ATAGTR2017 Security Testing / IoT Testing in Real World

#ATAGTR2017
16th 17th March
Security Testing/ IoT
Testing in Real World
Aditya Upadhya

Agile Testing Alliance Global Testing Retreat 2017
Security testing
Internet Of Things
• Age of Information Warfare

whoami
Name : Aditya Upadhya
Occupation: Information security consultant at Capgemini
Location: Navi Mumbai
OSCP certified

• the interconnection via the Internet of
computing devices embedded in everyday
objects, enabling them to send and receive
data. [Wikipedia]
What is IOT ?

• Experts estimate that the IoT will consist of
almost 50 billion objects by 2020. [Wikipedia]

Almost Everywhere!
• Mobile devices, Health bands, sensors, GPS
• Driverless cars/vehicles
• Drones UAV
• Daily life usage Household electronics (STB, refrigerators,
smart automated home appliances, CCTV etc.)
• Surveillance systems
• Measuring pollution levels, water level alerts, earthquake and
tectonic alerts
• Industries: machine maintenance, tracking assets, quality
check, safety checks, SCADA-PLC systems, smart grids, nuclear
reactors .
• POS machines , ATM, Routers.
• Health industries.
Uses of IOT ?

Threats- IOT

• Smartphone :- If Compromised can makes your location, your
habits, and yourself more predictable , privacy compromised.
• Smart home devices:- can be misused to play pranks, can
make life miserable, or even be used to leverage anonymity of
a hacker to perform illegal activities.
• Driverless cars/vehicles - faulty protocols to failure of security
compliance can be threat, vehicles manipulated controls
overtaken, risk to life.
• Surveillance access:- failure of security compliance,
Information gathering made easy for terrorists if not secure.
• Sensors: that helps during natural calamities if manipulated,
can cause panic among people or reporting false normality in
high alerts can be hazardous.
Threats

• Industrial devices :- nuclear reactor controllers , PLC – SCADA
systems, Smart grid controllers, driverless trains and more
such systems if compromised can cause a great deal of
damage to property and life.
• Healthcare :- an attacker can gain access to PHI and also
manipulate the devices that control drug dosage
• Future :- Nano bots in health cares Who knows ? May be they
can be reprogrammed for malicious intent ?
Threats

Threats

Business loss
• 3.2 million debit cards compromised; SBI, HDFC Bank, ICICI,
YES Bank and Axis worst hit
-Economic times.
• Ransom ware hits, guests locked in rooms hotel had to pay
1500 EU to save people :
http://www.thelocal.at/20170128/hotel-ransomed-by-
hackers-as-guests-locked-in-rooms
Real life events

•Stuxnet – case of attack on iran nuclear reactor
https://en.wikipedia.org/wiki/Stuxnet
•botnets and malwares caused billions of loss
https://en.wikipedia.org/wiki/Mirai_(malware)
The case of mirai botnet made giants like akamai fall on their
knees (internal sources say)
Real life events

•Drones hacked
https://packetstormsecurity.com/news/26287/NASA-Hack-
AnonSec-Attempts-To-Crash-222m-Drone-Release-Secret-
Flight-Videos-And-Employee-Data.html
Real life events

•Cars hacked:
• https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
•https://www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-
hack-remote-control-brakes
Real life events

The Dangers of the Smart Grid
• In 2012, the Department of Homeland Security discovered a
flaw in hardened grid and router provider RuggedCom’s
devices.
• Ukraine power station hacked multiple times
• https://motherboard.vice.com/en_us/article/ukrainian-
power-station-hacking-december-2016-report
Real life events

•Health industry :-
In April 2014, Scott Erven and his team of security
researchers released the results of a two-year study on the
vulnerability of medical devices. They found that they could
remotely manipulate devices, including those that controlled
dosage levels for drug infusion pumps and connected
defibrillators.
•http://www.zdnet.com/article/st-jude-releases-security-patches-for-vulnerable-
cardiac-devices/
http://m.healthcareitnews.com/news/massive-ddos-attack-harnesses-145000-
hacked-iot-devices
https://www.cbinsights.com/blog/iot-healthcare-market-map-company-list/
•Hacking blood pressure monitor
https://www.edusteinhorst.com/hacking-a-blood-pressure-monitor/
Real life events

• Shodan search engine has collection of open
CCTVs, industrial devices, dumb boxes
connected to internet
• Thinkful, censys etc
• https://thingful.net/adityaupadhya
• Demo
Search engines

• In computing, a hacker is any highly skilled computer expert
capable of breaking into computer systems and networks using
bugs and exploits. [Wikipedia]
• A child playing with his remote control car gets curious to know
how it operates so, disintegrates the controller and toy car to
know about it’s working is also a hacker !
Who is a Hacker ?

• IOT security Break into several categories
• Top 10 from owasp is available but top 10 are not everything.
• No standard Methodology can be implemented as IOT is not one
thing or framework.
• Different (IOT)things has different approach
• Analyzing hardware memory devices, wireless devices, and other
components like JTAG, UART debugging interfaces
• After gathering all information you can identify all attack surface,
threat agents and document them.
• Prepare a checklist of testing methods against the device and cross
check with existing ones to identify if some thing is missing.
• Identify vulnerabilities and see if you can exploit further more.
• Research, learn and do more information gathering.
For techies – how to attack ?

• https://github.com/nebgnahz/awesome-iot-hacks
• http://blog.j-michel.org/post/86992432269/from-nand-chip-
to-files
• Metasploit enters IOT
https://community.rapid7.com/community/transpo-
security/blog/2017/02/02/exiting-the-matrix
• Defcon , blackhat, conference archives for reference
some resources

• Ensure CIA compliance
• Secure by design approach to develop
• Changing of default password on first use and strong
password policy
• Strong encryption mechanisms
• Secure application interface
• Firmware upgrades
• Disable remote access whenever not required
• Hardware security
• Network layer security
• Keep eye on latest security updates and patches
For techies – how to defend?

• Keep yourself such abreast of such developments
• Explore insurance options
• Have a robust strategy before rolling out the services that
depends on IOT.
• Lead your security team for attending more and more
world hacking conferences like blackhat, defcon, HITB,
nullcon etc
• Encourage your team mate security testers to explore
and research about IOT, learn new case studies and try to
replicate.
• Encourage them for Technical certifications like OSCP,
OSCE etc.
For CXO

• My personal experience in IPTV set top box
security testing. Was able to stream TV
channels for free using VLC media player and
much more…
Case study

Information gathering- Nmap

MITM

Local storage sqlite files

Local storgae syslog file

UART

SQLi

LFI

Network local storage information

• Started simply with nmap
• Performing Arp poison with mitm revealed
information flying around in GBs
• From analysis we got authentication mechanism,
types of servers and infrastructure design to
some extent
• Analyzing local storage device gave IP, channel,
port, streaming address, SAP, middleware,
backend servers and many other information
Summary

• After having as much as information gathered
as possible time to exploit !
• Found LFI, SQLi, user:pass revealed in mitm,
authentication mechanism easily bypassed,
streaming for free, got ssl pem keys for
infrastructure, access to server possible. (not
shown in poc)
Summary

• Information gathering
• Research
• Analyze
• Attack
• Reform (new 0-day)
• Analyze
• Improvise
• Defend and finally
• Evolve.
Summary

Email: adityapadhya@gmail.com
Questions ?

Thank you

ATAGTR2017 Security Testing / IoT Testing in Real World

More Related Content

What's hot (20)

Similar to ATAGTR2017 Security Testing / IoT Testing in Real World (20)

More from Agile Testing Alliance (20)

Recently uploaded (20)

ATAGTR2017 Security Testing / IoT Testing in Real World