IoT Security – Executing an Effective Security Testing Process

Post on 21-Jan-2018



Introduction

Deral Heiland – IoT Research Lead, Rapid7
• 25+ years IT
• 15 years security
• 8+ years security consultant / pentester

www.hackerhalted.com

Agenda
• IoT Ecosystem
• IoT Testing Methodologies
• IoT Research & Results
• Questions

IoT Ecosystem
The IoT Ecosystem:
• Embedded Hardware
• Mobile & Control Applications
• Cloud APIs & Web Services
• Network Communication
• Data

Ecosystem Approach
• Helps identify the exposure footprint
• Threat modeling for risk
• Determine impact across the ecosystem
• Conducting security testing

IoT Testing Methodologies

Testing Methodology Structure
• Functional Evaluation
• Device Reconnaissance
• Cloud & Web APIs
• Mobile & Control Applications
• Network
• Physical Embedded Hardware Inspection
• Physical Device Attacks
• Radio (RF)

Functional Evaluation
• Standard deployment
• Two environments
• Map out features, functions, components, communication paths

Functional Evaluation
• Welcome to my real-world lab
• Use the product to its full capacity

Device Reconnaissance
• Component versions
• Software versions
• Vulnerability history
• Open source data
• White-labeled product history
• User manuals
• Component data/spec sheets
• FCC data

Eview Panic Button Reconnaissance

User manual very revealing

Mobile & Control Applications
• Encryption (storage and transfer)
• Authentication
• Access rights
• Communication protocols
• SSL pinning

Mobile Application: Wink Hub 2 Unencrypted Storage of Credentials

Insteon Smart Hub: Unencrypted Storage of Credentials

Cloud & Web APIs
• Encryption (storage and transfer)
• Authentication and session management
• Common web vulnerabilities: XSS, CSRF, injection attacks (SQLi etc.), business logic attacks

Cloud APIs: Wink Hub 2

Cloud APIs: Wink Hub 2 Failure to Revoke OAuth Token
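The Wink Hub 2 finding above is a class of bug worth having a repeatable check for: the app "logs out", but the server keeps honouring the token until it expires. The block below is an added example, not Wink's or Rapid7's code. It models a toy cloud API with a signed bearer token (HMAC-SHA256 over a JSON payload, constructed here; SERVER_KEY, the endpoint names and the timestamps are assumptions) and puts the flawed validator, which checks only signature and expiry, next to one that keeps a server-side revocation list keyed by the token's jti. revocation_check() is the manual test a pentester runs: capture a live token, log out in the app, replay the token.

```python
"""Toy cloud-API session check for the 'failure to revoke OAuth token' class of
bug: the flawed validator (signature + expiry only, logout is client-side) next
to one that keeps a server-side revocation list. Added example, not Wink's or
Rapid7's code; the token format, SERVER_KEY and the fake endpoint are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

SERVER_KEY = b"constructed-demo-signing-key"   # assumption: server-side HMAC key


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, now: int, ttl: int = 3600) -> str:
    """Bearer token = b64(payload).b64(HMAC-SHA256(payload)); jti makes each token revocable."""
    payload = json.dumps({"sub": user, "jti": secrets.token_hex(8), "exp": now + ttl}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Signature and expiry only; returns the claims or None. Says nothing about
    revocation: that is the part the flawed API below forgets."""
    try:
        p, t = token.split(".")
        payload, tag = _b64d(p), _b64d(t)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected) or claims.get("exp", 0) <= now:
        return None
    return claims


class VulnerableApi:
    """Logout clears the app's copy of the token; the server keeps no record."""
    def logout(self, token: str, now: int) -> None:
        pass   # nothing is invalidated server-side; the token works until exp

    def get_devices(self, token: str, now: int) -> int:
        return 200 if verify_token(token, now) else 401


class HardenedApi:
    """Logout records the token's jti; every request consults the list."""
    def __init__(self) -> None:
        self.revoked: dict = {}   # jti -> exp, so entries can be pruned once they expire anyway

    def logout(self, token: str, now: int) -> None:
        claims = verify_token(token, now)
        if claims:
            self.revoked[claims.get("jti")] = claims["exp"]

    def get_devices(self, token: str, now: int) -> int:
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}   # keep the list bounded
        claims = verify_token(token, now)
        if claims is None or claims.get("jti") in self.revoked:
            return 401
        return 200


def revocation_check(api) -> dict:
    """What a tester does by hand: capture a live token, log out in the app, replay it."""
    t0 = 1_700_000_000
    tok = issue_token("alice", now=t0)
    before = api.get_devices(tok, t0 + 1)
    api.logout(tok, t0 + 2)
    after = api.get_devices(tok, t0 + 3)
    return {"before_logout": before, "after_logout": after, "revocation_works": after == 401}
```

Against a real product the same check is done with the captured token and the real logout and device-list endpoints; the point of the hardened variant is that revocation has to live on the server, and stateless signature-plus-expiry validation cannot express it.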

Network
• Exposed services
• Authentication
• Access rights
• Encryption
• Intra-product "ecosystem" communication

Network: Device Local Mode Security
• Loss of internet access
• Lack of authentication
• Lack of encryption

Osram Lightify Over The Air (OTA) Firmware Captures with Wireshark

Physical Embedded Hardware Inspection
• Chips: CPU, memory, communication
• Physical ports: Ethernet, USB, serial
• Circuitry connections: UART, JTAG, SPI

Physical Device Attacks
• JTAG/SWD
• UART
• SPI
• Memory extraction: firmware, configurations

Flash Memory Extraction on Wink Hub 2


Gathering RF Configuration Data from Inter-Chip Communication

Captured bits:
1100101010000001110011000110011110000000001111101010011111011000110001000111011111000010011011001001011010000000100110000100010010000010000110001100000011100000

Firmware Extraction: embedded Multi-Media Controller (eMMC)
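Whether the image comes off a flash chip, an eMMC, or an OTA download captured with Wireshark as in the Osram Lightify slide, the first thing a tester does with it is triage: where are the containers, which regions are encrypted or compressed, and what credentials are sitting in the clear. The block below is an added example, not Rapid7's tooling and not a substitute for binwalk; it carries a small signature table of magics I am confident of, a Shannon-entropy scan per 1 KiB window, and a credential grep over printable strings. SAMPLE_DUMP is constructed inline (erased-flash padding, a uImage magic, a SquashFS magic, a pseudo-random region standing in for encrypted data, and a fake passwd line and config keys).

```python
"""Triage a raw flash / eMMC dump or an OTA firmware image: locate known container
magics, flag high-entropy (compressed or encrypted) windows and grep for
credential-looking strings. Added example, not Rapid7's tooling; the signature
table is a small subset of binwalk's, and SAMPLE_DUMP is constructed here."""
import hashlib
import math
import re
from collections import Counter

# Magic bytes (subset); binwalk's table is far longer.
SIGNATURES = [
    (b"\x1f\x8b\x08", "gzip"),
    (b"hsqs", "SquashFS (little-endian)"),
    (b"sqsh", "SquashFS (big-endian)"),
    (b"UBI#", "UBI erase-counter header"),
    (b"\x27\x05\x19\x56", "U-Boot uImage header"),
    (b"\x7fELF", "ELF executable"),
]
BLOCK = 1024          # entropy window in bytes
HIGH_ENTROPY = 7.5    # bits/byte; random-looking data, i.e. encrypted or well compressed
CRED_PATTERNS = [
    re.compile(rb"(passw(or)?d|secret|api[_-]?key|token)\s*[:=]\s*\S", re.I),
    re.compile(rb"\$(1|5|6|y)\$[^$:\x00]{1,16}\$"),   # crypt(3) hash as found in passwd/shadow
]
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def find_signatures(data: bytes):
    """Every (offset, name) at which a known magic occurs, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES:
        start = 0
        while (i := data.find(magic, start)) != -1:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte; 0 for a constant block, 8 for perfectly uniform data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_blocks(data: bytes, block: int = BLOCK, threshold: float = HIGH_ENTROPY):
    """Offsets of windows that look encrypted or compressed (a gzip or SquashFS
    body scores high too, so read this together with the signature hits)."""
    return [i for i in range(0, len(data), block)
            if shannon_entropy(data[i:i + block]) >= threshold]


def credential_strings(data: bytes):
    """Printable runs that match a credential pattern, with their offsets."""
    return [(m.start(), m.group().decode("ascii"))
            for m in STRING_RE.finditer(data)
            if any(p.search(m.group()) for p in CRED_PATTERNS)]


def triage(data: bytes) -> dict:
    return {
        "signatures": find_signatures(data),
        "high_entropy_blocks": high_entropy_blocks(data),
        "credentials": credential_strings(data),
    }


# ---- constructed sample dump (4096 bytes), not a real device image ----
_seg0 = b"\xff" * 64                                   # erased NOR/NAND padding
_seg0 += b"\x27\x05\x19\x56" + b"\x00" * 60            # uImage magic at offset 64
_seg0 += b"hsqs" + b"\x00" * 124                       # SquashFS magic at offset 128
_seg0 += b"\x00" * (BLOCK - len(_seg0))                # pad to 1024
# 2048 bytes of SHA-256 output standing in for an encrypted partition (offsets 1024..3071)
_encrypted_standin = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(64))
_config = (b"\x00" * 16
           + b"root:$1$abcdefgh$0123456789ABCDEFGHIJKL:0:0:root:/:/bin/sh\x00"
           + b"wifi_password=hunter2\x00"
           + b"cloud_api_key=AKIA-CONSTRUCTED-0000\x00")
_config += b"\x00" * (BLOCK - len(_config))            # offsets 3072..4095
SAMPLE_DUMP = _seg0 + _encrypted_standin + _config

if __name__ == "__main__":
    for k, v in triage(SAMPLE_DUMP).items():
        print(k, v)
```

On a real dump the offsets from find_signatures() are what you feed to dd or binwalk -e to carve the container; an entropy window that scores high with no signature in front of it is the hint that a partition is encrypted and that the key is worth looking for in the bootloader or on the inter-chip bus.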

Radio (RF)
• Encryption
• Pairing
• Access control
• Command and control
• Replay attacks

RF Analysis: Insteon Vulnerable to Replay Attacks

Circle back around for more Insteon RF recon

• Peter Shipley
• DEF CON 23 (False Security and Deceptive Documentation)
• https://github.com/evilpete/insteonrf

It appears these issues have never been corrected, especially the unencrypted communication, even on their own products

Insteon RF Analysis Reconnaissance
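The replay finding above follows directly from frames that are neither encrypted nor authenticated nor fresh: anything a sniffer captures can be transmitted again and the receiver has no way to tell. The block below is an added example, not the Insteon wire format and not Rapid7's or Peter Shipley's code; the frame layout, command codes, device addresses, toy_crc and PAIRING_KEY are constructed stand-ins. It simulates a plain receiver that accepts a replayed "on" frame, next to a receiver that requires a per-sender monotonic counter covered by an HMAC under a key established at pairing, which rejects both the replay and a forged frame.

```python
"""Why an unencrypted, unauthenticated RF command frame is replayable, and what a
counter + MAC buys you. Added example: the frame layout, toy_crc, the device
addresses, command codes and PAIRING_KEY are constructed, not Insteon's format."""
import hashlib
import hmac
import struct
import zlib

CMD_ON, CMD_OFF = 0x11, 0x13                  # constructed command codes
HUB, SWITCH = b"\x11\x22\x33", b"\xaa\xbb\xcc"   # constructed 3-byte device addresses
PAIRING_KEY = b"constructed-pairing-key"     # assumption: shared secret set up at pairing


def toy_crc(b: bytes) -> int:
    """Integrity check only: any sniffer can recompute it, so it authenticates nothing."""
    return zlib.crc32(b) & 0xFFFF


# ---- plain frame: from(3) | to(3) | cmd(1) | arg(1) | crc(2): nothing secret, nothing fresh
def build_plain(src: bytes, dst: bytes, cmd: int, arg: int) -> bytes:
    body = src + dst + bytes([cmd, arg])
    return body + struct.pack(">H", toy_crc(body))


class PlainDevice:
    def __init__(self, addr: bytes) -> None:
        self.addr, self.state = addr, None

    def receive(self, frame: bytes) -> bool:
        body, crc = frame[:-2], struct.unpack(">H", frame[-2:])[0]
        if len(body) != 8 or toy_crc(body) != crc or body[3:6] != self.addr:
            return False
        self.state = body[6]          # executes whatever arrives, replayed or not
        return True


# ---- authenticated frame: from(3) | to(3) | counter(4) | cmd(1) | arg(1) | mac(8)
def build_auth(key: bytes, src: bytes, dst: bytes, counter: int, cmd: int, arg: int) -> bytes:
    body = src + dst + struct.pack(">I", counter) + bytes([cmd, arg])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class AuthDevice:
    def __init__(self, addr: bytes, key: bytes) -> None:
        self.addr, self.key, self.state = addr, key, None
        self.last_counter = {}        # per sender; counters must strictly increase

    def receive(self, frame: bytes) -> bool:
        body, mac = frame[:-8], frame[-8:]
        if len(body) != 12 or body[3:6] != self.addr:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):
            return False              # forged or modified
        src, counter = body[:3], struct.unpack(">I", body[6:10])[0]
        if counter <= self.last_counter.get(src, 0):
            return False              # replayed (or reordered) frame
        self.last_counter[src] = counter
        self.state = body[10]
        return True


def replay_plain() -> dict:
    """Attacker sniffs the 'on' frame, owner turns the switch off, attacker replays."""
    sw, sniffed = PlainDevice(SWITCH), []
    frame = build_plain(HUB, SWITCH, CMD_ON, 0xFF)
    sniffed.append(frame)
    legit = sw.receive(frame)
    sw.receive(build_plain(HUB, SWITCH, CMD_OFF, 0))
    replayed = sw.receive(sniffed[0])
    return {"legit": legit, "replay_accepted": replayed, "state": sw.state}


def replay_auth() -> dict:
    """Same sequence against the counter + MAC receiver, plus a keyless forgery."""
    sw, sniffed = AuthDevice(SWITCH, PAIRING_KEY), []
    frame = build_auth(PAIRING_KEY, HUB, SWITCH, 1, CMD_ON, 0xFF)
    sniffed.append(frame)
    legit = sw.receive(frame)
    sw.receive(build_auth(PAIRING_KEY, HUB, SWITCH, 2, CMD_OFF, 0))
    replayed = sw.receive(sniffed[0])
    forged = sw.receive(build_auth(b"wrong-key", HUB, SWITCH, 99, CMD_ON, 0xFF))
    return {"legit": legit, "replay_accepted": replayed, "forged_accepted": forged, "state": sw.state}
```

Two caveats a tester should keep in mind when reading a vendor's "rolling code" claim: a counter without a MAC is no defence, since the attacker just transmits a higher counter; and a MAC with a fixed per-product key rather than a per-pairing key means one extracted key (see the flash and inter-chip captures earlier) unlocks every unit.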

Conclusion
• Reduced issues
• Reduced risk
• Better products
• Deeper understanding

Questions

Deral Heiland - Research Lead (IoT)
deral_heiland@rapid7
@percent_x
http://www.rapid7.com