SlideShare a Scribd company logo

IoT Attack Surfaces -- DEFCON 2015

Daniel Miessler
Daniel Miessler

Introduction to the IoT Attack Surfaces Project, which is part of the OWASP IoT Project

Technology
1 of 60
Download to read offline
What someone said about “junk hacking” Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
IoT Attack Surface Mapping Seeking a universal, surface-area approach to IoT testing Daniel Miessler IoT Village, DEFCON 23 August 2015
Junk Hacking and Vuln Shaming Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
What’s in a name? ! Universal Daemonization ! Universal Object Interaction ! Programmable Object Interfaces (POIs) ! Transfurigated Phase Inversion
Defining IoT ๏ [ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. ๏ [ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.
 ๏ [ MY PREFERRED ] The interface between the physical and digital world that allows one to gather information from—and control—everyday objects.
What to do?
What to do?
What to do?
What to do?
What to do?
IoT Security != Device Security IoT Device
Existing approaches… ๏ Look at a collection of common vulnerabilities, risks, etc.
 ๏ Pull up your go-to list
 ๏ Consider some bad scenarios ๏ Check for what others have found on other devices
OWASP
The Previous Version ๏ Used the Top 10 name
 ๏ Mixed surfaces with vulnerability types
New OWASP IoT Project Structure IoT Project Attack Surface Areas Testing Guide Top Vulnerabilities
Subtle differences in approach
Different approaches to finding vulns 1. Let me check against this list of vulns
Different approaches 1. Let me check against this list of vulns.
 2. Let me check my favorite go- to issues

Different approaches 1. Let me check against this list of vulns.
 2. Let me check my favorite go-to issues
 3. What common surface areas do IoT systems share that I need to make sure I don’t miss?
The IoT Attack Surfaces
Ecosystem Access Control Ecosystem Access Control ✓ Authentication ✓ Session management ✓ Implicit trust between 
 components ✓ Enrollment security ✓ Decomissioning system ✓ Lost access procedures
Device Memory Device Memory ✓ Cleartext usernames ✓ Cleartext passwords ✓ Third-party credentials ✓ Encryption keys
Device Physical Interfaces Device Physical Interfaces ✓ Firmware extraction ✓ User CLI ✓ Admin CLI ✓ Privilege escalation ✓ Reset to insecure state
Device Web Interface Device Web Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
Device Firmware Device Firmware ✓ Hardcoded passwords ✓ Sensitive URL disclosure ✓ Encryption keys
Device Network Services Device Network Services ✓ Information disclosure ✓ User CLI ✓ Administrative CLI ✓ Injection ✓ Denial of Service
Administrative Interface Administrative Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
Local Data Storage Local Data Storage ✓ Unencrypted data ✓ Data encrypted with
 discovered keys ✓ Lack of data integrity
 checks
Cloud Web Interface Cloud Web Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
Third-party Backend APIs Third-party Backend APIs ✓ Unencrypted PII sent ✓ Encrypted PII sent ✓ Device information leaked ✓ Location leaked
Update Mechanism Update Mechanism ✓ Update sent without 
 encryption ✓ Updates not signed ✓ Update location 
 writable
Mobile Application Mobile Application ✓ Implicitly trusted 
 by device or cloud ✓ Known credentials ✓ Insecure data storage ✓ Lack of transport 
 encryption
Vendor Backend APIs Vendor Backend APIs ✓ Inherent trust of cloud 
 or mobile application ✓ Weak authentication ✓ Weak access control ✓ Injection attacks
Ecosystem Communication Ecosystem Communication ✓ Health checks ✓ Heartbeats ✓ Ecosystem commands ✓ Deprovisioning ✓ Update pushes
Network Traffic Network Traffic ✓ LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
IoT Attack Surface Areas Device Network Services Cloud Web Interface Administrative Interface Device Firmware Local Data Storage Vendor Backend APIs Third-party Backend APIs Device Web Interface Device Physical Interfaces Device Memory Ecosystem Access Control Update Mechanism Mobile Application Vendor Backend APIs Network Traffic Ecosystem Communication
The OWASP IoT Attack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
Surfaces → vulns → data Attack Surface Vulnerability Data Type • Administrative interface • Weak password policy • Lack of account lockout
 • Credentials • Local data storage • Data stored without encryption • PII • Web Cloud Interface • SQLi • PII • Account data • Device Firmware • Sent over HTTP • Hardcoded passwords • Hardcoded encryption keys • Credentials • Application data • Vendor Backend APIs • Permissive API Data Extraction • PII • Account data • Device Physical Interfaces • Unauthenticated root access • ***
Back to the network… Network Traffic ✓ LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
What people think they have
What people actually have cleartext honeytoken cleartext sensitive data cleartext sensitive data
What I like to look for in pcaps 1. How many connections were made?
 2. To how many destinations?
 3. Was the sensitive data I entered
 into the ecosystem seen in the
 network traffic?
 4. If so, that’s bad
Getting your capz
The OWASP IoT Attack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
Sister projects
This is a Craig Smith Slide Craig Smith
Takeaways and Goodies 1. IoT testing is the same as any other testing
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome
Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome 8. There’s a handout!
Thank you! The OWASP IoT Attack Surfaces Project
 https://www.owasp.org/index.php/ OWASP_Internet_of_Things_Project Caparser
 https://github.com/danielmiessler/caparser @danielmiessler @craigz28 TX to HP Fortify on Demand

Recommended

The IoT Attack Surface
The IoT Attack SurfaceThe IoT Attack Surface
The IoT Attack Surface
Daniel Miessler
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
Deep Shankar Yadav
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
Prashant Chopra
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
IoT Security
IoT SecurityIoT Security
IoT Security
Narudom Roongsiriwong, CISSP
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
IPsec
IPsecIPsec
IPsec
abdullah roomi
 
Security of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxSecurity of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptx
MohanPandey31
 

Recommended

The IoT Attack Surface
The IoT Attack SurfaceThe IoT Attack Surface
The IoT Attack Surface
Daniel Miessler
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
Deep Shankar Yadav
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
Prashant Chopra
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
IoT Security
IoT SecurityIoT Security
IoT Security
Narudom Roongsiriwong, CISSP
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
IPsec
IPsecIPsec
IPsec
abdullah roomi
 
Security of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxSecurity of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptx
MohanPandey31
 
Threat Hunting with Splunk
Threat Hunting with Splunk Threat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
Bharath Rao
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
n|u - The Open Security Community
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
Franklin Mosley
 
Getting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsGetting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigations
Olakanmi Oluwole
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
Deepak Upadhyay
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
Aravind R
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
Stephen Lahanas
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research Sources
LearningwithRayYT
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
malware analysis
malware analysismalware analysis
malware analysis
20CS201AkashR
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
CAS
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
2. secure web gateway
2. secure web gateway2. secure web gateway
2. secure web gateway
Fabrizio Volpe
 
SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015
Daniel Miessler
 
IoT Security – It’s in the Stars! 16_9 v201605241355
IoT Security – It’s in the Stars! 16_9 v201605241355IoT Security – It’s in the Stars! 16_9 v201605241355
IoT Security – It’s in the Stars! 16_9 v201605241355
AndrewRJamieson
 

More Related Content

What's hot

DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
Franklin Mosley
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
Stephen Lahanas
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 

What's hot (20)

Threat Hunting with Splunk
Threat Hunting with Splunk Threat Hunting with Splunk
Threat Hunting with Splunk
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
 
Getting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsGetting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigations
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research Sources
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
malware analysis
malware analysismalware analysis
malware analysis
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
2. secure web gateway
2. secure web gateway2. secure web gateway
2. secure web gateway
 

Viewers also liked

IoT Security – It’s in the Stars! 16_9 v201605241355
IoT Security – It’s in the Stars! 16_9 v201605241355IoT Security – It’s in the Stars! 16_9 v201605241355
IoT Security – It’s in the Stars! 16_9 v201605241355
AndrewRJamieson
 

Viewers also liked (20)

SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015
 
IoT Security – It’s in the Stars! 16_9 v201605241355
IoT Security – It’s in the Stars! 16_9 v201605241355IoT Security – It’s in the Stars! 16_9 v201605241355
IoT Security – It’s in the Stars! 16_9 v201605241355
 
IoT of heart rate watchdog
IoT of heart rate watchdogIoT of heart rate watchdog
IoT of heart rate watchdog
 
Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter
 
The Real Internet of Things: How Universal Daemonization Will Change Everything
The Real Internet of Things: How Universal Daemonization Will Change EverythingThe Real Internet of Things: How Universal Daemonization Will Change Everything
The Real Internet of Things: How Universal Daemonization Will Change Everything
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of Things
 
Evolution of The Application
Evolution of The ApplicationEvolution of The Application
Evolution of The Application
 
Adaptive Testing Methodology [ ATM ]
Adaptive Testing Methodology [ ATM ]Adaptive Testing Methodology [ ATM ]
Adaptive Testing Methodology [ ATM ]
 
Implementing Inexpensive Honeytrap Techniques
Implementing Inexpensive Honeytrap TechniquesImplementing Inexpensive Honeytrap Techniques
Implementing Inexpensive Honeytrap Techniques
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Peak Prevention: Moving from Prevention to Resilience
Peak Prevention: Moving from Prevention to ResiliencePeak Prevention: Moving from Prevention to Resilience
Peak Prevention: Moving from Prevention to Resilience
 
Blueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT ProductBlueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT Product
 
Dia01 08 keynote_alvaro_mello_gartner
Dia01 08 keynote_alvaro_mello_gartnerDia01 08 keynote_alvaro_mello_gartner
Dia01 08 keynote_alvaro_mello_gartner
 
Fullstack IoT Development
Fullstack IoT DevelopmentFullstack IoT Development
Fullstack IoT Development
 
Raspberry Pi as IoT gateway
Raspberry Pi as IoT gatewayRaspberry Pi as IoT gateway
Raspberry Pi as IoT gateway
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
 
Full Buku sakti belajar hacker
Full Buku sakti belajar hackerFull Buku sakti belajar hacker
Full Buku sakti belajar hacker
 
Securing Medical Devices Using Adaptive Testing Methodologies
Securing Medical Devices Using Adaptive Testing MethodologiesSecuring Medical Devices Using Adaptive Testing Methodologies
Securing Medical Devices Using Adaptive Testing Methodologies
 
Smart Cities are the Internet of Things
Smart Cities are the Internet of ThingsSmart Cities are the Internet of Things
Smart Cities are the Internet of Things
 

Similar to IoT Attack Surfaces -- DEFCON 2015

Security challenges for internet of things
Security challenges for internet of thingsSecurity challenges for internet of things
Security challenges for internet of things
Monika Keerthi
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security Controls
Jay Nagar
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Product of Things
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in ActionBurning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Josh Sokol
 
Information security questions
Information security questions Information security questions
Information security questions
gamemaker762
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 

Similar to IoT Attack Surfaces -- DEFCON 2015 (20)

Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Security challenges for internet of things
Security challenges for internet of thingsSecurity challenges for internet of things
Security challenges for internet of things
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network security
 
Practical IoT Security in the Enterprise
Practical IoT Security in the EnterprisePractical IoT Security in the Enterprise
Practical IoT Security in the Enterprise
 
IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation Track
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security Controls
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in ActionBurning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in Action
 
Information security questions
Information security questions Information security questions
Information security questions
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
Attacks on the cyber world
Attacks on the cyber worldAttacks on the cyber world
Attacks on the cyber world
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
 

Recently uploaded

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

IoT Attack Surfaces -- DEFCON 2015

  • 1. What someone said about “junk hacking” Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
  • 2. IoT Attack Surface Mapping Seeking a universal, surface-area approach to IoT testing Daniel Miessler IoT Village, DEFCON 23 August 2015
  • 3. Junk Hacking and Vuln Shaming Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. …
  • 4. What’s in a name? ! Universal Daemonization ! Universal Object Interaction ! Programmable Object Interfaces (POIs) ! Transfurigated Phase Inversion
  • 5. Defining IoT ๏ [ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. ๏ [ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.
 ๏ [ MY PREFERRED ] The interface between the physical and digital world that allows one to gather information from—and control—everyday objects.
  • 11. IoT Security != Device Security IoT Device
  • 12. Existing approaches… ๏ Look at a collection of common vulnerabilities, risks, etc.
 ๏ Pull up your go-to list
 ๏ Consider some bad scenarios ๏ Check for what others have found on other devices
  • 13. OWASP
  • 14. The Previous Version ๏ Used the Top 10 name
 ๏ Mixed surfaces with vulnerability types
  • 15. New OWASP IoT Project Structure IoT Project Attack Surface Areas Testing Guide Top Vulnerabilities
  • 17. Different approaches to finding vulns 1. Let me check against this list of vulns
  • 18. Different approaches 1. Let me check against this list of vulns.
 2. Let me check my favorite go- to issues

  • 19. Different approaches 1. Let me check against this list of vulns.
 2. Let me check my favorite go-to issues
 3. What common surface areas do IoT systems share that I need to make sure I don’t miss?
  • 20. The IoT Attack Surfaces
  • 21. Ecosystem Access Control Ecosystem Access Control ✓ Authentication ✓ Session management ✓ Implicit trust between 
 components ✓ Enrollment security ✓ Decomissioning system ✓ Lost access procedures
  • 22. Device Memory Device Memory ✓ Cleartext usernames ✓ Cleartext passwords ✓ Third-party credentials ✓ Encryption keys
  • 23. Device Physical Interfaces Device Physical Interfaces ✓ Firmware extraction ✓ User CLI ✓ Admin CLI ✓ Privilege escalation ✓ Reset to insecure state
  • 24. Device Web Interface Device Web Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
  • 25. Device Firmware Device Firmware ✓ Hardcoded passwords ✓ Sensitive URL disclosure ✓ Encryption keys
  • 26. Device Network Services Device Network Services ✓ Information disclosure ✓ User CLI ✓ Administrative CLI ✓ Injection ✓ Denial of Service
  • 27. Administrative Interface Administrative Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
  • 28. Local Data Storage Local Data Storage ✓ Unencrypted data ✓ Data encrypted with
 discovered keys ✓ Lack of data integrity
 checks
  • 29. Cloud Web Interface Cloud Web Interface ✓ SQL injection ✓ Cross-site scripting ✓ Username enumeration ✓ Weak passwords ✓ Account lockout ✓ Known credentials
  • 30. Third-party Backend APIs Third-party Backend APIs ✓ Unencrypted PII sent ✓ Encrypted PII sent ✓ Device information leaked ✓ Location leaked
  • 31. Update Mechanism Update Mechanism ✓ Update sent without 
 encryption ✓ Updates not signed ✓ Update location 
 writable
  • 32. Mobile Application Mobile Application ✓ Implicitly trusted 
 by device or cloud ✓ Known credentials ✓ Insecure data storage ✓ Lack of transport 
 encryption
  • 33. Vendor Backend APIs Vendor Backend APIs ✓ Inherent trust of cloud 
 or mobile application ✓ Weak authentication ✓ Weak access control ✓ Injection attacks
  • 34. Ecosystem Communication Ecosystem Communication ✓ Health checks ✓ Heartbeats ✓ Ecosystem commands ✓ Deprovisioning ✓ Update pushes
  • 35. Network Traffic Network Traffic ✓ LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
  • 36. IoT Attack Surface Areas Device Network Services Cloud Web Interface Administrative Interface Device Firmware Local Data Storage Vendor Backend APIs Third-party Backend APIs Device Web Interface Device Physical Interfaces Device Memory Ecosystem Access Control Update Mechanism Mobile Application Vendor Backend APIs Network Traffic Ecosystem Communication
  • 37. The OWASP IoT Attack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
  • 38. Surfaces → vulns → data Attack Surface Vulnerability Data Type • Administrative interface • Weak password policy • Lack of account lockout
 • Credentials • Local data storage • Data stored without encryption • PII • Web Cloud Interface • SQLi • PII • Account data • Device Firmware • Sent over HTTP • Hardcoded passwords • Hardcoded encryption keys • Credentials • Application data • Vendor Backend APIs • Permissive API Data Extraction • PII • Account data • Device Physical Interfaces • Unauthenticated root access • ***
  • 39. Back to the network… Network Traffic ✓ LAN ✓ LAN to Internet ✓ Short range ✓ Non-standard
  • 40. What people think they have
  • 41. What people actually have cleartext honeytoken cleartext sensitive data cleartext sensitive data
  • 42. What I like to look for in pcaps 1. How many connections were made?
 2. To how many destinations?
 3. Was the sensitive data I entered
 into the ecosystem seen in the
 network traffic?
 4. If so, that’s bad
  • 43.
  • 45.
  • 46.
  • 47. The OWASP IoT Attack Surfaces Project https://www.owasp.org/index.php/ OWASP_IoT_Attack_Surface_Areas
  • 48.
  • 50. This is a Craig Smith Slide Craig Smith
  • 51. Takeaways and Goodies 1. IoT testing is the same as any other testing
  • 52. Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security
  • 53. Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device
  • 54. Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece
  • 55. Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you
  • 56. Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future
  • 57. Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome
  • 58. Takeaways and Goodies 1. IoT testing is the same as any other testing 2. IoT security is NOT device security 3. The IoT Attack Surface area project is
 proposing a universal attack strategy for any
 kind of device 4. A big part of that is the network piece 5. Caparser is a tool that can do that analysis
 for you 6. Caparser is free, released today, and will
 be improved in the near future 7. Craig Smith is awesome 8. There’s a handout!
  • 59.
  • 60. Thank you! The OWASP IoT Attack Surfaces Project
 https://www.owasp.org/index.php/ OWASP_Internet_of_Things_Project Caparser
 https://github.com/danielmiessler/caparser @danielmiessler @craigz28 TX to HP Fortify on Demand