SlideShare ist ein Scribd-Unternehmen logo

Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)

J
Jakub Botwicz

Presentation about Cotopaxi toolkit from Black Hat Asia 2019 Arsenal session. Author: Jakub Botwicz https://www.blackhat.com/asia-19/arsenal/schedule/index.html#cotopaxi-iot-protocols-security-testing-toolkit-14325

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
Cotopaxi IoT protocols testing toolkit
About the author • Jakub Botwicz Principal Security Engineer at Samsung R&D Institute in Warsaw, Poland • Leads a team of security researchers / pentesters • PhD and MSc at Warsaw University of Technology • 15+ years experience - previously worked as: ‒ Developer/architect for vendor of encryption devices ‒ Security advisor at credit card payment company ‒ Security consultant and manager at Big4 company • Big enthusiast of rock climbing and active volcanoes
Cotopaxi – origin / idea • IoT introduced new protocols: CoAP, DTLS, MQTT and refurbished old protocols: UPnP, SSDP • Lack of security testing tools for IoT protocols (except for MQTT) • Low level of security measures of IoT components and devices • Our team performed assessment of multiple IoT components – results: - tools - corpus of malformed messages - 15+ new vulnerabilities Source: Redbubble sticker: https://ih1.redbubble.net/image.534691174.7627/sticker,375x360-bg,ffffff.u3.png
IoT protocols – Constrained Application Protocol (CoAP) • IoT messaging protocol • Provides all types of HTTP requests in more compact (binary) format • UDP-based – request / response: 2 packets (while TCP smallest req/resp: 9 packets) • Introduces: CONfirmable messages • Without additional protection CoAP servers are vulnerable to DDoS Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
IoT protocols – Datagram Transport Layer Security (DTLS) • UDP-based version of Transport Layer Security • Reuses all message formats from TLS – only protocol version IDs are different • Used as a security layer for all UDP-based protocols • Anti-DDoS measure (Hello Verify Request) is not mandatory and some libraries do not implement it (vulnerability BOTAN_000 test it) Source: Klaus Hartke, Olaf Bergman „Datagram Transport Layer Security in Constrained Environments”
IoT protocols – Multicast DNS (mDNS) / DNS-Service Discovery (DNS-SD) • Discovery of local services: printers, displays • Querying local services using Multicast addresses • Reuse query formats from DNS protocols • Best known as: Apple Bonjour, Zeroconf or Avahi
IoT protocols – Message Queuing Telemetry Transport (MQTT) • Most popular IoT messaging protocol • Publish/Subscribe message delivery by Brokers between Clients Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
Cotopaxi – the name • Active stratovolcano in Ecuador • Elevation: 5,897 m Author: Gerard Prins CC BY-SA 3.0
Cotopaxi – the toolkit • Set of tools for security testing of Internet of Things devices using network IoT protocols • License: GPL-2.0 • Repository: https://github.com/samsung/cotopaxi Source: Rankin Kennedy C.E. (1912) The Book of the Motor Car, Caxton (PD)
Cotopaxi – usage scenarios • For pentesters to: • analyze environments using IoT, Smart-{Home, Factory, City} • find active endpoints using IoT protocols • identify network traffic reflectors (DDoS) • For security researchers to: • perform „black box” testing of IoT devices • identify known security vulnerabilities • For developers or vendors of IoT devices to: • fuzz components or interfaces • test traffic amplification (DDoS)
Cotopaxi – features Reconnaissance: • Service ping – checking availability of network services • Software fingerprinting – recognizing the software used by remote network server • Resource listing „dirbusting” – discovering resources identified by given URLs Pre-exploitation: • Protocol fuzzing – fuzzing implementation of protocol • Amplification sniffing – detecting network traffic amplification • Vulnerability testing – identifying known vulnerabilities
Cotopaxi – IoT protocols • Supported in 1st release: • Constrained Application Protocol (CoAP) • Datagram Transport Layer Security (DTLS) • Multicast DNS (mDNS) / DNS-System Discovery (DNS-SD) • Message Queuing Telemetry Transport (MQTT) • Planned for next releases: • Advanced Message Queuing Protocol (AMQP) • Discovery and Launch (DIAL) • Hyper Text Coffee Pot Control Protocol (HTCPCP) • MQTT-Sensor Networks (MQTT-SN) • Simple Service Discovery Protocol (SSDP) / Universal Plug and Play (uPnP) • Zigbee/Z-Wave
Cotopaxi – testbed • CoAP (10 servers) • aioCoAP • CoAPthon • eCoAP • FreeCoAP • DTLS (9 servers) • Botan • GnuTLS • LibreSSL • mDNS/DNS-SD (2 servers) • Avahi • tinysvcmdns • MQTT (2 servers) • Fluent-bit • Mosquitto • IoTivity • libcoap • MicroCoAP • Moongoose • MatrixSSL • mbedTLS • OpenSSL • CantCoAP • CoAPthon3 • TinyDTLS • OpenSSL • WolfSSL Source: atennies94 by CC BY-ND 2.0 https://www.flickr.com/photos/9266144@N02/1074855647
Cotopaxi feature – „service ping” • Identifies active service endpoints (IPv4/IPv6:port) • Not uses ICMP echo! • For each protocol there is a set of messages that triggers responses in all tested servers e.g. DTLS – Client Hello in all DTLS versions • Better than using standard tools: • nmap does not recognize CoAP and most DTLS servers • wireshark will not recognize protocols servers on non-standard ports • sslyze and similar SSL/TLS tools do not support DTLS
Cotopaxi feature – service ping sudo python -m cotopaxi.service_ping 192.168.1.2 10000-10008,20000-20010,30000-30002 [.] Started service ping [+] Host 192.168.1.2:10000 does NOT respond to MQTT ping (Connect) message [+] Host 192.168.1.2:10000 does NOT respond to mDNS ping message ... [.] Finished service ping (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 138, responses received: 58, 58% message loss, test time: 123236 ms Round-Trip Time (min/avg/max): 11 / 59 / 84 ms ================================================================== Test results: Active endpoints: For Protocol.CoAP: ['192.168.1.2:20000', '192.168.1.2:20002', ... , '192.168.1.2:20009'] Total number of active endpoints: 18 Inactive endpoints: 5
Cotopaxi feature – resource listing (dirbusting) • Equivalent to DirBuster/dirb for CoAP/mDNS or nmap script coap-resources • Uses a list of URIs (for CoAP) or services (for mDNS) • Cotopaxi includes sample lists of resource • User can provide own list of URIs or services
Cotopaxi feature – resource listing (dirbusting) sudo python -m cotopaxi.resource_listing 192.168.1.2 20000-20010 cotopaxi/lists/urls/short_url_list.txt -P CoAP [.] Started resource listing SENT size:9 RECV size:74 AMPLIFICATION FACTOR:722.00% [+] Url |test| received code |2_05| on server 192.168.1.2:20001 for method GET ... [.] Finished resource listing (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 33, responses received: 28, 15% message loss, test time: 7088 ms Round-Trip Time (min/avg/max): 45 / 61 / 115 ms ================================================================== Test results: Active endpoints: For Protocol.CoAP: ['192.168.1.2:20001/test', '192.168.1.2:20002/big'] Total number active endpoints: 2 Inactive endpoints: 20
Cotopaxi feature – service fingerprinting • Detection of software and version used by server • Equivalent to nmap –sV (Service and Application Version Detection) • Uses machine learning classifier • In this version works only for CoAP, DTLS
Cotopaxi feature – service fingerprinting (algorithm) • Preparation of classifier for protocol: 1. Gather all available protocol implementations 2. Generate corpus of packets (payloads) a. Fuzz implementation of protocol using coverage based fuzzer (like afl) b. One of output result is set of payloads causing different execution (queue in afl) 3. For all available implementations: a. Gather responses of for all payloads b. Extract features c. Convert output to format used by Machine Learning tool (ARFF) 4. Train classifier using machine learning (Weka) 5. Implement classifier as Python function
Cotopaxi feature – service fingerprinting (training classifier) Generated classifier: packet_1_type = No | packet_3_type = No | | packet_10_type = No | | | packet_11_options = Content-Format_Empty: smcp (5.0) | | | packet_11_options = ETag: libcoap (5.0) | | packet_10_type = RST: FreeCoAP (5.0) | | packet_10_type = ACK: moongose (5.0) | packet_3_type = Empty: iotivity (5.0) | packet_3_type = ACK | | packet_0_type = No: coap-rs (5.0) | | packet_0_type = ACK: lwm2m (5.0) packet_1_type = RST | packet_9_code = No: aiocoap (5.0) | packet_9_code = Empty: ecoap (5.0) | packet_9_code = 4_00: CoAPthon (5.0) packet_1_type = ACK: microcoap (5.0) Features (ARFF format): @RELATION coap_responses @ATTRIBUTE class {AIOCOAP, COAPTHON, … } @ATTRIBUTE packet_0_type { No, Empty, RST, ACK, CON, NON } @ATTRIBUTE packet_0_code { No, Empty, 2_05, 4_00, 4_01, 4_04, 4_05, 5_00, 5_02, NON } @ATTRIBUTE packet_0_options { No, Empty, Uri-Query_OK, Uri- Query_Unsupported_cri, Uri-Query_CoAP_version_mu, Uri- Query_Method_Not_Allo, Content-Format_Empty, Content- Format_FFFF, ETag } @ATTRIBUTE packet_1_type … @ATTRIBUTE packet_1_code … @ATTRIBUTE packet_1_options … … No – No response from server for this packet Empty – This field was empty
Cotopaxi feature – service fingerprinting sudo python -m cotopaxi.server_fingerprinter 192.168.0.100 20000 -P CoAP [.] Started service fingerprinting [.] Host 192.168.0.100:20000 is alive before test! [.] Host 192.168.0.100:20000 is alive after test! [+] CoAP server 192.168.0.100:20000 is using software: aiocoap [.] Finished service fingerprinting (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 8, responses received: 5, 38% message loss, test time: 3493 ms Round-Trip Time (min/avg/max): 51 / 62 / 83 ms ================================================================== Test results: Identified endpoints:     For Protocol.CoAP: ['192.168.0.100:20000 is using aiocoap'] Total number of identified endpoints: 1 Inactive endpoints: 0
Cotopaxi feature – protocol fuzzer (black-box) • Uses corpus of malformed protocol messages (payloads) prepared with afl (American Fuzzy Loop) • Checks „service ping” before and after sending payload • Allows to use own corpus of payloads and integrate with mutating fuzzer • In verbose mode displays payload and response packet • Calculates RTT for payloads with responses and displays Top 10% - potentially interesting because of longest processing on server Protocol CoAP DTLS mDNS/ DNS-SD MQTT Size of corpus 557 395 77 285
Cotopaxi feature – protocol fuzzer [+] Started fuzzing payload (nr: 395): dtls_corpus/id:000360,sync:fuzzer_tinydtls_slave_laf-1,src:000379 Request: ###[ DTLS Record ]### content_type= handshake version = DTLS_1_1 ------------------------------------------------------------ Response: ###[ DTLS Record ]### content_type= handshake version = DTLS_1_1 … Payloads with longest Round-Trip Time (RTT): RTT (sec) | Payload -------------------------------------------------------------------------------- 0.08722 | dtls_corpus/id:000206,src:000168,op:arith8,pos:840,val:+27,+cov 0.08630 | dtls_corpus/id:000362,sync:fuzzer_tinydtls_slave_laf-1,src:000373
Cotopaxi feature – protocol fuzzer (cont.) …. ================================================================== Test statistics: Messages sent: 795, responses received: 732, 8% message loss, test time: 169906 ms Round-Trip Time (min/avg/max): 35 / 55 / 131 ms ================================================================== Test results: Payloads causing crash: For Protocol.DTLS: ['192.168.0.100:10004 - payload: id:000308,sync:fuzzer_tinydtls_slave_laf- 1,src:000303,+cov']
Cotopaxi feature – vulnerability tester • Types of vulnerabilities: • crash (DoS) – leads to crash of server (detected by service ping) • traffic amplification (for DDoS) – responses larger than request • memory leak – server wastes memory after processing payload (requires manual confirmation) • remote code execution (currently only detected as crashes) Vulnerab ility Type Protocol CoAP DTLS mDNS/ DNS-SD MQTT Crash 5 4 1 1 Traffic Amplification 1 1 Memory Leak 1 Remote Code Execution 2 1 TOTAL* 7 5 3 2 * 2 vulnerabilities are currently in responsible disclosure process
Cotopaxi feature – vulnerability tester • Example vulnerabilities found by our team and supported by Cotopaxi • CVE-2019-9747 tinysvcmdns mDNS server goes into infinite loop after receiving DNS query with recursive referenced names • CVE-2019-9004 Wakaama CoAP server leaks (wastes) 24 bytes per each crafted packet • CVE-2019-9750 IoTivity CoAP server responds with 6 error messages Source: Grasshopper shot near Miles City Mont. C. 1937 Coles Studio Glassgow Mont
Cotopaxi feature – vulnerability tester sudo python -m cotopaxi.vulnerability_tester 192.168.1.2 10000 –cve CVE-2019-9004 –vuln FLUENTBIT_000 –P DTLS [.] Started vulnerability testing [+] Server 192.168.0.100:30000 is NOT vulnerable to FLUENTBIT_000 [+] Server 192.168.0.100:30002 is probably vulnerable to FLUENTBIT_000 [.] Finished vulnerability testing (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 7, responses received: 4, 43% message loss, test time: 1100 ms Round-Trip Time (min/avg/max): 5 / 21 / 43 ms ================================================================== Test results: Vulnerable endpoints: For Protocol.MQTT: ['192.168.0.100:30002 - vuln: FLUENTBIT_000'] Total number of vulnerable endpoints: 1 Invulnerable endpoints: 1
Cotopaxi feature – amplification sniffer • Sniffs for all packets incoming to and outgoing from specified target • Target is defined by IPv4 or IPv6 address and optionally port • Calculates amplification factor (size_out/size_in - 1) • Tracks req/resp with highest amplification factor and display record on exit • Should be placed on router or use network tap to see all traffic to/from target
DDoS attack via IP Spoofing and Traffic Amplification Vulnerable IoT devices Source: Austin Brooks „NTP DDoS Vulnerability” • Identified amplifiers-reflectors: • CoAP • every request with large response e.g. CoAPthon example /big • IoTivity 4.04 6x repeated response IOTIVITY_000 issue in tester • DTLS • every DTLS server without Hello Verify Request e.g. Botan_000 issue in tester
Cotopaxi feature – amplifier detector sudo python -m cotopaxi.amplifier_detector 192.168.0.100 [.] Starting sniffing with filter: udp and host 192.168.0.100 TARGET: 192.168.0.100 | TO TARGET packets: 3, bytes: 165 | FROM TARGET packets: 1, bytes: 60 | AMPLIF FAC TOR: -64.00% TARGET: 192.168.0.100 | TO TARGET packets: 6, bytes: 311 | FROM TARGET packets: 3, bytes: 180 | AMPLIF FA CTOR: -43.00% [.] Finished sniffing Highest amplify packet factor: 30%  TO TARGET: ###[ Ethernet ]###   dst       = ….   src       = ….   type      = 0x800 ###[ IP ]###      version   = 4L … FROM TARGET: ###[ Ethernet ]###   dst       = ….  
Cotopaxi – common usage details • Destination addresses: set or range of IPv4, IPv6 addresses • Destination port: set or range of ports • Protocol: ALL or subset of CoAP, DTLS, mDNS, MQTT • Ignore Ping: -Pn • Verbose mode: -V (more messages)

Empfohlen

IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guidelcplcp1
 
IoT - Attacks and Solutions
IoT - Attacks and SolutionsIoT - Attacks and Solutions
IoT - Attacks and SolutionsUlf Mattsson
 
Topics in network security
Topics in network securityTopics in network security
Topics in network securityNasir Bhutta
 
Hacking Internet of Things (IoT)
Hacking Internet of Things (IoT)Hacking Internet of Things (IoT)
Hacking Internet of Things (IoT)SecPod Technologies
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network DesignConferencias FIST
 
VTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notesVTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notesJayanth Dwijesh H P
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 

Empfohlen

IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guidelcplcp1
 
IoT - Attacks and Solutions
IoT - Attacks and SolutionsIoT - Attacks and Solutions
IoT - Attacks and SolutionsUlf Mattsson
 
Topics in network security
Topics in network securityTopics in network security
Topics in network securityNasir Bhutta
 
Hacking Internet of Things (IoT)
Hacking Internet of Things (IoT)Hacking Internet of Things (IoT)
Hacking Internet of Things (IoT)SecPod Technologies
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network DesignConferencias FIST
 
VTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notesVTU network security(10 ec832) unit 6 notes
VTU network security(10 ec832) unit 6 notesJayanth Dwijesh H P
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 
IOT Security
IOT SecurityIOT Security
IOT SecuritySylvain Martinez
 
Iot Security
Iot SecurityIot Security
Iot SecurityMAITREYA MISRA
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜Retrieva inc.
 
iot unit1.pdf
iot unit1.pdfiot unit1.pdf
iot unit1.pdfshrutinandanwar6
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTSKS
 
Computer Worms
Computer WormsComputer Worms
Computer Wormssadique_ghitm
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTUniversity of Ontario Institute of Technology (UOIT)
 
Network Design and Security Best Practices
Network Design and Security Best PracticesNetwork Design and Security Best Practices
Network Design and Security Best PracticesMike Sherwood
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Internet of Things - module 1
Internet of Things - module 1Internet of Things - module 1
Internet of Things - module 1Syed Mustafa
 
Public Key Authentication With SSH
Public Key Authentication With SSHPublic Key Authentication With SSH
Public Key Authentication With SSHDon Norwood
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)Sanjay Kumar (Seeking options outside India)
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會 Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會 Jason Cheng
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdfNdheh
 
Types of attacks
Types of attacksTypes of attacks
Types of attacksVivek Gandhi
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repotKunal Thakur
 
IoT Design Principles
IoT Design PrinciplesIoT Design Principles
IoT Design Principlesardexateam
 
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Jakub Botwicz
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisAxel Rennoch
 

Weitere ähnliche Inhalte

Was ist angesagt?

コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜Retrieva inc.
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTSKS
 
Network Design and Security Best Practices
Network Design and Security Best PracticesNetwork Design and Security Best Practices
Network Design and Security Best PracticesMike Sherwood
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Internet of Things - module 1
Internet of Things - module 1Internet of Things - module 1
Internet of Things - module 1Syed Mustafa
 
Public Key Authentication With SSH
Public Key Authentication With SSHPublic Key Authentication With SSH
Public Key Authentication With SSHDon Norwood
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會 Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會 Jason Cheng
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdfNdheh
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repotKunal Thakur
 
IoT Design Principles
IoT Design PrinciplesIoT Design Principles
IoT Design Principlesardexateam
 

Was ist angesagt? (20)

IOT Security
IOT SecurityIOT Security
IOT Security
 
Iot Security
Iot SecurityIot Security
Iot Security
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
 
iot unit1.pdf
iot unit1.pdfiot unit1.pdf
iot unit1.pdf
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOT
 
Network Design and Security Best Practices
Network Design and Security Best PracticesNetwork Design and Security Best Practices
Network Design and Security Best Practices
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
Internet of Things - module 1
Internet of Things - module 1Internet of Things - module 1
Internet of Things - module 1
 
Public Key Authentication With SSH
Public Key Authentication With SSHPublic Key Authentication With SSH
Public Key Authentication With SSH
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
 
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會 Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會
Proxmox VE & BS 備份與備援策略設計 [2020/12/26] @Proxmox VE 中文使用者社團 2020 年會
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
 
IoT Design Principles
IoT Design PrinciplesIoT Design Principles
IoT Design Principles
 

Ähnlich wie Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)

Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Jakub Botwicz
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisAxel Rennoch
 
Network-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQNetwork-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQICS
 
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...Mullaiselvan Mohan
 
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxM.Qasim Arham
 
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021StreamNative
 
Using open source for IoT
Using open source for IoTUsing open source for IoT
Using open source for IoTIan Skerrett
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
 
End-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTEnd-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTBenjamin Cabé
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Puppet
 
Enabling 5G through end-to-end wireless and optical orchestration
Enabling 5G through end-to-end wireless and optical orchestrationEnabling 5G through end-to-end wireless and optical orchestration
Enabling 5G through end-to-end wireless and optical orchestrationJohann Marquez-Barja
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Pulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computingPulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computingTimothy Spann
 
Opentelemetry - From frontend to backend
Opentelemetry - From frontend to backendOpentelemetry - From frontend to backend
Opentelemetry - From frontend to backendSebastian Poxhofer
 
Devoxx 2015 - Building the Internet of Things with Eclipse IoT
Devoxx 2015 - Building the Internet of Things with Eclipse IoTDevoxx 2015 - Building the Internet of Things with Eclipse IoT
Devoxx 2015 - Building the Internet of Things with Eclipse IoTBenjamin Cabé
 
Tungsten Fabric Overview
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric OverviewMichelle Holley
 
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Marcin Bielak
 
Developing Realtime Data Pipelines With Apache Kafka
Developing Realtime Data Pipelines With Apache KafkaDeveloping Realtime Data Pipelines With Apache Kafka
Developing Realtime Data Pipelines With Apache KafkaJoe Stein
 

Ähnlich wie Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal) (20)

Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysis
 
Network-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQNetwork-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQ
 
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
 
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptx
 
Introduction to ns3
Introduction to ns3Introduction to ns3
Introduction to ns3
 
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
 
Using open source for IoT
Using open source for IoTUsing open source for IoT
Using open source for IoT
 
Resume
ResumeResume
Resume
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
End-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTEnd-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoT
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
 
Enabling 5G through end-to-end wireless and optical orchestration
Enabling 5G through end-to-end wireless and optical orchestrationEnabling 5G through end-to-end wireless and optical orchestration
Enabling 5G through end-to-end wireless and optical orchestration
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Pulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computingPulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computing
 
Opentelemetry - From frontend to backend
Opentelemetry - From frontend to backendOpentelemetry - From frontend to backend
Opentelemetry - From frontend to backend
 
Devoxx 2015 - Building the Internet of Things with Eclipse IoT
Devoxx 2015 - Building the Internet of Things with Eclipse IoTDevoxx 2015 - Building the Internet of Things with Eclipse IoT
Devoxx 2015 - Building the Internet of Things with Eclipse IoT
 
Tungsten Fabric Overview
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric Overview
 
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
 
Developing Realtime Data Pipelines With Apache Kafka
Developing Realtime Data Pipelines With Apache KafkaDeveloping Realtime Data Pipelines With Apache Kafka
Developing Realtime Data Pipelines With Apache Kafka
 

Kürzlich hochgeladen

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)

  • 2. About the author • Jakub Botwicz Principal Security Engineer at Samsung R&D Institute in Warsaw, Poland • Leads a team of security researchers / pentesters • PhD and MSc at Warsaw University of Technology • 15+ years experience - previously worked as: ‒ Developer/architect for vendor of encryption devices ‒ Security advisor at credit card payment company ‒ Security consultant and manager at Big4 company • Big enthusiast of rock climbing and active volcanoes
  • 3. Cotopaxi – origin / idea • IoT introduced new protocols: CoAP, DTLS, MQTT and refurbished old protocols: UPnP, SSDP • Lack of security testing tools for IoT protocols (except for MQTT) • Low level of security measures of IoT components and devices • Our team performed assessment of multiple IoT components – results: - tools - corpus of malformed messages - 15+ new vulnerabilities Source: Redbubble sticker: https://ih1.redbubble.net/image.534691174.7627/sticker,375x360-bg,ffffff.u3.png
  • 4. IoT protocols – Constrained Application Protocol (CoAP) • IoT messaging protocol • Provides all types of HTTP requests in more compact (binary) format • UDP-based – request / response: 2 packets (while TCP smallest req/resp: 9 packets) • Introduces: CONfirmable messages • Without additional protection CoAP servers are vulnerable to DDoS Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
  • 5. IoT protocols – Datagram Transport Layer Security (DTLS) • UDP-based version of Transport Layer Security • Reuses all message formats from TLS – only protocol version IDs are different • Used as a security layer for all UDP-based protocols • Anti-DDoS measure (Hello Verify Request) is not mandatory and some libraries do not implement it (vulnerability BOTAN_000 test it) Source: Klaus Hartke, Olaf Bergman „Datagram Transport Layer Security in Constrained Environments”
  • 6. IoT protocols – Multicast DNS (mDNS) / DNS-Service Discovery (DNS-SD) • Discovery of local services: printers, displays • Querying local services using Multicast addresses • Reuse query formats from DNS protocols • Best known as: Apple Bonjour, Zeroconf or Avahi
  • 7. IoT protocols – Message Queuing Telemetry Transport (MQTT) • Most popular IoT messaging protocol • Publish/Subscribe message delivery by Brokers between Clients Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
  • 8. Cotopaxi – the name • Active stratovolcano in Ecuador • Elevation: 5,897 m Author: Gerard Prins CC BY-SA 3.0
  • 9. Cotopaxi – the toolkit • Set of tools for security testing of Internet of Things devices using network IoT protocols • License: GPL-2.0 • Repository: https://github.com/samsung/cotopaxi Source: Rankin Kennedy C.E. (1912) The Book of the Motor Car, Caxton (PD)
  • 10. Cotopaxi – usage scenarios • For pentesters to: • analyze environments using IoT, Smart-{Home, Factory, City} • find active endpoints using IoT protocols • identify network traffic reflectors (DDoS) • For security researchers to: • perform „black box” testing of IoT devices • identify known security vulnerabilities • For developers or vendors of IoT devices to: • fuzz components or interfaces • test traffic amplification (DDoS)
  • 11. Cotopaxi – features Reconnaissance: • Service ping – checking availability of network services • Software fingerprinting – recognizing the software used by remote network server • Resource listing „dirbusting” – discovering resources identified by given URLs Pre-exploitation: • Protocol fuzzing – fuzzing implementation of protocol • Amplification sniffing – detecting network traffic amplification • Vulnerability testing – identifying known vulnerabilities
  • 12. Cotopaxi – IoT protocols • Supported in 1st release: • Constrained Application Protocol (CoAP) • Datagram Transport Layer Security (DTLS) • Multicast DNS (mDNS) / DNS-System Discovery (DNS-SD) • Message Queuing Telemetry Transport (MQTT) • Planned for next releases: • Advanced Message Queuing Protocol (AMQP) • Discovery and Launch (DIAL) • Hyper Text Coffee Pot Control Protocol (HTCPCP) • MQTT-Sensor Networks (MQTT-SN) • Simple Service Discovery Protocol (SSDP) / Universal Plug and Play (uPnP) • Zigbee/Z-Wave
  • 13. Cotopaxi – testbed • CoAP (10 servers) • aioCoAP • CoAPthon • eCoAP • FreeCoAP • DTLS (9 servers) • Botan • GnuTLS • LibreSSL • mDNS/DNS-SD (2 servers) • Avahi • tinysvcmdns • MQTT (2 servers) • Fluent-bit • Mosquitto • IoTivity • libcoap • MicroCoAP • Moongoose • MatrixSSL • mbedTLS • OpenSSL • CantCoAP • CoAPthon3 • TinyDTLS • OpenSSL • WolfSSL Source: atennies94 by CC BY-ND 2.0 https://www.flickr.com/photos/9266144@N02/1074855647
  • 14. Cotopaxi feature – „service ping” • Identifies active service endpoints (IPv4/IPv6:port) • Not uses ICMP echo! • For each protocol there is a set of messages that triggers responses in all tested servers e.g. DTLS – Client Hello in all DTLS versions • Better than using standard tools: • nmap does not recognize CoAP and most DTLS servers • wireshark will not recognize protocols servers on non-standard ports • sslyze and similar SSL/TLS tools do not support DTLS
  • 15. Cotopaxi feature – service ping sudo python -m cotopaxi.service_ping 192.168.1.2 10000-10008,20000-20010,30000-30002 [.] Started service ping [+] Host 192.168.1.2:10000 does NOT respond to MQTT ping (Connect) message [+] Host 192.168.1.2:10000 does NOT respond to mDNS ping message ... [.] Finished service ping (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 138, responses received: 58, 58% message loss, test time: 123236 ms Round-Trip Time (min/avg/max): 11 / 59 / 84 ms ================================================================== Test results: Active endpoints: For Protocol.CoAP: ['192.168.1.2:20000', '192.168.1.2:20002', ... , '192.168.1.2:20009'] Total number of active endpoints: 18 Inactive endpoints: 5
  • 16. Cotopaxi feature – resource listing (dirbusting) • Equivalent to DirBuster/dirb for CoAP/mDNS or nmap script coap-resources • Uses a list of URIs (for CoAP) or services (for mDNS) • Cotopaxi includes sample lists of resource • User can provide own list of URIs or services
  • 17. Cotopaxi feature – resource listing (dirbusting) sudo python -m cotopaxi.resource_listing 192.168.1.2 20000-20010 cotopaxi/lists/urls/short_url_list.txt -P CoAP [.] Started resource listing SENT size:9 RECV size:74 AMPLIFICATION FACTOR:722.00% [+] Url |test| received code |2_05| on server 192.168.1.2:20001 for method GET ... [.] Finished resource listing (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 33, responses received: 28, 15% message loss, test time: 7088 ms Round-Trip Time (min/avg/max): 45 / 61 / 115 ms ================================================================== Test results: Active endpoints: For Protocol.CoAP: ['192.168.1.2:20001/test', '192.168.1.2:20002/big'] Total number active endpoints: 2 Inactive endpoints: 20
  • 18. Cotopaxi feature – service fingerprinting • Detection of software and version used by server • Equivalent to nmap –sV (Service and Application Version Detection) • Uses machine learning classifier • In this version works only for CoAP, DTLS
  • 19. Cotopaxi feature – service fingerprinting (algorithm) • Preparation of classifier for protocol: 1. Gather all available protocol implementations 2. Generate corpus of packets (payloads) a. Fuzz implementation of protocol using coverage based fuzzer (like afl) b. One of output result is set of payloads causing different execution (queue in afl) 3. For all available implementations: a. Gather responses of for all payloads b. Extract features c. Convert output to format used by Machine Learning tool (ARFF) 4. Train classifier using machine learning (Weka) 5. Implement classifier as Python function
  • 20. Cotopaxi feature – service fingerprinting (training classifier) Generated classifier: packet_1_type = No | packet_3_type = No | | packet_10_type = No | | | packet_11_options = Content-Format_Empty: smcp (5.0) | | | packet_11_options = ETag: libcoap (5.0) | | packet_10_type = RST: FreeCoAP (5.0) | | packet_10_type = ACK: moongose (5.0) | packet_3_type = Empty: iotivity (5.0) | packet_3_type = ACK | | packet_0_type = No: coap-rs (5.0) | | packet_0_type = ACK: lwm2m (5.0) packet_1_type = RST | packet_9_code = No: aiocoap (5.0) | packet_9_code = Empty: ecoap (5.0) | packet_9_code = 4_00: CoAPthon (5.0) packet_1_type = ACK: microcoap (5.0) Features (ARFF format): @RELATION coap_responses @ATTRIBUTE class {AIOCOAP, COAPTHON, … } @ATTRIBUTE packet_0_type { No, Empty, RST, ACK, CON, NON } @ATTRIBUTE packet_0_code { No, Empty, 2_05, 4_00, 4_01, 4_04, 4_05, 5_00, 5_02, NON } @ATTRIBUTE packet_0_options { No, Empty, Uri-Query_OK, Uri- Query_Unsupported_cri, Uri-Query_CoAP_version_mu, Uri- Query_Method_Not_Allo, Content-Format_Empty, Content- Format_FFFF, ETag } @ATTRIBUTE packet_1_type … @ATTRIBUTE packet_1_code … @ATTRIBUTE packet_1_options … … No – No response from server for this packet Empty – This field was empty
  • 21. Cotopaxi feature – service fingerprinting sudo python -m cotopaxi.server_fingerprinter 192.168.0.100 20000 -P CoAP [.] Started service fingerprinting [.] Host 192.168.0.100:20000 is alive before test! [.] Host 192.168.0.100:20000 is alive after test! [+] CoAP server 192.168.0.100:20000 is using software: aiocoap [.] Finished service fingerprinting (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 8, responses received: 5, 38% message loss, test time: 3493 ms Round-Trip Time (min/avg/max): 51 / 62 / 83 ms ================================================================== Test results: Identified endpoints:     For Protocol.CoAP: ['192.168.0.100:20000 is using aiocoap'] Total number of identified endpoints: 1 Inactive endpoints: 0
  • 22. Cotopaxi feature – protocol fuzzer (black-box) • Uses corpus of malformed protocol messages (payloads) prepared with afl (American Fuzzy Loop) • Checks „service ping” before and after sending payload • Allows to use own corpus of payloads and integrate with mutating fuzzer • In verbose mode displays payload and response packet • Calculates RTT for payloads with responses and displays Top 10% - potentially interesting because of longest processing on server Protocol CoAP DTLS mDNS/ DNS-SD MQTT Size of corpus 557 395 77 285
  • 23. Cotopaxi feature – protocol fuzzer [+] Started fuzzing payload (nr: 395): dtls_corpus/id:000360,sync:fuzzer_tinydtls_slave_laf-1,src:000379 Request: ###[ DTLS Record ]### content_type= handshake version = DTLS_1_1 ------------------------------------------------------------ Response: ###[ DTLS Record ]### content_type= handshake version = DTLS_1_1 … Payloads with longest Round-Trip Time (RTT): RTT (sec) | Payload -------------------------------------------------------------------------------- 0.08722 | dtls_corpus/id:000206,src:000168,op:arith8,pos:840,val:+27,+cov 0.08630 | dtls_corpus/id:000362,sync:fuzzer_tinydtls_slave_laf-1,src:000373
  • 24. Cotopaxi feature – protocol fuzzer (cont.) …. ================================================================== Test statistics: Messages sent: 795, responses received: 732, 8% message loss, test time: 169906 ms Round-Trip Time (min/avg/max): 35 / 55 / 131 ms ================================================================== Test results: Payloads causing crash: For Protocol.DTLS: ['192.168.0.100:10004 - payload: id:000308,sync:fuzzer_tinydtls_slave_laf- 1,src:000303,+cov']
  • 25. Cotopaxi feature – vulnerability tester • Types of vulnerabilities: • crash (DoS) – leads to crash of server (detected by service ping) • traffic amplification (for DDoS) – responses larger than request • memory leak – server wastes memory after processing payload (requires manual confirmation) • remote code execution (currently only detected as crashes) Vulnerab ility Type Protocol CoAP DTLS mDNS/ DNS-SD MQTT Crash 5 4 1 1 Traffic Amplification 1 1 Memory Leak 1 Remote Code Execution 2 1 TOTAL* 7 5 3 2 * 2 vulnerabilities are currently in responsible disclosure process
  • 26. Cotopaxi feature – vulnerability tester • Example vulnerabilities found by our team and supported by Cotopaxi • CVE-2019-9747 tinysvcmdns mDNS server goes into infinite loop after receiving DNS query with recursive referenced names • CVE-2019-9004 Wakaama CoAP server leaks (wastes) 24 bytes per each crafted packet • CVE-2019-9750 IoTivity CoAP server responds with 6 error messages Source: Grasshopper shot near Miles City Mont. C. 1937 Coles Studio Glassgow Mont
  • 27. Cotopaxi feature – vulnerability tester sudo python -m cotopaxi.vulnerability_tester 192.168.1.2 10000 –cve CVE-2019-9004 –vuln FLUENTBIT_000 –P DTLS [.] Started vulnerability testing [+] Server 192.168.0.100:30000 is NOT vulnerable to FLUENTBIT_000 [+] Server 192.168.0.100:30002 is probably vulnerable to FLUENTBIT_000 [.] Finished vulnerability testing (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 7, responses received: 4, 43% message loss, test time: 1100 ms Round-Trip Time (min/avg/max): 5 / 21 / 43 ms ================================================================== Test results: Vulnerable endpoints: For Protocol.MQTT: ['192.168.0.100:30002 - vuln: FLUENTBIT_000'] Total number of vulnerable endpoints: 1 Invulnerable endpoints: 1
  • 28. Cotopaxi feature – amplification sniffer • Sniffs for all packets incoming to and outgoing from specified target • Target is defined by IPv4 or IPv6 address and optionally port • Calculates amplification factor (size_out/size_in - 1) • Tracks req/resp with highest amplification factor and display record on exit • Should be placed on router or use network tap to see all traffic to/from target
  • 29. DDoS attack via IP Spoofing and Traffic Amplification Vulnerable IoT devices Source: Austin Brooks „NTP DDoS Vulnerability” • Identified amplifiers-reflectors: • CoAP • every request with large response e.g. CoAPthon example /big • IoTivity 4.04 6x repeated response IOTIVITY_000 issue in tester • DTLS • every DTLS server without Hello Verify Request e.g. Botan_000 issue in tester
  • 30. Cotopaxi feature – amplifier detector sudo python -m cotopaxi.amplifier_detector 192.168.0.100 [.] Starting sniffing with filter: udp and host 192.168.0.100 TARGET: 192.168.0.100 | TO TARGET packets: 3, bytes: 165 | FROM TARGET packets: 1, bytes: 60 | AMPLIF FAC TOR: -64.00% TARGET: 192.168.0.100 | TO TARGET packets: 6, bytes: 311 | FROM TARGET packets: 3, bytes: 180 | AMPLIF FA CTOR: -43.00% [.] Finished sniffing Highest amplify packet factor: 30%  TO TARGET: ###[ Ethernet ]###   dst       = ….   src       = ….   type      = 0x800 ###[ IP ]###      version   = 4L … FROM TARGET: ###[ Ethernet ]###   dst       = ….  
  • 31. Cotopaxi – common usage details • Destination addresses: set or range of IPv4, IPv6 addresses • Destination port: set or range of ports • Protocol: ALL or subset of CoAP, DTLS, mDNS, MQTT • Ignore Ping: -Pn • Verbose mode: -V (more messages)