Presentation is loading. Please wait.

Presentation is loading. Please wait.

IoT BBQ Carve Systems. Outline About us (Carve) About IoT Our IoT assessment methodology The Sacred Tenants of IoT Security Some bugs IoT IRL.

Published byMorgan August Thomas Modified over 8 years ago

Similar presentations

Presentation on theme: "IoT BBQ Carve Systems. Outline About us (Carve) About IoT Our IoT assessment methodology The Sacred Tenants of IoT Security Some bugs IoT IRL."— Presentation transcript:

1 IoT BBQ Carve Systems

2 Outline About us (Carve) About IoT Our IoT assessment methodology The Sacred Tenants of IoT Security Some bugs IoT IRL

3 0xGROG Carve Systems – Boutique Information Security Consulting Firm – Clients in Denver! – Full stack hacking Jeremy Allen – Partner – See the future, make research happen Max Sobell – Partner – Find shiny things, bang them with rocks Carve team: we’re all here!

4 Artwork by Mike Ferrin

5 What is IoT BBQ? Home automation/security SMB connectivity Municipal WTFThings Everything the internet touches

6 What exactly is “IoT” Things On the Internet The same things that have been there the whole time – Embedded Systems – M2M

7 “IoT is insecure!” Everyone knows it. Literally everyone. Even my old neighbors. 10 SOUND ALARM 15 REM ALARM IN PROGRESS 20 ??? 30 PROFIT 40 GOTO 10

8 How IoT is Marketed SHINY

9 IoT Reality

10 IoT Device Profile Primarily embedded systems (Linux) 16 – 512MiB RAM Common 2-8 GiB Flash Storage Common ARM Processors, Occasional X86 or MIPS Internet Connected Most have a management web application

11 IoT Hardware vs. Software Embedded Systems / Hardware developers tasked with creating software: “I know C. Let’s just write everything as CGI scripts in C. Oh, and maybe a bash script when I am feeling bold. That should create a management app that meets the requirements.”

12 IoT Software

13 Odd command injection Ruggedized Router/Vehicle Tracker This thing has it all: – Web app flaws (auth bypass, command injection) – Insecure default settings – Awful cryptography – Way too easy to shoot yourself in the foot

14 How do impactful bugs happen? The goal: using what you know about your device, get root on another device Start with the admin – How do they configure the device? – How do they monitor/interact? Can you download a firmware image? – Is the file system easy to mount and work? Encrypted?

15 IoT Methodology Cheat Sheet

16

17 Step by step: root

18 No sharing Don’t trust these devices for a second – Privileged network access – Hard-coded keys (encryption, SSH) – Backdoor accounts – Updating Public case study #1: Updating

19 How doth one update? Home alarm system – Android – No web app, no admin config – No problem Dealer network Force-browse to the update package CVE-2015-6032, 6033; https://www.kb.cert.org/vuls/id/573848 Thanks, CERT!

20 Via SD Card

21 Oh no…

22 Private signing key

23 Attack scenario Attack scenario: – Create malicious update package – Sign with vendor private key – Log in + push update to vendor server [we did not try this] – All devices download malicious update package and install (key matches) [or this] This bug is now fixed – thanks to CERT for coordinating disclosure

24 CERT FTW

25 More on CERT They run a great service We prefer to disclose bugs to CERT first CERT will help coordinate disclosure if the vendor becomes unresponsive – (or if the world is going to end) They will only publish if they coordinate disclosure

26 Artwork by Mike Ferrin

27 We want more bugs! IoT fixes are slow. Not our timeline*: Slow to patch. Slow to update. We’ll see shellshock until the end of time. *http://blog.talosintel.com/2016/02/trane-iot.html

28 Bugs There are plenty, working their way through the disclosure system.

29 Who cares? Apart from getting your WiFi password from your doorbell, why should you care? – Privileged network access – Corporate secrets (passwords) – Sensitive data (location) http://thehackernews.com/2016/01/doorbell-hacking-wifi-pasword.html

30 Things, as far as the eye can see Target of opportunity Also likely the weakest point in a chosen target Attacker can: – Exploit device directly as a foothold – Use device’s routing to get to corp network – Siphon off device secrets and try them elsewhere

31 IoT Use Cases Centralized management of connected things IoT devices enable: – Connectivity – Convenience – “Can I control it from my phone?

32 Abuse Cases Access to privileged networks (including your home) Convenience undermines security IoT devices themselves are not the prize – Contain sensitive data – Live in privileged net segments

33 What to do Eliminate bad trust relationships: what I do has no effect on others. Patch bugs! Lots of software re-use Fail closed Secure defaults Implement the 80% hardware security controls Don’t re-invent the wheel

34 Contact Email: {info,jeremy,max}@carvesystems.com Twitter: @bitexploder, @msobell http://carve.systems Thank you OWASP and conference organizers!

Download ppt "IoT BBQ Carve Systems. Outline About us (Carve) About IoT Our IoT assessment methodology The Sacred Tenants of IoT Security Some bugs IoT IRL."

Similar presentations

Penetration Testing Biometric System

Penetration Testing Biometric System
Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Objectives Overview Define an operating system

Objectives Overview Define an operating system
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.

Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
hotEx RADIUS Manager Installation

hotEx RADIUS Manager Installation
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC.

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC.
Working From Your Home Computer Safely: The Ten Commandments Stephen Jones, GSEC, A+ With special thanks to Balakrishnan Ramachandran.

Working From Your Home Computer Safely: The Ten Commandments Stephen Jones, GSEC, A+ With special thanks to Balakrishnan Ramachandran.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
November 2009 Network Disaster Recovery October 2014.

November 2009 Network Disaster Recovery October 2014.
Presentation By Deepak Katta

Presentation By Deepak Katta
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02.

Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02.
Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.

Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.

Similar presentations

Ads by Google