Goals
• Understand IoT concepts
• Describe IoT threats and attacks
• Understand IoT hacking methodology
• Describe IoT hacking tools
• Describe IoT hacking countermeasures
• List IoT security tools
• Describe IoT penetration testing

Module 20.0 IoT Hacking
• 20.1 IoT Concepts
• 20.2 IoT Vulnerabilities and Attacks
• 20.3 IoT Hacking Methodology and Tools
• 20.4 IoT Hacking Countermeasures
• 20.5 IoT Penetration Testing
What is IoT?
• Internet of Things
• Internet of Everything
• Anything that can be connected to a network:
  • Industrial devices
  • Embedded devices
  • Wearable devices
  • Healthcare devices
  • Home devices
  • Buildings, HVACs, alarm systems
IoT Application Areas and Devices
(Columns of the original table: Service Sector | Application Group | Location | Devices)

Service Sector: Buildings
• Application Group: Commercial, Industrial
• Location: Office, Education, Retail, Hospitality, Healthcare, Airports, Stadiums
• Devices: HVAC, Transport, Fire & Safety, Lighting, Security, Access

Service Sector: Energy
• Application Group: Supply/Demand, Oil/Gas, Alternative
• Location: Power generators, Transportation & Distribution, Low Voltage, Power Quality, Energy management, Solar & Windmills, Electrochemical, Rigs, derricks, pumps, Pipelines
• Devices: Turbines, Windmills, UPS, Batteries, Generators, Meters, Drills, Fuel Cells
IoT Application Areas and Devices (cont’d)
(Columns: Service Sector | Application Group | Location | Devices)

Service Sector: Consumer and Home
• Application Group: Infrastructure; Awareness & Safety; Convenience and Entertainment
• Location:
  • Wiring, network access, energy management
  • Security/Alerts, Fire safety, Elderly, Children, Power protection
  • HVAC/Climate, Lighting, Appliances, Entertainment
• Devices: Cameras, power systems, e-Readers, dishwashers, desktop computers, washers/dryers, meters, lights, TVs, MP3 players, gaming consoles, alarms

Service Sector: Healthcare and Life Sciences
• Application Group: Care; In Vivo/Home; Research
• Location:
  • Hospital, ER, Mobile, PoC, Clinic, Labs, Doctor’s office
  • Implants, Home, monitoring systems
  • Drug discovery, diagnostics, labs
• Devices: MRI, PDAs, Implants, health monitors, Surgical Equipment, Pumps, Monitors, Telemedicine
IoT Application Areas and Devices (cont’d)
(Columns: Service Sector | Application Group | Location | Devices)

Service Sector: Transportation
• Application Group: Non-Vehicular; Vehicles; Transportation Systems
• Location:
  • Air, Rail, Marine
  • Consumer, Commercial, Construction, Off-Highway
  • Tools, traffic management, navigation
• Devices: Vehicles, lights, ships, planes, signage, tolls

Service Sector: Industrial
• Application Group: Resource automation; Fluid/Processes; Converting/Discrete; Distribution
• Location:
  • Mining, irrigation, agriculture, woodland
  • Petrochemical, hydro, carbons, food, beverage
  • Metals, papers, rubber/plastic
  • Metalworking, Electronics, Assembly/testing
• Devices: Pumps, valves, vats, conveyors, fabrication, assembly/packaging, vessels, tanks
IoT Application Areas and Devices (cont’d)
(Columns: Service Sector | Application Group | Location | Devices)

Service Sector: Retail
• Application Group: Specialty; Hospitality; Stores
• Location:
  • Fuel stations, Gaming, Bowling, Cinemas, Discos, Special Events
  • Hotel restaurants, bars, cafes, clubs
  • Supermarkets, shopping centers, single site, distribution
• Devices: POS Terminals, Tags, Cash Registers, Vending machines, Signs, inventory control

Service Sector: Security / Public Safety
• Application Group: Surveillance; Equipment; Tracking; Public Infrastructure
• Location:
  • Radar/satellite, environmental, military, unmanned, fixed
  • Human, animal, postal, food, health, beverage
  • Water treatment, building, environmental equipment, personnel, police, fire, regulatory
• Devices: Tanks, fighter jets, battlefields, jeeps, cars, ambulance, Homeland security, Environment, Monitoring
IoT Application Areas and Devices (cont’d)
(Columns: Service Sector | Application Group | Location | Devices)

Service Sector: IT and Networks
• Application Group: Public; Enterprise
• Location: Services, e-Commerce, data centers, mobile carriers, ISPs
• Devices: Servers, storage, PCs, routers, switches, PBXs
How IoT Works
• Sensing Technology
  • Gathers telemetry
• IoT Gateway
  • Connects the device to the Internet
  • Cloud services
  • Cloud-based storage
• Cloud Server/Data Storage
  • Connected through web services
• Remote Control
  • Mobile app
IoT Architecture
• Application Layer
  • Delivery of services to end users
• Middleware Layer
  • Sits between the application layer and the hardware layer
  • Data management
  • Data analysis and aggregation
  • Data filtering
  • Device information discovery
  • Access control
• Internet Layer
  • Device-to-device
  • Device-to-cloud
  • Device-to-gateway
  • Back-end data sharing
• Access Gateway Layer
  • Connection between device and client
  • Very first data handling
  • Message routing, identification, subscribing
• Edge Technology Layer
  • Devices
  • RFID tags
  • Sensors
IoT Technologies and Protocols
• Short-Range Wireless Communications
  • Bluetooth Low Energy
  • Light-Fidelity (Li-Fi)
  • NFC
  • QR Codes/Barcodes
  • RFID
  • Thread
  • Wi-Fi
  • Wi-Fi Direct
  • Z-Wave
  • ZigBee
• Medium-Range Wireless Communications
  • Wi-Fi HaLow
  • LTE-Advanced
• Long-Range Wireless Communications
  • Low-power WAN (LPWAN)
  • Very Small Aperture Terminal (VSAT)
  • Cellular
• Wired Communications
  • Ethernet
  • Multimedia over Coax Alliance (MoCA)
  • Power-line Communication (PLC)
• IoT Operating Systems
  • RIOT OS
  • ARM embedded OS
  • RealSense OS X
  • Nucleus RTOS
  • Brillo
  • Contiki
  • Zephyr
  • Ubuntu Core
  • Integrity RTOS
  • Apache Mynewt
  • Windows 10 IoT Core
Challenges of IoT
• Lack of security and privacy
  • Most devices are connected to the Internet
  • They contain important and confidential data
  • Many lack even basic security
• Vulnerable web interfaces
  • Many devices have embedded web servers that make them vulnerable
• Legal, regulatory and rights issues
  • No existing laws address the interconnection of IoT devices
• Default, weak, or hardcoded credentials
• Clear-text protocols
• Unnecessary open ports
Challenges of IoT (cont’d)
• Coding errors
  • Buffer overflows
  • SQL injection
• Storage issues
  • Small storage capacity, yet limitless data collection
• Difficult to update firmware and OS
• Interoperability
  • Inability of manufacturers to test APIs using common methods and mechanisms
• Physical theft and tampering
• Lack of vendor support for fixing vulnerabilities
• Emerging economy and development issues
  • Policy makers have yet to catch up
OWASP Top 10 IoT Vulnerabilities
• Insecure web interface
• Insufficient authentication/authorization
• Insecure network services
• Lack of transport encryption/integrity verification
• Privacy concerns
• Insecure cloud interface
• Insecure mobile interface
• Insufficient security configurability
• Insecure software/firmware
• Poor physical security
IoT Attack Surfaces
• Device memory
  • Clear-text credentials
  • Third-party credentials
  • Vulnerable encryption keys
• Ecosystem access control
  • Implicit trust between components
  • Weak restrictions allow enrolling malicious devices
• Device physical interfaces
  • Hidden OS vulnerabilities can be exposed if the firmware is accessed
  • Possible user access to administrative features/CLI
• Device web interface
  • SQL injection
  • XSS
  • XSRF
  • Weak passwords
  • Absence of account lockout
  • Known default credentials
IoT Attack Surfaces (cont’d)
• Device firmware
  • Hard-coded credentials
  • Leak of sensitive data via URLs
  • Poorly protected encryption keys
• Device network services
  • Standard network risks (information disclosure, DoS, UPnP, UDP services)
IoT Attack Surfaces (cont’d)
• Administrative interface
  • SQL injection
  • XSS/XSRF
  • Username enumeration and default credentials
  • Weak passwords
  • Inability to wipe the device
• Local data storage
  • Unencrypted data
  • Data encryption keys are discoverable
  • Lack of data integrity checks
IoT Attack Surfaces (cont’d)
• Cloud web interface
  • Weak or missing transport encryption
  • All of the common cloud/web issues
• Update mechanism
  • Updates sent without encryption
  • Updates not signed
  • No mechanism for updates
• Third-party back-end APIs
  • Unencrypted PII/PHI
  • Device information leakage
• Mobile applications
  • Implicitly trusted by the device or the cloud
  • All of the common mobile app issues
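The update-mechanism surface above (unsigned or unverified updates, no rollback protection) is easiest to see from the device side. The following is an added example, not code from the original slides: a device-side update check that rejects manifests that are unsigned, images whose hash does not match, and downgrades. Assumptions: a per-device key provisioned at manufacture, and an HMAC tag standing in for the vendor's public-key signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Assumption: key provisioned into the device at manufacture. A real vendor would
# use an asymmetric signature; HMAC-SHA256 stands in so this runs stdlib-only.
DEVICE_UPDATE_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(manifest: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, manifest: dict) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(key: bytes, installed_version: int, manifest: dict,
                  signature: str, image: bytes) -> Tuple[bool, str]:
    """Accept only an authenticated, integrity-checked, strictly newer image."""
    expected = sign_manifest(key, manifest)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"          # unsigned or edited manifest
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"    # payload swapped in transit
    if manifest["version"] <= installed_version:
        return False, "rollback rejected"      # refuse downgrade to an old build
    return True, "ok"


# Constructed sample update (not a real firmware image or vendor manifest)
IMAGE = b"constructed firmware payload v7"
MANIFEST = {"model": "demo-cam", "version": 7,
            "sha256": hashlib.sha256(IMAGE).hexdigest()}
SIGNATURE = sign_manifest(DEVICE_UPDATE_KEY, MANIFEST)

if __name__ == "__main__":
    print(verify_update(DEVICE_UPDATE_KEY, 6, MANIFEST, SIGNATURE, IMAGE))
    print(verify_update(DEVICE_UPDATE_KEY, 6, MANIFEST, SIGNATURE, IMAGE + b"x"))
```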
IoT Attack Surfaces (cont’d)
• Vendor back-end APIs
  • Inherent trust of the cloud or mobile app
  • Weak authentication/authorization/access control
• Ecosystem communications
  • Vulnerable medical devices can put a patient’s life at risk
  • Vulnerable medical devices are connected to many monitors and sensors
  • Potential points of entry into the hospital network
  • Lack of verification of any commands
  • Improperly decommissioned devices that are still connected to the network
• Network traffic
  • Absence of any robust LAN security
Common IoT Threats
• DDoS
• Exploiting HVAC
• Rolling code
• BlueBorne attack
• Jamming
• Remote access / backdoor
• Remote access using telnet
• Sybil attack
• Exploit kits
• MITM
• Replay
• Forged malicious devices
• Side-channel attack
• Ransomware attack
IoT Device Hacking
• Information gathering
  • Shodan.io
  • Censys.io
  • Thingful.net
  • Z-Wave Sniffer
  • CloudShark
  • Ubiqua Protocol Analyzer
  • Wireshark
  • Multiping
  • Nmap
  • RIoT Vulnerability Scanner
  • Foren6
• Vulnerability scanning
  • beSTORM fuzzer
  • Metasploit
  • IoTsploit
  • IoTSeeker
  • Bitdefender Home Scanner
  • IoTInspector
• Attack
  • RFCrack - obtain vehicle unlock rolling code
  • Attify Zigbee - attack Zigbee devices
  • HackRF One - BlueBorne attack (replay, fuzzing, jamming)
  • Firmalyzer Enterprise - automated security assessment
  • ChipWhisperer
  • Rfcat-rolljam
  • KillerBee
  • GATTack.io
  • JTAGULATOR
  • Firmware Analysis Toolkit
• Gain remote access
  • Telnet
• Maintain access
  • Firmware Mod Kit - exploit firmware
Defend Against IoT Hacking
• Approach security as a unified, integrated, holistic system
• Disable guest and demo accounts if enabled
• Implement any existing lockout feature
• Implement the strongest available authentication mechanism
• Locate control system networks and devices behind firewalls, and isolate them from the business network
• Implement IDS/IPS on the network
• Implement end-to-end encryption using PKI when possible
• Use VPNs when possible
Defend Against IoT Hacking (cont’d)
• Only allow trusted IP addresses to access the device from the Internet
• Disable telnet (TCP 23)
• Disable UPnP ports on routers
• Protect devices from physical tampering
• Patch vulnerabilities and update firmware if available
• Monitor traffic on port 48101, as infected devices tend to use this port
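The network-side countermeasures on this slide (allow-list trusted addresses, no telnet, no UPnP reachable from outside, watch port 48101) turned into a small audit over connection records. This is an added example, not from the original slides; the trusted range, the hosts and the log format are assumptions, and the records are constructed.

```python
import ipaddress
from typing import List, Tuple

# Assumed management allow-list (RFC 5737 documentation range, constructed)
TRUSTED_REMOTE = [ipaddress.ip_network("203.0.113.0/24")]
TELNET_PORT, SSDP_PORT, INFECTED_PORT = 23, 1900, 48101

# Constructed connection records (not from the original slides):
# timestamp direction src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2024-01-01T10:00:01 inbound 198.51.100.7 51234 192.0.2.10 23 tcp
2024-01-01T10:00:02 inbound 203.0.113.5 40000 192.0.2.10 443 tcp
2024-01-01T10:00:03 inbound 198.51.100.7 50001 192.0.2.1 1900 udp
2024-01-01T10:00:04 outbound 192.0.2.10 33333 198.51.100.9 48101 tcp
2024-01-01T10:00:05 inbound 203.0.113.5 40001 192.0.2.10 23 tcp
"""


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_REMOTE)


def audit_connections(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, offending host) for each countermeasure violation."""
    findings = []
    for line in log_text.splitlines():
        ts, direction, src, _sport, dst, dport, proto = line.split()
        dport = int(dport)
        if direction == "inbound":
            if dport == TELNET_PORT and proto == "tcp":
                findings.append((ts, "telnet (TCP 23) reachable; disable it", dst))
            if dport == SSDP_PORT and proto == "udp":
                findings.append((ts, "UPnP/SSDP reachable from outside; disable UPnP", dst))
            if not is_trusted(src):
                findings.append((ts, "access from untrusted IP; allow-list trusted addresses only", src))
        # Either direction: a device talking on 48101 is worth an infection check
        if dport == INFECTED_PORT:
            findings.append((ts, "traffic on port 48101; device may be infected", src))
    return findings


if __name__ == "__main__":
    for ts, rule, host in audit_connections(SAMPLE_LOG):
        print(f"{ts}  {host:<14}  {rule}")
```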
Defend Against IoT Hacking (cont’d)
• Ensure that a vehicle has only one identity
• Implement data privacy and protection as much as possible
• Implement data authentication, authenticity, and encryption wherever possible
IoT Security Tools
• SeaCat.io
• DigiCert IoT Security Solution
• Pulse: IoT Security Platform
• Symantec IoT Security
• Google Cloud IoT
• Net-Shield
• Trustwave Endpoint Protection Suite
• NSFOCUS ADS
• Darktrace
• Noddos
• Norton Core
• Cisco IoT Threat Defense
• AWS IoT Device Defender
• Zvelo IoT Security Solution
• Cisco Umbrella
• Carwall
• Bayshore Industrial Cyber Protection Platform
2. Perform Hardware Analysis
• Evaluate physical and hardware components
• See if you can connect to JTAG, SWD or USB interfaces
• Use tools like:
  • JTAG Dongle
  • Digital Storage Oscilloscope
  • Software Defined Radio
3. Perform Firmware and OS Analysis
• See if the firmware is cryptographically signed and has an update mechanism
• Use tools such as:
  • IoTInspector
  • Binwalk
  • Firmware Mod Kit
  • Firmalyzer Enterprise
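What a tool like Binwalk does in the firmware-analysis step, reduced to its core: walk the image for known container magic bytes and for the hard-coded credentials and embedded keys listed under the device-firmware attack surface. This is an added example, not from the original slides or from Binwalk; the firmware image is constructed, and the signature table holds only widely documented public constants.

```python
import re
from typing import List, Tuple

# Well-known magic bytes for containers found inside firmware images, plus
# markers for embedded key material (public, widely documented constants)
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"-----BEGIN RSA PRIVATE KEY-----": "embedded RSA private key",
    b"-----BEGIN EC PRIVATE KEY-----": "embedded EC private key",
}
# Hashed root/admin entry as found in a baked-in /etc/shadow or /etc/passwd
SHADOW_RE = re.compile(rb"(root|admin):\$[0-9a-z]+\$[^:\n]+:")
# key=value strings that look like a plaintext credential
PASSWORD_RE = re.compile(rb"(?i)[a-z_]*(?:passw(?:or)?d|pwd)=([^\s\x00]{1,64})")


def scan_firmware(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:                      # report every occurrence, not just the first
            hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    for m in SHADOW_RE.finditer(blob):
        hits.append((m.start(), "hashed %s credential baked into passwd/shadow" % m.group(1).decode()))
    for m in PASSWORD_RE.finditer(blob):
        hits.append((m.start(), "plaintext credential string: " + m.group(0).decode("ascii", "replace")))
    return sorted(hits)


# Constructed firmware image (not a real vendor image): uImage header, SquashFS
# superblock stub, a baked-in root hash, a plaintext Wi-Fi password and a private key.
SAMPLE_FIRMWARE = (
    b"\x27\x05\x19\x56" + b"\x00" * 44                    # uImage magic plus padding (offset 0)
    + b"hsqs" + b"\x00" * 60                              # SquashFS magic (offset 48)
    + b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n"
    + b"\x00" * 8
    + b"wifi_password=Summer2019!\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\n(constructed key body)\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for off, desc in scan_firmware(SAMPLE_FIRMWARE):
        print(f"0x{off:06x}  {desc}")
```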
4. Conduct Wireless Protocol Analysis
• See if you can connect using:
  • ZigBee
  • Bluetooth LE
  • 6LoWPAN
• Attempt to perform replay and MITM attacks
• Attempt to gain unauthorized network access
• Try to fuzz test the device
• Use tools such as:
  • Ubiqua Protocol Analyzer
  • Perytons Protocol Analyzer
  • Wireshark
  • SoapUI Pro
  • Attify Zigbee
  • Z3sec
5. Conduct Mobile App Testing
• Attempt to penetrate mobile apps that connect with the IoT device
• Try to access storage, and bypass authentication and authorization
• Use tools such as:
  • X-Ray
  • Threat Scan
  • Norton Halt exploit defender
  • Shellshock Scanner - Zimperium
  • Hackode
  • BlueBorne
  • EternalBlue Vulnerability Scanner
6. Perform Web App Testing
• Try typical attacks against a web app, including buffer overflows, SQL injection, bypassing authentication, XSS/XSRF, and code execution
• Use tools such as:
  • SAUCE LABS Functional Testing
  • PowerSploit
  • Kali Linux
  • WAFNinja
  • Arachni
7. Perform Cloud Services Testing
• Try to gain unauthorized access to cloud services for the IoT device
• Use tools such as:
  • ZEPHYR
  • SOASTA CloudTest
  • LoadStorm PRO
  • BlazeMeter
  • Nexpose
8. Document All Findings
• Analyze all findings
• Make any recommendations
• Provide all findings in a report
IoT Hacking Review
• The Internet of Things is the connection of any type of device (industrial, scientific, home/consumer, public health and safety, etc.) to a network, and ultimately the Internet
• IoT devices may require a gateway to connect them to the cloud
• Ultimately, IoT devices can be remotely accessed and managed across a network and often the cloud
• Most IoT devices have few if any security features
• There are currently few or no laws governing IoT devices and the data they process
• IoT is a new, uncharted frontier in cyber security