beta

SEC556: IoT Penetration Testing

  • In Person (3 days)
  • Online
18 CPEs

SEC556 is designed to help you build the vital skills needed to identify, assess, and exploit basic and complex security mechanisms in IoT devices. From firmware and network protocol analysis to hardware implementation issues and all the way to application flaws, this course facilitates examining the entire IoT ecosystem, giving you the tools and hands-on techniques to evaluate the ever-expanding IoT attack surface.

What You Will Learn

A growing trend in recent years has seen small-form factor computing devices increasingly accessing networks to provide connectivity to what typically used to be disconnected devices. While we can debate if your home appliances truly need Internet access, there is no debate that the Internet of Things (IoT) is here to stay. It allows for deeper connectivity of many devices that are indeed useful, with great benefits to homes and enterprises alike.

Unfortunately, with this proliferation of connected technology, many of these devices do not consider or only minimally consider security in the design process. While we have seen this behavior in other types of testing as well, IoT is different because it utilizes and mixes together many different technology stacks such as custom Operating System builds, web and API interfaces, various networking protocols (e.g., Zigbee, LoRA, Bluetooth/BLE, WiFi), and proprietary wireless. This wide range of diverse, poorly secured technology makes for a desirable pivot point into networks, opportunities for modification of user data, network traffic manipulation, and more.

SEC556 will familiarize you with common interfaces in IoT devices and recommend a process along with the Internet of Things Attack (IoTA) testing framework to evaluate these devices within many layers of the Open Systems Interconnection (OSI) model. From firmware and network protocol analysis to hardware implementation issues and all the way to application flaws, we will give you the tools and hands-on techniques to evaluate the ever-expanding range of IoT devices. The course approach facilitates examining the IoT ecosystem across many different verticals, from automotive technology to healthcare, manufacturing, and industrial control systems. In all cases, the methodology is the same but the risk model is different.

Once weve been empowered to understand each individual challenge, we can understand the need for more secure development and implementation practices with IoT devices.

You will be able to:

  • Assess IoT network-facing controls, web applications, and API endpoints with an IoT focus
  • Examine hardware to discover functionality and find interaction points and use them to obtain data from the hardware
  • Uncover firmware from hardware and other means, and explore it for secrets and implementation failures
  • Sniff, interact with, and manipulate WiFi, LoRA, and Zigbee wireless technologies and understand security failures in implementation
  • Interact with Bluetooth Low Energy (BLE) for device manipulation
  • Automate recovery of unknown radio protocols to perform replay attacks and additional analysis

You will receive with this course:

  • BusPirate 3.6a and cable
  • SPI Flash integrated circuit
  • Solderless breadboard
  • HackRF One with antenna
  • HackRF ANT500 antenna
  • USB Logic analyzer
  • Dupont wires
  • RaspberryPi 4 8G Vilros Kit (32 Gig SD card) (Note: this comes with a U.S. plug, so international students will need to bring an adapter)
  • USB wireless adapter
  • TP-Link Bluetooth Low Energy USB adapter
  • 433Mhz IoT remote-controlled outlet (110/120V only, EU and APAC students will need to bring a voltage converter)
  • A pair of CC2531 custom-flashed USB Zigbee adapters
  • USB 3.0 4-port hub
  • Ethernet cable
  • Custom Slingshot Linux Virtual Machine
  • Custom Raspberry Pi image (PIoT.01)

Syllabus (18 CPEs)

  • Overview

    This course section introduces the overall problem with IoT security and examines how testing can address the problem in largely generic terms, given the multitude of IoT implementations. The first technical concepts include network recon and attacks as well as key web application issues often found with IoT devices, such as authentication bypass, RFI, and command injection. Additionally, we will examine API requests from mobile apps to back-end services and the devices themselves, then use the tools testers need to inspect and exploit network and web-based IoT.

    Exercises
    • Lab 1.1: Wireshark filters and PCAP inspection
    • Lab 1.2: Nmap scan of an IoT device and exploitation with Metasploit
    • Lab 1.3, Part 1: Burp Suite interception on IoT web portal for exposed secrets
    • Lab 1.3, Part 2: Using Postman to send password data to an IoT API
    • Lab 1.4, Part 1: Exploiting an IoT portal for consumer-grade devices
    • Lab 1.4, Part 2: Injecting commands into vulnerable IoT web services
    Topics

    Course introduction

    Course methodology for testing IoT: Modified IoTA

    Tooling for IoTA: Introducing hardware tools

    Network discovery and recon

    Active network discovery

    Network exploitation for IoT

    Web services in IoT

    Web and API recon and discovery

    Tools for web services

    Web service attack types and exploitation

  • Overview

    This section will introduce key concepts to perform recon against various hardware devices for destructive and semi-destructive testing for hardware, as well as hardware identification, communication, and exploitation using various hardware tools. We will also examine ways to recover device operating systems (firmware) and analyze them to recover stored secrets and various implementation flaws.

    Exercises
    • Lab 2.1: Obtaining and analyzing Specification Sheets
    • Lab 2.2: Sniffing serial and SPI
    • Lab 2.3: Recovering firmware from PCAP
    • Lab 2.4: Recovering filesystems with binwalk
    • Lab 2.5: Pillaging the filesystem
    Topics
    • Background and importance of IoT hardware
    • Opening the device
    • Examining and identifying components
    • Discovering and identifying ports
    • A soldering primer
    • Sniffing, interaction, and exploitation of hardware ports: Serial, SPI, JTAG
    • Recovering firmware
    • Firmware analysis
    • Pillaging the firmware
  • Overview

    This course section focuses on the more popular and developing, documented, and standardized wireless technologies often found in IoT technology. The concepts introduced include capturing traffic, gaining access to networks and encrypted data, and interacting with and compromising IoT devices and their functions. The section will introduce the concepts to analyze and exploit non-standard and proprietary RF communications often found in IoT devices

    Exercises
    • Lab 3.1: WiFi PSK cracking
    • Lab 3.2: BLE device interaction
    • Lab 3.3: Zigbee traffic capture
    • Lab 3.4: Conducting a replay transmission attack on IoT
    Topics
    • Wi-Fi
    • Bluetooth Low Energy
    • Zigbee
    • LoRA
    • SDR

Prerequisites

Attendees are expected to have a working knowledge of TCP/IP and web technologies and a basic knowledge of the Linux command lines before they come to class. While SEC556 is technically in-depth, it is important to note that programming knowledge is NOT required for the course.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. These requirements are the mandatory minimums. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. We strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements

CPU: 64-bit Intel i5/i7 2.0+ GHz processor

Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

IMPORTANT NOTE: You may be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

VMWare

You will use VMware to run a custom Slingshot Linux VM when performing exercises in the course. The VM comes with all the tools you will need to complete the lab exercises.

We will provide a USB/ISO with backup copies of the Raspberry Pi image and Linux image with all of our tools pre-installed that run within VMware.

Windows and Native Linux Users: You must have either the free VMware Workstation Player 16 or later or the commercial VMware Workstation 16 or later installed on your system prior to coming to class.

Mac users: You will need VMware Fusion 12 or later or the free VMware Fusion Player 12 or later installed on your Mac prior to class.

Virtualbox, Hyper-V, and other virtualization products are not appropriate because of compatibility and troubleshooting problems you might encounter during class. While these may work in the course, they are not officially supported. If you choose to use this software you will be responsible for configuring the virtual machines to work for the exercises. Also, installation of both VMware and Virtualbox can sometimes cause network issues. We recommend only installing one virtualization technology.

BIOS: Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.

USB: At least one available USB 3.0 Type-A port is required for copying the large data files from the USB 3.0 drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.

RAM: 8 GB RAM minimum with 16 GB or higher recommended

8 GB RAM minimum is required for the best experience, but additional RAM will improve overall system performance while running the class VM.

Hard Drive Free Space: 60 GB of FREE space on the hard drive is critical to host the VM and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network Wireless Connection: A wireless 802.11 B, G, N, or AC network adapter is required.

A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

Network Ethernet Connection: Integrated or external Ethernet adapter is required.

A wired ethernet network adapter is required. This can be the internal Ethernet adapter in your system or an external USB Ethernet adapter.

Additional Software Requirements

Credential Guard

If your host computer is running Windows, Credential Guard may interfere with the ability to run VMs. It is important that you start up VMWare prior to class and confirm that virtual machines can run. It is required that Credential Guard be turned off prior to coming to class.

System Configuration Settings

Local Admin: Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.

Disable VPN: Enterprise VPN clients may interfere with the network configuration required to participate in the class. To avoid any frustration in class, uninstall or disable your enterprise VPN client for the duration of the class. If you keep it installed, make sure that you have the access to disable or uninstall it during the class.

Disable Anti-Virus: You will be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Disable Firewall: You must have the ability to disable the host firewall (OS-based or other third-party firewall)

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

"It has been amazing to watch the progression and widespread adoption of what we now know as the Internet of Things in both our homes and enterprises  whether you realize it or not! However, while IoT-enabled technologies have arguably made our lives better by improving conveniences and our ability to obtain more accurate data about our environment, we unknowingly increase our attack surface through their use."

"In other words, the benefits often come at a cost, in many cases because of lackluster development practices by many IoT manufacturers that fail to consider the entirety of the attack surface of their device ecosystem. This failure is largely seen as financial; baking security in from the start is an expense that reduces the already low profit margins on IoT devices. Delays from adopting enhanced security measures can prevent a timely push to market, further compounding profit-per-device issues."

"With the increased adoption of IoT, attackers have also focused their efforts on IoT platforms. Techniques and tool capabilities have become exponentially more sophisticated, and they are often used for good to unlock additional features and capabilities. However, less-ethical attackers have gained the same sophistication with their toolsets, giving them the upper hand in exploiting the technology we rely on for critical tasks. The IoT adoption rate, in combination with the sophistication of attackers, paints a grave picture for the future of IoT and the networks IoT devices are connected to unless we begin now to improve the security of all facets of the IoT ecosystem."

"We are very excited to deliver interactive, hands-on labs and a suite of hardware and software tools to equip IoT analysts and developers with practical skills, methodologies, and thought processes that they can bring back to their organizations and apply on day one. The skills you will build in this class will be valuable for today's IoT technology and serve as a foundation for tomorrow's advancements, regardless of your vertical, application, or data." - Larry Pesce, James Leyte-Vidal, and Steven Walbroehl

Register for SEC556

  • In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

Learn more
  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Learn more
  • OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

Learn more

Loading...