an introduction to iot penetration testing
play

An Introduction to IoT Penetration Testing @libertyunix - PowerPoint PPT Presentation

Oct 14, 2022 •386 likes •923 views

An Introduction to IoT Penetration Testing @libertyunix www.kmco.com The Agenda n IoT Attack Surface l OWASP IoT Top 10 l -1 Ring in IoT n Wireless Topics in IoT n IoT Pen Testing Tools & Examples n Q&A 2 Getting Started in IoT

  1. An Introduction to IoT Penetration Testing @libertyunix www.kmco.com

  2. The Agenda n IoT Attack Surface l OWASP IoT Top 10 l -1 Ring in IoT n Wireless Topics in IoT n IoT Pen Testing Tools & Examples n Q&A 2

  3. Getting Started in IoT Penetration Testing 3

  4. OWASP IoT Top 10 www.kmco.com 4

  5. OWASP IoT Top 10 1. Weak, Guessable, or Hardcoded Passwords l Hard Code Everything 2. Insecure Network Services l Ecosystem services are vulnerable? 3. Insecure Ecosystem Interfaces l Account Lockout? l Credentials Exposed in Network Traffic 4. Lack of Secure Update Mechanism l More info in the clear & OTA 5

  6. OWASP IoT Top 10 Cont. 5. Insecure or Outdated Components l Supply Chain Risk Management 6. Insufficient Privacy Protection l GDPR for IoT? 7. Insecure Data Transfer & Storage l More info in the clear 6

  7. OWASP IoT Top 10 Cont. 8. Insufficient Security Configurability l Lack of Password Security Options l Security Monitoring & Logging? 9. Insecure Software/Firmware l Encryption Not Used to Fetch Updates l Update File not Encrypted l Update Not Verified before Upload 10. Poor Physical Security l USB l SPI l JTAG 7

  8. -1 Protection Ring in IoT* *Not an Official Term 8

  9. Software Defined Radio & FCC ID 9

  10. Amplitude l Vertical distance between crests 10

  11. Frequency, Cycles, and Hertz l The frequency determines how often a signal is seen l 1 cycle per second = 1 Hertz 11

  12. Modulation 12

  13. Digital Modulation Amplitude Doors, Bells, On Off Keying Shift Lights, Keys Keying(ASK) Frequency Digital Gaussian FSK BLE , ZWave Shift Modulation Keying(FSK) Offset Phase Shift Quadrature Zigbee Keying(PSK) PSK(OQPSK) 13

  14. IoT Networks 14

  15. IEEE 802.15.4 & ZigBee Customer Application API – “the software” Security ZigBee – Network, Security Alliance 32- / 64- / 128-bit encryption & Application Network layers Star / Mesh / Cluster-Tree IEEE 802.15.4 MAC IEEE – “the hardware” 802.15.4 PHY – Physical & Media 868MHz / 915MHz / 2.4GHz Access Control Stack layers Silicon App Source: http://www.zigbee.org/resources/documents/IWAS_presentation_Mar04_Designing_with_802154_and_zigbee.ppt

  16. Z-WAVE 16

  17. Z-WAVE Packet 17

  18. RFID LF - 125-134 kHz RFID HF - 13.56 MHz UHF - 433 MHz & 856-960 MHz 18

  19. Bluetooth Cross Compatibility 19

  20. BLE Application 20

  21. BLE - (Adaptive) Frequency Hopping n When in a data connection, a frequency hopping algorithm is used to cycle through the data channels n Access Addresses to avoid collisions 21

  22. BLE Stack 22

  23. GATT Example 23

  24. IoT Pen Testing Tools & Examples 24

  25. IoT Penetration Testing Physical Cloud & Mobile Wireless 25

  26. IoT Testing Roadmap Example • Technical IoT SME Discovery ID Attack • OWASP Surface IoT Top • Intelligence Technical Gathering Testing • Exploitation Vulnerability • ?? Ranking Reporting 26

  27. IoT Setup Laptop – USE LINUX § Preferably a dual boot or dedicated machine Hardware OS/Software § HackRF § Ubuntu LTS § BladeRF – Most common § Yardstick One § Kali Linux § Atmel RZ RAVEN – apt-get install kali-linux-all § Ubertooth One § Universal Radio Hacker § Proxmark3 Dev Kit § GNU Radio § Arduino Nano § Blue hydra § Every cable and adapter you § Bettercap can think of § KillerBee § PC Repair and Build Kit § Binwalk § Misc § Firmadyne § A patient wife § APKtool 27

  28. Access Control Systems 28

  29. CCTV System n The real time streaming protocol “RTSP” uses port 554 to connect via TCP n Locating cameras: l #nmap –p554 192.168.1.1/24 29

  30. Access Panel Discovery 30

  31. API Interaction 31

  32. API Interaction n There are three major fields analyzed : l EncodedNum, Card Format, and the Access Levels 32

  33. IoT On-Boarding 1. IoT Device Creates Wi-Fi Network 2. PC or Tablet joins open AP 3. IoT device is then registered to connect to the local Wi-Fi 33

  34. Fun with GNU Radio 34

  35. Zigbee “Smart” Home 35

  36. Sniffing BLE 36

  37. Sniffing BLE 37

  38. Exploring Services with Bettercap 38

  39. Extracting Sensitive Data 39

  40. Exploiting BLE 40

  41. Exploiting BLE 41

  42. Binwalk 42

  43. Firmadyne n An automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware n It includes the following components: l Modified kernels (MIPS,ARM) instrumentation of firmware execution l Ability to emulate a hardware NVRAM peripheral l An extractor to extract a filesystem and kernel l A small console application to spawn an additional shell for debugging 43

  44. Firmadyne 44

  45. Hard Coded Passwords www.kmco.com 45

  46. APKTool 46

  47. Locating Keys www.kmco.com 47

  48. Automotive Security 48

  49. Bypassing Rolling Codes 49

  50. Bypassing Rolling Codes www.kmco.com 50

  51. Vapor Trail –Data Exfiltration Tool of Tomorrow 51

  52. 52 libertyunix@protonmail.com Q & A www.kmco.com

Recommend

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Introduction to Penetration Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking a system to find security vulnerabilities in order to fix them before a malicious party attacks the system Legal if

455 views • 9 slides
Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose

Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose

MSc System and Network Engineering Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas What is the purpose of penetration testing auditability? Research questions What are the sources of penetration testing

554 views • 13 slides
Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview

Web Application Penetration By: Frank Coburn & Haris Mahboob Testing Take Aways Overview of the web Web proxy tool Reporting Gaps in the process app penetration testing process Penetration testing vs vulnerability assessment What

301 views • 17 slides
Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com

Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com

Penetration Testing for Certification: What we care about Marcel Medwed marcel.medwed@nxp.com Outline Common Criteria Evaluation Assurance Levels JHAS Penetration Testing and Countermeasures 2 Design and security of cryptographic

523 views • 40 slides
Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com <http://www.cymru.com> Penetration Testing Agenda Pentesting Basics Pentesting Defined Vulnerability Scanning vs. Penetration testing Pentesting

879 views • 83 slides
Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331:

Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331:

Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Testing That Digs Deeper Penetration testing is about attempting to exploit as much as possible

516 views • 18 slides
Simulated Penetration Testing: From Dijkstra to Turing Test++ J org Hoffmann June

Simulated Penetration Testing: From Dijkstra to Turing Test++ J org Hoffmann June

What? Classical Attack Graphs POMDPs MDPs Taxonomy And Now? Simulated Penetration Testing: From Dijkstra to Turing Test++ J org Hoffmann June 26, 2015 J org Hoffmann Simulated Penetration Testing 1/58 What? Classical

2.44k views • 184 slides
World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST certified CREST Certified Cronus is the 1 st CREST certified Automatic Penetration Testing vendor One of top 12 tech companies transforming

611 views • 13 slides
Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY February 22. 2019 whoami AND HOW DID I GET HERE? Cecillia Tran Kelly Albrink External network pen testing & web Network pen testing,

882 views • 31 slides
CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS RFP #2416 OUR DIFFERENTIATORS Global Risk Atlantic has a deep understanding of Risk Assessment and Penetration Testing on a Assessment global

519 views • 7 slides
Practical Penetration Testing 101 Look mom Im a hacker now! Words of warning Anything

Practical Penetration Testing 101 Look mom Im a hacker now! Words of warning Anything

Practical Penetration Testing 101 Look mom Im a hacker now! Words of warning Anything you do to a remote system without authorization is illegal Use common sense Federal prison is bad Overview of Today Brief overview

348 views • 13 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges

Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges

Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid Stephen McLaughlin - Penn State University Systems and Internet Infrastructure

590 views • 33 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
Black Ops 2007: Design Review ing The Web Dan Kaminsky Director of Penetration Testing IOActive

Black Ops 2007: Design Review ing The Web Dan Kaminsky Director of Penetration Testing IOActive

Black Ops 2007: Design Review ing The Web Dan Kaminsky Director of Penetration Testing IOActive Inc. Three Interesting Things Slirpie: Come to my website, be my VPN P0wf: Automagically discovering the toolkits behind the web

407 views • 19 slides
Information Decay + POMDP Incorporating Defenders Behaviour in Autonomous Penetration Testing

Information Decay + POMDP Incorporating Defenders Behaviour in Autonomous Penetration Testing

Information Decay + POMDP Incorporating Defenders Behaviour in Autonomous Penetration Testing Jonathon Schwartz 1 , Hanna Kurniawati 1 , and Edwin El-Mahassni 2 1 1 Research School of Computer Science, ANU 2 Defence Science and Technology

698 views • 16 slides
Mesh Stalkings Penetration Testing with Small Networked Devices Philip Polstra University of

Mesh Stalkings Penetration Testing with Small Networked Devices Philip Polstra University of

Mesh Stalkings Penetration Testing with Small Networked Devices Philip Polstra University of Dubuque @ppolstra DrPhil@polstra.org Please complete the Speaker Feedback Surveys. This will help speakers to improve and for Black Hat to make

901 views • 55 slides
FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee, Sooel Son KAIST Upload Functionality Sharing user-provided content has become a de facto standard feature of modern web applications 2 File

995 views • 61 slides
Testing iOS Apps Graham Lee / @secboffin Monday, 25 March 13 Penetration Unit Integration

Testing iOS Apps Graham Lee / @secboffin Monday, 25 March 13 Penetration Unit Integration

Testing iOS Apps Graham Lee / @secboffin Monday, 25 March 13 Penetration Unit Integration Whole-app A lot to cover Monday, 25 March 13 Agenda Monday, 25 March 13 Agenda High-level overview of testing options Monday, 25 March 13

733 views • 36 slides
Penetration Testing Beginner Level PentesterUniversity By NetSecNow Disclaimer: Any and all

Penetration Testing Beginner Level PentesterUniversity By NetSecNow Disclaimer: Any and all

PentesterUniversity By NetSecNow Course Overview Penetration Testing Beginner Level PentesterUniversity By NetSecNow Disclaimer: Any and all information provided in this training series is provided at no risk to PentesterUniversity,

239 views • 7 slides
Testing Overview Introduction (Proving and Testing) Types of Testing Unit,

Testing Overview Introduction (Proving and Testing) Types of Testing Unit,

CPSC 310 Software Engineering Testing Overview Introduction (Proving and Testing) Types of Testing Unit, Integration, Regression, System, Acceptance Testing Tactics Functional (Black Box), Structural (White Box)

982 views • 61 slides
PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About

PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About

PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance) High Bit will

290 views • 15 slides
26 June 2020 Local Digital Landscape 58% 159% Unique mobile user SIM penetration penetration

26 June 2020 Local Digital Landscape 58% 159% Unique mobile user SIM penetration penetration

Rural Bankers Association of the Philippines 67 th Annual National Convention 26 June 2020 Local Digital Landscape 58% 159% Unique mobile user SIM penetration penetration Average time spent on internet 9 hours 67% and 45 Filipinos are

587 views • 16 slides
ts% 5.s% s.0% 1..9% November 730 3761 4825 1026 County Monthly Avg 45249 68984 ro2792

ts% 5.s% s.0% 1..9% November 730 3761 4825 1026 County Monthly Avg 45249 68984 ro2792

FY16 Quarter L Penetration Report Ethnicity State Penetration Rate 3.78% s.09% 10.134/o 3.81o/a 10.144/o 7.39o/o July 2015 1462 653 4534 119 2497 978 County Monthly Avg 70255 10662 140147 1046 33644 19089 County Penetration Rate

423 views • 9 slides

More recommend