Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
IOT Top 10 Security Vulnerabilities
Erez Metula
Chairman & Founder, AppSec Labs
ErezMetula@AppSec-Labs.com
About me
Founder of AppSec Labs
Application security expert
Book author
Managed Code Rootkits (Syngress)
Speaker & Trainer...
Agenda
Introduction to IoT security
IoT architecture
Common vulnerabilities
Common misconceptions
Demo – if time permits
What’s common to all of them..?
Hacked Toilet
Hacked IOT Gun
Why would someone attack
the IOT?
Hack the product’s functionality
Break into the server side
Steal information from the s...
Common IOT architecture
Let’s talk about security mistakes
And about some misconceptions
Insecure Web interfaces
SQL injection
Cross-site scripting
Cross-site Request Forgery
Command injection
Weak passwords
Common misconception
“My server is protected. I have a firewall, a WAF, and
I use SSL!”
About half of the attacks cannot b...
Mobile App Attacks
Implicitly trusted by device or cloud
Malicious app on the same device (side attacks)
Insecure data sto...
Common misconception
“attacker cannot read values from my decompiled
mobile code since it is obfuscated”
Local Memory & Local storage
Cleartext usernames, passwords, Third-party credentials
Encryption keys
Data encrypted with d...
Common misconception
“attacker cannot use my secret (i.e. encryption key)
since it is retrieved from a remote server”
Device Physical Interfaces
Debug port (Serial, JTAG, etc)
Privilege escalation
Reset to insecure state
Removal of storage ...
Common misconception
My code / secret value is “burned” on the PCB. No
one can access it since it is protected at the
hard...
Device Firmware
Insecure Firmware update - sent without encryption or
signing
Hardcoded credentials - URL, Encryption keys...
Common misconception
“attacker cannot obtain the firmware of my device”
“My firmware cannot be decompiled. It’s written in...
Privacy
Insecure Storage of sensitive data (location, images, cc, PII,
PHI , etc.)
Inability to wipe device
Unencrypted PI...
Common misconception
“my system enforce security right from the beginning,
at the client side - device or mobile app”
The ...
Insecure network traffic
Weak authentication of the client side
Weak authentication of the server side
Lack of encryption
...
Common misconception
“attacker cannot manipulate with sensitive request
sent from his/her device parameters since they are...
Authentication vulnerabilities
User enumeration
Weak passwords
Brute force attacks
Weak session management
User lockout
Common misconception
“the attacker can brute force users passwords. The
account is blocked after 5 failed login attempts”
Authorization vulnerabilities
Perform unauthorized operations
Access data of other users
Perform operations on behalf of a...
Common misconception
“attacker cannot manipulate with communication sent
from his/her device since it is protected by HTTP...
Common misconception
“attacker cannot manipulate with requests sent from
his/her device since they are signed”
Denial of Service (DoS) attacks
Server side network DoS
RF (wifi, zigbee, BLE, etc) Jamming
Power attacks
CPU exhaustion
M...
Common misconception
“the attacker cannot disconnect the power source of a device without
physically touching it”
DoS atta...
DEMO – reverse engineering the
RF protocol
Summary
IoT security is NOT just device security
IoT requires a wide range of security coverage for all
of the components ...
QUESTIONS ?
Thank You!
Erez Metula
Chairman & Founder, AppSec Labs
ErezMetula@AppSec-Labs.com
Upcoming SlideShare
Loading in …5
×

Iot top 10 vulnerabilities and misconceptions 2016

579 views

Published on

Iot top 10 vulnerabilities and misconceptions 2016, presented by Erez Metula from AppSec Labs

Published in: Internet
  • Hello! Who wants to chat with me? Nu photos with me here http://bit.ly/helenswee
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Iot top 10 vulnerabilities and misconceptions 2016

  1. 1. IOT Top 10 Security Vulnerabilities Erez Metula Chairman & Founder, AppSec Labs ErezMetula@AppSec-Labs.com
  2. 2. About me Founder of AppSec Labs Application security expert Book author Managed Code Rootkits (Syngress) Speaker & Trainer Presented at BlackHat, Defcon, RSA, OWASP USA, OWASP IL, etc.. Secure Coding / Hacking trainer
  3. 3. Agenda Introduction to IoT security IoT architecture Common vulnerabilities Common misconceptions Demo – if time permits
  4. 4. What’s common to all of them..?
  5. 5. Hacked Toilet
  6. 6. Hacked IOT Gun
  7. 7. Why would someone attack the IOT? Hack the product’s functionality Break into the server side Steal information from the system Use the device as and entry point to the customer’s network Use the device to serve malware, send spam, etc.
  8. 8. Common IOT architecture
  9. 9. Let’s talk about security mistakes
  10. 10. And about some misconceptions
  11. 11. Insecure Web interfaces SQL injection Cross-site scripting Cross-site Request Forgery Command injection Weak passwords
  12. 12. Common misconception “My server is protected. I have a firewall, a WAF, and I use SSL!” About half of the attacks cannot be stopped by automatic tools – usually attacks that are related to business logic, and in particular to the product specifics
  13. 13. Mobile App Attacks Implicitly trusted by device or cloud Malicious app on the same device (side attacks) Insecure data storage Transport encryption Insecure password recovery mechanism
  14. 14. Common misconception “attacker cannot read values from my decompiled mobile code since it is obfuscated”
  15. 15. Local Memory & Local storage Cleartext usernames, passwords, Third-party credentials Encryption keys Data encrypted with discovered keys Lack of data integrity checks
  16. 16. Common misconception “attacker cannot use my secret (i.e. encryption key) since it is retrieved from a remote server”
  17. 17. Device Physical Interfaces Debug port (Serial, JTAG, etc) Privilege escalation Reset to insecure state Removal of storage media Device/sersor tampering
  18. 18. Common misconception My code / secret value is “burned” on the PCB. No one can access it since it is protected at the hardware level”
  19. 19. Device Firmware Insecure Firmware update - sent without encryption or signing Hardcoded credentials - URL, Encryption keys Backdoor accounts Vulnerable services (web, ssh, tftp, etc.)
  20. 20. Common misconception “attacker cannot obtain the firmware of my device” “My firmware cannot be decompiled. It’s written in C, not .NET or Java!”
  21. 21. Privacy Insecure Storage of sensitive data (location, images, cc, PII, PHI , etc.) Inability to wipe device Unencrypted PII sent to the cloud Insecure network services
  22. 22. Common misconception “my system enforce security right from the beginning, at the client side - device or mobile app” The network service assumes security had been performed by the caller (device/mobile app)
  23. 23. Insecure network traffic Weak authentication of the client side Weak authentication of the server side Lack of encryption Replay attacks Relying of “unknown” or “hard to understand” protocols
  24. 24. Common misconception “attacker cannot manipulate with sensitive request sent from his/her device parameters since they are encrypted”
  25. 25. Authentication vulnerabilities User enumeration Weak passwords Brute force attacks Weak session management User lockout
  26. 26. Common misconception “the attacker can brute force users passwords. The account is blocked after 5 failed login attempts”
  27. 27. Authorization vulnerabilities Perform unauthorized operations Access data of other users Perform operations on behalf of another user
  28. 28. Common misconception “attacker cannot manipulate with communication sent from his/her device since it is protected by HTTPS”
  29. 29. Common misconception “attacker cannot manipulate with requests sent from his/her device since they are signed”
  30. 30. Denial of Service (DoS) attacks Server side network DoS RF (wifi, zigbee, BLE, etc) Jamming Power attacks CPU exhaustion Mobile app Dos
  31. 31. Common misconception “the attacker cannot disconnect the power source of a device without physically touching it” DoS attacks against battery operated devices by invoking a power intensive task – over and over again No power = DoS Can be as trivial as causing a led to turn on! Example – calculation of led power consumption Device is operated by 2 AA batteries: 2700 mAh the device is optimized to consume extremely minimal power - run for years since most of the time it’s on standby There’s a led that consumes about 20 mA when on 1 day = 480 mah. Make it blink somehow and you can easily eat a battery in less than a week!
  32. 32. DEMO – reverse engineering the RF protocol
  33. 33. Summary IoT security is NOT just device security IoT requires a wide range of security coverage for all of the components - Device, Cloud API, Web app, Mobile App, Network protocols, etc. IoT have a lot of special vulnerabilities and attacks Assume attacker will take the device apart, read the flash memory, disassemble the firmware, etc. Assume the attacker will decompile your mobile app Testing IoT requires special expertise
  34. 34. QUESTIONS ?
  35. 35. Thank You! Erez Metula Chairman & Founder, AppSec Labs ErezMetula@AppSec-Labs.com

×