Practical Security Assessments of IoT Devices and Systems

NCC Group Technical Security Consulting

NCC Group Security Research

Talk synopsis

This talk will discuss strategies and methodologies that can be employed when assessing IoT devices. We'll look at how to develop credible threat scenarios for different IoT devices and systems, perform static and dynamic attack surface mapping, perform static firmware analysis, perform static hardware analysis, and undertake a dynamic device security analysis. We'll also cover sources of supporting information, supporting capability requirements and establishment, execution of dynamic device analysis, and approaches to network protocol analysis.

What we’ll zoom through

Understanding

Modelling

Technical Capabilities

Deep Dives

Assessing

Reporting

Internet of Things

What do we mean?

What is the IoT?

Understanding

Purpose, Use Case & Design

Understanding – Design

Device – components

Communications – protocols

System – what, where, how, when

Modelling

Threats & Resilience Expectations

Flows & Trust Boundaries

Modelling – Threats

Device level

Communication level

System level

Modelling – Resilience Expectations

Device level

Communication level

System level

Modelling – Flows & Trust Boundaries

On device – data and features

Device to system – traffic

System – data and functionality

Technical Capabilities

Dump

Observe

Interrogate

Debug

Technical Capabilities - Dump

Software - firmware (persistent storage)

Data (persistent storage)

Memory (non-persistent storage)

FPGA Bitstream files / CPLD JEDEC files (persistent)

Technical Capabilities - Dump

Removable storage e.g. SD card

via built-in functionality / debugging (in firmware)

via JTAG

via observing data transmitted across memory buses*

Chip-off analysis

Technical Capabilities - Observe

On device – I2C, SPI, USB, GPIO, generic..

Off device – RF (ZigBee, 6LoWPAN, 802.11, Bluetooth, GSM/GPRS, Ethernet etc.)

Side Channels - RF / DPA etc.

System – end-to-end

Technical Capabilities - Debug

Chip level – JTAG

Device level – serial ports (e.g. console)

– software interfaces

– internal debugger (in firmware)

Network – RF / wired

– GDB stubs

System – end-to-end

Deep Dives

Obtain

Extract

Reverse

Identify

Deep Dives: Obtain

Documentation

SDKs

GPL etc.

Trigger auto-update then capture network traffic (if SSL not used)

Firmware update bundles

Deep Dives: Extract

Structure

Clear-text / Encoding

Obfuscation

Compression

Encryption / Signatures
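
A first-pass triage for the "Extract" questions above (is a region clear text, padding, compressed or encrypted), given as an added example that is not from the talk or from NCC Group. The block size, entropy thresholds and the sample image built inline are assumptions made for illustration.

```python
import gzip, hashlib, math
from collections import Counter

BLOCK = 1024  # assumed window size; the thresholds below are also assumptions

# Magic numbers of formats commonly found inside firmware bundles.
MAGICS = {b"\x1f\x8b\x08": "gzip", b"\xfd7zXZ\x00": "xz",
          b"hsqs": "squashfs", b"\x27\x05\x19\x56": "uImage"}

def entropy(block):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(h):
    if h < 1.0:
        return "padding"
    if h < 6.5:
        return "clear-text or code"
    # entropy alone cannot separate compression from encryption
    return "compressed or encrypted" if h > 7.5 else "encoded or mixed"

def triage(image):
    """Return (offset, entropy, label) for every BLOCK-sized window."""
    hs = [(o, entropy(image[o:o + BLOCK])) for o in range(0, len(image), BLOCK)]
    return [(o, round(h, 2), classify(h)) for o, h in hs]

def find_magics(image):
    """Sorted (offset, format) hits; a hit in a high-entropy region suggests compression."""
    hits = []
    for magic, name in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed image: config text, 0xFF padding, pseudo-random bytes, gzip member."""
    text = (b"model=demo-sensor\nupdate_url=http://updates.example.invalid/fw.bin\n" * 40)[:2048]
    rand = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # stands in for ciphertext
    return text + b"\xff" * 1024 + rand + gzip.compress(text * 20)

if __name__ == "__main__":
    print(triage(build_sample()), find_magics(build_sample()))
```

High-entropy blocks with no recognised signature nearby are the candidates for encryption or custom obfuscation and usually need the boot loader or update code to go further.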

Deep Dives: Reverse

Boot loader

Operating system / software

Sensitive data

IP – data representing device characteristics e.g. intelligent suspension / stability control

Deep Dives: Identify

Technologies

Security indicators

1st / 3rd party software

Open Source libraries

Security algorithms

Assess

Technical Techniques

Security Assessment / fuzzing tools

How to assess

Review configuration

Standard web app / product assessment methodologies

Use the product

Fuzz / correctness tests

Code review

Example

.. of the technical aspects ..

(i.e. excluding understanding / modelling)

Example: …

REDACTED

Summary & Conclusions

IoT = embedded systems + wider system

Approach = understand, model, ensure capability, assess

… it’s not rocket science but it’s more complex than a web app, mobile app or standard infrastructure assessment …

Resources & Reading

Further Information

Detailed paper on how to design and build securely

https://www.nccgroup.com/en/learning-and-research-centre/white-papers/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/

Further Information & Resources

- Binwalk - http://binwalk.org/

- JTAGulator - http://www.grandideastudio.com/portfolio/jtagulator/

- Face Dancer - http://goodfet.sourceforge.net/hardware/facedancer21/

- DevTTYS0 Blog - http://www.devttys0.com/blog/

- Tamper detection / Anti-tamper

.. plus many more ..
