Security the IoT World!
Hello! I am Aaron Guzman
Pentester
Chapter Leader for OWASP, CSA, HTCIA
You can find me at: @scriptingxss
Agenda
The Basics: IoT? The concepts
Digging a little deeper: Supply Chain. Push out those ideas to market
The realities: Numbers on the rise
The issues: Pfft... what's security? But wait, my privacy
The Resolutions: Saving the world
The Basics
IoT
What Exactly is IoT?
“The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”
Source: http://www.gartner.com/it-glossary/internet-of-things/
Source: http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
The Concepts
IoT
Digging a little deeper
Hardware
IoT OS and Frameworks
Platform = The Cloud
Protocols for Communication
❏ Zigbee
❏ Wi-Fi
❏ NFC
❏ Z-Wave
❏ CoAP
❏ 6LoWPAN
❏ XMPP
❏ BLE
❏ SOAP
❏ REST
❏ MQTT
❏ Lutron
❏ RFID
❏ GSM
Hubs
4.9 Billion Connected Devices in 2015
Source: http://www.gartner.com/newsroom/id/2905717
Pads
Leads
Traces
Silkscreens
Analog vs Digital
Layers (4)
Reflow
PCB
source: https://learn.sparkfun.com/tutorials/electronics-assembly
Board Support Packages (BSP)
❏ VxWorks
❏ Marvell
❏ Broadcom
❏ Texas Instruments
❏ Intel
❏ AMD
❏ NXP
★ Create the device drivers
Original Design Manufacturer (ODM)
❏ designs and manufactures a product
❏ eventually rebranded by another firm for sale
❏ allow the brand firm to produce (either as a supplement or solely) without having to engage in the organization or running of a factory.
❏ own cloud infrastructures for customers
❏ Provide SDKs
★ Many ODMs in China
★ A dime a dozen
http://en.wikipedia.org/wiki/Original_design_manufacturer
Cloud Service Providers
❏ Amazon
❏ Microsoft
❏ Google
❏ Thingsworx
❏ ODM Clouds
❏ Have their own SDKs
❏ Who knows where else?
http://en.wikipedia.org/wiki/Original_design_manufacturer
Original Equipment Manufacturer (OEM)
❏ Manufacturers who resell another company's product under their own name and branding.
❏ Offers its own warranty, support and licensing of the product.
http://en.wikipedia.org/wiki/Original_design_manufacturer
IoT Supply Chain Process
BSP, ODM, OEM, CSP
★ Each likely to outsource development work and have multiple teams
Keep in Mind
Hardware comes from everywhere
Primary Roles: PMs, Sales, Engineers
Supply Chain Process (Cont)
Sales
★ Get the business
★ Outreach
★ Create relationships
PMs
★ Prioritizes
★ Objective based
★ Project specific to engineer team
Engineers
★ Write code
★ May not be a big team
★ Different workflows per dev team
★ Split up into features, i.e. UI team, UX team, backend, Android, iOS
Anyone Looking at Security??
Hardware Security (Exploitation)
Vectors
❏ UART
❏ JTAG
❏ EEPROM
❏ SPI
❏ SOIC
❏ I2C
Tools
❏ Shikra (UART, SPI, JTAG)
❏ Bus Pirate
❏ JTAGulator
❏ GoodFET
❏ flashrom
❏ EE Tools
❏ Chipquik
Source: my Linksys 1900AC :)
Embedded Security
Common
❏ TCP
❏ ToolChains (Libs)
❏ UART
❏ JTAG
❏ Layer 7
❏ EEPROM
❏ Bluetooth
Less Common
❏ TCP
❏ Flash
❏ GSM
❏ GPS
❏ I2C
❏ Kernel (115 CVEs 2014)
Source: http://lwn.net/talks/2015/kr-lca-2015.pdf
Wireless Security aka RF
❏ Zigbee (2.4 GHz / 915 MHz)
❏ Killerbee Framework
❏ Soon Xipiter’s “RFCat Zigbee”
❏ Atmel
❏ 802.11
❏ Hundreds of tools
❏ Z-Wave
❏ Z-force
❏ Bluetooth LE
❏ nRF51822 - v1.0
❏ Proprietary bands
❏ TI C1111
First time sniffing BLE traffic
Source: http://securityreactions.tumblr.com/
Android App Security
❏ Webview Security
❏ Privacy
❏ Client-side Inject
❏ AndroidManifest.xml
❏ Permissions
❏ Activities, Broadcast Receivers, Services
❏ Android APIs
❏ Memory Security
❏ addJavascriptInterface
❏ Secure Storage
❏ Transport Security
❏ SSL Pinning
iPhone App Security
❏ UIWebView Security
❏ Privacy
❏ Client-side Inject
❏ Data Protection
❏ Cloud API security
❏ iOS SDK API
❏ Memory Security
❏ Injection Attacks
❏ Memory Corruption
❏ Transport Security
❏ SSL Pinning
❏ Blackbox Assessments
❏ Logging
❏ Homekit
Web App / Operational Security
❏ Network Security
❏ ACLs
❏ Systems
❏ DB
❏ Web servers
❏ LBs
❏ Daemons
❏ Application Security
❏ Language
❏ Frameworks
❏ 3rd Party Libs
A lot of work!!!....
Desktop Apps
❏ Windows
❏ OSX
❏ Old School CD setup
❏ Data storage
❏ Data permissions
❏ Persistence
Source: http://securityreactions.tumblr.com/
Known Security Downfalls
Source: http://securityreactions.tumblr.com/
“Because computers go through so many hands before they’re delivered to you, there’s a serious concern that anyone could backdoor the computer without your knowledge.”
Source: Jonathan Brossard, http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/
What not to do
❏ UART pins exposed unauthenticated or using simple passwords
❏ Manufacturing debugging scripts
❏ Backdoors using secret user agents
❏ Private keys on devices (Don't rely on obscurity)
❏ Default passwords
★ Ton of other backdoors from software down to HDL code in the chipset
Secure It Already (Embedded)
❏ Restrict shell with tamper-resistant epoxy and silkscreen
❏ Very long passwds
❏ Update kernel and packages
❏ Harden OS by removing unused code
❏ Secure updates
❏ Secure C functions
❏ Verify and test code
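The "Secure C functions" bullet in working form, as an added example that is not from the slides or the speaker: the unbounded strcpy pattern behind most embedded buffer overflows beside a bounded replacement that rejects over-long input and a snprintf wrapper that reports truncation instead of assuming the write fit. The function names and the 32-byte device-name limit are assumptions for illustration.

```c
/* Added example (not from the slides). Function names and the 32-byte
 * device-name field size are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define DEVICE_NAME_MAX 32   /* assumed field size, including the terminating NUL */

/* Unbounded copy: the classic embedded bug. If `src` is longer than the
 * caller's buffer (for example a name received over UART or from a cloud
 * API), strcpy writes past the end of it. Shown only as the pattern to avoid;
 * main() below never calls it with over-long input. */
void copy_device_name_unsafe(char dst[DEVICE_NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: refuses input that does not fit (rather than silently
 * truncating, which can change the meaning of a name or path) and always
 * leaves dst NUL-terminated. Returns 0 on success, -1 on NULL pointers,
 * a zero-length buffer, or an over-long source. */
int copy_device_name_safe(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0) {
        return -1;
    }
    /* Bounded length scan: stops at dst_len, so an unterminated or over-long
     * source cannot make this read far past the intended limit. */
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') {
        n++;
    }
    if (n == dst_len) {          /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* snprintf returns the length the full string would have had, so comparing
 * it with the buffer size detects truncation. Returns 1 if the whole line
 * fit, 0 if it was truncated or formatting failed. */
int format_status(char *out, size_t out_len, const char *name, unsigned uptime_s)
{
    int needed = snprintf(out, out_len, "device=%s uptime=%us", name, uptime_s);
    return needed >= 0 && (size_t)needed < out_len;
}

int main(void)
{
    char name[DEVICE_NAME_MAX];
    char line[48];
    /* Constructed inputs: one that fits and one 40-character name that does not. */
    const char *ok  = "sensor-kitchen-01";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("safe copy of short name: %d\n", copy_device_name_safe(name, sizeof name, ok));
    printf("safe copy of long name:  %d\n", copy_device_name_safe(name, sizeof name, bad));
    printf("status line fit: %d -> %s\n", format_status(line, sizeof line, ok, 120), line);
    return 0;
}
```

The rejecting behaviour is a deliberate design choice: on a device with no operator watching, a truncated value that is silently accepted can pass validation yet mean something different downstream, whereas a refused value fails closed and can be logged.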
Regulatory Impact
“Implement ‘security by design.’ Rather than grafting security on as an afterthought, build it into your products or services at the outset of your planning process.”
Source: https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf
FTC and EU Commission
❏ Privacy By Design
❏ Security By Design
❏ Categorization of IoT devices
❏ Biggest Consumer Protection
http://www.ftc.gov/news-events/press-releases/2013/04/ftc-seeks-input-privacy-and-security-implications-internet-things
Something is Missing
IoT Supply Chain
How can we make it more secure?
Fixing The IoT
❏ LIABILITY!
❏ Security service agreements with ODMs
❏ Legal repercussions
❏ Community Projects
❏ Security Awareness
❏ Security Processes into SDLC
❏ A common certification standard (Wi-Fi & Zigbee)
★ Realistic? ……… Maybe
Defense in Depth!!!
How to help
Thanks!
Any questions?
You can find me at:
@scriptingxss
aaron.guzman@owasp.org
Editor's Notes

1. In embedded systems, a board support package (BSP) is the implementation of specific support code (software) for a given (device motherboard) board that conforms to a given operating system. It is commonly built with a bootloader that contains the minimal device support to load the operating system and device drivers for all the devices on the board. Some suppliers also provide a root file system, a toolchain for making programs to run on the embedded system (which would be part of the architecture support package), and configurators for the devices (while running). http://en.wikipedia.org/wiki/Board_support_package
2. RTOS - VxWorks
3. http://www.ti.com/tool/packet-sniffer https://code.google.com/p/z-force/
4. Common in cameras, routers; malware worms?
5. First, companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products. Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization. Third, companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers. Fourth, when companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels. Fifth, companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network. Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
6. Liability
7. lets keep rippin them!!!