
Securely storing & transmitting information on mobile/IoT devices

BSides Islamabad · 2020 · 42:12 · 58 views · Published 2020-11

Category: Technical
Style: Talk

About this talk
Nicolas Boeckh is a Swiss developer, infosec amateur, coffee lover and student. Academically, he started in the French system, where he acquired a Scientific Baccalaureate (specialization in Computer and Digital Sciences) upon high school graduation. He is currently enrolled in a BSc in Information and Services Science at the University of Geneva (Geneva, Switzerland), where he is completing the last year of his Bachelor's degree. On the side, he started working in development, writing programs for fun, and got familiar with a slew of different languages (Python, Java, Scala, Ruby, Dart, C, C#, ...) and environments (Linux, Windows, Android). He has always been interested in infosec but only got more involved with the community when COVID started: he had time and stumbled upon a budding CTF Discord server, where he slowly integrated into the community, leading to where he is today.

Developers are the backbone of the industrial mobile & IoT development industry. Without them, it would take more time and/or effort to use services from afar or to interact with an IoT environment. However, they may put the end users of the applications they have developed at risk by not taking into consideration the security of the information being sent over the wire. Going on the assumption that not all developers are InfoSec specialists, or even InfoSec adjacent or InfoSec aware, this talk aims to give some background on uses for mobile information storage and transmission and then move on to discussing the foremost off-the-shelf vulnerabilities. Although it is important to know that the problem(s) exist, we must also discuss how to minimize points of failure by using existing features, including (but not limited to) restricted environments, encryption, memory unicity, etc. Coming from a person working in InfoSec, such recommendations can come off as fearmongering to managers and/or developers. They have a plethora of phrases they can, in their mind, use to justify not solving a "non-issue". The final part of this talk discusses these common pitfalls as snippets of conversation that are frequently heard as justification. #BSidesIslamabad2020

Host: The next speaker we have is Nicolas. He's a software developer and he is going to discuss the topic on security: securely storing and transmitting information on mobile slash IoT, a story in development. So, you know, thank you.

All right, give me a second, poof, and let's do this. Fantastic, let's remove that. Okay, hello everyone, my name is Nicolas Boeckh, and we're joining, let me set up one thing. Next. Sorry, point option. Can you check the camera for Nick, please? Yep, it's coming up now, good to go. And yeah, so thanks for joining me at BSides Islamabad. This is going to be a high-octane roller coaster of infosec, devsec and IoT. The title of the talk is "Securely storing and transmitting information on mobile/IoT devices", and it's a story in development: it's from a development perspective. So who am I? Well, I usually go by AtomicNicos on social media. You can find me on LinkedIn, on Twitter, I have a blog, on GitHub, on GitLab, etc. I am pretty active, at least in the field of development; I've been getting more active in the field of information security and OSINT, and that's part of my perspective in my talk today.

So when we're talking about cyber security, which isn't entirely the topic of this talk, we're talking about a world, an entire world, and the main issue I have when seeing this world is that when we're discussing development security, well, development is a process. It iterates over time, you have multiple phases, and when you think about it, not one single aspect of cyber security maps to development security. And so what I'm going to do is bring you from the overview perspective of cyber security into the nitty-gritty perspective of everything that development security, devsec, touches. So from this map I'm going to define a small colour scale which represents ideation, development, production, deployment, incidents, which are the multiple phases that a project can go through, sometimes multiple times, where ideation would be when your idea takes fruit, you know, when your idea is born: someone has an idea, has an idea of how to implement that idea, thinks about the certain protocols that you want to implement, stuff like that. Development is when they put the building blocks together, of course. Production is when they start, you know, discussing it with their user base, training their users, putting it out there, basically, quote unquote. Deployment is when it's fully out there: the clients or the users have access to the platform, the service you provide. And typically it's not something everyone does, but we do factor in incidents, incident being the moment where something goes horribly wrong.

So if we start at ideation and we use our map from earlier, it hits a ton of places on our cyber security map. So here in ideation, for example, well, you do need to have a certain idea of the laws and regulations in place; for example, you do need to be aware of data protection and how that will factor into your security architecture. If we move on to just development, discussing security architecture, how you manage access control, how you perform risk assessment by doing source code scans and the like, is also something that will only happen in certain stages like this one. When you're in production, well, you start getting some more security operations: you start discussing some things like threat detection, threat protection, etc., and you also start to educate your users by training them in new skills or making them aware of issues that they can be exposed to. In deployment itself you stay pretty much on the same thing, but you do have to maintain your assets inventory, you do at some point probably have to have some form of penetration testing on your service, and all of this does impact you. Finally, you also have, at the moment of the incident, when an incident happens, incident response goes into play and you have all these things like breach notifications, incident containment, that all factor in.

And that's a lot of things we just talked about. So I just pointed out a few on the map, and I am thinking of a common point. What is that common point? Well, it would be contentious to say developers. I'm going to say developers, but I'm going to say not only developers: it's developers, managers and the entire rest of the hierarchy. That's very important to think about. There's not one single point of failure, not one single point of blame. Why am I giving this talk? Well, I'm a developer first and I do have a few fingers in the infosec pie, and so I'm infosec adjacent, I would say, and that's something that not everyone is. Usually you will have developers who are infosec aware, that have some knowledge of how to secure their stuff, who will be able to do the research to additionally secure their services. But the scariest part, and the one that happens in most big, big, big companies, is that you have developers that have no clue of how infosec works or anything that they would do in infosec, and that is something quite scary that can lead to issues such as there being an entire divide, a big gap, between your developers and your information security specialists. The second reason why I'm giving this talk is, well, I'm a student. I'm doing a bachelor's degree in information systems and service sciences, which basically breaks down into development, management, ethics, security and regulations, on a big ball. Well, to be fair, it's not an entirely equal ball: I do way more development than I do management or security, which is what led me to practice infosec and OSINT on the side.

So what are we going to talk about? Well, I wanted to basically do a small, brief overview of the ecosystem, basically ground some terminology first, right up. Then I wanted to discuss why we would want to do this, the people involved, the technology involved, how those two produce risks when combined, and the fallout that can come out when those risks aren't taken care of. Then I'm going to discuss some risk mitigation and finally go a little bit live at the studio with the development team and their managers, which is basically a back and forth of things I've already heard and things I should have said at the time, things that will probably make you scream. So first we're going to talk about IoT, the internet of things, what it is; mobile devices and development; what is information transmission at the base level; what is information storage at a base level. And since these things kind of build up on one another, I'm going to start with information storage and end with IoT. I hope that makes sense.

So, information storage, very quickly: it's bits on some form of storage, which would be flash memory like SD cards or SSDs, hard drives; it can be live memory such as RAM, things like that. It's stored in certain forms such as raw data, which would just be like device output, sensor output, or processed data, which would be some text files, CSV files, JSON files. They can be more or less hierarchical and more or less useful. Now with that we have some information; we can actually transmit it. Well, one thing that's pretty easy, pretty often used to represent physical devices placed in a network, and what data can flow through and how it flows through, is the OSI stack, which is multiple layers which go from layer one, the physical layer, to layer seven, which is the application layer, seven being the closest to the user, one being closest to the hardware. If I clean that little tweet up, it kind of looks like this, and this would be for example a mobile device like a smartphone, and if I were to connect it to a router, your router would be a physical media which wouldn't have all of your application layers. The problem being is we're also discussing IoT, and IoT devices will have a peer-to-peer connection usually, and that connection

will have multiple layers, not necessarily all seven, but will have multiple layers to interact with. How does information go through? Well, you have some snazzy packaging, quote unquote, where PDUs, protocol data units, are used to package your data, much like a letter. For example, an Ethernet PDU: you would have a destination address, which is, you know, where your letter is going; a source address, where your letter is from, so that you know if it doesn't get there it can ping back or whatever; the length of the content, which in this case isn't; the FCS, so that would be an integrity check code, often a CRC, a cyclic redundancy check; and some flags, which would be your postmarks, for example.

So, mobile devices and development. Mobile devices themselves, at a base level, these just store and transmit information and they enable some form of user interaction. Development in itself can specify additional requirements from a more abstract perspective, for example requiring the use of Bluetooth, requiring the use of databases, requiring access to certain files, to the internet, to an API, things like that. And for that you use development stacks. I just highlighted a few: you have a few native ones, for Android for example Kotlin and Java, for iOS you would have Objective-C and Swift, one is more recent than the other of course. And then you have some things in the middle of Android and iOS, they do cross-OS development, for example Flutter and React Native, which do these kinds of fancy things.

So now we can talk about IoT. What is the internet of things, what does it include? Smart everything. So what is a smart everything? Well, think of fridges, watches, cars, smart homes. If you even want to go that far, we can even talk about teledildonics, so things like IoT butt plugs and stuff like that. smea actually did talk about that at DEF CON 27 and it's pretty fun if you just want to look at it. When we're talking about IoT we're not specifically talking about all this, we're talking about a cluster of IoT devices, and that cluster is usually service-centric. I think maybe an IoT sensor grid that measures carbon monoxide levels on the city streets; it's my go-to example. These IoT clusters kind of form the IoT triad when put in conjunction with mobile devices and servers. They have multiple ways of communicating: you would have, for example, Wi-Fi or GSM networks between phones and servers, or between IoT devices and servers if you have fancy GSM capability on your IoT chips. You could also have LoRa, which is long range radio frequencies, where you could just transmit from an IoT device straight into a server that has the correct add-ons, quote unquote. You also have Bluetooth and NFC, which can be used to transmit information, although maybe slightly less fast.

So why would one want to do this? Well, as I said before, we're going to go through the people, the technology at hand, the risks that both of them produce and the fallout that happens when you don't take care of this. So, a quick overview of people. You have users, which, if you're building a service, goes from they're your best friend because they give you money, to they're your worst enemy because they bring you problems. I mean, most people who have at least manned a help desk for 30 minutes, or, I don't know, a ticket system in some type of service, will know that there's that one type of user that always has 50,000 types of problems which are improbable, to say the least. So yeah, the basic morality is to love them for the income and hate them for the problems. But they're not the only people involved. As I said before, you have developers, managers, and, well, at some point in the hierarchical chain, because everyone manages everyone, you have people that will just let something burn off to save face, and that is an issue, because at some point you are also responsible and they might just shift the blame onto you. So it's better to do things that are solid.

Now, if we talk about the technology, well, in some shape or form it always boils down to information storage. Whether you're talking about IoT devices, databases, data dumps, servers, log files or even APIs, it all relies on some form of information storage. IoT could be storing sensor output for a certain time; databases will store data; data dumps will be a representation of data that was stored; servers will contain files, maybe a web server will also contain your web pages and stuff, and these, if they're exposed, can also, you know, have some information in them; log files are pretty juicy usually; APIs, if they're too chatty, you can access the content within without too many issues. And all of this relies on some form of physical media, which is the main flaw with information nowadays: if you have access to a hard drive, well, either you have a very good encryption, which is fun, always, but it won't hold up to a threat actor, you know, a state-level threat actor. When we're talking about information transmission, well, it usually goes through some form of medium: wires, for example Ethernet wires, USB cables, etc.; Bluetooth, which would be proximity wireless, I think also NFC; or Wi-Fi, which would be longer range wireless, I think maybe also LoRa or things like that, GSM networks. An important part of information transmission is the availability. Usually when you have an information provider, quote unquote, you expect the information to be available 24/7. If you have downtime it's an issue, and that's something that factors into technology. Finally, you have protocols which assist the transmission of information, and multiple protocols that handle authenticity, for example that the person who sent it is actually the person who sent it, that the origin of your data is the one that it really came from; authentication, which would be that the user that sent it is allowed to send said data; integrity, which would be that the data wasn't modified over time; and security, which many people don't do, which would be maybe encryption or things like that.

In terms of IoT over the years, now, this isn't a fixed number and depends on what you define as IoT: the number of IoT devices in the world, it's not 50.1, it's not 50.1 million, it's 50.1 billion. If I just compare this graph also, which doesn't say the exact same, well, actually yes, it does say almost the same numbers: many things are IoT, and many of these things, especially the entire yellow and grey area, these ones here, this entire area is IoT, such as maybe smart plugs, it can be printers, that can be anything, and those are the ones that are usually most vulnerable, and there's a ton of them in the world. So yeah, my main conclusion on the technology is that it's a huge attack surface.

Now, when we talk about risks in IoT, now that we've talked about technology, the one main rule is that the S in the terminology of IoT stands for security, that meaning that there usually isn't any security. In terms of storage, well, usually your IoT device will have an SD card. An SD card is pretty simple: you just take it out, plug it into your laptop or into an adapter, and poof, you have physical access. It's pretty easy. It contains files usually, sometimes files it shouldn't contain, and that's an issue. A second point of note is microprocessors on these machines, and if you know what you're doing you can actually retrieve the bytecode, the assembled code, on your microprocessor, and even if you're not going to reverse engineer it, what you're going to do is maybe find some static values like API keys and stuff like that. It's pretty dangerous. So yeah, if it's addressable to a computer it's addressable to you, you just need to have the right tools. Thanks to Blind Hacker for actually giving me that quote. When we're talking about transmission, well, we're talking about Bluetooth Low Energy. At the base level it's just a plain text byte stream that goes over some networking protocol;

it's vulnerable to passive observation, an observer in the middle; it's vulnerable to actual physical attacks, for example by leveraging the GATT framework, so Generic Attribute, which is how they segment their data, for example using services and characteristics in Bluetooth Low Energy devices. And one thing is that there are no standards, but they have built profiles for Bluetooth, meaning, you know, that ensure interoperability between these devices, and that's also an issue. For example, Pen Test Partners, a UK firm that does pen testing, did an entire thread about hacking a smart lock which had Bluetooth Low Energy, and it was ridiculously easy. If we're talking about long range RF, well, it's also a plain text byte stream, except it's over radio frequency, so if you have the right receiver, poof, you can receive your data. Wi-Fi, well, that's not my area of knowledge, quote unquote, but it is vulnerable to packet capture and all those other risks.

In terms of storage itself, well, on mobile devices, storage has also, usually, if you're one of the 90% of devices that support SD cards, well, SD cards: you can pretty easily get them out of a phone, you can pretty easily get them into a computer, yet again, and also it's not just one or two files, it's all the files. It can be anything: it can be badly cached data, it can be just a data dump that an app is keeping on the side, it can be anything, and that's even more dangerous. If you think about rooting or jailbreaking your device, depending on if you're Android or iOS, well, that gives you access to cached data, and cached data is usually where, you know, the apps hide all their fun stuff. Even if your phone isn't rooted, well, you can use apps like MyPhoneExplorer or iMazing to get at least a certain level of information. What I like to say is that even with the most recent legal issues between Epic Games and Apple, where children, or players of the video game Fortnite, would have to jailbreak devices to be able to install Fortnite on iPhones, well, is your eight-year-old really part of your threat model? If not, you should be, but, well, they should be. In terms of memory, which is also a form of storage, well, you have concurrency issues. The paper I linked really goes into depth about how concurrency issues can produce funky and destructive results on a phone. That's something to take care of and to think about. In terms of transmission, well, you know, the usual: Bluetooth Low Energy, Wi-Fi, etc. NFC, so near field communication, is vulnerable to skimming: you can put NFC skimmers on bank terminals, stuff like that, well, more usually on terminals at shops and stuff like that, and you can just skim some credit card details and reuse them. So that's fun, I guess. In terms of risks, well, you have services on phones. Your phone usually gives you access to geolocation, some sensors like gyrometric data, electromagnetic fields, luminosity, stuff like that. The paper I linked produced an app that was able to determine with 88.8 percent probability if you were sleeping based on that sensor output, which sounds fine until you learn that, you know, these apps can be hijacked, and, well, maybe I want to, you know, rob someone, and oh, they're sleeping, perfect opportunity. In terms of service, well, that's yet again not my area of knowledge. Here's a video, a link, which might be fun for you. Honestly, it's not my area of expertise, so I'll defer to those and the internet.

Let's do a small story about IoT. Well, let's talk about IoT smartwatches. There's these kinds of IoT watches that allow you to track your children, which sounds fantastic. So a Dutch security company bought one for their child, quote unquote, registered it and installed the app. What they then saw is that there was some communication between the app and servers, so they installed Burp Suite, which is, you know, a web application trace, a pen testing tool, in the middle, and they would see that the app was using an ID to query the server for the location. So they did, well, they changed the ID, and the location changed. They tried to replicate the same browser, that didn't work. So it was more of a case of a sufficient level of authentication but not of authorization to the data that was accessed, and this gave them potential access to hundreds of thousands of children's locations, which is a huge issue. Thankfully, that issue, which implicated a third party, has been fixed, but it's just, you know, it quantifies the risk.

In terms of fallout, well, you can quantify fallout through multiple metrics, for example the amount and sensitivity of the information that was exposed, how the controlling entity responded, so that would be the company that owns the service, for example, and how fast the service recovers. If too much information was exposed and the entity doesn't respond correctly, you erode the trust in the service. If you have information that's too sensitive and your service recovers slowly, well, your feeling of privacy might be eroded. And if your service recovers slowly and your entity responds horribly, it also erodes the credibility and integrity of the service. And if you have the magnificent three, you have something called the omnishambles, which is a situation that has been comprehensively mismanaged, characterized by a string of blunders and miscalculations, which is a polite way of saying... And if you have that omnishambles, well, that gives the big Cs of your company an opportunity to yell. I'm going to go through a live example. Lisa Forte has a series called Rebooting where she talks about cyber security in general, and they did a hypothetical scenario for a dating company called Right Match Singles with some high-level people on it, some celebrities for example, and they have a massive breach that compromises users and personal documents that shouldn't have been stored there. They failed to disclose it properly to the relevant British authorities, which would be the ICO, and also to its users, and finally, once, you know, they get threatened with legal action because it gets out, well, they go nuclear and just take the service down, which is a big issue. This checks all of the boxes from what I was talking about earlier. We can quantify fallout just by how the entity responded. For example, if you have an information disclosure in some new service part and, you know, it's solved pretty fast, it gets a good payout for the bug bounty, poof, that's fantastic. If you have a user information disclosure in some form or whatever and it takes a while to get solved, let's not talk about the payout, that's okay, it's still solved. But for example, when we talk about Giggle HQ and Digital Interruption, Digital Interruption being a pen testing and cyber security firm, Giggle is a company that produced an app called Giggle which allowed people, mostly women, to communicate between each other securely, and they were extremely leaky in the information that their API could provide. And so Digital Interruption contacted them and they were like, no, we have no issue, and then proceeded to antagonize the infosec community, which didn't work correctly: it actually turned into a dumpster fire. So yeah, fun.

Let's talk risk mitigation. How do we reduce the risks of getting pwned? Well, in terms of IoT storage, avoid upstream critical files. You wouldn't believe the number of SSH files or things like that I've seen on IoT devices, just so that they can, you know, do firmware updates and stuff like that. Yeah. Try going for operations logs instead of full data logs: operations logs logging state changes in case of, you know, general usage, and a state description, an error description and the data that produced the error in case of an error. That actually first keeps your memory impact smaller but also produces less information that an attacker could use. And also don't produce anything that can't receive firmware updates, because even though your device is secure now, that's not a guarantee in

the future. So yeah. In terms of transmission, well, you can define and use standards for PDUs, or protocol data units, what we talked about earlier. You can use a standard representation for data like the IEEE 754 representation for floating point numbers, the default binary representation for integers, characters, etc. What advantages do they have? Well, if you have a standard you can most probably detect some form of error or modification, and it also usually compresses the data: like, floating point numbers are six characters, which is 12 bytes; the IEEE 754 representation is four, but it's only... and that's smaller. Some bonus points go towards an extensible framework, like you could be able to add stuff over time without it, you know, crapping out; validating the integrity of your data; adding timestamps to avoid replay attacks, stuff like that. For example, here's a custom clear text transmission PDU which would allow you to, you know, send data over Bluetooth Low Energy. So this isn't secure, but at least it has integrity. For example, it stores two flags, the length of the number of values that the entire map should have, a map of all values that are actually in the values array, and then the values. Finally, it just adds a small CRC at the end.

So I'm going to take that very basic example and go into a practical example. I'm going to talk about an IoT pacemaker that transmits vital information to a phone, for example, for if you have tachycardia it should be able to call an ambulance or stuff like that. So the phone monitors for variations in your heart rhythm, tachycardia, etc. The information that's sent from the device would be the device ID, the heart rate, ECG values, EEG values; all these things are used to monitor heart attack activity. And the information received by the device would be: should defibrillation occur, and also the power of said defibrillation. So the risks are, well, induced tachycardia, then death. Sounds fun. So how are we going to go through building that? Well, we can collect data, transform that data, map that data, encrypt the data, check its integrity and then finally set flags. Now let's do that step by step.

Coalescing data: so I just took some random data. I took a device ID, ICD_1337; a random heart rate, which seems normal, I think it was my heart rate at the time, it's a little bit higher than usual, stress; ECG values, usually there's more of them, but you know; and EEG values, usually there's more of them, but, you know, it needs to be a legible example. So, right, I forgot I had these things. So let's transform the data. So our device ID, well, it's a string. How can you represent a string? Well, with chars. But how do you know that your text is going to be a certain length? Well, you use a flag. So here we use 0xA0D, which isn't a character that is really used, unless for carriage returns and stuff like that. You store your text size, which would be eight characters, you then store your text, which would be, you know, a certain number of characters, and then you finish with another text flag. This gets you a device ID which has a text flag, a length, the data and then finally another text flag. If we talk about the other information that was there, that I talked about, well, that's an integer representation; those are multiple integer representations, and we have empty data, which can happen at some point, so we just replace it with Xs for the moment and then we add the rest of the data around it. Then we map the data. So we have eight values in total and we have our before-last that isn't there, the 0 0 0 1, the Xs that we saw earlier. So the mapped data would be this, because you have eight values; your zeros, your empty values, aren't mapped, but you're keeping that entire value here. Then you add your device ID, then you add your values, magic, quote unquote.

So let's go to encryption. So for example we could use AES 128-bit in CTR mode. Fun. So here's some keys and some IVs, initial vectors, and I used CyberChef because, you know, fun. So your unencrypted data turns into this. Fun. Also, you can check for integrity using your CRC-16, for example, in ARC mode. The output of said CRC would be 46 55 and 5F in hexadecimal. So here we used another tool, so we encrypted data, generated that CRC, and I forgot to change it out, but, my bad. So the final iteration of your data would be this, and then you set flags. The main issue being that flags, if you've studied Ethernet, they have a certain structure, and that structure can also be found in other places. So what you do is you check, for example, this is six consecutive ones which define a flag, well, here you check for five consecutive ones, and every time you find one instance of that pattern you add zeros right after them. This is something you then can remove pretty easily. So now that you have this thing, we've had it, added zeros, you transform it, you know, to the hexadecimal representation, you add your flags, does this, and that's the data you send.

So now we're going to evaluate the solution. In terms of compression, well, you go from a certain level of text, let's say it's a CSV array, and, you know, you have all that stuff, it generates this, which in itself is 62 bytes, except if I would have had a floating point number with five digits after the comma I would have had, what was it, five, so if I went three plus, yeah, I would have had 70 bytes. So it scales pretty horribly. Our solution, so as text is transmitted like this, the x two characters are, you know, unicode symbols, it's 84 bytes, but it's fixed within a few bits: whatever you send, it's going to be 84 bytes. Even if your microcontroller craps out and produces something with 50 digits after the floating point, well, it's still going to be 84 bytes, more or less. In terms of integrity, well, we use CRC-16/ARC, so that's a check. In terms of encryption, AES-CTR, 128 bits, it's a check, but can it run on FPGAs or, like, microprocessors or stuff like that? Well, the main issue would be AES-CTR. In theory, research has shown that if you do use certain implementations they can process about 12 megabits per second on a 25 megahertz board, which is pretty cool, because most boards are somewhere in the 30 to 80 range and we need less than one kilobyte, well, kilobit, per second, in theory. Also fun: secondary issues will be the conversion to standards. Usually most of your representations are baked in, but floating point to IEEE 754 representation, there's a pretty sequential algorithm that happens; it just does binary additions, binary math, so left shifts, right shifts and the like, and CRC-16 has the exact same thing, it's binary shifts and the like.

In terms of mobile development, well, for storage, if you're, you know, part of the 95% of devices that have Android or iOS, you have frameworks for preferences, you have frameworks for reading files, you have frameworks to have database systems on phones. These are all things that you shouldn't, you don't have to store on an SD card or on physical storage, so you can use these things. In terms of memory, well, you can use singletons, which are a single object instance design pattern, which sounds complicated, but what they do is they basically create one instance of a memory storage, an object which is accessible from anywhere, so you can interact, use its methods and the like. Usually it's used for database wrapping or API wrapping, the like. It's convenient. A problem is that you don't know who is requesting the information, what segment of your code is requesting it. And asynchronously, which solves concurrency issues, which would basically mean that if you're reading a file, reading a database or querying an API, you don't do everything at the same time

and have a block blockage what you're doing is you're doing it on the side and you're waiting for things to happen and this allows you to sequentialize or serialize operations that take a lot of time uh so let's go now live to studio uh so let's take an information security professional a developer and a manager and these are things i've heard so in this case i'll be the information security professional although i'm not an infrastruct professional uh it's an app it needs to look good we'll sort out the data later yeah big issue there uh your service is bound to change and your ui is probably going to crap out when you're thinking about that

so yeah uh adapting a ui to a service is probably easier than adapting a service to a ui worst case scenario you can parallelize um our data persists for one second what's the worst that can happen well uh for example when transmitting data via bluetooth well uh if you know about wardriving which was you know a thing that was done in the 80s and 90s to get access to enterprise wireless networks you have access you have the same thing for bluetooth uh the the shmu group at defcon 11 in 2003 did an entire presentation on bluetooth for driving it's a thing nowaday uh so yeah it's something we need to to think about uh we don't use application ids for

location data if you're using a location what do you mean they can be tracked well uh i'm just going to point you to new york times 2019 privacy project uh where they took uh location data aggregators from you know your ad services and everything and punched everything into a machine and they were able to find people at the pentagon at the white house people that shouldn't have probably have been able to be tracked uh by just tracking them from their homes and then following the dot around so pretty fun uh so yeah location using and transmitting devices uh can be traced uh the developer saying the manager can't uh coordinate the idea with the rest of that task an idea

being you know a cyber security suggestion or some form of suggestion uh so first that's gonna get you to yell internally and secondly you can use a mock-up based workflow and once the service is built you switch the data calls from mock calls to actual service calls that's pretty cool uh develop a ton of apps and have deadlines well define a template project a baseline project with minimal services for api calls databases bluetooth location etc it's easier to strip content away than add content uh when you need it also it if you do it correctly it allows you to spread your updates correctly uh to every single app you do in conclusions um iot is the stuff of nightmares uh

don't tell your ciso about uh about iot uh improvements for the moment aren't standards uh they're improvements uh it's not iso certified it's it's really horrible for the moment security is a matter of being consistent on all fronts you can have the best web app security if you have shitty iot security you're done for and my own two cents are to have an infrastructure professional assigned to a dev team uh because it's going to matter at some point it will help you from snowballing into vulnerability hell uh and since iot is now a networking backbone uh it's a great part of the networking we need to to think about that uh my talk is available under cc by sa

which basically is an open license have fun just credit me and i'd like to thank all these fantastic people on the screen and you can ask me anything thank you nicholas uh that was really good i'll see if we have any specific questions
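As an added example, not the speaker's code, here is the bit-stuffing rule and CRC-16/ARC integrity check the talk describes, in Python. The framing layout (payload followed by a little-endian CRC, the HDLC 0x7E flag, and one stuffed zero after every run of five ones) is my assumption; the talk's own data and byte order are not reproduced.

```python
# Added example (not the speaker's code): HDLC-style bit stuffing + CRC-16/ARC.
FLAG = "01111110"  # 0x7E: six consecutive ones; the stuffed body can never contain it

def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC: reflected poly 0x8005 (0xA001), init 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)
def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def bit_stuff(bits: str) -> str:
    """Insert a 0 after every run of five 1s so the flag pattern cannot occur."""
    out, run = [], 0
    for b in bits:
        out.append(b)
        run = run + 1 if b == "1" else 0
        if run == 5:
            out.append("0")
            run = 0
    return "".join(out)

def bit_unstuff(bits: str) -> str:
    """Inverse of bit_stuff: drop the 0 that follows every run of five 1s."""
    out, run, i = [], 0, 0
    while i < len(bits):
        out.append(bits[i])
        run = run + 1 if bits[i] == "1" else 0
        if run == 5:
            i, run = i + 1, 0  # skip the stuffed 0
        i += 1
    return "".join(out)

def frame(payload: bytes) -> str:
    body = payload + crc16_arc(payload).to_bytes(2, "little")  # assumed layout
    return FLAG + bit_stuff(to_bits(body)) + FLAG

def unframe(bits: str):
    """Return the payload, or None when flags are missing or the CRC fails."""
    if not (bits.startswith(FLAG) and bits.endswith(FLAG)):
        return None
    body = from_bits(bit_unstuff(bits[len(FLAG):-len(FLAG)]))
    payload, received = body[:-2], int.from_bytes(body[-2:], "little")
    return payload if len(body) >= 2 and crc16_arc(payload) == received else None
```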