Practical Security Assessments of IoT Devices and Systems
Uploaded by ollie-whitehouse (category: Technology)
Practical Security Assessments of IoT Devices and Systems
TBC
NCC Group Technical Security Consulting
NCC Group Security Research
Talk synopsis
This talk will discuss strategies and methodologies that can be employed when assessing IoT devices. We'll look at how to develop credible threat scenarios for different IoT devices and systems; perform static and dynamic attack surface mapping; perform static firmware analysis; perform static hardware analysis; undertake a dynamic device security analysis; identify sources of supporting information; establish the supporting capabilities required; execute dynamic device analysis; and approach network protocol analysis.
What we’ll zoom through
Understanding
Modelling
Technical Capabilities
Deep Dives
Assessing
Reporting
Understanding – Design
Device – components
Communications – protocols
System – what, where, how, when
Modelling – Flows & Trust Boundaries
On device – data and features
Device to system – traffic
System – data and functionality
Technical Capabilities - Dump
Software - firmware (persistent storage)
Data (persistent storage)
Memory (non-persistent storage)
FPGA Bitstream files / CPLD JEDEC files (persistent)
Technical Capabilities - Dump
Removable storage e.g. SD card
via built-in functionality / debugging (in firmware)
via JTAG
via observing data transmitted across memory buses*
Chip-off analysis
Technical Capabilities - Observe
On device – I2C, SPI, USB, GPIO, generic ...
Off device – RF (ZigBee, 6LoWPAN, 802.11, Bluetooth,
GSM/GPRS, Ethernet etc.)
Side Channels - RF / DPA etc.
System – end-to-end
Technical Capabilities - Debug
Chip level – JTAG
Device level – serial ports (e.g. console)
– software interfaces
– internal debugger (in firmware)
Network – RF / wired
– GDB stubs
System – end-to-end
Deep Dives: Obtain
Documentation
SDKs
GPL etc.
Trigger auto-update then capture
network traffic (if SSL not used)
Firmware update bundles
Deep Dives: Reverse
Boot loader
Operating system / software
Sensitive data
IP – data representing device characteristics e.g.
intelligent suspension / stability control
Deep Dives: Identify
Technologies
Security indicators
1st / 3rd party software
Open Source libraries
Security algorithms
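Worked example added here (not code from the talk or from NCC Group) of the first static pass over a firmware bundle obtained as described in the Obtain/Identify slides: a minimal binwalk-style signature scan plus a per-block entropy map, so compressed or encrypted regions stand out before reversing starts. The sample image, its layout and the short signature table are constructed for the example.

```python
import gzip
import hashlib
import math
import zlib
from collections import Counter

# Magic bytes for a few formats commonly found in IoT firmware bundles.
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x7fELF": "ELF binary",
}

def find_signatures(image: bytes) -> list:
    """Return sorted (offset, description) pairs for every magic match."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for uniform noise."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def high_entropy_regions(image: bytes, block_size: int = 1024, threshold: float = 7.5) -> list:
    """Offsets of blocks whose entropy suggests compressed or encrypted data."""
    return [off for off in range(0, len(image), block_size)
            if shannon_entropy(image[off:off + block_size]) >= threshold]

def carve_gzip(image: bytes, offset: int) -> bytes:
    """Inflate the gzip member at offset; wbits 16+MAX_WBITS stops at its end."""
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(image[offset:])

def build_sample_image() -> bytes:
    """Constructed 6 KiB image (not a real dump): uImage header at 0, gzip
    member at 0x400, SquashFS magic at 0x800, 2 KiB pseudo-random at 0x1000."""
    image = bytearray(6144)
    image[0:4] = b"\x27\x05\x19\x56"
    gz = gzip.compress(b"kernel+rootfs stand-in " * 200, 9)
    image[0x400:0x400 + len(gz)] = gz
    image[0x800:0x804] = b"hsqs"
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    image[0x1000:0x1000 + len(noise)] = noise  # stands in for an encrypted region
    return bytes(image)
```

On a real dump, a high-entropy block with no signature hit is the cue to look for a decryption routine in the boot loader rather than to keep carving.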
How to assess
Review configuration
Standard web app / product assessment methodologies
Use the product
Fuzz / correctness tests
Code review
Summary & Conclusions
IoT = embedded systems + wider system
Approach = understand, model, ensure capability, assess
… it’s not rocket science but it’s more complex than a web app, mobile app or standard infrastructure assessment …
Further Information
Detailed paper on how to design and build securely:
https://www.nccgroup.com/en/learning-and-research-centre/white-papers/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/
Further Information & Resources
- Binwalk - http://binwalk.org/
- JTAGulator - http://www.grandideastudio.com/portfolio/jtagulator/
- Face Dancer - http://goodfet.sourceforge.net/hardware/facedancer21/
- DevTTYS0 Blog - http://www.devttys0.com/blog/
- Tamper detection / Anti-tamper
... plus many more ...