2017 ithome talk 20170314 release

1. Ashley Shen, Belinda Lai

2. Senior Threat Analyst at Team T5
ashley@hitcon.org
• Co-founder of HITCON GIRLS
• Malware analysis, Advanced Persistence
Threat research, campaign tracking
• Speaker at HITCON CMT, HITCON ENT,
CodeBlue, Troopers

3. Brocade Software Engineer
• Co-founder of HITCON GIRLS
• Speaker at HITCON CMT, HITCON ENT
• Malware analysis

4. •
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

6. “The Internet of Things (IoT) is the network
of physical objects that contain embedded
technology to communicate and sense or
interact with their internal states or the
external environment.”
- Definition of IoT by Gartner

7. Avg:122B?
IHS Markit
2017 IoT Trend
Report

8. • A world of connected everyday objects means a bigger attack surface for
cybercriminals.
• Security is often not considered at the design stage.
• AT&T‘s Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world
and found that 85% of enterprises are in the process of or intend to deploy IoT devices. Yet a
mere 10% of those surveyed feel confident that they could secure those devices against hackers.
(2015)

9. IoT devices will increasingly penetrate the enterprise, leading to
increased IoT DDoS attacks.
The growth in IoT devices provides a newly available slew of poorly protected or
monitored devices that can be coopted for malicious purposes.
IoT devices will play a bigger role in DDoS attacks; IIoT systems in
targeted attacks.
Growth in the number and variety of Internet of Things devices will break some
cloud security models, leading to successful attacks through these devices
The risk of connecting
everything, regardless — in 2016, need we say more?

12. 2015 Cloud Security Alliance - Security Guidance for Early Adopters of the Internet of Things (IoT)

17. 2013 2014 2017
• IoT security in Healthcare is life or death , specially implantable medical device.
• Not just about the device, but also the environment.
• Hacking into MRI through the hospital guest WI-FI. (ERNW)

20. Individual
• Privacy
• Physical Safety
(Healthcare)
• Personal identical
data
http://www.truste.com/blog/wp-content/uploads/smart-devices-circle-of-trust.png

21. Organization
• Intellectual property
• DDOS blackmail
• Services stability
• Financial

22. • Domestic security
• Homeland security
• Attacks on Critical
Infrastructure security
• Cyber espionage attack
• Politic & Financial
Nation
• IoT leverage in cyber
espionage attack.
• 2015 – PLEAD the
Phantom of routers
by Charles & zha0

24. IoT Security != Device Security

25. IoT Ecosystem
Sensors
Network
Application

26. IoT Ecosystem Attack Surface
Sensors
Hardware
Network
Connectivity
Application

28. Hardware Connectivity Application
Vendor Backend APIs Cloud Web InterfaceDevice Physical Interfaces
Mobile ApplicationLocal Data Storage
Update Mechanism
Device Firmware
Third-party Backend APIs
Network Traffic
Device Memory
Device Web Interface
Device Network Services
Privacy
Authentication/Authorization
Ecosystem Communication
Administrative Interface
IoTAttackSurfaceAreas

29. Hardware
Device Physical Interfaces
Local Data Storage
Update Mechanism
Device Firmware
Device Memory
Device Web Interface
Device Network Services
Common Vulnerability Hacking Tools
• Firmware extraction
• Admin CLI
• Privilege escalation
• Reset to insecure state
• Removal of storage media
• Debug port
• Web vulnerabilities
• Backdoor accounts
• Hardcoded credentials
• Encryption keys (weak or
crackable)
• Encryption (Symmetric,
Asymmetric)
• Sensitive URL disclosure
• Vulnerable services (web, ssh,
tftp, etc.)
• Unencrypted data
• Mousejack - Injecting Keystrokes
into Wireless Mice
• Metasploit - vulnerabilities for
iot (from smart fridges to smart
cars)
• Attify Badge Tool: hardware
device used to hack IoT devices
• Shikra: Hardware hacking tool
box

30. • Mifare Classic is one of the most used
RFID card.
• The card utilize the standard ISO 14443
Type A protocol for communication on
frequency 13.56 MHz (High Frequency).
• The proprietary cryptography utilized in
the Mifare Classic cards is CRYPTO1, with
48 bits key.
• In October 2008 Radbond University
published a Crypto-1 cipher
implementation as Open Source (GNU
GPL v2 license).

31. • Tools:
• RFID Reader (about 900 NTD)
• MFOC & MFCUK (Free)
• UID Changeable Mifare (5 NTD)
https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf

32. Connectivity
Vendor Backend APIs
Third-party Backend APIs
Network Traffic
Ecosystem Communication
• Common Vulnerability • Hacking Tools
• Weak authentication
• Weak access controls
• Protocol fuzzing
• Injection attacks
• Hidden services
• Unencrypted PII sent
• Encrypted PII sent
• Device information leaked
• Location leaked
• Non-standard
• Wireless (WiFi, Z-wave, XBee,
Zigbee, Bluetooth, LoRA)
• Inherent trust of cloud or mobile
application
• Wifi-hacking: aircrack-ng
• BLE Hacking: Ubertooth One
• Fluxion – WPA/WPA2 Security
Hacked Without Brute Force
• Cain and Abel - penetration
tools
• Fiddler - monitor, manipulate,
and reuse HTTP requests
• Kismet: network detector, packet
sniffer for 802.11 a/b/g/n layers
• GATTracker: BLE Man in the
middle attack

33. • Bluetooth low energy (a.k.a Bluetooth Smart, Bluetooth 4.0), different from
Bluetooth Classic and high speed
• Designed to be power-efficient, different protocol
BLE authentication design challenges on smartphone controlled IoT devices: analyzing Gogoro Smart Scooter by Chen-yu Dai [GD] & Professor Shi-Cho Cha [CSC]

34. • Security Procedures provided by Security Manager:
• Paring: (Encrypt with Temp Key)
• Security Manager Protocol
• Just Work: No Passkey required. à Man in the Middle Attack
• Passkey Display: Passkey required.
• Out of Bound (OOB): Passing through non-BLE protocol.
• Bonding: (Encrypt with permanent key)
• Encryption Re-establishment (Support Bonding)

35. • Many BLE Devices do “FAKE PARING”:
• Mi bracelet could be vibrated by
anyone close to you
• No authentication & Paring
• Mi Smart Scale
• Sending data without
encryption
• Anyone could see your
weight when they are close
to you
• Tool: BLE Scanner (app on your
phone)

36. Application
Cloud Web Interface
Mobile Application
Administrative Interface
Common Vulnerability Hacking Tools
• SQL injection
• Cross-site scripting
• Cross-site Request Forgery
• Username enumeration
• Weak passwords
• Account lockout
• Known default credentials
• Transport encryption
• Two-factor authentication
• Insecure password recovery
mechanism
• Two-factor authentication
• SuperPutty : operate all your
VPS
• Hardcode : Android hacking
• AndroRAT : Remote
Administration Tool for Android
• SpoofApp:spoof (Place) calls
with any caller ID number
• APK Inspector:reverse engineer
any android app
• dSploit :perform various attacks
• AnDOSid : perform a DOS attack
• SQLMap: Finding vulnerabilities
on web application
• Androbug: Finding android app
vulunerbilities

38. • The process of finding targets and
vulnerabilities.
• Tools
• Shodan
• www.shodan.io
• Censys
• censys.io
• ZoomEye
• www.zoomeye.org
• WHOIS
• Netcraft
• Nmap

40. • Consider security by design, rather
than an afterthought.
• Provide security trainings to
developer.
• Listen to security experts.
• Do penetration testing before
releasing.

41. • Know what and how much IoT devices you have.
• Device management.
• Know the IoT vulnerabilities.
• Understand the threat (vulnerabilities, attack vector) and defend.
• Securing IoT devices does NOT means simply securing the actual devices
themselves. Companies also need to build security into software applications
and network connections that link to those devices.
• Creating a separate network segment is one option.
• Requiring the vendors to assert that their products aren't vulnerable to
common attacks.

42. • Understand the risk of your device. (Do not trust them)
• Don’t use them if you don’t want to share your data
• Ensure the default passwords on all devices are changed (using unique,
complex passwords) to prevent them being remotely accessed.
• Review the functionality of a smart device and disable any functions that you
don’t actually need.

44. Internet of Threat!Things?

45. HITCON GIRLS Internet Security Group
RFID Card Hacking WIFI Hacking Wall of Sheep BLE Device Hacking Pineapple Router
Web Pentesting Android PentestingMalware AnalysisNewbie Group
Recruiting !!!
https://www.facebook.com/HITCONGIRLS/

47. • Internet of Things (IoT) History, http://www.postscapes.com/internet-of-things-history/
• 20 Billion Connected Internet of Things Devices in 2017, IHS Markit Says, http://electronics360.globalspec.com/article/8032/20-billion-
connected-internet-of-things-devices-in-2017-ihs-markit-says
• IoT-trend-watch-2017, https://cdn.ihs.com/www/pdf/IoT-trend-watch-2017.pdf
• Sensing-as-a-Service - New Business Models for Internet of Things (IOT), https://www.slideshare.net/mazlan1/sensingasaservice-new-
business-models-for-internet-of-things-iot
• Connecting RFID to IoT, https://image.slidesharecdn.com/internetofthingsiot-160825065927/95/internet-of-things-iot-10-
638.jpg?cb=1472108952
• IoE vs. IoT vs. M2M: What’s the Difference and Does It Matter?, http://blog.aeris.com/ioe-vs.-iot-vs.-m2m-what-s-the-difference-and-
does-it-matter
• The Internet of Things By Samuel Greengard,
https://books.google.com.tw/books?id=oyyyBwAAQBAJ&pg=PA16&lpg=PA16&dq=physical-first+digital-
first+iot&source=bl&ots=IlVCfyMGMM&sig=OHCYXqPAs5FayJ5zcB6mzQ484pQ&hl=en&sa=X&ved=0ahUKEwij5fqwmq7SAhWBgLwK
HdpaDwQQ6AEINzAF#v=onepage&q=physical-first%20digital-first%20iot&f=false
• CISCO Internet of Everthing Infographic, http://internetofeverything.cisco.com/vas-public-sector-infographic/
• https://blog.trendmicro.com.tw/?p=10855
• QUESTIONS
• AND ANSWERS:
• FireEye - THE 2017 SECURITY LANDSCAPE – ASIA PACIFIC 2017, https://www2.fireeye.com/rs/848-DID-242/images/rpt-security-
predictions-2017-
apac.pdf?mkt_tok=eyJpIjoiTWpnNE1EUmlNbUZoWmpVeSIsInQiOiJDY3lUMXBYR2tXdVRIRW81bjlWNEZGREVXMUFwU3d1cmo3MHpM
RG1qWHY4RlQ2N3JaSWQ0MVh3VWc1S3Nhb1JWZTRXTWJMUytjRFROVThRQ01VZDRZdHVYZDdHN1c3dmtEK1wvXC9PSlplN01kc2htN
GxrbEdLRm5zMHZIbFRpNktTIn0%3D

48. • Security in 2017 and Beyond: Symantec’s Predictions for the Year Ahead, https://www.symantec.com/connect/blogs/security-2017-
and-beyond-symantec-s-predictions-year-ahead
• KASPERSKY_SECURITY_BULLETIN_2016,
https://kasperskycontenthub.com/securelist/files/2016/12/KASPERSKY_SECURITY_BULLETIN_2016.pdf
• McAfee Labs 2017 Threats Predictions, https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf
• How the Internet of Things will affect security & privacy, http://www.businessinsider.com/internet-of-things-security-privacy-2016-8
• Hackers Remotely Kill a Jeep on the Highway—With Me in It, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• 比特幣集體勒索又來了，這次鎖定全臺4千校！不只大學，桃園3小學也出現駭客勒索信, http://www.ithome.com.tw/news/112282
• 2.5萬監視器成DDoS殭屍網路大軍，多數來自台灣 !, http://www.ithome.com.tw/news/106745
• Compromised clinics, hacked MRIs and online breach-traders | MassDevice.com On Call, http://www.massdevice.com/compromised-
clinics-hacked-mris-and-online-breach-traders-massdevicecom-call/
• IoT in Healthcare: Life or Death, Dr. May Wang,
https://webcache.googleusercontent.com/search?q=cache:PF0a41C3ttoJ:https://www.rsaconference.com/writable/presentations/file
_upload/sbx2-r4-iot-in-healthcare-life-or-death.pdf+&cd=1&hl=en&ct=clnk&gl=tw
• Internet of Things (IoT): Security, Privacy and Safety, https://datafloq.com/read/internet-of-things-iot-security-privacy-safety/948
• Does CCTV put the public at risk of cyberattack?, https://securelist.com/blog/research/70008/does-cctv-put-the-public-at-risk-of-
cyberattack/
• University DDoS'd by its own seafood-curious malware-infected vending machines,
https://www.theregister.co.uk/2017/02/13/university_ddosd_by_own_vending_machines/
• Bombs that can recognise their targets are back in fashion, http://www.economist.com/news/science-and-technology/21711012-new-
generation-smart-weapons-development-bombs-can-recognise-their
• Amazon's delivery drones may drop packages via parachute, http://money.cnn.com/2017/02/14/technology/amazon-drone-patent/

49. • https://www.cyberscoop.com/researchers-hack-robots-killer-industrial-machines/
• Hackers can hijack Wi-Fi Hello Barbie to spy on your children, https://www.theguardian.com/technology/2015/nov/26/hackers-can-
hijack-wi-fi-hello-barbie-to-spy-on-your-children
• Hacking Mifare Classic Cards, https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-
Slides.pdf
• Mifare classic-slides, https://de.slideshare.net/nethemba/mifare-classicslides
• 物聯網 BLE 認證機制設計的挑戰 以 Gogoro Smart Scooter 為例, https://hitcon.org/2016/CMT/slide/day1-r0-a-1.pdf
• https://www.owasp.org/images/6/6f/OWASP2017_HackingBLEApplications_TalMelamed.pdf