3. SACON 2020
Agenda
• IoT Architecture & Intro to IoT Security
• Security Paradigms for the Building Blocks
• Wireless Protocols
• Hands-on Exercises
• Security Development Life Cycle (SDLC) for IoT
• Fun Hacking Activities
• Summary
Hacking Zigbee-style Wireless Sensor Networks
Breaking Bluetooth Security
Attacking Consumer IoT Ecosystems
AWS IoT Core & Cloud Services
Hands-on Exercises
4. SACON 2020
Internet Of Things
• Network of devices connected to the Internet
• Connect, Collect and Exchange
• Part of the fast growing electronic culture
• Revolution in all the fields
[Figure labels: Connected People, Connected Fleets, Connected Infra, Connected Markets, Connected Assets, Connected Products; Network Data]
5. SACON 2020
Messy World of IoT Security
• “Let me get the product out first”
• “I’m paying a supplier for hardware/software. Security is their responsibility”
• “We don’t store any confidential information”
• “Let me worry about it if/when we get hacked”
• “We are 100% secure (!)”
• …
7. SACON 2020
IoT Security & Businesses
• Security is often seen as zero ROI
• Impedes rapid prototyping and delivery (doesn’t have to)
• Consumers will buy anyway
• Poor awareness; sometimes, a lack of options
• Liability laws are almost non-existent
• The few that exist don’t hold water
8. SACON 2020
Range / Power of protocols for IoT

Protocol         Power  Range
WiFi             High   Long
Zigbee / Z-Wave  Low    Short to Mid
BT / BLE         Low    Short
LPWAN            Low    Long
9. SACON 2020
Zigbee
• Low data rate wireless applications
• Smart energy, medical, home automation, IIoT
• Two bands of operation: 868/915 MHz and 2450 MHz
• Simpler & less expensive than Bluetooth
• 10-100 m range
• Zigbee Alliance
10. SACON 2020
Zigbee Security Model
• Open Trust model (Device Trust Boundary)
• Crypto protection only between devices
• All services employ the same security suite
13. SACON 2020
802.15.4
• IEEE standard for low-rate wireless personal area networks (LR-WPANs)
• 6LoWPAN for IPv6 over WPANs
• Zigbee extends 802.15.4 (wrapper services)
[Figure: OSI reference stack (Application, Presentation, Session, Transport, Network, Data Link split into Logical Link Control and Media Access Control, Physical), annotated with the Zigbee spec]
14. SACON 2020
Attacking WSN
• IoT product simulator
• 802.15.4-based network
• Packet sniffing, manipulation and injection
• Goals:
  • Understanding basic packet header formats
  • Security models for protecting communication
  • Hardware and software tools for packet sniffing & injection
15. SACON 2020
Challenges
• Insufficient security research and documentation
• Few testing/debugging platforms
• Reliable ones are very expensive or obsoleted
• Beta quality hardware at best
• Took us weeks, studying blogs, asking questions, trial-and-error, …
• Lots of future work possible. Wanna collaborate?
20. SACON 2020
Approach
• We care about:
  • Integrity of data transmitted (bi-directional)
  • Confidentiality (sometimes)
  • Device attestation in the WSN
• Crypto
• IoT Platform Constraints
  • RAM and flash memory are often in KBs
  • Traditional crypto is way too intensive
  • Libraries — Few and proprietary
21. SACON 2020
Summary
• Protecting data integrity is (should be) a key security objective
• Use Crypto
• Challenges
  • Need for HW Acceleration
  • Key provisioning and exchange
  • Traditional Public Key Crypto is often unacceptable
  • Nonce-based approaches are easy but insecure
• We did not discuss:
  • Device Security Measures (Secure Boot, Secure FOTA, etc.)
  • Out of the box provisioning, device mapping and reuse
  • Key Management
23. SACON 2020
Agenda
• Consumer IoT
• Case Study: “X” Fitness Band & “X” Wearable Technology device
• Weaknesses in Smartphone Platforms <—> Wearables channels
• Hands-on hacking of Bluetooth and BLE protocols
• Hardening BLE
• AWS IoT Core
• Secure by Design and SDLC for IoT Platforms
25. SACON 2020
Introduction
• Wireless protocol for short range data exchange
  • BT: 1-100 m
  • BLE: 10-600 m
• BLE is a light-weight subset of classic Bluetooth with low power consumption
• RF range: 2.4 - 2.485 GHz
• Maintained & governed by the Bluetooth Special Interest Group (SIG)
• Popular use cases: wearable devices, smart pay systems, healthcare, smart security systems, etc.
26. SACON 2020
Bluetooth 5
Feature            Bluetooth 5      Bluetooth 4.2
Speed              Supports 2 Mbps  Supports 1 Mbps
Range              40 m indoor      10 m indoor
Power Requirement  Low              High
Message capacity   255 bytes        31 bytes
• Latest version of BT and BLE Spec
• Improvements to BLE
• Aimed at IoT (especially consumer)
27. SACON 2020
Bluetooth LE security
Secure Simple Pairing (SSP)
• Just Works: very limited/no user interface
• Numeric Comparison: devices with a display or yes/no button
• Passkey Entry: 6-digit PIN as the passkey
• Out of Band: an out-of-band channel for key exchange to thwart MITM attacks
• Network traffic is encrypted with AES-128
32. SACON 2020
Summary
• BT/BLE network packet analysis is easy
• Market-available HW and SW
• Many products do not enable the existing encryption mechanisms offered by the BT spec
• At the very least, enable LTK-encryption
36. SACON 2020
Agenda
• IoT Services from Modern Cloud Vendors
• AWS IoT Core
• Setting up IoT Core with device simulators
• Secure configuration
• AWS Cloud Security Checks
37. SACON 2020
What is it?
• Managed cloud service for connected devices to interact with cloud applications
• Amazon FreeRTOS — open-source OS for MCUs (low power & memory)
• Connect and manage devices
• Secure the communication
• Process and Act
• Monitor
39. SACON 2020
Security Development Life Cycle
[Figure: SDLC phases with their security activities and deliverables, applied across three tracks: Device, Mobile, Cloud]
Program Conception: Security Architecture, Privacy Requirements
Design: Threat Modeling, Attack Trees & Data Access Reviews
Implementation: Focused Security Code Reviews & Privacy Planning
Pre-Launch: Fuzzing, Penetration Testing, Privacy Sign-off
Deployment: Fix verification, Incident Response Planning
Maintenance: Delta Security Assessment, Security for Continuous Integration/Delivery
Deliverables: Reviews; Reviews & Reports; Reports; Resolution & Sign-off; Reports
40. SACON 2020
Privacy
• Why worry?
• Global Markets
• Country-specific guidelines
• Ecosystems and overlapping policies
GDPR!
41. SACON 2020
Summary
• Plethora of protocols & standards make IoT security messy
• Make hardware & software for IoT comms undergo penetration testing
  • RZUSBStick works great. Also, ApiMote
  • Not much else
  • BT/BLE sniffing is very sketchy
• Cloud Services giants & increasing number of IoT services
• SDLC and Shift-left
[Figure labels: Ecosystem, Protocols, Integration, Interoperability]