Conference: Defcon 31
Authors: Sharon Brizinov Director of Security Research @ Claroty Team82, Noam Moshe Vulnerability Researcher @ Claroty Team82
2023-08-01

OPC-UA is the most popular protocol today in ICS/SCADA and IoT environments for data exchanges from sensors to on-premises or cloud applications. OPC-UA is therefore the bridge between different OT trust zones and a crown jewel for attacks attempting to break security zones and crossover from the industrial to corporate networks. We have been researching during the past two years dozens of OPC-UA protocol stack implementations being used in millions of industrial products. We focused on two main attack vectors: attacking OPC-UA servers and protocol gateways, and attacking OPC-UA clients. The research yielded unique attack techniques that targeted specific OPC-UA protocol specification pitfalls that enabled us to create a wide range of vulns ranging from denial of service to remote code execution. For example, we explored OPC-UA features such as method call processing, chunking mechanisms, certification handling, complex variant structures, monitored items, race-conditions, and many more. For each part of the specification, we tried to understand its caveats and exploit them to achieve RCE, information leaks, or denial of service attacks. In this talk, we will share our journey, methods, and release an open-source framework with all of our techniques and vulnerabilities to exploit modern OPC-UA protocol stacks.
Conference: Defcon 31
Authors: Alan Meekins Member, Dataparty, Roger Hicks
2023-08-01

BLE devices are now all the rage. What makes a purpose-built tracking device like the AirTag all that different from the majority of BLE devices that have a fixed address? With the rise of IoT we're also seeing a rise in government and corporate BLE surveillance systems. We'll look at tools that normal people can use to find out if their favorite IoT gear is easily trackable. If headphones and GoPros use fixed addresses, what about stun guns and bodycams? We'll take a look at IoT gear used by authorities and how it may be detectable over long durations, just like an AirTag.
Conference: Black Hat Asia 2023
Authors: Roni Gavrilov
2023-05-12

The adoption of Industry 4.0 and IoT (IIoT) technologies into industrial business operations has brought great operational and economic benefits, but also introduced new risks and challenges. One of the major risks is the potential for central points of failure (the cloud), which in the industrial remote access scenario can leave many industrial companies reliant on a single IIoT supplier's security level. IIoT suppliers often provide cloud-based management solutions to remotely manage and operate devices. While some research has been conducted on the security of these IIoT devices' firmware and protocols, there is still much to learn about the unexpected security risks emerging from their cloud-based management platforms. In our research, we focused on the cloud-based management platforms of three major IIoT gateway suppliers - Sierra Wireless, Teltonika Networks, and InHand Networks. When investigating how they might be exploited by malicious actors, we found out these types of platforms can act as the backdoor for accessing multiple industrial and critical environments at once, bypassing perimeter and defense-in-depth security measures. During the session, we will present three attack vectors that could compromise cloud-managed IIoT devices through their cloud-based management platforms. The discovered vulnerabilities impact thousands of devices in industrial environments, bypassing NAT and traditional security layers. We will provide an in-depth overview of these vulnerabilities and demonstrate multiple vulnerabilities including RCE over the internet, bypassing NAT and reaching directly into the internal network, without any preconditions. At the end of the session, we will suggest practical recommendations for asset owners, security architects and IIoT vendors.
Authors: Zahra Tarkhani
2022-09-15

tldr - powered by Generative AI

The presentation discusses the challenges of secure partitioning and sharing hardware resources within complex system layers of heterogeneous SoC architectures and proposes a hardware-assisted dynamic partitioning framework for Linux- and TEE-based architectures.
  • Heterogeneous SoC architectures are becoming more popular for complex IoT and edge devices
  • Multiple CPUs and peripherals require secure partitioning and sharing of hardware resources
  • Static hardware partitioning at boot time cannot satisfy most use cases' security, performance, or compatibility requirements
  • Hardware-assisted dynamic partitioning framework is proposed for Linux- and TEE-based architectures
  • Framework modifies the Linux kernel, trusted firmware, and TEE kernel to achieve fine-grained privilege separation
  • Hardware features such as mdac, pack, and mrcs enable hierarchical access control policies for logical separation of secure world from normal world
  • Multiple trusted execution environments and enclaves can be combined to provide strong security features for different use cases
Authors: Brian Reed
2021-09-24

tldr - powered by Generative AI

The presentation discusses the creation of a certification and testing regime for IoT connected mobile apps and VPNs using the 20 years of history and documentation of OWASP.
  • Mobile apps dominate usage in the market and have security vulnerabilities.
  • The OAuth Mobile Project was created to address mobile app security issues.
  • The prevalence of insecure data storage and network connections in mobile apps is similar to cross-site scripting in web apps.
  • The IOXT organization created a standard for certifying the security of IoT devices and expanded to include mobile connected apps.
  • The 20 years of history and documentation of OWASP were used to create a certification and testing regime for IoT connected mobile apps and VPNs.
  • The speaker's company is a financial sponsor of the OAuth Mobile Project and participates in creating tools and standards for mobile app security.