IOT Security FUN-damental
Download as PPTX, PDF3 likes425 views
The document outlines the fundamental security issues in Internet of Things (IoT) systems from an offensive cyber security perspective, highlighting the risks associated with smart technologies in future urban and industrial environments. Key concerns include authentication, authorization, secure updates, and data validation, as well as vulnerabilities such as weak passwords and insecure communication. The author emphasizes the importance of a robust security framework to address distinct technological challenges and the layered architecture of IoT ecosystems.
![THANK YOU
xathrya [at] reversing.id
https://xathrya.id
xathrya
@xathrya
xathrya](https://image.slidesharecdn.com/presentation-200414155621/85/IOT-Security-FUN-damental-29-320.jpg)
IOT Security FUN-damental
- 1. IOT SECURITY FUN-DAMENTAL AN OFFENSIVE PERSPECTIVE Cyber Sec Satria Ady Pradana April 14th, 2020
- 2. 2 Who am I? Satria Ady Pradana Ordinary Cyber Security Guy • Cyber Security Consultant of Mitra Integrasi Informatika • Penetration Tester, Red Team • IoT / OT Cyber Security Special Interest Group • Community Leader of Reversing.ID • Love Low-Level Stuffs xathrya @xathrya xathrya
- 3. Imagine in (Near) Future …
- 4. Smart City
- 5. SmartHome
- 9. DISASTROUS Cause irreversible damage DISRUPTIVE Disrupt operational processes. DAMAGING Enable information stealing Danger Classification
- 10. 10 Authentication: how to prove identities claimed by devices or users? Authorization: what set of actions a user can do? Update: how do we upgrade the system or part of it? communication: • how do we ensure no one can read or modify the messages? • how do we detect and response to disruption the communication channel? Data: how do we ensure the generated data are valid? Security Issues
- 11. 11 2018 Weak Guessable or Hardcoded Passwords Insecure Network Services Insecure Ecosystem Interfaces Lack of Secure Update Mechanism Insufficient Privacy Protection Insecure Data Transfer and Storage Lack of Device Management Insecure Default Settings Lack of Physical Hardening Internet of Things
- 12. Security on IoT is a serious concern … Development Monitoring Assessment
- 13. Unique Approach Rapid growth, massive volume. Distinctive technology. Wide range of implementations. Multilayered stacks. End to end system. Web protocol technology. Embedded systems Knowledge Needed Cyber Sec
- 14. 14 • Nodes • Edge Gateway • Cloud Gateway • Data storage • Analytics • User business Cyber Sec
- 15. 15 Integrated Testing for IoT Ecosystem Things Network Compute Cyber Sec
- 16. THINGS Devices | Sensors | Machines MII CYBERSEC 16
- 17. 17 DEFINE: The Things • Programmable machine built for specific purpose(s) • Sense physical events in surrounding. • Control the connected peripherals. • Adaptive actions, based on the dynamic of events and commands. • Able to communicate with peers and servers, directly or indirectly. a.k.a Embedded Systems Not all devices are qualified to be “things”
- 18. 18 ATTACK: The Things • Change Behavior • Take Over • Disable Physical or Logical Goal Techniques • Exploitation (memory corruption, race condition, etc.) • Injection (command or telemetry) • Code Rewrite (firmware replace or downgrade) • Side-Channel (timing, hardware glitching, power analysis) • Hardcoded secret
- 19. 19 FirmwareMost common Analysis Target Bare Metal Firmware Full-Stack Firmware • Single program • No operating system • Direct access and full control of low level hardware • Primitive operations. • Typically used for specific hardware. • One or more application • Include embedded OS (ex: linux) • Higher level of operations • Typically used
- 20. NETWORK Data | Protocol | Media 20MII CYBERSEC
- 21. 21 DEFINE: The Network • Medium for connection. • Over the air • Over the wire • Uniquely addressing the things by identity. • Protocol for data transport.
- 22. 22 ATTACK: The Network • Disrupt communication Goal Techniques • Replay Attack • Spoofing • Packet Tampering • Jamming or Flooding
- 23. 23 Communication Data Transmissions Wireless Wired • WiFi (IEEE 802.11) • Bluetooth • ZigBee • LoRaWAN • Cellular (GSM, LTE) • Z-Wave • Sigfox • Ethernet (IEEE 802.3) • USB • RS-232 • UART
- 24. 24 Messaging Data Transport and Format • MQTT (Message Queue Telemetry Transport) • CoAP (Constrained Application Protocol) • DDS (Data Distribution Service) • AMQP (Advanced Queuing Protocol)
- 25. COMPUTE Storage | Analysis | Visualization 25MII CYBERSEC
- 26. 26 DEFINE: The Compute • Aggregate and store all data generated by things. • Process and analyze the data. • Visualize the data, based on certain rules. • Control the things Web Applications | Web Service | Mobile Application
- 27. 27 ATTACK: The Compute • Take Over • Data Exfiltration • Data Modification Goal Techniques • Injections • Command • Query • Telemetry • Broken Session • Data Poisoning
- 28. REFERENCES 28 • https://scriptingxss.gitbook.io/firmware-security-testing-methodology/ • https://github.com/ReversingID/Awesome-Reversing/ • https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10
- 29. THANK YOU xathrya [at] reversing.id https://xathrya.id xathrya @xathrya xathrya
Editor's Notes
- #4: Imagine in near future, we live in era …
- #5: Smart City: city infused with technology to improve living experience Features: street light: public lighting adapts, dims when no activity and brighten up when detecting motion traffic light: coordinate with cluster of traffic light to regulate the traffics. Results: Get information of how city is functioning in real time Predicts how crowd react to something
- #6: Smart Home: living area with connected technology meant to enhance the home adapts the room temperature based on people inside. detect visitor and devise countermeasure for uninvited guests dish suggestion based on available ingredients and reminding for restocking the supply (or even contact the vendor automatically).
- #7: Features: Get the current condition of machine Detect anomaly of production machine Coordinated goods transporting between warehouse and machine. Results: Predict machine wear off
- #8: Features: Automatic plant watering Soil condition monitoring Results: * Efficient soil treatment
- #10: Function failure -> can happen to any system. Failure can lead to danger. What if the failure can be intentionally triggered?
- #13: Often IoT is mission critical, security should be
- #14: IoT pentest need unique approach It also need specific knowledge that might be specialized field