THE SECURITY EXPERTS WWW.PRAETORIAN.COM
Paul Jauregui, VP, Securing IoT @ Praetorian
Richard McPherson, PhD Candidate, Intern, Praetorian (2015)
Nishil Shah, UT Graduate, Intern, Praetorian (2015)
Dallas Kaman, Senior Security Engineer, Praetorian
Internet of Things Map Project Team | Summer 2015 and beyond
Praetorian partnered with DroneSense (dronesense.com) for the FAA exemption and autonomous drone automation
Capture Device (v1.0) Specifications and Requirements

Hardware
‣ ZIGBEE RADIOS: Atmel RZUSBstick (x8), flashed with custom firmware
‣ GPS MODULE: Adafruit GPS HAT for Raspberry Pi
‣ RASPBERRY PI: Model B+, 512MB RAM, running Raspbian OS

Requirements
‣ Autonomous operation
‣ Hand-held size
‣ Under 250 grams
‣ Battery powered (from the drone's battery)
‣ Discover all Zigbee devices within 150 feet, across all 16 channels, in under 10 seconds while traveling 10-20 mph
Extending KillerBee 802.15.4 Network Attacking Framework

[Figure: the 16 IEEE 802.15.4 channels of the 2.4 GHz band (channels 11 through 26, band 2400 MHz to 2483.5 MHz) dealt out across scanning processes PROCESS 1, PROCESS 2, PROCESS 3, one process per attached radio.]

‣ Extended the KillerBee zbwardrive utility
‣ Added Python multiprocessing, one process per attached radio
‣ All Zigbee radios cycle through their assigned channels simultaneously, instead of one radio walking all 16 channels in sequence
‣ Step 1: every connected radio sends a beacon request on the channel currently assigned to it
‣ Step 2: when something answers ("Found something!"), the radio stays on that channel and records traffic for a set amount of time (10 seconds in the demo) before moving on

Download the KillerBee framework at https://github.com/riverloopsec/killerbee
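The scheduling logic behind the multi-radio sweep, as an added example written for this page; it is not code from the KillerBee project or from the Praetorian zbwardrive extension. Radio I/O is hidden behind a `probe(radio_id, channel)` callable (an assumption, so the scheduler runs offline), and the PAN descriptors in `SIMULATED_AIR` are constructed, not a real capture. It also shows how the 10-second requirement on the previous slide translates into a per-channel dwell budget.

```python
"""Multi-radio channel-splitting scan scheduler (added example).

N radios each own a slice of the 16 IEEE 802.15.4 channels, sweep them in
parallel, send a beacon request on each, and dwell on any channel that answers.
"""
import math
import multiprocessing as mp
import time
from typing import Callable, Dict, List, Sequence

ZIGBEE_CHANNELS = list(range(11, 27))            # 2.4 GHz band: channels 11..26


def channel_freq_mhz(channel: int) -> int:
    """Centre frequency per IEEE 802.15.4: 2405 MHz for channel 11, 5 MHz steps."""
    if channel not in ZIGBEE_CHANNELS:
        raise ValueError(f"not a 2.4 GHz 802.15.4 channel: {channel}")
    return 2405 + 5 * (channel - 11)


def assign_channels(n_radios: int, channels: Sequence[int] = ZIGBEE_CHANNELS) -> List[List[int]]:
    """Deal channels round-robin so each is covered once per sweep and no radio idles.
    With 8 radios every radio owns 2 channels; with 3 radios the split is 6/5/5."""
    if n_radios < 1:
        raise ValueError("need at least one radio")
    plan: List[List[int]] = [[] for _ in range(n_radios)]
    for i, ch in enumerate(channels):
        plan[i % n_radios].append(ch)
    return plan


def sweep_seconds(n_radios: int, dwell_s: float, n_channels: int = len(ZIGBEE_CHANNELS)) -> float:
    """Worst-case time for one full sweep; the busiest radio bounds it."""
    return math.ceil(n_channels / n_radios) * dwell_s


def scan_radio(radio_id: int, channels: Sequence[int], probe: Callable[[int, int], list],
               dwell_s: float = 0.0, found_dwell_s: float = 0.0, sweeps: int = 1,
               sleep: Callable[[float], None] = time.sleep) -> Dict[int, list]:
    """One worker: beacon-request each assigned channel; on any reply keep
    recording there for found_dwell_s (the 'Listen for 10 sec' step), else hop."""
    hits: Dict[int, list] = {}
    for _ in range(sweeps):
        for ch in channels:
            replies = probe(radio_id, ch)        # send beacon request, collect responses
            if replies:
                hits.setdefault(ch, []).extend(replies)
                sleep(found_dwell_s)             # record traffic on the live channel
            else:
                sleep(dwell_s)                   # nothing here: short listen, then hop
    return hits


# Constructed stand-in for the air interface (no radios needed); not real data.
SIMULATED_AIR = {
    15: [{"pan_id": 0x1A62, "coord_short": 0x0000}],
    25: [{"pan_id": 0x5B3C, "coord_short": 0x0000}],
}


def simulated_probe(radio_id: int, channel: int) -> list:
    """Stand-in for 'send beacon request, listen briefly'; returns constructed PANs."""
    return list(SIMULATED_AIR.get(channel, []))


def _worker(args):
    radio_id, chans, found_dwell_s = args
    return scan_radio(radio_id, chans, simulated_probe, found_dwell_s=found_dwell_s)


def scan_all(n_radios: int, found_dwell_s: float = 0.0, mapper=map) -> Dict[int, list]:
    """Run one sweep on every radio (in-process by default, or via pool.map) and merge."""
    jobs = [(rid, chans, found_dwell_s) for rid, chans in enumerate(assign_channels(n_radios))]
    merged: Dict[int, list] = {}
    for partial in mapper(_worker, jobs):
        for ch, descs in partial.items():
            merged.setdefault(ch, []).extend(descs)
    return dict(sorted(merged.items()))


if __name__ == "__main__":
    # Eight radios, as on the capture device: each owns 2 channels, so a 1 s
    # per-channel dwell sweeps all 16 in 2 s, well inside the 10 s budget.
    print("sweep budget with 8 radios at 1 s dwell:", sweep_seconds(8, 1.0), "s")
    with mp.Pool(8) as pool:
        print(scan_all(8, mapper=pool.map))
```

In a real build each worker would open its own RZUSBstick and `probe` would send the beacon request and read replies through KillerBee; the point of the round-robin plan is that a single radio needs sixteen dwell periods per sweep while eight radios need two, which is what makes the 10-second requirement reachable at 10-20 mph.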
Post-processing Engine: Fingerprinting Methodology

4. Analyze the captured Zigbee traffic and fingerprint devices by the vendor prefix (OUI) of their IEEE extended MAC address

[Figure: example results: a Philips Hue smart lighting network identified; a TCP/Greenwave lighting network identified.]
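The vendor-OUI fingerprinting step, as an added example written for this page and not part of the project's own post-processing engine. The 64-bit extended address of an 802.15.4 node starts with an IEEE OUI exactly as an Ethernet MAC does, so a PAN can be attributed to a vendor without decrypting anything. Assumptions: the observations are already parsed into dicts (a real pipeline would read them from a zbdump pcap); the OUI table is illustrative, with 00:17:88 being Philips Lighting's registered OUI and AA:BB:CC a made-up placeholder, and a real tool should load the IEEE OUI registry; the sample capture is constructed.

```python
"""Fingerprint captured Zigbee devices by the vendor OUI of their EUI-64 (added example)."""
from collections import defaultdict
from typing import Dict, List, Optional

# Illustrative table only: 00:17:88 is Philips Lighting's OUI, AA:BB:CC is made up.
OUI_TABLE: Dict[str, str] = {
    "00:17:88": "Philips Lighting (Hue)",
    "AA:BB:CC": "ExampleCo (constructed placeholder)",
}


def eui64_from_wire(raw: bytes) -> str:
    """Extended addresses are little-endian on the air; Wireshark and KillerBee tools
    display them big-endian. Convert the 8 wire bytes to display form."""
    if len(raw) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    return ":".join(f"{b:02X}" for b in reversed(raw))


def oui_of(eui64: str) -> str:
    """First three octets of a display-form address, normalised to upper case."""
    parts = eui64.upper().split(":")
    if len(parts) != 8 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed EUI-64: {eui64}")
    return ":".join(parts[:3])


def vendor_of(eui64: str, table: Dict[str, str] = OUI_TABLE) -> Optional[str]:
    return table.get(oui_of(eui64))


def fingerprint_networks(observations: List[dict], table: Dict[str, str] = OUI_TABLE) -> Dict[int, dict]:
    """Group frames by PAN ID, count each distinct device once, tally known vendors,
    and label the PAN with the vendor seen most often ('unknown' if none matched)."""
    pans: Dict[int, dict] = defaultdict(
        lambda: {"devices": set(), "vendors": defaultdict(int), "label": "unknown"})
    for obs in observations:
        pan = pans[obs["pan_id"]]
        addr = obs["ext_src"]
        if addr in pan["devices"]:
            continue                      # one vote per device, not per frame
        pan["devices"].add(addr)
        vendor = vendor_of(addr, table)
        if vendor:
            pan["vendors"][vendor] += 1
    for pan in pans.values():
        if pan["vendors"]:
            pan["label"] = max(pan["vendors"], key=pan["vendors"].get)
        pan["vendors"] = dict(pan["vendors"])
    return dict(pans)


# Constructed sample observations (not a real capture): two PANs seen on two channels.
CAPTURED = [
    {"channel": 15, "pan_id": 0x1A62, "ext_src": "00:17:88:01:02:03:04:05"},
    {"channel": 15, "pan_id": 0x1A62, "ext_src": "00:17:88:01:02:03:04:05"},  # same bulb, 2nd frame
    {"channel": 15, "pan_id": 0x1A62, "ext_src": "00:17:88:0A:0B:0C:0D:0E"},
    {"channel": 25, "pan_id": 0x5B3C, "ext_src": "AA:BB:CC:00:00:00:00:01"},
    {"channel": 25, "pan_id": 0x5B3C, "ext_src": "12:34:56:00:00:00:00:02"},  # OUI not in our table
]

if __name__ == "__main__":
    for pan_id, info in fingerprint_networks(CAPTURED).items():
        print(f"PAN 0x{pan_id:04X}: {info['label']}  devices={len(info['devices'])}  {info['vendors']}")
```

Two caveats a practitioner should keep in mind: a PAN mixes vendors whenever a third-party bulb joins a gateway, so the coordinator's OUI is the more reliable label than a simple majority; and many 802.15.4 data frames carry only 16-bit short addresses, so the extended address is usually harvested from association requests, beacons and the first frames after a join, which is another reason the radio dwells on a live channel.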
Results map: praetorian.com/iotmap
Basic Smart Lighting Architecture / Attack Surface

[Figure: EXTERNAL: cloud services, Internet, cellular. INTERNAL NETWORK: WiFi router, mobile apps (over WiFi), lighting gateway, remote, sensors, mesh network (6LoWPAN, Z-Wave and more).]
Embedded Device Hacking with Physical Access

[Figure: UART port test points on the TCP hub board: TX, RX, Ground.]

Gained persistent root access to the device via its SSH server, which starts on boot.
‣ Connected the test points on the board to a UART adapter for "kernel init hijacking"
‣ "Kernel init hijacking" gives temporary root access to the TCP hub's file system by tampering with the boot sequence and injecting commands
‣ That access was used to retrieve the root SSH password, "thinkgreen", which is shared by all TCP gateways
‣ With that password an attacker could also remotely install malicious software that turns the hub into a proxy into the network, sniffs or exfiltrates data, or launches attacks on other systems
INDEPENDENT RESEARCH
Embedded Device Hacking with Physical Access (continued)

In January 2015, Greenwave forced a firmware update that fixed these issues:
✓ Removed the local web control interface that lacked authentication by closing port 80
✓ Opened an HTTPS (port 443) service whose functionality was unknown at the time of the research
✓ Closed the SSH (port 22) service, removing persistent root access via the SSH credentials shared by all devices
✓ UART pins may have been silenced, and the boot delay may have been set to zero (no more "kernel init hijacking")
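How to confirm that a forced update actually closed the exposed services, as an added example written for this page rather than anything from the research itself: it diffs two nmap greppable (`-oG`) scans of the gateway taken before and after the update and reports which TCP ports closed, which newly opened, and which remained. The two scan texts are constructed to mirror the case above (22 and 80 open before, only 443 after); the nmap version string and the address 192.168.1.50 are placeholders, not real output.

```python
"""Diff nmap -oG scans to verify a remediation (added example)."""
import re
from typing import Dict, Set, Tuple

# Constructed scans, not real output. -oG puts one tab-separated record per host.
BEFORE_OG = """# Nmap 6.47 scan initiated (constructed)
Host: 192.168.1.50 ()\tStatus: Up
Host: 192.168.1.50 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)
# Nmap done
"""
AFTER_OG = """# Nmap 6.47 scan initiated (constructed)
Host: 192.168.1.50 ()\tStatus: Up
Host: 192.168.1.50 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
# Nmap done
"""

# port/state/proto/owner/service/rpc/version, e.g. 22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)//([^/]*)/")


def parse_og(text: str) -> Dict[str, Dict[str, Set[int]]]:
    """host -> {state: {tcp ports}} parsed from greppable output."""
    hosts: Dict[str, Dict[str, Set[int]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        entry = hosts.setdefault(host, {"open": set(), "closed": set(), "filtered": set()})
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, _svc in PORT_RE.findall(ports_field):
            if proto == "tcp":
                entry.setdefault(state, set()).add(int(port))
    return hosts


def diff_exposure(before: str, after: str, host: str) -> Dict[str, Set[int]]:
    """Open TCP ports that closed, newly opened, or stayed open across the update."""
    b = parse_og(before).get(host, {}).get("open", set())
    a = parse_og(after).get(host, {}).get("open", set())
    return {"closed": b - a, "newly_open": a - b, "still_open": a & b}


def remediation_verified(before: str, after: str, host: str,
                         must_close: Set[int]) -> Tuple[bool, Dict[str, Set[int]]]:
    """True only if every port the fix was supposed to close is gone; the diff is
    returned too so that anything newly opened (443 here) gets reviewed, not ignored."""
    d = diff_exposure(before, after, host)
    return must_close.issubset(d["closed"]), d


if __name__ == "__main__":
    ok, d = remediation_verified(BEFORE_OG, AFTER_OG, "192.168.1.50", {22, 80})
    print("remediation verified:", ok)
    for k, v in d.items():
        print(f"  {k:10s} {sorted(v)}")
```

A newly opened port is not a pass just because the old ones are gone; the 443 service above still has to be enumerated before the update can be called a complete fix, and the same before/after comparison should be repeated on the UART side (does the bootloader still accept input, is there still a boot delay) since a port scan cannot see that.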
Common Security Challenges in the Product Development Lifecycle

‣ Research: time-to-market pressures
‣ Develop: general lack of security consciousness
‣ Testing: security is often left as an afterthought
‣ Launch: insufficient security testing prior to launch
‣ Support: ongoing security support and maintenance
Internet of Things (IoT) — End-to-end Security Considerations

‣ EMBEDDED DEVICES: physical and logical threats to embedded systems
‣ DEVICE FIRMWARE: device firmware and the update distribution process
‣ WIRELESS PROTOCOLS: local wireless communication protocols (M2M)
‣ APPLICATIONS: web applications, mobile apps, 3rd-party integrations
‣ CLOUD SERVICES: web services, RESTful APIs, analytics, 3rd-party services
‣ INFRASTRUCTURE: back-end systems, networks, servers, and data

Independent research highlighted against these layers:
‣ The UART / kernel init hijacking work on the TCP hub described above
‣ CVE-2015-6949 (October 2015): a Praetorian security researcher was recognized by ASUS for responsible disclosure of a zero-day vulnerability affecting all ASUS router firmware. Zero-day impact: remote code execution (RCE)

[Figure: home deployment. EXTERNAL: cloud services, Internet, cellular. HOME LOCAL AREA NETWORK: WiFi router, mobile apps (over WiFi), IoT device/gateway, sensors, mesh networks.]
Recommended Security Best Practices

‣ Research: train employees on security best practices
‣ Develop: build security in from the start, don't bolt it on
‣ Testing: conduct 3rd-party security risk assessments
‣ Launch: test end-to-end security before product launch
‣ Support: monitor the product through its life and patch known vulnerabilities

Service areas: Network, Application, Mobile, Cloud, IoT

Internet of Things Map Project: Exploring Risk & Mapping the Internet of Things with Autonomous Drones