SlideShare a Scribd company logo
IoT Security Risks and Challenges
Ankit Giri
About Myself
Ankit Giri (@aankitgiri)
Security Consultant | Security
Compass
Web, Mobile Application and IoT
Security Researcher
Bug Hunter (Hall of Fame: EFF, GM,
HTC, Sony, Mobikwik, Pagerduty and
some more )
Blogger, Orator and an active
contributor to OWASP and null
Community
The Most Viewed Writer in Web
application Security, Network
Security and Penetration Testing on
Quora.
What is IoT?
 IoT is computing devices that send data,
receive date or both on the internet.
 The Internet of Things (IoT) refers to the ever-growing
network of physical objects that feature an IP
address for internet connectivity, and the
communication that occurs between these objects
and other Internet-enabled devices and systems.
 Where do we see it in our daily life?
Source: Pubnub
Understanding what is IoT security
The hardware is to be blamed!
 Relatively modern 64-bit x86 CPU cores in IoT devices, they will still be substantially more complex than the
smallest ARM cores, and therefore will need more battery power.
 Cheap and disposable wearables, appear to be the biggest concern, won’t be powered by such chips. We need
more powerful processors, such as Intel Atoms or ARMv8 chips, in smart products, like smart refrigerators or
washing machines with touchscreens, but they are impractical for disposable devices with no displays and with
limited battery capacity.
 The industry needs is more unstandardized devices and more fragmentation.
The web application side of it!
 TrendNet cameras that exposed a full video feed to anyone who accessed it. In this case, there
was enough of a “sign on” interface to make end users believe that only authorized people
could access the feeds remotely. However, a hacker group called Console Cowboys quickly
demonstrated that the authentication mechanism was just for show.
 Challenges: IoT device web applications are that the apps are often on unusual ports (e.g., not
80 for HTTP or 443 for HTTPS), that the apps are sometimes disabled by default, and that
different apps (e.g., for device administrators and users, or two different applications) may
listen on different ports.
The web application side of it!
 “Weak authentication,” might thinking of passwords that are easy to guess. Unfortunately, the bar
is much lower with many smart devices.
 Generally IoT devices are secured with passwords like “1234”, put their password in client-side
Java code, send credentials without using HTTPS or other encrypted transports, or require no
passwords at all.
Insecure Network in IoT devices!
 In your modern corporate network, you may think Telnet and FTP are dead, but the IOT smart device
world would disagree
 August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded
Telnet logins.
 October 2014 research that demonstrated more than a million deployed routers were vulnerable
to misconfigured NAT-PMP services.
Insecure Cloud and Mobile interface
 Many IoT devices exchange information with an external cloud interface or ask end users to connect
to a remote web server to work with their information or devices. In addition to obvious
vulnerabilities such as a lack of HTTPS, the OWASP IoT Top Ten list asks you to look for
authentication problems such as username harvesting (“user enumeration”) and no lockouts after a
number of brute-force guessing attempts.
 IoT devices may also act as wireless access points (WAPs).
Insecure Software/ Firmware
 Real life examples of corrupt update files abound, especially when people use “jailbroken”
phones to disable the validation built in to their devices. MITM attacks using insecure update
sources, such as the HTTP-based update vulnerability that affected ASUS RT routers in October
2014.
 To test whether or not a device is using insecure updates, you generally need to use a proxy or
sniffer to watch the data stream for use of secure transport, for example, an online utility called
“APK Downloader” lets you download and inspect Android installations and updates on any
platform.
Physical security of IoT devices
Five things to determine if a device’s exposed ports can be used for malicious purposes. These are
ease of storage media removal, encryption of stored data, physical protection of USB and similar
ports, ease of disassembly and removal or disabling of unnecessary ports.
Scope of IoT security
 How many IoT devices do you own and use right now? How many does your business use?
That’s where the “Internet of NoThings” joke comes from, most people don’t have any. The numbers
keep going up, but the average consumer is not buying many, so where is that growth coming
from? IoT devices are out there and the numbers are booming, driven by enterprise rather than the
consumer market.
 Verizon and ABI Research estimate that there were 1.2 billion different devices connected to the
internet last year, but by 2020, they expect as many as 5.4 billion B2B IoT connections.
IoT specific security assessment
Understanding approach
IoT specific security assessment
How it is a combination of different type assessments:
 Web interface
 Network services
 Secure Transport medium
 Cloud and Mobile interface
 Insecure Software/Firmware
 Physical security
HEATHEN: Internet-Of-Things- Pentesting-
Framework
Heathen is a research project, which automatically help developers and manufacturers build more secure products in the Internet of
Things space based on the Open Web Application Security Project (OWASP) by providing a set of features in every fundamental era.
-Insecure Web Interface
-Insufficient Authentication/Authorization
-Insecure Network Services
-Lack of Transport Encryption
-Privacy Concerns
-Insecure Cloud Interface
-Insecure Mobile Interface
-Insufficient Security Configurability
-Insecure Software/Firmware
-Poor Physical Security
IoT Protocols
Rather than trying to fit all of the IoT Protocols on top of existing architecture models like OSI Model,
the protocols are segregated into the following layers to provide some level of organization:
 Infrastructure (ex: 6LowPAN, IPv4/IPv6, RPL)
 Identification (ex: EPC, uCode, IPv6, URIs)
 Comms / Transport (ex: Wifi, Bluetooth, LPWAN)
 Discovery (ex: Physical Web, mDNS, DNS-SD)
 Data Protocols (ex: MQTT, CoAP, AMQP, Websocket, Node)
 Device Management (ex: TR-069, OMA-DM)
 Semantic (ex: JSON-LD, Web Thing Model)
 Multi-layer Frameworks (ex: Alljoyn, IoTivity, Weave, Homekit)
Hardsploit: a Framework to audit IoT devices
security
Hardsploit is a tool with software and electronic aspects. This is a technical and modular plateform
(using FPGA) to perform security tests on electronic communications interfaces of embedded
devices. It’s a Framework !
“All-in-one tool for Hardware pentest”
The main Hardware security audit functions are”
 Sniffer,
 Scanner,
 Proxy,
 Interact,
 Dump memory
Hardsploit: a Framework to audit IoT devices
security
Hardsploit: a Framework to audit IoT devices
security
Hard Sploit is a complete tool box (Hardware + Software), a Framework which facilitates the audit of electronic
systems Consultant, Auditor, Pentesters, product designer etc. and at the same time increases the level of
security (and trust!) of new communicating products designed by industry.
Hardsploit: a Framework to audit IoT devices
security
 Hardsploit Modules will let Hardware pentester to intercept, replay and/or and send data via each
type of electronic bus used by the Hardware Target. The Level of interaction that pen-testers will
have depend on the electronic bus features…
 Hardsploit ‘s modules enable us to analyse all sort of electronic bus (serial and parallel type)
JTAG, SPI, I2C‘s,
Parallel address & data bus on chip
Hardsploit: a Framework to audit IoT devices
security
It is an assisted visual wiring function to help, easier connect all wires to the Hardware target:
 GUI will display the pin organization (Pin OUT) of the targeted chip.
 GUI will guide you throughout the wiring process between Hardsploit Connector and the target
 GUI will control a set of LED that will be turn ON and OFF to easy let you find the right Hardsploit Pin
Connector to connect to your target
 The software part of the project will help conducting an end-to-end security audit. It will be
compatible (integrated) with existing tools such as Metasploit. The integration with other API is
expected to be introduced in future.
 The framework is created with an ambition to provide a tool equivalent to those of the company
Qualys or Nessus (Vulnerability Scanner) or the Metasploit framework but in the domain of
embedded / electronic.
the way it has progressed in past few years
Available Resources:
 https://iot-analytics.com/understanding-iot-security-part-1-iot-security-architecture/
 http://resources.infosecinstitute.com/test-security-iot-smart-devices/
 http://blog.attify.com/#
 http://internetofthingswiki.com/iot-security-issues-challenges-and-solutions/937/
 https://hardsploit.io/the-project/
 http://electronicdesign.com/iot/understanding-protocols-behind-internet-things
 http://www.postscapes.com/internet-of-things-protocols/
*Note: Refer to the links mentioned in the notes section of the slides.
Available Resources:
 http://resources.infosecinstitute.com/getting-started-with-iot-security-mapping-the-attack-
surface/
 http://resources.infosecinstitute.com/test-security-iot-smart-devices/
 https://www.blackhat.com/eu-16/training/offensive-internet-of-things-iot-exploitation.html
 http://www.pentesteracademy.com/course?id=27
 http://nullcon.net/website/goa-2017/training/practical-iot-hacking.php
 https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
 https://iotsecuritywiki.com/
 *Note: Refer to the links mentioned in the notes section of the slides.
You can find me here:
https://twitter.com/aankitgiri
https://www.linkedin.com/in/ankitgiri/
aankitgiri@gmail.com
Thank You!

More Related Content

IoT Security Risks and Challenges

  • 1. IoT Security Risks and Challenges Ankit Giri
  • 2. About Myself Ankit Giri (@aankitgiri) Security Consultant | Security Compass Web, Mobile Application and IoT Security Researcher Bug Hunter (Hall of Fame: EFF, GM, HTC, Sony, Mobikwik, Pagerduty and some more ) Blogger, Orator and an active contributor to OWASP and null Community The Most Viewed Writer in Web application Security, Network Security and Penetration Testing on Quora.
  • 3. What is IoT?  IoT is computing devices that send data, receive date or both on the internet.  The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.  Where do we see it in our daily life? Source: Pubnub
  • 4. Understanding what is IoT security
  • 5. The hardware is to be blamed!  Relatively modern 64-bit x86 CPU cores in IoT devices, they will still be substantially more complex than the smallest ARM cores, and therefore will need more battery power.  Cheap and disposable wearables, appear to be the biggest concern, won’t be powered by such chips. We need more powerful processors, such as Intel Atoms or ARMv8 chips, in smart products, like smart refrigerators or washing machines with touchscreens, but they are impractical for disposable devices with no displays and with limited battery capacity.  The industry needs is more unstandardized devices and more fragmentation.
  • 6. The web application side of it!  TrendNet cameras that exposed a full video feed to anyone who accessed it. In this case, there was enough of a “sign on” interface to make end users believe that only authorized people could access the feeds remotely. However, a hacker group called Console Cowboys quickly demonstrated that the authentication mechanism was just for show.  Challenges: IoT device web applications are that the apps are often on unusual ports (e.g., not 80 for HTTP or 443 for HTTPS), that the apps are sometimes disabled by default, and that different apps (e.g., for device administrators and users, or two different applications) may listen on different ports.
  • 7. The web application side of it!  “Weak authentication,” might thinking of passwords that are easy to guess. Unfortunately, the bar is much lower with many smart devices.  Generally IoT devices are secured with passwords like “1234”, put their password in client-side Java code, send credentials without using HTTPS or other encrypted transports, or require no passwords at all.
  • 8. Insecure Network in IoT devices!  In your modern corporate network, you may think Telnet and FTP are dead, but the IOT smart device world would disagree  August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded Telnet logins.  October 2014 research that demonstrated more than a million deployed routers were vulnerable to misconfigured NAT-PMP services.
  • 9. Insecure Cloud and Mobile interface  Many IoT devices exchange information with an external cloud interface or ask end users to connect to a remote web server to work with their information or devices. In addition to obvious vulnerabilities such as a lack of HTTPS, the OWASP IoT Top Ten list asks you to look for authentication problems such as username harvesting (“user enumeration”) and no lockouts after a number of brute-force guessing attempts.  IoT devices may also act as wireless access points (WAPs).
  • 10. Insecure Software/ Firmware  Real life examples of corrupt update files abound, especially when people use “jailbroken” phones to disable the validation built in to their devices. MITM attacks using insecure update sources, such as the HTTP-based update vulnerability that affected ASUS RT routers in October 2014.  To test whether or not a device is using insecure updates, you generally need to use a proxy or sniffer to watch the data stream for use of secure transport, for example, an online utility called “APK Downloader” lets you download and inspect Android installations and updates on any platform.
  • 11. Physical security of IoT devices Five things to determine if a device’s exposed ports can be used for malicious purposes. These are ease of storage media removal, encryption of stored data, physical protection of USB and similar ports, ease of disassembly and removal or disabling of unnecessary ports.
  • 12. Scope of IoT security  How many IoT devices do you own and use right now? How many does your business use? That’s where the “Internet of NoThings” joke comes from, most people don’t have any. The numbers keep going up, but the average consumer is not buying many, so where is that growth coming from? IoT devices are out there and the numbers are booming, driven by enterprise rather than the consumer market.  Verizon and ABI Research estimate that there were 1.2 billion different devices connected to the internet last year, but by 2020, they expect as many as 5.4 billion B2B IoT connections.
  • 13. IoT specific security assessment Understanding approach
  • 14. IoT specific security assessment How it is a combination of different type assessments:  Web interface  Network services  Secure Transport medium  Cloud and Mobile interface  Insecure Software/Firmware  Physical security
  • 15. HEATHEN: Internet-Of-Things- Pentesting- Framework Heathen is a research project, which automatically help developers and manufacturers build more secure products in the Internet of Things space based on the Open Web Application Security Project (OWASP) by providing a set of features in every fundamental era. -Insecure Web Interface -Insufficient Authentication/Authorization -Insecure Network Services -Lack of Transport Encryption -Privacy Concerns -Insecure Cloud Interface -Insecure Mobile Interface -Insufficient Security Configurability -Insecure Software/Firmware -Poor Physical Security
  • 16. IoT Protocols Rather than trying to fit all of the IoT Protocols on top of existing architecture models like OSI Model, the protocols are segregated into the following layers to provide some level of organization:  Infrastructure (ex: 6LowPAN, IPv4/IPv6, RPL)  Identification (ex: EPC, uCode, IPv6, URIs)  Comms / Transport (ex: Wifi, Bluetooth, LPWAN)  Discovery (ex: Physical Web, mDNS, DNS-SD)  Data Protocols (ex: MQTT, CoAP, AMQP, Websocket, Node)  Device Management (ex: TR-069, OMA-DM)  Semantic (ex: JSON-LD, Web Thing Model)  Multi-layer Frameworks (ex: Alljoyn, IoTivity, Weave, Homekit)
  • 17. Hardsploit: a Framework to audit IoT devices security Hardsploit is a tool with software and electronic aspects. This is a technical and modular plateform (using FPGA) to perform security tests on electronic communications interfaces of embedded devices. It’s a Framework ! “All-in-one tool for Hardware pentest” The main Hardware security audit functions are”  Sniffer,  Scanner,  Proxy,  Interact,  Dump memory
  • 18. Hardsploit: a Framework to audit IoT devices security
  • 19. Hardsploit: a Framework to audit IoT devices security Hard Sploit is a complete tool box (Hardware + Software), a Framework which facilitates the audit of electronic systems Consultant, Auditor, Pentesters, product designer etc. and at the same time increases the level of security (and trust!) of new communicating products designed by industry.
  • 20. Hardsploit: a Framework to audit IoT devices security  Hardsploit Modules will let Hardware pentester to intercept, replay and/or and send data via each type of electronic bus used by the Hardware Target. The Level of interaction that pen-testers will have depend on the electronic bus features…  Hardsploit ‘s modules enable us to analyse all sort of electronic bus (serial and parallel type) JTAG, SPI, I2C‘s, Parallel address & data bus on chip
  • 21. Hardsploit: a Framework to audit IoT devices security It is an assisted visual wiring function to help, easier connect all wires to the Hardware target:  GUI will display the pin organization (Pin OUT) of the targeted chip.  GUI will guide you throughout the wiring process between Hardsploit Connector and the target  GUI will control a set of LED that will be turn ON and OFF to easy let you find the right Hardsploit Pin Connector to connect to your target  The software part of the project will help conducting an end-to-end security audit. It will be compatible (integrated) with existing tools such as Metasploit. The integration with other API is expected to be introduced in future.  The framework is created with an ambition to provide a tool equivalent to those of the company Qualys or Nessus (Vulnerability Scanner) or the Metasploit framework but in the domain of embedded / electronic.
  • 22. the way it has progressed in past few years
  • 23. Available Resources:  https://iot-analytics.com/understanding-iot-security-part-1-iot-security-architecture/  http://resources.infosecinstitute.com/test-security-iot-smart-devices/  http://blog.attify.com/#  http://internetofthingswiki.com/iot-security-issues-challenges-and-solutions/937/  https://hardsploit.io/the-project/  http://electronicdesign.com/iot/understanding-protocols-behind-internet-things  http://www.postscapes.com/internet-of-things-protocols/ *Note: Refer to the links mentioned in the notes section of the slides.
  • 24. Available Resources:  http://resources.infosecinstitute.com/getting-started-with-iot-security-mapping-the-attack- surface/  http://resources.infosecinstitute.com/test-security-iot-smart-devices/  https://www.blackhat.com/eu-16/training/offensive-internet-of-things-iot-exploitation.html  http://www.pentesteracademy.com/course?id=27  http://nullcon.net/website/goa-2017/training/practical-iot-hacking.php  https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project  https://iotsecuritywiki.com/  *Note: Refer to the links mentioned in the notes section of the slides.
  • 25. You can find me here: https://twitter.com/aankitgiri https://www.linkedin.com/in/ankitgiri/ aankitgiri@gmail.com Thank You!

Editor's Notes

  1. connected security systems, thermostats, cars, electronic appliances, lights in household and commercial environments, alarm clocks, speaker systems, vending machines and more.  
  2. To mitigate these challenges, you should plan on using a standard port scanner or (shudder) reading the manual to discover what web services a particular device offers.
  3. Example, I have recently purchased an IP Camera from Edimax, the default credentials are as stupid as admin:1234.
  4. At DEFCON 2014 an extensive hack of an “Internet kiosk” was made possible through a tiny USB port left exposed near the floor in the back of the appliance. A related presentation called “Hack all the things: 20 devices in 45 minutes” also demonstrated how to break into many devices using externally-exposed USB ports, USB headers on circuit boards, simple serial-based “terminal headers” (e.g., “RX” and “TX”) on circuit boards and bypasses of local storage components.
  5. You must be thinking that There Weren’t That Many IoT Security Debacles? Recent studies indicate that the majority of currently available IoT devices have security vulnerabilities. HP found that as many 70 percent of IoT devices are vulnerable to attack.
  6. It can connect to any computing device via a USB port and it has 64 i/o pins.