This presentation will encompass the following: • An overview of the OWASP IoT Top 10: Understanding IoT Vulnerabilities and Risks to Offices / Homes • Smart home wireless communication standards and their weaknesses: Bluetooth, Z-Wave, ZigBee, Wi-Fi, NFC, RFID • Exploiting vulnerable networked smart devices (e.g. smart TVs, refrigerators, etc.) as a means to get foot in the door and attack core infrastructure (laptops, workstations, servers) • Attacks against smart products connected to your network or controlled directly via your mobile device • Performing security evaluations of smart products using frameworks like the OWASP Application Security Verification Standard (ASVS) • Tools and resources for securing smart devices and their implementations • DEMOs – vulnerabilities and most common issues in smart devices – real examples of the OWASP IoT Top 10 • Exploiting smart devices, such as: TVs, media streaming devices, refrigerators, thermostats, smart plugs, security locks and cameras, health/fitness devices, wearables, office smart hubs, home automation products, and more… Originally presented at IT Audits & Control Conference 2015.

1. Internet of Things (IoT)
OWASP Top 10 IoT Vulns and Exploits of Smart Devices
ITAC 2015 – 29 Sept 2015
Presented by:
Francis Brown &
Steve Christiaens
Bishop Fox, LLC
www.bishopfox.com

2. Agenda
2
• Introduction/Background
• IoT News and Current Landscape
• Corp concerns, Personal / Privacy Issues
• Examples: Cars, Fridges, TVs, Wearables, …
• Targeting IoT – via Internet
• Google/Bing/SHODAN/Maltego Hacking
• Internet Census 2012, Scans.io, Zmap, MassScan, other mass scanning projects
• Targeting IoT – over the Air
• Wi-Fi, Bluetooth, ZigBee, Z-Wave, RFID, NFC, etc.
• Hacking devices: Wi-Fi Pineapplers, Kali Tablets, RaspPis, Custom Gear
• Targeting IoT – up close, Physically
• USB Rubber Duckies, Teensy Arduino Devices, BadUSB type attacks
• Defenses
O V E R V I E W

3. RickMote – Hacking TVs
3
DEMO - CHROMECAST - STREAMING DEVICE HACKING

4. Introduction/Background
4
GETTING UP TO SPEED

5. OWASP – IoT Top 10
T O P 1 0 L I S T – Internet of Things
5

6. IoT - Special Focus
B E W A R E E Y E S A N D E A R S … and robot hands
1. Cameras / WebCams
2. Microphones
3. Robots … terminators…
6

7. Twitter Feed WebCams
C R E E P Y W E B C A M S V I E W E R S
#CAUGHTONNESTCAM
7

8. Baby WebCams
8
W O R S T N I G H T M A R E S Feb 2015

9. Smart TVs
9
L I S T E N I N G C L O S E L Y Feb 2015

10. ILLUSTRATIVE FOOTAGE
10
Video - DEMO

11. Plane Hacking
11
P a s s e n g e r 3 1 3 3 7 Apr 2015

12. Smart Watches
12
I N S E C U R I T Y O N T H E G O July 2015
“A study conducted by HP’s Fortify
on security features implemented by
Smartwatches revealed that not even
a single device found to be 100
percent safe.”

13. 13
Vehicle Attacks
G O N E I N 6 0 S E C O N D S … July 2015

14. ILLUSTRATIVE FOOTAGE
14
Video - DEMO

15. 15
Vehicle Attacks
… O R L E S S July 2015

16. 16
Fridge Hacking
I N T H E H O M E
Aug 2015

17. Microsoft IoT Big Push
I O T I N T H E M A I N S T R E A M Aug 2015
17

18. Baby Monitors
18
B O R N I N T H E U . S . A . Sept 2015

19. ILLUSTRATIVE FOOTAGE
19
Video - DEMO

20. FBI Warning - PSA
20
I O T I S D A N G E R O U S Sept 2015

21. IoT Legal Climate
21
S A M E O L D D E B A T E S Sept 2015

22. Targeting IoT Systems
22
OVER THE INTERNET – SEARCH ENGINES

23. Diggity Tools
23
S E A R C H E N G I N E H A C K I N G

24. IoT and Google
24
G O O G L E H A C K I N G

25. Google Diggity
25
D I G G I T Y C O R E T O O L S

26. IoT and Bing
26
B I N G H A C K I N G

27. Bing Diggity
27
D I G G I T Y C O R E T O O L S

28. N E W G O O G L E H A C K I N G T O O L S
28
SHODAN Diggity

29. SHODAN
29
I O T / H A C K E R S E A R C H E N G I N E
• Indexed service banners for whole Internet for HTTP (Port 80), as well as
some FTP (21), SSH (22) and Telnet (23) services - https://www.shodan.io/

30. IoT and SHODAN
30
S H O D A N H A C K I N G

31. IoT and SHODAN
31
S H O D A N H A C K I N G

32. IoT and SHODAN
32
S H O D A N H A C K I N G

33. Mr. Robot
33
H V A C C O M P R O M I S E

34. ILLUSTRATIVE FOOTAGE
34
Video - DEMO

35. SHODAN Diggity
35
F I N D I N G S C A D A S Y S T E M S

36. SHODAN Alerts
36
S H O D A N R S S F E E D S

37. INTERNET MASS SCANNING
37
Scanning the Whole Internet

38. Internet Census 2012
38
N M A P O F E N T I R E I N T E R N E T
• ~420k botnet used to perform NMAP against entire IPv4 addr space!
• ICMP sweeps, SYN scans, Reverse DNS, and Service probes of 662 ports
• Free torrent of 568GB of NMAP results (9TB decompressed NMAP results)

39. Internet Census 2012
39
E X A M P L E - S N M P R E S U L T S

40. Internet Census 2012
40
E X A M P L E - S N M P R E S U L T S

41. HD’s Serial Offenders
41
D A T A M I N I N G C E N S U S

42. Scans.io – Huge Repo
42
R E G U L A R S C A N S O F I N T E R N E T

43. Masscan
43
S C A N T H E I N T E R N E T

44. Wireless Hacking Tools
44
IOT HACKING OVER THE AIR

45. RickMote – Hacking TVs
45
CHROMECAST - STREAMING DEVICE HACKING

46. Wi-Spy – Spectrum Analyzer
46
W I R E L E S S A N A L Y S I S
Wi-Spy DBx Pro - USB Spectrum Analyzer with Chanalyzer Pro Software

47. NirSoft Wireless Tools
47
W I N D O W S H A C K I N G T O O L S
• NirSoft – WirelessNetView
• NirSoft – Wi-FiInfoView
• NirSoft – Wireless Network Watcher
• NirSoft – Wi-FiChannelMonitor

48. inSSIDer Wi-Fi Scanner
48
W I N D O W S H A C K I N G T O O L S

49. inSSIDer Wi-Fi Scanner
49
A N D R O I D H A C K I N G T O O L S

50. Aircrack-ng Suite
50
L I N U X H A C K I N G T O O L S

51. inSSIDer for Mac
51
M A C O S X H A C K I N G T O O L S

52. NetSpot for Mac
52
M A C O S X H A C K I N G T O O L S

53. Kali VM + USB Adapter
53
E A S Y W I R E L E S S A T T A C K P L A T F O R M
• Kali Linux VM + TP-LINK - TL-WN722N (USB) + Yagi
+

54. Pwn Pad 2014
54
N E X U S 7 P E N T E S T D E V I C E

55. Pwn Pad 2014
55
N E X U S 7 P E N T E S T D E V I C E

56. Kali NetHunter
56
N E X U S 7 P E N T E S T D E V I C E
Nexus7 (2013 – Wi-Fi) –
Android Tablet – Non-
PwnPad2014

57. Bluetooth Low Energy
https://hakshop.myshopify.com/products/ubertooth-one
57

58. Bluetooth – Other
58
• Bluetooth Modules:
• SparkFun BLE Mate 2
• Bluetooth Mate Gold - Sparkfun
• Bluetooth Module Breakout - Roving Networks (RN-41)
• Bluetooth Modem - BlueSMiRF Silver (RN-42)
• Bluetooth Bee for Arduino - Seeedstudio
• Bluetooth Bee Standalone with built-in Arduino
• KEDSUM Arduino Wireless Bluetooth Transceiver Module
• Bluetooth 4.0 USB Module (v2.1 Back-Compatible)
• SENA UD100 industrial Bluetooth USB adapter
• PwnPad 2014 - supports packet injection (up to 1000′)

59. Bluetooth – Pwn Pad
59

60. Bluetooth – NirSoft
60
• NirSoft - BluetoothCL v1.00 - dumps all current detected bluetooth devices
• NirSoft - BluetoothLogView - Creates a log of Bluetooth devices activity around you
• NirSoft - BluetoothView - Monitor the Bluetooth activity around you

61. ILLUSTRATIVE FOOTAGE
61
Video - DEMO

62. Wi-Fi Pineapple
62
WIRELESS PENETRATION TESTING ROUTER

63. Wi-Fi Pineapple
63
WHAT CAN IT DO?

64. Wi-Fi Pineapple
64
WHAT CAN IT DO?

65. Karma on Pineapple
65
R O G U E A C C E S S P O I N T

66. ILLUSTRATIVE FOOTAGE
66
Video - DEMO

67. Karma on Pineapple
67
R O G U E A C C E S S P O I N T

68. Auto-Association to Wi-Fi
68
M O B I L E P H O N E A T T A C K S

69. Dumping Wi-Fi Keys
69
CLIENT EXPLOITING

70. Raspberry Pi
70
F R U I T Y W I -F I
• Fruity Wi-Fi – Raspberry Pi version of the “Wi-Fi Pineapple”– cheap alternative (~$35)

71. Arduino
71
C U S T O M T O O L S
+

72. Arduino: Add-ons
72
W I R E L E S S M O D U L E S
• Arduino NFC Shield
• Arduino BlueTooth Modules
• Arduino WiFly Shield (802.11b/g)
• Arduino GSM/GPRS shields (SMS messaging)
• WIZnet Embedded Web Server Module
• Xbee 2.4GHz Module (802.15.4 Zigbee)
• Parallax GPS Module PMB-648 SiRF
• Arduino Ethernet Shield
• Redpark - Serial-to-iPad/iPhone Cable

73. IoT – Physical Testing
73
UP CLOSE AND PERSONAL

74. USB Rubber Ducky Delux
G A I N I N G A C C E S S
74

75. Brinks Smart Safes
75
P H Y S I C A L H A C K I N G
The Brinks CompuSafe Galileo.
Access to the USB port and 60 sec.
is all that is needed by a prepared
attacker.
Adding “smarts” turned this safe
into an “unsafe.”

76. ILLUSTRATIVE FOOTAGE
76
Video - DEMO

77. Pwn Plug
M A I N T A I N I N G A C C E S S
77

78. Pwn Plug
M A I N T A I N I N G A C C E S S
• Pwn Plug Elite: $995.00
• Power Pwn: $1,995.00
78

79. Raspberry Pi
79
M A I N T A I N I N G A C C E S S
• Raspberry Pi – cheap alternative (~$35) to Pwn Plug/Power Pwn
• Pwnie Express – Raspberry Pwn
• Rogue Pi – RPi Pentesting Dropbox
• Pwn Pi v3.0

80. Defenses
80
PROTECT YO NECK

81. Defenses
81
P R O T E C T I O N: I N T E R N E T
• Use a VPN or disconnect critical devices
• Use only encrypted management services (SSL/SSH)
• Employ strong encryption and authentication methods
• Use strong passwords and non-default usernames
• Use a password manager
• Secure wireless clients (laptops, phones, wearables, ...)
• Place untrusted devices on a separate network

82. Defenses
82
• Conduct regular wireless assessments
• Employ strong encryption and authentication methods
• Employ wireless IDS/IPS
• Secure wireless clients (laptops, phones, …)
P R O T E C T I O N: W i r e l e s s

83. Defenses
83
Use “wireless checks” of network vulnerability scanners
P R O T E C T I O N: W i r e l e s s

84. Defenses
84
Physically track down rogue access points and
malicious devices
P R O T E C T I O N: W i r e l e s s

85. Thank You
85
Bishop Fox
www.bishopfox.com

86. Attributions (Images)
86
Bishop Fox
www.bishopfox.com
Wi-Spy image
Adapter image
ASUS USB image
Wi-Fi Antenna image
Blue-Tooth USB adapter image
Nexus 7 2013 image
Kali Linux NetHunter image
SparkFun Bluetooth image
SparkFun BLE Mate 2 image
Bluetooth Bee image
Roving Networks image
BlueSMiRF image
Arduino BlueTooth image
Raspberry Pi BlueTooth image
O’Reilly BlueTooth Book image
SENA Adapter image
Wi-Fi Pineapple image
Wi-Fi Pineapple infographic
Raspberry Pi image
Redpark Serial Cable image
NFC Shield image
BlueTooth Mate image
BlueTooth Module Breakout
image
BlueTooth Bee image
WiFly Shield image
Xbee image
Wiznet image
tkemot/Shutterstock
USB Rubber Ducky Diagram image
USB Rubber Ducky Diagram II
image
Smart Safe Hacking illustration
Smart Safe image
PWN Plug Diagram image
PWN Plug Book image
First Release of PWN Plug image
Power PWN image
Power Strip image
Raspberry Pi SSH Tunnel image
Wi-Spy DBx Pro image
Device Finder Directional Antenna
image
For Further Information:
Smart Safe Hacking - BF Blog