Practical Exploitation of IoT Networks and Ecosystems

Deep Armor is offering a hands-on training for pentesting and hardening Internet of Things (IoT) ecosystems, with special focus on popular communication protocols such as Zigbee, Bluetooth & BLE, as well as Device - Mobile - Cloud security topics. Students will learn to use specialized low-cost hardware (supplied to each student for the duration of the training) & software tools to perform live packet capture, manipulation and injection in wireless sensor networks and Bluetooth/BLE channels.

Students will learn about weaknesses in consumer IoT devices (wearables) paired with mobile ecosystems (Android & iOS) — how information theft is scarily easy, and what steps can be taken to harden these designs. Cloud is an essential part of IoT, and our course includes a case study of AWS IoT Core — how to securely deploy virtual “Things”, configure the rules, accesses and communication parameters. We conclude with defensive security best practices and next generation SDLC for the products of tomorrow.

The Internet of Things (IoT) market today is defined by product manufacturers pushing a broad spectrum of computing devices out to the hands of consumers at an ever-increasing pace, and connecting them to the Internet. They are in a rush to hit the market shelves before their competitors and they often marginalize security, citing irrelevance and no return on investment. Consumers rarely prioritize security over cost, and this this often incentivizes vendors to ignore security.

An IoT product has no predefined form factor. It may be a smart fridge, a pacemaker, or a traffic light in a smart city. Makers of these classes of devices are often small/medium sized businesses who look for standards and reusable code for communication protocols, software stacks and libraries. But standards are few and are rarely one-size-fits-all in this space.

Most IoT architectures can broadly be broken up into three logical modules – the form factor device, mobile applications and cloud services. These three modules may usually be broken up into sub-modules that each have their own computing stack and communicate with each other, as well as the other components through a plethora of communication protocols.

Dozens of protocols and standards exist for IoT-class products. This situation poses a significant challenge for security teams tasked with ensuring that no design and implementation level weaknesses exist in such communication channels. Among the IoT hardware form factor devices, low power protocols such as ZigBee, 6LoWPAN, Z-Wave, Bluetooth, BLE, etc. are popular. Device manufacturers also frequently customize the base IEEE 802.15.4 specifications (ZigBee, for example, is built on top of this) to architect their own Wireless Sensor Networks (WSN) for communication between the IoT gateways and node devices. Such WSNs are popular in Industrial IoT (IIoT) products.

On the consumer IoT front (wearables, home gateways, etc.), Bluetooth and Bluetooth Low Energy (BLE) have been in use for years. While the Bluetooth specifications have gone through several revisions and have included security as part of the protocol, vendors often turn to minimal (or no) security for Bluetooth and BLE channels. Any kind of cryptographic operation on such small form factor devices, which are often powered by low performance micro-controllers running on low power batteries, can be very expensive.

Deep Armor offers a new, hands-on class on practical exploitation of IoT systems. Our program spans across the entire ecosystem — covering security for the hardware form factors, mobile/cloud components and communication protocols. We have four primary sections in our program.

1. Attacking and Hardening a Zigbee-class IoT Network

Design a simple Zigbee-style (IEEE 802.15.4) Wireless Sensor Network (WSN) using low-cost market hardware and open source software. Learn to perform packet sniffing and rogue packet injection in that WSN to break the simple security measures that have been designed into such products. We also teach the students how to redesign the system so that re-injection of the same malware packets is no longer successful. We supply a USB dongle (market-available, with custom firmware) to each student for the duration of the training, and teach them to use the hardware along with several open source software to perform network attacks by themselves.

2. Practical Exploitation of Bluetooth - Mobile Channels, and BLE Security

Understanding Bluetooth and Bluetooth Low Energy (BLE) security models, and using open source software along with our custom ‘pcap’ files to hunt for user-sensitive information and Personally Identifiable Information (PII), and crack simple BLE encryption. Students will also learn about the weaknesses in consumer IoT devices (wearables) paired with mobile ecosystems (Android & iOS) — how information theft is scarily easy, and what steps can be taken to harden these designs. We will use readily-available market hardware and a simple malware application (developed by us) to steal users’ personal and personally identifiable information from fitness trackers. Hands-on packet capture analysis, in-depth code and log walkthroughs are planned for this activity.

3. Next-generation cloud solutions for IoT products

Case study of AWS IoT Core. Students will create their own free AWS accounts, setup IoT Core services, deploy virtual “Things”, securely configure the rules, accesses and communication parameters, and test their own deployments. This section of the training touches upon the “Device - Cloud” interactions and the role of security in them.

4. Secure by Design

This is a rather messy topic in the IoT security. We will discuss the root-causes and origins of the vulnerabilities like the ones demonstrated and practiced by the students, how we can reduce the occurrences of such issues, and build secure solutions. We discuss why and how the traditional security development life cycle (SDLC) models should evolve to be relevant and useful for the products of tomorrow. We propose a high-level model for performing SDLC, taking into consideration Agile development models, Continuous Integration and Continuous Delivery (CI/CD).

Prerequisites

  • Ability to understand and run simple commands on a Linux terminal;
  • Basic programming skills (python is preferred, but familiarity with any programming language is sufficient to execute the tasks);
  • Basic understanding of Android application model and logs;
  • Familiarity with Wireshark;
  • Basics of cryptography;
  • Understanding of common network protocols and web applications.

Requirements

  • A laptop running Kali Linux - Natively running Kali is strongly preferred. Kali Live on USB with Persistence also works when configured for USB passthrough;
  • At least 8 GB RAM on the laptop;
  • Laptops should be capable of plugging in two USB 2.0 devices (you should bring your own adapters, if required)
;
  • Internet access is necessary, so students need to bring their own Wireless network adapters, if required;
  • Trainers will share the list of open source software to be installed prior to the training date.

About the Speakers