Exploring Risk and Mapping the Internet of Things with Autonomous Drones

THE SECURITY EXPERTS WWW.PRAETORIAN.COM

1

PAUL JAUREGUI VP, SECURING IOT @ PRAETORIAN

RICHARD MCPHERSON PHD CANDIDATE, INTERN, PRAETORIAN (2015)

NISHIL SHAH UT GRADUATE, INTERN, PRAETORIAN (2015)

DALLAS KAMAN SENIOR SECURITY ENGINEER, PRAETORIAN

Internet of Things Map Project Team | Summer 2015 and beyond

https://www.praetorian.com


2 Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation


http://dronesense.com


7

RESEARCH MEDIA AWARENESS



Capture Device (v1.0) Specifications and Requirements

8

ZIGBEE RADIOS Atmel RZUSBstick (x8)

Flashed custom firmware

GPS MODULE Adafruit GPS HAT

for Raspberry Pi

RASPBERRY PI Model B+ 512MB RAM

Raspbian OS

‣ Autonomous operation

‣ Hand-held size

‣ Under 250 grams

‣ Battery powered (Drone’s)

‣ Discover all Zigbee devices within 150-feet across all 16 channels in under 10-seconds while traveling 10-20mph



Extending Killerbee 802.15.4 Network Attacking Framework

9

11 12 13 14 15 16 18 19 20 21 22 23 24 25 26

2400MHz 2483MHz2.4GHz Zigbee Channels

PROCESS 1

PROCESS 2

PROCESS 3

17

‣ Extended Killerbee zbwardrive utility

‣ Added new Python multiprocessing

‣ All Zigbee radios cycle through channels simultaneously

‣ Channels record for a set amount of time

DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE


https://github.com/riverloopsec/killerbee



10

11 12 13 14 15 16 18 19 20 21 22 23 24 25 26


PROCESS 1

PROCESS 2

PROCESS 3

17






Step 1: All connected Zigbee radios send beacon request on assigned to channel





11

11 12 13 14 15 16 18 19 20 21 22 23 24 25 26


PROCESS 1

PROCESS 2

PROCESS 3

17

Found Something! ** Listen for 10 sec **










12

11 12 13 14 15 16 18 19 20 21 22 23 24 25 26


PROCESS 1

PROCESS 2

PROCESS 3

17

Found Something! ** Listen for 10 sec **









Post-processing Engine: Fingerprinting Methodology

13

4. | Analyze Zigbee Traffic and Fingerprint Devices with Company MAC address

Philips Hue Smart Lighting Network Identified

TCP/Greenwave Lighting Network Identified



14

praetorian.com/iotmap


http://praetorian.com/iotmap


15





16





Mesh Network

Basic Smart Lighting Architecture / Attack Surface

17

CLOUD SERVICES

Internet WiFi Router Lighting Gateway Remote

INTERNAL NETWORKEXTERNAL

WiFiCellular

Mobile appsSensor

6LoWPANZ-waveandmore



Mesh Network

Basic Smart Lighting Architecture / Attack Surface

18

CLOUD SERVICES

Internet WiFi Router Remote

INTERNAL NETWORKEXTERNAL

WiFiCellular

Mobile appsSensor

6LoWPANZ-waveandmore

Lighting Gateway



Embedded Device Hacking with Physical Access

19

TX RX Ground UARTPort

Gained persistent root access to device via SSH server, which runs on boot up

‣ Connected test points on board to UART adapter for “Kernel Init Hijacking”

‣ “Kernel Init Hijacking” allows temporary Root access to TCP Hub file system by tampering with the boot sequence and injecting commands

‣ Access used to retrieve root SSH password, which was “thinkgreen” and shared by all TCP Gateways

‣ Potential to also remotely install malicious software that turns the hub into a proxy to the network, could sniff/exfiltrate data, or launch attacks on other systems

INDEPENDENT RESEARCH



Embedded Device Hacking with Physical Access

20

In January 2015, Greenwave forced a firmware update that fixed these issues

✓ Removed local web control interface that lacked authentication by closing port 80

✓ Opened a secure HTTPS (port 443) service with currently unknown functionality

✓ Close the SSH (port 22) service to remove persistent Root access to hub via SSH credentials share by all devices

✓ UART pins may have been silenced, and boot delay may have been set to zero (no more “kernel init hijacking”)UARTPinsSilenced




Common Security Challenges in Product Development Lifecycle

21

ResearchTime to market pressures

TestingSecurity is often left

as an afterthought

SupportOngoing security support

and maintenance

Launch

Develop General lack of security consciousness

Insufficient security testing prior to launch



Internet of Things (IoT) — End-to-end Security Considerations

22

EMBEDDED DEVICES Physical and logical threats to embedded systems

DEVICE FIRMWARE Device firmware and update distribution process

WIRELESS PROTOCOLS Local wireless communication protocols (M2M)

APPLICATIONS Web applications, mobile apps, 3rd-party integrations

CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services

INFRASTRUCTURE Back-end systems, networks, servers, and data

INTERNET OF THINGS END-TO-END SECURITY




23







TX RX Ground UARTPort INDEPENDENT RESEARCH




24







CVE-2015-6949 - October 2015

Praetorian Security Researcher recognized by ASUS for responsible disclosure of a zero-day vulnerability affecting all ASUS router firmware

Zero-day Impact:Remote Code Execution (RCE)





25











26







CLOUD SERVICES

Internet WiFi Router

HOME LOCAL AREA NETWORKEXTERNAL

WiFiCellular

Mobile apps

IoT Device/Gateway

Sensors

Mesh Networks



Recommended Security Best Practices

27

ResearchTrain employees about security best practices

TestingConduct 3rd-party

security risk assessments

SupportMonitor product through

its life, patch known vulns

Launch

Develop Build security in from the start, don’t bolt it on

Test end-to-end security before product launch


NETWORK APPLICATION MOBILE CLOUD IOT

Internet of Things Map ProjectExploring Risk & Mapping the Internet of Things with Autonomous Drones

Exploring Risk and Mapping the Internet of Things with Autonomous Drones

Technology

Transcript of Exploring Risk and Mapping the Internet of Things with Autonomous Drones