IoT Security – Executing an Effective Security Testing Process
Introduction
Deral Heiland – IoT Research Lead, Rapid7
• 25+ years IT
• 15 years security
• 8+ years security consultant pentesters
www.hackerhalted.com
Agenda
IoT Ecosystem
IoT Testing Methodologies
IoT Research & Results
Questions
The IoT Ecosystem
IoT Ecosystem
Embedded Hardware
Mobile & Control Applications
Cloud APIs & Web Services
Network Communication
Data
Ecosystem Approach
Help identify exposure footprint
Threat modeling for risk
Determine impact across ecosystem
Conducting security testing
IoT Testing Methodologies
Testing Methodology Structure
Functional Evaluation
Device Reconnaissance
Cloud & Web APIs
Mobile & Control Applications
Network
Physical Embedded Hardware Inspection
Physical Device Attacks
Radio (RF)
Functional Evaluation
Standard deployment
Two environments
Map out: Features, Functions, Components, Communication paths
Functional Evaluation
Welcome to my real-world lab
Use the product to its full capacity
Device Reconnaissance
Component versions
Software versions
Vulnerability history
Open source data
White labeled product history
User manuals
Component data/spec sheets
FCC data
Device Reconnaissance
Eview Panic Button Reconnaissance
User manual very revealing
Mobile & Control Applications
Encryption (storage and transfer)
Authentication
Access rights
Communication protocols
SSL pinning
Mobile Application
Wink Hub 2 Unencrypted Storage of Credentials
Insteon Smart Hub
Unencrypted Storage of Credentials
Cloud & Web APIs
Encryption (storage and transfer)
Authentication and session management
Common web vulnerabilities: XSS, CSRF, injection attacks (SQLi etc.), business logic attacks
Cloud APIs: Wink Hub 2
Cloud APIs: Wink Hub 2
Failure to Revoke OAuth Token
Network
Exposed services
Authentication
Access rights
Encryption
Intra-product “ecosystem” communication
Network
Device Local Mode Security
Loss of internet access
Lack of authentication
Lack of encryption
Osram Lightify Over The Air (OTA) Firmware Captures with Wireshark
Physical Embedded Hardware Inspection
Chips: CPU, Memory, Communication
Physical ports: Ethernet, USB, Serial
Circuitry connection: UART, JTAG, SPI
Physical Device Attacks
JTAG/SWD
UART
SPI
Memory extraction: Firmware, configurations
Flash Memory Extraction on Wink Hub 2
Flash Memory Extraction on Wink Hub 2
Gathering RF Configuration Data from Inter Chip Communication
Gathering RF Configuration Data from Inter Chip Communication
1100101010000001110011000110011110000000001111101010011111011000110001000111011111000010011011001001011010000000100110000100010010000010000110001100000011100000
Gathering RF Configuration Data from Inter Chip Communication
Firmware Extraction
embedded Multi-Media Controller (eMMC)
Firmware Extraction
embedded Multi-Media Controller (eMMC)
Firmware Extraction
embedded Multi-Media Controller (eMMC)
Radio (RF)
Encryption
Pairing
Access control
Command and control
Replay attacks
RF Analysis
Insteon Vulnerable to Replay Attacks
Insteon RF Analysis Reconnaissance
Circle back around for more Insteon RF recon
• Peter Shipley
• Defcon23 (False Security and Deceptive Documentation)
• https://github.com/evilpete/insteonrf
It appears these issues have never been corrected, especially the unencrypted communication – even on their own products
Conclusion
Reduced issues
Reduced risk
Better products
Deeper understanding
Questions
Deral Heiland - Research Lead (IoT)
deral_heiland@rapid7
@percent_x
http://www.rapid7.com