Mobile, IoT, Clouds… It’s time to hire a Risk Manager!
YURY CHEMERKIN – MULTI-SKILLED SECURITY EXPERT – CJSC ADVANCED MONITORING
APPLE WATCH – JAILBREAKS
Jailbreaks for USB
• Apple Watch series 1-4 & watchOS 5 – no jailbreak
• watchOS 4.0 - 4.1
• v0rte...
APPLE WATCH – BACKUP
• /mobile/Library/DeviceRegistry.state/properties.bin
• Binary Plist File – Contains Paired Apple Wa...
APPLE WATCH – BACKUP
• Plist containing installed apps on Apple Watch (2 places)
• /mobile/Library/DeviceRegistry/<GUID>/Na...
APPLE WATCH – BACKUP
• Email - /mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite
• Voicemails - /mobile/Librar...
APPLE WATCH – BACKUP - PASSBOOK
/mobile/Library/DeviceRegistry/<GUID>/NanoPasses/nanopasses.sqlite3
Pass table
Unique_ID...
APPLE WATCH – BACKUP – APPLE HEALTH
• Encrypted (.hfd) in password-protected / encrypted backups only
• No data out of non-e...
APPLE WATCH – ACCESS ATTACK LOGIC (diagram slide)
APPLE WATCH – SUMMARY
Apple Watch communicates via Bluetooth, or via Wi-Fi if BT is not available
Online communication (over Wi-F...
WEARABLE TECH – SMARTWATCHES – ANDROID WATCH
Forensics: Physical, Logical, Network Acquisition
Screen Lock Bypassing Techniq...
ANDROID WATCH – FORENSICS OF WEARABLE TECH
• Physical Acquisition
• Logical Acquisition
• Network Acquisition (omitted here)
ANDROID WATCH – IMAGING A SMARTWATCH DEVICE
• The ADB tool should be used to image and explore the Android smartwatch.
• The...
ANDROID WATCH – BREACHING A LOCK SCREEN
• Google account credentials are known → remote unlock of connected watches via Googl...
ANDROID WATCHES – ROOT
Root:
• 5.1.1 - SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
• 6.0.1 - SuperSU-6.0.1.zip ...
ANDROID WATCH – WEAR OS
• Tizen OS - Samsung
• Android Wear OS
• Asus Zenwatch, Huawei Watch, LG Watch and many others
• Many...
ANDROID WATCHES – SAMSUNG GEAR – ALL OF THEM (TIZEN)
Tizen OS, Bluetooth, USB, No Wi-Fi, Optional Password Protection
#1 Gai...
ANDROID WATCHES – SAMSUNG GEAR – ALL OF THEM
#2 Get Data as an image:
• Requires root (see step #1)
• Use anything to image ...
ANDROID WATCHES – SAMSUNG GEAR – ALL OF THEM
#3 Results:
• Messages - apps.com.samsung.message.data.dbspace/msg-consumer-se...
ANDROID WATCHES – LG WATCH – ALL OF THEM
Android Wear, USB, Bluetooth, No Wi-Fi
#1 Gain Root: Turn on ADB, use LG G Watch R...
ANDROID WATCHES – LG WATCH – ALL OF THEM
#2 Get Data as an image:
• Requires root (see step #1)
• Use anything to image the ...
ANDROID WATCHES – LG WATCH – ALL OF THEM
Results:
• Events/Notifications - data.com.android.providers.calendar.databases/cal...
ANDROID WATCHES – ANDROID WEAR
Mobile device paired with all watches in this app
/com.samsung.android.app.watchmanager/aut...
ANDROID SMARTWATCHES – ACCESS ATTACK LOGIC (diagram slide)
ANDROID WATCH – SUMMARY
• Forensics
• No forensics tools, such as Elcomsoft or Cellebrite, are available for these devices
• Fore...
HUAWEI WEAR & HONOR BAND 3-9C7
• Photos of the band and the app (links to the stores)
• Pictures for the lists in round shapes, ins...
FITNESS TRACKERS – HUAWEI WEAR. HONOR BAND 3-9C7
Device Mac Address & Crash log: DevInfo, debug info - /Documents/hms/oclog/...
CRASH LOG: DEVINFO, DEBUG INFO - /DOCUMENTS/HMS/OCLOG/CRASH
CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: ind...
HUAWEI WEAR – LAST VALUES
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{"sleepTotalData":{"shallowSleepTime":0,"totalSleepTime":...
HUAWEI WEAR: FIRMWARE
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmware...
HUAWEI WEAR: GEO, SPEED
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{"speed":0.63999998569488525,"timestamp":"2018-06-09T05:12...
HUAWEI WEAR: USER INFO
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{"headImgLocal":"/var/mobile/Containers/Data/Application/9B...
HUAWEI WEAR: ACCOUNT
/DOCUMENTS/<*.ARCHIVER> FILES
Account
• Account details stored in a protected way
Device Mac Address
<string...
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User goals
Device details
User measures
• m_7_DataSourceTable_te...
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures
• m_14_HeartRateByDay_temp_user
• m_14_SportDataBy...
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures
• m_133_SingleMovementStatistic_temp_user
• m_133_...
HUAWEI HONOR – SUMMARY
Local data
• Credentials are protected
• Personal and medical info – plaintext / as it is
Communication
...
XIAOMI MI BAND 2 & MI FIT
Online communication
• AWS storage in Ireland (EU) mainly, secondary US
• TLS 1.2, No SSL Pinni...
FITNESS APPS – ROAD BIKE, MOUNTAIN BIKE, …
GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downwa...
FITNESS APPS – DOCUMENTS/DATABASE.SQLITE3
Where to search data:
• GPS & location
• HeartRate (requires special devices)
• Ses...
FITNESS APPS – LOCATION, MAPS AND USER INFO
• Location and geo snapshots - Documents/MapOpenCycleMap.sqlite
• User info - Doc...
FITNESS TRACKERS – SUMMARY AMONG TRACKERS & APPS
Local data
• Credentials are usually protected
• Personal and medical info –...
APPLE HEALTH (DEVICE PICTURES GO HERE)
HEALTHCARE – APPLE HEALTH
Valuable data is encrypted and no public cracks are known
Small amount of data not encrypted in backup...
APPLE HEALTH – WHERE TO FIND DATA?
HealthDomain/MedicalID/MedicalIDData.archive
HealthDomain/Health/healthdb.sqlite
HealthDomain...
APPLE HEALTH – DATA IN DETAIL
Name, User Pic, height (in cm), and mass (in kg)
Geo Tracking (Mainland/City), iOS version
De...
APPLE HEALTH – HEALTHDOMAIN/MEDICALID/MEDICALIDDATA.ARCHIVE
• Name • Height • Weight • Medical implants
APPLE HEALTH – HEALTHDOMAIN/HEALTH/HEALTHDB.SQLITE
• Bundle_id, app_name
• Device name, device model, vendor, hardware and sof...
APPLE HEALTH – HEALTHDOMAIN/HEALTH/HEALTHDB_SECURE.SQLITE
APPLE HEALTH – RAW EXPORT
Recorded by any Apple device & accessed through the Health App.
Detailed activity log with ti...
APPLE HEALTH - RAW EXPORT – PERSONAL, FITNESS, MEDICAL INFO
Date of birth, sex, blood group, skin type, height (in cm), and ...
APPLE HEALTH - RAW EXPORT – IN EXAMPLES & DETAILS (two screenshot slides)
HEALTHCARE – SUMMARY
Apple Health App is well protected
Basic info - Date of birth, sex, blood group, skin type, height (in...
PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
Fat indexes
• Vertical fat index, body fat
• Body weight, bone mass, muscl...
PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
BT Logs: Peripheral Info of nearby devices, and MAC of itself (picooc scal...
PICOOC BT LOGS – PICOOC/DOCUMENTS/BLUETOOTHLOG.TEXT
• DISCOVER INDIRECTLY WHAT DEVICES YOUR NEIGHBORS HAVE
• 扫描到设备 – me...
PICOOC BT LOGS – PICOOC/DOCUMENTS/BLUETOOTHLOG.TEXT
04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series...
BODY VALUES – PICOOC/DOCUMENTS/PICOOC.SQLITE
CREATE TABLE `body_indexs` (`id`, `weight`, `body_fat`, `visceral_fat_level`, `muscl...
PICOOC – DEVICE AND PREFERENCES
Dev Info - picooc/Documents/picooc.sqlite
Preferences - picooc/Library/Preferences/com.picooc.in...
USER BASIC INFO – MAIN USER – PICOOC/DOCUMENTS/PLISTFILEUSERINFO.PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist ...
USER EXTENDED INFO – LAST ADDED USER ONLY – PICOOC/LIBRARY/SENSORSANALYTICS-SUPER_PROPERTIES.PLIST
• current_age_characterist...
PICOOC SENSOR VALUES – PICOOC/LIBRARY/SENSORSANALYTICS-MESSAGE-V2.PLIST.DB
• {"time":1537632555035,"_track_id":2682421375,"ev...
PICOOC – MITM - NOT SSL-PINNED
• Profile URL (publicly accessible)
https://cdn2.picooc.com/head/201810/03/20181003_181034000_5...
PICOOC – MITM - NOT SSL-PINNED
https://api2.picooc-int.com
GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640...
PICOOC – MITM - NOT SSL-PINNED
https://api2.picooc-int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&url...
PICOOC – MITM - NOT SSL-PINNED
https://api2.picooc-int.com/v1/api/account/updateUserPassword?sign=41EE8B396970992A85E9259...
PICOOC – SUMMARY
Body indexes and changes day-by-day
• Fat indexes, Mass
• Productivity, Delta
Dev Info, Friends results, Us...
~30 mHEALTH APPS
• Google Fit
• MyFitnessPal
• RunKeeper - GPS
• Nike+ Running
• WebMD
• Blood Pressure (BP) Watch
• Water...
~30 mHEALTH APPS – MYFITNESSPAL
User profile Pics → com.myfitnesspal.android/cache/Picasso-cache
User profile Pics → /sdcard/...
~30 mHEALTH APPS – RUNKEEPER
• User profile Pics / fitnesskeeper.runkeeper.pro /cache/Picasso-cache
• / fitnesskeeper.runkee...
~30 mHEALTH APPS – PERIOD CALENDAR
• Personal info – /data/data/ fitnesskeeper.runkeeper.pro /databases/PC.db. Tables
• User ...
~30 MEDICAL/FITNESS/HEALTH APPS
• User credentials: Apps may require users to log in using their user credentials (e.g. use...
~30 MEDICAL/FITNESS/HEALTH APPS (three table slides; only the header row survived extraction)
App Name / Data | User credentials and pins | Personal details of users | User activities | User l...
~30 MEDICAL/FITNESS/HEALTH APPS (chart slide: the higher the value, the more data is stored locally; per-app scores 0–9, app labels not recoverable from the text)
HEALTHCARE – SUMMARY
Native Health App is well protected; basic information, however, is not
• Basic info - Date of birth, sex,...
APPLE TV – FIVE GENERATIONS
MacOS X, iOS, tvOS
Common ways to break in
Jailbreak tools
Password management
USB Acquisit...
APPLE TV – I GENERATION – EASY TO BREAK
First edition of the TV: Mac OS X & HDD make breaking much easier
All possible ways t...
APPLE TV – II-V GENERATION – EASY TO BREAK TOO
• Perform breaks in the same way as for any other Apple mobile device (iPhone...
APPLE TV – DATA EXAMINATION & FORENSICS
• Apple TV jailbreak support https://pangu8.com/appletv.html
• Apple TV 1 – scripts,...
APPLE TV – DATA EXAMINATION & FORENSICS
• USB port is reserved for “service and support” purposes
• Vanished since Apple TV 5th G...
APPLE TV – 2ND – 4TH GEN – USB ACQUISITION (USB, MICRO, USB-C)
5TH GEN IS OUT OF SCOPE (NO USB)
AFC (Apple File Conduit) ser...
APPLE TV – BACKUP
• Real Time Log
• Crash Log
• MediaLibrary.sqlitedb
• iCloud Account Name
• iCloud ID
• Wi-Fi networks
• D...
APPLE TV – 2ND – 5TH GEN – JAILBREAK
Timezone
• /private/var/db/timezone/localtime
Network tcp/ip lease
• /private/var/db/dh...
APPLE TV – 2ND – 5TH GEN – JAILBREAK
Keyboard dictionary
• /private/var/mobile/library/keyboard/dynamic-text.dat
Accounts
...
APPLE TV – 2ND – 5TH GEN – JAILBREAK
iCloud synced preferences
• /var/mobile/Library/SyncedPreferences/
Wi-Fi Access Points
...
APPLE TV – 2ND – 5TH GEN – JAILBREAK
Headboard
• /private/var/mobile/library/com.apple.headboard/apporder.plist
• /private/...
APPLE TV – 2ND – 5TH GEN – JAILBREAK
App snapshots
• /private/var/mobile/library/caches/com.apple.pineboard/assetlibrary/sn...
APPLE TV – 2ND – 5TH GEN – JAILBREAK
Installed applications
• /private/var/db/lsd/com.apple.lsdidentifiers.plist
Installed a...
APPLE TV – 2ND – 5TH GEN – JAILBREAK
Country, last activity
App snapshots
YouTube
APPLE TV – ANY GEN – PROFILING AS A KIND OF PROTECTION
TV Remote Payload
The TV Remote payload is designated by specifying ...
APPLE TV – SUMMARY
Lots of jailbreaks
• Except Apple TV 3
• Apple TV 1 is based on Mac OS X, so breaking works the same way as...
AMAZON TV: PREREQUISITES
Amazon Fire TV Stick
Amazon account plus other accounts per app
MITM is out of scope, but wait for...
AMAZON TV – BREAK OPPORTUNITIES
No support from forensics tools
Sideloading is allowed; ADB exists and is off by default
Ro...
AMAZON TV – ROOT, BOOTLOADER, SIDELOADING
Non-root things
• Sideloading is allowed without root, as on Android
• Bootloader...
AMAZON TV – ROOTED TV
• browser.db – Browser history & navigation to websites using Mozilla Firefox
• [root]/data/com.amazon...
AMAZON TV – ROOTED TV
• /data/data/ = All application data is stored in this directory
• com.amazon.venezia/ = Amazon appsto...
FORENSIC ANALYSIS METHOD FOR THE AMAZON FIRE TV STICK (diagram slide)
AMAZON TV: SUMMARY
• Several older firmwares are affected by rooting tools
• Rooting requires a BT keyboard, which is not a ...
AMAZON ECHO DOT
• Pictures and the specification
AMAZON ECHO DOT
• Local access
• Bootloader
• MITM: SSL, MITM, Firmware MITM
• Credential breaks
AMAZON ECHO DOT – LOCAL ACCESS, LACK OF ROOT
• Alexa doesn’t have ADB, but has an MTK
• bus 001 Device 010: ID 0ed8d:2000 Me...
AMAZON ECHO DOT – MITM. WHAT ABOUT SSL?
Self-signed certificates are allowed on Alexa for devs
• https://developer.amazon.com...
AMAZON ECHO DOT – MITM. FIRST TIME SETUP
• Navigate via browser to https://alexa.amazon.com
• Up to the end of 2017 a redirect to A...
AMAZON ECHO DOT – MITM. FIRMWARE
Intercepting firmware updates is possible
Here is a bin-firmware HTTP request
• GET /obfusca...
AMAZON ALEXA APP
Alexa app has good, solid protection
No sensitive data stored locally
Well-encrypted communication (on...
AMAZON ECHO DOT – ALEXA APP – MITM, NOT PINNED
Credentials
• {"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiratio...
AMAZON ALEXA APP – LOCAL
• Library/Application Support/device.sqlite – device list with ID, serials
• Library/METRICS_NORMAL* -...
AMAZON ECHO DOT – ALEXA APP
Alexa and Echo allow many users to manage devices
• Echo has no voice differentiation capabiliti...
AMAZON ECHO DOT & ALEXA APP – SUMMARY
Intercepting firmware updates is possible
Alexa allows self-signed SSL certificates but not...
READYFORSKY
CONNECTED HOME – READYFORSKY
• Backup
• MITM: Hub, Remote
• BT MITM: out of scope
READYFORSKY – DOCUMENTS/R4S.SQLITE
Device list, models, pairing text
Recipes per device (how to cook, basic details & requ...
READYFORSKY – MITM
• Firmware version – 2.29 - http://service2.readyforsky.com/firmware/list/148/["2.29"]
• Device Pic - htt...
READYFORSKY – MITM
Credentials, password, tokens
• https://content.readyforsky.com/headless/change-password
• {"current_pass...
READYFORSKY – MITM
User details - https://content.readyforsky.com/api/user/current
• "username": "yurychemerkin",
• "usernam...
READYFORSKY – MITM
Device details
• https://content.readyforsky.com/api/device/user
• "name": "RK-G200S",
• "address": "E7:...
REDMOND – SUMMARY
Communications & MITM
• App, Hub, Device IP, Ports including internal info, Device info (name, model, netw...
LIGHTING
• Lightify
• IKEA TRÅDFRI
• Philips HUE
LIGHTIFY
• Lightify is the IoT platform with the simplest integration of wireless lighting.
• Need to have a Lightify accou...
IKEA TRÅDFRI
Smart lighting and an assistant to control it
No online communications except firmware requests in plaintext
• ...
PHILIPS HUE
• HUE lights, lamps and other devices with a smart assistant and a bridge that works over Philips servers
• The list of pai...
LIGHTING – SUMMARY
IoT platforms: Lightify, IFTTT
• One account to access all tokens & credentials to manage services, devi...
CONNECTED HOME – SUMMARY
Jailbreaks & roots
• Available for popular devices
• Sideloading apps is possible
• New in-house m...
IoT – HOW TO SECURE
Risk Management
• Device Profiling – divide your devices according to critical info & risk score
• Use...
IoT – HOW TO SECURE
Software Management
• Settings – change the default privacy policies & security settings
• Features – ...
MOBILE, IoT, CLOUDS… IT’S TIME TO HIRE A RISK MANAGER!
HOW TO CONTACT ME?
ADD ME ON LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN...
Mobile, IoT, Clouds… It’s time to hire your own risk manager!

Yury Chemerkin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

  1. 1. Mobile, IoT, Clouds… It’s time to hire a Risk Manager! YURY CHEMERKIN MULTI-SKILLED SECURITY EXPERT CJSC ADVANCED MONITORING
  2. 2. YURY CHEMERKIN I have ten+ years of experience in information security. I‘m a multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile &, Cloud Computing, IAM, Forensics & Compliance. I published many papers on mobile and cloud security, regularly appears at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc. LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN TWITTER: @YURYCHEMERKIN EMAIL: YURY.S@CHEMERKIN.COM
  3. 3. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  4. 4. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  5. 5. UNDERSTANDING THINGS
  6. 6. IoT TAXONOMY & FRAGMENTATION Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/
  7. 7. IoT TAXONOMY
     • Wearable Tech
     • Connected Home
     • Building Blocks & Platforms
     • Industrial Internet
     • Healthcare
     • In-store Retail
     • Connected Car
     • Venture Capital Firms
     • Corporate Investors
     • Angel Investors
     • Crowdfunding
     • Accelerators/Incubators
     • IoT Acquirers
     • Notable acquisitions
  8. 8. NARROW THINGS Wearable Tech Connected Home Healthcare
  9. 9. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  10. 10. WATCHES
  11. 11. WEARABLE TECH: SMARTWATCHES – APPLE WATCH. Topics: MITM, Jailbreak, Backup
  12. 12. APPLE WATCH MITM. The Apple Watch communicates via Bluetooth with the owner’s iPhone. If the iPhone is not reachable over Bluetooth, Wi-Fi is used for synchronization with Apple servers and the iPhone. Online communication (over Wi-Fi):
     • [iPhone apps → iCloud] – MITM prevented by SSL pinning
     • [Apple Watch → iCloud] – MITM prevented by SSL pinning
     • No way to install a custom SSL (CA) certificate on the Apple Watch
  13. 13. APPLE WATCH: BREAKING THE LOCKSCREEN. Remove the passcode using your iPhone:
     1. Go to “Settings -> General -> Reset”
     2. “Erase Apple Watch Content & Settings”
     3. “Keep Plan” if the watch has a cellular plan; otherwise just “Erase All Content & Settings”
     4. Pair it again
  14. 14. APPLE WATCH: BREAKING THE LOCKSCREEN. Removing your passcode without an iPhone:
     1. Power menu – press & hold the side button
     2. Instead of sliding "Power Off", press on it
     3. Tap "Erase all content and settings"
     4. Tap the green checkmark to confirm
     5. Pair it again
  15. 15. APPLE WATCH: BREAKING THE LOCKSCREEN. Unpair the watch via the Apple Watch app & Apple password:
     1. Keep your Apple Watch and iPhone close together
     2. Open the Apple Watch app on the iPhone
     3. Tap the “My Watch” tab, the watch name, then “Unpair Apple Watch”
     4. Press “Keep Plan” for cellular watches
     5. Enter your Apple ID password and tap confirm
  16. 16. APPLE WATCH JAILBREAKS. Jailbreaks over USB:
     • Apple Watch Series 1–4 & watchOS 5 – no jailbreak
     • watchOS 4.0–4.1 – v0rtex jailbreak, for developers only: https://github.com/tihmstar/jelbrekTime
     • Apple Watch Series 1–2 & watchOS 3.0–3.2.3 – OverCl0ck jailbreak, still in development: https://github.com/PsychoTea/OverCl0ck
     Jailbreak & Bluetooth connection over SSH: https://speakerdeck.com/mbazaliy/jailbreaking-apple-watch
  17. 17. APPLE WATCH – BACKUP
     • /mobile/Library/DeviceRegistry.state/properties.bin – binary plist file containing the paired Apple Watch specifics, incl. watch name, make, model, OS, GUID
     • Synced data path with GUID, date, local
     • Serial number, UDID, Wi-Fi MAC, SEID (Secure Element ID), Bluetooth MAC
  18. 18. APPLE WATCH – BACKUP. Plist containing the apps installed on the Apple Watch (2 places):
     • /mobile/Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains/com.apple.Carousel
     • /mobile/Library/DeviceRegistry/<GUID>
     Example: /mobile/Library/DeviceRegistry/<GUID>/AddressBook/
  19. 19. APPLE WATCH BACKUP
     • Email – /mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite
     • Voicemails – /mobile/Library/DeviceRegistry/<GUID>/PreferencesSync/NanoDomains/com.apple.mobilephone – records containing phone numbers and paths to synced voicemail files
  20. 20. APPLE WATCH BACKUP – PASSBOOK. /mobile/Library/DeviceRegistry/<GUID>/NanoPasses/nanopasses.sqlite3, Pass table: Unique_ID, Type_ID (boarding pass, loyalty pass), encoded pass (value/data)
  21. 21. APPLE WATCH – BACKUP: APPLE HEALTH
     • Encrypted (.hfd) in password-protected / encrypted backups only
     • No Health data in a non-encrypted backup
     • Export in raw/plaintext
     • But hold on, we will come back to the Health app soon
  22. 22. APPLE WATCH ACCESS ATTACK LOGIC
  23. 23. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  24. 24. APPLE WATCH SUMMARY. The Apple Watch communicates via Bluetooth, or via Wi-Fi if Bluetooth is not available. Online communication (over Wi-Fi):
     • [iPhone apps → iCloud] – MITM prevented by SSL pinning
     • [Apple Watch → iCloud] – MITM prevented by SSL pinning
     • No way to install a custom SSL (CA) certificate on the Apple Watch
     Local data
     • Not many, but jailbreaks are available
     • Backup still works to access the data
     • Wallet contains booking, card and other info
     Apple Health app
     • Contains a lot of medical user data
     • Encrypted if the backup is password-protected, left out of the backup otherwise
     • Contains non-encrypted basic medical user data and a list of app sources
  25. 25. WEARABLE TECH: SMARTWATCHES – ANDROID WATCH. Topics: forensics (physical, logical, network acquisition), screen lock bypassing techniques, root opportunities, Android Wear app
  26. 26. ANDROID WATCH: FORENSICS OF WEARABLE TECH. Physical acquisition, logical acquisition, network acquisition (omitted here)
  27. 27. ANDROID WATCH: IMAGING A SMARTWATCH DEVICE
     • The ADB tool should be used to image and explore the Android smartwatch.
     • The dd command can be used to copy the entire device to an inserted SD card:
       dd if=/dev/block/mmcblk0p12 of=/sdcard/tmp.image
     • If time is a factor, investigators can copy specific partitions with the following commands (dd takes if=/of= with no spaces around the "="; partition numbers differ per device, so confirm them first with ls -al by-name under /dev/block/platform/<controller>/):
       dd if=/dev/block/mmcblk0p12 of=/storage/extSdCard/data.dd    # data
       dd if=/dev/block/mmcblk0p8 of=/storage/extSdCard/cache.dd    # cache
       dd if=/dev/block/mmcblk0p3 of=/storage/extSdCard/efs.dd      # efs
       dd if=/dev/block/mmcblk0p09 of=/storage/extSdCard/system.dd  # system
  28. 28. ANDROID WATCH: BREACHING A LOCK SCREEN
     • Google account credentials are known → remote unlock of connected watches via Google’s Android Device Manager
     • Deleting / altering the gesture.key & settings.db files → removes the lock screen entirely: adb.exe shell; cd /data/system; rm gesture.key
     • The settings.db file contains system settings and can cause system-wide changes if modified: update system set value=0
     • Flashing a modified ROM / a reboot in safe mode – to leverage a third-party lock screen
     • Utilize the adbkey and adbkey.pub files from other computers that have previously been synchronized with the examined device to create a trust relationship with a new device: /.android/<ADB keys> – those files are a key pair that marks a computer as "trusted" to the phone. Copies of the ADB keys are stored on synchronized devices in users/<user name>/.android folders.
  29. 29. ANDROID WATCHES: ROOT
     Root:
     • 5.1.1 – SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
     • 6.0.1 – SuperSU-6.0.1.zip https://supersu.apk.gold/android-6.0.1
     • Wear 2.0 – SuperSU-Wear
     • Wear-SuperSU 2.4 – https://androidfilehost.com/?fid=24269982086990060
     Recovery:
     • TWRP – https://eu.dl.twrp.me/bass/
     • 5.1.1: twrp-3.1.0-0.img
     • 6.0.1 and Wear 2.0: twrp-3.0.0-0.img
  30. 30. ANDROID WATCH: WEAR OS
     • Tizen OS – Samsung
     • Android Wear OS – Asus Zenwatch, Huawei Watch, LG Watch and many others
     • Many root tools & images for Android Wear up to 2.0
     • Lack of tools for 2.1 and beyond
     • Wear app to access data

     Android Wear version | Android base version | Release date
     4.4W1 | 4.4 | June 2014
     4.4W2 | 4.4 | October 2014
     1.0 | 5.0.1 | December 2014
     1.1 | 5.1.1 | May 2015
     1.3 | 5.1.1 | August 2015
     1.4 | 6.0.1 | February 2016
     1.5 | 6.0.1 | June 2016
     2.0 | 7.1.1 | Feb 2017
     2.6 | 7.1.1 | Nov 2017
     2.6 | 7.1.1/8.0.0 | Dec 2017
     2.7 | 7.1.1/8.0.0 | Dec 2017
     2.8 | 7.1.1/8.0.0 | Jan 2018
     2.9 | 7.1.1/8.0.0 | Feb 2018

     Wear OS version | Android base version | Release date
     1.0 | 7.1.1/8.0.0 | Mar 2018
     1.1 | 7.1.1/8.0.0 | April 2018
     1.2 | 7.1.1/8.0.0 | May 2018
     1.3 | 7.1.1/8.0.0 | June 2018
     1.4 | 7.1.1/8.0.0 | July 2018
     1.5 | 7.1.1/8.0.0 | August 2018
     1.6 | 7.1.1/8.0.0 | September 2018
     1.7 | 7.1.1/8.0.0 | October 2018
     2.0 | 7.1.1/8.0.0 | August 2018
     2.1 | 7.1.1/9.0.0 | September 2018
  31. 31. ANDROID WATCHES: SAMSUNG GEAR – ALL OF THEM (TIZEN). Tizen OS, Bluetooth, USB, no Wi-Fi, optional password protection.
     #1 Gain root:
     • turn on SDB (‘Smart Development Bridge’),
     • find a ROM, use Odin,
     • reboot to ‘download’ mode – hold down the main button through the turn-off prompt,
     • sdb shell, sdb root
  32. 32. ANDROID WATCHES: SAMSUNG GEAR – ALL OF THEM. #2 Get data as an image:
     • Requires root (see step #1)
     • Use anything to image the watch, like Toybox http://landley.net/toybox/
       adb push toybox /sdcard/download
       adb shell; su
       mv /sdcard/download/toybox /dev/
       chown root:root toybox; chmod 755 toybox
       cd /dev/block/platform/msm_sdcc; ls -al by-name
       /* image the partition with dd and pipe it to netcat; -L puts netcat in listening mode */
       dd if=/dev/block/mmcblk0p21 | ./toybox nc -L
       /* the port netcat listens on is displayed to the user (44477 displayed on the slide; forward whichever port is actually printed) */
       adb forward tcp:44867 tcp:44867
       /* connect to the watch on the forwarded port and write the stream to an image file */
       nc 127.0.0.1 44867 > Samsung.IMG
     Here mmcblk0p21 is the user partition.
  33. 33. ANDROID WATCHES: SAMSUNG GEAR – ALL OF THEM. #3 Results:
     • Messages – apps.com.samsung.message.data.dbspace/msg-consumer-server.db
     • Health/fitness data – apps.com.samsung.shealth/shealth.db
     • Email – apps.com.samsung.wemail.data.dbspace/wemail.db
     • Contacts/address book – dbspace/contacts-svc.db
  34. 34. ANDROID WATCHES: LG WATCH – ALL OF THEM. Android Wear, USB, Bluetooth, no Wi-Fi.
     #1 Gain root: turn on ADB, use LG G Watch Restore Tools, reboot to the bootloader & unlock it, and push the image:
       adb reboot-bootloader
       fastboot oem unlock
       adb push <SuperSU>.zip /sdcard/download
       adb reboot-bootloader
       fastboot boot <twrp>.img
     Install <SuperSU>.zip, wait for the reboot
  35. 35. ANDROID WATCHES: LG WATCH – ALL OF THEM. #2 Get data as an image:
     • Requires root (see step #1)
     • Use anything to image the watch, like Toybox http://landley.net/toybox/
       adb push toybox /sdcard/download
       adb shell; su
       mv /sdcard/download/toybox /dev/
       chown root:root toybox; chmod 755 toybox
       cd /dev/block/platform/msm_sdcc; ls -al by-name
       /* image the partition with dd and pipe it to netcat; -L puts netcat in listening mode */
       dd if=/dev/block/mmcblk0p21 | ./toybox nc -L
       /* the port netcat listens on is displayed to the user (44477 displayed on the slide; forward whichever port is actually printed) */
       adb forward tcp:44867 tcp:44867
       /* connect to the watch on the forwarded port and write the stream to an image file */
       nc 127.0.0.1 44867 > LG.img
     Here mmcblk0p21 is the user partition.
  36. 36. ANDROID WATCHES: LG WATCH – ALL OF THEM. Results:
     • Events/notifications – data.com.android.providers.calendar.databases/calendar.db
     • Contacts/address book – data.com.android.providers.contacts.databases/contacts2.db
     • Health/fitness data – data.com.google.android.apps.fitness.databases/pedometer.db
  37. 37. ANDROID WATCHES: ANDROID WEAR. The mobile device is paired with all watches in this app:
     • /com.samsung.android.app.watchmanager/auto_update.xml – a timestamp of the day the Samsung Gear was last updated
     • /com.samsung.android.app.watchmanagerstub/shared preferences/hmonlinehelppref.xml
     • /data/com.google.android.wearable.app/databases/devices.db – list of devices using Android Wear, which listed the LG G Watch
  38. 38. ANDROID SMARTWATCHES ACCESS ATTACK LOGIC
  39. 39. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  40. 40. ANDROID WATCH SUMMARY
     Forensics
     • No forensic tools from vendors such as Elcomsoft or Cellebrite are available for these devices
     • Forensic techniques are still applicable to the devices
     • Forensics of Wear apps works too, but yields little useful data
     • Known techniques for breaking the Android screen lock work
     OS
     • Tizen OS – Samsung
     • Android Wear OS – Asus Zenwatch, Huawei Watch, LG Watch and many others
     Root & Recovery
     • Many root tools & images for Android Wear up to 2.0
     • Lack of tools for 2.1 and beyond
     • SDB, ADB, Fastboot, OEM unlock
     Data
     • Contacts, fitness, health, email – on the device
  41. 41. HUAWEI WEAR & HONOR BAND 3-9C7 • Photos of the band and the app (links to the stores) • Insert pictures for the lists in round shapes??
  42. 42. FITNESS TRACKERS: HUAWEI WEAR, HONOR BAND 3-9C7
     • Device MAC address & crash log: DevInfo, debug info – /Documents/hms/oclog/<crash>,<log>
     • Last wear values: sleep (many params), wakeup (many params), distance (steps, ride, climb, …), heart rate, calories
     • Firmware: path to the locally stored firmware, URL to download the firmware (HTTP !!!), change log, options
     • Geo: speed, timestamp, longitude, latitude, distance, course, duration, altitude
     • User info: picture, name, birthday, height, weight, gender, age
     • Account details: UDID, security token, UserID, SessionID
     • Bluetooth keys
  43. 43. CRASH LOG: DEVINFO, DEBUG INFO – /Documents/hms/oclog/<crash>
     CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond bounds [0 .. 6]
     Stack Trace: (
       0   CoreFoundation     0x00000001834d317c <redacted> + 148
       1   libobjc.A.dylib    0x000000018271c528 objc_exception_throw + 56
       2   CoreFoundation     0x000000018346bc9c _CFArgv + 0
       3   CoreFoundation     0x00000001833a0324 <redacted> + 0
       4   HuaweiWear         0x0000000100319064 HuaweiWear + 315492
       5   HuaweiWear         0x000000010030ffdc HuaweiWear + 278492
       6   libdispatch.dylib  0x0000000182e52a54 <redacted> + 24
       7   libdispatch.dylib  0x0000000182e52a14 <redacted> + 16
       8   libdispatch.dylib  0x0000000182e5f698 <redacted> + 1016
       9   CoreFoundation     0x000000018347b344 <redacted> + 12
       10  CoreFoundation     0x0000000183478f20 <redacted> + 2012
       11  CoreFoundation     0x0000000183398c58 CFRunLoopRunSpecific + 436
       12  GraphicsServices   0x0000000185244f84 GSEventRunModal + 100
       13  UIKit              0x000000018caf15c4 UIApplicationMain + 236
       14  HuaweiWear         0x00000001005b13f8 HuaweiWear + 3036152
       15  libdyld.dylib      0x0000000182eb856c <redacted> + 4
     )
     iPhone: iPhone8,4  ClientVersion: 21.0.12  OSVersion: 11.2.6
  44. 44. HUAWEI WEAR – LAST VALUES, /Documents/<*.archiver> files:
     <string>{
       "sleepTotalData":{"shallowSleepTime":0,"totalSleepTime":0,"deepSleepTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTime":0},
       "distance":3940,"lastHeartRate":0,"steps":4623,"lastHRTimeStamp":0,"calories":216,"date":1537867958.8875299,"totalClimb":0,"daySportInfo":[]
     }</string>
  45. 45. HUAWEI WEAR: FIRMWARE, /Documents/<*.archiver> files:
     <string>{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7","firmWareSize":1410023,"deviceType":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35",
       "firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
       "changeLogContent":"[Optimizations]\nOptimizes calorie counting accuracy while swimming.\nFixes an issue where exercise sessions would suddenly exit due to accidental touches.\nFixes an issue where fitness data would be occasionally cleared.\nOptimizes the TrusleepTM data syncing speed on IOS.\n[Notes]\n1. New features require that Huawei Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for Android.\n2. Before updating, make sure the band is charged to at least 20%.\n","status":1,
       "baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}</string>
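As an added example (not code from the deck), the following Python pulls a firmware record like the one above out of a property list and flags the two risks the slide points at: the plaintext HTTP download base URL and the MD5-only checksum. The plist wrapper and its "firmware" key are constructed; the JSON field names and values are the slide's.

```python
import json
import plistlib

# Constructed sample: a minimal XML property list whose <string> value holds a
# firmware record in the shape the deck shows. Field names and the http:// base
# URL are from the slide; the plist wrapper and the "firmware" key are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>firmware</key>
  <string>{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7","firmWareSize":1410023,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35","baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}</string>
  <key>deviceMacAddress</key>
  <string>38:37:8B:B8:C9:C7</string>
</dict>
</plist>
"""


def load_json_strings(plist_bytes):
    """Return {key: parsed_dict} for every string value in the plist that is a JSON object."""
    found = {}

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, str) and value.lstrip().startswith("{"):
                    try:
                        found[key] = json.loads(value)
                    except ValueError:
                        pass  # a string that merely starts with "{" but is not JSON
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(plistlib.loads(plist_bytes))
    return found


def firmware_findings(record):
    """Heuristic risk findings for one firmware record (the checks are this example's own)."""
    findings = []
    if record.get("baseURL", "").lower().startswith("http://"):
        findings.append("firmware baseURL uses plaintext HTTP")
    keys = {k.lower() for k in record}
    if "firewaremd5" in keys and not any(k.endswith(("sha256", "signature")) for k in keys):
        findings.append("record carries only an MD5 checksum, no signature field")
    # "identify" holds the same value the deck later shows as deviceMacAddress.
    if record.get("identify"):
        findings.append("record stores the band's Bluetooth MAC address in plaintext")
    return findings


def scan(plist_bytes):
    """Map each JSON-bearing plist key to its findings, for a quick triage of the artifact."""
    return {key: firmware_findings(rec) for key, rec in load_json_strings(plist_bytes).items()}
```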
  46. 46. HUAWEI WEAR: GEO, SPEED, /Documents/<*.archiver> files:
     <string>{"speed":0.63999998569488525,"timestamp":"2018-06-09T05:12:19+0300","longitude":41.512356810310401,"latitude":52.571571199272356,"totalDistance":0,"verticalAccuracy":4,"course":10.546875,"duration":0,"distance":0,"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5}</string>
  47. 47. HUAWEI WEAR: USER INFO, /Documents/<*.archiver> files:
     <string>{"headImgLocal":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/temp_user/temp_user.jpg","age":29,"unitType":0,"nameIsNil":false,"isDefault":true,"weight":78,"userName":"Yury Chemerkin","walkStepLen":77.28,"birthday":19880605,"height":184,"modifyTime":0,"runStepLen":92.736,"gender":0}</string>
  48. 48. HUAWEI WEAR: /Documents/<*.archiver> files
     • Account – account details stored in a protected way
     • Device MAC address – <string>deviceMacAddress</string> <string>38:37:8B:B8:C9:C7</string>
     • Bluetooth keys
  49. 49. HUAWEI WEAR: PERSONAL DETAILS, /Documents/<wear*.db> files. User goals, device details, user measures:
     • m_7_DataSourceTable_temp_user
     • m_7_FitnessMergedDataTable_temp_user
     • m_14_FineSleepDayMergeTable_temp_user
     • m_7_MotionGoalTable_temp_user
  50. 50. HUAWEI WEAR: PERSONAL DETAILS, /Documents/<wear*.db> files. User measures:
     • m_14_HeartRateByDay_temp_user
     • m_14_SportDataByDay_temp_user
     • m_133_MotionPathDetail_temp_user
     • m_7_MotionGoalTable_temp_user
  51. 51. HUAWEI WEAR: PERSONAL DETAILS, /Documents/<wear*.db> files. User measures:
     • m_133_SingleMovementStatistic_temp_user
     • m_133_SingleMovement_temp_user
  52. 52. HUAWEI HONOR SUMMARY
     Local data
     • Credentials are protected
     • Personal and medical info – plaintext / as is
     Communication
     • Local – encrypted
     • Online – SSL pinning for all possible connections: registration, login and synchronization
  53. 53. XIAOMI MI BAND 2 & MI FIT
     Online communication
     • AWS storage in Ireland (EU) mainly, secondary US
     • TLS 1.2, no SSL pinning
     Local data
     • Action log with details incl. URLs:
       https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t=1512648130831
       https://api-mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
       https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t=1512648130805
  54. 54. FITNESS APPS: ROAD BIKE, MOUNTAIN BIKE, …
     • GPS data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downward (meters), local timestamp, GPS timestamp
     • Session data: timestamp (start, end), distance, duration, avg & max speed, upward/downward, heartZone values (need a special device)
     • Speed data: timestamp, speed, duration, distance
     • User data: email, password, weight, height, gender, name, birthday
  55. 55. FITNESS APPS: Documents/database.sqlite3. Where to search for data: GPS & location; heart rate (requires special devices); session data; speed; user data
  56. 56. FITNESS APPS: LOCATION, MAPS AND USER INFO
     • Location and geo snapshots – Documents/MapOpenCycleMap.sqlite
     • User info – Documents/database.sqlite3
  57. 57. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  58. 58. FITNESS TRACKERS SUMMARY AMONG TRACKERS & APPS
     Local data
     • Credentials are usually protected
     • Personal and medical info – plaintext / as is
     Communication
     • Local – encrypted
     • Online – SSL pinning for all possible connections
  59. 59. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  60. 60. APPLE HEALTH [DEVICE PICTURES GO HERE]
  61. 61. HEALTHCARE: APPLE HEALTH
     • Valuable data is encrypted and no public cracks are known
     • A small amount of data is not encrypted in the backup
     • List of app sources (look here for the non-encrypted original data)
     • However, a secure built-in aggregator app does not mean the other apps are secure in the same way – of course not
  62. 62. APPLE HEALTH: WHERE TO FIND DATA?
     • HealthDomain/MedicalID/MedicalIDData.archive
     • HealthDomain/Health/healthdb.sqlite
     • HealthDomain/Health/healthdb_secure.sqlite
     • HealthDomain/Health/healthdb_secure.hfd
     • Exported raw data – any place chosen by the user
  63. 63. APPLE HEALTH: DATA IN DETAIL
     • Name, user pic, height (in cm), and mass (in kg)
     • Geo tracking (mainland/city), iOS version
     • Device info: UDID, name, last connection time
     • Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
     • Medical implants
  64. 64. APPLE HEALTH: HealthDomain/MedicalID/MedicalIDData.archive – name, height, weight, medical implants
  65. 65. APPLE HEALTH: HealthDomain/Health/healthdb.sqlite – bundle_id, app_name; device name, device model, vendor, hardware and software, timestamp
  66. 66. APPLE HEALTH: HealthDomain/Health/healthdb_secure.sqlite
  67. 67. APPLE HEALTH: RAW EXPORT. Recorded by any Apple device & accessed through the Health app.
     • Detailed activity log with timestamps
     • Data can be exported in .xml format without encryption (!) and even without encrypting the zip file
     • Extracted data can be stored anywhere
  68. 68. APPLE HEALTH – RAW EXPORT: PERSONAL, FITNESS, MEDICAL INFO
     • Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
     • Heart rate data (in count/min) or beats per minute (BPM)
     • Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
     • Blood pressure: diastolic, systolic
     • The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
     XML parser (free): https://github.com/tdda/applehealthdata
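As an added example (not from the deck and not the applehealthdata project it links), this Python pulls the fields the slide lists out of an unencrypted export.xml: the profile attributes, per-type record counts, the apps and devices that contributed records, and the creationDate/startDate/endDate timestamps. The XML is constructed in the shape of a real Apple Health export, with made-up values.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout of an Apple Health export.xml: a <Me> element
# carrying the profile as attributes, then one <Record> per measurement.
# All values below are invented for this example.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<HealthData locale="en_US">
 <ExportDate value="2018-10-01 09:00:00 +0300"/>
 <Me HKCharacteristicTypeIdentifierDateOfBirth="1980-01-01"
     HKCharacteristicTypeIdentifierBiologicalSex="HKBiologicalSexMale"
     HKCharacteristicTypeIdentifierBloodType="HKBloodTypeAPositive"
     HKCharacteristicTypeIdentifierFitzpatrickSkinType="HKFitzpatrickSkinTypeII"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min" value="72" creationDate="2018-09-25 08:00:10 +0300" startDate="2018-09-25 08:00:00 +0300" endDate="2018-09-25 08:00:00 +0300"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min" value="118" creationDate="2018-09-25 08:30:10 +0300" startDate="2018-09-25 08:30:00 +0300" endDate="2018-09-25 08:30:00 +0300"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="iPhone" unit="count" value="4623" creationDate="2018-09-25 23:59:00 +0300" startDate="2018-09-25 00:00:00 +0300" endDate="2018-09-25 23:59:00 +0300"/>
 <Record type="HKQuantityTypeIdentifierBloodPressureSystolic" sourceName="BP Watch" unit="mmHg" value="121" creationDate="2018-09-25 09:00:00 +0300" startDate="2018-09-25 09:00:00 +0300" endDate="2018-09-25 09:00:00 +0300"/>
</HealthData>
"""

PROFILE_PREFIX = "HKCharacteristicTypeIdentifier"
HEART_RATE = "HKQuantityTypeIdentifierHeartRate"


def profile(root):
    """Personal attributes from <Me> (date of birth, sex, blood type, skin type), prefix stripped."""
    me = root.find("Me")
    if me is None:
        return {}
    return {k[len(PROFILE_PREFIX):]: v for k, v in me.attrib.items() if k.startswith(PROFILE_PREFIX)}


def summarize(xml_text):
    """What a reader of the plaintext export learns without any key: who, what, from which apps, when."""
    root = ET.fromstring(xml_text)
    records = root.findall("Record")
    heart_rates = [float(r.get("value")) for r in records if r.get("type") == HEART_RATE]
    return {
        "profile": profile(root),
        "record_count": len(records),
        "types": dict(Counter(r.get("type") for r in records)),
        # every app or device that wrote data: the "list of app sources" the deck mentions
        "sources": sorted({r.get("sourceName") for r in records}),
        "max_heart_rate": max(heart_rates) if heart_rates else None,
        "first_timestamp": min(r.get("startDate") for r in records) if records else None,
        "last_timestamp": max(r.get("endDate") for r in records) if records else None,
    }
```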
  69. 69. APPLE HEALTH - RAW EXPORT IN EXAMPLES & DETAILS
  70. 70. APPLE HEALTH - RAW EXPORT IN EXAMPLES & DETAILS
  71. 71. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  72. 72. HEALTHCARE SUMMARY
     • The Apple Health app is well protected
     • Basic info – date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
     • Exported data is not protected at all
     • The list of app sources & these apps’ data are not protected well
  73. 73. PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
     • Fat indexes: vertical fat index, body fat
     • Mass: body weight, bone mass, muscle, skeletal muscle
     • Productivity: BMR, body water, protein, metabolic age
     • Delta: tracking changes, charts, reports
  74. 74. PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
     • BT logs: peripheral info of nearby devices, and the MAC of the scale itself
     • Body scale values: body, muscles, productivity, date & time, device MAC
     • Dev info: MAC, model name, user ID, device picture
     • Friends info: name, account_id, user_id, phone_id, sex (they have to be PICOOC users)
     • User info: nickname, userID, height, age, sex, race, type
     • Sensor values: time, age, OS, race, type, screen size, mobile device info model, environment, language
     • Preferences: local password, unlocking method, last active day
  75. 75. PICOOC BT LOGS, Documents/BluetoothLog.text (PICOOC app container). Discover indirectly what devices your neighbors have. 扫描到设备 means “device scanned”:
     • 04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
     • 04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
     • 04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
     • info.macAddress = D0:49:00:1D:87:8A
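As an added example (not from the deck), the following Python parses scan lines in the format shown above and separates the scale’s own entry from the third-party devices the app logged, which is what makes this file a privacy leak rather than a debug aid. The log text is constructed from the slide’s three lines plus one unrelated line to show that non-scan entries are skipped.

```python
import re

# Constructed log: the three scan lines from the slide, one unrelated entry, and
# the scale's own MAC line. Real BluetoothLog.text files hold many such entries.
SAMPLE_LOG = """04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
04-14 13:31:38:100 .some other entry that is not a scan result (constructed)
info.macAddress = D0:49:00:1D:87:8A
"""

# 扫描到设备 = "device scanned". Name is matched lazily up to the RSSI field.
SCAN_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) \.扫描到设备 name:Peripheral Info:Name: "
    r"(?P<name>.*?) RSSI: (?P<rssi>-?\d+) UUID: (?P<uuid>[0-9A-F-]{36})"
)
MAC_RE = re.compile(r"info\.macAddress = ((?:[0-9A-F]{2}:){5}[0-9A-F]{2})")


def parse_scan_log(text):
    """Return (devices, own_mac): every scanned peripheral and the scale's own MAC, if logged."""
    devices, own_mac = [], None
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            devices.append({"time": m["ts"], "name": m["name"],
                            "rssi": int(m["rssi"]), "uuid": m["uuid"]})
            continue
        m = MAC_RE.search(line)
        if m:
            own_mac = m.group(1)
    return devices, own_mac


def third_party_devices(devices, own_prefix="PICOOC"):
    """Everything that is not the scale: the household inventory the log discloses."""
    return [d for d in devices if not d["name"].startswith(own_prefix)]


def strongest_signal(devices):
    """Name of the closest device (highest RSSI), or None when nothing was scanned."""
    return max(devices, key=lambda d: d["rssi"])["name"] if devices else None
```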
  76. 76. PICOOC BT LOGS, Documents/BluetoothLog.text (PICOOC app container)
     04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ----
     Connect a Galaxy S7 to your Samsung TV over Bluetooth to have fun and spread your content (TV with Bluetooth enabled & Samsung Galaxy S7):
     1. Open the notification pane on your handset.
     2. Select Quick Connect and then Scan for nearby devices.
     3. Select Register TV, tap the new icon with a TV and an arrow.
     4. Tap the Share button and then Smart View to play any media you play on your phone on the TV.
  77. 77. BODY VALUES, Documents/picooc.sqlite (PICOOC app container):
     CREATE TABLE `body_indexs` (`id`, `weight`, `body_fat`, `visceral_fat_level`, `muscle_race`, `body_age`, `bone_mass`, `basic_metabolism`, `bmi`, `local_time`, `water_race`, `abnormal`, `day_intValue`, `time_period`, `electric_resistance`, `mac`, `body_fat_reference_value`, `skeletal_muscle`);
  78. 78. PICOOC DEVICE AND PREFERENCES. Dev info – Documents/picooc.sqlite. Preferences – Library/Preferences/com.picooc.international.plist:
     <key>PasswordLockType</key>
     <integer>2</integer>
     <key>PasswordNumherLockContnet</key>
     <string>7124</string>
     <key>currendDay</key>
     <string>20180922</string>
     <key>kStartupUserIdKey</key>
     <integer>4611483</integer>
  79. 79. USER BASIC INFO – MAIN USER, Documents/PLISTFILEUSERINFO.PLIST (PICOOC app container):
     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     <plist version="1.0">
     <dict>
       <key>nickName</key>
       <string>Yury Chemerkin</string>
     </dict>
     </plist>
  80. 80. USER EXTENDED INFO – LAST ADDED USER ONLY, Library/SENSORSANALYTICS-SUPER_PROPERTIES.PLIST (PICOOC app container)
     Key | Value | Translation
     current_age_characteristic | 3 | As is
     current_role_is_athlete | false | As is
     current_role_height | 178 | As is
     current_language | 英语 | English
     current_role_age | 58 | As is
     current_role_sex | 男 | Man
     app_type | PICOOC国际版 | PICOOC Worldwide Version
     time_zone | Europe/Moscow | As is
     current_role_race | 白 | White
     current_role_type | 使用者 | User
  81. 81. PICOOC SENSOR VALUES, Library/SENSORSANALYTICS-MESSAGE-V2.PLIST.DB (PICOOC app container)
     • {"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白","current_role_type":"主角色","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.1","current_age_characteristic":3,"$is_first_day":false,"$model":"iPhone8,4","$device_id":"EC640161-EC87-4A90-AD99-5B29A3F86700","$network_type":"WIFI","$carrier":"Mobile TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"current_language":"英语","$screen_height":568,"app_type":"PICOOC国际版","time_zone":"Europe/Moscow","$lib_version":"1.9.3","$os_version":"12.0","$is_first_time":false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男","current_role_id":"9144339"},"type":"track","lib":{"$lib_version":"1.9.3","$lib":"iOS","$app_version":"3.6.1","$lib_method":"code"}}
  82. 82. PICOOC MITM – NOT SSL-PINNED
     • Profile URL (publicly accessible): https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
     • Request URL: https://api2.picooc-int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538579449&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
     • Same URL (publicly accessible): https://picoocheadportrait.oss-cn-beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
     • Request URL: https://picoocheadportrait.oss-cn-beijing.aliyuncs.com
  83. 83. PICOOC MITM – NOT SSL-PINNED. https://api2.picooc-int.com
     GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token=iOS%3A%3AEC640161-EC87-4A90-AD99-5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe/Moscow&timestamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6 HTTP/1.1
  84. 84. PICOOC MITM – NOT SSL-PINNED
     https://api2.picooc-int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
  85. 85. PICOOC MITM – NOT SSL-PINNED
     https://api2.picooc-int.com/v1/api/account/updateUserPassword?sign=41EE8B396970992A85E9259B134B96BE&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538581202&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_user_password&
  86. 86. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  87. 87. PICOOC SUMMARY
     Body indexes and changes day by day
     • Fat indexes, mass
     • Productivity, delta
     Dev info, friends’ results, user data
     Network
     • Data stored on Alibaba servers
     • Profile, device info, credentials, additionally the password on the password-change tab
     • Bonus: Bluetooth scanner of nearby devices
     Preferences: local password, unlocking method, last active day
  88. 88. ~30 mHEALTH APPS
     • Google Fit
     • MyFitnessPal
     • RunKeeper - GPS
     • Nike+ Running
     • WebMD
     • Blood Pressure (BP) Watch
     • Water Your Body
     • Instant Heart Rate
     • Drugs.com Medication Guide
     • Runtastic Pedometer
     • Noom Walk Pedometer: Fitness
     • Strava Running and Cycling GPS
     • Bleep Fitness Test
     • Fitness Buddy: 300+ Exercises
     • BodySpace- Social Fitness
     • Walk with Map My Walk
     • Endomondo Running Cycling Walking
     • FitNotes – gym Workout Log
     • Period Calendar
     • Period Tracker
     • My Pregnancy Today
     • My Baby Today
     • Calorie Counter by FatSecret
     • MyNetDiary Calorie Counter PRO
     • My Diet Diary Calorie Counter
     • Calories! Basic – cal counter
     • Calorie Counter
     • Lifesum- Calorie Counter
     Artefacts looked for: user credentials and PINs; personal details of users; user activities; user location; activity timestamps; images
  89. 89. ~30 mHEALTH APPS: MYFITNESSPAL
     • User profile pics – com.myfitnesspal.android/cache/Picasso-cache
     • User profile pics – /sdcard/
     • /data/data/com.myfitnesspal.android/databases/myfitnesspal.db
       – User details including time zone, gender, date of birth and email – in tables <user_properties, users> (see the picture)
       – User profile pictures – in table <images>
       – User personal notes – in table <diary_notes>
       – User records of exercises, food habits and personal measurements – in tables <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>
       – Items last synced with the server – in table <last_sync_pointers>
       – User food search history – in table <search_history>
  90. 90. ~30 mHEALTH APPS: RUNKEEPER
     • User profile pics – /fitnesskeeper.runkeeper.pro/cache/Picasso-cache
     • /fitnesskeeper.runkeeper.pro/databases/RunKeeper.sqlite – user details including activities, trips
       – Trips deleted by the user – in table <deleted_trips>
       – Activities posted by the user – in table <feed>
       – List of the user’s friends – in table <friends>
       – Images uploaded during trips by the user – in table <status_updates>
       – User settings for each trip – in table <trip_settings>
       – Places visited during all the trips – in table <points>
       – Information about each trip – in table <trips>
       – More tables
     • The points table is used to locate the map coordinates of a user’s route
  91. 91. ~30 mHEALTH APPS: PERIOD CALENDAR
     • Personal info – /data/data/fitnesskeeper.runkeeper.pro/databases/PC.db. Tables:
       – User – list of the users with passwords (plaintext passwords, secret questions and answers)
       – Period – period start time and length of users
       – Note – diary notes inserted by users
     • Personal info – /data/data/fitnesskeeper.runkeeper.pro/databases/PC_PILL.db. Tables:
       – pill – pills used by users including date and time
       – pill_record – details about the pills
  92. 92. ~30 MEDICAL/FITNESS/HEALTH APPS
     • User credentials: apps may require users to log in using their user credentials (e.g. username and password, PIN, and authentication tokens) in order to use the apps. Therefore, user credentials should be an artefact that forensic investigators seek to locate during the app forensic process (e.g. determine whether the credentials are stored in and can be recovered from the app’s databases).
     • User personal details: user personal details include name, gender, date of birth, email address, height, weight and other personal data that would help forensic investigators positively identify the app or device users.
     • User activities: the mHealth apps require users to enter their day-to-day food habits, health conditions, activity or exercise details, diagnosis details, medication details and symptom details, etc.
     • User location: fitness apps allow users to keep track of their exercise, running, jogging, cycling and other activities. These apps generally store the geographical coordinates of the user location during these activities, which can provide useful evidence to investigators.
     • Activity timestamps: another important artefact is the timestamp of the user activity. For example, linking activity timestamps with corresponding user locations (e.g. geographical coordinates) and other relevant information (e.g. CCTV feeds) would provide useful information in an investigation.
     • Images: this artefact includes profile images, and images taken and posted from a location.
93. ~30 MEDICAL/FITNESS/HEALTH APPS: ARTEFACTS RECOVERED PER APP
(The slide gives no legend; N/P/F is read here as none / partial / full recovery of the artefact class.)

App                                 Credentials & PINs  Personal details  Activities  Location  Timestamps  Images
Google Fit                          N                   N                 P           N         F           N
MyFitnessPal                        P                   F                 F           N         F           F
RunKeeper - GPS                     N                   N                 F           F         F           N
Nike+ Running                       N                   F                 F           N         F           F
WebMD                               N                   N                 P           N         N           N
Blood Pressure (BP) Watch           N                   P                 F           N         F           N
Water Your Body                     N                   N                 F           N         N           N
Instant Heart Rate                  N                   N                 N           N         N           N
Drugs.com Medication Guide          N                   F                 N           N         P           N
Runtastic Pedometer                 N                   N                 F           N         F           N
Noom Walk Pedometer: Fitness        N                   N                 F           N         F           F
Strava Running and Cycling GPS      N                   F                 F           F         F           N
Bleep Fitness Test                  N                   F                 F           N         P           N
Fitness Buddy: 300+ Exercises       N                   N                 F           N         F           N
BodySpace - Social Fitness          N                   F                 F           N         P           F
Walk with Map My Walk               N                   F                 F           F         F           P
Endomondo Running Cycling Walking   N                   N                 F           F         F           F
FitNotes – Gym Workout Log          N                   N                 F           N         P           N
Period Calendar                     F                   F                 F           N         P           N
Period Tracker                      N                   N                 F           N         P           N
My Pregnancy Today                  P                   N                 N           N         N           F
My Baby Today                       N                   F                 N           N         P           N
Calorie Counter by FatSecret        N                   N                 F           N         P           N
MyNetDiary Calorie Counter PRO      N                   N                 N           N         N           F
My Diet Diary Calorie Counter       N                   P                 F           N         F           N
Calories! Basic – cal counter       N                   N                 P           N         F           N
Calorie Counter                     N                   F                 F           N         F           N
Lifesum - Calorie Counter           N                   P                 F           N         F           F
96. ~30 MEDICAL/FITNESS/HEALTH APPS: AVERAGE ISSUE INDEX
(Bar chart: "the value is higher the more data is stored locally"; per-app Average Issue Index on a 0–10 scale. The individual bar values cannot be matched to apps from the transcript.)
98. HEALTHCARE SUMMARY
The native Health app is well protected, but its basic information is not:
• Basic info – date of birth, sex, blood group, skin type, height (cm) and mass (kg)
• Exported data is not protected at all
Source apps (medical, fitness, health, ...)
• Data contains everything: GPS, timestamps and many day-by-day changes
• Usually store data locally, but basic activity over the network can be intercepted and credentials obtained
Pseudo-health apps usually require the user to enter all data manually, and store:
• Friend lists, credentials, secret questions and answers
• Body values, timestamps, visited places and geo coordinates
• Medical periods, schedules, pills and so on
• Preferences, searches
100. APPLE TV – FIVE GENERATIONS
Mac OS X, iOS, tvOS
Common ways to break in: jailbreak tools, password management, USB acquisition, backup, jailbroken acquisition, profiling
101. APPLE TV – 1ST GENERATION: EASY TO BREAK
The first Apple TV runs Mac OS X from a hard disk, which makes breaking in much easier. All the ways into the first Apple TV were covered at DEF CON 17 in 2009:
• "Hacking the Apple TV and Where Your Forensic Data Lives", Kevin Estis and Randy Robbins, DEF CON 2009
  https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
  https://www.youtube.com/watch?v=z-WCy3Bdzkc
102. APPLE TV – 2ND–5TH GENERATION: EASY TO BREAK TOO
• Break in the same way as any other Apple mobile device (iPhone, iPad)
• Backups contain valuable data (forensic tools work too)
• Find a jailbreak to obtain the whole OS
• Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
• Get access to app data and reveal credentials and card details, depending on the application
Why do people jailbreak an Apple TV?
• Outdated, compromised Apple TV 2 units with OpenSSH and the default password: https://www.tvaddons.co/appletv2-jailbreak-threat/
• Direct access to the filesystem and file management beyond backups and the cloud
• Streaming media from sources other than AirPlay or iOS devices
• Sideloading third-party tools: Kodi, Hulu, Last.fm, XBMC, Nito TV, Pandora Radio and other apps
• Not paying $100 for a developer licence while getting access to hundreds of music, TV and movie sources
103. APPLE TV DATA EXAMINATION & FORENSICS: JAILBREAKS
Apple TV jailbreak support: https://pangu8.com/appletv.html
• Apple TV 1 – scripts, SSH, hard-disk extraction and other ways
• Apple TV 2 – Seas0nPass for Apple TV Software (iOS-based) 4.3 – 5.3 (untethered) and 6.1.2 (tethered)
• Apple TV 3 – no jailbreak, many scams; Snow3rd probably works for 5.0 and 5.0.1, but not beyond 5.0.2
• Apple TV 4
  – Pangu9 for tvOS 9.0 – 9.0.1
  – LiberTV for tvOS 9.1 – 10.1
  – GreenG0blin for tvOS 10.2.2
• Apple TV 4 / 5 (4K)
  – LiberTV for tvOS 11.0 and 11.1
  – Electra for tvOS 11.2 – 11.3
104. APPLE TV DATA EXAMINATION & FORENSICS: USB & PASSWORDS
• The USB port is reserved for "service and support" purposes; it disappeared with the 5th generation (Apple TV 4K)
• No password management – "we trust you, breakers"
• Seriously: no password or passcode protection at all. Restrictions instead: "Use Restrictions on your Apple TV", https://support.apple.com/en-md/HT200198
  – Everything is allowed by default
  – Restrictions put a passcode in front of purchases, apps, content, settings and remote pairing (pairing is almost never restricted)
  – An account password is required for purchases, as on any Apple device (https://support.apple.com/en-us/HT204030)
105. APPLE TV – 2ND–4TH GEN USB ACQUISITION (USB, MICRO-USB, USB-C); 5TH GEN IS OUT OF SCOPE (NO USB)
The AFC (Apple File Conduit) service works here and exposes /private/var/mobile/Media
USB acquisition gives:
• Basic device information
• Real-time log (syslog) and crash logs
• Part of the filesystem (the "Media" folder)
Device information:
• MAC addresses – Wi-Fi, Bluetooth, Ethernet
• Name, timezone, serial number, model
Tools: ideviceinfo and idevicesyslog from http://www.libimobiledevice.org/
106. APPLE TV BACKUP
• Real-time log
• Crash log
• MediaLibrary.sqlitedb
• iCloud account name
• iCloud ID
• Wi-Fi networks
• Device usage timeline
• Shopping database
107. APPLE TV – 2ND–5TH GEN, JAILBROKEN: TIMEZONE & NETWORK
Timezone
• /private/var/db/timezone/localtime
Network TCP/IP lease
• /private/var/db/dhcpclient/leases/
Network Wi-Fi history
• /private/var/preferences/com.apple.wifi.plist
108. APPLE TV – 2ND–5TH GEN, JAILBROKEN: KEYBOARD & ACCOUNTS
Keyboard dictionary
• /private/var/mobile/library/keyboard/dynamic-text.dat
Accounts
• /private/var/mobile/library/accounts/
• /private/var/mobile/library/preferences/com.apple.ids.service.com
• User info recovered (email + phone), from the author's own test device: yury.chemerkin@icloud.com, +79851719122
109. APPLE TV – 2ND–5TH GEN, JAILBROKEN: SYNCED PREFERENCES
iCloud-synced preferences in /var/mobile/Library/SyncedPreferences/
• Wi-Fi access points – com.apple.wifid.plist
• Weather cities – com.apple.nanoweatherprefsd.plist, e.g. Moskva, Lianozovo District, 55.800149, 37.565483 (the city list alone is enough to place the owner)
110. APPLE TV – 2ND–5TH GEN, JAILBROKEN: HEADBOARD
Headboard (the tvOS home-screen process)
• /private/var/mobile/library/com.apple.headboard/apporder.plist
• /private/var/mobile/library/caches/com.apple.tviconscache/com.apple.headboard
• /private/var/mobile/library/caches/com.apple.headboard/fscacheddata
111. APPLE TV – 2ND–5TH GEN, JAILBROKEN: SNAPSHOTS & CACHED VIDEO
App snapshots
• /private/var/mobile/library/caches/com.apple.pineboard/assetlibrary/snapshots/
Cached video
• /private/var/mobile/library/caches/appletv/video/
112. APPLE TV – 2ND–5TH GEN, JAILBROKEN: INSTALLED APPLICATIONS
• /private/var/db/lsd/com.apple.lsdidentifiers.plist – LaunchServices identifiers
• /private/var/mobile/containers/bundle/ – app bundles
• /private/var/mobile/containers/data/application/ – app data containers
113. APPLE TV – 2ND–5TH GEN, JAILBROKEN: EXAMPLES
(Screenshots: country and last activity, app snapshots, YouTube)
114. APPLE TV – ANY GEN: PROFILING AS A KIND OF PROTECTION
TV Remote payload: designated by the PayloadType value com.apple.tvremote. Keys:
• AllowedRemotes, with RemoteDeviceID entries
• AllowedTVs, with TVDeviceID entries
Caveat from Apple's reference: if the key is not present, or the list is empty, any device is allowed to connect. Available in tvOS 11.3 and iOS 11.3 and later.
https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
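Added example (not Apple's code and not from the talk): building the TV Remote payload with the keys listed above and applying the quoted rule that an absent or empty allow list restricts nothing. Payload identifiers, display names and device IDs are placeholders; the structure of the outer profile (PayloadContent wrapping the payload) follows Apple's configuration profile format.

```python
"""TV Remote restriction payload (com.apple.tvremote) and the empty-list pitfall.

Added example, not Apple's code and not from the talk. Builds a configuration
profile carrying the TV Remote payload (AllowedRemotes/RemoteDeviceID,
AllowedTVs/TVDeviceID) and applies the documented rule: if the allow list
is absent or empty, any device may connect. Identifiers and device IDs are
placeholders (assumptions).
"""
import plistlib
import uuid


def build_tvremote_profile(allowed_remotes, allowed_tvs):
    """Return the .mobileconfig bytes (XML plist) for a TV Remote payload."""
    payload = {
        "PayloadType": "com.apple.tvremote",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.tvremote.payload",   # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "TV Remote pairing restriction",
        "AllowedRemotes": [{"RemoteDeviceID": r} for r in allowed_remotes],
        "AllowedTVs": [{"TVDeviceID": t} for t in allowed_tvs],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.tvremote",           # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrict Apple TV remote pairing",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def remote_allowed(profile_bytes, remote_id):
    """Decide whether a remote may pair under the profile.

    Mirrors the documented semantics: a missing or empty AllowedRemotes list
    allows every device, which is the configuration mistake to watch for.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.tvremote":
            continue
        allowed = payload.get("AllowedRemotes") or []
        if not allowed:
            return True          # absent/empty list: open to any remote
        return remote_id in {e.get("RemoteDeviceID") for e in allowed}
    return True                  # no TV Remote payload: no restriction at all


def audit_profile(profile_bytes):
    """Return warnings for TV Remote payloads whose lists restrict nothing."""
    warnings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.tvremote":
            continue
        for key in ("AllowedRemotes", "AllowedTVs"):
            if not payload.get(key):
                warnings.append(f"{key} is missing or empty: any device is allowed")
    return warnings


if __name__ == "__main__":
    open_profile = build_tvremote_profile([], [])
    strict = build_tvremote_profile(["REMOTE-ID-1"], ["TV-ID-1"])   # placeholder IDs
    print(audit_profile(open_profile))
    print(remote_allowed(strict, "REMOTE-ID-2"))
```

Run `audit_profile()` over any profile before deploying it: a payload that is present but carries empty lists looks like a restriction in an MDM console and is not one.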
116. APPLE TV SUMMARY
Lots of jailbreaks
• Except for Apple TV 3
• Apple TV 1 is based on Mac OS X, so it is broken the same way as a Mac
Password management
• No password
• No restrictions by default
• Restrictions cover content only
Apple TV 2 – 5
• Apple TV 2 – 4 have a USB port that gives device info, the time log, crash logs and the Media folder
• Apple TV 5 (4K) has no USB port
Jailbroken TV
• Timezone, network info and history, keyboard and account info
• iCloud preferences, Wi-Fi access points, weather cities (list): easy to remap the owner's location
• TV UI – Headboard, app snapshots, cached video
• App list, app data, app snapshots
117. AMAZON TV: PREREQUISITES
• Amazon Fire TV Stick
• Amazon account plus other accounts per app
• MITM is out of scope (see the Amazon Echo Dot section instead)
• Forensic tools: no support at the moment
Known ways to break in: root; data acquisition (streaming, photos, apps, sideloaded Android apps)
118. AMAZON TV: BREAK OPPORTUNITIES
• No support from forensic tools
• Sideloading is allowed; ADB exists and is off by default
• Rooting: many root apps (e.g. KingRoot) target outdated Fire OS builds such as 5.0.5, but not only those
• Rooting requires a keyboard; TV remotes are not supported
• Use the dd command to obtain an image of the Fire TV
119. AMAZON TV: ROOT, BOOTLOADER, SIDELOADING
Non-root
• Sideloading is allowed without root, as on Android
• Bootloader: 51.1.x.x – not locked; 5.x.x.x – locked, but 5.0.x is unlockable (no information on older versions)
• Downgrading might be possible
Roots
• Fire TV 1 – rootable on 51.1.0.0 – 51.1.6.3, 5.0.3, 5.0.5; no root for 5.0.5.1, 5.2.1.0 – 5.2.6.3
• Fire TV 2 – rootable on 5.0.0 – 5.2.1.1; no root for 5.2.4.0 – 5.2.6.3
• Fire TV 2 – 5.2.6.6 – pre-rooted ROM (http://www.aftvnews.com/pre-rooted-5-2-6-6-rom-is-now-available-for-the-fire-tv-2/)
• Fire TV 3, Fire TV Cube – no root or pre-rooted ROM
• Fire TV Stick 1 – rootable on 5.0.0 – 5.2.1.1; no root for 54.1.2.3 and older, 5.2.1.2 – 5.2.6.3
• Fire TV Stick 2 – no root, except hardware rooting with direct access to the device's eMMC storage (http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)
• Fire TV Edition television – rootable on 5.2.5.0; no root for 5.2.5.1 – 5.2.6.3
120. AMAZON TV, ROOTED: ARTEFACTS
• browser.db – browser history and websites navigated to with Mozilla Firefox
• [root]/data/com.amazon.bueller.photos/files/cmsimages – pictures from Amazon Cloud Drive, re-formatted for viewing on the Fire TV Stick
• [root]/data/com.amazon.device.controllermanager/databases/devices – Bluetooth devices paired with the Fire TV, with their names and MAC addresses (keyboard, mouse, Amazon Fire TV remote)
• [root]/data/com.amazon.device.logmanager/files – Amazon logs, including Log.amazonmain
121. AMAZON TV, ROOTED: APPLICATION DATA
/data/data/ – all application data is stored in this directory
• com.amazon.venezia/ – Amazon Appstore data
  – /cache/ – thumbnails and previews for Appstore apps
  – /databases/ – SQLite files in each folder
    /contentProvider – table "Apps" holds app names ("key") linked to thumbnails ("thumbnailUri") and previews ("previewUri") found in the ../cache directory
    /locker – workflow, orders, wishlist, applications, cache, content tokens
    /logging – logs for the Appstore application
• com.android.cloud9/ – Amazon browser data
  – /cache/webviewcache/ – any cached data
  – /databases/ – SQLite files in each folder
    /webview.db – WebView cookies and form data
    /webviewCache.db – maps files in ../cache/webviewcache/ to URLs
    /browser.db – history and bookmarks, with paths to the page previews and thumbnails stored in ../files
  – /files/ – page previews and thumbnails stored as JPEG (cross-linked from browser.db above)
  – /shared_prefs – preferences for cross-access
• com.amazon.providers.contacts/databases/contacts2.db – all contacts
122. FORENSIC ANALYSIS METHOD FOR THE AMAZON FIRE TV STICK
(Diagram slide; the figure is not in the transcript)
124. AMAZON TV: SUMMARY
• Several older firmware versions are affected by rooting tools
• Rooting requires a Bluetooth keyboard, which is no big deal for a TV
• Sideloading is allowed without root
• ADB is available
• Downgrading the Fire TV Stick software/firmware might be possible
• Personal data is revealed
• Credentials of streaming services are found: Netflix, NHL, NBA, Vimeo, ...; Kodi gives access to hundreds of music, TV and movie sources
• No way to restrict connections and bind the TV and a controlling device to each other only
• Fire OS 5.x is based on Android 5.1.1 Lollipop, 6.x on Android 7.1 Nougat
125. AMAZON ECHO DOT
(Slide placeholder, translated from Russian: pictures and specification)
126. AMAZON ECHO DOT
• Local access
• Bootloader
• MITM: SSL, MITM, firmware MITM
• Credential breaks
127. AMAZON ECHO DOT: LOCAL ACCESS, LACK OF ROOT
• Alexa has no ADB, but it does have a MediaTek preloader:
  Bus 001 Device 010: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
• However, SP Flash Tool does not work at the moment
• Bootloader – press and hold 'Uber' while it boots; the bootloader is locked and no unlock key is available
  Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
  # fastboot devices
  fastboot
  # fastboot getvar all
  lk_build_desc: c1.....
  prod: 1
  unlock_status: false
  serialno: [.....]
  product: BISCUIT
  version-preloader: 0.1.00
  version: 0.5
128. AMAZON ECHO DOT MITM: WHAT ABOUT SSL?
Self-signed certificates are allowed on Alexa for developers:
• https://developer.amazon.com/docs/custom-skills/configure-web-service-self-signed-certificate.html
• https://www.amazon.com/gp/help/customer/display.html?nodeId=201589180
Change the endpoint configuration and region, and try to make Alexa install the certificate of an intercepting proxy:
• No luck – the Echo Dot itself refuses it
• Try instead with the Alexa app that comes preinstalled on Kindle Fire tablets, or download it for Android or iOS devices
129. AMAZON ECHO DOT MITM: FIRST-TIME SETUP
• Navigate in a browser to https://alexa.amazon.com
• Up to the end of 2017 the redirect to the Alexa setup was a plain http URL (!)
• Expected: credentials stolen in plaintext and a session cookie expiring in 2036, as before; no luck this time
  POST /ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=xxxxx&pf_rd_s=signin-slot HTTP/1.1
  Host: www.amazon.com
  Content-Length: 1349
  "name": "Set-Cookie",
  "value": "session-token="xx/y//zz=="; Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/"
  (Max-Age=630720000 seconds is 7300 days, i.e. 20 years, which matches the 2036 expiry)
Now
• HTTPS, which prevents the MITM attack
• The certificate expires every 2 years
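Added example (not from the talk): a small audit of a Set-Cookie header like the one above, flagging the three things that made the old setup flow dangerous: a session token with a 20-year lifetime, no Secure/HttpOnly attribute, and delivery over plain http. The sample header is constructed after the slide's redacted one (placeholder token value); the hardened cookie and the 30-day threshold are assumptions for contrast, not values from the talk.

```python
"""Audit of a Set-Cookie header for a long-lived session token sent insecurely.

Added example, not from the talk. SLIDE_COOKIE is constructed after the
redacted header on the slide (Max-Age=630720000, Expires in 2036); the token
value is a placeholder. HARDENED_COOKIE and the 30-day threshold are assumptions.
"""
from datetime import datetime, timezone

# Constructed after the slide's (redacted) header; not a real token.
SLIDE_COOKIE = ('session-token="xx/y//zz=="; Version=1; Domain=.amazon.com; '
                'Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/')
# What a hardened version of the same cookie could look like (constructed).
HARDENED_COOKIE = ('session-token="xx/y//zz=="; Domain=.amazon.com; Max-Age=3600; '
                   'Path=/; Secure; HttpOnly; SameSite=Lax')


def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value, key=value attributes and bare flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs, flags = {}, set()
    for part in parts[1:]:
        key, eq, val = part.partition("=")
        if eq:
            attrs[key.strip().lower()] = val.strip()
        else:
            flags.add(key.strip().lower())
    return {"name": name.strip(), "value": value.strip().strip('"'),
            "attrs": attrs, "flags": flags}


def parse_expires(text):
    """Parse 'Sat, 01-Nov-2036 22:39:37 GMT' (Netscape style) or the RFC form with spaces."""
    text = text.replace(" GMT", "").replace("-", " ")
    return datetime.strptime(text, "%a, %d %b %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def cookie_lifetime_days(cookie, now=None):
    """Max-Age wins over Expires, as browsers apply it; Expires needs a reference time."""
    if "max-age" in cookie["attrs"]:
        return int(cookie["attrs"]["max-age"]) / 86400
    if "expires" in cookie["attrs"] and now is not None:
        return (parse_expires(cookie["attrs"]["expires"]) - now).total_seconds() / 86400
    return None


def audit_session_cookie(header, scheme, now=None, max_days=30):
    """Return (lifetime_days, findings) for a session cookie observed on the wire."""
    cookie = parse_set_cookie(header)
    findings = []
    days = cookie_lifetime_days(cookie, now)
    if days is not None and days > max_days:
        findings.append(f"lifetime {days:.0f} days exceeds {max_days} days")
    if "secure" not in cookie["flags"]:
        findings.append("missing Secure: cookie may be replayed over http")
    if "httponly" not in cookie["flags"]:
        findings.append("missing HttpOnly: readable by script")
    if scheme.lower() != "https":
        findings.append("set over plain http: token visible to anyone on the path")
    return days, findings


if __name__ == "__main__":
    print(audit_session_cookie(SLIDE_COOKIE, "http"))
    print(audit_session_cookie(HARDENED_COOKIE, "https"))
```

Feed it the Set-Cookie lines from a proxy capture together with the scheme of the response that carried them; a token that lives for years is a credential, and a credential sent over http is already lost to anyone on the path.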
130. AMAZON ECHO DOT MITM: FIRMWARE
Intercepting firmware updates is possible. The firmware binary is fetched with this HTTP request:
  GET /obfuscated-otav3-9/.../update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin HTTP/1.1
  Host: amzdigitaldownloads.edgesuite.net
  Connection: close
  User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC Build/LVY48F)
The firmware contains build.prop, i.e. it is built as Android, and ships .APKs:
  ro.build.version.fireos=5.5.0.3
  ro.build.version.fireos.sdk=4
Unencrypted firmware .bin contents:
  -rw-r--r-- boot.img; file_contexts
  drwxr-xr-x images; META-INF
  -rw-r--r-- ota.prop
  drwxr-xr-x system
  -rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list
131. AMAZON ALEXA APP
The Alexa app has good, solid protection:
• No sensitive data stored locally
• Well-encrypted communication (online and internal) using TLS 1.2
However, MITM is possible because no SSL pinning is used: with a user-installed proxy certificate, the credentials and all communication are compromised.
132. AMAZON ECHO DOT / ALEXA APP – MITM, NOT PINNED
Credentials (temporary keys with an Expiration, i.e. long since expired)
• {"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gSx7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
  (Expiration 1538588872 is 2018-10-03 17:47:52 UTC)
• Email and password from the POST to https://www.amazon.com/ap/signin
• Device info plus token
Metrics – https://device-metrics-us-2.amazon.com/metricsBatch
• HTTP_USER_AGENT DAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)"
• CountryCode RU"
Profile
• Name, billing address, shipping address
• Device IDs, types, account ID, device capabilities
The first answer as .mp3 (https://tinytts.amazon.com/) is stored for a long time (at least a couple of months)
133. AMAZON ALEXA APP: LOCAL DATA
• Library/Application Support/device.sqlite – device list with IDs and serials
• Library/METRICS_NORMAL* – logs and metrics, e.g. HTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
• Library/Preferences/com.amazon.echo.plist – account info
• Documents/LocalData.sqlite – device settings
134. AMAZON ECHO DOT / ALEXA APP: VOICE PURCHASE PIN
Alexa and Echo let many users manage devices
• Echo has no voice differentiation and no protection against non-human or repeated speech
Each device is locked by a 4-digit PIN
• The PIN space is ~10k values
• Two wrong attempts end the session and you have to restart, but there is no limit on the total number of attempts
• Brute-force it in 2 days
How to break it
1. A computer says the wake word followed by the command to order an Amazon Echo Dot
2. Alexa responds with the top Amazon search result and asks whether the user wants to place the order
3. The computer confirms the order
4. Alexa asks for the 4-digit PIN
5. The computer guesses the next PIN in numerical order
6. Alexa accepts or rejects the PIN
7. The computer guesses the next PIN in numerical order
Repeat until it breaks: up to 48 h at most
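Added example (not from the talk): a model of the loop above against a mock of the PIN prompt, with the weak policy the slide describes (two failures end the session, restarts are unlimited) next to the lockout that closes it. The mock, the PIN value and the lockout threshold are constructed; the 17.28 s per attempt is derived from the slide's own figures (48 h for 10,000 PINs).

```python
"""Model of the Alexa voice-purchase PIN guessing loop and a lockout fix.

Added example, not from the talk. VoicePinGate is a mock of the 4-digit PIN
check: two wrong guesses end the session (the "restart" step), but by default
nothing limits the total number of failures, which is the weakness the slide
describes. max_total_failures adds the account-level lockout that closes it.
The per-attempt time is derived from the slide's 48 h / 10,000 PINs; the PIN
itself and the lockout threshold are constructed values.
"""

PIN_SPACE = 10_000
PER_ATTEMPT_SECONDS = 48 * 3600 / PIN_SPACE   # 17.28 s, from the slide's 48 h worst case


class VoicePinGate:
    """Mock PIN prompt. Weak policy: per-session limit only, unlimited restarts."""

    def __init__(self, pin, per_session=2, max_total_failures=None):
        self._pin = pin
        self.per_session = per_session
        self.max_total_failures = max_total_failures
        self.session_failures = 0
        self.total_failures = 0
        self.sessions = 1
        self.locked = False

    def try_pin(self, guess):
        if self.locked:
            raise PermissionError("account locked: voice purchasing disabled")
        if guess == self._pin:
            return True
        self.session_failures += 1
        self.total_failures += 1
        if (self.max_total_failures is not None
                and self.total_failures >= self.max_total_failures):
            self.locked = True                      # hardened policy: stop for good
        if self.session_failures >= self.per_session:
            self.session_failures = 0               # weak policy: just start a new session
            self.sessions += 1
        return False


def brute_force(gate):
    """Guess 0000..9999 in numerical order, as the slide's loop does.

    Returns (pin or None, attempts, sessions, estimated_hours).
    """
    attempts = 0
    for n in range(PIN_SPACE):
        if gate.locked:
            break                                   # lockout ends the attack early
        attempts += 1
        guess = f"{n:04d}"
        if gate.try_pin(guess):
            return guess, attempts, gate.sessions, attempts * PER_ATTEMPT_SECONDS / 3600
    return None, attempts, gate.sessions, attempts * PER_ATTEMPT_SECONDS / 3600


def worst_case_hours():
    """Time to exhaust the whole PIN space at the slide's rate."""
    return PIN_SPACE * PER_ATTEMPT_SECONDS / 3600


if __name__ == "__main__":
    print("weak policy:", brute_force(VoicePinGate("7342")))
    print("with lockout:", brute_force(VoicePinGate("7342", max_total_failures=10)))
    print("worst case hours:", worst_case_hours())
```

The session counter is the tell: under the weak policy the attack simply accumulates thousands of two-guess sessions, which is exactly what a per-session limit without an account-level counter permits.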
136. AMAZON ECHO DOT & ALEXA APP SUMMARY
• Intercepting firmware updates is possible
• Alexa allows self-signed SSL certificates but does not accept a Burp/Charles certificate
  – True for the Echo Dot itself
  – The Alexa app relies on TLS 1.2 but is open to MITM with a self-signed certificate (no pinning)
• Not everything is HTTPS
• Fire OS is based on Android – https://en.wikipedia.org/wiki/Fire_OS
  – 5.x – Android 5.1.1 Lollipop; Alexa is still on 5.x
  – 6.x – Android 7.1 Nougat
• Even hardware root is possible: https://vanderpot.com/Clinton_Cook_Paper.pdf
137. READYFORSKY
138. CONNECTED HOME: READYFORSKY
• Backup
• MITM: hub, remote
• BT MITM: out of scope
139. READYFORSKY: Documents/R4S.sqlite
• Device list, models, pairing text
• Recipes per device (how to cook, basic details and requirements)
• Username, email
• User devices and MAC addresses
140. READYFORSKY MITM
• Firmware version – 2.29 – http://service2.readyforsky.com/firmware/list/148/["2.29"]
• Device picture – http://image-server.readyforsky.com/i/1899/200x200.png
• Recipes – black tea, green tea, others
• Program catalogue for the kettle – https://content.readyforsky.com/api/program/catalog/id:IN:90,97?locale=en
  "id": 90, "protocol_id": 0, "value": "BOILING" / "HEATING"
  "value": "40" | "55" | "70" | "85" | "95"
141. READYFORSKY MITM: CREDENTIALS, PASSWORDS, TOKENS
• https://content.readyforsky.com/headless/change-password
  Request: {"current_password": "1", "plainPassword": "1"}
  Error response: {"error": "invalid_grant", "error_description": "The access token provided is invalid."}
  Token response: {"access_token": "YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhNGUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA", "expires_in": 86400, "token_type": "bearer", "scope": "r4s", "refresh_token": "YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ"}
142. READYFORSKY MITM: USER DETAILS
https://content.readyforsky.com/api/user/current
  "username": "yurychemerkin", "username_canonical": "yurychemerkin", "email": "yury.chemerkin@gmail.com", "last_login": null, "enabled": true, "locked": false, "expired": false, "id": 527679
Client address 192.168.1.38:50654 (this port changes); remote address content.readyforsky.com/178.62.194.132:443 (fixed port)
143. READYFORSKY MITM: DEVICE DETAILS
https://content.readyforsky.com/api/device/user
  "name": "RK-G200S", "address": "E7:7F:BC:60:C2:2A"
  "name": "Gateway XIAOMI Redmi 4X", "address": "77d3efcf-f627-402e-bbed-4ee0c8290417"
Client address 192.168.1.38:50654 (this port changes); remote address content.readyforsky.com/178.62.194.132:443 (fixed port)
145. REDMOND (READYFORSKY) SUMMARY
Communications & MITM
• App, hub, device IPs and ports, including internal info; device info (name, model, network info)
• Actions, recipes, to-do
• Credentials, passwords, tokens
• User details and login details
Local
• Device list, models, pairing text
• Recipes per device (how to cook, basic details and requirements)
• Username, email
• User devices and MAC addresses
146. LIGHTING: Lightify, IKEA TRÅDFRI, Philips Hue
147. LIGHTIFY
• Lightify is an IoT platform with the simplest integration of wireless lighting
• A Lightify account is required
• Online communication uses the QUIC protocol, encrypted over UDP
• Wireshark does not support QUIC decryption at the moment, and the drafts at tools.ietf.org/wg/quic are not very detailed on the ciphers
• The Lightify gateway communicates locally over TCP, completely unencrypted but in a binary protocol: https://github.com/noctarius/lightify-binary-protocol#basics-about-the-protocol; a plugin to manage the lights: https://github.com/tfriedel/python-lightify
• Credentials are stored in a local folder – shared preferences
148. IKEA TRÅDFRI
Smart lighting and an assistant app to control it
No online communication except firmware requests in plaintext:
  GET http://fw.ota.homesmart.ikea.net/feed/version_info.json
  User-Agent: HertzClient/1.0
  Host: fm.ota.homesmart.ikea.net
  Connection: close
  Response: none
Local communication is DTLS (TLS over UDP)
• Pairing via QR code (serial number = MAC address, security code = pre-shared key)
• The QR code can be recovered for further decryption
Locally stored data
• Encrypted QR code stored in the Keystore – root is needed to access it
• The Keystore does not work on outdated Android (< 4.3)
• On outdated Android the app uses AES with the key "Bar12345Bar12345", shipped in the APK as the resource "key_file.txt"
• The issue: a patched APK with the strong (Keystore) path removed falls back to that hard-coded key
149. PHILIPS HUE
• Hue lights, lamps and other devices with a smart assistant and a bridge that works via Philips servers
• The list of paired apps and services, with timestamps, is sent across Hue apps
Online communication
• [BridgeServers] works over HTTP with an additional layer of AES encryption; presumably the secret key is stored somewhere, but no luck finding it
• [AppServers] works over HTTPS with SSL pinning
Local communication works over HTTP:
  PUT http://192.168.1.38/api/Ds7KfNjjYtC8uNmU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
  Host: 192.168.1.38
  Accept: */*
  Content-Type: application/json
  Content-Length: 11
  {"on":true}
• Loading malicious firmware over the air: http://iotworm.eyalro.net/
• In 2016 researchers hacked Hue lights via ZigBee from a distance of more than 200 metres: http://iotworm.eyalro.net/iotworm.pdf
151. LIGHTING SUMMARY
IoT platforms: Lightify, IFTTT
• One account gives access to all tokens and credentials used to manage services, devices and data
Communication
• Online – usually encrypted; MITM sometimes possible
• Local – unprotected, custom protocols and encryption, usually already analysed publicly
• Firmware – usually plaintext; malicious updates are possible
Local
• Credentials, logs, data
152. CONNECTED HOME SUMMARY
Jailbreaks & roots
• Available for popular devices
• Sideloading apps is possible
• New in-house manager devices such as the Alexa Dot have no root tools
Backup & data
• Works for many devices
• Works for synchronising apps, like Alexa
In-house smart things work through a manager app which, in turn:
• Lets itself be managed from any device over BT or Wi-Fi, e.g. casting video or other content
• Lacks good protection and is reachable over the Internet
• Has firmware issues that allow malicious over-the-air attacks
• Stores a lot of data locally in the app installed on the mobile device
• Travels in the user's pocket everywhere
154. IoT: HOW TO SECURE
Risk management
• Device profiling – divide devices according to the criticality of their information and a risk score
• Use cases – define where and what for you are going to use the devices
• Compatibility – use devices that are compatible with the existing technology stack and with security equipment and software
• Loss of smartphones – avoid devices being lost or left unattended
In-home secured network
• Obscure name – no vendor or model names, nothing revealing the user's identity
• Encryption – use up-to-date devices with the latest and strongest encryption schemes
• Guest network – set one up if you are sure, but better to disable guest access entirely
• Two or more separate Wi-Fi networks (logical or physical): one for typical activities (networking, messaging, etc.), a second for IoT, a third for critical banking and shopping
• Firewall – stand-alone software or shipped with the router; allow traffic on the specific ports needed and no others
• Limit public network usage – avoid pairing a device or using device apps over public networks, since the data often lacks encryption
Password management
• Default credentials – change them on the router and on IoT devices
• Unique passwords – use unique, complex passwords made up of letters, numbers and symbols
155. IoT: HOW TO SECURE
Software management
• Settings – review the default privacy and security settings and change them
• Features – disable features you do not need, such as remote access
• Apps – avoid apps that do not encrypt data locally or in transit
• Patches – keep all devices and software up to date
• VPN – stand-alone software or shipped with the router, to protect the connections of IoT devices that work over the Internet
• Multifactor & hubs – use every security setting that requires additional actions before a device can be easily hacked
Data
• Data analysis – analyse the data generated by IoT devices to understand what data might be monetised
• Activity analysis – identify unusual activity of IoT devices to understand what data might be leaking
Breaking tools
• Risky apps – avoid apps from outside the store and junk apps from the store
• Broken – do not break any device in a chain of devices; rely on supported vendor ROMs
• Flashed – flash clean and secure ROMs to remove unwanted apps, but rely on well-known supported ROMs
Cloud & third-party tools
• IoT clouds – audit them before using them for personal or business needs
• Third-party services – there are many automation tools for managing IoT devices; use secured and audited ones and stay informed
156. MOBILE, IoT, CLOUDS... IT'S TIME TO HIRE A RISK MANAGER!
Yury Chemerkin
How to contact me: LinkedIn HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN, or mail YURY.S@CHEMERKIN.COM

Presented by Yury Chemerkin in Bucharest, Romania on November 8–9, 2018 at DefCamp #9. The videos and other presentations can be found at https://def.camp/archive
