SLIDE 1
@libertyunix
An Introduction to IoT Penetration Testing
www.kmco.com
2
The Agenda
n IoT Attack Surface
l OWASP IoT Top 10 l -1 Ring in IoT
n Wireless Topics in IoT n IoT Pen Testing Tools & Examples n Q&A
An Introduction to IoT Penetration Testing @libertyunix - - PowerPoint PPT Presentation
An Introduction to IoT Penetration Testing @libertyunix - - PowerPoint PPT Presentation
An Introduction to IoT Penetration Testing @libertyunix www.kmco.com The Agenda n IoT Attack Surface l OWASP IoT Top 10 l -1 Ring in IoT n Wireless Topics in IoT n IoT Pen Testing Tools & Examples n Q&A 2 Getting Started in IoT
SLIDE 2
SLIDE 3
3
Getting Started in IoT Penetration Testing
SLIDE 4
www.kmco.com
4
OWASP IoT Top 10
SLIDE 5
5
OWASP IoT Top 10
- 1. Weak, Guessable, or Hardcoded Passwords
l Hard Code Everything
- 2. Insecure Network Services
l Ecosystem services are vulnerable?
- 3. Insecure Ecosystem Interfaces
l Account Lockout? l Credentials Exposed in Network Traffic
- 4. Lack of Secure Update Mechanism
l More info in the clear & OTA
SLIDE 6
6
OWASP IoT Top 10 Cont.
- 5. Insecure or Outdated Components
l Supply Chain Risk Management
- 6. Insufficient Privacy Protection
l GDPR for IoT?
- 7. Insecure Data Transfer & Storage
l More info in the clear
SLIDE 7
7
OWASP IoT Top 10 Cont.
- 8. Insufficient Security Configurability
l Lack of Password Security Options l Security Monitoring & Logging?
- 9. Insecure Software/Firmware
l Encryption Not Used to Fetch Updates l Update File not Encrypted l Update Not Verified before Upload
- 10. Poor Physical Security
l USB l SPI l JTAG
SLIDE 8
8
- 1 Protection Ring in IoT*
*Not an Official Term
SLIDE 9
9
Software Defined Radio & FCC ID
SLIDE 10
10
l Vertical distance between crests
Amplitude
SLIDE 11
11
Frequency, Cycles, and Hertz
l The frequency determines how often a signal is seen l 1 cycle per second = 1 Hertz
SLIDE 12
12
Modulation
SLIDE 13
13
Digital Modulation
Digital Modulation Amplitude Shift Keying(ASK) On Off Keying Doors, Bells, Lights, Keys Frequency Shift Keying(FSK) Gaussian FSK BLE , ZWave Phase Shift Keying(PSK) Offset Quadrature PSK(OQPSK) Zigbee
SLIDE 14
14
IoT Networks
SLIDE 15
– “the software” – Network, Security & Application layers IEEE 802.15.4 – “the hardware” – Physical & Media Access Control layers
IEEE 802.15.4 & ZigBee
PHY
868MHz / 915MHz / 2.4GHz
MAC Network
Star / Mesh / Cluster-Tree
Security
32- / 64- / 128-bit encryption
Application API
ZigBee Alliance IEEE 802.15.4 Customer
Silicon Stack App
Source: http://www.zigbee.org/resources/documents/IWAS_presentation_Mar04_Designing_with_802154_and_zigbee.ppt SLIDE 16
16
Z-WAVE
SLIDE 17
17
Z-WAVE Packet
SLIDE 18
18
RFID
RFID
LF - 125-134 kHz HF - 13.56 MHz UHF - 433 MHz & 856-960 MHz
SLIDE 19
19
Bluetooth Cross Compatibility
SLIDE 20
20
BLE Application
SLIDE 21
21
BLE - (Adaptive) Frequency Hopping
n When in a data connection, a frequency hopping algorithm is used
to cycle through the data channels
n Access Addresses to avoid collisions
SLIDE 22
22
BLE Stack
SLIDE 23
23
GATT Example
SLIDE 24
24
IoT Pen Testing Tools & Examples
SLIDE 25
25
IoT Penetration Testing
Wireless Cloud & Mobile Physical
SLIDE 26
26
IoT Testing Roadmap Example
IoT SME
- Technical
Discovery
ID Attack Surface
- OWASP
IoT Top
Technical Testing
- Intelligence
Gathering
- Exploitation
Vulnerability Ranking
- ??
Reporting
SLIDE 27
27
IoT Setup
Laptop – USE LINUX § Preferably a dual boot or dedicated machine OS/Software § Ubuntu LTS – Most common § Kali Linux – apt-get install kali-linux-all § Universal Radio Hacker § GNU Radio § Blue hydra § Bettercap § KillerBee § Binwalk § Firmadyne § APKtool
Hardware § HackRF § BladeRF § Yardstick One § Atmel RZ RAVEN § Ubertooth One § Proxmark3 Dev Kit § Arduino Nano § Every cable and adapter you can think of § PC Repair and Build Kit § Misc § A patient wife
SLIDE 28
28
Access Control Systems
SLIDE 29
29
CCTV System
n The real time streaming protocol “RTSP” uses port 554 to connect via
TCP
n Locating cameras:
l #nmap –p554 192.168.1.1/24
SLIDE 30
30
Access Panel Discovery
SLIDE 31
31
API Interaction
SLIDE 32
32
API Interaction
n There are three major fields analyzed :
l EncodedNum, Card Format, and the Access Levels
SLIDE 33
33
IoT On-Boarding
- 1. IoT Device Creates Wi-Fi Network
- 2. PC or Tablet joins open AP
- 3. IoT device is then registered to connect to the local Wi-Fi
SLIDE 34
34
Fun with GNU Radio
SLIDE 35
35
Zigbee “Smart” Home
SLIDE 36
36
Sniffing BLE
SLIDE 37
37
Sniffing BLE
SLIDE 38
38
Exploring Services with Bettercap
SLIDE 39
39
Extracting Sensitive Data
SLIDE 40
40
Exploiting BLE
SLIDE 41
41
Exploiting BLE
SLIDE 42
42
Binwalk
SLIDE 43
43
Firmadyne
n An automated and scalable system for
performing emulation and dynamic analysis of Linux-based embedded firmware
n It includes the following components:
l Modified kernels (MIPS,ARM)
instrumentation of firmware execution
l Ability to emulate a hardware NVRAM
peripheral
l An extractor to extract a filesystem and
kernel
l A small console application to spawn an
additional shell for debugging
SLIDE 44
44
Firmadyne
SLIDE 45
www.kmco.com
45
Hard Coded Passwords
SLIDE 46
46
APKTool
SLIDE 47
www.kmco.com
47
Locating Keys
SLIDE 48
48
Automotive Security
SLIDE 49
49
Bypassing Rolling Codes
SLIDE 50
www.kmco.com
50
Bypassing Rolling Codes
SLIDE 51
51
Vapor Trail –Data Exfiltration Tool of Tomorrow
SLIDE 52
www.kmco.com
52