Daniel Miessler, profile picture
Uploaded byDaniel Miessler
PDF, PPTX6,787 views

IoT Attack Surfaces -- DEFCON 2015

The document discusses junk hacking and vulnerability research of IoT devices. It notes that many IoT devices have no security and can easily be hacked. It argues that while demonstrating vulnerabilities in everyday devices is interesting, the "junk hacking" trend has become overdone at security conferences. The document advocates moving the discussion beyond just identifying vulnerabilities and toward developing a standardized approach for assessing IoT security across different device types and platforms.

Embed presentation

Download as PDF, PPTX
What someone said about “junk hacking” Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
IoT Attack Surface Mapping Seeking a universal, surface-area approach to IoT testing Daniel Miessler IoT Village, DEFCON 23 August 2015
Junk Hacking and Vuln Shaming Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
What’s in a name? ! Universal Daemonization ! Universal Object Interaction ! Programmable Object Interfaces (POIs) ! Transfurigated Phase Inversion
Defining IoT ๏ [ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. ๏ [ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.
 ๏ [ MY PREFERRED ] The interface between the physical and digital world that allows one to gather information from—and control—everyday objects.
What to do?
What to do?
What to do?
What to do?
What to do?
IoT Security != Device Security IoT Device
Existing approaches… ๏ Look at a collection of common vulnerabilities, risks, etc.
 ๏ Pull up your go-to list
 ๏ Consider some bad scenarios ๏ Check for what others have found on other devices
OWASP
The Previous Version ๏ Used the Top 10 name
 ๏ Mixed surfaces with vulnerability types
New OWASP IoT Project Structure IoT Project Attack Surface Areas Testing Guide Top Vulnerabilities
Subtle differences in approach
Different approaches to finding vulns 1. Let me check against this list of vulns
Different approaches 1. Let me check against this list of vulns.
 2. Let me check my favorite go- to issues

Different approaches 1. Let me check against this list of vulns.
 2. Let me check my favorite go-to issues
 3. What common surface areas do IoT systems share that I need to make sure I don’t miss?
The IoT Attack Surfaces
Ecosystem Access Control Ecosystem Access Control ✓ Authentication ✓ Session management ✓ Implicit trust between 
 components ✓ Enrollment security ✓ Decomissioning system ✓ Lost access procedures
Device Memory Device Memory ✓ Cleartext usernames ✓ Cleartext passwords ✓ Third-party credentials ✓ Encryption keys
Device Physical Interfaces Device Physical Interfaces ✓ Firmware extraction ✓ User CLI ✓ Admin CLI ✓ Privilege escalation ✓ Reset to insecure state
Device Web Interface Device Web Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
Device Firmware Device Firmware ✓ Hardcoded passwords ✓ Sensitive URL disclosure ✓ Encryption keys
Device Network Services Device Network Services ✓ Information disclosure ✓ User CLI ✓ Administrative CLI ✓ Injection ✓ Denial of Service
Administrative Interface Administrative Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
Local Data Storage Local Data Storage ✓ Unencrypted data ✓ Data encrypted with
 discovered keys ✓ Lack of data integrity
 checks
Cloud Web Interface Cloud Web Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
Third-party Backend APIs Third-party Backend APIs ✓ Unencrypted PII sent ✓ Encrypted PII sent ✓ Device information leaked ✓ Location leaked
Update Mechanism Update Mechanism ✓ Update sent without 
 encryption ✓ Updates not signed ✓ Update location 
 writable
Mobile Application Mobile Application ✓ Implicitly trusted 
 by device or cloud ✓ Known credentials ✓ Insecure data storage ✓ Lack of transport 
 encryption
Vendor Backend APIs Vendor Backend APIs ✓ Inherent trust of cloud 
 or mobile application ✓ Weak authentication ✓ Weak access control ✓ Injection attacks
Ecosystem Communication Ecosystem Communication ✓ Health checks ✓ Heartbeats ✓ Ecosystem commands ✓ Deprovisioning ✓ Update pushes
Network Traffic Network Traffic ✓ LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
IoT Attack Surface Areas Device Network Services Cloud Web Interface Administrative Interface Device Firmware Local Data Storage Vendor Backend APIs Third-party Backend APIs Device Web Interface Device Physical Interfaces Device Memory Ecosystem Access Control Update Mechanism Mobile Application Vendor Backend APIs Network Traffic Ecosystem Communication
The OWASP IoT Attack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
Surfaces → vulns → data Attack Surface Vulnerability Data Type • Administrative interface • Weak password policy • Lack of account lockout
 • Credentials • Local data storage • Data stored without encryption • PII • Web Cloud Interface • SQLi • PII • Account data • Device Firmware • Sent over HTTP • Hardcoded passwords • Hardcoded encryption keys • Credentials • Application data • Vendor Backend APIs • Permissive API Data Extraction • PII • Account data • Device Physical Interfaces • Unauthenticated root access • ***
Back to the network… Network Traffic ✓ LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
What people think they have
What people actually have cleartext honeytoken cleartext sensitive data cleartext sensitive data
What I like to look for in pcaps 1. How many connections were made?
 2. To how many destinations?
 3. Was the sensitive data I entered
 into the ecosystem seen in the
 network traffic?
 4. If so, that’s bad
Getting your capz
The OWASP IoT Attack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
Sister projects
This is a Craig Smith Slide Craig Smith
Takeaways and Goodies 1. IoT testing is the same as any other testing
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome 8. There’s a handout!
Thank you! The OWASP IoT Attack Surfaces Project
 https://www.owasp.org/index.php/ OWASP_Internet_of_Things_Project Caparser
 https://github.com/danielmiessler/caparser @danielmiessler @craigz28 TX to HP Fortify on Demand

More Related Content

PPTX
Expense tracker
byLay Leangsros
 
PPTX
Servlets
byZainabNoorGul
 
PDF
Time Table Management System
byMuhammad Zeeshan
 
PPTX
Web Programming
byNilaNila16
 
PPT
Character stream classes introd .51
bymyrajendra
 
DOCX
Prisoner Management System
byPrince Kumar
 
PDF
Structures and Pointers
byPrabu U
 
PDF
Internet Of Things (Question Paper) [October – 2018 | Choice Based Syllabus]
byMumbai B.Sc.IT Study
 
Expense tracker
byLay Leangsros
 
Servlets
byZainabNoorGul
 
Time Table Management System
byMuhammad Zeeshan
 
Web Programming
byNilaNila16
 
Character stream classes introd .51
bymyrajendra
 
Prisoner Management System
byPrince Kumar
 
Structures and Pointers
byPrabu U
 
Internet Of Things (Question Paper) [October – 2018 | Choice Based Syllabus]
byMumbai B.Sc.IT Study
 

What's hot

DOCX
PROJECT FOR CSE BY TUSHAR DHOOT
byTushar Dhoot
 
PPTX
Final Year Project BCA Presentation on Pic-O-Stica
bySharath Raj
 
PPT
Inner classes ,annoumous and outer classes in java
byAdil Mehmoood
 
PPT
Arrays searching-sorting
byAjharul Abedeen
 
PDF
Srs template ieee-movie recommender
by429SAYAKTRIPATHY
 
PPT
Asynchronous JavaScript & XML (AJAX)
byAdnan Sohail
 
PPT
Applet life cycle
bymyrajendra
 
PDF
Spring Framework - Core
byDzmitry Naskou
 
PPSX
Collections - Lists, Sets
byHitesh-Java
 
PPTX
Java arrays
byMohammed Sikander
 
PPTX
Introduction to Spring Framework
bySerhat Can
 
DOCX
Hotel network scenario implementation by using cisco packet tracer
byHome
 
PPTX
Event handling
byswapnac12
 
PPT
Java servlets
bylopjuan
 
PPTX
Java string handling
bySalman Khan
 
PPT
Chat application
byMudasir Sunasara
 
PPT
Java Servlets
byBG Java EE Course
 
PPTX
MULTI THREADING IN JAVA
byVINOTH R
 
PPT
Javascript
byManav Prasad
 
PPTX
Presentation on "An Introduction to ReactJS"
byFlipkart
 
PROJECT FOR CSE BY TUSHAR DHOOT
byTushar Dhoot
 
Final Year Project BCA Presentation on Pic-O-Stica
bySharath Raj
 
Inner classes ,annoumous and outer classes in java
byAdil Mehmoood
 
Arrays searching-sorting
byAjharul Abedeen
 
Srs template ieee-movie recommender
by429SAYAKTRIPATHY
 
Asynchronous JavaScript & XML (AJAX)
byAdnan Sohail
 
Applet life cycle
bymyrajendra
 
Spring Framework - Core
byDzmitry Naskou
 
Collections - Lists, Sets
byHitesh-Java
 
Java arrays
byMohammed Sikander
 
Introduction to Spring Framework
bySerhat Can
 
Hotel network scenario implementation by using cisco packet tracer
byHome
 
Event handling
byswapnac12
 
Java servlets
bylopjuan
 
Java string handling
bySalman Khan
 
Chat application
byMudasir Sunasara
 
Java Servlets
byBG Java EE Course
 
MULTI THREADING IN JAVA
byVINOTH R
 
Javascript
byManav Prasad
 
Presentation on "An Introduction to ReactJS"
byFlipkart
 

Viewers also liked

PDF
SecLists @ BlackHat Arsenal 2015
byDaniel Miessler
 
PDF
IoT Security – It’s in the Stars! 16_9 v201605241355
byAndrewRJamieson
 
PDF
IoT of heart rate watchdog
by艾思程式教育
 
PPTX
Spirent: The Internet of Things: The Expanded Security Perimeter
bySailaja Tennati
 
PDF
The Real Internet of Things: How Universal Daemonization Will Change Everything
byDaniel Miessler
 
PPTX
CLUSIR INFONORD OWASP iot 2014
bySebastien Gioria
 
PDF
RSA2015: Securing the Internet of Things
byDaniel Miessler
 
PDF
Evolution of The Application
byDaniel Miessler
 
PPTX
Adaptive Testing Methodology [ ATM ]
byDaniel Miessler
 
PDF
Implementing Inexpensive Honeytrap Techniques
byDaniel Miessler
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
Peak Prevention: Moving from Prevention to Resilience
byDaniel Miessler
 
PPTX
Blueprint for creating a Secure IoT Product
byGuy Vinograd ☁
 
PDF
Dia01 08 keynote_alvaro_mello_gartner
byAssociação Brasileira de Startups
 
PDF
Fullstack IoT Development
byAndri Yadi
 
PPTX
Raspberry Pi as IoT gateway
byGuy Vinograd ☁
 
ODP
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
byMauro Risonho de Paula Assumpcao
 
PDF
Full Buku sakti belajar hacker
bystephan EL'wiin Shaarawy
 
PDF
Securing Medical Devices Using Adaptive Testing Methodologies
byDaniel Miessler
 
PPT
Smart Cities are the Internet of Things
byzdshelby
 
SecLists @ BlackHat Arsenal 2015
byDaniel Miessler
 
IoT Security – It’s in the Stars! 16_9 v201605241355
byAndrewRJamieson
 
IoT of heart rate watchdog
by艾思程式教育
 
Spirent: The Internet of Things: The Expanded Security Perimeter
bySailaja Tennati
 
The Real Internet of Things: How Universal Daemonization Will Change Everything
byDaniel Miessler
 
CLUSIR INFONORD OWASP iot 2014
bySebastien Gioria
 
RSA2015: Securing the Internet of Things
byDaniel Miessler
 
Evolution of The Application
byDaniel Miessler
 
Adaptive Testing Methodology [ ATM ]
byDaniel Miessler
 
Implementing Inexpensive Honeytrap Techniques
byDaniel Miessler
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Peak Prevention: Moving from Prevention to Resilience
byDaniel Miessler
 
Blueprint for creating a Secure IoT Product
byGuy Vinograd ☁
 
Dia01 08 keynote_alvaro_mello_gartner
byAssociação Brasileira de Startups
 
Fullstack IoT Development
byAndri Yadi
 
Raspberry Pi as IoT gateway
byGuy Vinograd ☁
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
byMauro Risonho de Paula Assumpcao
 
Full Buku sakti belajar hacker
bystephan EL'wiin Shaarawy
 
Securing Medical Devices Using Adaptive Testing Methodologies
byDaniel Miessler
 
Smart Cities are the Internet of Things
byzdshelby
 

Similar to IoT Attack Surfaces -- DEFCON 2015

PDF
The IoT Attack Surface
byDaniel Miessler
 
PPTX
Practical IoT Security in the Enterprise
byDaniel Miessler
 
PDF
IoT – Breaking Bad
byNUS-ISS
 
PPTX
IoT Security, Threats and Challenges By V.P.Prabhakaran
byKoenig Solutions Ltd.
 
PDF
iotsecurity-171108154118.pdf
byKerimBozkanli
 
PDF
Smau Milano 2015 - Stefano Zanero
bySMAU
 
PDF
IoT Security
byNarudom Roongsiriwong, CISSP
 
PPTX
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
PPTX
IoT Security Risks and Challenges
byOWASP Delhi
 
PDF
[TestWarez 2017] Securing the Internet of Things
byStowarzyszenie Jakości Systemów Informatycznych (SJSI)
 
PPTX
IoT security
byYashKesharwani2
 
PPTX
Security Testing for IoT Systems
bySecurity Innovation
 
PDF
Hack one iot device, break them all!
byJustin Black
 
PPTX
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
bymike parks
 
PDF
Christopher Biedermann, EmiTel Ltd: Cybersecurity and the Internet of Things
byKatedra Informatologii. Wydział Dziennikarstwa, Informacji i Bibliologii, Uniwersytet Warszawski
 
PPTX
IoT-Device-Security-DRAFT-slide-presentation
byAuliaArifWardana
 
PDF
Dissecting internet of things by avinash sinha
byAvinash Sinha
 
PDF
New challenges to secure the IoT (with notes)
byCaston Thomas
 
PPTX
IoT-Device-Security.pptx
byZahidHussainqaisar
 
PDF
Internet of Things Security Patterns
byMark Benson
 
The IoT Attack Surface
byDaniel Miessler
 
Practical IoT Security in the Enterprise
byDaniel Miessler
 
IoT – Breaking Bad
byNUS-ISS
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
byKoenig Solutions Ltd.
 
iotsecurity-171108154118.pdf
byKerimBozkanli
 
Smau Milano 2015 - Stefano Zanero
bySMAU
 
IoT Security
byNarudom Roongsiriwong, CISSP
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
IoT Security Risks and Challenges
byOWASP Delhi
 
[TestWarez 2017] Securing the Internet of Things
byStowarzyszenie Jakości Systemów Informatycznych (SJSI)
 
IoT security
byYashKesharwani2
 
Security Testing for IoT Systems
bySecurity Innovation
 
Hack one iot device, break them all!
byJustin Black
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
bymike parks
 
Christopher Biedermann, EmiTel Ltd: Cybersecurity and the Internet of Things
byKatedra Informatologii. Wydział Dziennikarstwa, Informacji i Bibliologii, Uniwersytet Warszawski
 
IoT-Device-Security-DRAFT-slide-presentation
byAuliaArifWardana
 
Dissecting internet of things by avinash sinha
byAvinash Sinha
 
New challenges to secure the IoT (with notes)
byCaston Thomas
 
IoT-Device-Security.pptx
byZahidHussainqaisar
 
Internet of Things Security Patterns
byMark Benson
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PPT
Introduction to Risk Based Inspection API-580 & 581
byumerfaiz99
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Introduction to Risk Based Inspection API-580 & 581
byumerfaiz99
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 

IoT Attack Surfaces -- DEFCON 2015

  • 1.
    What someone saidabout “junk hacking” Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
  • 2.
    IoT Attack SurfaceMapping Seeking a universal, surface-area approach to IoT testing Daniel Miessler IoT Village, DEFCON 23 August 2015
  • 3.
    Junk Hacking andVuln Shaming Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
  • 4.
    What’s in aname? ! Universal Daemonization ! Universal Object Interaction ! Programmable Object Interfaces (POIs) ! Transfurigated Phase Inversion
  • 5.
    Defining IoT ๏[ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. ๏ [ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.
 ๏ [ MY PREFERRED ] The interface between the physical and digital world that allows one to gather information from—and control—everyday objects.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
    IoT Security !=Device Security IoT Device
  • 12.
    Existing approaches… ๏ Lookat a collection of common vulnerabilities, risks, etc.
 ๏ Pull up your go-to list
 ๏ Consider some bad scenarios ๏ Check for what others have found on other devices
  • 13.
  • 14.
    The Previous Version ๏Used the Top 10 name
 ๏ Mixed surfaces with vulnerability types
  • 15.
    New OWASP IoTProject Structure IoT Project Attack Surface Areas Testing Guide Top Vulnerabilities
  • 16.
  • 17.
    Different approaches tofinding vulns 1. Let me check against this list of vulns
  • 18.
    Different approaches 1. Letme check against this list of vulns.
 2. Let me check my favorite go- to issues

  • 19.
    Different approaches 1. Letme check against this list of vulns.
 2. Let me check my favorite go-to issues
 3. What common surface areas do IoT systems share that I need to make sure I don’t miss?
  • 20.
  • 21.
    Ecosystem Access Control Ecosystem AccessControl ✓ Authentication ✓ Session management ✓ Implicit trust between 
 components ✓ Enrollment security ✓ Decomissioning system ✓ Lost access procedures
  • 22.
    Device Memory Device Memory ✓Cleartext usernames ✓ Cleartext passwords ✓ Third-party credentials ✓ Encryption keys
  • 23.
    Device Physical Interfaces DevicePhysical Interfaces ✓ Firmware extraction ✓ User CLI ✓ Admin CLI ✓ Privilege escalation ✓ Reset to insecure state
  • 24.
    Device Web Interface DeviceWeb Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
  • 25.
    Device Firmware Device Firmware ✓Hardcoded passwords ✓ Sensitive URL disclosure ✓ Encryption keys
  • 26.
    Device Network Services DeviceNetwork Services ✓ Information disclosure ✓ User CLI ✓ Administrative CLI ✓ Injection ✓ Denial of Service
  • 27.
    Administrative Interface Administrative Interface ✓ SQLinjection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
  • 28.
    Local Data Storage LocalData Storage ✓ Unencrypted data ✓ Data encrypted with
 discovered keys ✓ Lack of data integrity
 checks
  • 29.
    Cloud Web Interface CloudWeb Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
  • 30.
    Third-party Backend APIs Third-party BackendAPIs ✓ Unencrypted PII sent ✓ Encrypted PII sent ✓ Device information leaked ✓ Location leaked
  • 31.
    Update Mechanism Update Mechanism ✓ Updatesent without 
 encryption ✓ Updates not signed ✓ Update location 
 writable
  • 32.
    Mobile Application Mobile Application ✓ Implicitlytrusted 
 by device or cloud ✓ Known credentials ✓ Insecure data storage ✓ Lack of transport 
 encryption
  • 33.
    Vendor Backend APIs VendorBackend APIs ✓ Inherent trust of cloud 
 or mobile application ✓ Weak authentication ✓ Weak access control ✓ Injection attacks
  • 34.
    Ecosystem Communication Ecosystem Communication ✓ Healthchecks ✓ Heartbeats ✓ Ecosystem commands ✓ Deprovisioning ✓ Update pushes
  • 35.
    Network Traffic Network Traffic ✓LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
  • 36.
    IoT Attack SurfaceAreas Device Network Services Cloud Web Interface Administrative Interface Device Firmware Local Data Storage Vendor Backend APIs Third-party Backend APIs Device Web Interface Device Physical Interfaces Device Memory Ecosystem Access Control Update Mechanism Mobile Application Vendor Backend APIs Network Traffic Ecosystem Communication
  • 37.
    The OWASP IoTAttack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
  • 38.
    Surfaces → vulns→ data Attack Surface Vulnerability Data Type • Administrative interface • Weak password policy • Lack of account lockout
 • Credentials • Local data storage • Data stored without encryption • PII • Web Cloud Interface • SQLi • PII • Account data • Device Firmware • Sent over HTTP • Hardcoded passwords • Hardcoded encryption keys • Credentials • Application data • Vendor Backend APIs • Permissive API Data Extraction • PII • Account data • Device Physical Interfaces • Unauthenticated root access • ***
  • 39.
    Back to thenetwork… Network Traffic ✓ LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
  • 40.
  • 41.
    What people actuallyhave cleartext honeytoken cleartext sensitive data cleartext sensitive data
  • 42.
    What I liketo look for in pcaps 1. How many connections were made?
 2. To how many destinations?
 3. Was the sensitive data I entered
 into the ecosystem seen in the
 network traffic?
 4. If so, that’s bad
  • 44.
  • 47.
    The OWASP IoTAttack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
  • 49.
  • 50.
    This is aCraig Smith Slide Craig Smith
  • 51.
    Takeaways and Goodies 1.IoT testing is the same as any other testing
  • 52.
    Takeaways and Goodies 1.IoT testing is the same as any other testing 2. IoT security is NOT device security
  • 53.
    Takeaways and Goodies 1.IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device
  • 54.
    Takeaways and Goodies 1.IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece
  • 55.
    Takeaways and Goodies 1.IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you
  • 56.
    Takeaways and Goodies 1.IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future
  • 57.
    Takeaways and Goodies 1.IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome
  • 58.
    Takeaways and Goodies 1.IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome 8. There’s a handout!
  • 60.
    Thank you! The OWASPIoT Attack Surfaces Project
 https://www.owasp.org/index.php/ OWASP_Internet_of_Things_Project Caparser
 https://github.com/danielmiessler/caparser @danielmiessler @craigz28 TX to HP Fortify on Demand