoT components ● Some Demos Expectations/Agenda
  • 4. Definition of IoT Wikipedia: system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human to human or human to computer interaction IBM: concept of connecting any device to the Internet and to other connected devices. The IoT is a giant network of connected things and people – all of which collect and share data about the way they are used and about the environment around them Gartner: network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment
  • 5. Definition of IoT IOT+ + + + = Hardware Web Mobile Cloud Internet
  • 6. Things in the Internet of Things
  • 7. Current IoT security Problems 7
  • 8. Current IoT security Problems 8 IoT Security ≠ Device Security
  • 9. IoT at the moment 9
  • 11. Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
  • 12. Current IoT security Problems 12 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware
  • 13. Current IoT security Problems 13 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage
  • 14. Current IoT security Problems 14 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc
  • 15. Current IoT security Problems 15 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc Mobile Insecure API, Missing Authentication, Lack of Obfuscation
  • 16. Current IoT security Problems 16 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc Mobile Insecure API, Missing Authentication, Lack of Obfuscation
  • 17. Current IoT security Problems 17 Firmware Missing encryption, Missing Firmware validation, Hardcoded Sensitive information inside Firmware Hardware Open debug ports, plain text communication in Bus, Insecure Storage Web Good old XXE, XSS, CSRF etc Mobile Insecure API, Missing Authentication, Lack of Obfuscation IoT = Hardware + Software + Cloud + internet
  • 18. Effective IoT Pentesting Methodology ● Evaluation ● Device Reconnaissance ○ Without Teardown ○ Teardown ● Mobile, Cloud & Web APIs ● Firmware reverse engineering ● Network ● Non-Invasive Hardware Attacks ● Radio (RF)
  • 19. Evaluation & Device Reconnaissance 19 Evaluation Understanding what the device does… Any Visible ports? USB, UART, Anything else? Find out the different components(Mobile, Web, Any Sensors, whatever component) and the communication medium they interact through (BLE, Internet, ZigBee, MQTT) Are there any web end points? Your mobile app communicating to device via internet? Map out features, functions, components, and communication path Probably an architecture diagram?
  • 20. Evaluation & Device Reconnaissance 20 Device Reconnaissance without tearing up the device Component version, Hardware version, Software version, Operating System Used(Mostly Linux) Find out Chipset Used Once you have the chipset name/number, look for the datasheet FCC Data -> https://fccid.io/ many times, this will reveal wealth of information about the device Circuitry connection ● UART ● JTAG ● SPI #A quick Demo
  • 21. Teardown Get your screwdriver! Look for the screws behind the rubber pads or labels Have a look at the chipsets used, use phone’s flashlight to read the component’s name/number Use google to find out more information on chipset used and look for datasheet
  • 22. Evaluation & Device Reconnaissance 22 Device Reconnaissance after tearing up the device Look for Physical Ports ● USB ● Serial ● Ethernet Circuitry Connection ● UART - Usually 3-4 pins ● JTAG - 6,12,13,20 pin header ● SPI - indicates the presence of a flash chip De-Solder the IC for extracting firmware
  • 23. Firmware 23 Firmware Any software on your IoT device, responsible for running the IoT Obtaining the firmware ● Dumping from Device ● Vendor’s Website ● Support Groups & forums ● RE Mobile Application ● Download from vendor FTP server or search on ftp index sites ● Capture the firmware during update, traces of DFU from wireshark Analysis of firmware before exploiting any hardware or software is important
  • 24. What to look for in Firmware? 24 ● Sensitive information about device ● Hardcoded SSIDs ● Hard-coded Passwords ● API tokens & endpoints ● Vulnerable services ● Firmware OTA update URLs ● Configuration files ● Source code ● Private keys ● Watch out for 3rd party libraries and SDKs
  • 25. Firmware Analysis Trying to identify as many security issues as possible Firmware: bootloader + kernel + filesystem + additional resources Find out the file system: $ hexdump - C firmware.XX | grep -i ‘hsqs’ hsqs is magic byte for squashfs Use dd and unsquashfs to dump the contents of the firmware once squashfs is confirmed Do this automatically using binwalk $ binwalk -e yourFirmware.bin Firmware Analysis Use Firmwalker : https://github.com/craigz28/firmwalker to look for interesting entries Firmware Analysis Toolkit From Attify https://github.com/attify/firmware-analysis-toolkit 25
  • 26. Firmware Analysis FAQ Can I emulate the firmware? Yes, use Qemu and Chroot. There are tools built on top of Qemu like firmadyne, FAT by attify that does almost everything like finding CPU architecture, running binwalk etc automatically for you. Can I modify the firmware? Yes, use Firmware-Mod-Kit FMK Find out if device detects firmware modifications? If yes, it is missing firmware integrity verification
  • 27. Firmware Emulation DEMO Using Firmadyne and FAT.
  • 28. Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
  • 29. UART Identification 29 Actually being used by manufacturers for debugging/diagnostic purpose UART - 3 or 4 pins VCC, GND, TX, RX Goal is to Identify TX, RX, GND and VCC GND and VCC are pretty easy to identify Identifying TX Get your multimeter ● One probe of your multimeter in the one of the pins and another probe in GND ● Reboot the device & measure the voltage between the remaining pins and GND (other than the Vcc and GND) ● Significant data transfer during bootup, notice the huge fluctuation in the voltage on one of the pins during boot process → TX Identifying RX ● The remaining pin with lowest voltage fluctuation → RX
  • 30. UART Exploitation 30 Once you have identified the pinouts for the Serial interface ● identify baud rate and use attify badge or any cheap usb2ttl Use Minicom to login to shell ● If you obtain the Shell ● Find out what all can be done from here ● Try dumping the firmware ● Try controlling the device components via the shell ● If the shell is authenticated, try brute forcing ;) If UART is missing from PCB, look for the datasheet of the chipset used, trace the circuit, use multimeter to find TX and RX
  • 31. JTAG Identification & Exploitation 31 JTAG- 6,12,13,20 pin header Use JTAGulator Use it to dump firmware or write new firmware Provides direct access to RAM and flash Look for Test Data in (TDI),Test Data Out(TDO, Test Clock (TTCK) and test mode select (TMS) sudo screen /dev/ttyUSBX baudRate
  • 32.
  • 33. SPI Firmware/BIOS/Context Extraction 33 SPI and I2c falls under serial communication Use flashrom and USB programmer to extract firmware or contents of SOIC8 SPI chip sudo apt-get install flashrom List possible chipset name flashrom -p deviceXXXX Extract Firmware/Contents flashrom -p deviceXXX -c chipset
  • 34. NAND Glitching 34 Used to bypass security measures (if no root shell on UART console) Short circuit one of the I/O pins of the device's NAND flash to a GND pin This has to be performed as soon as the bootloader has booted and the kernel is about to boot up If shorting works! kernel will fail to boot and thus causing you to drop to the default bootloader prompt Further reading: ● https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic1-final/report.pdf ● https://www.cl.cam.ac.uk/~sps32/ECRYPT2011_1.pdf ● https://www.blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-Electrical-Glitching-Attacks.pdf
  • 35. Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
  • 36. Identifying vulnerabilities in web console 36 Look for the good old bugs like XSS, SQLi, XXE, XSRF, IDOR etc Use Burp Proxy to intercept, view and alter web traffic Check for permission level bugs user, root, admin Watch out for Command Injection
  • 37. Identifying vulnerabilities in Mobile app 37 Mobile Reverse engineer the mobile application, you may find entire logic on how device communicates with mobile app Use jadx and apktool to RE mobile app Use MobSF for static Analysis Try Understanding the Java code Common issues found in Mobile app ● hardcoded firmware download URLs ● Hardcoded SSIDs ● Hardcoded encryption keys ● Hardcoded username and password ● API URLS, port and much more I would be surprised if you didn’t find anything useful after RE mobile app. Many times, the mobile applications will have firmware required for DFU
  • 38. Scope of IoT Testing RadioCloud Device Firmware Interface like JTAG, UART, SPI, and I2C, Chipset, Memory etc Hardware Software Web Mobile Wireless, BLE, ZigBee, MQTT, Bluetooth Classic
  • 39. Identifying issues in Radio 39 Radio analysis requires special hardware and software Different protocol require different h/w and s/w Most commonly used are: BLE and ZigBee What could be done with RF signals? ● Jamming based attacks ● Modifying and replay attack ● Sniffing the radio packets
  • 40. Identifying issues in BLE 40 Straightforward process Reverse Engineer the mobile app, this should give you enough information on which handle is data being written BLE Sniffer - Ubertooth $$$ , Adafruit BLE Sniffer $$ Android HCIdump: $0 Use gatttool to rewrite those values on handles. How I hacked Mi Band: https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43 d68c272391 Tools available: BTLeJuice, Gattacker
  • 41. Identifying issues in BLE 41 Straightforward process Reverse Engineer the mobile app, this should give you enough information on which handle is data being written BLE Sniffer - Ubertooth $$$ , Adafruit BLE Sniffer $$ Android HCIdump: $0 Use gatttool to rewrite those values on handles. How I hacked Mi Band: https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43 d68c272391 Tools available: BTLeJuice, Gattacker
  • 42. Identifying issues in BLE 42 Services: Set of provided features and associated behaviors to interact with the peripheral. Each service contains a collection of characteristics. Characteristics: Characteristics are defined attribute types that contain a single logical value. You can use nrftool app to identify Services and Characteristics Scan for LE 3 devices, out of 5 devices that I tested, did not have authentication!!! Use 2 of these BLE 4.0 CSR Dongles with BTLEJuice to intercept BLE traffic What to look for? ● Is replay possible? ● Is jamming possible? ● Is it possible to write in the handle using gatttool? ● Look for sensitive information being sent in clear text. (PIN in BLE Lock)
  • 43. Identifying issues in Zigbee 43 2.4 GHz, 868 MHz(EU) or 944 MHz (US and AU) Find ZigBee channel in which DUT is being operated Use CC2532 $$ cheap ZigBee Sniffer Also, Capture communication using zb_dump and analyze in Wireshark Most of the times, communication could be encrypted Capture the key exchange or find the key inside device or firmware Try decrypting the communication What to look for? ● Is replay possible? ● Sniff, MiTM possible? Hardware: Atmel RzRaven USB Stick KillerBee: Framework and Tools for Attacking ZigBee https://github.com/riverloopsec/killerbee
  • 44. Attacker Tools - Software 44 ● Software Disassemblers ○ Ghidra ○ IDA ○ Binary Ninja ● Firmware Reverse Engineering ○ Binwalk ○ Any Extraction tools ● Fuzzing ○ QEMU ○ OpenOCD ○ Flashrom ● Minicom ● Protocol specific tools like can-utils ● Packet Inspection ○ Wireshark ● HTTP Proxy ○ Burp Suite - Yayy!!! ● Bluetooth ○ Bluehydra ○ Gattacker ○ BTLEJuice ● RF ○ Wireshark ○ GNU Radio ○ SDR ● Mobile reverse engineering ○ Apktool ○ jadx
  • 45. Attacker Tools - Hardware 45 ● General Toolkits ○ Screwdriver ;) ○ Multimeter ○ Soldering iron ○ Connectors/Cable/Wires ● Interface Tools ○ USB2UART ○ Flash Dumper ● RF Tools ○ Bluetooth Sniffing ■ Ubertooth One ■ Bluefruit/Nordic Sniffer ■ Commercial Sniffers $$$ ○ Software Defined Radio ■ RTL-SDR ■ HackRF ■ BladeRF ○ Zigbee ■ CC2531 Sniffer
  • 46. Conclusion 46 ● Hardware Best Practices ○ Disable UART in production Case Study: One of the Xiaomi router enables the UART during the first boot after firmware is flashed, then completely disables it. Possible Solution ○ Disable JTAG in production ○ Encrypt firmware and data by using Trusted Platform module ● Software Best Practices ○ Data in transit must be encrypted end to end using SSL/TLS ○ Data in rest should be stored encrypted and stored in Tamper-resistant chips ○ Harden the RE process
  • 47. Thanks Further Reading Follow these awesome people/talk/group/organization/blog/books for IoT Security ● Attify ● Pentesting Hardware And IoT by Mark Carney ● DEF CON 23 - IoT Village - Daniel Miessler - IoT Attack Surface Mapping ● IoT Penetration Testing by KreischerMiller ● IoT Penetration Testing Cookbook ● http://iotpentest.com/ ● https://www.iotpentestingguide.com ● https://github.com/V33RU/IoTSecurity101 ● https://www.exploitee.rs/ Practice on https://github.com/Vulcainreo/DVID