How to securely build your own IoT enabling embedded systems: from design to execution and assessment

Presented at BSidesLV 2016, Aug. 2, 2016, 2 p.m. (240 minutes).

ABSTRACT: The Internet of Things (IoT) is the next Internet revolution that aims at interconnecting devices that we use on a daily basis, such as household appliances, wearables, cars, cameras, and sensors. Enabling the IoT can be done by introducing new smart devices, or by equipping legacy devices with sensors to give them smart capabilities. But how secure are these IoT appliances? And why limit yourself to commercial off-the-shelf devices if you can design and build them yourself?

Our workshop will (1) guide all participants through all steps that are required to build their own Internet of Things enabling embedded systems and (2) give an introduction to assessing the security of embedded systems and exploiting their vulnerabilities. Our very practically oriented workshop will consist of a presentation that briefly explains all required steps to build and assess the security of embedded systems, and a guided hands-on lab session in which all participants will actually program and exploit their own basic, but smart, temperature sensor.

The presentation will provide the participants with all the means to design their own IoT-enabling embedded systems and will focus on how to transfer ideas into real plans and designs. We will elaborate on how to gather information on the required electronics, where to buy them, and how to use their datasheets, and we will even teach the audience how they can design, print and test their ideas on self-designed PCBs. Topped off with some of our lessons learned and practical tips ‘n tricks, the main presentation will provide the audience with everything they need to know to start building.

The guided and hands-on lab session will take everything a step further. We will provide the participants with an already assembled version of the smart temperature sensor we have designed during the presentation, and we will go into writing and flashing our own bare-metal ARM firmware. After we have all successfully created our first embedded system, we will move towards a basic firmware analysis and exploitation session by flashing our temperature sensor board with custom-made, but vulnerable, firmware. This will allow us to assess our embedded system by reverse engineering the firmware with Radare and gdb and exploit it using basic shellcode.

WORKSHOP REQUIREMENTS: Please bring the following hardware to the workshop:

  • Laptop capable of booting from USB (preferred!) or running virtual machines (e.g. via VirtualBox)
  • 2 mini USB cables
  • 2 available USB ports
  • If possible: USB-to-serial adapter (e.g. http://ebay.to/2a595mP or http://bit.ly/2a1fUY4) (we will bring our personal stock to provide adapters for 25 participants, so bring yours if you have one yourself)

If you are unable to bring 2 USB cables and/or a USB-to-serial adapter, there will be a possibility to borrow one from our personal stock (a small security deposit of 10 USD might be asked). We only have USB cables/USB-to-serial adapters for 25 participants, so please bring yours if you have one.

Vulnerable temperature board

The hands-on workshop requires, next to what is listed above, a smart, but vulnerable, temperature sensor board. As these are custom built (based on an ARM development board (http://bit.ly/29StwW0) and our own PCB+components), we will provide them for you. Again, a small security deposit of 40 USD will be asked at the start of the workshop (so make sure you have some cash). This also gives you the possibility to keep/buy the development and victim boards for 40 USD after the workshop. As we only have 40 of them, the hands-on part of this workshop will be limited to 40 participants (first come, first served).

Presenters:

  • Vito Rallo
  • Jean-Georges Valle
  • Jens Devloo - Senior Technology Consultant - PwC
    Jens has been a Technology Consultant within the Advisory service line of PwC since September 2014. At PwC, Jens is involved in a wide variety of more technical assignments with a focus on IoT and mobile. In every project, Jens is dedicated to reaching the same goal: to help the client reach its objectives using new, emerging technologies (e.g. wireless communication networks, mobile applications, cloud solutions, etc.). Prior to joining PwC, Jens obtained a degree in Civil Engineering with a Master in Information and Communications Technology at Ghent University and developed his social and management skills as a group leader at Chiro Lichtervelde. In his spare time, Jens spends a lot of time volunteering. Next to his involvement in a non-profit organisation that raises funds for the local youth movement, he is also a member of the regional department that educates and brings multiple local Chiro units together. As Jens is fully convinced that learning to develop and code has to be a fun, sociable and awesome experience, he regularly organises coding clubs for young people between 5 and 17!
