Internet of Things (IoT): OWASP Top 10 IoT Vulns and Exploits of Smart Devices – ITAC 2015 – 29 Sept 2015 – Presented by: Francis Brown & Steve Christiaens, Bishop Fox, LLC, www.bishopfox.com
Agenda – OVERVIEW
• Introduction/Background
  • IoT News and Current Landscape
  • Corp concerns, Personal / Privacy Issues
  • Examples: Cars, Fridges, TVs, Wearables, …
• Targeting IoT – via Internet
  • Google/Bing/SHODAN/Maltego Hacking
  • Internet Census 2012, Scans.io, Zmap, MassScan, other mass scanning projects
• Targeting IoT – over the Air
  • Wi-Fi, Bluetooth, ZigBee, Z-Wave, RFID, NFC, etc.
  • Hacking devices: Wi-Fi Pineapples, Kali Tablets, RaspPis, Custom Gear
• Targeting IoT – up close, Physically
  • USB Rubber Duckies, Teensy Arduino Devices, BadUSB type attacks
• Defenses 2
RickMote – Hacking TVs – DEMO – CHROMECAST – STREAMING DEVICE HACKING 3
Introduction/Background GETTING UP TO SPEED 4
OWASP – IoT Top 10 – TOP 10 LIST – Internet of Things 5
IoT – Special Focus – BEWARE EYES AND EARS … and robot hands: 1. Cameras / WebCams 2. Microphones 3. Robots … terminators… 6
Twitter Feed WebCams – CREEPY WEBCAMS VIEWERS – #CAUGHTONNESTCAM 7
Baby WebCams – Feb 2015 – WORST NIGHTMARES 8
Smart TVs – Feb 2015 – LISTENING CLOSELY 9
ILLUSTRATIVE FOOTAGE Video - DEMO 10
Plane Hacking – Apr 2015 – Passenger 31337 11
Smart Watches – July 2015 – INSECURITY ON THE GO – “A study conducted by HP’s Fortify on security features implemented by smartwatches revealed that not even a single device was found to be 100 percent safe.” 12
Vehicle Attacks – July 2015 – GONE IN 60 SECONDS … 13
ILLUSTRATIVE FOOTAGE Video - DEMO 14
Vehicle Attacks – July 2015 – … OR LESS 15
Fridge Hacking – Aug 2015 – IN THE HOME 16
Microsoft IoT Big Push – Aug 2015 – IOT IN THE MAINSTREAM 17
Baby Monitors – Sept 2015 – BORN IN THE U.S.A. 18
ILLUSTRATIVE FOOTAGE Video - DEMO 19
FBI Warning – PSA – Sept 2015 – IOT IS DANGEROUS 20
IoT Legal Climate – Sept 2015 – SAME OLD DEBATES 21
Targeting IoT Systems OVER THE INTERNET – SEARCH ENGINES 22
Diggity Tools – SEARCH ENGINE HACKING 23
IoT and Google – GOOGLE HACKING 24
Google Diggity – DIGGITY CORE TOOLS 25
IoT and Bing – BING HACKING 26
Bing Diggity – DIGGITY CORE TOOLS 27
NEW GOOGLE HACKING TOOLS – SHODAN Diggity 28
SHODAN – IOT / HACKER SEARCH ENGINE
• Indexed service banners for the whole Internet for HTTP (port 80), as well as some FTP (21), SSH (22) and Telnet (23) services – https://www.shodan.io/ 29
IoT and SHODAN – SHODAN HACKING 30
Mr. Robot – HVAC COMPROMISE 33
ILLUSTRATIVE FOOTAGE Video - DEMO 34
SHODAN Diggity – FINDING SCADA SYSTEMS 35
SHODAN Alerts – SHODAN RSS FEEDS 36
INTERNET MASS SCANNING Scanning the Whole Internet 37
Internet Census 2012 – NMAP OF ENTIRE INTERNET
• ~420k botnet used to perform NMAP against the entire IPv4 address space!
• ICMP sweeps, SYN scans, Reverse DNS, and Service probes of 662 ports
• Free torrent of 568GB of NMAP results (9TB decompressed NMAP results) 38
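The same banner and port data that SHODAN and the Internet Census expose is also the cheapest external exposure inventory a defender has. The Python script below is an added example for this page, not code from the talk or from Bishop Fox, and its input is a constructed ip,port,banner CSV rather than the Internet Census or Scans.io file formats (it does not reproduce those). It restricts the records to an owned address range and flags the conditions the slides keep returning to: plaintext management services (Telnet, FTP, HTTP with Basic auth), industrial protocol ports, and SNMP answering with a default community string. The port tables, the 203.0.113.0/24 range and the sample banners are assumptions for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records in a simple ip,port,banner CSV form (NOT the
# Internet Census / Scans.io file formats). 203.0.113.0/24 is "our" range;
# the 198.51.100.7 row belongs to someone else and must be ignored.
SAMPLE_SCAN = """ip,port,banner
203.0.113.10,23,Login:
203.0.113.10,80,HTTP/1.1 401 Unauthorized Server: GoAhead-Webs WWW-Authenticate: Basic realm=DVR
203.0.113.11,22,SSH-2.0-OpenSSH_6.7
203.0.113.12,502,Modbus/TCP unit id 1
203.0.113.13,161,SNMP sysDescr: Linux dvr 3.0.8; community public
203.0.113.14,443,HTTP/1.1 200 OK Server: nginx
198.51.100.7,23,Login:
"""

OWNED = ipaddress.ip_network("203.0.113.0/24")  # assumed owned range

# Assumed port tables for the example: protocols that carry credentials or
# device control in cleartext, and industrial ports that should never be
# reachable from the Internet.
PLAINTEXT_MGMT = {21: "FTP", 23: "Telnet", 80: "HTTP"}
SCADA_PORTS = {102: "Siemens S7", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
SNMP_PORT = 161


def parse_records(text):
    """Turn ip,port,banner CSV text into dicts; malformed rows are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            rows.append({"ip": ipaddress.ip_address(row["ip"].strip()),
                         "port": int(row["port"]),
                         "banner": row["banner"]})
        except (KeyError, ValueError, TypeError, AttributeError):
            continue
    return rows


def classify(rec):
    """Return the exposure findings (strings) for one ip/port/banner record."""
    findings = []
    port, banner = rec["port"], rec["banner"] or ""
    if port in PLAINTEXT_MGMT:
        findings.append(f"plaintext management service ({PLAINTEXT_MGMT[port]})")
    if port == 80 and "WWW-Authenticate: Basic" in banner:
        findings.append("HTTP Basic auth over cleartext (credentials exposed)")
    if port in SCADA_PORTS:
        findings.append(f"industrial protocol exposed ({SCADA_PORTS[port]})")
    if port == SNMP_PORT and "public" in banner.lower():
        findings.append("SNMP answering with default 'public' community")
    return findings


def exposure_report(text, owned=OWNED):
    """Map each owned host (as a string) to a list of (port, finding) tuples."""
    report = defaultdict(list)
    for rec in parse_records(text):
        if rec["ip"] not in owned:          # ignore hosts outside our range
            continue
        for finding in classify(rec):
            report[str(rec["ip"])].append((rec["port"], finding))
    return dict(report)


if __name__ == "__main__":
    for host, items in sorted(exposure_report(SAMPLE_SCAN).items()):
        for port, finding in items:
            print(f"{host}:{port:<6} {finding}")
```

Run against your own ranges, this is the check behind the later defense slides' "use only encrypted management services" and "place untrusted devices on a separate network": anything the script lists is reachable from the whole Internet, not just from the LAN, and the public scan datasets mean an attacker already has the same list.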
Internet Census 2012 – EXAMPLE – SNMP RESULTS 39
HD’s Serial Offenders – DATA MINING CENSUS 41
Scans.io – Huge Repo – REGULAR SCANS OF INTERNET 42
Masscan – SCAN THE INTERNET 43
Wireless Hacking Tools IOT HACKING OVER THE AIR 44
RickMote – Hacking TVs CHROMECAST - STREAMING DEVICE HACKING 45
Wi-Spy – Spectrum Analyzer – WIRELESS ANALYSIS – Wi-Spy DBx Pro – USB Spectrum Analyzer with Chanalyzer Pro Software 46
NirSoft Wireless Tools – WINDOWS HACKING TOOLS
• NirSoft – WirelessNetView
• NirSoft – WifiInfoView
• NirSoft – Wireless Network Watcher
• NirSoft – WifiChannelMonitor 47
inSSIDer Wi-Fi Scanner – WINDOWS HACKING TOOLS 48
inSSIDer Wi-Fi Scanner – ANDROID HACKING TOOLS 49
Aircrack-ng Suite – LINUX HACKING TOOLS 50
inSSIDer for Mac – MAC OS X HACKING TOOLS 51
NetSpot for Mac – MAC OS X HACKING TOOLS 52
Kali VM + USB Adapter – EASY WIRELESS ATTACK PLATFORM
• Kali Linux VM + TP-LINK TL-WN722N (USB) + Yagi 53
Pwn Pad 2014 – NEXUS 7 PENTEST DEVICE 54
Kali NetHunter – NEXUS 7 PENTEST DEVICE – Nexus 7 (2013 – Wi-Fi) – Android Tablet – Non-PwnPad 2014 56
Bluetooth Low Energy https://hakshop.myshopify.com/products/ubertooth-one 57
Bluetooth – Other
• Bluetooth Modules:
  • SparkFun BLE Mate 2
  • Bluetooth Mate Gold – Sparkfun
  • Bluetooth Module Breakout – Roving Networks (RN-41)
  • Bluetooth Modem – BlueSMiRF Silver (RN-42)
  • Bluetooth Bee for Arduino – Seeedstudio
  • Bluetooth Bee Standalone with built-in Arduino
  • KEDSUM Arduino Wireless Bluetooth Transceiver Module
  • Bluetooth 4.0 USB Module (v2.1 Back-Compatible)
  • SENA UD100 industrial Bluetooth USB adapter
• PwnPad 2014 – supports packet injection (up to 1000′) 58
Bluetooth – Pwn Pad 59
Bluetooth – NirSoft
• NirSoft – BluetoothCL v1.00 – dumps all currently detected Bluetooth devices
• NirSoft – BluetoothLogView – creates a log of Bluetooth device activity around you
• NirSoft – BluetoothView – monitors the Bluetooth activity around you 60
ILLUSTRATIVE FOOTAGE Video - DEMO 61
Wi-Fi Pineapple WIRELESS PENETRATION TESTING ROUTER 62
Wi-Fi Pineapple WHAT CAN IT DO? 63
Karma on Pineapple – ROGUE ACCESS POINT 65
ILLUSTRATIVE FOOTAGE Video - DEMO 66
Auto-Association to Wi-Fi – MOBILE PHONE ATTACKS 68
Dumping Wi-Fi Keys CLIENT EXPLOITING 69
Raspberry Pi – FRUITY WI-FI
• FruityWiFi – Raspberry Pi version of the “Wi-Fi Pineapple” – cheap alternative (~$35) 70
Arduino – CUSTOM TOOLS + 71
Arduino: Add-ons – WIRELESS MODULES
• Arduino NFC Shield
• Arduino Bluetooth Modules
• Arduino WiFly Shield (802.11b/g)
• Arduino GSM/GPRS shields (SMS messaging)
• WIZnet Embedded Web Server Module
• XBee 2.4GHz Module (802.15.4 ZigBee)
• Parallax GPS Module PMB-648 SiRF
• Arduino Ethernet Shield
• Redpark – Serial-to-iPad/iPhone Cable 72
IoT – Physical Testing UP CLOSE AND PERSONAL 73
USB Rubber Ducky Deluxe – GAINING ACCESS 74
Brinks Smart Safes – PHYSICAL HACKING – The Brinks CompuSafe Galileo. Access to the USB port and 60 sec. is all that is needed by a prepared attacker. Adding “smarts” turned this safe into an “unsafe.” 75
ILLUSTRATIVE FOOTAGE Video - DEMO 76
Pwn Plug – MAINTAINING ACCESS 77
Pwn Plug – MAINTAINING ACCESS
• Pwn Plug Elite: $995.00
• Power Pwn: $1,995.00 78
Raspberry Pi – MAINTAINING ACCESS
• Raspberry Pi – cheap alternative (~$35) to Pwn Plug/Power Pwn
• Pwnie Express – Raspberry Pwn
• Rogue Pi – RPi Pentesting Dropbox
• Pwn Pi v3.0 79
Defenses PROTECT YO NECK 80
Defenses – PROTECTION: INTERNET
• Use a VPN or disconnect critical devices
• Use only encrypted management services (SSL/SSH)
• Employ strong encryption and authentication methods
• Use strong passwords and non-default usernames
• Use a password manager
• Secure wireless clients (laptops, phones, wearables, ...)
• Place untrusted devices on a separate network 81
Defenses – PROTECTION: Wireless
• Conduct regular wireless assessments
• Employ strong encryption and authentication methods
• Employ wireless IDS/IPS
• Secure wireless clients (laptops, phones, …) 82
Defenses – PROTECTION: Wireless – Use “wireless checks” of network vulnerability scanners 83
Defenses – PROTECTION: Wireless – Physically track down rogue access points and malicious devices 84
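The rogue access point, Karma and auto-association slides earlier in the deck all rely on clients trusting a BSSID they have never seen before; the defense slides answer with wireless IDS/IPS and physically tracking down rogue access points. The Python script below is an added example, not part of the deck or of any tool it mentions. It reads constructed observations in a simplified airodump-ng-like CSV layout (not the real airodump-ng file format), compares them against an inventory of authorised BSSIDs, and classifies every unknown transmitter: a BSSID advertising a corporate SSID is an evil twin, a single BSSID seen answering for three or more different SSIDs behaves like a Karma access point, and anything else is an unknown AP to investigate. Findings are ordered strongest signal first, because that is the one closest to the scanning laptop. The AUTHORIZED inventory, the sample observations and the Karma threshold are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Assumed inventory of authorised access points: BSSID -> SSID it may advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
    "00:11:22:33:44:03": "CorpGuest",
}

# Constructed observations in a simplified airodump-ng-like CSV layout
# (bssid, ssid, channel, signal in dBm); NOT real capture data and NOT the
# real airodump-ng file format. One row per beacon / probe response seen.
SAMPLE_OBSERVATIONS = """bssid,ssid,channel,signal
00:11:22:33:44:01,CorpWiFi,6,-45
00:11:22:33:44:02,CorpWiFi,11,-60
00:11:22:33:44:03,CorpGuest,1,-55
de:ad:be:ef:00:01,CorpWiFi,6,-38
de:ad:be:ef:00:02,CorpWiFi,1,-50
de:ad:be:ef:00:02,Starbucks,1,-50
de:ad:be:ef:00:02,attwifi,1,-51
de:ad:be:ef:00:02,linksys,1,-49
aa:bb:cc:dd:ee:ff,HomeNet,3,-80
"""

# One radio answering for this many different SSIDs is the signature of a
# Karma-style "yes to every probe" access point (assumed threshold).
KARMA_SSID_THRESHOLD = 3


def parse_observations(text):
    """Parse the CSV into dicts; rows with missing or non-numeric fields are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            rows.append({"bssid": row["bssid"].strip().lower(),
                         "ssid": row["ssid"].strip(),
                         "channel": int(row["channel"]),
                         "signal": int(row["signal"])})
        except (KeyError, ValueError, AttributeError, TypeError):
            continue
    return rows


def analyze(text, authorized=AUTHORIZED, karma_threshold=KARMA_SSID_THRESHOLD):
    """Classify every transmitter that is not (or misbehaves as) an inventory AP.

    Returns findings sorted strongest signal first: the strongest one is the
    closest and therefore the first to go and physically locate.
    """
    per_bssid = defaultdict(lambda: {"ssids": set(), "signal": -999, "channel": None})
    for obs in parse_observations(text):
        entry = per_bssid[obs["bssid"]]
        entry["ssids"].add(obs["ssid"])
        if obs["signal"] > entry["signal"]:       # keep the strongest sighting
            entry["signal"], entry["channel"] = obs["signal"], obs["channel"]

    corp_ssids = set(authorized.values())
    findings = []
    for bssid, entry in per_bssid.items():
        if bssid in authorized:
            # Inventory AP: only a problem if it advertises something unexpected.
            if entry["ssids"] == {authorized[bssid]}:
                continue
            kind = "misconfigured"
        elif len(entry["ssids"]) >= karma_threshold:
            kind = "karma-like"          # one radio, many SSIDs
        elif entry["ssids"] & corp_ssids:
            kind = "evil-twin"           # unknown radio using our SSID
        else:
            kind = "unknown"             # unauthorised AP, lower priority
        findings.append({"bssid": bssid, "kind": kind, "ssids": sorted(entry["ssids"]),
                         "channel": entry["channel"], "signal": entry["signal"]})
    findings.sort(key=lambda f: f["signal"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_OBSERVATIONS):
        print(f"{f['bssid']}  ch{f['channel']:<3} {f['signal']:>4} dBm  "
              f"{f['kind']:<13} {', '.join(f['ssids'])}")
```

The multi-SSID heuristic is what separates a Karma device from an ordinary neighbour's router: a real AP beacons one or two SSIDs, whereas a Pineapple running Karma answers whatever the phones in the room are probing for. Feed the same inventory comparison from a wireless IDS sensor on a schedule and the "conduct regular wireless assessments" item stops being a yearly exercise.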