Internet of Things (IoT) – OWASP Top 10 IoT Vulns and Exploits of Smart Devices (PowerPoint PPT Presentation)

SLIDE 1

Internet of Things (IoT)

OWASP Top 10 IoT Vulns and Exploits of Smart Devices

ITAC 2015 – 29 Sept 2015. Presented by: Francis Brown & Steve Christiaens, Bishop Fox, LLC, www.bishopfox.com

SLIDE 2

Agenda

OVERVIEW

  • Introduction/Background
      • IoT News and Current Landscape
      • Corp concerns, Personal / Privacy Issues
      • Examples: Cars, Fridges, TVs, Wearables, …
  • Targeting IoT – via Internet
      • Google/Bing/SHODAN/Maltego Hacking
      • Internet Census 2012, Scans.io, Zmap, MassScan, other mass scanning projects
  • Targeting IoT – over the Air
      • Wi-Fi, Bluetooth, ZigBee, Z-Wave, RFID, NFC, etc.
      • Hacking devices: Wi-Fi Pineapples, Kali Tablets, RaspPis, Custom Gear
  • Targeting IoT – up close, Physically
      • USB Rubber Duckies, Teensy Arduino Devices, BadUSB type attacks
  • Defenses

SLIDE 3

RickMote – Hacking TVs

DEMO – CHROMECAST – STREAMING DEVICE HACKING

SLIDE 4

Introduction/Background

GETTING UP TO SPEED

SLIDE 5

OWASP – IoT Top 10

TOP 10 LIST – Internet of Things

SLIDE 6

IoT – Special Focus

BEWARE EYES AND EARS … and robot hands

  1. Cameras / WebCams
  2. Microphones
  3. Robots … terminators…

SLIDE 7

Twitter Feed WebCams

CREEPY WEBCAMS VIEWERS

#CAUGHTONNESTCAM

SLIDE 8

Baby WebCams

WORST NIGHTMARES – Feb 2015

SLIDE 9

Smart TVs

LISTENING CLOSELY – Feb 2015

SLIDE 10

ILLUSTRATIVE FOOTAGE

Video – DEMO

SLIDE 11

Plane Hacking

Passenger 31337 – Apr 2015

SLIDE 12

Smart Watches

INSECURITY ON THE GO – July 2015

“A study conducted by HP’s Fortify on security features implemented by smartwatches revealed that not even a single device was found to be 100 percent safe.”

SLIDE 13

Vehicle Attacks

GONE IN 60 SECONDS … – July 2015

SLIDE 14

ILLUSTRATIVE FOOTAGE

Video – DEMO

SLIDE 15

Vehicle Attacks

… OR LESS – July 2015

SLIDE 16

Fridge Hacking

IN THE HOME – Aug 2015

SLIDE 17

Microsoft IoT Big Push

IOT IN THE MAINSTREAM – Aug 2015

SLIDE 18

Baby Monitors

BORN IN THE U.S.A. – Sept 2015

SLIDE 19

ILLUSTRATIVE FOOTAGE

Video – DEMO

SLIDE 20

FBI Warning – PSA

IOT IS DANGEROUS – Sept 2015

SLIDE 21

IoT Legal Climate

SAME OLD DEBATES – Sept 2015

SLIDE 22

Targeting IoT Systems

OVER THE INTERNET – SEARCH ENGINES

SLIDE 23

Diggity Tools

SEARCH ENGINE HACKING

SLIDE 24

IoT and Google

GOOGLE HACKING

SLIDE 25

Google Diggity

DIGGITY CORE TOOLS

SLIDE 26

IoT and Bing

BING HACKING

SLIDE 27

Bing Diggity

DIGGITY CORE TOOLS

SLIDE 28

SHODAN Diggity

NEW GOOGLE HACKING TOOLS

SLIDE 29

SHODAN

IOT / HACKER SEARCH ENGINE

  • Indexed service banners for the whole Internet for HTTP (port 80), as well as some FTP (21), SSH (22) and Telnet (23) services – https://www.shodan.io/

SLIDE 30

IoT and SHODAN

SHODAN HACKING

SLIDE 31

IoT and SHODAN

SHODAN HACKING

SLIDE 32

IoT and SHODAN

SHODAN HACKING

SLIDE 33

Mr. Robot

HVAC COMPROMISE

SLIDE 34

ILLUSTRATIVE FOOTAGE

Video – DEMO

SLIDE 35

SHODAN Diggity

FINDING SCADA SYSTEMS

SLIDE 36

SHODAN Alerts

SHODAN RSS FEEDS

SLIDE 37

Scanning the Whole Internet

INTERNET MASS SCANNING

SLIDE 38

Internet Census 2012

NMAP OF ENTIRE INTERNET

  • ~420k botnet used to perform NMAP against the entire IPv4 address space!
  • ICMP sweeps, SYN scans, Reverse DNS, and Service probes of 662 ports
  • Free torrent of 568GB of NMAP results (9TB decompressed NMAP results)

SLIDE 39

Internet Census 2012

EXAMPLE – SNMP RESULTS

SLIDE 40

Internet Census 2012

EXAMPLE – SNMP RESULTS

SLIDE 41

HD’s Serial Offenders

DATA MINING CENSUS

SLIDE 42

Scans.io – Huge Repo

REGULAR SCANS OF INTERNET

SLIDE 43

Masscan

SCAN THE INTERNET

SLIDE 44

Wireless Hacking Tools

IOT HACKING OVER THE AIR

SLIDE 45

RickMote – Hacking TVs

CHROMECAST – STREAMING DEVICE HACKING

SLIDE 46

Wi-Spy – Spectrum Analyzer

WIRELESS ANALYSIS

Wi-Spy DBx Pro – USB Spectrum Analyzer with Chanalyzer Pro Software

SLIDE 47

NirSoft Wireless Tools

WINDOWS HACKING TOOLS

  • NirSoft – WirelessNetView
  • NirSoft – WifiInfoView
  • NirSoft – Wireless Network Watcher
  • NirSoft – WifiChannelMonitor

SLIDE 48

inSSIDer Wi-Fi Scanner

WINDOWS HACKING TOOLS

SLIDE 49

inSSIDer Wi-Fi Scanner

ANDROID HACKING TOOLS

SLIDE 50

Aircrack-ng Suite

LINUX HACKING TOOLS

SLIDE 51

inSSIDer for Mac

MAC OS X HACKING TOOLS

SLIDE 52

NetSpot for Mac

MAC OS X HACKING TOOLS

SLIDE 53

Kali VM + USB Adapter

EASY WIRELESS ATTACK PLATFORM

  • Kali Linux VM + TP-LINK TL-WN722N (USB) + Yagi

SLIDE 54

Pwn Pad 2014

NEXUS 7 PENTEST DEVICE

SLIDE 55

Pwn Pad 2014

NEXUS 7 PENTEST DEVICE

SLIDE 56

Kali NetHunter

NEXUS 7 PENTEST DEVICE

Nexus 7 (2013 – Wi-Fi) – Android Tablet – Non-PwnPad2014

SLIDE 57

Bluetooth Low Energy

https://hakshop.myshopify.com/products/ubertooth-one

SLIDE 58

Bluetooth – Other

  • Bluetooth Modules:
      • SparkFun BLE Mate 2
      • Bluetooth Mate Gold – Sparkfun
      • Bluetooth Module Breakout – Roving Networks (RN-41)
      • Bluetooth Modem – BlueSMiRF Silver (RN-42)
      • Bluetooth Bee for Arduino – Seeedstudio
      • Bluetooth Bee Standalone with built-in Arduino
      • KEDSUM Arduino Wireless Bluetooth Transceiver Module
      • Bluetooth 4.0 USB Module (v2.1 Back-Compatible)
      • SENA UD100 industrial Bluetooth USB adapter
  • PwnPad 2014 – supports packet injection (up to 1000 ft)

SLIDE 59

Bluetooth – Pwn Pad

SLIDE 60

Bluetooth – NirSoft

  • NirSoft – BluetoothCL v1.00 – dumps all currently detected Bluetooth devices
  • NirSoft – BluetoothLogView – creates a log of Bluetooth device activity around you
  • NirSoft – BluetoothView – monitors the Bluetooth activity around you

SLIDE 61

ILLUSTRATIVE FOOTAGE

Video – DEMO

SLIDE 62

Wi-Fi Pineapple

WIRELESS PENETRATION TESTING ROUTER

SLIDE 63

Wi-Fi Pineapple

WHAT CAN IT DO?

SLIDE 64

Wi-Fi Pineapple

WHAT CAN IT DO?

SLIDE 65

Karma on Pineapple

ROGUE ACCESS POINT

SLIDE 66

ILLUSTRATIVE FOOTAGE

Video – DEMO

SLIDE 67

Karma on Pineapple

ROGUE ACCESS POINT

SLIDE 68

Auto-Association to Wi-Fi

MOBILE PHONE ATTACKS

SLIDE 69

Dumping Wi-Fi Keys

CLIENT EXPLOITING

SLIDE 70

Raspberry Pi

FRUITY WI-FI

  • Fruity Wi-Fi – Raspberry Pi version of the “Wi-Fi Pineapple” – cheap alternative (~$35)

SLIDE 71

Arduino

CUSTOM TOOLS

SLIDE 72

Arduino: Add-ons

WIRELESS MODULES

  • Arduino NFC Shield
  • Arduino BlueTooth Modules
  • Arduino WiFly Shield (802.11b/g)
  • Arduino GSM/GPRS shields (SMS messaging)
  • WIZnet Embedded Web Server Module
  • Xbee 2.4GHz Module (802.15.4 Zigbee)
  • Parallax GPS Module PMB-648 SiRF
  • Arduino Ethernet Shield
  • Redpark – Serial-to-iPad/iPhone Cable

SLIDE 73

IoT – Physical Testing

UP CLOSE AND PERSONAL

SLIDE 74

USB Rubber Ducky Deluxe

GAINING ACCESS

SLIDE 75

Brinks Smart Safes

PHYSICAL HACKING

The Brinks CompuSafe Galileo. Access to the USB port and 60 sec. is all that is needed by a prepared attacker. Adding “smarts” turned this safe into an “unsafe.”

SLIDE 76

ILLUSTRATIVE FOOTAGE

Video – DEMO

SLIDE 77

Pwn Plug

MAINTAINING ACCESS

SLIDE 78

Pwn Plug

MAINTAINING ACCESS

  • Pwn Plug Elite: $995.00
  • Power Pwn: $1,995.00

SLIDE 79

Raspberry Pi

MAINTAINING ACCESS

  • Raspberry Pi – cheap alternative (~$35) to Pwn Plug/Power Pwn
  • Pwnie Express – Raspberry Pwn
  • Rogue Pi – RPi Pentesting Dropbox
  • Pwn Pi v3.0

SLIDE 80

Defenses

PROTECT YO NECK

SLIDE 81

Defenses

PROTECTION: INTERNET

  • Use a VPN or disconnect critical devices
  • Use only encrypted management services (SSL/SSH)
  • Employ strong encryption and authentication methods
  • Use strong passwords and non-default usernames
  • Use a password manager
  • Secure wireless clients (laptops, phones, wearables, ...)
  • Place untrusted devices on a separate network
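As an added worked example (not from the Bishop Fox deck), the first items of this slide expressed as an inventory check: each device record is tested for cleartext management protocols, vendor-default usernames, short passwords and placement outside the IoT segment. The device records, the default-username set, the 14-character password minimum and the 10.99.0.0/24 segment are constructed assumptions for the example.

```python
"""Policy-as-code check for the 'Protection: Internet' slide.

Added example; not code from the presentation. It audits a constructed
inventory of IoT devices against the slide's rules:
  - management only over encrypted services (SSH/HTTPS, not Telnet/HTTP/FTP)
  - non-default usernames and strong passwords
  - untrusted devices kept on a separate (segmented) network
"""
from dataclasses import dataclass
import ipaddress

# Assumed lists for the example: vendor default accounts and protocol classes.
DEFAULT_USERNAMES = {"admin", "root", "user", "guest", "support"}
CLEARTEXT_MGMT = {"telnet", "http", "ftp"}
MIN_PASSWORD_LEN = 14  # assumed policy value

# Assumed: the segment where untrusted devices are supposed to live.
IOT_SEGMENT = ipaddress.ip_network("10.99.0.0/24")


@dataclass
class Device:
    name: str
    ip: str
    mgmt_services: set      # protocols the management interface listens on
    username: str           # management account name
    password_len: int       # length of the management password
    trusted: bool = False   # True only for devices allowed on the main LAN


def audit(device):
    """Return a list of findings for one device (empty list means compliant)."""
    findings = []
    cleartext = device.mgmt_services & CLEARTEXT_MGMT
    if cleartext:
        findings.append(f"cleartext management: {sorted(cleartext)}")
    if device.username.lower() in DEFAULT_USERNAMES:
        findings.append(f"default username '{device.username}'")
    if device.password_len < MIN_PASSWORD_LEN:
        findings.append(f"weak password length {device.password_len}")
    if not device.trusted and ipaddress.ip_address(device.ip) not in IOT_SEGMENT:
        findings.append(f"untrusted device outside IoT segment {IOT_SEGMENT}")
    return findings


def audit_inventory(devices):
    """Map device name -> findings for a whole inventory."""
    return {d.name: audit(d) for d in devices}


# Constructed inventory: one compliant camera, one badly configured smart TV,
# one thermostat whose only defect is a short password.
INVENTORY = [
    Device("cam-lobby", "10.99.0.12", {"https"}, "ops-cam", 20),
    Device("tv-boardroom", "192.168.1.40", {"http", "telnet"}, "admin", 8),
    Device("thermostat", "10.99.0.33", {"ssh"}, "hvac-svc", 12),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{'OK' if not findings else 'FAIL':4} {name}")
        for finding in findings:
            print("     -", finding)
```

The check runs against a static inventory rather than by probing devices, so it can be wired into a configuration-management pipeline and fail a build when a device record drifts away from the slide's rules.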
SLIDE 82

Defenses

PROTECTION: WIRELESS

  • Conduct regular wireless assessments
  • Employ strong encryption and authentication methods
  • Employ wireless IDS/IPS
  • Secure wireless clients (laptops, phones, …)

SLIDE 83

Defenses

PROTECTION: WIRELESS

Use “wireless checks” of network vulnerability scanners

SLIDE 84

Defenses

PROTECTION: WIRELESS

Physically track down rogue access points and malicious devices
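The three wireless Defenses slides (wireless IDS/IPS, wireless checks, tracking down rogue access points) as an added example that is not part of the Bishop Fox deck: a constructed wireless survey, of the kind a WIDS sensor or the NirSoft/inSSIDer scanners listed earlier report, is compared with an authorized-BSSID inventory so that an unknown radio advertising the corporate SSID (the Karma-style rogue AP from the Pineapple slides) or any strong unknown signal is flagged for someone to go and find with a directional antenna. The inventory, SSIDs, BSSIDs and the -65 dBm on-site threshold are assumed values.

```python
"""Rogue access-point triage for the 'Protection: Wireless' slides.

Added example; not code from the presentation. Compares an observed
wireless survey with an allowlist of the organisation's own radios.
"""
from collections import namedtuple

# One row of a wireless survey as a scanner or WIDS sensor would report it.
AP = namedtuple("AP", "ssid bssid channel rssi_dbm security")

# Assumed inventory: SSID -> set of BSSIDs (radio MACs) we actually own.
AUTHORIZED = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "corp-guest": {"aa:bb:cc:00:00:03"},
}
# Assumed: signals at or above this level are taken to be inside the building.
ONSITE_RSSI = -65


def classify(ap, authorized=AUTHORIZED, onsite_rssi=ONSITE_RSSI):
    """Label one observed AP: authorized, evil-twin, rogue-onsite or neighbour."""
    bssid = ap.bssid.lower()
    if ap.ssid in authorized:
        if bssid in authorized[ap.ssid]:
            return "authorized"
        # Our SSID broadcast by a radio we do not own: the rogue-AP case
        # from the Karma slides, regardless of signal strength.
        return "evil-twin"
    if ap.rssi_dbm >= onsite_rssi:
        # Unknown network, strong enough to be on the premises: go find it.
        return "rogue-onsite"
    return "neighbour"


def triage(survey, **kw):
    """Group the APs that need a human response, dropping benign ones."""
    report = {}
    for ap in survey:
        label = classify(ap, **kw)
        if label in ("authorized", "neighbour"):
            continue
        report.setdefault(label, []).append(ap)
    return report


# Constructed survey: our own AP, a look-alike of it, a strong unknown
# open network, and a weak signal from next door.
SURVEY = [
    AP("corp-wifi", "aa:bb:cc:00:00:01", 6, -48, "WPA2-Enterprise"),
    AP("corp-wifi", "de:ad:be:ef:00:01", 6, -52, "Open"),
    AP("Free Public WiFi", "de:ad:be:ef:00:02", 11, -55, "Open"),
    AP("NETGEAR-5G", "11:22:33:44:55:66", 36, -84, "WPA2-PSK"),
]

if __name__ == "__main__":
    for label, aps in triage(SURVEY).items():
        for ap in aps:
            print(f"{label:12} {ap.bssid} ch{ap.channel:<3} {ap.rssi_dbm} dBm  "
                  f"{ap.ssid!r} ({ap.security})")
```

Matching on BSSID rather than SSID is the point: an SSID is free for anyone to broadcast, so only the inventory of owned radios tells a legitimate access point from a look-alike, and the RSSI threshold keeps the neighbours' networks out of the list that gets walked down with an antenna.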

SLIDE 85

Thank You

Bishop Fox

www.bishopfox.com

SLIDE 86

Attributions (Images)

Bishop Fox

www.bishopfox.com

  • Wi-Spy image
  • Adapter image
  • ASUS USB image
  • Wi-Fi Antenna image
  • Blue-Tooth USB adapter image
  • Nexus 7 2013 image
  • Kali Linux NetHunter image
  • SparkFun Bluetooth image
  • SparkFun BLE Mate 2 image
  • Bluetooth Bee image
  • Roving Networks image
  • BlueSMiRF image
  • Arduino BlueTooth image
  • Raspberry Pi BlueTooth image
  • O’Reilly BlueTooth Book image
  • SENA Adapter image
  • Wi-Fi Pineapple image
  • Wi-Fi Pineapple infographic
  • Raspberry Pi image
  • Redpark Serial Cable image
  • NFC Shield image
  • BlueTooth Mate image
  • BlueTooth Module Breakout image
  • BlueTooth Bee image
  • WiFly Shield image
  • Xbee image
  • Wiznet image
  • tkemot/Shutterstock
  • USB Rubber Ducky Diagram image
  • USB Rubber Ducky Diagram II image
  • Smart Safe Hacking illustration
  • Smart Safe image
  • PWN Plug Diagram image
  • PWN Plug Book image
  • First Release of PWN Plug image
  • Power PWN image
  • Power Strip image
  • Raspberry Pi SSH Tunnel image
  • Wi-Spy DBx Pro image
  • Device Finder Directional Antenna image

For Further Information: Smart Safe Hacking – BF Blog