(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop

(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop. Discover more content on sacon.io


  1. Practical Exploitation of IoT Networks and Ecosystems
     Sanjay V & Nitin Lakshmanan, DEEP ARMOR, www.deeparmor.com, @deep_armor
  2. Instructors
     • Nitin Lakshmanan: Senior Security Analyst, Deep Armor; Aujas Networks, Aricent/Intel
     • Sanjay V: Security Analyst, Deep Armor; Deloitte
  3. Agenda
     • IoT Architecture & Intro to IoT Security
     • Security Paradigms for the Building Blocks
     • Wireless Protocols
     • Hands-on Exercises
     • Security Development Life Cycle (SDLC) for IoT
     • Fun Hacking Activities
     • Summary
     [Side panel: Hacking Zigbee-style Wireless Sensor Networks; Breaking Bluetooth Security; Attacking Consumer IoT Ecosystems; AWS IoT Core & Cloud Services; Hands-on Exercises]
  4. Internet Of Things
     • Network of devices connected to Internet
     • Connect, Collect and Exchange
     • Part of the fast growing electronic culture
     • Revolution in all the fields
     [Diagram labels: Connected People, Connected Fleets, Connected Infra, Connected Markets, Connected Assets, Connected Products; Network; Data]
  5. Messy World of IoT Security
     • “Let me get the product out first”
     • “I’m paying a supplier for hardware/software. Security is their responsibility”
     • “We don’t store any confidential information”
     • “Let me worry about it if/when we get hacked”
     • “We are 100% secure (!)”
     • …
  6. Attacks on IoT products
  7. IoT Security & Businesses
     • Security is often seen as zero ROI
     • Impedes rapid prototyping and delivery (doesn’t have to)
     • Consumers will buy anyway
     • Poor awareness; Sometimes, lack of options
     • Liability laws are almost non-existent
     • Few that exist don’t hold water
  8. Range / Power of protocols for IoT

     | Protocol        | Power | Range        |
     |-----------------|-------|--------------|
     | WiFi            | High  | Long         |
     | Zigbee / Z-Wave | Low   | Short to Mid |
     | BT / BLE        | Low   | Short        |
     | LPWAN           | Low   | Long         |

  9. Zigbee
     • Low data rate wireless applications
     • Smart energy, medical, home automation, IIoT
     • Two bands of operation: 868/915MHz and 2450MHz
     • Simpler & less expensive than Bluetooth
     • 10-100m range
     • Zigbee Alliance
  10. Zigbee Security Model
     • Open Trust model (Device Trust Boundary)
     • Crypto protection only between devices
     • All services employ the same security suite
  11. Practical Exploitation of IoT Wireless Sensor Networks (WSN)
  12. Agenda
     • IEEE 802.15.4 (Layer 1 & 2 definitions for Zigbee)
     • Tools
     • Setup
     • Attack and Defense
     • Packet Generation
     • Sniffing and Injection
     • Packet Manipulation
     • Security Hardening
  13. 802.15.4
     • IEEE standard for low-rate wireless personal area networks (LR-WPANs)
     • 6LoWPAN for IPv6 over WPANs
     • Zigbee extends 802.15.4 (wrapper services)
     [Diagram labels: Application, Presentation, Session, Transport, Network, Data Link, Physical; Logical Link Control, Media Access Control; Zigbee Spec]
  14. Attacking WSN
     • IoT product simulator
     • 802.15.4-based network
     • Packet sniffing, manipulation and injection
     • Goals:
     • Understanding basic packet header formats
     • Security models for protecting communication
     • Hardware and software tools for packet sniffing & injection
  15. Challenges
     • Insufficient security research and documentation
     • Few testing/debugging platforms
     • Reliable ones are very expensive or obsoleted
     • Beta quality hardware at best
     • Took us weeks, studying blogs, asking questions, trial-and-error, …
     • Lots of future work possible. Wanna collaborate?
  16. Generating & Analyzing IEEE 802.15.4 WSN packets (MAC Layer)
  17. WSN Internals
     [Diagram: packet fields Payload, DA, SRC, SEQ NUM, PAN ID, DST; nodes Attacker and Gateway]
  18. Impact
     • Compromise integrity of sensor data
     • Spoof all legit devices in the network
     • Logistics & Asset Management - think Vaccine Transportation!
     • Medical Use Cases - Hospital monitoring
     • Security and Surveillance
     • Rapid emergency response for Industries
     • CVSSv3 Score: 9.3
  19. Hardening the WSN
  20. Approach
     • We care about:
     • Integrity of data transmitted (bi-directional)
     • Confidentiality (sometimes)
     • Device attestation in the WSN
     • Crypto
     • IoT Platform Constraints
     • RAM and flash memory are often in KBs
     • Traditional crypto is way too intensive
     • Libraries — Few and proprietary
  21. Summary
     • Protecting data integrity is (should be) a key security objective
     • Use Crypto
     • Challenges
     • Need for HW Acceleration
     • Key provisioning and exchange
     • Traditional Public Key Crypto is often unacceptable
     • Nonce-based approaches are easy but insecure
     • We did not discuss:
     • Device Security Measures (Secure Boot, Secure FOTA, etc.)
     • Out of the box provisioning, device mapping and reuse
     • Key Management
  22. Consumer IoT Security & AWS-IoT Topics
  23. Agenda
     • Consumer IoT
     • Case Study: “X” Fitness Band & “X” Wearable Technology device
     • Weaknesses in Smartphone Platforms <—> Wearables channels
     • Hands-on hacking of Bluetooth and BLE protocols
     • Hardening BLE
     • AWS IoT Core
     • Secure by Design and SDLC for IoT Platforms
  24. Wearables Security
  25. Introduction
     • Wireless protocol for short range data exchange
     • BT: 1-100m
     • BLE: 10-600m
     • BLE is Light-weight subset of classic Bluetooth with low power consumption
     • RF range: 2.4 - 2.485 GHz
     • Maintained & Governed by the Bluetooth Special Interest Group (SIG)
     • Popular use cases: wearable devices, smart pay systems, healthcare, smart security systems etc
  26. Bluetooth 5

     | Feature           | Bluetooth 5     | Bluetooth 4.2   |
     |-------------------|-----------------|-----------------|
     | Speed             | Supports 2 Mbps | Supports 1 Mbps |
     | Range             | 40m indoor      | 10m indoor      |
     | Power Requirement | Low             | High            |
     | Message capacity  | 255 bytes       | 31 bytes        |

     • Latest version of BT and BLE Spec
     • Improvements to BLE
     • Aimed at IoT (especially consumer)
  27. Bluetooth LE security: Secure Simple Pairing (SSP)
     • Just Works: very limited/no user interface
     • Numeric Comparison: devices with display or yes/no button
     • Passkey Entry: 6 digit pin as the pass key
     • Out Of Band: Out of the band channel for key exchange to thwart MITM attacks
     • Network traffic is encrypted with AES-128
  28. Practical Exploitation of BLE Systems
  29. Section A: Attacking Wearable - Mobile Ecosystems
  30. Section B: BLE Packet Analysis using Wireshark (“X” Popular fitness tracker)
  31. Section B: Sniffing with Ubertooth
  32. Summary
     • BT/BLE network packet analysis is easy
     • Market-available HW and SW
     • Many products do not enable the existing encryption mechanisms offered by the BT spec
     • At the very least, enable LTK-encryption
  33. Section C: Attacking BLE LTK Encryption
  34. Section D: Hardening BLE
  35. IoT Cloud Security
  36. Agenda
     • IoT Services from Modern Cloud Vendors
     • AWS IoT Core
     • Setting up IoT Core with device simulators
     • Secure configuration
     • AWS Cloud Security Checks
  37. What is it?
     • Managed cloud service for connected devices to interact with cloud applications
     • Amazon FreeRTOS — open-source OS for MCUs (low power & memory)
     • Connect and manage devices
     • Secure the communication
     • Process and Act
     • Monitor
  38. Unshackling from Traditional SDLC
  39. Security Development Life Cycle
     [Diagram labels, in slide order]
     • Activities: Security Architecture, Privacy Requirements; Threat Modeling, Attack Trees & Data Access Reviews; Focused Security Code Reviews & Privacy Planning; Fuzzing, Penetration Testing, Privacy Sign-off; Fix verification, Incident Response Planning; Delta Security Assessment, Security for Continuous Integration/Delivery
     • Phases: Program Conception, Design, Implementation, Pre-Launch, Deployment, Maintenance
     • Outputs: Reviews; Reviews & Reports; Reports; Resolution & Sign-off; Reports
     • Layers: Device, Mobile, Cloud
  40. Privacy
     • Why worry?
     • Global Markets
     • Country-specific guidelines
     • Ecosystems and overlapping policies
     [Callout: GDPR!]
  41. Summary
     • Plethora of protocols & standards make IoT security messy
     • Make hardware & software for IoT comms undergo penetration testing
     • RZUSBStick works great. Also, ApiMote
     • Not much else
     • BT/BLE sniffing is very sketchy
     • Cloud Services giants & increasing number of IoT services
     • SDLC and Shift-left
     [Diagram labels: Ecosystem, Protocols, Integration, Interoperability]
  42. www.deeparmor.com | @deep_armor | services@deeparmor.com
     SDLC, Vulnerability Assessments, Security Consulting, Trainings
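
The MAC header fields that slide 17 labels (SRC, SEQ NUM, PAN ID, DST) and the hardening goal of slides 19-21 can be checked directly on captured frames. The following is an added example, not part of the workshop material: a minimal IEEE 802.15.4 (2003/2006 frame format) header parser that lists data frames sent with the link-layer security bit clear. The function names and the sample frames are constructed for illustration.

```python
# Added example: IEEE 802.15.4 (2003/2006) MAC header parser plus an audit for
# data frames sent without link-layer security. Sample frames are constructed.
ADDR_LEN = {0: 0, 2: 2, 3: 8}          # addressing mode -> address size in bytes
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}

def parse_mac_header(frame: bytes) -> dict:
    """Parse the MAC header of a frame captured without its 2-byte FCS."""
    off = 0

    def take(n: int) -> int:
        # Read n little-endian bytes at the current offset, failing on short input.
        nonlocal off
        if len(frame) < off + n:
            raise ValueError("truncated 802.15.4 header")
        val = int.from_bytes(frame[off:off + n], "little")
        off += n
        return val

    fcf, seq = take(2), take(1)         # frame control field, sequence number
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if 1 in (dst_mode, src_mode):
        raise ValueError("reserved addressing mode")
    dst_pan = take(2) if dst_mode else None
    dst = take(ADDR_LEN[dst_mode]) if dst_mode else None
    src_pan = None
    if src_mode:
        # PAN ID compression (bit 6): source PAN is omitted and equals dst PAN.
        src_pan = dst_pan if fcf & 0x40 else take(2)
    src = take(ADDR_LEN[src_mode]) if src_mode else None
    return {
        "type": FRAME_TYPES.get(fcf & 7, "reserved"),
        "security_enabled": bool(fcf & 0x08),   # bit 3 of the FCF
        "seq": seq, "dst_pan": dst_pan, "dst": dst,
        "src_pan": src_pan, "src": src,
        "rest": frame[off:],   # auxiliary security header (if any) + payload
    }

def unprotected_data_frames(frames):
    """Return (src, seq) for every data frame whose security bit is clear."""
    hdrs = (parse_mac_header(f) for f in frames)
    return [(h["src"], h["seq"]) for h in hdrs
            if h["type"] == "data" and not h["security_enabled"]]

# Constructed capture: plaintext data frame, secured data frame, bare ACK.
SAMPLE = [
    bytes.fromhex("61882a621a00000100") + b"temp=21",
    bytes.fromhex("69882b621a00000200") + bytes(13),  # opaque protected bytes
    bytes.fromhex("02002a"),
]

if __name__ == "__main__":
    print(unprotected_data_frames(SAMPLE))
```

A frame with the security bit set still needs its auxiliary security header and MIC validated by the receiver; the bit alone only shows that protection was requested.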
