Practical Security Assessments of IoT Devices and Systems TBC NCC Group Technical Security Consulting NCC Group Security Research

Practical Security Assessments of IoT Devices and Systems

Jul 15, 2015

Page 1: Practical Security Assessments of IoT Devices and Systems

Practical Security Assessments of

IoT Devices and Systems TBC

NCC Group Technical Security Consulting

NCC Group Security Research

Page 2: Practical Security Assessments of IoT Devices and Systems

Talk synopsis

This talk will discuss strategies and methodologies that can be employed when assessing IoT devices. We'll look at how to develop credible threat scenarios for different IoT devices and systems, perform static and dynamic attack surface mapping, perform static firmware analysis, perform static hardware analysis, and undertake a dynamic device security analysis. We'll also cover sources of supporting information, supporting capability requirements and establishment, execution of dynamic device analysis, and approaches to network protocol analysis.

Page 3: Practical Security Assessments of IoT Devices and Systems

What we’ll zoom through

Understanding

Modelling

Technical Capabilities

Deep Dives

Assessing

Reporting

Page 4: Practical Security Assessments of IoT Devices and Systems

Internet of Things

What do we mean?

Page 5: Practical Security Assessments of IoT Devices and Systems

What is the IoT?

Page 6: Practical Security Assessments of IoT Devices and Systems

What is the IoT?

Page 7: Practical Security Assessments of IoT Devices and Systems

Understanding

Purpose, Use Case & Design

Page 8: Practical Security Assessments of IoT Devices and Systems

Understanding

Page 9: Practical Security Assessments of IoT Devices and Systems

Understanding – Design

Device – components

Communications – protocols

System – what, where, how, when

Page 10: Practical Security Assessments of IoT Devices and Systems

Modelling

Threats & Resilience Expectations

Flows & Trust Boundaries

Page 11: Practical Security Assessments of IoT Devices and Systems

Modelling – Threats

Device level

Communication level

System level

Page 12: Practical Security Assessments of IoT Devices and Systems

Modelling – Resilience Expectations

Device level

Communication level

System level

Page 13: Practical Security Assessments of IoT Devices and Systems

Modelling – Flows & Trust Boundaries

On device – data and features

Device to system – traffic

System – data and functionality

Page 14: Practical Security Assessments of IoT Devices and Systems

Technical Capabilities

Dump

Observe

Interrogate

Debug

Page 15: Practical Security Assessments of IoT Devices and Systems

Technical Capabilities - Dump

Software - firmware (persistent storage)

Data (persistent storage)

Memory (non-persistent storage)

FPGA Bitstream files / CPLD JEDEC files (persistent)

Page 16: Practical Security Assessments of IoT Devices and Systems

Technical Capabilities - Dump

Removable storage e.g. SD card

via built-in functionality / debugging (in firmware)

via JTAG

via observing data transmitted across memory buses*

Chip-off analysis

Page 17: Practical Security Assessments of IoT Devices and Systems

Technical Capabilities - Observe

On device – I2C, SPI, USB, GPIO, generic..

Off device – RF (ZigBee, 6LoWPAN, 802.11, Bluetooth, GSM/GPRS, Ethernet etc.)

Side Channels - RF / DPA etc.

System – end-to-end

Page 18: Practical Security Assessments of IoT Devices and Systems

Technical Capabilities - Debug

Chip level – JTAG

Device level – serial ports (e.g. console)

– software interfaces

– internal debugger (in firmware)

Network – RF / wired

– GDB stubs

System – end-to-end

Page 19: Practical Security Assessments of IoT Devices and Systems

Deep Dives

Obtain

Extract

Reverse

Identify

Page 20: Practical Security Assessments of IoT Devices and Systems

Deep Dives: Obtain

Documentation

SDKs

GPL etc.

Trigger auto-update then capture network traffic (if SSL not used)

Firmware update bundles

Page 21: Practical Security Assessments of IoT Devices and Systems

Deep Dives: Extract

Structure

Clear-text / Encoding

Obfuscation

Compression

Encryption / Signatures

Page 22: Practical Security Assessments of IoT Devices and Systems

Deep Dives: Reverse

Boot loader

Operating system / software

Sensitive data

IP – data representing device characteristics e.g. intelligent suspension / stability control

Page 23: Practical Security Assessments of IoT Devices and Systems

Deep Dives: Identify

Technologies

Security indicators

1st / 3rd party software

Open Source libraries

Security algorithms

Page 24: Practical Security Assessments of IoT Devices and Systems

Assess

Technical Techniques

Page 25: Practical Security Assessments of IoT Devices and Systems

Security Assessment / fuzzing tools

Page 26: Practical Security Assessments of IoT Devices and Systems

How to assess

Review configuration

Standard web app / product assessment methodologies

Use the product

Fuzz / correctness tests

Code review

Page 27: Practical Security Assessments of IoT Devices and Systems

Example

.. of the technical aspects ..

(i.e. excluding understanding / modelling)

Page 28: Practical Security Assessments of IoT Devices and Systems

Example: …

REDACTED

Page 29: Practical Security Assessments of IoT Devices and Systems

Summary & Conclusions

….

Page 30: Practical Security Assessments of IoT Devices and Systems

Summary & Conclusions

IoT = embedded systems + wider system

Approach = understand, model, ensure capability, assess

… it’s not rocket science but it’s more complex than a web app, mobile app or standard infrastructure assessment …

Page 31: Practical Security Assessments of IoT Devices and Systems

Resources & Reading

Page 32: Practical Security Assessments of IoT Devices and Systems

Further Information

Detailed paper on how to design and build securely

https://www.nccgroup.com/en/learning-and-research-centre/white-papers/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/

Page 33: Practical Security Assessments of IoT Devices and Systems

Further Information & Resources

- Binwalk - http://binwalk.org/

- JTAGulator - http://www.grandideastudio.com/portfolio/jtagulator/

- Face Dancer - http://goodfet.sourceforge.net/hardware/facedancer21/

- DevTTYS0 Blog - http://www.devttys0.com/blog/

- Tamper detection / Anti-tamper

.. plus many more ..
