25
IoT Security Risks and Challenges Ankit Giri
IoT Security Risks and Challenges
Ankit Giri
About Myself
Ankit Giri (@aankitgiri)
Security Consultant | Security CompassWeb, Mobile Application and IoT Security ResearcherBug Hunter (Hall of Fame: EFF, GM, HTC, Sony, Mobikwik, Pagerduty and some more )Blogger, Orator and an active contributor to OWASP and null CommunityThe Most Viewed Writer in Web application Security, Network Security and Penetration Testing on Quora.
What is IoT?
IoT is computing devices that send data, receive date or both on the internet.
The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.
Where do we see it in our daily life?
Source: Pubnub
Understanding what is IoT security
The hardware is to be blamed!
Relatively modern 64-bit x86 CPU cores in IoT devices, they will still be substantially more complex than the smallest ARM cores, and therefore will need more battery power.
Cheap and disposable wearables, appear to be the biggest concern, won’t be powered by such chips. We need more powerful processors, such as Intel Atoms or ARMv8 chips, in smart products, like smart refrigerators or washing machines with touchscreens, but they are impractical for disposable devices with no displays and with limited battery capacity.
The industry needs is more unstandardized devices and more fragmentation.
The web application side of it!
TrendNet cameras that exposed a full video feed to anyone who accessed it. In this case, there was enough of a “sign on” interface to make end users believe that only authorized people could access the feeds remotely. However, a hacker group called Console Cowboys quickly demonstrated that the authentication mechanism was just for show.
Challenges: IoT device web applications are that the apps are often on unusual ports (e.g., not 80 for HTTP or 443 for HTTPS), that the apps are sometimes disabled by default, and that different apps (e.g., for device administrators and users, or two different applications) may listen on different ports.
The web application side of it!
“Weak authentication,” might thinking of passwords that are easy to guess. Unfortunately, the bar is much lower with many smart devices.
Generally IoT devices are secured with passwords like “1234”, put their password in client-side Java code, send credentials without using HTTPS or other encrypted transports, or require no passwords at all.
Insecure Network in IoT devices!
In your modern corporate network, you may think Telnet and FTP are dead, but the IOT smart device world would disagree
August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded Telnet logins.
October 2014 research that demonstrated more than a million deployed routers were vulnerable to misconfigured NAT-PMP services.
Insecure Cloud and Mobile interface
Many IoT devices exchange information with an external cloud interface or ask end users to connect to a remote web server to work with their information or devices. In addition to obvious vulnerabilities such as a lack of HTTPS, the OWASP IoT Top Ten list asks you to look for authentication problems such as username harvesting (“user enumeration”) and no lockouts after a number of brute-force guessing attempts.
IoT devices may also act as wireless access points (WAPs).
Insecure Software/ Firmware
Real life examples of corrupt update files abound, especially when people use “jailbroken” phones to disable the validation built in to their devices. MITM attacks using insecure update sources, such as the HTTP-based update vulnerability that affected ASUS RT routers in October 2014.
To test whether or not a device is using insecure updates, you generally need to use a proxy or sniffer to watch the data stream for use of secure transport, for example, an online utility called “APK Downloader” lets you download and inspect Android installations and updates on any platform.
Physical security of IoT devices
Five things to determine if a device’s exposed ports can be used for malicious purposes. These are ease of storage media removal, encryption of stored data, physical protection of USB and similar ports, ease of disassembly and removal or disabling of unnecessary ports.
Scope of IoT security
How many IoT devices do you own and use right now? How many does your business use?
That’s where the “Internet of NoThings” joke comes from, most people don’t have any. The numbers keep going up, but the average consumer is not buying many, so where is that growth coming from? IoT devices are out there and the numbers are booming, driven by enterprise rather than the consumer market.
Verizon and ABI Research estimate that there were 1.2 billion different devices connected to the internet last year, but by 2020, they expect as many as 5.4 billion B2B IoT connections.
IoT specific security assessment
Understanding approach
IoT specific security assessment
How it is a combination of different type assessments:
Web interface Network services Secure Transport medium Cloud and Mobile interface Insecure Software/Firmware Physical security
HEATHEN: Internet-Of-Things- Pentesting-Framework
Heathen is a research project, which automatically help developers and manufacturers build more secure products in the Internet of Things space based on the Open Web Application Security Project (OWASP) by providing a set of features in every fundamental era.
-Insecure Web Interface -Insufficient Authentication/Authorization -Insecure Network Services -Lack of Transport Encryption -Privacy Concerns -Insecure Cloud Interface -Insecure Mobile Interface -Insufficient Security Configurability -Insecure Software/Firmware -Poor Physical Security
IoT Protocols
Rather than trying to fit all of the IoT Protocols on top of existing architecture models like OSI Model, the protocols are segregated into the following layers to provide some level of organization: Infrastructure (ex: 6LowPAN, IPv4/IPv6, RPL) Identification (ex: EPC, uCode, IPv6, URIs) Comms / Transport (ex: Wifi, Bluetooth, LPWAN) Discovery (ex: Physical Web, mDNS, DNS-SD) Data Protocols (ex: MQTT, CoAP, AMQP, Websocket, Node) Device Management (ex: TR-069, OMA-DM) Semantic (ex: JSON-LD, Web Thing Model) Multi-layer Frameworks (ex: Alljoyn, IoTivity, Weave, Homekit)
Hardsploit: a Framework to audit IoT devices security
Hardsploit is a tool with software and electronic aspects. This is a technical and modular plateform (using FPGA) to perform security tests on electronic communications interfaces of embedded devices. It’s a Framework !“All-in-one tool for Hardware pentest”The main Hardware security audit functions are” Sniffer, Scanner, Proxy, Interact, Dump memory
Hardsploit: a Framework to audit IoT devices security
Hardsploit: a Framework to audit IoT devices security
Hard Sploit is a complete tool box (Hardware + Software), a Framework which facilitates the audit of electronic systems Consultant, Auditor, Pentesters, product designer etc. and at the same time increases the level of security (and trust!) of new communicating products designed by industry.
Hardsploit: a Framework to audit IoT devices security
Hardsploit Modules will let Hardware pentester to intercept, replay and/or and send data via each type of electronic bus used by the Hardware Target. The Level of interaction that pen-testers will have depend on the electronic bus features…
Hardsploit ‘s modules enable us to analyse all sort of electronic bus (serial and parallel type)
JTAG, SPI, I2C‘s,Parallel address & data bus on chip
Hardsploit: a Framework to audit IoT devices security
It is an assisted visual wiring function to help, easier connect all wires to the Hardware target: GUI will display the pin organization (Pin OUT) of the targeted chip. GUI will guide you throughout the wiring process between Hardsploit Connector and the
target GUI will control a set of LED that will be turn ON and OFF to easy let you find the right
Hardsploit Pin Connector to connect to your target The software part of the project will help conducting an end-to-end security audit. It will be
compatible (integrated) with existing tools such as Metasploit. The integration with other API is expected to be introduced in future.
The framework is created with an ambition to provide a tool equivalent to those of the company Qualys or Nessus (Vulnerability Scanner) or the Metasploit framework but in the domain of embedded / electronic.
the way it has progressed in past few years
Available Resources:
https://iot-analytics.com/understanding-iot-security-part-1-iot-security-architecture/ http://resources.infosecinstitute.com/test-security-iot-smart-devices/ http://blog.attify.com/# http://internetofthingswiki.com/iot-security-issues-challenges-and-solutions/937/ https://hardsploit.io/the-project/ http://electronicdesign.com/iot/understanding-protocols-behind-internet-things http://www.postscapes.com/internet-of-things-protocols/
*Note: Refer to the links mentioned in the notes section of the slides.
Available Resources:
http://resources.infosecinstitute.com/getting-started-with-iot-security-mapping-the-attack-surface/
http://resources.infosecinstitute.com/test-security-iot-smart-devices/ https://www.blackhat.com/eu-16/training/offensive-internet-of-things-iot-exploitation.ht
ml http://www.pentesteracademy.com/course?id=27 http://nullcon.net/website/goa-2017/training/practical-iot-hacking.php https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project https://iotsecuritywiki.com/
*Note: Refer to the links mentioned in the notes section of the slides.
You can find me here:https://twitter.com/aankitgirihttps://www.linkedin.com/in/ankitgiri/[email protected]
Thank You!
