DEEP ARMOR. Hands-on Exploitation & Hardening of Wearable and IoT Platforms. Sumanth Naropanth & Sunil Kumar

Similar documents
Securing your in-ear fitness coach: Challenges in hardening next generation wearables

Bluetooth Smart: The Good, The Bad, The Ugly... and The Fix

Hacking challenge: steal a car!

Click to edit Master title style Buzzing Smart Devices

Aditya Gupta presents: Hacking Bluetooth Low Energy for Internet of Things

PM0257. BlueNRG-1, BlueNRG-2 BLE stack v2.x programming guidelines. Programming manual. Introduction

Using the tpm with iot

Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017

CIS 700/002 : Special Topics : Bluetooth: With Low Energy comes Low Security

Inside Bluetooth Low Energy

Whitepaper. IoT Protocols. PAASMER Support for Protocols. Website:

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Guide to Wireless Communications, 3 rd Edition. Objectives

IOTIVITY INTRODUCTION

Wireless Sensor Networks BLUETOOTH LOW ENERGY. Flavia Martelli

ARM mbed Reference Designs

Developer & maintainer of BtleJuice. Having fun with Nordic's nrf51822

Beetle: Operating System Support for the Internet of Things

Advanced Diploma on Information Security

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Performance Evaluation of Bluetooth Low Energy Communication

Bluetooth LE 4.0 and 4.1 (BLE)

Emerging communication technologies enabling the Internet of Things IoT system design challenges and testing solutions

TOBIAS ZILLNER ZIGBEE EXPLOITED THE GOOD, THE BAD AND THE UGLY

Developing a Common Language for Communication between Disparate IoT Devices and Applications across Various Wireless Technologies

Controlling electrical home appliances, using Bluetooth Smart Technology (October 2015) Pedro José Vieira da Silva

ARCHITECTURING AND SECURING IOT PLATFORMS JANKO ISIDOROVIC MAINFLUX

2017 2nd International Conference on Communications, Information Management and Network Security (CIMNS 2017) ISBN:

CYBERSECURITY AND SERVICE STATIONS

Regulation and the Internet of Things

Bluetooth 5 Presenter Tomas O Raghallaigh )

Resilient IoT Security: The end of flat security models

IoT BOOTCAMP. Become the Next Generation Development Professional.

What Ails Our Healthcare Systems?

mbed OS Update Sam Grove Technical Lead, mbed OS June 2017 ARM 2017

ARM mbed Towards Secure, Scalable, Efficient IoT of Scale

IoT Standardization Process and Smart IoT

Sensor-to-cloud connectivity using Sub-1 GHz and

HOW SENSOR FRAMEWORKS ENABLE EFFICIENT DEVELOPMENT

Mobile Security Fall 2013

Wireless Connectivity Options for IoT. By: MIST Makers John Varela and Nicholas Landy

Course 831 EC-Council Certified Ethical Hacker v10 (CEH)

MASHaBLE: Mobile Applications of Secret Handshakes over Bluetooth Low-Energy. Yan Michalevsky, Suman Nath, Jie Liu

IoT Explained. IoT is comprised of three general domains; Edge, IoT Platform, and the Enterprise.

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

UNIK Building Mobile and Wireless Networks Maghsoud Morshedi

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

Stopping Advanced Persistent Threats In Cloud and DataCenters

Security+ SY0-501 Study Guide Table of Contents

Low Power Wide Area Network (LPWAN) Presented By: Dr. Hafiz Yasar Lateef Director, Telxperts Pty Ltd.

Current Security Issue Demonstration Paper: Exploiting ZigBee Networks

What Is IoT, and How Modulus and Pacific Can Help. Eduardo Pelegri-Llopart Vice President, Technology Progress Software

IoT Roadmap in the IETF. Ines Robles

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Hacking Exposed Wireless: Wireless Security Secrets & Colutions Ebooks Free

ARM mbed Technical Overview

Tizen Connectivity Support. for IoT Devices. Steve(Taesoo) Jun, Ph.D. Copyright 2017 Samsung. All Rights Reserved.

Mobile Security Fall 2014

WPAN/WBANs: ZigBee. Dmitri A. Moltchanov kurssit/elt-53306/

Cloud Based IoT Application Provisioning (The Case of Wireless Sensor Applications)

IoT Security: Hardening Services Over Connected Devices. Brian

M2M spectrum management in China. LI Bo Senior Engineer

Jonas Green, Björn Otterdahl HMS Industrial Networks AB. February 22, 2017

15 th November 2016 IoT Build Conference, Double Tree Hilton, Tower of London London, UK

Thread in Commercial Backgrounder

CompTIA Security+ Study Guide (SY0-501)

The Zentri Secure IoT Platform

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Mobile Security Fall 2011

Bluetooth. Quote of the Day. "I don't have to be careful, I've got a gun. -Homer Simpson. Stephen Carter March 19, 2002

Wireless LAN Security (RM12/2002)

Omar Alrawi. Security Evaluation of Home-based IoT Deployments

Security for Secure IoT: Advanced Architectures for IoT Gateways. Simon Forrest Director of Segment Marketing, Consumer Electronics

IoT Connectivity Standards

Course 831 Certified Ethical Hacker v9

Smart test and certification of wireless IoT devices

Build the unified end to end IoT solution on ARM LEADING COLLABORATION IN THE ARM ECOSYSTEM

Harvesting IOT data. (Using IP networks) Ericsson 2014

Picture. Scott Ziegenfus CEM, CLEP, CDSM, GGP, GPCP, LEED AP Manager, Government and Industry Relations Hubbell Lighting, Inc.

Lecture 04 Introduction: IoT Networking - Part I

BLE as Active RFID. Tutorial presented by Jeffrey Dungen at IEEE RFID 2017

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

IoT and Smart Home: Seamless Interoperability

Dissecting Data Breaches. What Keeps Going Wrong?

Attacking and Defending LoRa systems. LoRa the Explorer 22/03/2016

KW41Z IEEE and BLE Coexistence Performance

PrecisionAccess Trusted Access Control

Computer Networks II Advanced Features (T )

The Future of Lighting Is Smart. Martin Mueller Roger Sexton

Maximum Security with Minimum Impact : Going Beyond Next Gen

ONEM2M INDUSTRY DAY ALAN SOLOWAY, QUALCOMM. 12 July 2017

Security in Cloud Environments

Pwning KNX & ZigBee Networks

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

DASH7 ALLIANCE PROTOCOL - WHERE RFID MEETS WSN. public

Bluetooth low energy technology Bluegiga Technologies

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

Wireless Technologies

Accelerating IoT with ARM mbed

Transcription:

DEEP ARMOR Hands-on Exploitation & Hardening of Wearable and IoT Platforms Sumanth Naropanth & Sunil Kumar

Agenda Technical overview of an IoT/wearable ecosystem Building blocks Communication Protocols Case Studies IEEE 802.15.4/ZigBee Bluetooth and BLE ZigBee sniffing & packet injection Plain-text Simple integrity protection Advanced integrity protection Ubertooth BLE sniffing Basic sniffing Crackle Hands-on exercises Privacy for next generation IoT/wearable platforms Security development lifecycle (SDL) overview

Instructors Sunil Kumar Security Analyst Deep Armor Ola Security, Aricent/Intel Sumanth Naropanth Founder and CEO Deep Armor Intel, Palm/HP, Sun Microsystems Security consulting, vulnerability testing, SDL and training services for emerging technologies www.deeparmor.com @deep_armor

IoT/Wearable Ecosystem Back End Services HTTP/HTTPS HTTP/HTTPS HTTP/HTTPS Gateway Gateway BT/BLE/WiFi/NFC/WiFi-Direct Zigbee/Z-wave Zigbee/Z-wave Node Node Node Node Node Node BT/BLE/NFC BLE/ANT+ BLE/ANT+ Sensors Sensors Sensors Sensors

Building Blocks Device Mobile Cloud Hardware Firmware/OS/RTOS Crypto Device Communication interfaces Communication protocols Device Software SDK Remote device management Third party libraries ios and Android apps Unity/VR apps SDK for third party apps and services User & Admin portals Micro-services Databases Web applications Storage solutions SDK for third party services Analytics Data sharing

Security for IoT Why? Personal and PII data Healthcare, Payment, Critical Infrastructure, Messy Defensive Security Measures Plethora of protocols and standards Process & Technical challenges

Attacking IoT

Weak Links? Device Mobile Cloud Hardware Firmware/OS/RTOS Crypto Device Communication interfaces Communication protocols Device Software SDK Remote device management Third party libraries ios and Android apps Unity/VR apps SDK for third party apps and services User & Admin portals Micro-services Databases Web applications Storage solutions SDK for third party services Analytics Data sharing

Weak Links Device Mobile Cloud Hardware Firmware/OS/RTOS Crypto Device Communication interfaces Communication protocols Device Software SDK Remote Device management Third party libraries! ios and Android apps Unity/VR apps SDK for third party apps and services User & Admin portals Micro-services Databases Web applications Storage solutions SDK for third party services Analytics Data sharing

Communication Channels Back End Services HTTP/HTTPS HTTP/HTTPS HTTP/HTTPS Gateway Gateway BT/BLE/WiFi/NFC/WiFi-Direct Zigbee/Z-wave Zigbee/Z-wave Node Node Node Node Node Node BT/BLE/NFC BLE/ANT+ BLE/ANT+ Sensors Sensors Sensors Sensors

IoT Protocols SigFox MQTT nwave Bluetooth RFID DASH LTE Zigbee NFC ANT+ DSMx Thread Z-Wave 6LoWPAN 4G CoAP Cellular BLE Wi-Fi

Zigbee

802.15.4

802.15.4 IEEE standard for low-rate wireless personal area networks (LR-WPANs) 6LoWPAN for IPv6 over WPANs Application Presentation Session Transport Network Data Link Physical Logical Link Control Media Access Control Zigbee extends 802.15.4 (wrapper services)

Zigbee Low data rate wireless applications Smart energy, medical, home automation, IIoT Two bands of operation: 868/915MHz and 2450MHz Simpler & less expensive than Bluetooth 10-100m range Zigbee Alliance

Zigbee Security Model Open Trust model (Device Trust Boundary) Crypto protection Network Key Link Key (App Support Sublayer) Secure key storage assumptions Transmission of network key for new nodes Hard-coded Trust Center Link Keys

Exercise 1 Sniffing and Packet Injection in an 802.15.4 network

Overview IoT product simulator Zigbee-like 802.15.4 based communication protocol Packet sniffing, capture and injection Goals: Basic packet header formats Security models for protecting comms Hardware and software tools for packet sniffing & injection

Tools Microchip s RZUSBStick (2 Victims and 1 attacker ) KillerBee firmware IEEE 802.15.4/ZigBee Security Research Toolkit River Loop Security KillerBee tools ~17 tools zbwireshark and zbreplay Scapy

Scenario 1 Packet sniffing & Injection

Outline DA Packets DD Packets Sniff Manipulate Payload Inject

Demo

Scenario 2a (Some Security)

Outline HMAC (DA packet payload) HMAC (DD packet payload Sniff Manipulate Payload Inject

Demo

Scenario 2b (Some Security)

Demo (first)

Outline HMAC (DA packet payload) HMAC (DD packet payload) Sniff Manipulate SEQ NUM Inject

Scenario 3 (Full Security)

Outline HMAC (DA packet payload + headers) HMAC (DD packet payload + headers) Sniff Manipulate SEQ NUM/payload Inject

Demo

Bluetooth and Bluetooth Low Energy (BLE)

Overview: Bluetooth Stack GAP Defines how devices discover, connect and create bonding between them GATT Describes characteristics, services and type of attributes/ their usage SMP Protocol for pairing and key distribution and authenticating other device Shared secrets can be managed and hence speed-up the reconnection process ATT Simple Client/ Server stateless protocol with rules for accessing data on a peer device L2CAP Multiplexing layer for BLE

Intro to BLE Wireless protocol for short range data exchange (~10 to 100 m) Light-weight subset of classic Bluetooth with low power consumption Operates in radio frequencies between 2.4 to 2.485 GHz Managed by the Bluetooth Special Interest Group (SIG) Use cases include wearable devices, smart pay systems, smart security systems etc

BLE Security Pairing Request Pairing Response Establish Short Term Key (STK) Long Term Key (LTK) Agreement Encrypted Channel (using LTK)

Pairing Algorithms Secure Simple Pairing Just Works: very limited/ no user interface Numeric Comparison: devices with display plus yes/ no button Passkey Entry: 6 digit pin as the pass key Out Of Band: Use of an out of the band channel against MITM attacks

Security weaknesses in BT/BLE Security of the communication link depends on pairing algorithm Eavesdropping on pairing mechanism compromises encryption keys Just works mode prone to MITM attacks Apps (on the same phone as the companion app) snooping on encrypted BLE traffic Our talk yesterday

BT/BLE Security - Tools Ubertooth Bluefruit LE sniffer NRFsniffer (Nordic BLE sniffer) Ellisys sniffer

Exercise 2 BLE packet eavesdropping with Ubertooth

Overview Market products for fitness tracking Use Bluetooth Low Energy Packet sniffing, capture and cracking LE encryption Goals: BLE traffic eavesdropping Tools to crack the basic security offered by BLE spec

Tools Ubertooth One Great Scott Gadgets 2.4 GHz wireless deployment platform for BT experimentation Wireshark Malware Android app and logcat Mike Ryan s crackle

Problems & Packet Injection Multiple advertising channels (37, 38, 39) Uncertainty > 3 Ubertooths are better than 1 Custom FW for packet injection

Scenario 1 Packet sniffing X Fitness Band

Outline Activity Data, Notifications, etc. Commands, FOTA, etc. Step Count & Calories

Demo

Scenario 2 Packet sniffing & LE Encryption cracking Fossil Q

Outline LTK-encrypted Activity Data, Notifications, etc. Commands, FOTA, etc. Encrypted (Step Count, Distance & Calories) Decrypted (Step Count, Distance & Calories)

Demo

What happened there? LTK-Encrypted (Step Count, Distance & Calories) Decrypted (Step Count, Distance & Calories) Decrypted ((Encrypted(Step Count, Distance & Calories)) LTK-Encryption BLE Link Layer Wrapper Service B Wrapper Service A Encryption

BT/BLE problems with Android and ios Device Commands: Put device into recovery mode Do a FW update Change Device (BLE) name Notifications: Social apps Calls and texts ATTACKER BLE - ENCRYPTED Information: User activity data User profile updates Application action (calls, music control) Call/text/social updates (sometimes)

Secure by Design for IoT Starts with architecture and product design Multi-device crypto flows In-field read/write disable Shift-left Design weaknesses in comms protocol adoption Network Security Gateway/Node Updates Secure key negotiation and distribution Gateway/Node Updates Ecosystem security Secure key negotiation and distribution Secure Provisioning Design weaknesses in comms protocol adoption Side Channel & Timing attacks

Unshackling from traditional SDL

Security & Privacy Development Lifecycle Architecture Reviews Threat Modeling & Attack Trees Security Code Reviews & Static Code Analysis Penetration Testing Incident Response Privacy Req.; Data Access Review; Stakeholder identification Privacy test cases & Plan Privacy Sign-off, Data Availability Legal sign-off & Incident Response Product Development Lifecycle Program Conception to Pre-Alpha Alpha Beta Launch to Post Launch

Privacy Why worry? Global Markets Country-specific guidelines Ecosystems and overlapping policies

Quantifying Privacy Vulnerabilities <quote>common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities </quote> Privacy vulnerabilities? CVSS Extensions Framework Allowing CVSS to be extensible by third parties

Summary Plethora of protocols (and standards) Custom hardware & software for IoT comms penetration testing RZUSBStick works great. Also, APImote Not much else BT/BLE sniffing is still sketchy SDL/SPDL and Shift-left

SDL Vulnerability Assessments Security Consulting Trainings www.deeparmor.com @deep_armor services@deeparmor.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback