IOT SECURITY
ERIK TEWS <E.TEWS@UTWENTEL.NL>
30.04.2018 2
THE INTERNET OF THINGS
Systems Security – IoT Security
(cc) https://www.flickr.com/photos/wilgengebroed/8249565455/
A NEW WORLD
(cc) https://en.wikipedia.org/wiki/Laptop#/media/File:Lenovo_G500s_laptop-2905.jpg (cc) https://commons.wikimedia.org/wiki/File:CERN_Server.jpg
POWER! (OR POWERLESS)
Powerful Powerless
WHAT IS RUNNING THERE
Linux / custom OS Real Time OS / custom OS
COMMUNICATION
Wired Wireless
NON-IP COMMUNICATION
▪ Bluetooth (LE)
▪ ZigBee
▪ Z-Wave
▪ LoRa(WAN)
▪ Sigfox
▪ NFC
LPWAN
Haidine, Abdelfatteh & El Hassani, Sanae & Aqqal, Abdelhak & El Hannani, Asmaa. (2016). The Role of Communication Technologies in Building Future Smart Cities. 10.5772/64732.
EXAMPLE: SIGFOX
COMMUNICATION PARTNERS
▪ Mobile devices
▪ Cloud services
▪ Local infrastructure
SMART LIGHTS
ASSIGNMENT 1
▪ Listen to the network traffic of this device
▪ Find out what the command for on and off looks like
▪ Is there any protection in the network protocol?
WHERE DO WE FIND THAT?
VENDORS
Architecture Chip Reference board Software development framework Reference product OEM branded product
DEVELOPMENT LIFECYCLE
HOW STUFF BREAKS
WHAT TO WORRY ABOUT
▪ Lifecycle Security
  ▪ production, take ownership
  ▪ data flow and storage, device management
▪ Communication Security
  ▪ Application layer protocols, TLS, wireless security
▪ Device Security
  ▪ Embedded operating system, secure storage, anti tampering
▪ Cloud Security (not covered here)
WHAT MAKES IT HARD
▪ Very often, there is no one locally responsible for the device
▪ Limited resources on the devices (CPU, RAM, ROM, Power)
▪ Very fast development lifecycle
▪ Many security features known from "full" operating systems are missing
▪ Developers are from a different domain
WHAT MAKES IT EASY
▪ Full control over the device
▪ Often full control of the backend service
▪ Often no legacy support
▪ Sometimes, two security zones on a device are possible
A SMART PLUG
TWO SECURITY ZONES
Web Interface Alexa Integration Mobile App Main Functionality On/Off
BACK TO THE SMART PLUG
ASSIGNMENT 2
▪ Again, we provide an access point to monitor the network traffic
▪ This device uses encryption
▪ Find a way to see what's in the connection
▪ Submit the plaintext of what is transmitted between the cloud and the device when it connects
WHAT IS IN THERE
THE ESP8266 FAMILY
▪ Rather low power microchip
▪ Not running Linux (usually some kind of RTOS)
▪ 0,5 – 4 MB flash memory
▪ 64+96 KB RAM
▪ Integrated WiFi
▪ Excellent developer support (Lua, Python, C/C++)
▪ Development board including shipping for less than 3€!
▪ New version (ESP32) also supports Bluetooth LE
ASSIGNMENT 3 (BONUS)
▪ We provide you with an ESP8266 development board
▪ You write a more secure firmware for the plug
▪ Later on, you can add a relay shield to the board
▪ And finally, you might flash your own firmware on the real plug
WHY WE USE THE DEVELOPMENT BOARD
https://github.com/arendst/Sonoff-Tasmota/wiki/Hardware-Preparation
Your favorite language
A. Python B. Lua C. C
HARDWARE (TO PLAY AROUND WITH)
▪ Many wireless routers (OpenWRT/LEDE)
  ▪ Great for high end hardware
▪ ESP8266/32 based boards
  ▪ Medium range hardware
  ▪ Great for communication with WiFi and BLE
▪ Arduino family
  ▪ Suitable for ultra low power devices (but not all of them)
▪ Intel CPUs are not that widespread
HOW TO APPROACH AN IOT DEVICE
▪ From the network side
▪ From the firmware side
▪ From the corresponding cloud service side/mobile app
▪ From the PCB
THE NETWORK SIDE
▪ Wireshark
▪ Nmap
▪ Mitmproxy
▪ Other proxies such as the Burp Suite
WIRESHARK
▪ Great network sniffer
▪ Works best with you as a gateway or a mirroring device
▪ Can be extended with custom dissectors
NMAP
▪ Generic port scanner
▪ Fingerprinting
▪ Can also do service discovery
MITMPROXY
▪ Generic SSL/TLS proxy
▪ Works with plain HTTP too
▪ May log plain text of sessions
▪ Automatic rewriting of requests
BURP SUITE
▪ Generic web proxy
▪ Useful to prepare attacks
▪ Works best when the device has an HTTP server
FROM THE FIRMWARE SIDE
▪ First you need to get the firmware
  ▪ Either extract it from the device
  ▪ Or get it from the update service
▪ Then analyse it
  ▪ Either use a decompiler
  ▪ Or maybe even boot it on a similar development board
GETTING THE FIRMWARE FROM THE DEVICE
▪ External flash is great
  ▪ When it's connected via SPI, connect a second device with an SPI interface (ESP8266/Arduino)
▪ Sometimes there is a debugging port
  ▪ Use it to dump the memory of the device
GETTING THE FIRMWARE VIA THE NETWORK
▪ Your network results might indicate an auto update service
▪ Try to trigger a firmware update and capture the new firmware with your proxy
▪ Alternatively, you may edit the traffic (Burp/mitmproxy) to act like you are running an older firmware
▪ And you might still just google for it when you find some useful strings in the network traffic
▪ Alternatively the mobile app is a good source for URL patterns
ANALYZING THE FIRMWARE
▪ Unpacking might be hard -> http://www.firmware.re/
▪ Decompile it
  ▪ Unfortunately the best tool is expensive: IDA Pro
  ▪ Radare2 to the rescue: https://github.com/radare/radare2
▪ Run it
  ▪ Try a development board that is not so different
▪ Finally, "strings" is a powerful tool
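Added example (not from the original slides): a minimal strings-style pass over a firmware image in Python that extracts printable runs and flags update URLs, credential-like assignments and private-key markers a vendor would want to catch before shipping. The sample image, the pattern set and the function names are constructed for illustration.

```python
import re

# Constructed sample standing in for a firmware dump (not from a real device).
SAMPLE_FIRMWARE = (
    b"\x00\x10\xe9\x03user_init\x00\xff\xff"
    b"http://update.example.invalid/fw/v1.2.bin\x00\x01\x02"
    b"mqtt_pass=changeme123\x00\x9c\x7f"
    b"-----BEGIN RSA PRIVATE KEY-----\x00\x00"
    b"SDK ver: 2.0.0\x00ab\x00"
)

# Illustrative patterns; a real audit would extend this list.
PATTERNS = {
    "url": re.compile(r"https?://[^\s'<>]+"),
    "credential": re.compile(
        r"(?i)\b\w*(pass(word|wd)?|secret|token|psk)\w*\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def extract_strings(blob, min_len=4):
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield match.start(), match.group().decode("ascii")


def triage(blob, min_len=4):
    """Return (offset, label, text) for every string matching a pattern."""
    findings = []
    for offset, text in extract_strings(blob, min_len):
        for label, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((offset, label, text))
    return findings


if __name__ == "__main__":
    for offset, label, text in triage(SAMPLE_FIRMWARE):
        print(f"0x{offset:06x}  {label:<12} {text}")
```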
CLOUD AND MOBILE APP
▪ Have a look at the mobile app
  ▪ Android is in general not so hard to reverse engineer
  ▪ Might reveal a lot of strings and additional API endpoints
  ▪ Also there might be some hidden features in there
▪ Then look at the cloud service
  ▪ The Burp Suite might be a good friend
  ▪ And Python is often handy to implement an open source client
FINALLY THE PCB
▪ Try to find out what is on there
▪ Sniffing internal communication can be interesting
▪ Side channels can be used for reverse engineering
A GOOD START FOR THE SOFTWARE TOOLS
▪ Use Kali Linux
  ▪ https://www.kali.org/
HOW TO BUILD A SECURE IOT DEVICE
▪ Think about the lifecycle of the device
▪ Use a chip with major security features
▪ Trusted Boot or Secure Boot might be interesting for you
▪ Use standardized network protocols and security services
▪ Protect your data flow and storage, use cryptographic protection wherever possible
▪ Avoid giving too much power to a single device
▪ Have continuous security updates and use a multi-zone security architecture
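Added example (not from the original slides): one way to apply "use cryptographic protection" to a plug's on/off command, using an HMAC-SHA256 tag plus a message counter so that forged, modified and replayed packets are rejected. The packet layout, the pre-shared per-device key and the names build_command and Plug are assumptions; a product would normally get this property from a standardized protocol such as TLS.

```python
import hashlib
import hmac
import struct

BODY = struct.Struct(">IQB")  # assumed layout: device id, counter, on/off flag
TAG_LEN = hashlib.sha256().digest_size


def build_command(key, device_id, counter, on):
    """Controller side: pack the command and append an HMAC-SHA256 tag."""
    body = BODY.pack(device_id, counter, 1 if on else 0)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Plug:
    """Device side: check the tag first, then the fields, then the counter."""

    def __init__(self, key, device_id):
        self.key, self.device_id = key, device_id
        self.last_counter = 0  # real hardware must keep this across reboots
        self.on = False

    def handle(self, packet):
        if len(packet) != BODY.size + TAG_LEN:
            return "rejected: length"
        body, tag = packet[:BODY.size], packet[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: tag"
        device_id, counter, flag = BODY.unpack(body)
        if device_id != self.device_id or flag > 1:
            return "rejected: field"
        if counter <= self.last_counter:  # same or older message: replay
            return "rejected: replay"
        self.last_counter, self.on = counter, bool(flag)
        return "on" if self.on else "off"


def demo():
    key = bytes(range(32))  # constructed key for the demo only
    plug = Plug(key, device_id=7)
    turn_on = build_command(key, 7, 1, True)
    flipped = bytearray(build_command(key, 7, 2, True))
    flipped[12] ^= 1  # flip the on/off flag in transit
    return [
        plug.handle(turn_on),                                # accepted
        plug.handle(turn_on),                                # same packet again
        plug.handle(bytes(flipped)),                         # modified body
        plug.handle(build_command(b"x" * 32, 7, 3, False)),  # wrong key
        plug.handle(build_command(key, 7, 3, False)),        # accepted
    ]
```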
Any questions?
HAVING SECURED THE ENTIRE DEVICE IS NOT ENOUGH
https://www.youtube.com/watch?v=WjM2bdFb0fw