This presentation aims to share working knowledge on how attackers take advantage of connected (IoT) devices to scale their attacks: from hardware to repeatable software exploitation that scales. It gives an X-ray of the current security resilience of some of today's connected devices, the typical challenges developers face today, and a proof-of-concept attack on a "secure" connected camera with critical consequences. Finally, we give valuable takeaways for improving the security of your solutions and avoiding these horrible mistakes.
A couple stories about IoT (in)security
Intro
2017: Over 8.4 billion “things” connected to internet
Fish tank
Img src: https://www.bitdefender.com/box/blog/iot-news/attacker-uses-smart-fish-tank-steal-casino-data/
2018: IoT fish tank
https://www.quora.com/What-is-the-difference-between-the-thinking-of-Programmer-and-Hacker
X-ray of an IoT device
Typical IoT device:
Heart of the device:
• general purpose microcontroller (MCU)
TON of features for extremely low $$$
• WiFi / Bluetooth / ZigBee / memory / …
• Lots of interfaces & sensors
• Feature-packed devkit typically < 20$
IoT Achilles heel: hardware (physical) attacks
• All general purpose MCUs quite vulnerable to hardware attacks (SCA/FI/…)
• Yes, all general purpose MCUs
• Chip vendors know: also offer secure MCUs
The challenge of IoT developers
Putting proper security in devices is not free
• Secure MCUs/protocols/coding standards/… cost money and time
The IoT doom pattern
Time pressure + limited budget + design tradeoffs == bad security practices
(Diagram: IoT developers and security engineers)
Escalating a hardware attack
General purpose MCUs are vulnerable to hardware attacks
Hardware attacks reveal secrets/information about a device
• What if that secret information affects all devices?
• What if that secret information exposes a remote attack path?
• If yes to both: attack SCALES VERY FAST
Repeat forever
Escalating hardware attacks on a generic ES
1 – Hardware attacks expose flaws
• Reverse Engineer
• SCA/FI
• …
2 – Find a remote way to access the flaw
3 – Remote exploitation of flaw
Escalating hardware attacks on IoT devices
1 – Hardware attacks expose flaws: Achilles heel of IoT
• Reverse Engineer
• SCA/FI
• …
2 – Find a remote way to access the flaw: the I in IoT stands for internet
3 – Remote exploitation of flaw: bad security practices
Case 1: IoT camera
• IoT camera bought from China
• 17 euros (~1500 rupees)
• Tons of features
• Wi-Fi connection
• 2-way audio
• HD image
• Motors for rotating the camera
• IR light for night imaging
• Logs data to microSD card
• Phone app for Android & iOS
• …
What can go wrong?
Case 1: IoT camera
Let's open the camera and identify interfaces
Google + a bit of RE:
• Ingenic T10 SoC: heart of the system
• MediaTek MT7601 SoM: Wifi comms
• DoSilicon FM25Q64A: storage for OS (linux)
• Atmel AT24C02 I2C flash: storing camera model and MAC address
• Transistor array: powering the motors
Case 1: IoT camera
The camera runs an OS… can we see it?
• Most embedded systems still have a UART
• Of course, this camera too
(Photo: UART TX and UART RX pins on the board)
Case 1: recap
Camera security fully bypassed & backdoor for free
• These cameras are used typically as baby monitors: privacy violation
• Linux system: can be used for illicit activities, e.g. bitcoin miners
• IoT botnet Mirai almost brought down DNS in parts of the world
Remark: don't access other people's cameras without permission, it is illegal
Case 1: consequences
1 – HW attack: serial port reveals root password
2 – Found telnet: users & config exposed
3 – Access remotely video stream & all config
Case 1: takeaways
Takeaway 1: bad security practices + hardware attack == scalability
• Use strong passwords
• Do a little pentesting, including hardware attacks
• Put firewalls
Takeaway 2: flawed IoT devices == stepping stone for bigger attacks
• Root access to Linux system: enemy in-house
Takeaway 3: proper security is not free; demand proof of security work done
• Evaluation labs are like doctors:
• You can choose not to go
• But if you don't go, prepare for the consequences
• In the IoT realm: consequences can scale really fast
Case 2: AES on IoT device
In a much better world…
• IoT devices have a Secure Development Life Cycle (SDLC)
• Follow security best-practices
• Use strong crypto & protocols
Is it still enough?
Case 2: AES on IoT device
Lots of people solved the software challenges
But very few attempted the SCA and FI challenges
Typical reasons given:
• “The SCA equipment is very expensive”
• “SCA and FI are too difficult”
• “These attacks are only for evaluation labs”
• “I’m allergic to mathematics”
• “I will destroy my device”
Case 2: AES on IoT device
Challenge: Piece of SCAke (available on riscure.com/Github)
Goal
• Get the AES key from the device
Info
• Device has no logic flaws
• The device performs AES encryption of a message
• Then replies the encrypted message
(Diagram: plain text goes in, encrypted message comes out)
Case 2: AES on IoT device
Note: there are SCA/FI attacks for all sorts of crypto
Case 2: AES on IoT device
Side-Channel Attacks (SCA) recipe:
1 – Talk or listen to a device doing crypto (e.g. AES)
2 – Measure power consumption of device doing crypto
3 – SCA program “computes math” with collected data
4 – You get the crypto key
Full detailed walkthrough of this attack using only Open Source software and cheap tools: http://www.riscure.com/gocheap
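Step 3 of the recipe, the part where the SCA program "computes math", as an added example that is not part of the original deck or of the Riscure walkthrough it links: a correlation power analysis (CPA) that recovers one AES key byte from first-round S-box leakage. There is no oscilloscope here, so simulate_traces stands in for steps 1 and 2 with a constructed Hamming-weight leakage model plus Gaussian noise (an assumption, not real measurements); numpy is the only dependency.

```python
import numpy as np

def gen_sbox():
    """Build the AES S-box (GF(2^8) inverse + affine map) instead of pasting a table."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3 (q *= 0xF6)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # affine: rotations...
        sbox[p] = ((x ^ (x >> 8)) ^ 0x63) & 0xFF                # ...folded back to 8 bits
        if p == 1:
            break
    sbox[0] = 0x63                 # 0 has no inverse
    return sbox

SBOX = np.array(gen_sbox(), dtype=np.uint8)
HW = np.array([bin(v).count("1") for v in range(256)])  # Hamming-weight leakage model

def simulate_traces(key_byte, n_traces, n_samples, leak_idx, noise_std, rng):
    """Constructed stand-in for the scope: one sample leaks HW(Sbox[pt ^ key]) in noise."""
    pts = rng.integers(0, 256, size=n_traces, dtype=np.uint8)
    traces = rng.normal(0.0, noise_std, size=(n_traces, n_samples))
    traces[:, leak_idx] += HW[SBOX[pts ^ np.uint8(key_byte)]]
    return pts, traces

def cpa_key_byte(pts, traces):
    """Correlate every key guess's predicted leakage with every sample; best peak wins."""
    t = traces - traces.mean(axis=0)
    t_norm = np.sqrt((t * t).sum(axis=0))
    best = (-1.0, -1)                               # (peak correlation, key guess)
    for k in range(256):
        h = HW[SBOX[pts ^ np.uint8(k)]].astype(float)
        h -= h.mean()
        corr = np.abs(h @ t) / (np.sqrt(h @ h) * t_norm)   # Pearson r per sample
        best = max(best, (corr.max(), k))
    return best[1], best[0]

def demo(key_byte=0x2B, n_traces=1000, seed=7):
    """End-to-end run on constructed data; returns (recovered key byte, peak r)."""
    rng = np.random.default_rng(seed)
    pts, traces = simulate_traces(key_byte, n_traces, 20, 7, 2.0, rng)
    return cpa_key_byte(pts, traces)
```

Call demo() to run it; the noise level, trace count and leaking sample index are all constructed, and lowering n_traces or raising noise_std shows how many measurements the correlation needs before the right key byte stands out from the other 255 guesses.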
Case 2: AES on IoT device
(Diagram: SCA measurement setup: a computer talks to the device, a resistor in the power line feeds the power measurement; the power trace shows the measured power alongside the I/O data)
Case 2: recap
AES cryptographic key revealed
• This allows impersonating the manufacturer / authorized users
• Malicious updates will be indistinguishable from legit updates
• Update a malicious firmware: IoT device as attack tool
• This can also allow decrypting IoT device communications
Case 2: consequences
1 – HW attack: SCA reveals AES master key from devices
2 – All devices share the same master key
3 – Forge signatures, intercept & decrypt traffic, MitM attacks …
Case 2: takeaways
Takeaway 1: sophisticated hardware attacks now affordable for anyone
• Full setup costs less than 50 euro (~4000 rupees)
Takeaway 2: problems are much more persistent than they seem
• Even with good practices, there can be security issues
• But good practices make attack scalability (much) harder
Wrap-up: is there any hope?
The IoT doom pattern will chase us for a long time
• Time pressure + low budget + design tradeoffs == doom
• Bad security practices often let hardware attacks reach global scale
Can you do something now?
Apply mitigations until good security is forced into all IoT devices
• Firewalls, IDS, network segmentation, firmware updates…
• Holistic view for security: look at a system level, not device-level
More info: Thread group, OWASP IoT Project, "Security Engineering" book…
Wrap-up: is there any hope?
Perfect security does not exist, but good enough security does
• Other markets have achieved good security: it is possible
Can you do something now?
• Follow good security practices
• Strong, per-device passwords/keys; proper crypto & protocols
• Don’t use broken stuff
• Follow a good security training course and ask the experts for help
• If you already follow good practices: keep & step up your security game
• Defensive coding, hw protections, …