exploring the iot attack surface
play

Exploring the IoT attack surface Breaking || Liberating the brave - PowerPoint PPT Presentation

Nov 30, 2022 •167 likes •725 views

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc. Tonimir Kiasondi Sponsored by http://iot.foi.hr Why should i listen to you and not go out for coffee? Well, IoT is the next big hotness

  1. Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc. Tonimir Kišasondi

  2. Sponsored by http://iot.foi.hr

  3. Why should i listen to you and not go out for coffee? Well, IoT is the next big hotness… Everyone and their grandma is crowdfunding the next big smart thing, and it runs GNU/Linux or has a arduino in it! - It’s like the 90s of INFOSEC, but with gadgets and the startup mentality!

  4. IoT? What is that? The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data. … creating opportunities for more direct integration of the physical world into computer-based systems, and resulting in improved efficiency, accuracy and economic benefit...

  5. IoT…

  6. Trustwave SpiderLabs research: http://www.forbes.com/sites/kashmirhill/2013/08/15/heres- what-it-looks-like-when-a-smart-toilet-gets-hacked-video/

  7. Source: http://www.symantec.com/connect/blogs/how-my-tv-got-infected-ransomware-and-what-you-can-learn-it

  11. Architecture of IoT ecosystem (simplified) 802.11 / xBee Thing Network http / MQTT 802.11 / ethernet BLE / xBee Mobile / Cloud / Hub Server / Broker/

  12. OWASP IoT Top 10 I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption/Integrity Verification I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security

  13. Architecture of IoT ecosystem (simplified) 802.11 / xBee Thing Network http / MQTT 802.11 / ethernet BLE / xBee Mobile / Cloud / Hub Server / Broker/

  14. So? What’s the attack surface on the thing? 1. Obtaining system access with physical access a. UART, JTAG? 2. Obtaining firmware, filesystem or local data storage/images a. In-Situ, JTAG, eMMC, USB, WTF 3. Analyzing firmware images 4. Software and firmware vulnerabilities

  15. What i won’t cover: 1. Software analysis (Well, a little bit anyway...) 2. Radio / RF analysis 3. A lot of other stuff… We are looking for easy victories...

  16. Why am i doing this? It’s simple: because i can :) 1) How do you measure security of a thing? 2) Do we have a testing methodology for embedded/IoT? 3) Is the IoT top 10 relevant?

  17. OK, what do i need? BusPirate / Shikra - 30$ FTDI cable -> 15ish EZ-Hooks - 30$ … SDR (HackRF, Ubertooth, YS1, RfCat...) Jtagulator...

  18. Why should i bother hacking my (smart blub|toilet |fridge)? - Jailbreak or Security analysis 1) Factory set credentials like passwords 2) GPG signing keys and password in the firmware updates 3) Full access to binaries, source files for web applications - Usually written by EE devs.

  19. I have a cunning plan! -> Variant for noobs 1) Find UART with serial console 2) Connect to UART (screen + buspirate) 3) Root shell 4) ??? 5) Profit!

  20. How to find UART ports?

  30. setenv bootargs 'console=ttyS0,115200 init=/bin/sh' saveenv boot Plan B -> NAND Glitch

  31. No UART/Shell… Let’s try another approach... Plan A -> Fetch a image from the vendor’s page Plan B -> Intercept OTA update Plan C -> NVRAM dump (still under 30$-100$) Plan C+½ -> Unsolder Chip, read in an adapter - Aliexpress is fun, they have all kinds of stuff... Plan C -> JTAG (30-150$) Plan Arduino -> avrdude -p m328p -P usb -c usbtiny -U flash:r:flash.bin:r

  36. Useful software tools FlashRom - https://www.flashrom.org OpenOCD - http://openocd.org/ QEMU - http://wiki.qemu.org/Main_Page

  37. # flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M # flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r firmware-tikmap.bin

  38. OK, i got a image, what now? Binwalk - http://binwalk.org/ Sasquatch - https://github.com/devttys0/sasquatch Firmwalker - https://github.com/craigz28/firmwalker And:

  39. ~/Downloads > binwalk tik-map.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 4096 0x1000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 9460162 bytes, 1173 inodes, blocksize: 262144 bytes, created: 2016-05-02 10:47:08 9465991 0x907087 Executable script, shebang: "/bin/bash" 9466452 0x907254 Executable script, shebang: "/bin/bash" 9466533 0x9072A5 ELF, 32-bit MSB MIPS64 executable, MIPS, version 1 (SYSV) 9496929 0x90E961 Unix path: /sys/devices/system/cpu 9501329 0x90FA91 ELF, 32-bit MSB MIPS64 executable, MIPS, version 1 (SYSV) 9578451 0x9227D3 xz compressed data 9578479 0x9227EF xz compressed data 10651796 0xA28894 xz compressed data 10748985 0xA40439 Unix path: /var/pdb/system/crcbin

  42. $ ls -alh /etc/init.d total 52 drwxr-xr-x 2 root root 904 May 12 12:11 . drwxr-xr-x 17 root root 3.0K May 1 21:14 .. -rwxrwxrwx 1 root root 2.2K Jul 24 2015 1S41wifi -rwxrwxrwx 1 root root 2.0K Jul 24 2015 S10udev -rwxr-xr-x 1 root root 6.7K Oct 29 2015 S11init -rwxrwxrwx 1 root root 6.4K Mar 18 10:38 S11init.bak -rwxrwxrwx 1 root root 1.4K Jul 24 2015 S12syscfg -rwxrwxrwx 1 root root 1.3K Jul 24 2015 S20urandom -rwxrwxrwx 1 root root 2.0K Jul 24 2015 S30dbus -rwxrwxrwx 1 root root 340 Jul 24 2015 S40network -rwxrwxrwx 1 root root 405 Jul 24 2015 S50app -rwxrwxrwx 1 root root 1.6K Jul 24 2015 S90demo -rwxrwxrwx 1 root root 776 Jul 24 2015 rcS

  43. ? master ~/4tools/firmwalker > ./firmwalker.sh ~/2dev/5learn/XXX ***Search for password files*** ##################################### passwd 1/squashfs-root/etc/passwd 1/squashfs-root/usr/bin/passwd ##################################### shadow 1/squashfs-root/etc/shadow ##################################### *.psk ***Search for Unix-MD5 hashes*** /Users/tony/2dev/5learn/XXX/squashfs-root/etc/shadow:$1$mtjRWsdG$JOSdnKQhULmqnV ajxi7LQ0 ***Search for SSL related files*** ##################################### *.pem 1/squashfs-root/etc/zxv10.pem ***Search for configuration files*** ##################################### *.conf 1/squashfs-root/etc/ath/topology_ap.conf 1/squashfs-root/etc/ath/topology_sta.conf 1/squashfs-root/etc/ath/wpa-ap.conf 1/squashfs-root/etc/ath/wpa-sta.conf 1/squashfs-root/etc/inetd.conf ***Search for ip addresses*** ##################################### ip addresses 0.0.0.0 127.0.0.1

  44. LG Smart Refrigerator (LFX31995ST) ​ 1 - UART drops into root shell 2 - eMMC tapping https://www.exploitee.rs/index.php/LG_Smart_Refrigerator_(LFX31995ST)

  45. eMMC tapping https://www.exploitee.rs/index.php/LG_Smart_Refrigerator_(LFX31995ST)

  46. Other possibilities: Unsolder the chip and throw it in a USB MS reader

  47. Other possibilities: Internal USB drive Micro USB ports that are actually USB-OTG Internal USB networks (think Moto RAZR / DROID)

  48. Meh, hardware hacking, is there anything i can do from the script kiddie side? Remember OWASP IoT Top 10? The most common vuln is? Insecure web interface… ● Guess what’s the most common OWASP Top10 vuln? Command injection The idea is simple - use the idea behind fuzzing: ● Crawl the webif ● Use a web vuln scanner ● Leave it overnight ● Profit!

  49. You can find all kinds of interesting stuff… Like remote RCE for some devices http://<IP>/stainfo.cgi?ifname=ath0&sta_mac=00:1 1:22:33:44:55|<URLENCCMD>&mode=ap

  50. Meh, why should i care? - The smart device is just the implant you need in a network! - Ideal pivot point - Remember how hacking team got hacked? A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit. Since the vulnerabilities still haven’t been patched, I won’t give more details […] - Phineas Fisher

  51. When you start some lateral thinking… Pretty much when you have LAN access, you have better chances of 0wning that network. (More on that if that’s a windows domain) - Responder - Bettercap - Backdoor factory - BeeF framework Write once, deploy your malware everywhere. Also, code reuse...

  52. So? The IoT fad is coming, and from a security/privacy standpoint, we are not ready. Well, own some of the stuff you own! You will be amazed what runs GNU/Linux ;) Before buying, inform yourself if the vendor did some of the mortal security sins…

  53. So, what’s the moral of this and open source? If you develop FLOSS embedded things, take note: “open by default” is broken, build security into the stuff you develop. Embedded people should get more security knowledge. If some vendor wants to lock your device. There is always a way to free it. Just think… :)

  54. Questions? tonimir.kisasondi@foi.hr @kisasondi

  55. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice Director Global experts in cyber security &amp; risk mitigation Agenda Space attack surface overview Attacks against terrestrial assets

310 views • 30 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

2.55k views • 62 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

592 views • 48 slides
Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz j00ru Jurczyk PacSec, Tokyo 2016 PS&gt; whoami Project Zero @ Google Low-level security researcher with interest in all sorts of

1.62k views • 150 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware Analysis Device Rooting System Architecture Vulndev Environment Remote H.323 Exploit Post Exploitation Who am I? From Hamburg,

1.13k views • 80 slides
TSX-V: V:CA CAY Exploring for Near-Surface Gold in Nunavut 08-24-2017 Forward Looking

TSX-V: V:CA CAY Exploring for Near-Surface Gold in Nunavut 08-24-2017 Forward Looking

TSX-V: V:CA CAY Exploring for Near-Surface Gold in Nunavut 08-24-2017 Forward Looking Statement All statements in this presentation, other than statements of historical fact, are &quot;forward-looking information&quot; with respect to Cache

508 views • 18 slides
GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface NIIBE Yutaka &lt;gniibe@fsij.org&gt; FOSDEM 2018 This is a talk of my experience to have better control (by its user) of computing for privacy

610 views • 37 slides
NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast and compact Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal 29 June 2018 Bernstein, Chuengsatiansup,

1.18k views • 36 slides
Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25

Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25

Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25 36.117038, -115.174562 Ralf-Philipp Weinmann SnT, University of Luxembourg &lt;ralf-philipp.weinmann@uni.lu&gt; Security issues with SUPL

769 views • 38 slides
Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

LinuxCon.eu 2015 Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org Training and Consulting http://man7.org/training/ 6 October 2015 Dublin, Ireland Outline 1 Introductions 2 Introduction and

1.1k views • 55 slides
Using seccomp to limit the kernel attack surface c 2016 Michael Kerrisk man7.org Training

Using seccomp to limit the kernel attack surface c 2016 Michael Kerrisk man7.org Training

ContainerCon Europe 2016 Using seccomp to limit the kernel attack surface c 2016 Michael Kerrisk man7.org Training and Consulting http://man7.org/training/ @mkerrisk mtk@man7.org 5 October 2016 Berlin, Germany Outline 1 Introduction

671 views • 53 slides
Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

LPC 2015 Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org Training and Consulting http://man7.org/training/ 19 August 2015 Seattle, Washington, USA Outline 1 Introductions 2 Introduction and

815 views • 54 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Chapter 6: Noun Phrases and Agreement Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 6: Noun Phrases and Agreement Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 6: Noun Phrases and Agreement Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 6 1 / 65 Classification of Nouns 1 Syntactic Structures 2 Common Nouns Pronouns Proper Nouns 3 Agreement

783 views • 65 slides
Refactoring Your Code A Key Step to Agility Venkat Subramaniam (svenkat@cs.uh.edu)

Refactoring Your Code A Key Step to Agility Venkat Subramaniam (svenkat@cs.uh.edu)

Refactoring Your Code A Key Step to Agility Venkat Subramaniam (svenkat@cs.uh.edu) Refactoring your code - 1 Refactoring Your Code Why Refactor? Whats Refactoring Before Refactoring Lets Refactor Refactoring

512 views • 15 slides
Refactoring Good design vs. Over design Heres something from production code (changed to

Refactoring Good design vs. Over design Heres something from production code (changed to

Refactoring Good design vs. Over design Heres something from production code (changed to protect privacy!) REF- 2 Do you see the smell in that code? Not quite obvious at first sight May make sense if extensibility is needed But, there

298 views • 11 slides
Whats up? Reflect on todays VCE Seminar Think about what you want to achieve from

Whats up? Reflect on todays VCE Seminar Think about what you want to achieve from

Whats up? Reflect on todays VCE Seminar Think about what you want to achieve from today / Further / VCE / life in general Further Mathematics Past-student perspective Take a moment to say hi! Hayley Short Recent VCE

703 views • 41 slides
Topics Grounding the mind in life Self-directed neuroplasticity The power of

Topics Grounding the mind in life Self-directed neuroplasticity The power of

Buddhas Brain: Strengthening the Neural Foundations of Mindfulness and Compassion Compassionate Wellbeing Derby, United Kingdom June 6, 2014 Rick Hanson, Ph.D. The Wellspring Institute for Neuroscience and Contemplative Wisdom

637 views • 46 slides
Analysis of Derby Performance Staff Engineer Olav Sandst Senior Engineer Dyre Tjeldvoll Sun

Analysis of Derby Performance Staff Engineer Olav Sandst Senior Engineer Dyre Tjeldvoll Sun

Analysis of Derby Performance Staff Engineer Olav Sandst Senior Engineer Dyre Tjeldvoll Sun Microsystems Database Technology Group This is a draft version that is subject to change. The authors can be contacted at Olav.Sandstaa@sun.com or

362 views • 34 slides
The Diabetes Rollercoaster Dr Emma Wilmot Consultant Diabetologist, Derby Nick Rycroft Derby

The Diabetes Rollercoaster Dr Emma Wilmot Consultant Diabetologist, Derby Nick Rycroft Derby

The Diabetes Rollercoaster Dr Emma Wilmot Consultant Diabetologist, Derby Nick Rycroft Derby Type 1 diabetes group Supported by a restricted educational grant from Abbott Dr Emma Wilmot Chair, Diabetes Technology Network UK Consultant

241 views • 8 slides
Embedded Databases MicroBenchmark Team CodeBlooded Refinement of goals Try and understand

Embedded Databases MicroBenchmark Team CodeBlooded Refinement of goals Try and understand

Embedded Databases MicroBenchmark Team CodeBlooded Refinement of goals Try and understand the usefulness of a DB in terms of a particular application domain Goal : Build a DB calculator that works with the micro-benchmark Embedded

349 views • 33 slides

More recommend