SlideShare a Scribd company logo
1 of 35
IOT Top 10 Security Vulnerabilities
Erez Metula
Chairman & Founder, AppSec Labs
ErezMetula@AppSec-Labs.com
About me
Founder of AppSec Labs
Application security expert
Book author
Managed Code Rootkits (Syngress)
Speaker & Trainer
Presented at BlackHat, Defcon, RSA, OWASP USA,
OWASP IL, etc..
Secure Coding / Hacking trainer
Agenda
Introduction to IoT security
IoT architecture
Common vulnerabilities
Common misconceptions
Demo – if time permits
What’s common to all of them..?
Hacked Toilet
Hacked IOT Gun
Why would someone attack
the IOT?
Hack the product’s functionality
Break into the server side
Steal information from the system
Use the device as and entry point to the customer’s
network
Use the device to serve malware, send spam, etc.
Common IOT architecture
Let’s talk about security mistakes
And about some misconceptions
Insecure Web interfaces
SQL injection
Cross-site scripting
Cross-site Request Forgery
Command injection
Weak passwords
Common misconception
“My server is protected. I have a firewall, a WAF, and
I use SSL!”
About half of the attacks cannot be stopped by
automatic tools – usually attacks that are related to
business logic, and in particular to the product
specifics
Mobile App Attacks
Implicitly trusted by device or cloud
Malicious app on the same device (side attacks)
Insecure data storage
Transport encryption
Insecure password recovery mechanism
Common misconception
“attacker cannot read values from my decompiled
mobile code since it is obfuscated”
Local Memory & Local storage
Cleartext usernames, passwords, Third-party credentials
Encryption keys
Data encrypted with discovered keys
Lack of data integrity checks
Common misconception
“attacker cannot use my secret (i.e. encryption key)
since it is retrieved from a remote server”
Device Physical Interfaces
Debug port (Serial, JTAG, etc)
Privilege escalation
Reset to insecure state
Removal of storage media
Device/sersor tampering
Common misconception
My code / secret value is “burned” on the PCB. No
one can access it since it is protected at the
hardware level”
Device Firmware
Insecure Firmware update - sent without encryption or
signing
Hardcoded credentials - URL, Encryption keys
Backdoor accounts
Vulnerable services (web, ssh, tftp, etc.)
Common misconception
“attacker cannot obtain the firmware of my device”
“My firmware cannot be decompiled. It’s written in
C, not .NET or Java!”
Privacy
Insecure Storage of sensitive data (location, images, cc, PII,
PHI , etc.)
Inability to wipe device
Unencrypted PII sent to the cloud
Insecure network services
Common misconception
“my system enforce security right from the beginning,
at the client side - device or mobile app”
The network service assumes security had been
performed by the caller (device/mobile app)
Insecure network traffic
Weak authentication of the client side
Weak authentication of the server side
Lack of encryption
Replay attacks
Relying of “unknown” or “hard to understand” protocols
Common misconception
“attacker cannot manipulate with sensitive request
sent from his/her device parameters since they are
encrypted”
Authentication vulnerabilities
User enumeration
Weak passwords
Brute force attacks
Weak session management
User lockout
Common misconception
“the attacker can brute force users passwords. The
account is blocked after 5 failed login attempts”
Authorization vulnerabilities
Perform unauthorized operations
Access data of other users
Perform operations on behalf of another user
Common misconception
“attacker cannot manipulate with communication sent
from his/her device since it is protected by HTTPS”
Common misconception
“attacker cannot manipulate with requests sent from
his/her device since they are signed”
Denial of Service (DoS) attacks
Server side network DoS
RF (wifi, zigbee, BLE, etc) Jamming
Power attacks
CPU exhaustion
Mobile app Dos
Common misconception
“the attacker cannot disconnect the power source of a device without
physically touching it”
DoS attacks against battery operated devices by invoking a power
intensive task – over and over again
No power = DoS
Can be as trivial as causing a led to turn on!
Example – calculation of led power consumption
Device is operated by 2 AA batteries: 2700 mAh
the device is optimized to consume extremely minimal power - run for years since most
of the time it’s on standby
There’s a led that consumes about 20 mA when on
1 day = 480 mah.
Make it blink somehow and you can easily eat a battery in less than a week!
DEMO – reverse engineering the
RF protocol
Summary
IoT security is NOT just device security
IoT requires a wide range of security coverage for all
of the components - Device, Cloud API, Web app,
Mobile App, Network protocols, etc.
IoT have a lot of special vulnerabilities and attacks
Assume attacker will take the device apart, read the
flash memory, disassemble the firmware, etc.
Assume the attacker will decompile your mobile app
Testing IoT requires special expertise
QUESTIONS ?
Thank You!
Erez Metula
Chairman & Founder, AppSec Labs
ErezMetula@AppSec-Labs.com

More Related Content

What's hot

Security in Internet of Things(IoT) Ecosystem
Security in Internet of Things(IoT) EcosystemSecurity in Internet of Things(IoT) Ecosystem
Security in Internet of Things(IoT) Ecosystemrahulbindra
 
Privacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsPrivacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsJeff Katz
 
The use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityThe use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityPing Identity
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015Eurotech
 
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURESON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURESManisha Luthra
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
TOP 6 Security Challenges of Internet of Things
TOP 6 Security Challenges of Internet of ThingsTOP 6 Security Challenges of Internet of Things
TOP 6 Security Challenges of Internet of ThingsChromeInfo Technologies
 
Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Asiri Hewage
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...Ping Identity
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...ClicTest
 
Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTAllSeen Alliance
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le..."Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...Dataconomy Media
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Ulf Mattsson
 
Internet of things –
Internet of things –Internet of things –
Internet of things –Mathews Job
 

What's hot (20)

IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
 
Security in Internet of Things(IoT) Ecosystem
Security in Internet of Things(IoT) EcosystemSecurity in Internet of Things(IoT) Ecosystem
Security in Internet of Things(IoT) Ecosystem
 
Privacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsPrivacy and Security in the Internet of Things
Privacy and Security in the Internet of Things
 
IoT Security: Cases and Methods [CON5446]
IoT Security: Cases and Methods [CON5446]IoT Security: Cases and Methods [CON5446]
IoT Security: Cases and Methods [CON5446]
 
The use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityThe use case for Cassandra at Ping Identity
The use case for Cassandra at Ping Identity
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015
 
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURESON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
 
TOP 6 Security Challenges of Internet of Things
TOP 6 Security Challenges of Internet of ThingsTOP 6 Security Challenges of Internet of Things
TOP 6 Security Challenges of Internet of Things
 
Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Security Aspects in IoT - A Review
Security Aspects in IoT - A Review
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
 
Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoT
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITY
 
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le..."Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017
 
Internet of things –
Internet of things –Internet of things –
Internet of things –
 

Similar to Iot top 10 vulnerabilities and misconceptions 2016

Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Tim Wright
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network securitySreerag Gopinath
 
Wireless Device and Network level security
Wireless Device and Network level securityWireless Device and Network level security
Wireless Device and Network level securityChetan Kumar S
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011lbcollins18
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignPriyanka Aash
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecDroidConTLV
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
Security communication
Security communicationSecurity communication
Security communicationSay Shyong
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityVenkat Alagarsamy
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemSweta Sharma
 

Similar to Iot top 10 vulnerabilities and misconceptions 2016 (20)

Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
 
Day4
Day4Day4
Day4
 
Iot Security
Iot SecurityIot Security
Iot Security
 
Wireless Device and Network level security
Wireless Device and Network level securityWireless Device and Network level security
Wireless Device and Network level security
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control Design
 
Cloud Computing & Security
Cloud Computing & SecurityCloud Computing & Security
Cloud Computing & Security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSec
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threats
 
System-Security-acit-Institute
System-Security-acit-InstituteSystem-Security-acit-Institute
System-Security-acit-Institute
 
Security communication
Security communicationSecurity communication
Security communication
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurity
 
Chapter 10.0
Chapter 10.0Chapter 10.0
Chapter 10.0
 
BackDoors Seminar
BackDoors SeminarBackDoors Seminar
BackDoors Seminar
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And Work
 

Recently uploaded

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 

Recently uploaded (17)

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 

Iot top 10 vulnerabilities and misconceptions 2016

  • 1. IOT Top 10 Security Vulnerabilities Erez Metula Chairman & Founder, AppSec Labs ErezMetula@AppSec-Labs.com
  • 2. About me Founder of AppSec Labs Application security expert Book author Managed Code Rootkits (Syngress) Speaker & Trainer Presented at BlackHat, Defcon, RSA, OWASP USA, OWASP IL, etc.. Secure Coding / Hacking trainer
  • 3. Agenda Introduction to IoT security IoT architecture Common vulnerabilities Common misconceptions Demo – if time permits
  • 4. What’s common to all of them..?
  • 7. Why would someone attack the IOT? Hack the product’s functionality Break into the server side Steal information from the system Use the device as and entry point to the customer’s network Use the device to serve malware, send spam, etc.
  • 9. Let’s talk about security mistakes
  • 10. And about some misconceptions
  • 11. Insecure Web interfaces SQL injection Cross-site scripting Cross-site Request Forgery Command injection Weak passwords
  • 12. Common misconception “My server is protected. I have a firewall, a WAF, and I use SSL!” About half of the attacks cannot be stopped by automatic tools – usually attacks that are related to business logic, and in particular to the product specifics
  • 13. Mobile App Attacks Implicitly trusted by device or cloud Malicious app on the same device (side attacks) Insecure data storage Transport encryption Insecure password recovery mechanism
  • 14. Common misconception “attacker cannot read values from my decompiled mobile code since it is obfuscated”
  • 15. Local Memory & Local storage Cleartext usernames, passwords, Third-party credentials Encryption keys Data encrypted with discovered keys Lack of data integrity checks
  • 16. Common misconception “attacker cannot use my secret (i.e. encryption key) since it is retrieved from a remote server”
  • 17. Device Physical Interfaces Debug port (Serial, JTAG, etc) Privilege escalation Reset to insecure state Removal of storage media Device/sersor tampering
  • 18. Common misconception My code / secret value is “burned” on the PCB. No one can access it since it is protected at the hardware level”
  • 19. Device Firmware Insecure Firmware update - sent without encryption or signing Hardcoded credentials - URL, Encryption keys Backdoor accounts Vulnerable services (web, ssh, tftp, etc.)
  • 20. Common misconception “attacker cannot obtain the firmware of my device” “My firmware cannot be decompiled. It’s written in C, not .NET or Java!”
  • 21. Privacy Insecure Storage of sensitive data (location, images, cc, PII, PHI , etc.) Inability to wipe device Unencrypted PII sent to the cloud Insecure network services
  • 22. Common misconception “my system enforce security right from the beginning, at the client side - device or mobile app” The network service assumes security had been performed by the caller (device/mobile app)
  • 23. Insecure network traffic Weak authentication of the client side Weak authentication of the server side Lack of encryption Replay attacks Relying of “unknown” or “hard to understand” protocols
  • 24. Common misconception “attacker cannot manipulate with sensitive request sent from his/her device parameters since they are encrypted”
  • 25. Authentication vulnerabilities User enumeration Weak passwords Brute force attacks Weak session management User lockout
  • 26. Common misconception “the attacker can brute force users passwords. The account is blocked after 5 failed login attempts”
  • 27. Authorization vulnerabilities Perform unauthorized operations Access data of other users Perform operations on behalf of another user
  • 28. Common misconception “attacker cannot manipulate with communication sent from his/her device since it is protected by HTTPS”
  • 29. Common misconception “attacker cannot manipulate with requests sent from his/her device since they are signed”
  • 30. Denial of Service (DoS) attacks Server side network DoS RF (wifi, zigbee, BLE, etc) Jamming Power attacks CPU exhaustion Mobile app Dos
  • 31. Common misconception “the attacker cannot disconnect the power source of a device without physically touching it” DoS attacks against battery operated devices by invoking a power intensive task – over and over again No power = DoS Can be as trivial as causing a led to turn on! Example – calculation of led power consumption Device is operated by 2 AA batteries: 2700 mAh the device is optimized to consume extremely minimal power - run for years since most of the time it’s on standby There’s a led that consumes about 20 mA when on 1 day = 480 mah. Make it blink somehow and you can easily eat a battery in less than a week!
  • 32. DEMO – reverse engineering the RF protocol
  • 33. Summary IoT security is NOT just device security IoT requires a wide range of security coverage for all of the components - Device, Cloud API, Web app, Mobile App, Network protocols, etc. IoT have a lot of special vulnerabilities and attacks Assume attacker will take the device apart, read the flash memory, disassemble the firmware, etc. Assume the attacker will decompile your mobile app Testing IoT requires special expertise
  • 35. Thank You! Erez Metula Chairman & Founder, AppSec Labs ErezMetula@AppSec-Labs.com

Editor's Notes

  1. Hack the toilet: observer.com/2013/08/hack-this-toilet-and-make-it-spray-water-all-over-someones-butt/ Red button attack: https://www.cs.columbia.edu/~angelos/Papers/2014/redbutton-usenix-sec14.pdf Hack stations: http://www.dn.se/nyheter/sverige/it-expert-bristerna-ett-hot-mot-rikets-sakerhet/ Zoombak: http://www.cnet.com/news/personal-safety-gps-device-presents-security-risk/
  2. https://www.blackhat.com/docs/us-15/materials/us-15-Sandvik-When-IoT-Attacks-Hacking-A-Linux-Powered-Rifle.pdf