October 28, 2016
IoT Security Testing Types
With the recent DNS denial-of-service attacks originating from compromised Internet of Things (IoT)/ Connected Devices, I thought it would make sense to break down all the various areas companies are struggling to keep these devices safe. The Internet of Things (IoT) can be defined as Cisco well states “a pervasive and ubiquitous network which enables monitoring and control of the physical environment by collecting, processing, and analyzing the data generated by sensors or smart objects.”
The problem with these devices is the perimeter of software and hardware realms that could be compromised. Security professionals working with product development can build better IoT ecosystems, but a full scope IOT security testing program encompasses MANY disciplines and volumes of knowledge – this is not something we can fix overnight. Here is a list of areas to consider when you are looking into IOT hardening.
- Code Security Assessment “Code Review”: Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment. Covers both Automated or Manuel Reviews
- Binary Testing: we create various ways to dynamically exploit the code on the phone like it would be in the real world
- Hardware Testing: Not knowing the application details can be frightening, encryption and protection are important, here we use hardware-based attacks such as power-timing or side-channel to compromise the application.
- Host Forensics: What does the application leave on the host that could make it vulnerable? Does any leftover data give attackers insight?
- iOS/Android Environment Assessment “APK”: Digital Rights Management, Content Protection
- Authentication/Authorization Review: How credentials are transmitted and stored. With authentication and authorization components, a trust relationship is established between IoT devices to exchange appropriate information.
- Vulnerability Assessment/ Penetration Testing: Process of identifying and quantifying security vulnerabilities in an environment then simulate the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization.
- Automated Fuzzing: Software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program.
- System Architecture Security Analysis: Early assessment for General Hardening will reduce tons of additional work in the development process.
- Cloud or Systems/Network Architecture Security Analysis: Does the application communicate with a back-end? If so, that should be in scope. We analyze the network traffic and how it relates between host and server, particularly with encryption, there are typically vulnerabilities.
- Backend Systems/Network: Traditional areas should not be forgotten.
- Protocol Analysis: BLE/ WiFi, 802.15.4/Zigbee, USB, and Ethernet.
- Database Security Review: Trust Modeling & Verification
- Key management systems (KMS) / Cryptanalysis “cryptography”: Addresses problems associated with the design and security analysis of network protocols that use cryptographic primitives. Examples: public-key protocol, TLS, probabilistic, computational soundness, polynomial-time process, game-based verification
- Malware Analysis: The number of malware threats targeting the segment is rising
- API Analysis: Application program interface (API) is a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact and APIs are used when programming graphical user interface (GUI) components.
- Configuration Assessment: Reducing configuration drift and unauthorized changes with static analysis/methodology.
- Security Documentation Review: A document that establishes standards for Information Security documentation – What risks were calculated and how to monitor/protect against.
The defenders have the difficult job to get it right every time, whereas the attackers/criminals only need to find one seemingly small weakness to bring the whole thing crashing down.
Regarding DNS attacks, the creator of DNS, Paul Mockapetris, said “DDoS threatens our values and freedoms, as well as our surfing”. Therefore, I believe security researchers, businesses, and government will learn from previous attacks and keep healing our system into a bigger, better, and stronger global network.
~Michael Goetzman “Korgo”