SlideShare a Scribd company logo

(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop

Priyanka Aash, profile picture
Priyanka Aash

The document discusses the security challenges and exploitation techniques in Internet of Things (IoT) networks, detailing aspects of wireless protocols such as Zigbee and Bluetooth. It emphasizes the inadequacies of current security practices in IoT products, along with strategies for improving device security through proper implementation of security development life cycle (SDLC). The document concludes by advocating for better hardware/software testing and increased awareness of existing vulnerabilities in consumer IoT devices.

Technology
1 of 42
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Practical Exploitation of IoT Networks and Ecosystems Sanjay V & Nitin Lakshmanan DEEP ARMOR www.deeparmor.com
 @deep_armor
SACON 2020 Instructors Nitin Lakshmanan Senior Security Analyst Deep Armor Aujas Networks, Aricent/ Intel Sanjay V Security Analyst Deep Armor Deloitte
SACON 2020 Agenda • IoT Architecture & Intro to IoT Security • Security Paradigms for the Building Blocks • Wireless Protocols • Hands-on Exercises • Security Development Life Cycle (SDLC) for IoT • Fun Hacking Activities • Summary Hacking Zigbee-style Wireless Sensor Networks Breaking Bluetooth Security Attacking Consumer IoT Ecosystems AWS IoT Core & Cloud Services Hands-on Exercises
SACON 2020 Internet Of Things • Network of devices connected 
 to Internet • Connect, Collect and Exchange • Part of the fast growing electronic culture • Revolution in all the fields Connected People Connected Fleets Connected Infra Connected Markets Connected Assets Connected Products Network Data
SACON 2020 Messy World of IoT Security • “Let me get the product out first” • “I’m paying a supplier for hardware/software. Security is their responsibility” • “We don’t store any confidential information” • “Let me worry about it if/when we get hacked” • “We are 100% secure (!)” • …
SACON 2020 Attacks on IoT products
SACON 2020 IoT Security & Businesses • Security is often seen as zero ROI • Impedes rapid prototyping and delivery (doesn’t have to) • Consumers will buy anyway • Poor awareness; Sometimes, lack of options • Liability laws are almost non-existent • Few that exist don’t hold water
SACON 2020 Range / Power of protocols for IoT Protocol Power Range WiFi High Long Zigbee / Z-Wave Low Short to Mid BT / BLE Low Short LPWAN Low Long
SACON 2020 Zigbee • Low data rate wireless applications • Smart energy, medical, home automation, IIoT • Two bands of operation: 868/915MHz and 2450MHz • Simpler & less expensive than Bluetooth • 10-100m range • Zigbee Alliance
SACON 2020 Zigbee Security Model • Open Trust model (Device Trust Boundary) • Crypto protection only between devices • All services employ the same security suite
SACON 2020 Practical Exploitation of IoT
 Wireless Sensor Networks (WSN)
SACON 2020 Agenda • IEEE 802.15.4 (Layer 1 & 2 definitions for Zigbee) • Tools • Setup • Attack and Defense • Packet Generation • Sniffing and Injection • Packet Manipulation • Security Hardening
SACON 2020 802.15.4 • IEEE standard for low-rate wireless personal area networks (LR-WPANs) • 6LoWPAN for IPv6 over WPANs • Zigbee extends 802.15.4 
 (wrapper services) Application Presentation Session Transport Network Data Link Physical Logical Link Control Media Access Control ZigbeeSpec
SACON 2020 Attacking WSN • IoT product simulator • 802.15.4-based network • Packet sniffing, manipulation and injection • Goals: • Understanding basic packet header formats • Security models for protecting communication • Hardware and software tools for packet sniffing & injection
SACON 2020 Challenges • Insufficient security research and documentation • Few testing/debugging platforms • Reliable ones are very expensive or obsoleted • Beta quality hardware at best • Took us weeks, studying blogs, asking questions, trial- and-error, … • Lots of future work possible. Wanna collaborate?
SACON 2020 Generating & Analyzing IEEE 802.15.4 WSN packets (MAC Layer)
SACON 2020 WSN Internals Payload DASRC SEQ NUM PAN ID DST Payload D A SRC SEQN U M PA NID D ST Attacker Gateway
SACON 2020 Impact • Compromise integrity of sensor data • Spoof all legit devices in the network • Logistics & Asset Management - think Vaccine Transportation! • Medical Use Cases - Hospital monitoring • Security and Surveillance • Rapid emergency response for Industries • CVSSv3 Score: 9.3
SACON 2020 Hardening the WSN
SACON 2020 Approach • We care about: • Integrity of data transmitted (bi-directional) • Confidentiality (sometimes) • Device attestation in the WSN • Crypto • IoT Platform Constraints • RAM and flash memory are often in KBs • Traditional crypto is way too intensive • Libraries — Few and proprietary
SACON 2020 • Protecting data integrity is (should be) a key security objective • Use Crypto • Challenges • Need for HW Acceleration • Key provisioning and exchange • Traditional Public Key Crypto is often unacceptable • Nonce-based approaches are easy but insecure • We did not discuss: • Device Security Measures (Secure Boot, Secure FOTA, etc.) • Out of the box provisioning, device mapping and reuse • Key Management Summary
SACON 2020 Consumer IoT Security
 &
 AWS-IoT Topics
SACON 2020 Agenda • Consumer IoT • Case Study: “X” Fitness Band & “X” Wearable Technology device • Weaknesses in Smartphone Platforms <—> Wearables channels • Hands-on hacking of Bluetooth and BLE protocols • Hardening BLE • AWS IoT Core • Secure by Design and SDLC for IoT Platforms
SACON 2020 Wearables Security
SACON 2020 Introduction • Wireless protocol for short range data exchange • BT: 1-100m • BLE: 10-600m • BLE is Light-weight subset of classic Bluetooth with low power consumption • RF range: 2.4 - 2.485 GHz • Maintained & Governed by the Bluetooth Special Interest Group (SIG) • Popular use cases: wearable devices, smart pay systems, healthcare, smart security systems etc
SACON 2020 Bluetooth 5 Feature Bluetooth 5 Bluetooth 4.2 Speed Supports 2 Mbps Supports 1 Mbps Range 40m indoor 10m indoor Power Requirement Low High Message capacity 255 bytes 31 bytes • Latest version of BT and BLE Spec • Improvements to BLE • Aimed at IoT (especially consumer)
SACON 2020 Bluetooth LE security Secure Simple Pairing (SSP) • Just Works: very limited/no user interface • Numeric Comparison: devices with display or yes/no button • Passkey Entry: 6 digit pin as the pass key • Out Of Band: Out of the band channel for key exchange to thwart MITM attacks • Network traffic is encrypted with AES-128
SACON 2020 Practical Exploitation of BLE Systems
SACON 2020 Attacking Wearable - Mobile Ecosystems Section A
SACON 2020 Section B BLE Packet Analysis using Wireshark (“X” Popular fitness tracker)
SACON 2020 Section B: Sniffing with Ubertooth
SACON 2020 Summary • BT/BLE network packet analysis is easy • Market-available HW and SW • Many products do not enable the existing encryption mechanisms offered by the BT spec • At the very least, enable LTK-encryption
SACON 2020 Section C Attacking BLE LTK Encryption
SACON 2020 Section D Hardening BLE
SACON 2020 IoT Cloud Security
SACON 2020 Agenda • IoT Services from Modern Cloud Vendors • AWS IoT Core • Setting up IoT Core with device simulators • Secure configuration • AWS Cloud Security Checks
SACON 2020 • Managed cloud service for connected devices to interact with cloud applications • Amazon FreeRTOS — open-source OS for MCUs (low power & memory) • Connect and manage devices • Secure the communication • Process and Act • Monitor What is it?
SACON 2020 Unshackling from Traditional SDLC
SACON 2020 Security Development Life Cycle Security Architecture, Privacy Requirements Threat Modeling, Attack Trees & Data Access Reviews Focused Security Code Reviews & Privacy Planning Fuzzing, Penetration Testing, Privacy Sign-off Fix verification, Incident Response Planning Delta Security Assessment, Security for Continuous Integration/ Delivery Program Conception Design Implementation Pre-Launch Deployment Maintenance Reviews Reviews & Reports Reports Resolution & Sign-off Reports Device Mobile Cloud
SACON 2020 Privacy • Why worry? • Global Markets • Country-specific guidelines • Ecosystems and overlapping policies GDPR!
SACON 2020 Summary • Plethora of protocols & standards make IoT security messy • Make hardware & software for IoT comms undergo penetration testing • RZUSBStick works great. Also, ApiMote • Not much else • BT/BLE sniffing is very sketchy • Cloud Services giants & increasing number of IoT services • SDLC and Shift-left Ecosystem Protocols Integration Interoperability
SACON 2020 www.deeparmor.com | @deep_armor | services@deeparmor.com SDLC Vulnerability Assessments Security Consulting Trainings

More Related Content

PDF
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
Priyanka Aash
 
PDF
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
Priyanka Aash
 
PDF
(SACON) Satish Sreenivasaiah - DevSecOps Tools and Beyond
Priyanka Aash
 
PDF
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
Priyanka Aash
 
PDF
(SACON) Apoorv Raj Saxena - Hacking and Securing Kubernetes and Dockers in Cl...
Priyanka Aash
 
PPTX
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
PPTX
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Skycure
 
PDF
Protecting National Critical Infrastructure Asiangames 2018
Yusuf Hadiwinata Sutandar
 
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
Priyanka Aash
 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
Priyanka Aash
 
(SACON) Satish Sreenivasaiah - DevSecOps Tools and Beyond
Priyanka Aash
 
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
Priyanka Aash
 
(SACON) Apoorv Raj Saxena - Hacking and Securing Kubernetes and Dockers in Cl...
Priyanka Aash
 
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Skycure
 
Protecting National Critical Infrastructure Asiangames 2018
Yusuf Hadiwinata Sutandar
 

What's hot (20)

PPTX
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Lancope, Inc.
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
PDF
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
PPTX
TechWiseTV Workshop: Cisco TrustSec
Robb Boyd
 
PPTX
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
PDF
Cisco Connect Halifax 2018 Anatomy of attack
Cisco Canada
 
PDF
TechWiseTV Workshop: Stealthwatch Learning Network License
Robb Boyd
 
PPTX
Ten security product categories you've (probably) never heard of
Adrian Sanabria
 
PDF
2018 06 Presentation Cloudguard SaaS de Checkpoint
e-Xpert Solutions SA
 
PPTX
Get an office 365 expereience your users will love v8.1
Zscaler
 
PDF
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco Canada
 
PDF
Pactera - Cloud, Application, Cyber Security Trend 2016
Kyle Lai
 
PDF
Palo Alto Networks CASB
Alberto Rivai
 
PPTX
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 
PPTX
Overcoming the Challenges of Architecting for the Cloud
Zscaler
 
PPTX
Modern Security Operations & Common Roles/Competencies
Harry McLaren
 
PPTX
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
PPTX
Check Point Solutions Portfolio- Detailed
Moti Sagey מוטי שגיא
 
PDF
SDP Glossary v2.0
Shamun Mahmud
 
PPTX
Maximize your cloud app control with Microsoft MCAS and Zscaler
Ankit Dua
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Lancope, Inc.
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
TechWiseTV Workshop: Cisco TrustSec
Robb Boyd
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Cisco Connect Halifax 2018 Anatomy of attack
Cisco Canada
 
TechWiseTV Workshop: Stealthwatch Learning Network License
Robb Boyd
 
Ten security product categories you've (probably) never heard of
Adrian Sanabria
 
2018 06 Presentation Cloudguard SaaS de Checkpoint
e-Xpert Solutions SA
 
Get an office 365 expereience your users will love v8.1
Zscaler
 
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco Canada
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Kyle Lai
 
Palo Alto Networks CASB
Alberto Rivai
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 
Overcoming the Challenges of Architecting for the Cloud
Zscaler
 
Modern Security Operations & Common Roles/Competencies
Harry McLaren
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
Check Point Solutions Portfolio- Detailed
Moti Sagey מוטי שגיא
 
SDP Glossary v2.0
Shamun Mahmud
 
Maximize your cloud app control with Microsoft MCAS and Zscaler
Ankit Dua
 
Ad

Similar to (SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop (20)

PPTX
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptx
ssuser52b751
 
PDF
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Eurotech
 
PPTX
Gustavo Zastrow - Introduction to AWS IoT Core and MQTT
GustavoRuizZastrow
 
PPTX
How to design AWS Serverless Architecture for IOT
Sanket Saxena
 
PDF
Drobics trustworthy io-t-for-industrial-applications
Mario Drobics
 
PDF
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
PDF
Market Trend And Korenix IIoT Vision - 2018
Jiunn-Jer Sun
 
PDF
Vlad Trifa, Chief Product Officer ,Ambrosus - Bridging Blockchains and the Io...
Techsylvania
 
PPTX
IoTSummit: Create iot devices connected or on the edge using ai and ml
Marco Dal Pino
 
PDF
Overblik over trådløs teknologi og designovervejelser
InfinIT - Innovationsnetværket for it
 
PDF
Internet of Things
Prithwis Mukerjee
 
PPTX
Io t solutions world congress 2018 review Henk Jan van Wijk Conclusion Connect
Conclusion Connect enabling industry 4.0 with IoT
 
PDF
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
ssuser8b324e
 
PDF
Iot architectures slides important.pdf
ASTIECE
 
PDF
Internet Of Things is Fully Networked and Connected Devices sending analytics...
moaminmarey2001
 
PDF
Unit 4 Internet of Things communication models.pdf
sayalee7
 
PDF
Is your MQTT broker IoT ready?
Eurotech
 
PPTX
INTERNET OF THINGS.pptx
Manikandan Kandasamy
 
PPTX
ch2.pptxnnbhyyg uuggy jgugjb huuuhj hihij
sigmatej123
 
PPTX
ch2.pptx huuuuhy hhhh bjuuu huuujkjjjf hh
darshangd9899
 
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptx
ssuser52b751
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Eurotech
 
Gustavo Zastrow - Introduction to AWS IoT Core and MQTT
GustavoRuizZastrow
 
How to design AWS Serverless Architecture for IOT
Sanket Saxena
 
Drobics trustworthy io-t-for-industrial-applications
Mario Drobics
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
Market Trend And Korenix IIoT Vision - 2018
Jiunn-Jer Sun
 
Vlad Trifa, Chief Product Officer ,Ambrosus - Bridging Blockchains and the Io...
Techsylvania
 
IoTSummit: Create iot devices connected or on the edge using ai and ml
Marco Dal Pino
 
Overblik over trådløs teknologi og designovervejelser
InfinIT - Innovationsnetværket for it
 
Internet of Things
Prithwis Mukerjee
 
Io t solutions world congress 2018 review Henk Jan van Wijk Conclusion Connect
Conclusion Connect enabling industry 4.0 with IoT
 
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
ssuser8b324e
 
Iot architectures slides important.pdf
ASTIECE
 
Internet Of Things is Fully Networked and Connected Devices sending analytics...
moaminmarey2001
 
Unit 4 Internet of Things communication models.pdf
sayalee7
 
Is your MQTT broker IoT ready?
Eurotech
 
INTERNET OF THINGS.pptx
Manikandan Kandasamy
 
ch2.pptxnnbhyyg uuggy jgugjb huuuhj hihij
sigmatej123
 
ch2.pptx huuuuhy hhhh bjuuu huuujkjjjf hh
darshangd9899
 
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
Priyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop

  • 1. Practical Exploitation of IoT Networks and Ecosystems Sanjay V & Nitin Lakshmanan DEEP ARMOR www.deeparmor.com
 @deep_armor
  • 2. SACON 2020 Instructors Nitin Lakshmanan Senior Security Analyst Deep Armor Aujas Networks, Aricent/ Intel Sanjay V Security Analyst Deep Armor Deloitte
  • 3. SACON 2020 Agenda • IoT Architecture & Intro to IoT Security • Security Paradigms for the Building Blocks • Wireless Protocols • Hands-on Exercises • Security Development Life Cycle (SDLC) for IoT • Fun Hacking Activities • Summary Hacking Zigbee-style Wireless Sensor Networks Breaking Bluetooth Security Attacking Consumer IoT Ecosystems AWS IoT Core & Cloud Services Hands-on Exercises
  • 4. SACON 2020 Internet Of Things • Network of devices connected 
 to Internet • Connect, Collect and Exchange • Part of the fast growing electronic culture • Revolution in all the fields Connected People Connected Fleets Connected Infra Connected Markets Connected Assets Connected Products Network Data
  • 5. SACON 2020 Messy World of IoT Security • “Let me get the product out first” • “I’m paying a supplier for hardware/software. Security is their responsibility” • “We don’t store any confidential information” • “Let me worry about it if/when we get hacked” • “We are 100% secure (!)” • …
  • 6. SACON 2020 Attacks on IoT products
  • 7. SACON 2020 IoT Security & Businesses • Security is often seen as zero ROI • Impedes rapid prototyping and delivery (doesn’t have to) • Consumers will buy anyway • Poor awareness; Sometimes, lack of options • Liability laws are almost non-existent • Few that exist don’t hold water
  • 8. SACON 2020 Range / Power of protocols for IoT Protocol Power Range WiFi High Long Zigbee / Z-Wave Low Short to Mid BT / BLE Low Short LPWAN Low Long
  • 9. SACON 2020 Zigbee • Low data rate wireless applications • Smart energy, medical, home automation, IIoT • Two bands of operation: 868/915MHz and 2450MHz • Simpler & less expensive than Bluetooth • 10-100m range • Zigbee Alliance
  • 10. SACON 2020 Zigbee Security Model • Open Trust model (Device Trust Boundary) • Crypto protection only between devices • All services employ the same security suite
  • 11. SACON 2020 Practical Exploitation of IoT
 Wireless Sensor Networks (WSN)
  • 12. SACON 2020 Agenda • IEEE 802.15.4 (Layer 1 & 2 definitions for Zigbee) • Tools • Setup • Attack and Defense • Packet Generation • Sniffing and Injection • Packet Manipulation • Security Hardening
  • 13. SACON 2020 802.15.4 • IEEE standard for low-rate wireless personal area networks (LR-WPANs) • 6LoWPAN for IPv6 over WPANs • Zigbee extends 802.15.4 
 (wrapper services) Application Presentation Session Transport Network Data Link Physical Logical Link Control Media Access Control ZigbeeSpec
  • 14. SACON 2020 Attacking WSN • IoT product simulator • 802.15.4-based network • Packet sniffing, manipulation and injection • Goals: • Understanding basic packet header formats • Security models for protecting communication • Hardware and software tools for packet sniffing & injection
  • 15. SACON 2020 Challenges • Insufficient security research and documentation • Few testing/debugging platforms • Reliable ones are very expensive or obsoleted • Beta quality hardware at best • Took us weeks, studying blogs, asking questions, trial- and-error, … • Lots of future work possible. Wanna collaborate?
  • 16. SACON 2020 Generating & Analyzing IEEE 802.15.4 WSN packets (MAC Layer)
  • 17. SACON 2020 WSN Internals Payload DASRC SEQ NUM PAN ID DST Payload D A SRC SEQN U M PA NID D ST Attacker Gateway
  • 18. SACON 2020 Impact • Compromise integrity of sensor data • Spoof all legit devices in the network • Logistics & Asset Management - think Vaccine Transportation! • Medical Use Cases - Hospital monitoring • Security and Surveillance • Rapid emergency response for Industries • CVSSv3 Score: 9.3
  • 20. SACON 2020 Approach • We care about: • Integrity of data transmitted (bi-directional) • Confidentiality (sometimes) • Device attestation in the WSN • Crypto • IoT Platform Constraints • RAM and flash memory are often in KBs • Traditional crypto is way too intensive • Libraries — Few and proprietary
  • 21. SACON 2020 • Protecting data integrity is (should be) a key security objective • Use Crypto • Challenges • Need for HW Acceleration • Key provisioning and exchange • Traditional Public Key Crypto is often unacceptable • Nonce-based approaches are easy but insecure • We did not discuss: • Device Security Measures (Secure Boot, Secure FOTA, etc.) • Out of the box provisioning, device mapping and reuse • Key Management Summary
  • 22. SACON 2020 Consumer IoT Security
 &
 AWS-IoT Topics
  • 23. SACON 2020 Agenda • Consumer IoT • Case Study: “X” Fitness Band & “X” Wearable Technology device • Weaknesses in Smartphone Platforms <—> Wearables channels • Hands-on hacking of Bluetooth and BLE protocols • Hardening BLE • AWS IoT Core • Secure by Design and SDLC for IoT Platforms
  • 25. SACON 2020 Introduction • Wireless protocol for short range data exchange • BT: 1-100m • BLE: 10-600m • BLE is Light-weight subset of classic Bluetooth with low power consumption • RF range: 2.4 - 2.485 GHz • Maintained & Governed by the Bluetooth Special Interest Group (SIG) • Popular use cases: wearable devices, smart pay systems, healthcare, smart security systems etc
  • 26. SACON 2020 Bluetooth 5 Feature Bluetooth 5 Bluetooth 4.2 Speed Supports 2 Mbps Supports 1 Mbps Range 40m indoor 10m indoor Power Requirement Low High Message capacity 255 bytes 31 bytes • Latest version of BT and BLE Spec • Improvements to BLE • Aimed at IoT (especially consumer)
  • 27. SACON 2020 Bluetooth LE security Secure Simple Pairing (SSP) • Just Works: very limited/no user interface • Numeric Comparison: devices with display or yes/no button • Passkey Entry: 6 digit pin as the pass key • Out Of Band: Out of the band channel for key exchange to thwart MITM attacks • Network traffic is encrypted with AES-128
  • 29. SACON 2020 Attacking Wearable - Mobile Ecosystems Section A
  • 30. SACON 2020 Section B BLE Packet Analysis using Wireshark (“X” Popular fitness tracker)
  • 31. SACON 2020 Section B: Sniffing with Ubertooth
  • 32. SACON 2020 Summary • BT/BLE network packet analysis is easy • Market-available HW and SW • Many products do not enable the existing encryption mechanisms offered by the BT spec • At the very least, enable LTK-encryption
  • 33. SACON 2020 Section C Attacking BLE LTK Encryption
  • 36. SACON 2020 Agenda • IoT Services from Modern Cloud Vendors • AWS IoT Core • Setting up IoT Core with device simulators • Secure configuration • AWS Cloud Security Checks
  • 37. SACON 2020 • Managed cloud service for connected devices to interact with cloud applications • Amazon FreeRTOS — open-source OS for MCUs (low power & memory) • Connect and manage devices • Secure the communication • Process and Act • Monitor What is it?
  • 38. SACON 2020 Unshackling from Traditional SDLC
  • 39. SACON 2020 Security Development Life Cycle Security Architecture, Privacy Requirements Threat Modeling, Attack Trees & Data Access Reviews Focused Security Code Reviews & Privacy Planning Fuzzing, Penetration Testing, Privacy Sign-off Fix verification, Incident Response Planning Delta Security Assessment, Security for Continuous Integration/ Delivery Program Conception Design Implementation Pre-Launch Deployment Maintenance Reviews Reviews & Reports Reports Resolution & Sign-off Reports Device Mobile Cloud
  • 40. SACON 2020 Privacy • Why worry? • Global Markets • Country-specific guidelines • Ecosystems and overlapping policies GDPR!
  • 41. SACON 2020 Summary • Plethora of protocols & standards make IoT security messy • Make hardware & software for IoT comms undergo penetration testing • RZUSBStick works great. Also, ApiMote • Not much else • BT/BLE sniffing is very sketchy • Cloud Services giants & increasing number of IoT services • SDLC and Shift-left Ecosystem Protocols Integration Interoperability
  • 42. SACON 2020 www.deeparmor.com | @deep_armor | services@deeparmor.com SDLC Vulnerability Assessments Security Consulting Trainings