IoT Security: Targeting the IoT Ecosystem Lecture PDF
Document Details
Dr Hanan Hindy
Summary
This lecture discusses IoT security, focusing on various threats and vulnerabilities within the IoT ecosystem. It covers concepts like signal jamming, replay attacks, and security breaches, along with practical examples of how malicious actors might exploit vulnerabilities. The lecture also details passive reconnaissance methods and security challenges at the hardware level. Useful for understanding the fundamental security concerns in the Internet of Things.
Full Transcript
IoT Security: Targeting the IoT Ecosystem
Dr Hanan Hindy

Let’s Remember: Common IoT Threats
- Signal Jamming Attacks
- Replay Attacks
- Settings Tampering Attacks
- Hardware Integrity Attacks
- Node Cloning
- Security and Privacy Breaches
- User Security Awareness

Common IoT Threats: Signal Jamming Attacks
The adversary interferes with the communication between two systems. IoT systems usually have their own ecosystems of nodes.
https://www.researchgate.net/profile/Cong-Nguyen-5/publication/328380592/figure/fig6/AS:683287936778240@1539919947052/Jamming-attack-in-cognitive-radio-network-111.png

Common IoT Threats: Replay Attacks
The adversary repeats some operation or resends a transmitted packet.
https://hackster.imgix.net/uploads/attachments/973420/1_vcUmj-H8_WF_E9f70XOd4w.png?auto=compress%2Cformat

Common IoT Threats: Settings Tampering Attacks
The adversary exploits a component’s lack of integrity to change its settings.
https://media.wired.com/photos/593248a4a312645844993df8/master/pass/GettyImages-157394356.jpg

Common IoT Threats: Hardware Integrity Attacks
Compromise the integrity of the physical device.

Common IoT Threats: Node Cloning
Node cloning is a threat that arises as part of a Sybil attack, in which an attacker creates fake nodes in a network to compromise its reliability. IoT systems commonly use multiple nodes in their ecosystem, such as when one control server manages multiple drug infusion pumps.
https://www.researchgate.net/profile/Sathish-r-2/publication/315489886/figure/fig1/AS:669488102010884@1536629810538/Node-Clone-Replicatio Attack.jpg

Common IoT Threats: Security and Privacy Breaches
Privacy breaches are one of the biggest and most consistent threats in IoT systems. Often, very little protects user data confidentiality, so you can find this threat in almost any communication protocol that transfers data to and from a device. Map the system architecture, find the components that might contain sensitive user data, and monitor the endpoints that transfer them.

Common IoT Threats: User Security Awareness
Even if you manage to mitigate all other threats, you’ll probably have trouble addressing users’ security awareness. This could include their ability to detect phishing emails, which could compromise their workstations, or their habit of allowing unauthorized people into sensitive areas. People who work with medical IoT equipment have a saying: if you’re looking for a hack, a business logic bypass, or something that will accelerate some processing tasks, just ask the nurse operating the system. Because they use this system daily, they’ll know all the system shortcuts.

Passive Reconnaissance
Passive reconnaissance, also commonly referred to as open-source intelligence (OSINT), is the process of collecting data about targets without communicating directly with the systems. It’s one of the initial steps for any assessment; you should always perform it to get the lay of the land. For example:
- Download and examine device manuals and chipset datasheets.
- Browse online forums and social media, or interview users and technical personnel for information.

It’s amazing how much public information you can find on social media, online forums, and chat rooms. You can even use Amazon and eBay reviews as a knowledge source. Look for users complaining about certain device functions.

Physical or Hardware Layer
One of the most important attack vectors in an IoT device is the hardware. If attackers can get ahold of a system’s hardware components, they’re frequently able to gain elevated privileges, because the system almost always implicitly trusts anyone who has physical access.
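Before the hardware-layer checklist, the replay-attack threat from the opening slides deserves a concrete defence. The following is an added example, not code from the lecture: a sender binds a strictly increasing counter to each payload with an HMAC, and the receiver rejects any packet whose counter does not advance, so a captured packet that is simply resent is refused even though its MAC is valid. The shared key, the JSON message layout and the `ReplayGuard` class are assumptions for this illustration.

```python
import hashlib
import hmac
import json

# Constructed example key shared between a sensor node and its controller.
# Hypothetical value for this illustration; real deployments provision a
# distinct key per device.
SHARED_KEY = b"example-per-device-key-not-for-production"


def build_message(key: bytes, counter: int, payload: dict) -> bytes:
    """Sender side: bind a strictly increasing counter to the payload with an
    HMAC, so the receiver can tell a fresh message from a re-sent one."""
    body = json.dumps({"ctr": counter, "data": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


class ReplayGuard:
    """Receiver side: verify the MAC first, then accept only counters above the
    highest one already seen from this sender."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # a real node must persist this across reboots

    def accept(self, raw: bytes):
        envelope = json.loads(raw)
        body = envelope["body"]
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison: an altered or forged packet fails here.
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "rejected: bad MAC"
        parsed = json.loads(body)
        if parsed["ctr"] <= self.last_counter:
            return False, f"rejected: replay (counter {parsed['ctr']} <= {self.last_counter})"
        self.last_counter = parsed["ctr"]
        return True, parsed["data"]


def demo():
    """Walk through a fresh message, a re-sent copy of it, a copy with the
    command altered, and the next legitimate message; return the verdicts."""
    guard = ReplayGuard(SHARED_KEY)
    msg1 = build_message(SHARED_KEY, 1, {"cmd": "unlock"})

    fresh = guard.accept(msg1)
    replayed = guard.accept(msg1)  # the same captured packet delivered again

    # A copy of the packet with the command edited but no key to re-sign it.
    edited = json.loads(msg1)
    edited["body"] = edited["body"].replace('"unlock"', '"lock"')
    tampered = guard.accept(json.dumps(edited).encode())

    next_ok = guard.accept(build_message(SHARED_KEY, 2, {"cmd": "status"}))
    return {"fresh": fresh, "replayed": replayed, "tampered": tampered, "next": next_ok}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9} -> {verdict}")
```

The counter is what makes the check work: an HMAC alone proves the packet came from a key holder, not that it is new. The counter (or a timestamp with a tight freshness window) has to survive a receiver reboot, otherwise the first packets after power-up can be replayed.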
An assessment of the hardware layer should include the following:

Physical or Hardware Layer (1): Peripheral Interfaces
Peripheral interfaces are physical communication ports that allow you to connect external devices, such as keyboards, hard disks, and network cards. Check whether any active USB ports or PC card slots are enabled and whether they’re bootable. Devices usually operate in a kiosk mode; however, imagine what you could do if you could attach a USB keyboard to an exposed port on the device. Using specific key combinations, such as CTRL-ALT-DELETE or the Windows key, you might be able to escape the kiosk mode and gain direct access to the rest of the system.

Physical or Hardware Layer (2): Boot Environment
For systems using a conventional BIOS (typically x86 and x64 platforms), check whether the BIOS and boot loader are password-protected and what the preferred boot order is. If the system boots removable media first, you can boot your own operating system without having to make any changes to the BIOS settings.

Physical or Hardware Layer (3): Locks
Check whether the device is protected by some kind of lock, and if it is, how easy it is to pick the lock. Also, check whether there’s a universal key for all locks or a separate one for every device.

Physical or Hardware Layer (4): Tamper Protection and Detection
Check whether the device is tamper-resistant and tamper-evident. For example, one way to make a device tamper-evident is to use a label with perforated tape that permanently displays some kind of message after it’s opened. Also, you can use physical fuses that can erase sensitive contents if a device is disassembled. Tamper detection mechanisms send an alert or create a log file on the device upon sensing an attempt to compromise the device’s integrity.
Physical or Hardware Layer (5): Debug Interfaces
Check for debug, services, or test point interfaces that the manufacturer might have used to simplify development, manufacturing, and debugging.

Network Layer
The network layer, which includes all components that directly or indirectly communicate through standard network communication paths, is usually the largest attack vector.

Network Layer (1): Reconnaissance
Passive reconnaissance might include listening on the network for useful data, whereas active reconnaissance (reconnaissance that requires interacting with the target) requires querying devices directly.

Host Discovery
Host discovery is determining which systems are live on the network by probing them using a variety of techniques. These techniques include:
- Sending Internet Control Message Protocol (ICMP) echo-request packets
- Conducting TCP/UDP scans of common ports
- Listening for broadcast traffic on the network
- Conducting ARP request scans

Service Version Detection
Determine all the listening services on the device.

Operating System Identification
Determine the exact operating system running on each of the tested hosts so you can develop exploits for them later. At the very least, identify the architecture (for example, x86, x64, or ARM). Ideally, you’d identify the operating system’s exact service pack level (for Windows) and kernel version (for Linux or Unix-based systems in general). But be aware that for some sensitive IoT devices, operating system fingerprinting can be intrusive and can cause crashes.

Topology Mapping
Topology mapping models the connections between different systems in a network.

Network Layer (2): Network Protocol and Service Attacks
- Vulnerability Scanning
- Network Traffic Analysis: run Wireshark or tcpdump for a period of time to get an idea of the communication protocols in use.
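Seen from the device owner's side, the host-discovery techniques listed above leave a recognisable footprint in connection records: one source touching many hosts (an ICMP or ARP sweep) or many ports on one host (a port scan) inside a short window. The following added example, which is not part of the lecture, runs that detection logic over a few constructed flow records. The record format (`timestamp src= dst= proto= dport=`), the thresholds and the 60-second window are assumptions chosen for the illustration; a real deployment would tune them to the network's normal traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records (not captured traffic): 10.0.0.5 is a normal
# client; 10.0.0.99 first pings a range of hosts, then probes several ports on one.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=443
2024-03-01T09:00:02 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=443
2024-03-01T09:00:03 src=10.0.0.5 dst=10.0.0.21 proto=tcp dport=80
2024-03-01T09:00:10 src=10.0.0.99 dst=10.0.0.20 proto=icmp
2024-03-01T09:00:10 src=10.0.0.99 dst=10.0.0.21 proto=icmp
2024-03-01T09:00:11 src=10.0.0.99 dst=10.0.0.22 proto=icmp
2024-03-01T09:00:11 src=10.0.0.99 dst=10.0.0.23 proto=icmp
2024-03-01T09:00:12 src=10.0.0.99 dst=10.0.0.24 proto=icmp
2024-03-01T09:00:20 src=10.0.0.99 dst=10.0.0.20 proto=tcp dport=21
2024-03-01T09:00:20 src=10.0.0.99 dst=10.0.0.20 proto=tcp dport=22
2024-03-01T09:00:21 src=10.0.0.99 dst=10.0.0.20 proto=tcp dport=23
2024-03-01T09:00:21 src=10.0.0.99 dst=10.0.0.20 proto=tcp dport=80
2024-03-01T09:00:22 src=10.0.0.99 dst=10.0.0.20 proto=tcp dport=443
2024-03-01T09:00:22 src=10.0.0.99 dst=10.0.0.20 proto=tcp dport=8080
""".splitlines()


def parse_flow(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        ev[key] = int(value) if key == "dport" else value
    return ev


def detect_recon(lines, window=60, host_threshold=5, port_threshold=5):
    """Flag a source that touches >= host_threshold distinct hosts (sweep) or
    >= port_threshold distinct ports on one host (port scan) within `window`
    seconds. Each (source, finding) pair is reported once."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_flow(line)
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fired = set()
        for i, ev in enumerate(events):
            # Sliding window: only this source's events from the last `window` seconds.
            start = ev["ts"] - timedelta(seconds=window)
            recent = [e for e in events[: i + 1] if e["ts"] >= start]
            hosts = {e["dst"] for e in recent}
            ports_per_dst = defaultdict(set)
            for e in recent:
                if "dport" in e:
                    ports_per_dst[e["dst"]].add(e["dport"])

            if len(hosts) >= host_threshold and "host_sweep" not in fired:
                fired.add("host_sweep")
                alerts.append({"type": "host_sweep", "src": src,
                               "hosts": len(hosts), "at": ev["ts"].isoformat()})
            for dst, ports in ports_per_dst.items():
                key = ("port_scan", dst)
                if len(ports) >= port_threshold and key not in fired:
                    fired.add(key)
                    alerts.append({"type": "port_scan", "src": src, "dst": dst,
                                   "ports": len(ports), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the normal client never crosses either threshold, while 10.0.0.99 raises one sweep alert when its fifth host is pinged and one scan alert when the fifth distinct port on 10.0.0.20 is touched. Counting distinct hosts and ports, rather than raw packets, is what keeps a chatty but legitimate client from tripping the rule.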
IDS
An intrusion detection system (IDS) is a security mechanism that works mainly in the network layer of an IoT system. An IDS deployed for an IoT system should be able to analyze packets of data and generate responses in real time, analyze data packets in different layers of the IoT network with different protocol stacks, and adapt to different technologies in the IoT environment.

Web Application
- Client-Side Controls
- Authentication
- Access Controls and Authorization
- Session Management
- Input Validation
- Logic Flows
- Application Server

Host Configuration
- User Accounts
  - The existence of default user accounts
  - The robustness of account policies: password history, password expiration, lockout mechanisms
  - Password Strength
  - Account Privileges
- Patch Levels
  - Update process
- Remote Maintenance
- Filesystem Access Controls
- Data Encryption
- Misconfigurations

Mobile Application
Mobile apps bring their own ecosystem of threats to the IoT-enabled world.

General Mobile Device Threats
- A mobile device can be easily lost or stolen. Even if people steal phones for the device’s value, adversaries could retrieve sensitive personal data stored in the IoT companion app storage. Or, they could attempt to circumvent a weak or broken authentication control in the app to gain remote access to the associated IoT device.
- Mobile devices are usually connected to untrusted networks, such as the random Wi-Fi public hotspots in cafes and hotel rooms, opening the way for a variety of network attacks (such as man-in-the-middle attacks or network sniffing).
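Several items of the host-configuration checklist above (default accounts, password expiration, account privileges) can be checked mechanically from a Linux-based device's account database. The following added example, not code from the lecture, audits constructed `/etc/passwd` and `/etc/shadow` excerpts for a hypothetical gateway; the hashes are fake placeholders, and the list of typical vendor account names is an assumption for the illustration. Password history and lockout settings live in the PAM configuration rather than in these files, so they are outside what this script can see.

```python
# Constructed /etc/passwd and /etc/shadow excerpts for a hypothetical IoT gateway.
# The hashes are fake placeholders, not real credentials.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/sh
admin:x:0:0:vendor admin:/home/admin:/bin/sh
support:x:1001:1001:field support:/home/support:/bin/sh
sensord:x:1002:1002:sensor daemon:/var/lib/sensord:/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/sh
""".splitlines()

SHADOW_LINES = """\
root:$6$FAKESALT$FAKEHASHROOT:19700:0:90:7:::
admin:$6$FAKESALT$FAKEHASHADMIN:19700:0:99999:7:::
support:!:19700:0:99999:7:::
sensord:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
""".splitlines()

# Account names vendors commonly ship with; constructed list for this example.
DEFAULT_ACCOUNT_NAMES = {"admin", "support", "guest", "operator", "user"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(lines):
    """name -> {uid, shell} from passwd(5) format."""
    users = {}
    for line in lines:
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(lines):
    """name -> {hash, max_days} from shadow(5) format; an empty max field -> None."""
    entries = {}
    for line in lines:
        fields = line.split(":")
        name, pw_hash, max_days = fields[0], fields[1], fields[4]
        entries[name] = {"hash": pw_hash, "max_days": int(max_days) if max_days else None}
    return entries


def is_locked(pw_hash):
    # shadow(5): a password field starting with '!' or '*' cannot be used to log in.
    return pw_hash.startswith(("!", "*"))


def audit_accounts(passwd_lines, shadow_lines):
    """Return (account, finding) pairs for the checklist items that these files expose."""
    users = parse_passwd(passwd_lines)
    shadow = parse_shadow(shadow_lines)
    findings = []
    for name, user in users.items():
        entry = shadow.get(name, {"hash": "", "max_days": None})
        pw_hash = entry["hash"]
        interactive = user["shell"] not in NOLOGIN_SHELLS
        usable = interactive and not is_locked(pw_hash)

        if user["uid"] == 0 and name != "root":
            findings.append((name, "additional UID 0 account"))
        if interactive and pw_hash == "":
            findings.append((name, "empty password field: login without a password"))
        if usable and name in DEFAULT_ACCOUNT_NAMES:
            findings.append((name, "default vendor account still enabled"))
        if usable and (entry["max_days"] is None or entry["max_days"] >= 99999):
            findings.append((name, "password never expires"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD_LINES, SHADOW_LINES):
        print(f"{account}: {finding}")
```

On the sample files `root` passes every check, `support` is flagged for nothing because its password is locked, and `sensord` is skipped as a non-interactive service account; `admin` (a second UID 0 user with a non-expiring password) and `guest` (an empty password field) account for all six findings.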
Sandboxing & IPC

SAST vs DAST
Source: https://www.synopsys.com/blogs/software-security/wp-content/uploads/2016/03/IG_SASTvsDAST_011918.jpg

Static Analysis
Common vulnerabilities:
- Unused permissions
- Unused Code
- Certificate Metadata
- Hardcoded passwords

Dynamic Analysis
Common vulnerabilities:
- Suspicious Phone Activity
- Data Leaks
- Network Activity
- Privacy Leaks
- SQL Injection
- Memory Corruption
- Insecure Connections
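Two of the static-analysis findings listed above, unused permissions and hardcoded passwords, can be demonstrated without a full SAST tool. The following added example, not code from the lecture or from any real app, parses a constructed `AndroidManifest.xml` and a constructed source excerpt for a hypothetical IoT companion app. The permission-to-API marker table is a deliberately small heuristic written for this illustration, and the secret-name regex is likewise an assumption; real scanners use much larger rule sets.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical IoT companion app (not a real app).
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iotcompanion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="IoT Companion"/>
</manifest>"""

# Constructed source excerpts from the same hypothetical app.
SOURCES = {
    "DeviceClient.java": """
        private static final String DEVICE_PASSWORD = "admin1234";
        HttpURLConnection conn = (HttpURLConnection) new URL(BASE_URL).openConnection();
    """,
    "Pairing.java": """
        CameraManager cm = (CameraManager) ctx.getSystemService(Context.CAMERA_SERVICE);
        String apiKey = System.getenv("IOT_API_KEY");  // read at runtime, not hardcoded
    """,
}

# Simplified heuristic (assumption for this example): API markers whose presence
# in the code indicates the permission is actually exercised.
PERMISSION_MARKERS = {
    "android.permission.INTERNET": ("HttpURLConnection", "OkHttpClient", "Socket("),
    "android.permission.CAMERA": ("CameraManager", "Camera.open", "CAMERA_SERVICE"),
    "android.permission.READ_CONTACTS": ("ContactsContract",),
    "android.permission.ACCESS_FINE_LOCATION": ("LocationManager", "FusedLocationProviderClient"),
}

# Identifier that looks like a credential, assigned a literal string of 4+ chars.
SECRET_PATTERN = re.compile(
    r'(?i)\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\s*=\s*"([^"]{4,})"')


def requested_permissions(manifest_xml):
    """All android:name values of <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def unused_permissions(manifest_xml, sources):
    """Requested permissions with no matching API marker anywhere in the sources."""
    code = "\n".join(sources.values())
    unused = []
    for perm in requested_permissions(manifest_xml):
        markers = PERMISSION_MARKERS.get(perm, ())
        if not any(marker in code for marker in markers):
            unused.append(perm)
    return unused


def hardcoded_secrets(sources):
    """Credential-looking identifiers assigned a string literal, with location."""
    findings = []
    for fname, code in sources.items():
        for lineno, line in enumerate(code.splitlines(), 1):
            match = SECRET_PATTERN.search(line)
            if match:
                findings.append({"file": fname, "line": lineno,
                                 "name": match.group(1), "value": match.group(2)})
    return findings


if __name__ == "__main__":
    print("unused permissions:", unused_permissions(MANIFEST, SOURCES))
    for f in hardcoded_secrets(SOURCES):
        print(f"hardcoded secret in {f['file']}:{f['line']}: {f['name']}")
```

The `apiKey` line in `Pairing.java` is deliberately not flagged: the value comes from the environment at runtime, which is the pattern a reviewer wants to see instead of the literal in `DeviceClient.java`. Marker-based permission matching gives false positives when a permission is used through a library the table does not know, so findings of this kind are a prompt for manual review rather than a verdict.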