- Browser based: Phishing, Framing (using iFrame), Clickjacking, Man-in-the-Mobile, Buffer Overflow, Data Caching
- Phone/SMS based: Baseband Attack (GSM/3GPP vulnerability), SMiShing
- Application based: Sensitive Data Storage, No/Weak Encryption, Improper SSL Validation, Configuration Manipulation, Dynamic Runtime Injection, Unintended Permissions, Escalated Privileges
- OS based: No/Weak Passcode, iOS Jailbreaking, Android Rooting, OS Data Caching, Passwords and Data Accessible, Carrier-loaded Software, User-initiated Code
- Network based: Wi-Fi, Rogue AP, Packet Sniffing, MITM, Session Hijacking, DNS Poisoning, SSLStrip (MITM, SSL/TLS vulnerability), Fake SSL Certificates
- Web server based: Platform Vulnerabilities, Server Misconfiguration, XSS, CSRF, Weak Input Validation, Brute-Force
- Database based: SQL Injection, Privilege Escalation, Data Dumping, OS Command Execution
- M1 Improper Platform Usage: misuse of features or security controls (Android intents, TouchID, Keychain)
- M2 Insecure Data Storage: improperly stored data and data leakage
- M3 Insecure Communication: poor handshaking, incorrect SSL, clear-text communication
- M4 Insecure Authentication: authenticating end user or bad session management
- M5 Insufficient Cryptography: code that applies cryptography to an asset, but is insufficient (does NOT include SSL/TLS)
- M6 Insecure Authorization: failures in authorization (access rights)
- M7 Client Code Quality: catchall for code-level implementation problems
- M8 Code Tampering: binary patching, resource modification, dynamic memory modification
- M9 Reverse Engineering: reversing core binaries to find problems and exploits
- M10 Extraneous Functionality: catchall for backdoors that were inadvertently placed by coders
- Mobile Device Management (MDM)
- Helps enforce security policies and deploy enterprise apps to devices
- MDM solutions include IBM MaaS360 and XenMobile
- Bring Your Own Device (BYOD): risky for organizations because not every employee-owned phone can be locked down by default
- Ability to have root access on an Android device
- Tools: KingoRoot, TunesGo Root Android Tool
- Installing a modified set of kernel patches that allows users to run unsigned applications, bypassing the user limitations set by Apple
- Userland Exploit
- Using loophole in system app
- Allows user-level access but not iBoot-level access
- Firmware updates can patch it
- iBoot Exploit
- Using a loophole in iBoot (iDevice's third bootloader)
- Can be Semi-tethered
- Allowing user-level access and iboot-level access
- Firmware updates can patch it
- BootROM Exploit
- Using a loophole in SecureROM (iDevice's first bootloader)
- Allowing user-level access and iboot-level access
- Firmware updates can NOT patch it
- Only hardware update of bootrom by Apple can patch it
- Untethered: kernel remains patched after reboot, with or without a computer connection
- Semi-Tethered: patches are not retained after reboot, but the device is still usable as normal
- Tethered: all patches are removed after reboot, device may end up in a boot loop and must be re-jailbroken with a computer
- Tools
- Cydia: app for iOS to find and install software on a jailbroken iOS device
- Pangu Anzhuang: app-based jailbreak method, no PC required
- Keen Jailbreak: an unofficial semi-tethered tool
- App Store attacks: malicious apps placed in an app store that performs no vetting
- Android Device Administration API: allows developers to build security-aware apps that enforce device policies
- SMS Phishing (SMiShing)
- Sending text messages containing malicious links
- Users tend to trust text messages more because SMS phishing is less common than e-mail phishing
- Apps
- NetCut: blocks Wi-Fi access, works only on rooted devices
- zANTI: mobile penetration-testing toolkit
- Network Spoofer: changing websites from Android phone
- Low Orbit Ion Cannon (LOIC): performing DoS/DDoS attacks
- DroidSheep: performing session hijacking/sidejacking, using libpcap and arpspoof
- Orbot: Tor proxy for Android
- FaceNiff: sniffer
- Trojans
- BankBot/Spy.Banker.LA: Android Trojan, banking Trojan
- SpyDealer: Android Trojan, spying Trojan
- AceDeceiver Trojan: iOS Trojan, MITM
- Spy/MobileSpy!iPhoneOS: iOS Trojan
- ZitMo: Zeus-in-the-mobile, banking Trojan
- Mobile Spyware
- mSpy
- FlexiSPY
- Security Tools
- Find My Device/Phone: tracking tool
- Kaspersky Mobile Antivirus
- X-Ray: vulnerability scanner
- Avira Mobile Security
- Lookout Personal: identity protection, theft prevention
- Zimperium's zIPS: mobile intrusion prevention system app
- BullGuard Mobile Security: complete mobile phone antivirus
- Malwarebytes for Android: anti-spyware
- Pen Testing Tool: Hackode
- IoT is a collection of devices that use sensors, software, storage and electronics to collect, analyze, store and share data
- Application + Network + Mobile + Cloud = IoT
- Sensing Technology: sensors
- IoT gateways: used to bridge the gap between the IoT device and end user
- Cloud Server/Data Storage
- Remote Control using Mobile App
- Edge Technology Layer: consists of sensors, RFID tags, readers and the devices themselves
- Access Gateway Layer: first data handling, message identification and routing
- Internet Layer: crucial layer that serves as the main component enabling communication
- Middleware Layer: two-way mode, between application and hardware, handles data and device management, data analysis and aggregation
- Application Layer: responsible for delivery of services and data to users
- Short Range Wireless Communication: Bluetooth Low Energy (BLE), Light-Fidelity (Li-Fi), Near-field Communication (NFC), QR Codes and Barcodes, Radio Frequency Identification (RFID), Thread, Wi-Fi, Wi-Fi Direct, Z-Wave, ZigBee
- Medium Range Wireless Communication: HaLow, LTE-Advanced
- Long Range Wireless Communication: LPWAN, Very Small Aperture Terminal (VSAT), Cellular
- Wired Communication: Ethernet, Multimedia over Coax Alliance (MoCA), Power-line Communication (PLC)
- RIOT OS: embedded systems, actuator boards, sensors; is energy efficient
- ARM mbed OS: mostly used on wearables and other low-powered devices
- RealSense OS X: Intel's depth sensing version; mostly found in cameras and other sensors
- Nucleus RTOS: used in aerospace, medical and industrial applications
- Brillo: Android-based OS; generally found in thermostats
- Contiki: OS made for low-power devices; found mostly in street lighting and sound monitoring
- Zephyr: option for low-power devices and devices without many resources
- Ubuntu Core: used in robots and drones; known as "snappy"
- Integrity RTOS: found in aerospace, medical, defense, industrial and automotive sensors
- Apache Mynewt: used in devices using Bluetooth Low Energy Protocol
- Device to Device: communicates directly with other IoT devices
- Device to Cloud: communicates directly to a cloud service
- Device to Gateway: communicates with a gateway before sending to the cloud
- Back-End Data Sharing: like device to cloud, but adds the ability for third parties to collect and use the data
- Misconfigured and Misapprehended: posing unprecedented risk to personal data, privacy and safety
- Apprehended and Protected: boosting transmissions, communications, delivery of services and standard of living
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption/Integrity Verification
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security
- Exploiting HVAC: attacks on HVAC (Heating, Ventilation and Air Conditioning) systems
- Rolling Code Attack: jamming a key fob's transmission, capturing the code and then producing a subsequent valid code
- BlueBorne Attack: attack against Bluetooth devices that exploits vulnerabilities in the Bluetooth protocol
- Jamming Attack: flooding the signal between sender and receiver with malicious traffic so the two endpoints cannot communicate with each other
- Remote Access using Backdoor: exploiting vulnerabilities in IoT device to turn it into a backdoor and gain access to target network
- Remote Access using Telnet: exploiting an open telnet port to obtain information
- Sybil Attack: using multiple forged identities to create the illusion of traffic
- Replay Attack: intercepting legitimate messages from a valid communication and repeatedly sending the intercepted message to the target device to cause a DoS or crash the target device
- Forged Malicious Device: replacing authentic IoT devices with malicious ones, if they have physical access to the network
- Other attacks: Exploit Kits, DDoS Attack, MITM Attack, Side Channel Attack, Ransomware Attack
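The replay attack above is defeated on the receiving side when every frame carries a per-device counter and timestamp protected by a MAC, and the gateway drops anything stale, already seen or tampered. The following is an added example, not part of the original notes; the shared key, device name and timestamps are constructed.

```python
import hmac
import hashlib
import json

KEY = b"constructed-shared-key"   # device/gateway shared secret (constructed)
WINDOW_SECONDS = 30               # freshness window for the timestamp


def make_message(device_id, counter, payload, ts):
    """Device side: serialize the frame deterministically and MAC it."""
    body = json.dumps(
        {"dev": device_id, "ctr": counter, "ts": ts, "payload": payload},
        sort_keys=True,
    )
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


class ReplayGuard:
    """Gateway side: reject tampered, stale or repeated frames."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.last_counter = {}  # device_id -> highest counter accepted so far

    def accept(self, body, tag, now):
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad_mac"        # modified or forged frame
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"          # captured long ago, replayed later
        if msg["ctr"] <= self.last_counter.get(msg["dev"], -1):
            return False, "replay"         # fresh-looking but already seen
        self.last_counter[msg["dev"]] = msg["ctr"]
        return True, "ok"


def demo():
    """Constructed scenario: one legitimate frame, then three replays/tampers."""
    guard = ReplayGuard()
    t0 = 1_700_000_000
    body, tag = make_message("thermostat-01", 1, {"cmd": "set", "temp": 21}, t0)
    results = [guard.accept(body, tag, t0 + 1)[1]]                  # ok
    results.append(guard.accept(body, tag, t0 + 5)[1])              # replay
    results.append(guard.accept(body, tag, t0 + 60)[1])             # stale
    tampered = body.replace('"temp": 21', '"temp": 30')
    results.append(guard.accept(tampered, tag, t0 + 2)[1])          # bad_mac
    body2, tag2 = make_message("thermostat-01", 2, {"cmd": "get"}, t0 + 3)
    results.append(guard.accept(body2, tag2, t0 + 4)[1])            # ok
    return results
```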
- Case Study: Dyn Attack
- Mirai malware: scans for IoT devices to infect and adds them to a botnet
- Triggered a DDoS attack of 1+ Tbps against OVH and Dyn in October 2016
- Hacking Tools
- Search engines: Shodan, Censys, Thingful
- MultiPing: information gathering tool to find the IP address of any IoT device
- Foren6: IoT traffic sniffer
- Z-Wave Sniffer
- beSTORM: vulnerability scanning tool, smart fuzzer to find buffer overflows
- RFCrack: obtaining rolling code
- Attify: attacking Zigbee networks
- HackRF One: advanced software-defined radio hardware and software, performs BlueBorne or AirBorne attacks such as replay, fuzzing and jamming
- Firmware Mod Kit: reconstructing firmware images for embedded devices
- Firmalyzer Enterprise: performing automated security assessment on software that powers IoT device firmware
- Security Tools
- SeaCat.io: SaaS platform for operating IoT products
- DigiCert IoT Security Solution