-
IoT (Internet of Things)
- Sensing Technology - Sensors embedded in the devices
- IoT Gateways - are used to bridge the gap between an IoT device (internal network) and the end-user (external network)
- Cloud Server/Data Storage
- Remote Control using Mobile App
-
architecture (from top to bottom)
- application layer - Delivery of various applications to different users in IoT
- middleware layer - Device management and information management
- internet layer - Connection between endpoints
- access gateway layer - Protocol translation and messaging
- edge technology layer - Sensors, devices, machines, and intelligent edge nodes of various types
-
technolgies and protocols
- Short-range Wireless Communication
- Medium-range Wireless Communication
- Long-range Wireless Communication
- Wired communication
- IoT OSs (Windows 10 IoT, Amazon FreeRTOS, Contiki, Fuchsia, RIOT, Ubuntu Core, ARM embed OS, Zephyr)
- IoT application protocols (CoAP, Edge, LWM2M, Physical Web, XMPP, Mihini/M3DA)
-
IoT communication models
- Device-To-Device
- Device-To-Cloud
- Device-To-Gateway
- Back-end data sharing
-
IoT challenges
- there are one big problems with IoT: they are vulnerable because they are difficult to update
-
OWASP IoT Attack Surface Areas
-
OWASP IoT Vulnerabilities
-
IoT threads
-
attacks:
- DDoS attack
- Exploit HVAC (Heating Ventilation and Air Conditioning)
- shodan for vulnerable ICS (industrial control system)
- access to ICS system
- access to HVAC through ICS
- controls of temperature from HVAC
- Best methods to reduce the risk of ICS compromise
- Segmentation - segmenting the devices off the main portion of the network, we can also better protect them
- Disable unused services
- Rolling code (or hopping code) - code that locks or unlocks a vehicle or garag. Attacker uses a jammer to obtain the code
- blueborne attack - take full control of the target device using bluetooth
- jamming attack - the communications between wireless IoT devices are jammed
- Hacking Smart Grid/Industrial Devices: Remote Access using Backdoor
- SDR-Based Attacks (Software Defined Radio)
- send message to connected IoT devices
- types:
- replay attack
- cryptoanalysis attack
- reconnaissance attack
-
fault injection attacks
- Optical, Electro Magnetic Fault Injection (EMFI), Body Bias Injection (BBI)
- Frequency/Voltage Tampering
- Power/Clock/Reset Glitching - these types of attacks occur when faults or glitches are injected into the power supply that can be used for remote execution, also causing the skipping of key instructions. Faults can also be injected into the clock network used for delivering a synchronized Signal across the chip.
- Temperature Attacks
-
Dyn attack
-
IoT Hacking methodology
- information gathering
- vuln scanning
- launch attacks
- gain remote access
- mantain access
-
firmware analysis and reverse engineering
- identify passwords
- API tokens
- endpoint
-
OT (Operation Technology)
- detect or causes changes in industrial operations
- ICS
- SCADA (Supervisory Control and Data Acquisition)
- one of the examples of malware of OT was
Stuxnet
-
OT security: many ICS and SCADA vendors are slow to implement security measures since they cannot be easily retrofitted with the newer security required
-
OT main vulnerabilities
-
OS Hacking methodology (same as IoT)
- information gathering
- vuln scanning
- launch attacks
- gain remote access
- mantain access
-
identify OT devices through Shodan
- search modbus enabled ICS/SCADA on port 502
- search SCADA system using PLC name "Schneider Electric"
- search for SCADA system using geoloc: SCADA Country "US"
-
it is possible to use Nessus to find vulnerability
-
using wireshark it is possible to analyze Modbus/TCP traffic
-
metasploit
scanner/scada/modbus... -
Improve security and reliability
- Flowmon - empowers manufacturers and utility companies to ensure the reliability of their industrial networks to avoid downtime and disruption of service continuity
- Zigbee - a short-range communication protocol based on the IEEE 203.15.4 standard. Zig-Bee is used in devices that transfer data infrequently at a low rate in a restricted area and within a range of 10-100 m.
- shodan
- nessus
- wireshark
- metasploit