1 IoT Security

The document discusses security challenges for Internet of Things (IoT) networks, explaining that IoT connects physical devices to exchange data over the internet which introduces new attack vectors. It outlines various attack vectors including devices, networks, administrative interfaces, cloud infrastructure and storage that can be exploited due to issues like lack of encryption, default credentials, firmware vulnerabilities, and improper access controls. The document emphasizes that IoT security is important as connected devices like cars can be hacked remotely without user interaction.

Uploaded by

lakshmisudarshan

ATAL FDP on Cybersecurity for Internet of Things

Introduction to
Security for IoT Networks

Presented by:
Dr. Neelam Dayal
Asst. Professor
IIITDM Jabalpur

Internet of Things
● Network of physical objects—a.k.a. "things"—that are embedded with sensors,
software, and other technologies for the purpose of connecting and exchanging data
with other devices and systems over the Internet
● “The Internet of Things (IoT) is a system of interrelated computing devices,
mechanical and digital machines, objects, animals or people that are provided with
unique identifiers and the ability to transfer data over a network without requiring
human-to-human or human-to-computer interaction.”
--Kevin Ashton

IoT Applications

Benefits of Using IoT

IoT Architecture

Why IoT Security Matters?
Two researchers have shown how a Tesla — and possibly other cars — can be hacked remotely without any user
interaction. They carried out the attack from a drone.

Main Challenges in IoT Security
- “Things” not secure inherently
- Usability vs. Security
- Heterogeneous nature of “Things”
- Resource constraint
- Complex supply chain dynamics
- Security cost
- Inconsistent production standards
- Poor maintenance & updates

Attack Vectors
[Figure: IoT device, Gateway, Cloud, Remote Control]

● Ecosystem
● Device
● Communication network
● Cloud and storage
● Mobile application
● Administrative interface

Attack Vector: Ecosystem

Attack Surface: Ecosystem (general)
Vulnerabilities:
● Interoperability standards
● Data governance
● System wide failure
● Individual stakeholder risks
● Implicit trust between components
● Enrollment security
● Decommissioning system
● Lost access procedures

Attack Surface: Ecosystem Communication
Vulnerabilities:
● Health checks
● Heartbeats
● Ecosystem commands
● Deprovisioning
● Pushing updates

Attack Vector: Device

Attack Surface: Hardware (Sensors)
Vulnerabilities:
● Sensing Environment Manipulation
● Tampering (Physically)
● Damage (Physical)

Attack Surface: Device Memory
Vulnerabilities:
● Sensitive data
○ Cleartext usernames
○ Cleartext passwords
○ Third-party credentials
○ Encryption keys

Attack Surface: Device Web Interface
Vulnerabilities:
● Standard set of web application vulnerabilities
● Credential management vulnerabilities:
○ Username enumeration
○ Weak passwords
○ Account lockout
○ Known default credentials
○ Insecure password recovery mechanism

Attack Vector: Device Contd...

Attack Surface: Device Physical Interfaces
Vulnerabilities:
● Firmware extraction
● User CLI
● Admin CLI
● Privilege escalation
● Reset to insecure state
● Removal of storage media
● Tamper resistance
● Debug port
○ UART (Serial)
○ JTAG / SWD
● Device ID/Serial number exposure

Attack Vector: Device Contd...

Attack Surface: Device Firmware
Vulnerabilities:
● Sensitive data exposure:
○ Backdoor accounts
○ Hardcoded credentials
○ Encryption keys
○ Encryption (Symmetric, Asymmetric)
○ Sensitive information
○ Sensitive URL disclosure
● Firmware version display and/or last update date
● Vulnerable services (web, ssh, tftp, etc.)
○ Check for old software versions and possible attacks (Heartbleed, Shellshock, old PHP versions, etc.)
● Security related function API exposure
● Firmware downgrade possibility

Attack Vector: Device Contd...

Attack Surface: Device Network Services
Vulnerabilities:
● Information disclosure
● User and Administrative CLI
● Injection
● Unencrypted Services
● Poorly implemented encryption
● Test/Development Services
● Buffer Overflow
● UPnP
● Vulnerable UDP Services
● Device Firmware OTA update block
● Firmware loaded over insecure channel (no TLS)
● Lack of payload verification
● Lack of message integrity check
● Credential management vulnerabilities:
○ Username enumeration
○ Weak passwords
○ Account lockout
○ Known default credentials
○ Insecure password recovery mechanism

Attack Vector: Network

Attack Surface: Network Traffic
Vulnerabilities:
● LAN
● LAN to Internet
● Short range
● Non-standard
● Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)
● Protocol fuzzing
● Replay attack
● Denial of Service Attack

Attack Vector: Administrative Interface

Attack Surface: Administrative Interface
Vulnerabilities:
● Standard set of web application vulnerabilities
● Credential management vulnerabilities:
○ Username enumeration
○ Weak passwords
○ Account lockout
○ Known default credentials
○ Insecure password recovery mechanism
● Security/encryption options
● Logging options
● Two-factor authentication
● Check for insecure direct object references
● Inability to wipe device

Attack Surface: Update Mechanism
Vulnerabilities:
● Update sent without encryption
● Updates not signed
● Update location writable
● Update verification
● Update authentication
● Malicious update
● Missing update mechanism
● No manual update mechanism

Attack Vector: Cloud and Storage

Attack Surface: Cloud Web Interface
Vulnerabilities:
● Standard set of web application vulnerabilities
● Credential management vulnerabilities:
○ Username enumeration
○ Weak passwords
○ Account lockout
○ Known default credentials
○ Insecure password recovery mechanism
● Transport encryption
● Two-factor authentication

Attack Surface: Local Data Storage
Vulnerabilities:
● Unencrypted data
● Data encrypted with discovered keys
● Lack of data integrity checks
● Use of the same static encryption/decryption key

Attack Vector: Mobile App and Vendor Backend API

Attack Surface: Mobile Application
Vulnerabilities:
● Implicitly trusted by device or cloud
● Username enumeration
● Account lockout
● Known default credentials
● Weak passwords
● Insecure data storage
● Transport encryption
● Insecure password recovery mechanism
● Two-factor authentication

Attack Surface: Vendor Backend APIs
Vulnerabilities:
● Inherent trust of cloud or mobile application
● Weak authentication
● Weak access controls
● Injection attacks
● Hidden services

Attack Vector: Authentication and Privacy

Attack Surface: Authentication/Authorization
Vulnerabilities:
● Disclosure of authentication/authorization related values (session key, token, cookie, etc.)
● Reuse of session key, token, etc.
● Device to device authentication
● Device to mobile application authentication
● Device to cloud system authentication
● Mobile application to cloud system authentication
● Web application to cloud system authentication
● Lack of dynamic authentication

Attack Surface: Privacy
Vulnerabilities:
● User data disclosure
● User/device location disclosure
● Differential privacy

Attacker’s Approach to Tear IoT Network
• Physical Attacks: Target deployed devices
  • Sensor tampering
  • Hardware tampering
  • Side channel attack
  • Malicious code or USB installation

• Network Attacks: Target IoT infrastructure
  • Man in the middle attacks
  • Sniffing
  • Traffic hijacking
  • Distributed Denial of Service attacks
  • Replay attacks

• Software Attacks: Target software installed in sensors, collectors, gateways and cloud
  • Phishing attacks
  • Malware injection
  • Ransomware
  • Botnet

Physical Tampering
[Figure: smart device with sensor, gateway, cloud, remote control. Labels: tampered; false data transmission; inaccurate decision.]

Man-in-the-Middle Attack
[Figure: smart device, gateway, cloud, remote control. Labels: attacker intercepts data; data transmission; data malformed; false decision.]

Data Sniffing
[Figure: smart device, gateway, cloud, remote control. Label: sniff private network data.]

Unauthorized Access
[Figure: smart device, gateway, cloud, remote control. Labels: log on to device exploiting vulnerabilities; impose false decision.]

Attack Server/Cloud
[Figure: smart device, gateway, cloud, remote control. Label: exploit cloud/server vulnerabilities to take server control.]

Steal User Credentials
[Figure: smart device, gateway, cloud, remote control. Labels: steal remote user credentials; communicate as remote user.]

Inject Bad Configuration
[Figure: smart device, gateway, cloud, remote control. Labels: inject bad configuration; inject bad configuration/firmware.]

Malware Injection
[Figure: smart device, gateway, cloud, remote control. Label: inject malware.]

Top 10 IoT Vulnerabilities
1. Weak, Guessable, or Hardcoded Passwords
2. Insecure Network Services
3. Insecure Ecosystem Interfaces
4. Lack of Secure Update Mechanism
5. Use of Insecure or Outdated Components
6. Insufficient Privacy Protection
7. Insecure Data Transfer and Storage
8. Lack of Device Management
9. Insecure Default Settings
10. Lack of Physical Hardening

Security Flaws During IoT Adoption

- Not having a security and privacy program
- Lack of ownership/governance to drive security and privacy for IoT devices or appliances
- Security not being incorporated into product design and ecosystems
- Insufficient security understanding and training for engineers and architects
- Lack of IoT/IIoT and device security and privacy resources
- Insufficient monitoring of devices and systems to expose security events
- Unavailability of post-market/implementation security and privacy risk management
- Lack of visibility of devices or not having a full device inventory
- Detecting and treating risks of fielded and legacy products
- Immature incident response practice

Recommendations
1. Weak, guessable or hardcoded passwords
• Every device must have a unique set of credentials
• Disable weak passwords
• Remove backdoors created during debugging
2. Insecure network services
• Use secure protocols like HTTPS, SFTP, and SSH
• Disable non-essential ports and services that provide remote access
• Keep IoT devices on a separate network
• Install regular updates

Recommendations Contd...
3. Insecure ecosystem interfaces
• Adhere to the principle of least privilege
• Block public access to S3 buckets
• Strong authentication of IoT endpoints
4. Lack of secure update mechanisms
• Only implement updates that are digitally signed
• Implement anti-rollback mechanisms
• Secure and verify access to updates
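
Added example (not from the slides): one way to enforce recommendation 4, and to close the "updates not signed" and "firmware downgrade possibility" weaknesses listed earlier, by checking an Ed25519 signature before an anti-rollback version check. The image layout and the names VerifyUpdate and BuildImage are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout: 4-byte big-endian version | payload | 64-byte Ed25519 signature.
var (
	ErrTooShort = errors.New("image too short")
	ErrBadSig   = errors.New("signature check failed")
	ErrRollback = errors.New("version not newer than installed")
)

// VerifyUpdate returns the payload only if the image carries a valid vendor
// signature and a version strictly greater than the installed one.
func VerifyUpdate(pub ed25519.PublicKey, image []byte, installed uint32) ([]byte, uint32, error) {
	if len(image) < 4+ed25519.SignatureSize {
		return nil, 0, ErrTooShort
	}
	split := len(image) - ed25519.SignatureSize
	signed, sig := image[:split], image[split:]
	// Verify first: the version field is attacker-controlled until the signature checks out.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return signed[4:], version, nil
}

// BuildImage is the signing side, included so the example runs offline.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	signed := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(signed, version)
	signed = append(signed, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key pair; nil selects crypto/rand
	img := BuildImage(priv, 7, []byte("constructed firmware payload"))
	_, _, err := VerifyUpdate(pub, img, 7) // same version offered again
	fmt.Println("re-offered image:", err)
}
```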

Recommendations Contd...
5. Use of insecure or outdated components
• Refrain from legacy technologies
• Ensure continuous tracking of hardware and software components
• Immediately replace any components that become obsolete
6. Insufficient privacy protection
• Limit the storage of personal data on devices
• Frame a data protection policy for your organization
• Prepare an incident response plan to combat any breach of security in the future

Recommendations Contd...
7. Insecure storage and transfer of data
• Ensure encryption at all levels
• Strictly utilize secure channels like HTTPS, SFTP and SSH
• Opt for one-time-use keys that aren’t stored in the device
8. Lack of device management
• Secure decommissioning, endpoint quarantine and blacklisting
• Integrate devices with asset management, bug tracking and patch management systems
• Build an interface that is flexible and seamlessly integrates with other systems

Recommendations Contd...
9. Insecure default settings
• Use only secure default settings
• Grant users permission to change default passwords
• Prompt users to change their default passwords compulsorily
10. Lack of physical hardening
• Understand how a user may modify the device
• Proactively anticipate what damages any user may inflict on the device
• Devise solutions and build an IoT device that can withstand all the possible attacks

IoT Penetration Testing

• IoT device hardware pentest
  • Internal communication protocols like UART, I2C, SPI, etc.
  • Open ports
  • JTAG debugging
  • Extracting firmware from EEPROM or flash memory
  • Tampering

IoT Penetration Testing Contd...

• Firmware penetration testing
  • Binary analysis
  • Reverse engineering
  • Analyzing different file systems
  • Sensitive keys and certificates
  • Firmware modification

IoT Penetration Testing Contd...

• Radio security analysis
  • Exploitation of communication protocols
  • BLE, Zigbee, LoRa, 6LoWPAN
  • Sniffing radio packets
  • Jamming based attacks
  • Modifying and replaying packets

IoT Penetration Testing Contd...

• Mobile, web and cloud application testing
  • Web dashboards: XSS, IDOR, injections
  • .apk and .ios source code review
  • Application reversing
  • Hardcoded API keys
  • Cloud credentials like MQTT, CoAP, AWS, etc.

IoT Penetration Testing: Software Tools

Hardware Level: Baudrate.py, Esptool, Flashrom, Minicom, Screen
Firmware Level: Binwalk, Strings, IDA Pro, Radare2, QEMU
Radio Security: Gatttool, Hcitool, GNU Radio, KillerBee

IoT Penetration Testing: Hardware Tools

● Jtagulator: identifying OCD interfaces from test points, vias, component pads, or connectors
● HackRF: transmission or reception of radio signals from 1 MHz to 6 GHz
● Ubertooth: open source Bluetooth penetration tool
● Bus Pirate: programming, debugging, and analyzing microcontrollers and other ICs
● Zigbee Sniffer: Zigbee packet sniffing
● ChipWhisperer: side-channel power analysis and glitch vulnerabilities in hardware

Bytesweep
[Figure: Bytesweep components: Bytesweep, DB, Bytesweep-watchdog, Bytesweep-cvefetch, Bytesweep-worker]

1. Artifact upload
2. Data extraction - Bytewalk
3. Data enrichment
- libmagic for file type determination
- Byte level entropy and index of coincidence for determining compression or encryption
4. Data analysis
- Search for unsafe C functions - strcpy, strcat, etc.
- Reverse engineering for code verification - Radare2
- Static string search (passwords, keys, etc.) - Regex search system
- Finding known vulnerabilities - CVE Fetch service
- Cross-lists program names and version numbers found in binaries - Watchdog service
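
Added example (not Bytesweep's code): the byte-level entropy and index-of-coincidence measurements from step 3, computed per fixed-size window to flag regions that look compressed or encrypted. The window size, the two thresholds and the function names are assumptions; the sample blob is constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math"
)

// Measure returns Shannon entropy (bits per byte, 0..8) and the index of
// coincidence (about 1/256 for uniformly random bytes) of one window.
func Measure(win []byte) (entropy, ic float64) {
	var counts [256]float64
	for _, b := range win {
		counts[b]++
	}
	n := float64(len(win))
	for _, c := range counts {
		if c > 0 {
			entropy -= c / n * math.Log2(c/n)
			ic += c * (c - 1) / math.Max(n*(n-1), 1)
		}
	}
	return entropy, ic
}

// Scan returns the offsets of fixed-size windows that look compressed or encrypted.
// The 7.5-bit and 0.006 cut-offs are assumptions for this example, not Bytesweep's.
func Scan(data []byte, size int) (hits []int) {
	for off := 0; size > 0 && off+size <= len(data); off += size {
		if e, ic := Measure(data[off : off+size]); e > 7.5 && ic < 0.006 {
			hits = append(hits, off)
		}
	}
	return hits
}

// Sample is constructed input: 4 KiB of text, then 4 KiB of SHA-256 output as the opaque region.
func Sample() []byte {
	blob := bytes.Repeat([]byte("root:x:0:0:root:/root:/bin/ash\n"), 133)[:4096]
	for i := 0; len(blob) < 8192; i++ {
		h := sha256.Sum256([]byte{byte(i)})
		blob = append(blob, h[:]...)
	}
	return blob
}

func main() { fmt.Println("opaque windows at offsets:", Scan(Sample(), 4096)) }
```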

Vulnerable Firmwares
• OWASP IoTGoat: https://github.com/OWASP/IoTGoat
• The Damn Vulnerable Router Firmware Project: https://github.com/praetorian-code/DVRF
• Damn Vulnerable ARM Router (DVAR): https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html
• ARM-X: https://github.com/therealsaumil/armx#downloads
• Azeria Labs VM 2.0: https://azeria-labs.com/lab-vm-2-0/
• Damn Vulnerable IoT Device (DVID): https://github.com/Vulcainreo/DVID

IoTGoat
• Deliberately insecure firmware
• Based on OpenWrt and maintained by OWASP
• Educates users on how to test for the most common vulnerabilities
• The vulnerability challenges are based on the OWASP IoT Top 10
• Emulate firmware for testing vulnerabilities

IoTGoat Contd...
1. Hardcoded user credentials compiled into firmware
○ binwalk - extract file system
○ cat - find usernames/passwords in /etc/passwd
○ cat - find hash in /etc/shadow
○ John or hashcat - crack the hash
○ Hydra, Medusa, or Ncrack - brute force using username (iotgoatuser) and passwords

2. Insecure Network Services
○ nmap - scan open ports
○ get service versioning information

3. Insecure Ecosystem Interfaces
○ Secret Developer Diagnostics Page
○ nmap - scan open ports
○ netcat - connect to identified open port
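
Added example (not part of IoTGoat or the slides): the defender's side of challenge 1, a build-time audit of the /etc/shadow extracted from a firmware image that reports every account shipping with a usable password. AuditShadow and the sample file are constructed for this example, and the hash strings are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one account whose password is baked into the firmware image.
type Finding struct{ User, Issue string }

// AuditShadow inspects the text of an extracted /etc/shadow and reports every
// account that can log in with a credential shipped in the image.
func AuditShadow(shadow string) (out []Finding) {
	for _, line := range strings.Split(shadow, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		user, pw := f[0], f[1]
		switch {
		case pw == "":
			out = append(out, Finding{user, "empty password"})
		case pw[0] == '!' || pw[0] == '*':
			// locked or disabled: no password login possible
		case strings.HasPrefix(pw, "$1$"):
			out = append(out, Finding{user, "hardcoded hash, weak scheme md5crypt"})
		case !strings.HasPrefix(pw, "$"):
			out = append(out, Finding{user, "hardcoded hash, legacy DES-style"})
		default:
			out = append(out, Finding{user, "hardcoded hash"})
		}
	}
	return out
}

// Constructed sample; the hash strings are placeholders, not real hashes.
const sampleShadow = `root:$1$CONSTRUCTED$placeholderplaceholder00:18555:0:99999:7:::
daemon:*:0:0:99999:7:::
iotgoatuser:$6$CONSTRUCTED$placeholder:18555:0:99999:7:::
ftp::0:0:99999:7:::
nobody:!:0:0:99999:7:::`

func main() {
	for _, f := range AuditShadow(sampleShadow) {
		fmt.Printf("%-12s %s\n", f.User, f.Issue)
	}
}
```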
