Chris Archimandritis
Sense of Security
Chris Archimandritis is an Information Security researcher and professional with over 10 years of academic and professional experience in information security.

Chris is a mobile platform, mobile application and web application security expert, frequently requested to contribute to industry developments and provide expert commentary. Chris has delivered Advanced VoIP Security Training at Defcon (The Art of VoIP Hacking - Defcon 23 Workshop) and is a frequent presenter of Sense of Security Training Courses, specifically for Web Application and Web Services security.

Along with a Master of Science in Information Systems, Chris is also an OSCP and general all-round mobile security guru, spearheading Sense of Security’s R&D program for Mobile Device and Mobile Application Security.

TUTORIAL: Introduction to IoT Security Assessment and Penetration Testing


The Internet of Things (IoT) is a generic term that encompasses the entire network of devices that, besides their main function or goal, include networking capabilities that allow them to be controlled, sensed and configured remotely across an underlying infrastructure such as the Internet. These devices range from extremely low-cost and simple sensors that are networked to cover a large physical area, to sophisticated systems that allow vehicles to traverse adverse terrain autonomously. In the retail market, a “smart” device is widely considered to be part of the generic IoT family. The explosive growth of the “smart” devices market has led manufacturers down the slippery slope of rapid development and deployment, while the enormous number of providers necessitates that these devices are brought to market at extremely low cost. As such, concerns about the profound need for security have been raised, and rightly so. An overview of the sheer breadth of devices, usage scenarios and production techniques reveals many potential security issues that can arise from the widespread use of IoT devices. These include, but are not limited to, the collection and storage of potentially sensitive data, user anonymity, access to and manipulation of critical infrastructure, denial of service attacks on these devices, and the use of these devices, and of user access through customer premises devices, to reach corporate resources. Finally, the relevance of this field of research is multiplied by the fact that, besides retail and end-user devices, industrial control systems continually converge towards being IoT devices for industrial use.

Scope

In this tutorial, the speakers will introduce the participants to a testing framework that can be used to assess any device they encounter in the field. This testing methodology has been developed and proven in the wild by the speakers while performing hardware and device penetration testing on real products for their customers, or research on state of the art retail devices. This tutorial is created by pen-testers and aimed at both security professionals and product managers who would like to learn what an attacker looks for in their devices, what the usual pitfalls are, and how to create layers of controls to compensate for the inherent shortcomings of low-powered, low-cost devices in the hands of the enemy. Common attacks and techniques will be demonstrated to highlight the impact, and then the participants will work together with the trainers to understand remediation options, evaluate them and improve upon them. These controls are inspired by industry best practice standards and by the trainers’ extensive experience from pen-testing and research. 

Tutorial outline

  • Attack surface
      • Hardware
          • Physical external ports (e.g. USB, Ethernet)
          • External wireless interaction (NFC, Bluetooth)
          • Test points and interfaces
      • Software
          • Web Interface
          • Authentication/Authorisation
          • Network Services
          • Transport Encryption
          • Privacy
          • Cloud Interfaces
          • Mobile Interfaces
          • Firmware
          • Update mechanism

Methodology for assessing devices

  • Tools
  • Components identification
  • Retrieve data on components
  • Possible test points identification
  • Hardware attack surface mapping
  • Firmware acquisition
  • Firmware analysis
  • Network interception
  • Protocol testing
  • Embedded services testing

Hands-on labs

All labs will be performed live, on a handful of vulnerable devices.

  • Lab 1: Parts identification. The participants will be given a few naked PCBs and will use several of the techniques discussed above to map the hardware on them, including but not limited to UART interfaces, JTAG and existing exploits on the chipset firmware.
  • Lab 2: Firmware analysis. The participants will be given a firmware image extracted from one of the devices and will attempt to extract sensitive data, reverse engineer binaries, enable extra functionality and add a backdoor to the running image.
  • Lab 3: Application layer testing. The participants will choose a vulnerable binary from Lab 2, reverse engineer it and write an exploit for the chosen device.