an introduction to iot penetration testing
play

An Introduction to IoT Penetration Testing @libertyunix - PowerPoint PPT Presentation

Oct 14, 2022 •386 likes •923 views

An Introduction to IoT Penetration Testing @libertyunix www.kmco.com The Agenda n IoT Attack Surface l OWASP IoT Top 10 l -1 Ring in IoT n Wireless Topics in IoT n IoT Pen Testing Tools & Examples n Q&A 2 Getting Started in IoT

  1. An Introduction to IoT Penetration Testing @libertyunix www.kmco.com

  2. The Agenda n IoT Attack Surface l OWASP IoT Top 10 l -1 Ring in IoT n Wireless Topics in IoT n IoT Pen Testing Tools & Examples n Q&A 2

  3. Getting Started in IoT Penetration Testing 3

  4. OWASP IoT Top 10 www.kmco.com 4

  5. OWASP IoT Top 10 1. Weak, Guessable, or Hardcoded Passwords l Hard Code Everything 2. Insecure Network Services l Ecosystem services are vulnerable? 3. Insecure Ecosystem Interfaces l Account Lockout? l Credentials Exposed in Network Traffic 4. Lack of Secure Update Mechanism l More info in the clear & OTA 5

  6. OWASP IoT Top 10 Cont. 5. Insecure or Outdated Components l Supply Chain Risk Management 6. Insufficient Privacy Protection l GDPR for IoT? 7. Insecure Data Transfer & Storage l More info in the clear 6

  7. OWASP IoT Top 10 Cont. 8. Insufficient Security Configurability l Lack of Password Security Options l Security Monitoring & Logging? 9. Insecure Software/Firmware l Encryption Not Used to Fetch Updates l Update File not Encrypted l Update Not Verified before Upload 10. Poor Physical Security l USB l SPI l JTAG 7

  8. -1 Protection Ring in IoT* *Not an Official Term 8

  9. Software Defined Radio & FCC ID 9

  10. Amplitude l Vertical distance between crests 10

  11. Frequency, Cycles, and Hertz l The frequency determines how often a signal is seen l 1 cycle per second = 1 Hertz 11

  12. Modulation 12

  13. Digital Modulation Amplitude Doors, Bells, On Off Keying Shift Lights, Keys Keying(ASK) Frequency Digital Gaussian FSK BLE , ZWave Shift Modulation Keying(FSK) Offset Phase Shift Quadrature Zigbee Keying(PSK) PSK(OQPSK) 13

  14. IoT Networks 14

  15. IEEE 802.15.4 & ZigBee Customer Application API – “the software” Security ZigBee – Network, Security Alliance 32- / 64- / 128-bit encryption & Application Network layers Star / Mesh / Cluster-Tree IEEE 802.15.4 MAC IEEE – “the hardware” 802.15.4 PHY – Physical & Media 868MHz / 915MHz / 2.4GHz Access Control Stack layers Silicon App Source: http://www.zigbee.org/resources/documents/IWAS_presentation_Mar04_Designing_with_802154_and_zigbee.ppt

  16. Z-WAVE 16

  17. Z-WAVE Packet 17

  18. RFID LF - 125-134 kHz RFID HF - 13.56 MHz UHF - 433 MHz & 856-960 MHz 18

  19. Bluetooth Cross Compatibility 19

  20. BLE Application 20

  21. BLE - (Adaptive) Frequency Hopping n When in a data connection, a frequency hopping algorithm is used to cycle through the data channels n Access Addresses to avoid collisions 21

  22. BLE Stack 22

  23. GATT Example 23

  24. IoT Pen Testing Tools & Examples 24

  25. IoT Penetration Testing Physical Cloud & Mobile Wireless 25

  26. IoT Testing Roadmap Example • Technical IoT SME Discovery ID Attack • OWASP Surface IoT Top • Intelligence Technical Gathering Testing • Exploitation Vulnerability • ?? Ranking Reporting 26

  27. IoT Setup Laptop – USE LINUX § Preferably a dual boot or dedicated machine Hardware OS/Software § HackRF § Ubuntu LTS § BladeRF – Most common § Yardstick One § Kali Linux § Atmel RZ RAVEN – apt-get install kali-linux-all § Ubertooth One § Universal Radio Hacker § Proxmark3 Dev Kit § GNU Radio § Arduino Nano § Blue hydra § Every cable and adapter you § Bettercap can think of § KillerBee § PC Repair and Build Kit § Binwalk § Misc § Firmadyne § A patient wife § APKtool 27

  28. Access Control Systems 28

  29. CCTV System n The real time streaming protocol “RTSP” uses port 554 to connect via TCP n Locating cameras: l #nmap –p554 192.168.1.1/24 29

  30. Access Panel Discovery 30

  31. API Interaction 31

  32. API Interaction n There are three major fields analyzed : l EncodedNum, Card Format, and the Access Levels 32

  33. IoT On-Boarding 1. IoT Device Creates Wi-Fi Network 2. PC or Tablet joins open AP 3. IoT device is then registered to connect to the local Wi-Fi 33

  34. Fun with GNU Radio 34

  35. Zigbee “Smart” Home 35

  36. Sniffing BLE 36

  37. Sniffing BLE 37

  38. Exploring Services with Bettercap 38

  39. Extracting Sensitive Data 39

  40. Exploiting BLE 40

  41. Exploiting BLE 41

  42. Binwalk 42

  43. Firmadyne n An automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware n It includes the following components: l Modified kernels (MIPS,ARM) instrumentation of firmware execution l Ability to emulate a hardware NVRAM peripheral l An extractor to extract a filesystem and kernel l A small console application to spawn an additional shell for debugging 43

  44. Firmadyne 44

  45. Hard Coded Passwords www.kmco.com 45

  46. APKTool 46

  47. Locating Keys www.kmco.com 47

  48. Automotive Security 48

  49. Bypassing Rolling Codes 49

  50. Bypassing Rolling Codes www.kmco.com 50

  51. Vapor Trail –Data Exfiltration Tool of Tomorrow 51

  52. 52 libertyunix@protonmail.com Q & A www.kmco.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Introduction to Penetration Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking a system to find security vulnerabilities in order to fix them before a malicious party attacks the system Legal if

455 views • 9 slides
Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose

Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose

MSc System and Network Engineering Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose of penetration testing auditability? Research questions What are the sources of penetration testing

554 views • 13 slides
Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview of the web Web proxy tool Reporting Gaps in the process app penetration testing process Penetration testing vs vulnerability assessment What

301 views • 17 slides
Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com

Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com

Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com Outline Common Criteria Evaluation Assurance Levels JHAS Penetration Testing and Countermeasures 2 Design and security of cryptographic

523 views • 40 slides
Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com <http://www.cymru.com> Penetration Testing Agenda Pentesting Basics Pentesting Defined Vulnerability Scanning vs. Penetration testing Pentesting

879 views • 83 slides
Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331:

Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331:

Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Testing That Digs Deeper Penetration testing is about attempting to exploit as much as possible

516 views • 18 slides
Simulated Penetration Testing: From Dijkstra to Turing Test++ J org Hoffmann June

Simulated Penetration Testing: From Dijkstra to Turing Test++ J org Hoffmann June

What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Simulated Penetration Testing: From Dijkstra to Turing Test++ J org Hoffmann June 26, 2015 J org Hoffmann Simulated Penetration Testing 1/58 What? Classical

2.44k views • 184 slides
World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST certified CREST Certified Cronus is the 1 st CREST certified Automatic Penetration Testing vendor One of top 12 tech companies transforming

611 views • 13 slides
Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY February 22. 2019 whoami AND HOW DID I GET HERE? Cecillia Tran Kelly Albrink External network pen testing & web Network pen testing,

882 views • 31 slides
CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS RFP #2416 OUR DIFFERENTIATORS Global Risk Atlantic has a deep understanding of Risk Assessment and Penetration Testing on a Assessment global

519 views • 7 slides
Practical Penetration Testing 101 Look mom Im a hacker now! Words of warning Anything

Practical Penetration Testing 101 Look mom Im a hacker now! Words of warning Anything

Practical Penetration Testing 101 Look mom Im a hacker now! Words of warning Anything you do to a remote system without authorization is illegal Use common sense Federal prison is bad Overview of Today Brief overview

348 views • 13 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges

Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges

Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid Stephen McLaughlin - Penn State University Systems and Internet Infrastructure

590 views • 33 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
Black Ops 2007: Design Review ing The Web Dan Kaminsky Director of Penetration Testing IOActive

Black Ops 2007: Design Review ing The Web Dan Kaminsky Director of Penetration Testing IOActive

Black Ops 2007: Design Review ing The Web Dan Kaminsky Director of Penetration Testing IOActive Inc. Three Interesting Things Slirpie: Come to my website, be my VPN P0wf: Automagically discovering the toolkits behind the web

407 views • 19 slides
Information Decay + POMDP Incorporating Defenders Behaviour in Autonomous Penetration Testing

Information Decay + POMDP Incorporating Defenders Behaviour in Autonomous Penetration Testing

Information Decay + POMDP Incorporating Defenders Behaviour in Autonomous Penetration Testing Jonathon Schwartz 1 , Hanna Kurniawati 1 , and Edwin El-Mahassni 2 1 1 Research School of Computer Science, ANU 2 Defence Science and Technology

698 views • 16 slides
Chapters 5-6 Discussion and exercises Deliverable Answer the following questions in Google Doc

Chapters 5-6 Discussion and exercises Deliverable Answer the following questions in Google Doc

Chapters 5-6 Discussion and exercises Deliverable Answer the following questions in Google Doc and share it with me: proserpi@usc.edu Recall that: The doc should include name, last name, USC ID, section number The file name should be

378 views • 5 slides
Artistic Stylization and Rendering Aaron Hertzmann Adobe Research San Francisco class

Artistic Stylization and Rendering Aaron Hertzmann Adobe Research San Francisco class

Artistic Stylization and Rendering Aaron Hertzmann Adobe Research San Francisco class Nullspace implements Constants, Cloneable { /** The rows of the nullspace */ Vector rows = new Vector(); /** A list of the variables currently contained

988 views • 88 slides
Sidharth Kumar ViSUS : IDX Data Format ViSUS : Technology to Analyze and Visualize

Sidharth Kumar ViSUS : IDX Data Format ViSUS : Technology to Analyze and Visualize

Towards Parallel Access of Multi-dimensional, Multi-resolution Scientific Data Sidharth Kumar ViSUS : IDX Data Format ViSUS : Technology to Analyze and Visualize Multi-dimensional data IDX : Data type generated by ViSUS i/o API iPhone

516 views • 28 slides
MMA Independent and Data Driven www. mma-research.com MMA Independent and Data Driven

MMA Independent and Data Driven www. mma-research.com MMA Independent and Data Driven

SEC Office of Municipal Securities: 2020 Municipal Disclosure Conference Municipal Event Disclosure During COVID-19 Lisa Washburn lwashburn@mma-research.com MMA Independent and Data Driven www. mma-research.com MMA Independent and Data

677 views • 5 slides
A passion for precision Theodor W. Hnsch Max-Planck-Institute for Quantum Optics, Garching,

A passion for precision Theodor W. Hnsch Max-Planck-Institute for Quantum Optics, Garching,

Stockholm 2005 A passion for precision Theodor W. Hnsch Max-Planck-Institute for Quantum Optics, Garching, and Ludwig-Maximilians-University, Munich Stockholm, Dec. 8, 2005 University of Heidelberg, 1964 - 1970 Ali Javan Bill Bennett

1.04k views • 70 slides
Convolutional Neural Nets CS447 Natural Language Processing (J. Hockenmaier)

Convolutional Neural Nets CS447 Natural Language Processing (J. Hockenmaier)

Lecture 8: Convolutional Neural Nets Convolutional Neural Nets CS447 Natural Language Processing (J. Hockenmaier) https://courses.grainger.illinois.edu/cs447/ 1 Convolutional Neural Nets (ConvNets, CNNs) [4 parameters, applied 3

615 views • 24 slides
NMR Spectroscopy Dr. Joshua Osbourn Dept. of Chemistry, West Virginia University 1. Theory of

NMR Spectroscopy Dr. Joshua Osbourn Dept. of Chemistry, West Virginia University 1. Theory of

NMR Spectroscopy Dr. Joshua Osbourn Dept. of Chemistry, West Virginia University 1. Theory of NMR Spectroscopy 2. Spectrum Basics 3. Chemically Equivalent and Distinct Hydrogen 4. Chemical Shift 5. Integration (Peak Height) 6. Coupling

960 views • 40 slides
Texture CS 419 Slides by Ali Farhadi What is a Texture? Texture Spectrum Steven Li, James

Texture CS 419 Slides by Ali Farhadi What is a Texture? Texture Spectrum Steven Li, James

Texture CS 419 Slides by Ali Farhadi What is a Texture? Texture Spectrum Steven Li, James Hays, Chenyu Wu, Vivek Kwatra, and Yanxi Liu, CVPR 06 Texture scandals!! Two crucial algorithmic points Nearest neighbors again and again

1.1k views • 80 slides

More recommend