IoT Security Risks and Challenges

1. IoT Security Risks and Challenges Ankit Giri

2. About Myself Ankit Giri (@aankitgiri) Security Consultant | Security Compass Web, Mobile Application and IoT Security Researcher Bug Hunter (Hall of Fame: EFF, GM, HTC, Sony, Mobikwik, Pagerduty and some more ) Blogger, Orator and an active contributor to OWASP and null Community The Most Viewed Writer in Web application Security, Network Security and Penetration Testing on Quora.

3. What is IoT?  IoT is computing devices that send data, receive date or both on the internet.  The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.  Where do we see it in our daily life? Source: Pubnub

4. Understanding what is IoT security

5. The hardware is to be blamed!  Relatively modern 64-bit x86 CPU cores in IoT devices, they will still be substantially more complex than the smallest ARM cores, and therefore will need more battery power.  Cheap and disposable wearables, appear to be the biggest concern, won’t be powered by such chips. We need more powerful processors, such as Intel Atoms or ARMv8 chips, in smart products, like smart refrigerators or washing machines with touchscreens, but they are impractical for disposable devices with no displays and with limited battery capacity.  The industry needs is more unstandardized devices and more fragmentation.

6. The web application side of it!  TrendNet cameras that exposed a full video feed to anyone who accessed it. In this case, there was enough of a “sign on” interface to make end users believe that only authorized people could access the feeds remotely. However, a hacker group called Console Cowboys quickly demonstrated that the authentication mechanism was just for show.  Challenges: IoT device web applications are that the apps are often on unusual ports (e.g., not 80 for HTTP or 443 for HTTPS), that the apps are sometimes disabled by default, and that different apps (e.g., for device administrators and users, or two different applications) may listen on different ports.

7. The web application side of it!  “Weak authentication,” might thinking of passwords that are easy to guess. Unfortunately, the bar is much lower with many smart devices.  Generally IoT devices are secured with passwords like “1234”, put their password in client-side Java code, send credentials without using HTTPS or other encrypted transports, or require no passwords at all.

8. Insecure Network in IoT devices!  In your modern corporate network, you may think Telnet and FTP are dead, but the IOT smart device world would disagree  August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded Telnet logins.  October 2014 research that demonstrated more than a million deployed routers were vulnerable to misconfigured NAT-PMP services.

9. Insecure Cloud and Mobile interface  Many IoT devices exchange information with an external cloud interface or ask end users to connect to a remote web server to work with their information or devices. In addition to obvious vulnerabilities such as a lack of HTTPS, the OWASP IoT Top Ten list asks you to look for authentication problems such as username harvesting (“user enumeration”) and no lockouts after a number of brute-force guessing attempts.  IoT devices may also act as wireless access points (WAPs).

10. Insecure Software/ Firmware  Real life examples of corrupt update files abound, especially when people use “jailbroken” phones to disable the validation built in to their devices. MITM attacks using insecure update sources, such as the HTTP-based update vulnerability that affected ASUS RT routers in October 2014.  To test whether or not a device is using insecure updates, you generally need to use a proxy or sniffer to watch the data stream for use of secure transport, for example, an online utility called “APK Downloader” lets you download and inspect Android installations and updates on any platform.

11. Physical security of IoT devices Five things to determine if a device’s exposed ports can be used for malicious purposes. These are ease of storage media removal, encryption of stored data, physical protection of USB and similar ports, ease of disassembly and removal or disabling of unnecessary ports.

12. Scope of IoT security  How many IoT devices do you own and use right now? How many does your business use? That’s where the “Internet of NoThings” joke comes from, most people don’t have any. The numbers keep going up, but the average consumer is not buying many, so where is that growth coming from? IoT devices are out there and the numbers are booming, driven by enterprise rather than the consumer market.  Verizon and ABI Research estimate that there were 1.2 billion different devices connected to the internet last year, but by 2020, they expect as many as 5.4 billion B2B IoT connections.

13. IoT specific security assessment Understanding approach

14. IoT specific security assessment How it is a combination of different type assessments:  Web interface  Network services  Secure Transport medium  Cloud and Mobile interface  Insecure Software/Firmware  Physical security

15. HEATHEN: Internet-Of-Things- Pentesting- Framework Heathen is a research project, which automatically help developers and manufacturers build more secure products in the Internet of Things space based on the Open Web Application Security Project (OWASP) by providing a set of features in every fundamental era. -Insecure Web Interface -Insufficient Authentication/Authorization -Insecure Network Services -Lack of Transport Encryption -Privacy Concerns -Insecure Cloud Interface -Insecure Mobile Interface -Insufficient Security Configurability -Insecure Software/Firmware -Poor Physical Security

16. IoT Protocols Rather than trying to fit all of the IoT Protocols on top of existing architecture models like OSI Model, the protocols are segregated into the following layers to provide some level of organization:  Infrastructure (ex: 6LowPAN, IPv4/IPv6, RPL)  Identification (ex: EPC, uCode, IPv6, URIs)  Comms / Transport (ex: Wifi, Bluetooth, LPWAN)  Discovery (ex: Physical Web, mDNS, DNS-SD)  Data Protocols (ex: MQTT, CoAP, AMQP, Websocket, Node)  Device Management (ex: TR-069, OMA-DM)  Semantic (ex: JSON-LD, Web Thing Model)  Multi-layer Frameworks (ex: Alljoyn, IoTivity, Weave, Homekit)

17. Hardsploit: a Framework to audit IoT devices security Hardsploit is a tool with software and electronic aspects. This is a technical and modular plateform (using FPGA) to perform security tests on electronic communications interfaces of embedded devices. It’s a Framework ! “All-in-one tool for Hardware pentest” The main Hardware security audit functions are”  Sniffer,  Scanner,  Proxy,  Interact,  Dump memory

18. Hardsploit: a Framework to audit IoT devices security

19. Hardsploit: a Framework to audit IoT devices security Hard Sploit is a complete tool box (Hardware + Software), a Framework which facilitates the audit of electronic systems Consultant, Auditor, Pentesters, product designer etc. and at the same time increases the level of security (and trust!) of new communicating products designed by industry.

20. Hardsploit: a Framework to audit IoT devices security  Hardsploit Modules will let Hardware pentester to intercept, replay and/or and send data via each type of electronic bus used by the Hardware Target. The Level of interaction that pen-testers will have depend on the electronic bus features…  Hardsploit ‘s modules enable us to analyse all sort of electronic bus (serial and parallel type) JTAG, SPI, I2C‘s, Parallel address & data bus on chip

21. Hardsploit: a Framework to audit IoT devices security It is an assisted visual wiring function to help, easier connect all wires to the Hardware target:  GUI will display the pin organization (Pin OUT) of the targeted chip.  GUI will guide you throughout the wiring process between Hardsploit Connector and the target  GUI will control a set of LED that will be turn ON and OFF to easy let you find the right Hardsploit Pin Connector to connect to your target  The software part of the project will help conducting an end-to-end security audit. It will be compatible (integrated) with existing tools such as Metasploit. The integration with other API is expected to be introduced in future.  The framework is created with an ambition to provide a tool equivalent to those of the company Qualys or Nessus (Vulnerability Scanner) or the Metasploit framework but in the domain of embedded / electronic.

22. the way it has progressed in past few years

23. Available Resources:  https://iot-analytics.com/understanding-iot-security-part-1-iot-security-architecture/  http://resources.infosecinstitute.com/test-security-iot-smart-devices/  http://blog.attify.com/#  http://internetofthingswiki.com/iot-security-issues-challenges-and-solutions/937/  https://hardsploit.io/the-project/  http://electronicdesign.com/iot/understanding-protocols-behind-internet-things  http://www.postscapes.com/internet-of-things-protocols/ *Note: Refer to the links mentioned in the notes section of the slides.

24. Available Resources:  http://resources.infosecinstitute.com/getting-started-with-iot-security-mapping-the-attack- surface/  http://resources.infosecinstitute.com/test-security-iot-smart-devices/  https://www.blackhat.com/eu-16/training/offensive-internet-of-things-iot-exploitation.html  http://www.pentesteracademy.com/course?id=27  http://nullcon.net/website/goa-2017/training/practical-iot-hacking.php  https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project  https://iotsecuritywiki.com/  *Note: Refer to the links mentioned in the notes section of the slides.

25. You can find me here: https://twitter.com/aankitgiri https://www.linkedin.com/in/ankitgiri/ aankitgiri@gmail.com Thank You!

IoT Security Risks and Challenges

OWASP Delhi

IoT Security Risks and Challenges