IoT HACKING - 101
Arun Magesh (@marunmagesh)
Mounish Periasamy
© Attify, Inc.| www.offensiveiotexploitation.com | [email protected]

Goal of the course
• Learn more about IoT security and internals
• Understand tools and techniques to exploit IoT devices
• Get skills to perform
  • Embedded reverse engineering
  • Firmware and binary analysis
  • Conventional attack vectors
• Comprises both demos and hands-on exercises

Working in groups
• We will be working in groups for most of the lab exercises
• Get to know your partner well
• You are highly encouraged to exchange ideas during class and come up with solutions to the challenges

What are we going to cover
• Understanding IoT devices from a pentester's perspective
• Firmware reverse engineering
• Firmware-based exploitation
• Hacking a smart switch
• A few demos (if we have time)

Thought Exercise
Imagine you have a refrigerator connected to the Internet. It tells you when you are low on food and sends you pictures nightly.
• What kinds of data are being collected?
• Where does your data travel?
• How many different organizations could see your data?

Thought Exercise – 2
• What are some security and privacy risks to you as a user?

What is IoT
• Internet of Things or Smart Devices
• Physical objects interacting with the outside world
• Used for user convenience, and for automation, monitoring, and data collection purposes
• Thermostats, smart plugs, TVs, ICS, cars, refrigerators, kettles, egg trays, toys, etc.

Offensive IoT Exploitation
Current State of IoT security

IoT platforms
• AWS IoT
• ARM mbed
• Ioteclipse.org
• IBM Bluemix, etc.
• Whatever the platform, the vulnerabilities will be quite similar and the pentesting approach won't change

IoT Landscape