Security Innovation, profile picture
Uploaded bySecurity Innovation
PPTX, PDF1,303 views

Security Testing for IoT Systems

This document discusses the security risks associated with Internet of Things (IoT) devices, highlighting incidents like the Mirai botnet attack and vulnerabilities in consumer and medical devices. It emphasizes the importance of risk-based testing and security considerations in IoT deployments, urging manufacturers to build security into devices from the outset. Key recommendations include robust data protection, proper authentication, and ongoing monitoring of connected devices to mitigate risks.

Embed presentation

Downloaded 43 times
Risk-Based Testing for IoT Systems Ed Adams 11 June 2019
About Me • CEO by day; engineer by trade (and heart) • Mechanical Engineer, Software Engineer • Research Fellow, Ponemon Institute • Privacy by Design Ambassador, Canada • In younger days, built non-lethal weapons systems for US Federal Government
Agenda Security Risks of IoT Devices • Risk-based Testing Essentials • IoT Device Considerations • Securing Our Digital Future
So many connected “things”…
Good Ol’ Days: Devices Were Just Devices • Ran on a little code; made to serve a specific purpose • Cash payments • Real-time changes; no “wait for compile” and see • Had to be physically at the device to access/change • Sharing data meant print, verbal, film, CD, etc.
Today’s Devices are Still Devices but... • Run on LOTS of code; made to serve single/multiple purposes • Make changes from anywhere via cellular or Wi-Fi connection • Sharing data is instantaneous and digital
The Mirai Botnet (aka Dyn Attack) A not so oldie but goodie • Domain Name System (DNS) service disrupted • Affected nearly 1/3 of all Internet users in US and Europe • No access to (short list): • Amazon.com • Comcast • DirecTV • GitHub • Netflix • Twitter • PayPal • Starbucks • Verizon • Visa • Walgreens • Xbox Live • PlayStation Network • iHeart Radio • BBC • NY Times • GrubHub • Slack Millions of IoT Devices (printers, IP cameras, baby monitors) infected with Mirai malware and used to flood Dyn with traffic (DDoS)
More Recent IoT Trouble Consumer & Medical Devices • 465,000 vulnerable pacemakers from St. Jude • Implantable cardiac devices have vulnerabilities • Unauthorized remote access • Deplete battery, change pacing, or deliver shocks • Owlet WiFi Baby Heart Monitor • Alerts parents when babies have heart troubles • Connectivity element makes them exploitable • TRENDnet SecurView Webcam • Faulty software  anyone who obtained a camera’s IP address could look through it and listen as well • Transmitted user login credentials in clear, readable text • Mobile app stored login information in clear, readable text Best intentions exploited via careless manufacture configuration
Governments & Customers Getting Involved • FTC vs D-Link: The legal risks of IoT insecurity • Lawsuit against D-Link • Claims company put thousands of customers at risk • Unauthorized access to its IP cameras and routers • Customers vs John Deere: The business risks of IoT • US farmers dispute rights to repair their tractors • Contain embedded software (it’s an IoT device) • Company issued a new license agreement • Prohibits software modification on its tractors • Ensure all repairs are done by John Deere contractors
Skimmers • Evolved from mag stripe readers  Bluetooth and cellular transmitters • devices keep getting smaller • embedded inside pumps and PoS devices • Future skimmers • Embedded devices that don't steal credit card data but rather attack your networks directly.
Agenda • Security Risks of IoT Devices Risk-based Testing Essentials • Weak Links, Soft Spots, Blind Spots • Securing Our Digital Future
Convenience-Risk Trade Offs • Building in security takes time initially; equates to money • Time to market pressures often trump this investment • Security can equate to safety in consumer IoT devices • Ease of setup and operation • Consumers want devices to “just work” • Quick setup and minimal configuration required • Often means little to no authentication or default (same for all devices) • When vulnerabilities discovered, patching is the answer • But IoT patching can be difficult, impossible, and illegal Consumers demand easy and convenient features, until they backfire
Today’s IoT Deployment in Practice • How is testing IoT different from our other platforms, e.g., web, mobile cloud? The answer is it’s not very different. • Most IoT devices are connected to many of the following: • Mobile App • APIs • Cloud Infrastructure • Web App • KEYPOINT: IoT is not a magical technology, but a mash up of many different technologies – and at its core, it’s just almost all software Sources: “International Journal of Web Portals” Ahmedi, Sejdiu, et al; Geoff Vaughan Security Innovation, Inc.
Top 4 IoT Security Weak Points • Insufficient Security Awareness • Humans #1 weak point: building, deploying, using • Weak Physical Security • Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access • Infrequent Updates • Firmware, device apps, admin apps/interfaces • Expensive and/or remote IoT devices long lifespan (difficult to update) • Weak Data Protection • Data at rest/transit uses weak encryption techniques • Lack of dedicated security chips and modules to store sensitive data.
3 Must-have IoT Security Considerations • “Shift left” • Think security earlier and more often in system design • Account for resources that will be able to provide security updates • Could be vendor, e.g., maintenance agreement, and/or internal staff, e.g., patching • KEYPOINT: Every component needs to be tested as part of the ecosystem • Not just individual IoT device testing Sources: “Dr. Dobbs” Larry Smith; Geoff Vaughan Security Innovation, Inc.
Start with “Simple” Questions • How is the IoT deployed in our organization today, and who owns it or its respective components? • IoT inventory and business activity/role • Don’t expect the word “IoT” to show up in project docs • Do we know what data is collected, stored and analyzed? Have we assessed the legal, security and privacy implications? • Governance policies cover data captured at thousands of sensors? • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Driven by Key Threats & Attack Surface
Start by Assessing IoT Risk/Liability IoT Connection Chain Ownership Threats Device hardware/firmware Vendor X Known vulnerabilities with Vendor products Patching process for Vendor X products Mobile application Vendor Y Secure SDLC activities for Vendor Y Web application Us Our own Secure SDLC activities/process Information/Data management Us Storage and transport of data Where is it encrypted? Channels of transmission Telco X Security guarantees/SLA with Telco X User authentication/roles Us Enumerate each role and authorized activity Authentication for each role
US FTC IoT Security Best Practices* • Build security into devices at the outset, rather than as an afterthought • Train employees about the importance of security • Ensure security is managed at an appropriate level in the organization • Ensure outside service providers are capable of maintaining reasonable security, and provide oversight of providers • Consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk • Keep unauthorized users from accessing device data, or personal info • Monitor connected devices; provide security patches for known risks * https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
Agenda • Security Risks of IoT Devices • Risk-based Testing Essentials IoT Device Considerations • Securing Our Digital Future
Testing IoT Devices • ~8-10 very technology specific areas to consider • Component Identification and Classification • Static Firmware Analysis • Dynamic Debugging • Peripheral Hacking • Protocols and Data Sniffing • WIFI • BLE • SDR • Cellular • USB • Hardware Hacks • JTAG • UART • SPI • Obtain from vendor website • Web search: support and community forums • Reverse the mobile application • Sniffing the OTA update mechanism • Dumping it from the device Tools such as Binwalk, IDA Pro, Radare2 can be usefulSimilar to other network-based testing • What services are running? • What communication protocols are being used? • What ports are open? • What version is running? Known vulnerability? Sources: Attify, Security Innovation
Agenda • How Connected Are We? • Nothing Ever Goes Wrong… Right? • IoT Device Considerations Securing Our Digital Future
Top 5 IoT Security Tips TIPS  Secure the Device OS and Firmware  Ensure Sufficient Data Protection  Secure the Physical Device  Secure the Communication Channel  Enforce Authentication and Authorization
Secure the Device OS and Firmware Security Controls  Ensure updates are over a secure channel, signed and verified  Ensure bootloader firmware is secure and has not been tampered with  Ensure installed bootloader is verified at every stage of boot sequence  Ensure device makes use of full disk encryption  Disable unnecessary services running on the device  Protect against fuzzing and buffer overflow attacks  Ensure that binaries are compiled and signed for security
Ensure Sufficient Data Protection Security Controls  Encrypt data at rest using strong and known encryption techniques  Ensure device uses dedicated security chips and modules to store sensitive data  Avoid usage of hard-coded credentials or cryptographic key  Do not collect data not essential for device functionality  Avoid usage of weak, broken, or risky cryptographic algorithms  Log all secure data access and alter events  Ensure authentication and authorization to all PII
Secure the Physical Device Security Controls  Ensure data storage is not directly accessible  Test debug interfaces (JTAG, UART, etc.) and USB ports for unintended device or data access  Ensure tamper protection/resistance techniques are in use  Limit the admin functionalities present on the device
Secure the Communication Channel Security Controls  Secure the Wi-Fi interface via secure configurations (encryption, password, etc.) and drivers  Ensure protection against Denial-of-Service (DoS) and fuzzing attacks  Secure the exposed services and keys during device enrollment  Audit the file, printer and device sharing mechanism in place regularly  Secure the Bluetooth interface via secure configurations (discovery modes, PIN, etc.) and drivers  Verify that secure Bluetooth modes are in use  Ensure sensitive data is not sent over unencrypted bus lines
Enforce Authentication and Authorization Security Controls  Ensure role-based access control is currently in place  Mandate the use of multi-factor authentication for privileged accounts  Ensure that a strong password management policy is in place
Summary of Tips for Securing IoT Systems • Know your technology vendor’s track record • Update your evaluation process, if necessary • Invest in security training for all in-house systems staff • From “Don’t Click on Sh*t” toTechnical/Configuration for IT/Ops teams • Perform proactive penetration testing • Obtain right to do so from 3rd-parties • Adopt a "defense-in-depth" strategy • e.g.,WAF between IoT devices and cloud admin app? • Eliminate all hardcoded default passwords and backdoors IoT Security Toolkit: https://tinyurl.com/y4zxw577
Engage with Security Professionals •Have a chat with us  •Bug Bounty Programs •Non-hostile relationship with “researchers” •Vulnerability Disclosure Program •Direct Relationship • Use as independent 3rd-party • Share info about good/bad ones
Questions? @AppSec eadams@securityinnovation.com Want a whitepaper? ….and/or Tip Sheet?

More Related Content

PPTX
Mobile Device Security
byNemwos
 
PPTX
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
PDF
Mobile Security
byXavier Mertens
 
PPT
01 computer%20 forensics%20in%20todays%20world
byAqib Memon
 
PPTX
IoT security
byYashKesharwani2
 
PPTX
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
PDF
Cyber Security Awareness
byRamiro Cid
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
Mobile Device Security
byNemwos
 
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
Mobile Security
byXavier Mertens
 
01 computer%20 forensics%20in%20todays%20world
byAqib Memon
 
IoT security
byYashKesharwani2
 
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
Cyber Security Awareness
byRamiro Cid
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 

What's hot

PDF
Mobile Security 101
byLookout
 
PDF
Mobile Security
byMarketingArrowECS_CZ
 
PPTX
Smartphone security
byManish Gupta
 
PDF
Cyber security and demonstration of security tools
byVicky Fernandes
 
PPTX
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
bymike parks
 
PPTX
Mobile security
byHimmatsingh Rajpurohit
 
PPTX
Mobile Application Security
byIshan Girdhar
 
PPTX
Malware & Anti-Malware
byArpit Mittal
 
PDF
Internet of Things - Privacy and Security issues
byPierluigi Paganini
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PDF
OWASP – Internet of Things (IoT) – Top 10 Vulnerabilities List
byBishop Fox
 
PPTX
Impact to it security of incorrect configuration of firewall policies and thi...
byusman butt
 
PPTX
Firewall presentation
bygaurav96raj
 
PDF
Cybersecurity Skills in Industry 4.0
byEryk Budi Pratama
 
PPTX
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
PDF
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
byYogesh Ojha
 
PPTX
Security threats in social networks
byTannistho Ghosh
 
PDF
Cybersecurity in Oil & Gas Company
byEryk Budi Pratama
 
PPT
Information Technology Security Basics
byMohan Jadhav
 
PPTX
Network security
byEstiak Khan
 
Mobile Security 101
byLookout
 
Mobile Security
byMarketingArrowECS_CZ
 
Smartphone security
byManish Gupta
 
Cyber security and demonstration of security tools
byVicky Fernandes
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
bymike parks
 
Mobile security
byHimmatsingh Rajpurohit
 
Mobile Application Security
byIshan Girdhar
 
Malware & Anti-Malware
byArpit Mittal
 
Internet of Things - Privacy and Security issues
byPierluigi Paganini
 
OWASP API Security Top 10 - API World
by42Crunch
 
OWASP – Internet of Things (IoT) – Top 10 Vulnerabilities List
byBishop Fox
 
Impact to it security of incorrect configuration of firewall policies and thi...
byusman butt
 
Firewall presentation
bygaurav96raj
 
Cybersecurity Skills in Industry 4.0
byEryk Budi Pratama
 
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
byYogesh Ojha
 
Security threats in social networks
byTannistho Ghosh
 
Cybersecurity in Oil & Gas Company
byEryk Budi Pratama
 
Information Technology Security Basics
byMohan Jadhav
 
Network security
byEstiak Khan
 

Similar to Security Testing for IoT Systems

PPTX
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
PDF
IoT – Breaking Bad
byNUS-ISS
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
byST_World
 
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
bytjane3
 
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
bylmelaine
 
PDF
Cybersecurity in the Age of IoT - Skillmine
bySkillmine Technology Consulting
 
PPTX
Fundamental Best Practices in Secure IoT Product Development
byMark Szewczul, CISSP
 
PDF
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
bySeungjoo Kim
 
PPTX
IoT-Device-Security-DRAFT-slide-presentation
byAuliaArifWardana
 
PDF
IoT Security.pdf
bySudhanshiBakre1
 
DOCX
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
byvrickens
 
PPTX
Spirent: The Internet of Things: The Expanded Security Perimeter
bySailaja Tennati
 
PDF
The bad, the ugly and the weird about IoT
bySpeck&Tech
 
PDF
An Internet of Things Reference Architecture
bySymantec
 
PDF
Is IoT Security A Challenge? Surefire Target Plan Explained | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PPTX
IoT-Device-Security.pptx
byZahidHussainqaisar
 
PPTX
Hugo Fiennes - Security and the IoT - Electric Imp
byBusiness of Software Conference
 
PDF
Bridgera enterprise IoT security
byRon Pascuzzi
 
PDF
IoT, Security & the Path to a Solution
byDr Laurent Guiraud
 
PDF
IoT Security and Privacy Considerations
byKenny Huang Ph.D.
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
IoT – Breaking Bad
byNUS-ISS
 
Track 5 session 1 - st dev con 2016 - need for security for iot
byST_World
 
Final Research Project - Securing IoT Devices What are the Challe.docx
bytjane3
 
Final Research Project - Securing IoT Devices What are the Challe.docx
bylmelaine
 
Cybersecurity in the Age of IoT - Skillmine
bySkillmine Technology Consulting
 
Fundamental Best Practices in Secure IoT Product Development
byMark Szewczul, CISSP
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
bySeungjoo Kim
 
IoT-Device-Security-DRAFT-slide-presentation
byAuliaArifWardana
 
IoT Security.pdf
bySudhanshiBakre1
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
byvrickens
 
Spirent: The Internet of Things: The Expanded Security Perimeter
bySailaja Tennati
 
The bad, the ugly and the weird about IoT
bySpeck&Tech
 
An Internet of Things Reference Architecture
bySymantec
 
Is IoT Security A Challenge? Surefire Target Plan Explained | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
IoT-Device-Security.pptx
byZahidHussainqaisar
 
Hugo Fiennes - Security and the IoT - Electric Imp
byBusiness of Software Conference
 
Bridgera enterprise IoT security
byRon Pascuzzi
 
IoT, Security & the Path to a Solution
byDr Laurent Guiraud
 
IoT Security and Privacy Considerations
byKenny Huang Ph.D.
 

More from Security Innovation

PPTX
Securing Applications in the Cloud
bySecurity Innovation
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPTX
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
bySecurity Innovation
 
PPTX
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
PDF
5 Ways To Train Security Champions
bySecurity Innovation
 
PPTX
Aligning Application Security to Compliance
bySecurity Innovation
 
PPTX
How to Hijack a Pizza Delivery Robot with Injection Flaws
bySecurity Innovation
 
PPTX
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 
PPTX
Opening the Talent Spigot to Securing our Digital Future
bySecurity Innovation
 
PPTX
Assessing System Risk the Smart Way
bySecurity Innovation
 
PDF
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
PPTX
A Fresh, New Look for CMD+CTRL Cyber Range
bySecurity Innovation
 
PPTX
Cyber Ranges: A New Approach to Security
bySecurity Innovation
 
PPTX
Is Blockchain Right for You? The Million Dollar Question
bySecurity Innovation
 
PPTX
Privacy: The New Software Development Dilemma
bySecurity Innovation
 
PPTX
Privacy Secrets Your Systems May Be Telling
bySecurity Innovation
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PDF
GDPR: The Application Security Twist
bySecurity Innovation
 
PDF
The New OWASP Top Ten: Let's Cut to the Chase
bySecurity Innovation
 
Securing Applications in the Cloud
bySecurity Innovation
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
bySecurity Innovation
 
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
5 Ways To Train Security Champions
bySecurity Innovation
 
Aligning Application Security to Compliance
bySecurity Innovation
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
bySecurity Innovation
 
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 
Opening the Talent Spigot to Securing our Digital Future
bySecurity Innovation
 
Assessing System Risk the Smart Way
bySecurity Innovation
 
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
A Fresh, New Look for CMD+CTRL Cyber Range
bySecurity Innovation
 
Cyber Ranges: A New Approach to Security
bySecurity Innovation
 
Is Blockchain Right for You? The Million Dollar Question
bySecurity Innovation
 
Privacy: The New Software Development Dilemma
bySecurity Innovation
 
Privacy Secrets Your Systems May Be Telling
bySecurity Innovation
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
GDPR: The Application Security Twist
bySecurity Innovation
 
The New OWASP Top Ten: Let's Cut to the Chase
bySecurity Innovation
 

Recently uploaded

PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Designing a Blog Using Wordpress
bymarkzubi50
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
How to build hackthon projects from ZERO!
byishantyadav1111
 

Security Testing for IoT Systems

  • 2.
    Risk-Based Testing for IoTSystems Ed Adams 11 June 2019
  • 3.
    About Me • CEOby day; engineer by trade (and heart) • Mechanical Engineer, Software Engineer • Research Fellow, Ponemon Institute • Privacy by Design Ambassador, Canada • In younger days, built non-lethal weapons systems for US Federal Government
  • 4.
    Agenda Security Risks ofIoT Devices • Risk-based Testing Essentials • IoT Device Considerations • Securing Our Digital Future
  • 5.
    So many connected“things”…
  • 6.
    Good Ol’ Days:Devices Were Just Devices • Ran on a little code; made to serve a specific purpose • Cash payments • Real-time changes; no “wait for compile” and see • Had to be physically at the device to access/change • Sharing data meant print, verbal, film, CD, etc.
  • 7.
    Today’s Devices areStill Devices but... • Run on LOTS of code; made to serve single/multiple purposes • Make changes from anywhere via cellular or Wi-Fi connection • Sharing data is instantaneous and digital
  • 8.
    The Mirai Botnet(aka Dyn Attack) A not so oldie but goodie • Domain Name System (DNS) service disrupted • Affected nearly 1/3 of all Internet users in US and Europe • No access to (short list): • Amazon.com • Comcast • DirecTV • GitHub • Netflix • Twitter • PayPal • Starbucks • Verizon • Visa • Walgreens • Xbox Live • PlayStation Network • iHeart Radio • BBC • NY Times • GrubHub • Slack Millions of IoT Devices (printers, IP cameras, baby monitors) infected with Mirai malware and used to flood Dyn with traffic (DDoS)
  • 9.
    More Recent IoTTrouble Consumer & Medical Devices • 465,000 vulnerable pacemakers from St. Jude • Implantable cardiac devices have vulnerabilities • Unauthorized remote access • Deplete battery, change pacing, or deliver shocks • Owlet WiFi Baby Heart Monitor • Alerts parents when babies have heart troubles • Connectivity element makes them exploitable • TRENDnet SecurView Webcam • Faulty software  anyone who obtained a camera’s IP address could look through it and listen as well • Transmitted user login credentials in clear, readable text • Mobile app stored login information in clear, readable text Best intentions exploited via careless manufacture configuration
  • 10.
    Governments & CustomersGetting Involved • FTC vs D-Link: The legal risks of IoT insecurity • Lawsuit against D-Link • Claims company put thousands of customers at risk • Unauthorized access to its IP cameras and routers • Customers vs John Deere: The business risks of IoT • US farmers dispute rights to repair their tractors • Contain embedded software (it’s an IoT device) • Company issued a new license agreement • Prohibits software modification on its tractors • Ensure all repairs are done by John Deere contractors
  • 11.
    Skimmers • Evolved frommag stripe readers  Bluetooth and cellular transmitters • devices keep getting smaller • embedded inside pumps and PoS devices • Future skimmers • Embedded devices that don't steal credit card data but rather attack your networks directly.
  • 12.
    Agenda • Security Risksof IoT Devices Risk-based Testing Essentials • Weak Links, Soft Spots, Blind Spots • Securing Our Digital Future
  • 13.
    Convenience-Risk Trade Offs •Building in security takes time initially; equates to money • Time to market pressures often trump this investment • Security can equate to safety in consumer IoT devices • Ease of setup and operation • Consumers want devices to “just work” • Quick setup and minimal configuration required • Often means little to no authentication or default (same for all devices) • When vulnerabilities discovered, patching is the answer • But IoT patching can be difficult, impossible, and illegal Consumers demand easy and convenient features, until they backfire
  • 14.
    Today’s IoT Deploymentin Practice • How is testing IoT different from our other platforms, e.g., web, mobile cloud? The answer is it’s not very different. • Most IoT devices are connected to many of the following: • Mobile App • APIs • Cloud Infrastructure • Web App • KEYPOINT: IoT is not a magical technology, but a mash up of many different technologies – and at its core, it’s just almost all software Sources: “International Journal of Web Portals” Ahmedi, Sejdiu, et al; Geoff Vaughan Security Innovation, Inc.
  • 15.
    Top 4 IoTSecurity Weak Points • Insufficient Security Awareness • Humans #1 weak point: building, deploying, using • Weak Physical Security • Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access • Infrequent Updates • Firmware, device apps, admin apps/interfaces • Expensive and/or remote IoT devices long lifespan (difficult to update) • Weak Data Protection • Data at rest/transit uses weak encryption techniques • Lack of dedicated security chips and modules to store sensitive data.
  • 16.
    3 Must-have IoTSecurity Considerations • “Shift left” • Think security earlier and more often in system design • Account for resources that will be able to provide security updates • Could be vendor, e.g., maintenance agreement, and/or internal staff, e.g., patching • KEYPOINT: Every component needs to be tested as part of the ecosystem • Not just individual IoT device testing Sources: “Dr. Dobbs” Larry Smith; Geoff Vaughan Security Innovation, Inc.
  • 17.
    Start with “Simple”Questions • How is the IoT deployed in our organization today, and who owns it or its respective components? • IoT inventory and business activity/role • Don’t expect the word “IoT” to show up in project docs • Do we know what data is collected, stored and analyzed? Have we assessed the legal, security and privacy implications? • Governance policies cover data captured at thousands of sensors? • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Driven by Key Threats & Attack Surface
  • 18.
    Start by AssessingIoT Risk/Liability IoT Connection Chain Ownership Threats Device hardware/firmware Vendor X Known vulnerabilities with Vendor products Patching process for Vendor X products Mobile application Vendor Y Secure SDLC activities for Vendor Y Web application Us Our own Secure SDLC activities/process Information/Data management Us Storage and transport of data Where is it encrypted? Channels of transmission Telco X Security guarantees/SLA with Telco X User authentication/roles Us Enumerate each role and authorized activity Authentication for each role
  • 19.
    US FTC IoTSecurity Best Practices* • Build security into devices at the outset, rather than as an afterthought • Train employees about the importance of security • Ensure security is managed at an appropriate level in the organization • Ensure outside service providers are capable of maintaining reasonable security, and provide oversight of providers • Consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk • Keep unauthorized users from accessing device data, or personal info • Monitor connected devices; provide security patches for known risks * https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
  • 20.
    Agenda • Security Risksof IoT Devices • Risk-based Testing Essentials IoT Device Considerations • Securing Our Digital Future
  • 21.
    Testing IoT Devices •~8-10 very technology specific areas to consider • Component Identification and Classification • Static Firmware Analysis • Dynamic Debugging • Peripheral Hacking • Protocols and Data Sniffing • WIFI • BLE • SDR • Cellular • USB • Hardware Hacks • JTAG • UART • SPI • Obtain from vendor website • Web search: support and community forums • Reverse the mobile application • Sniffing the OTA update mechanism • Dumping it from the device Tools such as Binwalk, IDA Pro, Radare2 can be usefulSimilar to other network-based testing • What services are running? • What communication protocols are being used? • What ports are open? • What version is running? Known vulnerability? Sources: Attify, Security Innovation
  • 22.
    Agenda • How ConnectedAre We? • Nothing Ever Goes Wrong… Right? • IoT Device Considerations Securing Our Digital Future
  • 23.
    Top 5 IoTSecurity Tips TIPS  Secure the Device OS and Firmware  Ensure Sufficient Data Protection  Secure the Physical Device  Secure the Communication Channel  Enforce Authentication and Authorization
  • 24.
    Secure the DeviceOS and Firmware Security Controls  Ensure updates are over a secure channel, signed and verified  Ensure bootloader firmware is secure and has not been tampered with  Ensure installed bootloader is verified at every stage of boot sequence  Ensure device makes use of full disk encryption  Disable unnecessary services running on the device  Protect against fuzzing and buffer overflow attacks  Ensure that binaries are compiled and signed for security
  • 25.
    Ensure Sufficient DataProtection Security Controls  Encrypt data at rest using strong and known encryption techniques  Ensure device uses dedicated security chips and modules to store sensitive data  Avoid usage of hard-coded credentials or cryptographic key  Do not collect data not essential for device functionality  Avoid usage of weak, broken, or risky cryptographic algorithms  Log all secure data access and alter events  Ensure authentication and authorization to all PII
  • 26.
    Secure the PhysicalDevice Security Controls  Ensure data storage is not directly accessible  Test debug interfaces (JTAG, UART, etc.) and USB ports for unintended device or data access  Ensure tamper protection/resistance techniques are in use  Limit the admin functionalities present on the device
  • 27.
    Secure the CommunicationChannel Security Controls  Secure the Wi-Fi interface via secure configurations (encryption, password, etc.) and drivers  Ensure protection against Denial-of-Service (DoS) and fuzzing attacks  Secure the exposed services and keys during device enrollment  Audit the file, printer and device sharing mechanism in place regularly  Secure the Bluetooth interface via secure configurations (discovery modes, PIN, etc.) and drivers  Verify that secure Bluetooth modes are in use  Ensure sensitive data is not sent over unencrypted bus lines
  • 28.
    Enforce Authentication andAuthorization Security Controls  Ensure role-based access control is currently in place  Mandate the use of multi-factor authentication for privileged accounts  Ensure that a strong password management policy is in place
  • 29.
    Summary of Tipsfor Securing IoT Systems • Know your technology vendor’s track record • Update your evaluation process, if necessary • Invest in security training for all in-house systems staff • From “Don’t Click on Sh*t” toTechnical/Configuration for IT/Ops teams • Perform proactive penetration testing • Obtain right to do so from 3rd-parties • Adopt a "defense-in-depth" strategy • e.g.,WAF between IoT devices and cloud admin app? • Eliminate all hardcoded default passwords and backdoors IoT Security Toolkit: https://tinyurl.com/y4zxw577
  • 30.
    Engage with SecurityProfessionals •Have a chat with us  •Bug Bounty Programs •Non-hostile relationship with “researchers” •Vulnerability Disclosure Program •Direct Relationship • Use as independent 3rd-party • Share info about good/bad ones
  • 31.

Editor's Notes

  • #8 All of our devices are conveniently connected and able to communicate with each other either via central control systems or with some consumption device like your phone or tablet. Getting too hot? Just have your thermostat signal your blinds to close. Speak into your phone and have your front-door unlock. Washing machine in need of a check-up?  It can request service by itself through an API call. loaded with Attack Vectors Cloud apps and wireless networks accessible by others Distributed devices may be used for email, DDoS, and other applications subjected to social engineering Devices may be accessible by unknown/unauthorized people Devices may have open connections Devices likely lack encryption Physical interfaces on the devices leak sensitive data Debug ports lead to privileged access on the device Radio and network communication protocols can be exploited Weak Firmware security can lead to device compromise
  • #9 Summary - Friday October 21, 2016 - Dyn (The company that controls much of internets domain name system infrastructure) came under attack by two large and complex Distributed Denial of Service (DDoS) attacks against its Managed DNS infrastructure. High flood of TCP and UDP traffic both with destination port 53 (DNS port) from large number of source IP addresses. When service went down – legitimate devices started trying to reconnect to the services. This made it difficult to differentiate between real and fake requests. Many devices had no login credentials; others had default username-password; the “tough” ones to crack were easily brute-forced by Mirai Mirai open-source software freely available
  • #10  St. Jude/ Abbott: The wireless protocol (RF) used had serious security vulnerabilities that could be exploited by unauthorized attackers (as far as 10 ft away .. but can be extended with off-the-shelf parts). The unauthorized commands could modify device settings (e.g., stop pacing), deliver shocks or impact device functionality. Owlet WiFi Baby Heart Monitor:  sensor that babies wear in a sock that monitors their heartbeat and relays that data wirelessly to parent's smartphones if anything is amiss. Vulnerabiility was that the device created its own base station which is basically an unlocked wifi network that anyone can join. After joining the attackers can monitor a stranger's baby and prevent alerts from being sent out.
  • #16 we conduct trainings at well known conferences like Black Hat. That way they can trust that we know what we are talking about. Most organizations don’t have sufficient in-house expertise to keep their IoT systems secure day in and day out. Developers, testers, operators, and system administrators often lack the training to identify common vulnerabilities, understand why they’re dangerous, and mitigate their risks. Without this in-house security expertise, IT staff don’t recognize system vulnerabilities until after a hack or breach occurs. People can’t protect themselves if they don’t understand the threat. In addition to this lack of in-house knowledge, when organizations deploy IoT systems, they’re also typically constricted by tight deadlines and inadequate in-house experience. These combined constraints, coupled with complex documentation and deployment processes, will inevitably leave systems unsecured and vulnerable to hacks and breaches. Weak Physical Security – Opening up the IoT device you can find test pads. These may be debug ports like JTAG, UART. In the past we’ve encountered devices that directly drop us to “root” when we connect hardware tools to it (Eg: http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/ and https://blog.malwarebytes.com/security-world/2014/02/uart-root-shell-on-commercial-devices/). This is pretty common in our projects too. Updating firmware on IoT devices can be a daunting task. It’s understandable that an organization may want to avoid the hassle and potential business risk of updating firmware regularly, especially if the business doesn’t have trusted processes in place. But firmware releases often contain critical security updates. By skipping releases, not only does an IoT infrastructure get out-of-date; it also becomes vulnerable to threats. IoT devices tend to have a much longer lifespan than typical software applications, largely because they are physical devices, some of which have relatively high capital costs (think refrigerators and TVs). The legacy systems supporting these devices can be difficult to keep up-to-date, and may have vulnerabilities that can't easily be patched due to legacy design issues or a lack of vendor support.
  • #17 we conduct trainings at well known conferences like Black Hat. That way they can trust that we know what we are talking about. Most organizations don’t have sufficient in-house expertise to keep their IoT systems secure day in and day out. Developers, testers, operators, and system administrators often lack the training to identify common vulnerabilities, understand why they’re dangerous, and mitigate their risks. Without this in-house security expertise, IT staff don’t recognize system vulnerabilities until after a hack or breach occurs. People can’t protect themselves if they don’t understand the threat. In addition to this lack of in-house knowledge, when organizations deploy IoT systems, they’re also typically constricted by tight deadlines and inadequate in-house experience. These combined constraints, coupled with complex documentation and deployment processes, will inevitably leave systems unsecured and vulnerable to hacks and breaches. Weak Physical Security – Opening up the IoT device you can find test pads. These may be debug ports like JTAG, UART. In the past we’ve encountered devices that directly drop us to “root” when we connect hardware tools to it (Eg: http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/ and https://blog.malwarebytes.com/security-world/2014/02/uart-root-shell-on-commercial-devices/). This is pretty common in our projects too. Updating firmware on IoT devices can be a daunting task. It’s understandable that an organization may want to avoid the hassle and potential business risk of updating firmware regularly, especially if the business doesn’t have trusted processes in place. But firmware releases often contain critical security updates. By skipping releases, not only does an IoT infrastructure get out-of-date; it also becomes vulnerable to threats. IoT devices tend to have a much longer lifespan than typical software applications, largely because they are physical devices, some of which have relatively high capital costs (think refrigerators and TVs). The legacy systems supporting these devices can be difficult to keep up-to-date, and may have vulnerabilities that can't easily be patched due to legacy design issues or a lack of vendor support.
  • #18 How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization. Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns? Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organizations or other organizations? Is there a risk that our devices sold to others could be compromised on a large scale? One well-publicized example was the utilization of thousands of internet-connected devices as part of a denial of service attack on Dyn in October of 2016.
  • #19 Go back to the Attack Surface list and start identifying who owns what Then discuss threats for each piece of the IoT chain Finally, discuss steps to mitigate each threat identified
  • #30 If you’re investing in new IoT technology, perform due diligence to understand whether the vendor comes with a history of insecure firmware, inadequate responses to public vulnerability reports, or any kind of lax attitude towards security. If so, find a different vendor. In-house expertise and sound internal processes can help prevent human error and ensure systems are secure. However, because they can't prevent what they don't know, developers need to understand common vulnerabilities before they can avoid them. When planning your initial security spending priorities, ensuring the security knowledge of your in-house staff will be your best line of defense, and will deliver your best security value overall. Remember that if you’re switching to a new IoT technology platform, your operations, system admins, testers, and others have to be ramped up on the new technology. They’ll also need to draft new systems deployment, configuration, and verification guidelines. Organizations, particularly those with high-risk applications, need to undergo regular penetration testing – before product launch (for manufacturers) and before product deployment (for customers). Too often, penetration testing doesn’t happen until after a breach, public disclosure, or other event that tarnishes a company’s brand or leaks customer data. IT managers can mistakenly assume that their firewalls, network segmentation, and perimeter defenses will be enough to secure their IoT assets. As a result, they fail to prioritize application security on the devices themselves, leaving gaping security holes. The IoT firmware, applications that run on the IoT devices, communication to outside resources, and servers (to which IoT devices upload data), all need to be secured. Device firmware sometimes includes default credentials or "administrative backdoors.” While these "features" may make it easier to troubleshoot potential problems that on the devices, they also create a large attack surface for hackers. The safest solution is to adopt the more secure key-based and multi-factor forms of authentication.