SESSION ID: MBS2-W02
Building a Comprehensive IoT Security Testing Methodology
Deral Heiland
IoT Research Lead
Rapid7
deral_heiland@rapid7.com
@percent_x
#RSAC

The Ecosystem of an IoT Product

What is the Internet of Things (IoT)

IoT Ecosystem
• Embedded Hardware
• Management & Control Application
• Cloud Service APIs and Storage

IoT Ecosystem
• Understanding the holistic structure
• Help with threat modeling
• Understand related security impact
• Facilitate security testing

IoT Security Testing Methodology Structure

Security Testing Methodology Structure
• 4 key phases
  – Functional
  – Reconnaissance
  – Testing
  – Analysis
• All components of the ecosystem
• Focused team

Security Testing Methodology Structure
[Diagram of the four phases: Functional Evaluation, Reconnaissance, Testing, Analyzing]

Functional Evaluation Phase

Functional Evaluation
• Standard setup & deployment
• Goal: Understanding IoT product
  – Map out
    • Feature
    • Functions
    • Components
    • Communication paths

Reconnaissance Phase

Reconnaissance
• Open Source Intelligence
  – FCC ID
  – User Manuals
  – Electronic component datasheets
  – Product history
  – CVEs
  – Electronic component vulnerabilities
• Vendor supplied data

Testing Phase

Cloud & Web API Testing
• Vulnerability testing
  – OWASP top 10
  – Injection attacks
  – Business logic attacks
• Functional validation
  – Encryption
  – Authentication
  – Session management
• Ecosystem impact

Management & Control Application Testing
• Vulnerability
• Encryption
• Authentication
• Data management
• Ecosystem impact

Network Testing
• Vulnerabilities
• Exposed services
• Encryption
• Ecosystem impact

Embedded Hardware Testing
• Chip sets
• Physical ports
• Debugger access
• Access Security
• Memory extraction
• Side Channel attacks
• Inter Chip communication
• Ecosystem impact

Firmware Analysis Testing
• Hardcoded default passwords
• Encryption keys
• Undocumented commands
• Hardcoded IP addresses of interest
• Hardcoded URLs of interest
• Ecosystem impact

Radio (RF) Testing
• Protocol versions
• Encryption
• Pairing processes
• Access control
• Replay attacks
• Ecosystem impact

Analysis Phase
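
An added example, not from the slides or from Rapid7: a first-pass triage script for the Firmware Analysis Testing checklist above, flagging hardcoded URLs, IP addresses, key material and credentials in an extracted image. The regexes, the `triage` function name and the sample blob are assumptions constructed for illustration.

```python
import ipaddress
import re

# Printable ASCII runs of 6+ bytes, the same idea as the `strings` utility.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# Heuristics assumed for this example; passwd_entry skips x/*/! placeholder hashes.
PATTERNS = {
    "url": re.compile(r"\b(?:https?|ftp|mqtts?)://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "key_material": re.compile(r"-----BEGIN [A-Z0-9 ]*(?:PRIVATE KEY|CERTIFICATE)-----"),
    "credential": re.compile(r"(?:passw(?:or)?d|secret|api[_-]?key)\s*[=:]\s*\S+", re.I),
    "passwd_entry": re.compile(r"^[a-z_][a-z0-9_-]*:(?![x*!]+:)[^:\s]+:\d+:"),
}


def _valid_ipv4(candidate):
    """Reject dotted quads such as version strings with octets above 255."""
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return False
    return True


def triage(blob):
    """Return {category: [(byte_offset, matched_text), ...]} for a firmware image."""
    findings = {name: [] for name in PATTERNS}
    for run in PRINTABLE.finditer(blob):
        text = run.group().decode("ascii")
        for name, pattern in PATTERNS.items():
            for hit in pattern.finditer(text):
                if name == "ipv4" and not _valid_ipv4(hit.group()):
                    continue
                findings[name].append((run.start() + hit.start(), hit.group()))
    return findings


# Constructed sample standing in for an extracted firmware blob (no real device data).
SAMPLE = (
    b"\x7fELF\x01\x01\x00" + b"\x00" * 9
    + b"root:$1$CONSTRCT$notARealHashValue0000:0:0:root:/root:/bin/sh\n"
    + b"update_url=https://fw.example.invalid/v2/check\x00"
    + b"ntp fallback 203.0.113.10\x00kernel 4.19.300.12\x00"
    + b"admin_password=changeme123\x00-----BEGIN RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        print(category, hits)
```

Hits are leads for manual review, not findings: a version string that happens to be a valid dotted quad will still be reported as `ipv4`.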

PDF document: 2020_USA20_MBS2-W02_01_Building a Comprehensive IoT Security Testing Methodology
