Security testing the Internet-of-things

Transcription

1 Security testing the Internet-of-things Lindholmen Software Development Day Emilie Lundin Barse Informa(on Security Consultant, Combitech

2 Contents State of security in Internet- of- things A:ack surfaces OWASP Internet of Things top 10 Case studies a:ack examples 2

3 About me PhD in computer engineering (Chalmers) logging and intrusion detec(on Informa(on Security Consultant for 9 years Areas of interest Log analysis Intrusion detec(on Pentra(on tes(ng/security tes(ng Code review 3

4 4

5 State of security in Internet of Things Immature area when it comes to security Security by obscurity ORen not working anymore informa(on spreads Different actors have studied the area for some (me Researchers, standardisa(on organisa(ons Trust is needed Sensi(ve/personal informa(on is handled SCADA systems malicious control can have great impact Consumer worries about security and privacy prevents development Vendors do the implementa(ons Must also design, implement and test for security 5

6 A>ack surfaces sensor attacker Internet cloud service central manager, analyst third party data user management interface private network manager sensors sensor data 6

7 A>ack surfaces sensor attacker Internet cloud service central manager, analyst third party data user management interface private network manager sensors sensor data 7

8 A>ack surfaces sensor attacker Internet cloud service central manager, analyst third party data user management interface private network manager sensors sensor data 8

9 machine to machine interfaces Less documenta(on Non- standard/less common protocols Less security Limita(ons in computa(onal power prevents use of cryptography Security updates may not exist or are released seldom Hardware limita(ons fixing security vulnerabili(es may require new hardware May take more (me for a:acker But standard components used in many applica(ons Common that replay a:acks can be used Or very simple authen(ca(on schemes 9

10 machine to machine interfaces Security tester/a:acker may need new tools and hardware equipment SoRware defined radio Protocol analysis tools (e.g. carshark) Fuzzing Need a device or two for tes(ng 10

11 OWASP Internet of Things Top 10 I1 Insecure Web Interface I2 Insufficient Authen(ca(on/Authoriza(on I3 Insecure Network Services I4 Lack of Transport Encryp(on I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure SoRware/Firmware I10 Poor Physical Security 11

12 Case study car (in)security Source: Stephen Checkoway et al. Usenix 2011

13 Case study car (in)security Successfully hacked a:ack surfaces: CAN buses Any func(on can be accessed - breaking, steering, accelera(ng, Physical access/diagnos(c connector Can also be reached remotely via telema(cs unit Wireless car key CD player Bluetooth Source: Stephen Checkoway et al. Usenix 2011

14 Exploit example Bluetooth in car Comprehensive experimental analyses of Automo(ve A:ack Surfaces Stephen Checkoway et al. Usenix 2011 Bluetooth for connec(ng cell phone - telema(cs unit Arbitrary code execu(on vulnerability Reverse engineering of bluetooth implementa(on in telema(cs ECU Unsafe string copy func(ons found one in handling bluetooth configura(on command - > buffer overflow Requires paired bluetooth device indirect compromise phone with trojan app direct bruteforce PIN for pairing 14

15 Case study hack your home Home alarm systems NAS (storage) Smart TV Toys Baby monitors 15

16 Exploit example Home alarm system Tested alarm system for home usage in higher price range Found two ways of a:acking: Physical a:ack Read security codes from PIC processor memory RF communica(on Turn of alarm by replay a:ack of signal from key fob Source: Silvio Cesare, BlackHat USA

17 Links OWASP Internet of Things Top Ten: h:ps://owasp.org/index.php/owasp_internet_of_things_top_ten_project HP Internet of Things Survey: h:p://for(fyprotect.com/hp_iot_research_study.pdf Shodan search engine for Internet connected devices: h:ps:// Owning a building Billy Rios, BlackHat 2014: h:ps:// 14/materials/Rios/Asia- 14- Rios- Owning- A- Building- Exploi(ng- Access- Control- And- Facility- Management.pdf 17

18 18

19 19

20 20

21 21

22