The document discusses common IoT security vulnerabilities and misconceptions. It outlines 10 top vulnerabilities: insecure web interfaces, SQL injection, cross-site scripting, cross-site request forgery, command injection, weak passwords, mobile app attacks, local memory and storage issues, device physical interfaces, and insecure device firmware. It also notes that IoT security requires covering all components, from the device to the cloud, and should not assume attackers cannot access devices, firmware, or decompiled apps. Common misconceptions about the limitations of attackers are also addressed.

1. IOT Top 10 Security Vulnerabilities
Erez Metula
Chairman & Founder, AppSec Labs
ErezMetula@AppSec-Labs.com

2. About me
Founder of AppSec Labs
Application security expert
Book author
Managed Code Rootkits (Syngress)
Speaker & Trainer
Presented at BlackHat, Defcon, RSA, OWASP USA,
OWASP IL, etc..
Secure Coding / Hacking trainer

3. Agenda
Introduction to IoT security
IoT architecture
Common vulnerabilities
Common misconceptions
Demo – if time permits

4. What’s common to all of them..?

5. Hacked Toilet

6. Hacked IOT Gun

7. Why would someone attack
the IOT?
Hack the product’s functionality
Break into the server side
Steal information from the system
Use the device as and entry point to the customer’s
network
Use the device to serve malware, send spam, etc.

8. Common IOT architecture

9. Let’s talk about security mistakes

10. And about some misconceptions

11. Insecure Web interfaces
SQL injection
Cross-site scripting
Cross-site Request Forgery
Command injection
Weak passwords

12. Common misconception
“My server is protected. I have a firewall, a WAF, and
I use SSL!”
About half of the attacks cannot be stopped by
automatic tools – usually attacks that are related to
business logic, and in particular to the product
specifics

13. Mobile App Attacks
Implicitly trusted by device or cloud
Malicious app on the same device (side attacks)
Insecure data storage
Transport encryption
Insecure password recovery mechanism

14. Common misconception
“attacker cannot read values from my decompiled
mobile code since it is obfuscated”

15. Local Memory & Local storage
Cleartext usernames, passwords, Third-party credentials
Encryption keys
Data encrypted with discovered keys
Lack of data integrity checks

16. Common misconception
“attacker cannot use my secret (i.e. encryption key)
since it is retrieved from a remote server”

17. Device Physical Interfaces
Debug port (Serial, JTAG, etc)
Privilege escalation
Reset to insecure state
Removal of storage media
Device/sersor tampering

18. Common misconception
My code / secret value is “burned” on the PCB. No
one can access it since it is protected at the
hardware level”

19. Device Firmware
Insecure Firmware update - sent without encryption or
signing
Hardcoded credentials - URL, Encryption keys
Backdoor accounts
Vulnerable services (web, ssh, tftp, etc.)

20. Common misconception
“attacker cannot obtain the firmware of my device”
“My firmware cannot be decompiled. It’s written in
C, not .NET or Java!”

21. Privacy
Insecure Storage of sensitive data (location, images, cc, PII,
PHI , etc.)
Inability to wipe device
Unencrypted PII sent to the cloud
Insecure network services

22. Common misconception
“my system enforce security right from the beginning,
at the client side - device or mobile app”
The network service assumes security had been
performed by the caller (device/mobile app)

23. Insecure network traffic
Weak authentication of the client side
Weak authentication of the server side
Lack of encryption
Replay attacks
Relying of “unknown” or “hard to understand” protocols

24. Common misconception
“attacker cannot manipulate with sensitive request
sent from his/her device parameters since they are
encrypted”

25. Authentication vulnerabilities
User enumeration
Weak passwords
Brute force attacks
Weak session management
User lockout

26. Common misconception
“the attacker can brute force users passwords. The
account is blocked after 5 failed login attempts”

27. Authorization vulnerabilities
Perform unauthorized operations
Access data of other users
Perform operations on behalf of another user

28. Common misconception
“attacker cannot manipulate with communication sent
from his/her device since it is protected by HTTPS”

29. Common misconception
“attacker cannot manipulate with requests sent from
his/her device since they are signed”

30. Denial of Service (DoS) attacks
Server side network DoS
RF (wifi, zigbee, BLE, etc) Jamming
Power attacks
CPU exhaustion
Mobile app Dos

31. Common misconception
“the attacker cannot disconnect the power source of a device without
physically touching it”
DoS attacks against battery operated devices by invoking a power
intensive task – over and over again
No power = DoS
Can be as trivial as causing a led to turn on!
Example – calculation of led power consumption
Device is operated by 2 AA batteries: 2700 mAh
the device is optimized to consume extremely minimal power - run for years since most
of the time it’s on standby
There’s a led that consumes about 20 mA when on
1 day = 480 mah.
Make it blink somehow and you can easily eat a battery in less than a week!

32. DEMO – reverse engineering the
RF protocol

33. Summary
IoT security is NOT just device security
IoT requires a wide range of security coverage for all
of the components - Device, Cloud API, Web app,
Mobile App, Network protocols, etc.
IoT have a lot of special vulnerabilities and attacks
Assume attacker will take the device apart, read the
flash memory, disassemble the firmware, etc.
Assume the attacker will decompile your mobile app
Testing IoT requires special expertise

34. QUESTIONS ?

35. Thank You!
Erez Metula
Chairman & Founder, AppSec Labs
ErezMetula@AppSec-Labs.com