IoT BBQ Carve Systems. Outline About us (Carve) About IoT Our IoT assessment methodology The Sacred Tenants of IoT Security Some bugs IoT IRL.

Slides:



Advertisements
Similar presentations
Penetration Testing Biometric System
Advertisements

Implementing Tableau Server in an Enterprise Environment
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Objectives Overview Define an operating system
7 Effective Habits when using the Internet Philip O’Kane 1.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
hotEx RADIUS Manager Installation
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC.
Working From Your Home Computer Safely: The Ten Commandments Stephen Jones, GSEC, A+ With special thanks to Balakrishnan Ramachandran.
OWASP Mobile Top 10 Why They Matter and What We Can Do
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
November 2009 Network Disaster Recovery October 2014.
Presentation By Deepak Katta
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02.
Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.
Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat
1 We’ve been p0wn’d? Review of 2015 Surface Transportation Cybersecurity Incidents 2015 TRB Session 850 Edward Fok USDOT/FHWA – Resource Center.
Explain the purpose of an operating system
Internet of Things Top Ten. Agenda -Introduction -Misconception -Considerations -The OWASP Internet of Things Top 10 Project -The Top 10 Walkthrough.
Specialist communication channel. Sarah-Jane king.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
A Tale of Two Bugs. This Fall has been bad Let’s look at two CVE AKA “Shellshock” CVE AKA “Drupalgeddon”
9: Troubleshooting Your Network
Core 3: Communication Systems. Network software includes the Network Operating Software (NOS) and also network based applications such as those running.
Convenience product security Collin Busch. What is a convenience product? A convenience product is a device or application that makes your life easier.
CENTRAL SECURED PROXY NETWORK Zachary Craig Eastern Kentucky University Dept. of Technology, NET.
TCOM Information Assurance Management System Hacking.
Lecture 13 Page 1 CS 236 Online Principles for Secure Software Following these doesn’t guarantee security But they touch on the most commonly seen security.
Lecture 19 Page 1 CS 236 Online Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.
Michael Still Google Inc. October, Linux on the Linksys NSLU2 Solving all your problems with little NAS boxes Michael Still Google, Inc. October,
Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.
Wireless and Mobile Security
MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD.
Engineering Secure Software. Agenda  What is IoT?  Security implications of IoT  IoT Attack Surface Areas  IoT Testing Guidelines  Top IoT Vulnerabilities.
1. ◦ Intro ◦ Client-side security ◦ Server-side security ◦ Complete security ? 2.
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
GVF CyberSecurity Task Force Rakesh Bharania Chair, GVF Security Task Force Network Consulting Engineer, Cisco Tactical Operations 2015 Update on Activities.
Chapter 9 Operating Systems Discovering Computers Technology in a World of Computers, Mobile Devices, and the Internet.
IoT: Windows 10 & Raspberry Pi By: Mitchel Sellers.
Joe Budzyn Jeff Goeke-Smith Jeff Utter. Risk Analysis  Match the technologies used with the security need  Spend time and resources covering the most.
Education – Partnership – Solutions Information Security Office of Budget and Finance Christopher Giles Governance Risk Compliance Specialist The Internet.
Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
How to Use an Android Tablet Well Come To You few Steps For How to Use an Android Tablet?
James F. Fox MENA Cyber Security Practice Lead Presenters Cyber Security in a Mobile and “Always-on” World Booz | Allen | Hamilton.
How to Make Yourself More Secure Using Public Computers and Free Public Wi-Fi.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Embedded Linux Conference6 April 2009Jake Edge - LWN.net Security Issues for Embedded Devices Jake Edge LWN.net Slides:
Module 54 (Cellular Telephone Network Security)
DISCOVERING COMPUTERS 2018 Digital Technology, Data, and Devices
Containers as a Service with Docker to Extend an Open Platform
Stress Free Deployments with Octopus Deploy
Critical Security Controls
Backdoor Attacks.
Technology Envioronment
OWASP CONSUMER TOP TEN SAFE WEB HABITS
E-commerce Application Security
Introduction to System Administration
Introduction to System Administration
Chapter 27: System Security
Building an Internet of Things Device
OPS235: Week 1 Installing Linux ( Lab1: Investigations 1-4)
6. Application Software Security
Presentation transcript:

IoT BBQ Carve Systems

Outline About us (Carve) About IoT Our IoT assessment methodology The Sacred Tenants of IoT Security Some bugs IoT IRL

0xGROG Carve Systems – Boutique Information Security Consulting Firm – Clients in Denver! – Full stack hacking Jeremy Allen – Partner – See the future, make research happen Max Sobell – Partner – Find shiny things, bang them with rocks Carve team: we’re all here!

Artwork by Mike Ferrin

What is IoT BBQ? Home automation/security SMB connectivity Municipal WTFThings Everything the internet touches

What exactly is “IoT” Things On the Internet The same things that have been there the whole time – Embedded Systems – M2M

“IoT is insecure!” Everyone knows it. Literally everyone. Even my old neighbors. 10 SOUND ALARM 15 REM ALARM IN PROGRESS 20 ??? 30 PROFIT 40 GOTO 10

How IoT is Marketed SHINY

IoT Reality

IoT Device Profile Primarily embedded systems (Linux) 16 – 512MiB RAM Common 2-8 GiB Flash Storage Common ARM Processors, Occasional X86 or MIPS Internet Connected Most have a management web application

IoT Hardware vs. Software Embedded Systems / Hardware developers tasked with creating software: “I know C. Let’s just write everything as CGI scripts in C. Oh, and maybe a bash script when I am feeling bold. That should create a management app that meets the requirements.”

IoT Software

Odd command injection Ruggedized Router/Vehicle Tracker This thing has it all: – Web app flaws (auth bypass, command injection) – Insecure default settings – Awful cryptography – Way too easy to shoot yourself in the foot

How do impactful bugs happen? The goal: using what you know about your device, get root on another device Start with the admin – How do they configure the device? – How do they monitor/interact? Can you download a firmware image? – Is the file system easy to mount and work? Encrypted?

IoT Methodology Cheat Sheet

Step by step: root

No sharing Don’t trust these devices for a second – Privileged network access – Hard-coded keys (encryption, SSH) – Backdoor accounts – Updating Public case study #1: Updating

How doth one update? Home alarm system – Android – No web app, no admin config – No problem Dealer network Force-browse to the update package CVE , 6033; Thanks, CERT!

Via SD Card

Oh no…

Private signing key

Attack scenario Attack scenario: – Create malicious update package – Sign with vendor private key – Log in + push update to vendor server [we did not try this] – All devices download malicious update package and install (key matches) [or this] This bug is now fixed – thanks to CERT for coordinating disclosure

CERT FTW

More on CERT They run a great service We prefer to disclose bugs to CERT first CERT will help coordinate disclosure if the vendor becomes unresponsive – (or if the world is going to end) They will only publish if they coordinate disclosure

Artwork by Mike Ferrin

We want more bugs! IoT fixes are slow. Not our timeline*: Slow to patch. Slow to update. We’ll see shellshock until the end of time. *

Bugs There are plenty, working their way through the disclosure system.

Who cares? Apart from getting your WiFi password from your doorbell, why should you care? – Privileged network access – Corporate secrets (passwords) – Sensitive data (location)

Things, as far as the eye can see Target of opportunity Also likely the weakest point in a chosen target Attacker can: – Exploit device directly as a foothold – Use device’s routing to get to corp network – Siphon off device secrets and try them elsewhere

IoT Use Cases Centralized management of connected things IoT devices enable: – Connectivity – Convenience – “Can I control it from my phone?

Abuse Cases Access to privileged networks (including your home) Convenience undermines security IoT devices themselves are not the prize – Contain sensitive data – Live in privileged net segments

What to do Eliminate bad trust relationships: what I do has no effect on others. Patch bugs! Lots of software re-use Fail closed Secure defaults Implement the 80% hardware security controls Don’t re-invent the wheel

Contact Thank you OWASP and conference organizers!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.