Successfully reported this slideshow.
Your SlideShare is downloading. ×

Iot top 10 vulnerabilities and misconceptions 2016

More Related Content

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Iot top 10 vulnerabilities and misconceptions 2016

  1. 1. IOT Top 10 Security Vulnerabilities Erez Metula Chairman & Founder, AppSec Labs ErezMetula@AppSec-Labs.com
  2. 2. About me Founder of AppSec Labs Application security expert Book author Managed Code Rootkits (Syngress) Speaker & Trainer Presented at BlackHat, Defcon, RSA, OWASP USA, OWASP IL, etc.. Secure Coding / Hacking trainer
  3. 3. Agenda Introduction to IoT security IoT architecture Common vulnerabilities Common misconceptions Demo – if time permits
  4. 4. What’s common to all of them..?
  5. 5. Hacked Toilet
  6. 6. Hacked IOT Gun
  7. 7. Why would someone attack the IOT? Hack the product’s functionality Break into the server side Steal information from the system Use the device as and entry point to the customer’s network Use the device to serve malware, send spam, etc.
  8. 8. Common IOT architecture
  9. 9. Let’s talk about security mistakes
  10. 10. And about some misconceptions
  11. 11. Insecure Web interfaces SQL injection Cross-site scripting Cross-site Request Forgery Command injection Weak passwords
  12. 12. Common misconception “My server is protected. I have a firewall, a WAF, and I use SSL!” About half of the attacks cannot be stopped by automatic tools – usually attacks that are related to business logic, and in particular to the product specifics
  13. 13. Mobile App Attacks Implicitly trusted by device or cloud Malicious app on the same device (side attacks) Insecure data storage Transport encryption Insecure password recovery mechanism
  14. 14. Common misconception “attacker cannot read values from my decompiled mobile code since it is obfuscated”
  15. 15. Local Memory & Local storage Cleartext usernames, passwords, Third-party credentials Encryption keys Data encrypted with discovered keys Lack of data integrity checks
  16. 16. Common misconception “attacker cannot use my secret (i.e. encryption key) since it is retrieved from a remote server”
  17. 17. Device Physical Interfaces Debug port (Serial, JTAG, etc) Privilege escalation Reset to insecure state Removal of storage media Device/sersor tampering
  18. 18. Common misconception My code / secret value is “burned” on the PCB. No one can access it since it is protected at the hardware level”
  19. 19. Device Firmware Insecure Firmware update - sent without encryption or signing Hardcoded credentials - URL, Encryption keys Backdoor accounts Vulnerable services (web, ssh, tftp, etc.)
  20. 20. Common misconception “attacker cannot obtain the firmware of my device” “My firmware cannot be decompiled. It’s written in C, not .NET or Java!”
  21. 21. Privacy Insecure Storage of sensitive data (location, images, cc, PII, PHI , etc.) Inability to wipe device Unencrypted PII sent to the cloud Insecure network services
  22. 22. Common misconception “my system enforce security right from the beginning, at the client side - device or mobile app” The network service assumes security had been performed by the caller (device/mobile app)
  23. 23. Insecure network traffic Weak authentication of the client side Weak authentication of the server side Lack of encryption Replay attacks Relying of “unknown” or “hard to understand” protocols
  24. 24. Common misconception “attacker cannot manipulate with sensitive request sent from his/her device parameters since they are encrypted”
  25. 25. Authentication vulnerabilities User enumeration Weak passwords Brute force attacks Weak session management User lockout
  26. 26. Common misconception “the attacker can brute force users passwords. The account is blocked after 5 failed login attempts”
  27. 27. Authorization vulnerabilities Perform unauthorized operations Access data of other users Perform operations on behalf of another user
  28. 28. Common misconception “attacker cannot manipulate with communication sent from his/her device since it is protected by HTTPS”
  29. 29. Common misconception “attacker cannot manipulate with requests sent from his/her device since they are signed”
  30. 30. Denial of Service (DoS) attacks Server side network DoS RF (wifi, zigbee, BLE, etc) Jamming Power attacks CPU exhaustion Mobile app Dos
  31. 31. Common misconception “the attacker cannot disconnect the power source of a device without physically touching it” DoS attacks against battery operated devices by invoking a power intensive task – over and over again No power = DoS Can be as trivial as causing a led to turn on! Example – calculation of led power consumption Device is operated by 2 AA batteries: 2700 mAh the device is optimized to consume extremely minimal power - run for years since most of the time it’s on standby There’s a led that consumes about 20 mA when on 1 day = 480 mah. Make it blink somehow and you can easily eat a battery in less than a week!
  32. 32. DEMO – reverse engineering the RF protocol
  33. 33. Summary IoT security is NOT just device security IoT requires a wide range of security coverage for all of the components - Device, Cloud API, Web app, Mobile App, Network protocols, etc. IoT have a lot of special vulnerabilities and attacks Assume attacker will take the device apart, read the flash memory, disassemble the firmware, etc. Assume the attacker will decompile your mobile app Testing IoT requires special expertise
  34. 34. QUESTIONS ?
  35. 35. Thank You! Erez Metula Chairman & Founder, AppSec Labs ErezMetula@AppSec-Labs.com

Editor's Notes

  • Hack the toilet:
    observer.com/2013/08/hack-this-toilet-and-make-it-spray-water-all-over-someones-butt/

    Red button attack:
    https://www.cs.columbia.edu/~angelos/Papers/2014/redbutton-usenix-sec14.pdf

    Hack stations:
    http://www.dn.se/nyheter/sverige/it-expert-bristerna-ett-hot-mot-rikets-sakerhet/

    Zoombak:
    http://www.cnet.com/news/personal-safety-gps-device-presents-security-risk/
  • https://www.blackhat.com/docs/us-15/materials/us-15-Sandvik-When-IoT-Attacks-Hacking-A-Linux-Powered-Rifle.pdf

×