I DON’T GIVE ONE IOTA - SANS
I DON’T GIVE ONE IOTA
Introducing the Internet of Things Attack Methodology
Larry Pesce, @haxorthematrix
Director of Research & Sr. Managing Security Consultant
Who is your daddy and what does he do?
▪ Director of Research & Sr. Managing Security Consultant @ InGuardians
▪ Pentester, Hardware Hacker
▪ Radio Enthusiast
▪ Author, Podcaster
▪ Bad at selfies
IOT INTRODUCTION & HISTORY
“But what is the IoT? There are many ways to describe the IoT. More than 20 professional and
research groups have worked to characterize the IoT, but so far there is not one universally
accepted definition.”
NIST
Image credit: Natasha Hanacek/NIST
What is IoT, the history
▪ Before IoT there were “embedded devices”
  • Printers, cameras, barcode scanners…
▪ They are still here!
  • More and more are lumped into the IoT category
▪ The definition has begun to change…
"There is no formal, analytic or even descriptive set of building blocks that govern the operation,
trustworthiness and lifecycle of IoT components,”
Jeff Voas, NIST
A first try at a definition
▪ NIST recently released Special Publication 800-183
  • Defines 5 primitives/components of an IoT: Sensor, Aggregator, Communication channel, External utility, Decision trigger
▪ NIST’s components are technical, but at the “forest” level
  • So many trees missing
▪ Ultimately an NoT (Network of Things)
  • Describes more of the network than the technical components
“With little fanfare, the first Internet of Things (IoT) model …has been published by the National Institute of Standards and Technology (NIST), the folks who set the standards for smart grid interoperability in recent years. This new model is an important step in defining exactly what the IoT is and outlining the necessary security standards that go along with it. Could this be the catalyst needed to help drive the emerging IoT market? It sure doesn’t hurt.”
Neil Strother, Navigant Consulting
My definition…
▪ I am in agreement with NIST’s 5 components
  • As a security professional, they are very generic and vague
▪ I think about the technical components that make up each
  • Mobile devices, apps, hardware, firmware, databases
  • The list goes on…
▪ From end to end I see it all as a massive connected…
ECOSYSTEM
*this will be important later
What’s the Market?
▪ This is not a “problem” that is going to go away
▪ We are becoming more and more connected
  • Everywhere, all the time
▪ Epic physical control
▪ Tons of data can be collected and correlated
“…more and more “things”—ranging from remotely programmable home thermostats and wearable health and fitness devices to aircraft jet engines and the nation’s power grid—will be added to the internet every day. Devices, connectivity, and IT services will make up the majority of the projected $1.3 trillion IoT market in 2019.”
Verizon State of the Market: Internet of Things 2016
When it all goes wrong
▪ Collected data has value to the:
  • Consumer
  • Device manufacturer
  • Software developer
▪ Aggregating this data from multiple sources becomes mind-boggling
  • Also, even MORE valuable
▪ Imagine your fitness tracker talking to your fridge, dating app, Yelp, Untappd, home security system, GPS, car, bathroom scale…
▪ …Oh, and your healthcare provider too
“I never expected #idiocracy to become a documentary”
Etan Cohen, Co-writer Idiocracy
“But if they're so successful, why haven't parasites taken over the world? The answer is simple: they have. We just haven't noticed. That's because successful parasites don't kill us; they become part of us, making us perform all the work to keep them alive and help them reproduce.”
Daniel Suarez, Daemon
THE ECOSYSTEM
NIST to Reality
▪ It all starts with a device that does “something”
▪ …and the network it connects to
▪ …and the mobile app to interact with it
▪ …and the hosted service to interact with the app
▪ …and the data aggregation databases parsing the hosted service
▪ …and the monetization and big data
One part
▪ It only takes one part of the ecosystem to make this go sideways
▪ Mirai IoT botnet
  • Discovers and logs into DVRs via telnet with default passwords
  • Uses compromised DVRs to launch DDoS attacks and others
▪ Used to take Brian Krebs’ site offline
  • Sustained 620 Gbps (gigabits) of traffic, no amplification
  • 2x Akamai’s previously observed largest attack, WITH amplification
▪ Originated from approximately 305,000 DVRs and additional IoT devices
▪ And that is only one part of the ecosystem!
one thing…
Turns into many things…
Many, many things
…and then they talk
!
I’m sure I forgot a few dozen connections
This is why testing the entire IoT ecosystem is more important than ever
IoTA
*Internet of Things Attack methodology
METHODOLOGY, IMPLEMENTATION AND LAB(S)
5 environments
▪ Hardware
  • Firmware
  • Radio
  • WiFi
  • Bluetooth/BLE
▪ Web App
▪ Mobile App
  • iOS/Android
▪ Network/Traditional pentest/“Cloud”
  • Internal/B2B
  • Internet facing
▪ API
Hardware (Lab)
▪ First step, interaction
▪ Hand tools, security bits, pliers, soldering iron, etc.
▪ TTL serial, RS-232, JTAG, I2C, SPI
  • TTL and RS-232 adapters, GoodFET, Bus Pirate
  • Total Phase Aardvark, Saleae Logic, oscilloscope
▪ WiFi adapters, SDR, Bluetooth dongles
▪ Internet and data sheets for deciphering chipset pinouts, capabilities, protocols
▪ Practice on cheap gear! (DealExtreme, Alibaba, etc.)
Hardware (Firmware)
▪ Firmware analysis from memory or download
  • Observe traffic over WiFi during the update process, perhaps?
  • Obtain the URL, or even the full contents, from traffic
▪ Manually extract and mount as a filesystem (Linux)
▪ Binwalk, memory acquisition/analysis tools
▪ Analysis, analysis, analysis
  • System configuration files
  • Password cracking
  • Management interface (web page) examination
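The "analysis, analysis, analysis" step above, as an added example (this is not the deck's or InGuardians' code): a triage script that walks an extracted firmware root, the kind of tree `binwalk -e` leaves behind, and pulls out the three things the slide says to look for: password hashes worth cracking (plus passwordless and extra UID-0 accounts), init scripts that start a listening shell, and configuration files holding secrets. The sample tree it builds is constructed for the demo; the md5crypt hash in it is format-valid only and comes from no real device.

```python
"""Offline triage of an extracted firmware root filesystem (added example)."""
import re
import tempfile
from pathlib import Path

# Hash formats worth handing to john/hashcat: 13-char DES-crypt and the
# modular-crypt families ($1$ md5crypt, $2*$ bcrypt, $5$ sha256, $6$ sha512).
CRYPT_HASH = re.compile(r"^(\$(1|2[aby]?|5|6)\$[^:\s]+|[./0-9A-Za-z]{13})$")
# Daemons that hand an attacker a shell or debugger when started at boot.
RISKY_SERVICES = re.compile(r"\b(telnetd|utelnetd|dropbear|sshd|gdbserver)\b")
# Config keys that usually hold a credential.
SECRET_KEY = re.compile(r"pass|pwd|secret|psk|key|token", re.I)
# "key value", "key=value", uci "option key 'value'" and shell "export KEY=value".
CONFIG_LINE = re.compile(
    r"^\s*(?:option\s+|export\s+)?([A-Za-z_][\w.]*)\s*[= ]\s*['\"]?([^'\"\s#]+)")


def triage_rootfs(root):
    """Return findings keyed by category; each entry names the file it came from."""
    root = Path(root)
    findings = {"hashes": [], "no_password": [], "uid0": [], "services": [], "secrets": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        lines = path.read_text(errors="replace").splitlines()
        if rel.endswith(("passwd", "shadow")):
            for line in lines:
                fields = line.split(":")
                if len(fields) < 2 or not fields[0]:
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":                    # account with no password at all
                    findings["no_password"].append(f"{rel}:{user}")
                elif CRYPT_HASH.match(pw):      # 'x', '*' and '!' are not hashes
                    findings["hashes"].append(f"{user}:{pw}")
                if rel.endswith("passwd") and len(fields) > 2 and fields[2] == "0" and user != "root":
                    findings["uid0"].append(f"{rel}:{user}")   # second root-equivalent account
        if "init" in rel or rel.startswith("etc/rc") or rel.endswith(".sh"):
            for line in lines:
                if not line.lstrip().startswith("#") and RISKY_SERVICES.search(line):
                    findings["services"].append(f"{rel}: {line.strip()}")
        for line in lines:
            m = CONFIG_LINE.match(line)
            if m and SECRET_KEY.search(m.group(1)) and not CRYPT_HASH.match(m.group(2)):
                findings["secrets"].append(f"{rel}: {m.group(1)}={m.group(2)}")
    return findings


# Constructed sample tree: what a squashfs-root/ might contain. Not from any device.
SAMPLE_ROOTFS = {
    "etc/passwd": (
        "root:$1$Gq8n3$hZV1KM9FjXq2sTbW8oLcn1:0:0:root:/root:/bin/sh\n"
        "admin::0:0:admin:/:/bin/sh\n"
        "nobody:*:99:99:nobody:/:/bin/false\n"),
    "etc/init.d/rcS": (
        "#!/bin/sh\n# debug shell left enabled in the production build\n"
        "/usr/sbin/telnetd -l /bin/sh &\nhttpd -p 80\n"),
    "etc/config/wireless": (
        "config wifi-iface\n\toption ssid 'IoTCam-Setup'\n"
        "\toption key 'admin1234'\n\toption encryption 'psk2'\n"),
    "usr/share/cloud/env.sh": "export CLOUD_API_TOKEN=0123456789abcdef\n",
}


def run_demo():
    """Write the sample tree to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_ROOTFS.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return triage_rootfs(tmp)


if __name__ == "__main__":
    for category, hits in run_demo().items():
        print(category, hits)
```

The hash list is what you feed to john or hashcat; the passwordless UID-0 `admin` entry and the `telnetd -l /bin/sh` line are exactly the class of defect the Mirai slide earlier describes, found before the device is ever powered on.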
Hardware (Board analysis)
▪ JTAG is great for recovering firmware and memory
  • Static passwords, hashes, device configuration
  • Filesystem, memory forensics
▪ SPI, I2C, serial for observing inter-chip comms
  • Boot-time configuration downstream
  • Bus sniffing FTW
  • Plaintext during use
▪ Pull firmware from the distributor
Hardware (Radio)
▪ Radio analysis, RX and TX
▪ RTL-SDR (RX), HackRF One (RX/TX), BladeRF (RX/TX), LimeSDR (RX/TX)
  • GNU Radio, GNU Radio Companion, GQRX
▪ YARD Stick One, DONSDONGLE (CC1111)
  • RfCat
▪ Semi-proprietary protocols send us down the rabbit hole
  • Nordic nRF24L01+, Z-Wave, Zigbee, LoRa, WirelessHART
  • Having copies of the radios/devkits is great for interaction (see bus sniffing for configs)
▪ What happens when we capture and replay traffic?
  • With modification?
  • Without modification?
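The "capture and replay, with and without modification" question above, as an added example (not the deck's or InGuardians' code): a demodulated OOK capture from RfCat or a GNU Radio flowgraph is a run of (level, duration) edges, and the useful work is turning that into bits, editing a field, and turning it back into edges. The pulse-width scheme here (0 = short high then long low, 1 = long high then short low, then a short pulse and a long sync gap) is a constructed PT2262-like protocol, and the 20-bit address plus 4-bit command layout is an assumption for the demo, not any particular product. The "capture" is generated and jittered in code.

```python
"""Decode and re-encode a PWM/OOK remote frame (added example)."""
import random

SHORT_US = 350                 # nominal short pulse, microseconds
LONG_US = 3 * SHORT_US
SYNC_GAP_US = 31 * SHORT_US
ADDRESS_BITS = 20              # assumed layout: 20-bit address, then 4-bit command


def encode_frame(bits):
    """Bit string -> list of (level, duration_us) edges for one frame plus sync."""
    edges = []
    for b in bits:
        if b == "1":
            edges += [(1, LONG_US), (0, SHORT_US)]
        elif b == "0":
            edges += [(1, SHORT_US), (0, LONG_US)]
        else:
            raise ValueError("bits must be '0'/'1'")
    edges += [(1, SHORT_US), (0, SYNC_GAP_US)]
    return edges


def classify(duration_us, tolerance=0.3):
    """Name a pulse width, allowing +/-30% timing slop from a cheap transmitter."""
    for name, nominal in (("short", SHORT_US), ("long", LONG_US), ("sync", SYNC_GAP_US)):
        if abs(duration_us - nominal) <= nominal * tolerance:
            return name
    return None


def decode_frames(edges):
    """Walk captured edges in high/low pairs; return the bits of every complete frame."""
    frames, bits, i = [], "", 0
    while i + 1 < len(edges):
        (lvl_hi, hi), (lvl_lo, lo) = edges[i], edges[i + 1]
        if lvl_hi != 1 or lvl_lo != 0:       # not aligned on a high pulse: resync by one edge
            i += 1
            continue
        h, l = classify(hi), classify(lo)
        if h == "short" and l == "sync":     # end of frame
            if bits:
                frames.append(bits)
            bits = ""
        elif h == "long" and l == "short":
            bits += "1"
        elif h == "short" and l == "long":
            bits += "0"
        else:                                # glitch or noise: drop the partial frame
            bits = ""
        i += 2
    return frames


def with_command(bits, command):
    """Keep the address field, substitute a new 4-bit command: replay with modification."""
    if len(bits) != ADDRESS_BITS + 4:
        raise ValueError("unexpected frame length")
    return bits[:ADDRESS_BITS] + format(command & 0xF, "04b")


def jitter(edges, seed=7, spread=0.10):
    """Constructed 'capture': perturb timings as a real transmitter and receiver would."""
    rng = random.Random(seed)
    return [(lvl, round(dur * (1 + rng.uniform(-spread, spread)))) for lvl, dur in edges]


ORIGINAL_BITS = "10110010011101010001" + "0001"    # constructed: address + 'unlock' command
# A key press: a noise blip, then the frame repeated three times.
CAPTURE = jitter([(1, 120), (0, 4000)] + encode_frame(ORIGINAL_BITS) * 3)


def demo():
    """Decode the capture, swap the command field, and check the new frame re-decodes."""
    seen = decode_frames(CAPTURE)
    modified = with_command(seen[0], 0b0010)        # e.g. 'lock' instead of 'unlock'
    return seen, modified, decode_frames(encode_frame(modified))


if __name__ == "__main__":
    seen, modified, check = demo()
    print("captured frames:", seen)
    print("modified frame :", modified, "re-decodes to", check)
```

Replaying `CAPTURE` unchanged tells you whether the device accepts a straight replay (a rolling-code device will not); transmitting the `modified` frame tells you whether anything on the air interface authenticates the command field, which is what the "with modification" bullet is probing.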
Hardware (WiFi)
▪ Stand up your own access point, and tcpdump FTW
  • Also, capture in the air with WiFi monitor mode
  • Easier to do upstream on Ethernet!
▪ Examine traffic during
  • Boot
  • Normal use
  • “Duress”
  • Sitting idle
▪ Massive amounts of traffic to analyze
▪ Wireshark, Snort hugely helpful
▪ WiFi analysis is not too helpful in itself, unless the network is defined by the manufacturer
  • Default key selection and configuration when WiFi is delivered by the device rather than joined as a participant
Hardware (Bluetooth/BLE)
▪ Bluetooth is hard. BLE is frightening.
▪ Ubertooth One, standard BLE dongle
▪ Bluetooth: discover, connect
  • Listen, playback
  • Interact with “public” services, default PINs for others
  • sdptool, hcitool, Ubertooth suite, BLESuite and BLEReplay
▪ BLE: discover, connect
  • PIN recovery with crackle
  • Interact with public services, read/write values
Web App (Lab)
▪ This is super simple!
▪ A web browser, time and creativity
▪ Of course some tools help speed that up
  • Burp, ZAP (Zed Attack Proxy), Charles
  • dirb, wpscan, sqlmap
▪ curl, wget, Python also helpful
▪ Some targets for practice?
  • Mutillidae, Hacme Bank, etc.
  • Oh, and bug bounty programs!
Web App (In practice)
▪ All sorts of fun stuff to be found!
▪ XSS, SQLi
▪ Session token expiration and modification
▪ Token entropy calculations, sequential sessions
▪ Unauthenticated access
▪ User manipulation/escalation of privileges
▪ Data manipulation, field length checking
▪ Command injection, directory traversal
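The "token entropy calculations, sequential sessions" bullet above, worked through as an added example (not the deck's or InGuardians' code): collect N session tokens in the order the server issued them (Burp's Sequencer does the collecting; here two constructed sets stand in), measure how much each character position actually varies, and test whether the tokens read as a counter. One caveat the code makes explicit: with N samples no position can show more than log2(N) bits, so a few dozen tokens can prove a scheme weak but never prove it strong. The "strong" set is drawn from a seeded PRNG purely so the demo is reproducible; real tokens must come from the OS CSPRNG.

```python
"""Session-token entropy and sequencing check (added example)."""
import math
import random
import re
from collections import Counter


def position_entropies(tokens):
    """Shannon entropy in bits of each character position across the sample."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all have the same length")
    n = len(tokens)
    result = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def token_as_int(token):
    """All-hex token -> its value; otherwise the trailing decimal run, if any."""
    if re.fullmatch(r"[0-9a-fA-F]+", token):
        return int(token, 16)
    m = re.search(r"(\d+)$", token)
    return int(m.group(1)) if m else None


def looks_sequential(tokens, max_step=1 << 20):
    """True when successive tokens, read as numbers, only ever increase by small steps."""
    values = [token_as_int(t) for t in tokens]
    if len(values) < 2 or any(v is None for v in values):
        return False
    deltas = [b - a for a, b in zip(values, values[1:])]
    return all(0 < d <= max_step for d in deltas)


def assess(tokens):
    """Summarise a token sample: observed bits, the sample-size cap, fixed prefix, sequencing."""
    ents = position_entropies(tokens)
    alphabet = {c for t in tokens for c in t}
    per_position_cap = min(math.log2(len(tokens)), math.log2(len(alphabet)))
    prefix = 0
    for e in ents:                      # leading positions that never change
        if e > 0:
            break
        prefix += 1
    return {
        "observed_bits": round(sum(ents), 1),
        "measurable_cap_bits": round(len(ents) * per_position_cap, 1),
        "constant_prefix_chars": prefix,
        "sequential": looks_sequential(tokens),
    }


# Constructed samples. WEAK: a hex counter stepping by 16, i.e. "session number << 4".
# STRONG: 128-bit random hex from a seeded PRNG (reproducible demo only; use
# secrets.token_hex() for real tokens).
WEAK_TOKENS = ["%08x" % (0x5F3A1000 + 16 * i) for i in range(64)]
_rng = random.Random(1234)
STRONG_TOKENS = ["%032x" % _rng.getrandbits(128) for _ in range(64)]

if __name__ == "__main__":
    print("weak  :", assess(WEAK_TOKENS))
    print("strong:", assess(STRONG_TOKENS))
```

For the weak set the whole 32-bit-looking token carries 6 bits of variation and every delta is 16, which is the finding to write up; for the strong set the observed figure sits just under the 128-bit cap the sample size allows, which is all 64 samples can tell you.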
Mobile App (Lab)
▪ Time to acquire devices!
  • Multiple for each platform helpful for comparison
  • Android, iOS
  • Emulation OK for Android, limited for iOS
▪ Don’t buy the latest and greatest
  • You want to be able to root/jailbreak
  • Older/used is less expensive (think $40 Android tablet clone)
▪ Hopper, IDA Pro, idb, Frida, MobSF, filesystem browser, SSH, terminal
▪ Pick an app and have fun
  • Disclose responsibly/bug bounty, please.
Mobile App (In practice)
▪ Intercept and examine traffic
▪ Respond with malformed values
  • Good use for a web app proxy/Charles proxy
▪ Obtain values for interacting with web apps
▪ Capture of credentials/cookies
  • These may be fun for API interaction!
▪ On-disk app analysis
  • What is in the configs?
  • What is on disk?
  • What is in memory?
▪ Buffer overflow, underrun, format string, etc.
Network Pentesting (Lab)
▪ So, so many volumes to be said; 3-6 slides will not do this justice
  • Internal, B2B, Cloud, AWS have so many similarities
▪ Building a scenario
  • Insider threat
  • Assumed compromise
  • Determined attacker/industrial espionage/nation-state
▪ ESX, MSDN, Linux
  • Build all the things! Web servers, databases, LDAP, e-mail
▪ Raspberry Pi, BeagleBone, ODROID
  • For when virtualization won’t do: “real hardware”
▪ Cisco CCIE lab, emulation
  • Because you can only emulate so much with ESX virtual networking
Network Pentesting (Lab)
▪ External gets crazy real fast
▪ OSINT
  • Maltego, Shodan, Censys, Google
▪ Scanning and enumeration
  • nmap, dnsrecon, Nessus, etc.
  • Internal, B2B, Cloud, AWS have so many similarities
▪ Exploitation and C2
  • Metasploit, Cobalt Strike and others
▪ Test environments in AWS and other cloud providers
Network Pentesting (In Practice)
▪ Recon
▪ Scan
▪ Analyze/Enumerate
▪ Exploit
▪ Pillage the village
▪ Pivot
▪ Now do it all over again!
API Testing (Lab)
▪ In most cases we won’t have advance access
▪ Find tools with a similar API
▪ Implement in one of your ESXi hosts
▪ Pick a programming language and GO!
  • Be mindful of major versions and backwards compatibility, e.g. Python
▪ Web app proxies (Burp Suite, ZAP, etc.), SoapUI, custom tools
▪ Understanding OAuth, SASL is huge!
API Testing (In Practice)
▪ What kind of API language?
  • XML, SOAP, JSON, RESTful, WSDL, Binary/HTTP, Custom
  • Each environment introduces its own unique challenges
▪ Unique tools per API methodology
▪ Find libraries for your language of choice
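The "respond with malformed values" bullet from the mobile app slide and the JSON/RESTful API testing above, worked as one added example (not the deck's or InGuardians' code): take one legitimate request captured through the proxy, swap each field for a hostile value, and record whether the server accepts, rejects, or falls over. The endpoint is hypothetical (a thermostat "set target temperature" call, chosen as an assumption for the demo) and is shown twice: a handler that trusts the client, beside a hardened one that checks schema, type, finiteness and range before touching state. The request template and the outcomes are constructed in code, so it runs with no server.

```python
"""Malformed-value testing of a JSON API endpoint (added example)."""
import json
import math
import re


class ApiError(Exception):
    """A rejection the server would turn into a 4xx response."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def handle_vulnerable(raw, state):
    """Trusts the client: whatever JSON arrives is stored as device state."""
    body = json.loads(raw)
    state["device_id"] = body["device_id"]
    state["target_c"] = body["target_c"]
    return 200


def handle_hardened(raw, state):
    """Schema, type, finiteness and range checks before anything touches state."""
    try:
        body = json.loads(raw)
    except ValueError:
        raise ApiError(400, "malformed JSON")
    if not isinstance(body, dict) or set(body) != {"device_id", "target_c"}:
        raise ApiError(400, "unexpected or missing fields")
    device_id = body["device_id"]
    if not isinstance(device_id, str) or not re.fullmatch(r"[A-Za-z0-9-]{1,64}", device_id):
        raise ApiError(400, "bad device_id")
    target = body["target_c"]
    # bool is a subclass of int in Python, so it is excluded explicitly; NaN and
    # inf pass a plain isinstance check and have to be rejected as well.
    if isinstance(target, bool) or not isinstance(target, (int, float)) or not math.isfinite(target):
        raise ApiError(400, "target_c must be a finite number")
    if not 5 <= target <= 35:
        raise ApiError(422, "target_c out of range")
    state["device_id"], state["target_c"] = device_id, float(target)
    return 200


# Hostile substitutions: type confusion, boundaries, size, encoding, injection.
HOSTILE_VALUES = [
    ("null", None), ("bool", True), ("negative", -1), ("huge_int", 2 ** 63),
    ("nan", float("nan")), ("empty_str", ""), ("long_str", "A" * 70000),
    ("numeric_str", "21"), ("list", [21]), ("object", {"$gt": 0}),
    ("control_chars", "\u0000\ufeff"), ("sqli", "'; DROP TABLE devices; --"),
]


def mutate_body(template):
    """Yield (label, body): the template, one field at a time replaced, then structural cases."""
    yield "baseline", dict(template)
    for field in template:
        for label, value in HOSTILE_VALUES:
            body = dict(template)
            body[field] = value
            yield f"{field}:{label}", body
    yield "extra_field", {**template, "is_admin": True}
    first = next(iter(template))
    yield f"missing:{first}", {k: v for k, v in template.items() if k != first}


def fuzz(handler, template):
    """Send every mutation through a handler; outcome string per label."""
    outcomes = {}
    for label, body in mutate_body(template):
        raw = json.dumps(body)          # json.dumps emits NaN, which json.loads accepts back
        state = {}
        try:
            handler(raw, state)
            outcomes[label] = "accepted"
        except ApiError as e:
            outcomes[label] = f"rejected:{e.status}"
        except Exception as e:          # an unhandled error is a 500 or a crash on a real server
            outcomes[label] = f"crashed:{type(e).__name__}"
    return outcomes


TEMPLATE = {"device_id": "therm-0042", "target_c": 21}   # constructed legitimate request

if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        results = fuzz(handler, TEMPLATE)
        print(name, {k: v for k, v in results.items() if v != "rejected:400"})
```

Two outcomes are worth reading closely: the vulnerable handler happily stores a target of -1, 2^63 or NaN (the data-manipulation and field-length findings from the web app slide, on an API), and the hardened handler still accepts `device_id` "21", because that is a well-formed identifier; whether it belongs to the calling user is an authorization question the schema check cannot answer.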
IN CONCLUSION
Woah.
Tank, I need a pilot program for a military M-109 helicopter.
Trinity, The Matrix
Full scope IoT penetration testing encompasses many disciplines and volumes of knowledge
[METAL DETECTOR BEEPS] Holy shit!
Lobby Guard, The Matrix
Don’t go it alone. Build a diverse, capable team
Together we can help build a better ecosystem
Where do I get it?
▪ Turns out this is a massive undertaking!
▪ We are almost ready to unleash the final document
▪ Stay tuned. When ready, it will be available at:
www.inguardians.com/iota