Page 1: I DON’T GIVE ONE IOTA

Introducing the Internet of Things Attack Methodology

Larry Pesce, @haxorthematrix
Director of Research & Sr. Managing Security Consultant


Page 2: Who is your daddy and what does he do?

▪ Director of Research & Sr. Managing Security Consultant @ InGuardians
▪ Pentester, Hardware Hacker
▪ Radio Enthusiast
▪ Author, Podcaster
▪ Bad at selfies

Page 3: IOT INTRODUCTION & HISTORY

Page 4

“But what is the IoT? There are many ways to describe the IoT. More than 20 professional and research groups have worked to characterize the IoT, but so far there is not one universally accepted definition.”

NIST

Image credit: Natasha Hanacek/NIST

Page 5: What is IoT, the history

▪ Before IoT there was “embedded devices”
  • Printers, cameras, barcode scanners…
▪ They are still here!
  • More and more lumped into the IoT category
▪ The definition has begun to change…

Page 6

“There is no formal, analytic or even descriptive set of building blocks that govern the operation, trustworthiness and lifecycle of IoT components.”

Jeff Voas, NIST

Page 7: A try at a definition

▪ NIST recently released Special Publication 800-183
  • Defines 5 primitives/components of an IoT
  • Sensor, Aggregator, Communication channel, External utility, Decision Trigger
▪ NIST’s components are technical but at the “forest” level
  • So many trees missing
▪ Ultimately an NoT (Network of Things)
  • Describes more of the network than the technical components

Page 8

“With little fanfare, the first Internet of Things (IoT) model …has been published by the National Institute of Standards and Technology (NIST), the folks who set the standards for smart grid interoperability in recent years. This new model is an important step in defining exactly what the IoT is and outlining the necessary security standards that go along with it. Could this be the catalyst needed to help drive the emerging IoT market? It sure doesn’t hurt.”

Neil Strother, Navigant Consulting

Page 9: My definition…

▪ I am in agreement with NIST’s 5 components
  • As a security professional they are very generic and vague
▪ I think about the technical components that make up each
  • Mobile devices, apps, hardware, firmware, databases
  • The list goes on…
▪ From end to end I see it all as a massive connected…

Page 10: ECOSYSTEM

*this will be important later

Page 11: What’s the Market?

▪ This is not a “problem” that is going to go away
▪ We are becoming more and more connected
  • Everywhere, all the time
▪ Epic physical control
▪ Tons of data can be collected and correlated

Page 12

“…more and more “things”—ranging from remotely programmable home thermostats and wearable health and fitness devices to aircraft jet engines and the nation’s power grid—will be added to the internet every day. Devices, connectivity, and IT services will make up the majority of the projected $1.3 trillion IoT market in 2019.”

Verizon, State of the Market: Internet of Things 2016

Page 13: When it all goes wrong

▪ Collected data has value to the:
  • Consumer
  • Device manufacturer
  • Software developer
▪ Aggregating this data from multiple sources becomes mind-boggling
  • Also, even MORE valuable
▪ Imagine your fitness tracker talking to your fridge, dating app, Yelp, Untappd, home security system, GPS, car, bathroom scale…
▪ …Oh, and your healthcare provider too

Page 14

“I never expected #idiocracy to become a documentary”

Etan Cohen, Co-writer, Idiocracy

Page 15

“But if they're so successful, why haven't parasites taken over the world? The answer is simple: they have. We just haven't noticed. That's because successful parasites don't kill us; they become part of us, making us perform all the work to keep them alive and help them reproduce.”

Daniel Suarez, Daemon


Page 17: THE ECOSYSTEM

Page 18: NIST to Reality

▪ It all starts with a device that does “something”
▪ …and the network it connects to
▪ …and the mobile app to interact with it
▪ …and the hosted service to interact with the app
▪ …and the data aggregation databases parsing the hosted service
▪ …and the monetization and big data

Page 19: One part

▪ It only takes one part of the ecosystem to make this go sideways
▪ Mirai IoT botnet
  • Discovers and logs into DVRs via telnet with default passwords
  • Uses compromised DVRs to launch DDoS attacks and others
▪ Used to take Brian Krebs’ site offline
  • Sustained 620Gbps (gigabits) of traffic, no amplification
  • 2x Akamai’s previously observed largest attack, WITH amplification
▪ Originated from approximately 305,000 DVRs and additional IoT devices
▪ And that is only one part of the ecosystem!

Page 20: one thing…

Page 21: Turns into many things…

Page 22: Many, many things

Page 23: …and then they talk

I’m sure I forgot a few dozen connections

Page 24: This is why testing the entire IoT ecosystem is more important than ever

Page 25: IoTA

*Internet of Things Attack methodology

Page 26: METHODOLOGY, IMPLEMENTATION AND LAB(S)

Page 27: 5 environments

▪ Hardware
  • Firmware
  • Radio
  • WiFi
  • Bluetooth/BLE
▪ Web App
▪ Mobile App
  • iOS/Android
▪ Network/Traditional pentest/“Cloud”
  • Internal/B2B
  • Internet facing
▪ API

Page 28: Hardware (Lab)

▪ First step, interaction
▪ Hand tools, security bits, pliers, soldering iron, etc…
▪ TTL Serial, RS-232, JTAG, I2C, SPI
  • TTL and RS-232 adapters, GoodFET, Bus Pirate
  • Total Phase Aardvark, Saleae Logic-X, O-scope
▪ WiFi adapters, SDR, Bluetooth dongles
▪ Internet and data sheets for deciphering chipset pinout, capabilities, protocols
▪ Practice on cheap gear! (Deal Extreme, AliBaba, etc.)

Page 29: Hardware (Firmware)

▪ Firmware analysis from memory or download
  • Observing traffic over WiFi during the update process, perhaps?
  • Obtain URL, or even full contents, from traffic
▪ Manual extract and mount as filesystem (Linux)
▪ Binwalk, memory acquisition/analysis tools
▪ Analysis, Analysis, Analysis
  • System configuration files
  • Password cracking
  • Management interface (web page) examination
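The firmware slide above lists binwalk, filesystem extraction and configuration-file review. The block below is an added example written for this page, not material from the talk: a miniature version of that triage over a constructed image whose only contents are a uImage-style header, a gzip-compressed /etc/passwd and a squashfs magic; the hash in the sample passwd is a placeholder.

```python
import zlib
import gzip

# Magic bytes of containers commonly found inside firmware images
# (a tiny subset of the signatures binwalk carries).
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "squashfs (little-endian)",
    b"\x7fELF": "ELF",
}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def scan_signatures(blob):
    """Return sorted (offset, name) pairs for every known magic in the blob."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = blob.find(magic)
        while start >= 0:
            hits.append((start, name))
            start = blob.find(magic, start + 1)
    return sorted(hits)


def carve_gzip(blob, offset):
    """Decompress the gzip member starting at offset; trailing bytes are ignored."""
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(blob[offset:])


def risky_accounts(passwd_text):
    """Flag /etc/passwd entries a firmware review should call out."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":                       # login with no password at all
            findings.append((user, "empty password"))
        elif pw not in ("x", "*", "!"):    # hash kept in world-readable passwd
            findings.append((user, "hash in world-readable passwd"))
        if uid == "0" and user != "root" and shell not in NOLOGIN_SHELLS:
            findings.append((user, "extra uid 0 account"))
    return findings


# Constructed sample image; the admin hash is a made-up placeholder.
PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "admin:$1$PLACEHOLDER$notarealhash:0:0:admin:/:/bin/sh\n"
    "guest::1000:1000::/tmp:/bin/sh\n"
    "daemon:*:1:1::/:/sbin/nologin\n"
)
FIRMWARE = (
    b"\x27\x05\x19\x56" + b"\x00" * 60          # header + padding (gzip at 64)
    + gzip.compress(PASSWD.encode(), mtime=0)   # mtime=0 keeps the bytes stable
    + b"\xff" * 16 + b"hsqs" + b"\x00" * 12     # filler, then a squashfs magic
)


def triage(blob):
    """Scan, carve the first gzip member and review the passwd it holds."""
    hits = scan_signatures(blob)
    gz = [off for off, name in hits if name == "gzip"][0]
    return hits, risky_accounts(carve_gzip(blob, gz).decode())
```

Real images need the full binwalk signature set and an unsquashfs/jefferson step for the filesystem itself; the passwd review then applies unchanged.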

Page 30: Hardware (Board analysis)

▪ JTAG great for recovering firmware, memory
  • Static passwords, hashes, device configuration
  • Filesystem, memory forensics
▪ SPI, I2C, *Serial for observing inter-chip comms
  • Boot time configuration downstream*
  • Bus sniffing FTW
  • Plaintext during use
▪ Pull firmware from distributor*

Page 31: Hardware (Radio)

▪ Radio analysis, RX and TX
▪ RTL-SDR (RX), HackRF One (RX/TX), BladeRF (RX/TX), LimeSDR (RX/TX)
  • GNU Radio, GNU Radio Companion, GQRX
▪ YardStick One, DONSDONGLE (CC1111)
  • RFcat
▪ Semi-proprietary sends us down the rabbit hole
  • Nordic nRF24L01+, Z-Wave, Zigbee, LoRa, WirelessHART
  • Having copies of radios/devkits great for interaction (see bus sniffing for configs)
▪ What happens when we capture and replay traffic?
  • With modification?
  • Without modification?

Page 32: Hardware (WiFi)

▪ Stand up your own access point and tcpdump FTW
  • Also, capture in air with WiFi/monitor mode
  • Easier to do upstream on Ethernet!
▪ Examine traffic during
  • Boot
  • Normal use
  • “duress”
  • Sitting idle
▪ Massive amounts of traffic to analyze
▪ Wireshark, Snort hugely helpful
▪ WiFi analysis not too helpful in itself, unless the network is defined by the manufacturer
  • Default key selection, configuration when WiFi is delivered by the device, not a participant
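The slide above says to examine traffic during boot, normal use, duress and idle. The block below is an added example, not from the talk: it reads constructed tcpdump-style lines per phase, assumes the device under test sits at 192.168.4.20 in a lab, and flags plaintext services and destinations that show up only while the device is supposedly idle.

```python
import re

# tcpdump -n output: "HH:MM:SS.frac IP src.sport > dst.dport: ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
# Services that carry credentials or telemetry in the clear.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}
DEVICE_IP = "192.168.4.20"  # constructed lab address of the device under test


def outbound_flows(lines):
    """(dst, dport) for every packet the device itself sent."""
    flows = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["src"] == DEVICE_IP:
            flows.add((m["dst"], int(m["dport"])))
    return flows


def review(captures):
    """captures maps phase name -> tcpdump lines; returns review findings."""
    base = {phase: outbound_flows(lines) for phase, lines in captures.items()}
    out = []
    for phase, flows in base.items():
        for dst, port in sorted(flows):
            if port in PLAINTEXT_PORTS:
                out.append((phase, dst, port, "plaintext " + PLAINTEXT_PORTS[port]))
    # Anything the device talks to only while "idle" deserves a closer look.
    active = set().union(*(f for p, f in base.items() if p != "idle"))
    for dst, port in sorted(base.get("idle", set()) - active):
        out.append(("idle", dst, port, "only seen while idle"))
    return out


# Constructed capture excerpts (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; nothing here is a real endpoint).
CAPTURES = {
    "boot": [
        "00:00:02.210 IP 192.168.4.20.40001 > 192.168.4.1.53: 1+ A? fw.vendor.test. (32)",
        "00:00:02.500 IP 192.168.4.20.40002 > 203.0.113.10.80: Flags [S], seq 1, length 0",
        "00:00:02.600 IP 203.0.113.10.80 > 192.168.4.20.40002: Flags [S.], seq 7, length 0",
    ],
    "normal": [
        "00:05:10.000 IP 192.168.4.20.40003 > 203.0.113.20.443: Flags [P.], length 517",
        "00:05:11.000 IP 192.168.4.20.40004 > 203.0.113.20.8883: Flags [S], length 0",
    ],
    "idle": [
        "01:00:00.000 IP 192.168.4.20.40005 > 203.0.113.20.443: Flags [P.], length 91",
        "01:30:00.000 IP 192.168.4.20.40006 > 198.51.100.7.1883: Flags [S], length 0",
    ],
}

if __name__ == "__main__":
    for finding in review(CAPTURES):
        print(finding)
```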

Page 33: Hardware (Bluetooth/BLE)

▪ Bluetooth is hard. BLE is frightening.
▪ Ubertooth One, standard BLE dongle
▪ Bluetooth discover, connect
  • Listen, playback
  • Interact with “public” services, default pins for others
  • sdptool, hcitool, Ubertooth suite, BLESuite and BLEReplay
▪ BLE discover, connect
  • Pin recovery with crackle
  • Interact with public services, read/write values

Page 34: Web App (Lab)

▪ This is super simple!
▪ A web browser, time and creativity
▪ Of course some tools help speed that up
  • Burp, Zed, Charles
  • dirb, wpscan, sqlmap
▪ curl, wget, Python also helpful
▪ Some targets for practice?
  • Mutillidae, Hacme Bank, etc.
  • Oh, and Bug Bounty programs!

Page 35: Web App (In practice)

▪ All sorts of fun stuff to be found!
▪ XSS, SQLi
▪ Session token expiration and modification
▪ Token entropy calculations, sequential sessions
▪ Unauthenticated access
▪ User manipulation/escalation of privs
▪ Data manipulation, field length checking
▪ Command injection, directory traversal
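The slide above mentions token entropy calculations and sequential sessions. As an added example (mine, not from the talk), the checks below score a sample of issued session identifiers; both sample sets are constructed, and the 64-bit bar is the OWASP session-management recommendation.

```python
import math
import random
from collections import Counter

# OWASP's session-management guidance asks for at least 64 bits of entropy
# per session identifier; used here as the pass/fail bar.
MIN_ENTROPY_BITS = 64


def entropy_bits_per_token(tokens):
    """Estimate bits per token from character frequencies across the sample.

    This is a smell test only: it over-estimates for tokens that look random
    but derive from a counter or timestamp, so pair it with is_sequential()."""
    chars = "".join(tokens)
    n = len(chars)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(chars).values())
    return per_char * (n / len(tokens))


def is_sequential(tokens, max_step=1000):
    """True when the tokens, read as hex integers in issue order, advance by a
    small positive step each time (the signature of a counter-based generator)."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    deltas = [b - a for a, b in zip(values, values[1:])]
    return bool(deltas) and all(0 < d <= max_step for d in deltas)


def assess(tokens):
    """Combine both checks into a verdict for the sampled generator."""
    bits = entropy_bits_per_token(tokens)
    seq = is_sequential(tokens)
    verdict = "weak" if seq or bits < MIN_ENTROPY_BITS else "ok"
    return {"bits": round(bits, 1), "sequential": seq, "verdict": verdict}


# Constructed samples: a counter-based generator, and 128-bit random tokens
# (a seeded PRNG stands in for the real CSPRNG so the run is reproducible).
COUNTER_TOKENS = ["c0ffee00", "c0ffee01", "c0ffee02", "c0ffee03"]
_rng = random.Random(2017)
RANDOM_TOKENS = ["%032x" % _rng.getrandbits(128) for _ in range(8)]

if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_TOKENS), ("random", RANDOM_TOKENS)):
        print(name, assess(sample))
```

The frequency estimate only catches a skewed alphabet or short tokens; a generator seeded from time or a PID can pass it and still be guessable, which is why the issue-order check sits beside it.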

Page 36: Mobile App (Lab)

▪ Time to acquire devices!
  • Multiple for each platform helpful for comparison
  • Android, iOS
  • Emulation OK for Android, limited for iOS
▪ Don’t buy the latest and greatest
  • You want to be able to root/jailbreak
  • Older/used less expensive (think $40 Android tablet clone)
▪ Hopper, IDA Pro, IDB, Frida, MobSF, filesystem browser, SSH, terminal
▪ Pick an app and have fun
  • Disclose responsibly/bug bounty, please.

Page 37: Mobile App (In practice)

▪ Intercept and examine traffic
▪ Respond with malformed values
  • Good use for web app proxy/Charles proxy
▪ Obtain values for interacting with Web apps
▪ Capture of credentials/cookies
  • These may be fun for API interaction!
▪ On-disk app analysis
  • What is in the configs?
  • What is on disk?
  • What is in memory?
▪ Buffer overflow, underrun, format string, etc.

Page 38: Network Pentesting (Lab)

▪ So, so many volumes to be said; 3-6 slides will not do this justice
  • Internal, B2B, Cloud, AWS have so many similarities
▪ Building a scenario
  • Insider threat
  • Assumed compromise
  • Determined attacker/Industrial Espionage/Nation-state
▪ ESX, MSDN, Linux
  • Build all the things! Webservers, Databases, LDAP, E-mail
▪ Raspi, Beaglebone, ODROID
  • For when virtualization won’t do: “real hardware”
▪ Cisco CCIE lab, Emulation
  • Because you can only emulate so much with ESX virtual networking.

Page 39: Network Pentesting (Lab)

▪ External gets crazy real fast
▪ OSINT
  • Maltego, Shodan, Censys, Google
▪ Scanning and Enumeration
  • nmap, dnsrecon, Nessus, etc.
  • Internal, B2B, Cloud, AWS have so many similarities
▪ Exploitation and C2
  • Metasploit, Cobalt Strike and others
▪ Test environments in AWS and other cloud providers

Page 40: Network Pentesting (In Practice)

▪ Recon
▪ Scan
▪ Analyze/Enumerate
▪ Exploit
▪ Pillage the Village
▪ Pivot
▪ Now do it all over again!

Page 41: API Testing (Lab)

▪ In most cases we won’t have advance access
▪ Find tools with a similar API
▪ Implement in one of your ESXi hosts
▪ Pick a programming language and GO!
  • Be mindful of major versions and backwards compatibility, e.g. Python
▪ Web app proxies (Burp Suite, ZAP, etc.), SoapUI, custom tools
▪ Understanding OAuth, SASL is huge!

Page 42: API Testing (In Practice)

▪ What kind of API language?
  • XML, SOAP, JSON, RESTful, WSDL, Binary/HTTP, Custom
  • Each environment introduces its own unique challenges
▪ Unique tools per API methodology
▪ Find libraries for your language of choice

Page 43: IN CONCLUSION

Page 44: Woah.

Page 45

“Tank, I need a pilot program for a military M-109 helicopter.”

Trinity, The Matrix

Page 46: Full scope IoT penetration testing encompasses many disciplines and volumes of knowledge

Page 47

“[METAL DETECTOR BEEPS] Holy shit!”

Lobby Guard, The Matrix

Page 48: Don’t go it alone. Build a diverse, capable team


Page 50: Together we can help build a better ecosystem

Page 51: Where do I get it?

▪ Turns out this is a massive undertaking!
▪ We are almost ready to unleash the final document
▪ Stay tuned. When ready, it will be available at:

www.inguardians.com/iota

Page 52: Thank you!

@haxorthematrix
[email protected]