Technical Workshop : (Hands-On) A Practical Approach To IoT Security : Hacking And Defending
[Book My Seat]

Trainer: Nitin Lakshmanan, Rahul U and Puneeth K 

Nitin Lakshmanan (Black Hat USA Trainer 2019 & 2021|Speaker at Insomni’hack, OWASP AppSec, ISC2)

Black Hat USA Trainer 2019 & 2021|Speaker at Insomni’hack, OWASP AppSec, ISC2

Skilled in SDLC methodologies and Security assessment of Web applications, Mobile security solutions and IoT platforms. Strong Information Technology professional with a Bachelor of Technology (B.Tech.) focused in Information Technology from Coimbatore Institute of Technology. Speaks at security conferences and conducts trainings/workshops on Cloud and IoT topics. Have conducted training at Black Hat USA.

Rahul U (Expert On IoT Technology BLE)

Extensively worked on BLE(Bluetooth Low Energy) | Security Analyst, Deep Armor

Rahul is a Security Analyst at Deep Armor. He is skilled in penetration testing of mobile & web applications and IoT products. Rahul has worked extensively on several IoT topics, particularly focusing on BLE (Bluetooth Low Energy) security. He is well-versed in security-testing communication protocols and network services using the Peach or Protocol CE Fuzzer. Rahul has been part of the core technical team from Deep Armor that conducts corporate trainings. Rahul regularly speaks at local and international security conferences.

Puneeth K (Expert web application security assessment, network security and digital forensics)

Skilled on web application security assessment, network security and digital forensics  | Security Analyst, Deep Armor

Puneeth is a Security Analyst at Deep Armor. He is skilled in web application security assessments, network security and digital forensics. He has worked on several projects in cybersecurity. Puneeth has a Masters degree in Cyber Security.

>>Block My Seat For Workshop Session 

Workshop Summary : 

Workshop Duration: 6 Hours, 1 Day
Date: 30th May, Thursday, 2024

Description:

The Internet of Things (IoT) market today is defined by product manufacturers pushing a broad spectrum of computing devices out to the hands of consumers at an ever-increasing pace, and connecting them to the Internet. They are in a rush to hit the market shelves before their competitors and they often marginalize security. In this workshop, we offer hands-on training for pentesting and hardening IoT ecosystems, with special focus on popular communication protocols such as Zigbee, Bluetooth & BLE, as well as Device - Mobile - Cloud security topics. Students will learn about weaknesses in consumer IoT devices (wearables) paired with mobile ecosystems (Android & iOS) — how information theft is scarily easy, and what steps can be taken to harden these designs. We conclude with a Capture The Flag (CTF) session, and a discussion on defensive security best practices for IoT.

Workshop Agenda:

PART-A (90 minutes)

1. Introduction to IoT

   • Overview of IoT fundamentals and use cases.
   • Exploration of IoT computing platforms' impact on security practices.
   • Identification of challenges in IoT security, including vendor fragmentation and regulatory standards.
   • Emphasis on the underestimated impact of security lapses on IoT businesses and customers.
   • Discussion of real-world attacks on IoT platforms and proactive risk mitigation measures.

2. Security for IoT

   • In-depth exploration of technical aspects of attacks on IoT platforms.
   • Case studies presenting vulnerabilities discovered by the research team.
   • Emphasis on not disclosing specific vulnerabilities in actual products.
   • Comprehensive understanding of the varied nature of IoT attacks.
   • Focus on broadening students' perspectives on security challenges in IoT products.

3. Securing Wireless Protocols

4. Live Demo: Attacking BT/BLE in IoT — Mobile Ecosystem

   • Deep dive into Bluetooth and BLE Security topics, Open Source tools, and market hardware.
   • Bluetooth service model on Android and iOS, walkthrough of a malware application on Android.

5. Hands-on Exercises (Part-1)

   • Practical Exploitation of BLE using specialized hardware kit (BBC Micro:Bit)
     • Basic introduction to BBC Micro:Bit
     • Setting up Micro:Bit device
   • ---SHORT BREAK---

PART-B (90 minutes)

1. Continuation of Hands-on Exercises
   • Modifying firmware to add custom features.
   • Interacting with the hardware using mobile apps.
   • Exploiting the BLE vulnerability with your micro:bit.
2. Part-2: Analysis of BLE Network Traffic (Working with PCAP Files)
   • Packet capture and analysis of shared BLE pcap files.
   • Breaking Bluetooth/BLE security — extracting encryption keys with open-source tools.
   • Using keys to decrypt encrypted pcaps.
   • ---LUNCH BREAK---

PART-C (90 minutes)

1. Part-3: Hacking an IoT Wireless Sensor Network
   • Deep dive into IEEE 802.15.4.
   • Protocols based on IEEE 802.15.4 and security measures.
   • Packet formats for practical labs.
   • Using open-source tools on a custom USB-based transceiver.
   • Packet capture and analysis.
   • Device Reconnaissance - scanning for Zigbee capable devices in the network.
   • Packet manipulation using Scapy (multiple scenarios).
   • Packet injection into a WSN (multiple scenarios).
   • Simple cryptographic techniques to protect against practiced attacks.
   • Hands-on modification of source code (python scripts) to fix vulnerabilities.
   • Exploration of the full set of commands and features of the Zigbee debugging open-source tool.
   • ---SHORT BREAK---

PART-D (90 minutes)

1. Security Development Life Cycle for IoT

   • Examination of limitations in traditional SDLC models when applied to IoT platforms.
   • Introduction of a new framework supporting Agile development and Continuous Integration/Continuous Deployment for IoT.
   • Integration of security and privacy considerations throughout the product lifecycle.
   • Emphasis on a comprehensive SDLC model covering continuous integration, continuous development, and continuous deployment.
   • Provision of templates for threat modeling and security architecture reviews for practical application in students' institutions and businesses.

2. IoT Security Best Practices

3. Capture The Flag!

4. Summary

   • Review the theoretical and practical topics.
   • Q&A session.
   • Revisiting specific practical assignments based on student demand.

>>Block My Seat For Workshop Session 

Candidate Requirements:

You need to bring:

• Machine Requirements
  • Laptop with minimum 2GB RAM and 10GB Storage
  • Operating system — Kali GNU/Linux
• Tools & Software Requirement
  • Python 3 & Crypto Libraries
  • Scapy 2.4.2

Note: A comprehensive report detailing the additional installation of the necessary software will be shared prior to the training date.

Who Should Attend ? 

• IOT engineers, especially if you are working on consumer home automation and industrial IOT solutions.
• Developers, architects and QA engineers who want to learn holistic approaches for securely designing and testing IoT products
• Security professionals interested in gaining hands-on experience with hardware and software for IoT pentesting
• Anyone interested in exploring security of IoT platforms in greater depth
• Beginner to Intermediate-level expertise in IoT Security

Set Expectations:

• Hands on session

Audience Skill Level

• Able to understand basic concepts of embedded systems and IoT
• Some familiarity with wireless communication technologies and protocols
• Basic coding techniques and familiarity with any programming language

What Students Will Be Provided With

• A USB-based transceiver capable of generating and sniffing IEEE 802.15.4 network traffic. We use this hardware kit for pentesting Zigbee/Thread/6LoWPAN-style networks. This kit will be provided to students for the duration of the class.

 >>Block My Seat For Workshop Session