IOT SECURITY ERIK TEWS <E.TEWS@UTWENTEL.NL>
THE INTERNET OF THINGS
(cc) https://www.flickr.com/photos/wilgengebroed/8249565455/
Systems Security – IoT Security 2 30.04.2018

A NEW WORLD
(cc) https://en.wikipedia.org/wiki/Laptop#/media/File:Lenovo_G500s_laptop-2905.jpg
(cc) https://commons.wikimedia.org/wiki/File:CERN_Server.jpg

POWER! (OR POWERLESS)
(figure labels: Powerful, Powerless)

WHAT IS RUNNING THERE
(figure labels: Linux / custom OS, Real Time OS / custom OS)

COMMUNICATION
(figure labels: Wired, Wireless)

NON-IP COMMUNICATION
▪ Bluetooth (LE)
▪ ZigBee
▪ Z-Wave
▪ LoRa (LoRaWAN)
▪ Sigfox
▪ NFC

LPWAN
Haidine, Abdelfatteh; El Hassani, Sanae; Aqqal, Abdelhak; El Hannani, Asmaa (2016). The Role of Communication Technologies in Building Future Smart Cities. doi:10.5772/64732.

EXAMPLE: SIGFOX

COMMUNICATION PARTNERS
▪ Mobile devices
▪ Cloud services
▪ Local infrastructure

SMART LIGHTS

ASSIGNMENT 1
▪ Listen to the network traffic of this device
▪ Find out what the commands for on and off look like
▪ Is there any protection in the network protocol?

WHERE DO WE FIND THAT?

VENDORS

DEVELOPMENT LIFECYCLE
(figure labels: Chip, Reference board, Reference product, Software development framework, Architecture, OEM branded product)

HOW STUFF BREAKS

WHAT TO WORRY ABOUT
▪ Lifecycle Security
  ▪ production, take ownership
  ▪ data flow and storage, device management
▪ Communication Security
  ▪ Application layer protocols, TLS, wireless security
▪ Device Security
  ▪ Embedded operating system, secure storage, anti-tampering
▪ Cloud Security (not covered here)

WHAT MAKES IT HARD
▪ Very often, there is no one locally responsible for the device
▪ Limited resources on the devices (CPU, RAM, ROM, power)
▪ Very fast development lifecycle
▪ Many security features known from „full“ operating systems are missing
▪ Developers are from a different domain

WHAT MAKES IT EASY
▪ Full control over the device
▪ Often full control of the backend service
▪ Often no legacy support
▪ Sometimes, two security zones on a device are possible

A SMART PLUG

TWO SECURITY ZONES
(figure labels: Web Interface, Alexa Integration, Mobile App, Main Functionality On/Off)

BACK TO THE SMART PLUG

ASSIGNMENT 2
▪ Again, we provide an access point to monitor the network traffic
▪ This device uses encryption
▪ Find a way to see what's in the connection
▪ Submit the plaintext of what is transmitted between the cloud and the device when it connects

WHAT IS IN THERE

THE ESP8266 FAMILY
▪ Rather low-power microchip
▪ Not running Linux (usually some kind of RTOS)
▪ 0.5 – 4 MB flash memory
▪ 64+96 KB RAM
▪ Integrated WiFi
▪ Excellent developer support (Lua, Python, C/C++)
▪ Development board including shipping for less than 3€!
▪ New version (ESP32) also supports Bluetooth LE

ASSIGNMENT 3 (BONUS)
▪ We provide you with an ESP8266 development board
▪ You write a more secure firmware for the plug
▪ Later on, you can add a relay shield to the board
▪ And finally, you might flash your own firmware on the real plug
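Added example (not from the lecture or its assignment material): a Python model of the plug command protocol, with a one-byte on/off command as the weak form you would see in Assignment 1 and a counter plus HMAC-SHA256 tag as the hardened form a more secure firmware could verify. The key, the frame layout and the tag length are constructed for this illustration.

```python
import hmac, hashlib, struct

# Constructed per-device key for this example; a real plug would receive it
# when ownership is taken and keep it in secure storage.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CMD_OFF, CMD_ON = 0, 1

# Weak protocol: one command byte on the wire, no authentication, no freshness.
def weak_encode(cmd):
    return bytes([cmd])

def weak_device_accept(frame):
    # Any captured frame can be replayed and is accepted again.
    return len(frame) == 1 and frame[0] in (CMD_OFF, CMD_ON)

# Hardened protocol: 4-byte counter + 1-byte command, tagged with a truncated
# HMAC-SHA256 so the device can verify the origin and reject replays.
def secure_encode(key, counter, cmd):
    body = struct.pack(">IB", counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag

class SecurePlug:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far
        self.state = CMD_OFF

    def accept(self, frame):
        if len(frame) != 5 + 16:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return False
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter or cmd not in (CMD_OFF, CMD_ON):
            return False  # replayed/reordered frame or unknown command
        self.last_counter = counter
        self.state = cmd
        return True

def demo():
    weak = [weak_device_accept(weak_encode(CMD_ON)) for _ in range(2)]
    plug = SecurePlug(DEVICE_KEY)
    frame = secure_encode(DEVICE_KEY, 1, CMD_ON)
    first, replay = plug.accept(frame), plug.accept(frame)
    forged = plug.accept(secure_encode(b"wrong-key", 2, CMD_ON))
    return weak, first, replay, forged
```

On the real plug the accepted counter has to survive a reboot (stored in flash), otherwise a frame captured before a power cycle is accepted again afterwards.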
WHY WE USE THE DEVELOPMENT BOARD
https://github.com/arendst/Sonoff-Tasmota/wiki/Hardware-Preparation
YOUR FAVORITE LANGUAGE
▪ A. Python
▪ B. Lua
▪ C. C
HARDWARE (TO PLAY AROUND WITH)
▪ Many wireless routers (OpenWRT/LEDE)
  ▪ Great for high-end hardware
▪ ESP8266/32 based boards
  ▪ Medium-range hardware
  ▪ Great for communication with WiFi and BLE
▪ Arduino family
  ▪ Suitable for ultra-low-power devices (but not all of them)
▪ Intel CPUs are not that widespread

HOW TO APPROACH AN IOT DEVICE
▪ From the network side
▪ From the firmware side
▪ From the corresponding cloud service side/mobile app
▪ From the PCB

THE NETWORK SIDE
▪ Wireshark
▪ Nmap
▪ Mitmproxy
▪ Other proxies such as the Burp Suite

WIRESHARK
▪ Great network sniffer
▪ Works best with you as a gateway or a mirroring device
▪ Can be extended with custom dissectors

NMAP
▪ Generic port scanner
▪ Fingerprinting
▪ Can also do service discovery

MITMPROXY
▪ Generic SSL/TLS proxy
▪ Works with plain HTTP too
▪ May log plain text of sessions
▪ Automatic rewriting of requests

BURP SUITE
▪ Generic web proxy
▪ Useful to prepare attacks
▪ Works best when the device has an HTTP server

FROM THE FIRMWARE SIDE
▪ First you need to get the firmware
  ▪ Either extract it from the device
  ▪ Or get it from the update service
▪ Then analyse it
  ▪ Either use a decompiler
  ▪ Or maybe even boot it on a similar development board

GETTING THE FIRMWARE FROM THE DEVICE
▪ External flash is great
  ▪ When it's connected via SPI, connect a second device with an SPI interface (ESP8266/Arduino)
▪ Sometimes there is a debugging port
  ▪ Use it to dump the memory of the device

GETTING THE FIRMWARE VIA THE NETWORK
▪ Your network results might indicate an auto-update service
▪ Try to trigger a firmware update and capture the new firmware with your proxy
▪ Alternatively, you may edit the traffic (Burp/mitmproxy) to act like you are running an older firmware
▪ And you might still just google for it when you find some useful strings in the network traffic
▪ Alternatively, the mobile app is a good source for URL patterns

ANALYZING THE FIRMWARE
▪ Unpacking might be hard -> http://www.firmware.re/
▪ Decompile it
  ▪ Unfortunately the best tool is expensive: IDA Pro
  ▪ Radare2 to the rescue: https://github.com/radare/radare2
▪ Run it
  ▪ Try a development board that is not so different
▪ Finally, „strings“ is a powerful tool

CLOUD AND MOBILE APP
▪ Have a look at the mobile app
  ▪ Android is in general not so hard to reverse engineer
  ▪ Might reveal a lot of strings and additional API endpoints
  ▪ Also there might be some hidden features in there
▪ Then look at the cloud service
  ▪ The Burp Suite might be a good friend
  ▪ And Python is often handy to implement an open source client

FINALLY THE PCB
▪ Try to find out what is on there
▪ Sniffing internal communication can be interesting
▪ Side channels can be used for reverse engineering

A GOOD START FOR THE SOFTWARE TOOLS
▪ Use Kali Linux
▪ https://www.kali.org/