Praetorian, profile picture
Uploaded byPraetorian
PDF, PPTX557 views

Exploring Risk and Mapping the Internet of Things with Autonomous Drones

Praetorian is collaborating with Dronesense to automate drone operations and secure IoT projects. The document discusses the development and implementation of strategies for end-to-end security in IoT systems, including techniques for attacking Zigbee networks and vulnerabilities in embedded devices. It also emphasizes the importance of integrating security considerations throughout the product development lifecycle and provides recommendations for security best practices.

Technology
Related topics:
Internet of Things

Embed presentation

Download as PDF, PPTX
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 1 PAUL JAUREGUI VP, SECURING IOT @ PRAETORIAN RICHARD MCPHERSON PHD CANDIDATE, INTERN, PRAETORIAN (2015) NISHIL SHAH UT GRADUATE, INTERN, PRAETORIAN (2015) DALLAS KAMAN SENIOR SECURITY ENGINEER, PRAETORIAN Internet of Things Map Project Team | Summer 2015 and beyond
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 2 Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 3 Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 4 Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 5 Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 6 Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 7 RESEARCH MEDIA AWARENESS
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Capture Device (v1.0) Specifications and Requirements 8 ZIGBEE RADIOS Atmel RZUSBstick (x8) Flashed custom firmware GPS MODULE Adafruit GPS HAT for Raspberry Pi RASPBERRY PI Model B+ 512MB RAM Raspbian OS ‣ Autonomous operation ‣ Hand-held size ‣ Under 250 grams ‣ Battery powered (Drone’s) ‣ Discover all Zigbee devices within 150-feet across all 16 channels in under 10-seconds while traveling 10-20mph

THE SECURITY EXPERTS WWW.PRAETORIAN.COM Extending Killerbee 802.15.4 Network Attacking Framework 9 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Extending Killerbee 802.15.4 Network Attacking Framework 10 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE Step 1: All connected Zigbee radios send beacon request on assigned to channel
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Extending Killerbee 802.15.4 Network Attacking Framework 11 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 Found Something! ** Listen for 10 sec ** ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Extending Killerbee 802.15.4 Network Attacking Framework 12 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 Found Something! ** Listen for 10 sec ** ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Post-processing Engine: Fingerprinting Methodology 13 4. | Analyze Zigbee Traffic and Fingerprint Devices with Company MAC address Philips Hue Smart Lighting Network Identified TCP/Greenwave Lighting Network Identified
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 14 praetorian.com/iotmap
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 15 praetorian.com/iotmap
THE SECURITY EXPERTS WWW.PRAETORIAN.COM 16 praetorian.com/iotmap
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Mesh Network Basic Smart Lighting Architecture / Attack Surface 17 CLOUD SERVICES Internet WiFi Router Lighting Gateway Remote INTERNAL NETWORKEXTERNAL WiFiCellular Mobile apps Sensor 6LoWPAN Z-wave and more
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Mesh Network Basic Smart Lighting Architecture / Attack Surface 18 CLOUD SERVICES Internet WiFi Router Remote INTERNAL NETWORKEXTERNAL WiFiCellular Mobile apps Sensor 6LoWPAN Z-wave and more Lighting Gateway
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Embedded Device Hacking with Physical Access 19 TX RX Ground UART Port Gained persistent root access to device via SSH server, which runs on boot up
 ‣ Connected test points on board to UART adapter for “Kernel Init Hijacking” ‣ “Kernel Init Hijacking” allows temporary Root access to TCP Hub file system by tampering with the boot sequence and injecting commands ‣ Access used to retrieve root SSH password, which was “thinkgreen” and shared by all TCP Gateways ‣ Potential to also remotely install malicious software that turns the hub into a proxy to the network, could sniff/exfiltrate data, or launch attacks on other systems INDEPENDENT RESEARCH
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Embedded Device Hacking with Physical Access 20 In January 2015, Greenwave forced a firmware update that fixed these issues
 
 ✓ Removed local web control interface that lacked authentication by closing port 80
 ✓ Opened a secure HTTPS (port 443) service with currently unknown functionality
 ✓ Close the SSH (port 22) service to remove persistent Root access to hub via SSH credentials share by all devices
 ✓ UART pins may have been silenced, and boot delay may have been set to zero (no more “kernel init hijacking”)
 
UART Pins Silenced INDEPENDENT RESEARCH
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Common Security Challenges in Product Development Lifecycle 21 ResearchTime to market pressures Testing Security is often left as an afterthought Support Ongoing security support and maintenance Launch Develop General lack of security consciousness Insufficient security testing prior to launch
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internet of Things (IoT) — End-to-end Security Considerations 22 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data INTERNET OF THINGS END-TO-END SECURITY
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internet of Things (IoT) — End-to-end Security Considerations 23 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data TX RX Ground UART Port INDEPENDENT RESEARCH
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internet of Things (IoT) — End-to-end Security Considerations 24 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data CVE-2015-6949 - October 2015 Praetorian Security Researcher recognized by ASUS for responsible disclosure of a zero-day vulnerability affecting all ASUS router firmware Zero-day Impact: Remote Code Execution (RCE) INDEPENDENT RESEARCH
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internet of Things (IoT) — End-to-end Security Considerations 25 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data INDEPENDENT RESEARCH
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internet of Things (IoT) — End-to-end Security Considerations 26 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data CLOUD SERVICES Internet WiFi Router HOME LOCAL AREA NETWORKEXTERNAL WiFiCellular Mobile apps IoT Device/Gateway Sensors Mesh Networks
THE SECURITY EXPERTS WWW.PRAETORIAN.COM Recommended Security Best Practices 27 Research Train employees about security best practices Testing Conduct 3rd-party security risk assessments Support Monitor product through its life, patch known vulns Launch Develop Build security in from the start, don’t bolt it on Test end-to-end security before product launch
NETWORK APPLICATION MOBILE CLOUD IOT Internet of Things Map Project Exploring Risk & Mapping the Internet of Things with Autonomous Drones

More Related Content

PDF
STAAF, An Efficient Distributed Framework for Performing Large-Scale Android ...
byPraetorian
 
PPT
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
byPraetorian
 
PPTX
A look at current cyberattacks in Ukraine
byKaspersky
 
PDF
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
byLancope, Inc.
 
PDF
VIPER Labs - VOIP Security - SANS Summit
byShah Sheikh
 
PPTX
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
byLancope, Inc.
 
PPTX
Advanced Persistent Threat in ICS/SCADA/IOT world: a case study
byFrancesco Faenzi
 
PDF
Cisco, Sourcefire and Lancope - Better Together
byLancope, Inc.
 
STAAF, An Efficient Distributed Framework for Performing Large-Scale Android ...
byPraetorian
 
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
byPraetorian
 
A look at current cyberattacks in Ukraine
byKaspersky
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
byLancope, Inc.
 
VIPER Labs - VOIP Security - SANS Summit
byShah Sheikh
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
byLancope, Inc.
 
Advanced Persistent Threat in ICS/SCADA/IOT world: a case study
byFrancesco Faenzi
 
Cisco, Sourcefire and Lancope - Better Together
byLancope, Inc.
 

What's hot

PPTX
Extending Network Visibility: Down to the Endpoint
byLancope, Inc.
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
PDF
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
byPriyanka Aash
 
PPTX
What's New in StealthWatch v6.5
byLancope, Inc.
 
PDF
S4xJapan Closing Keynote
byDigital Bond
 
PDF
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
bySylvain Martinez
 
PDF
Stop Passing the Bug: IoT Supply Chain Security
bySynopsys Software Integrity Group
 
PDF
ICS Network Security Monitoring (NSM)
byDigital Bond
 
PPTX
Check Point Threat emulation 2013
byGroup of company MUK
 
PDF
The Four Horsemen of Mobile Security
bySkycure
 
PPTX
IoT Security - Preparing for the Worst
bySatria Ady Pradana
 
PDF
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
What Happens Before the Kill Chain
byOpenDNS
 
PPT
DHS ICS Security Presentation
byguest85a34f
 
PDF
Remotely Scanning Organization’s Internal Network
byijtsrd
 
PPTX
Sasa milic, cisco advanced malware protection
byDejan Jeremic
 
PDF
Securing Critical Iot Infrastructure, IoT Israel 2014
byiotisrael
 
PPTX
SDN Analytics & Security
byScott Raynovich
 
PPTX
Where Are All The ICS Attacks?
byEnergySec
 
Extending Network Visibility: Down to the Endpoint
byLancope, Inc.
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
byPriyanka Aash
 
What's New in StealthWatch v6.5
byLancope, Inc.
 
S4xJapan Closing Keynote
byDigital Bond
 
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
bySylvain Martinez
 
Stop Passing the Bug: IoT Supply Chain Security
bySynopsys Software Integrity Group
 
ICS Network Security Monitoring (NSM)
byDigital Bond
 
Check Point Threat emulation 2013
byGroup of company MUK
 
The Four Horsemen of Mobile Security
bySkycure
 
IoT Security - Preparing for the Worst
bySatria Ady Pradana
 
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
What Happens Before the Kill Chain
byOpenDNS
 
DHS ICS Security Presentation
byguest85a34f
 
Remotely Scanning Organization’s Internal Network
byijtsrd
 
Sasa milic, cisco advanced malware protection
byDejan Jeremic
 
Securing Critical Iot Infrastructure, IoT Israel 2014
byiotisrael
 
SDN Analytics & Security
byScott Raynovich
 
Where Are All The ICS Attacks?
byEnergySec
 

Viewers also liked

PPT
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
byPraetorian
 
PPTX
Social engineering tales
byAhmed Musaad
 
PDF
Reverse Engineering Malicious Javascript
byYusuf Motiwala
 
PPTX
Social engineering-Attack of the Human Behavior
byJames Krusic
 
PPTX
Social engineering
byAlexander Zhuravlev
 
PDF
Reverse Engineering (EVO 2008)
byTudor Girba
 
PDF
Social Engineering - Strategy, Tactics, & Case Studies
byPraetorian
 
PPTX
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
PPTX
Social Engineering
byCyber Agency
 
PPTX
Reverse engineering & its application
bymapqrs
 
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
byPraetorian
 
Social engineering tales
byAhmed Musaad
 
Reverse Engineering Malicious Javascript
byYusuf Motiwala
 
Social engineering-Attack of the Human Behavior
byJames Krusic
 
Social engineering
byAlexander Zhuravlev
 
Reverse Engineering (EVO 2008)
byTudor Girba
 
Social Engineering - Strategy, Tactics, & Case Studies
byPraetorian
 
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
Social Engineering
byCyber Agency
 
Reverse engineering & its application
bymapqrs
 

Similar to Exploring Risk and Mapping the Internet of Things with Autonomous Drones

PDF
IoT Hardware Teardown, Security Testing & Control Design
byPriyanka Aash
 
PDF
ErichFicker_FinalDraft_28Mar16_Hardcopy
byErich Ficker
 
PPTX
power rangers(shikha)(rajat)efeffewfewfewfewfewfewewdfewfewfewdfew.pptx
bysinghshikha7898
 
PDF
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
byBrian Knopf
 
PDF
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
byHITCON GIRLS
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
PDF
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
byDuo Security
 
PDF
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
bySeungjoo Kim
 
PDF
The Internet of Things: We've Got to Chat
byDuo Security
 
PPTX
Security Testing for IoT Systems
bySecurity Innovation
 
PPTX
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
PDF
Protecting your home and office in the era of IoT
byMarian Marinov
 
PPTX
IoTNEXT 2016 - SafeNation Track
byPriyanka Aash
 
PPTX
ASDF WSS 2014 Keynote Speech 1
byAssociation of Scientists, Developers and Faculties
 
PPTX
How to create a secure IoT device
byAbhijeet Rane
 
PPTX
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
byRapid7
 
PDF
IoT Security by Design
byNUS-ISS
 
PDF
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
bydino715195
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
byST_World
 
PDF
OWASP Cambridge Chapter Meeting 13/12/2016
byjoebursell
 
IoT Hardware Teardown, Security Testing & Control Design
byPriyanka Aash
 
ErichFicker_FinalDraft_28Mar16_Hardcopy
byErich Ficker
 
power rangers(shikha)(rajat)efeffewfewfewfewfewfewewdfewfewfewdfew.pptx
bysinghshikha7898
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
byBrian Knopf
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
byHITCON GIRLS
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
byDuo Security
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
bySeungjoo Kim
 
The Internet of Things: We've Got to Chat
byDuo Security
 
Security Testing for IoT Systems
bySecurity Innovation
 
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
Protecting your home and office in the era of IoT
byMarian Marinov
 
IoTNEXT 2016 - SafeNation Track
byPriyanka Aash
 
ASDF WSS 2014 Keynote Speech 1
byAssociation of Scientists, Developers and Faculties
 
How to create a secure IoT device
byAbhijeet Rane
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
byRapid7
 
IoT Security by Design
byNUS-ISS
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
bydino715195
 
Track 5 session 1 - st dev con 2016 - need for security for iot
byST_World
 
OWASP Cambridge Chapter Meeting 13/12/2016
byjoebursell
 

Recently uploaded

PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
PDF
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
PDF
OutSystsems User Group Brabant November 2025
bymail496323
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PPTX
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
OutSystsems User Group Brabant November 2025
bymail496323
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 

Exploring Risk and Mapping the Internet of Things with Autonomous Drones

  • 1.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM 1 PAULJAUREGUI VP, SECURING IOT @ PRAETORIAN RICHARD MCPHERSON PHD CANDIDATE, INTERN, PRAETORIAN (2015) NISHIL SHAH UT GRADUATE, INTERN, PRAETORIAN (2015) DALLAS KAMAN SENIOR SECURITY ENGINEER, PRAETORIAN Internet of Things Map Project Team | Summer 2015 and beyond
  • 2.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM 2Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
  • 3.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM 3Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
  • 4.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM 4Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
  • 5.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM 5Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
  • 6.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM 6Praetorian Partnered with DroneSense (dronesense.com) for FAA Exemption and Autonomous Drone Automation
  • 7.
  • 8.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM CaptureDevice (v1.0) Specifications and Requirements 8 ZIGBEE RADIOS Atmel RZUSBstick (x8) Flashed custom firmware GPS MODULE Adafruit GPS HAT for Raspberry Pi RASPBERRY PI Model B+ 512MB RAM Raspbian OS ‣ Autonomous operation ‣ Hand-held size ‣ Under 250 grams ‣ Battery powered (Drone’s) ‣ Discover all Zigbee devices within 150-feet across all 16 channels in under 10-seconds while traveling 10-20mph

  • 9.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM ExtendingKillerbee 802.15.4 Network Attacking Framework 9 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE
  • 10.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM ExtendingKillerbee 802.15.4 Network Attacking Framework 10 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE Step 1: All connected Zigbee radios send beacon request on assigned to channel
  • 11.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM ExtendingKillerbee 802.15.4 Network Attacking Framework 11 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 Found Something! ** Listen for 10 sec ** ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE
  • 12.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM ExtendingKillerbee 802.15.4 Network Attacking Framework 12 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 2400MHz 2483MHz2.4GHz Zigbee Channels PROCESS 1 PROCESS 2 PROCESS 3 17 Found Something! ** Listen for 10 sec ** ‣ Extended Killerbee zbwardrive utility ‣ Added new Python multiprocessing ‣ All Zigbee radios cycle through channels simultaneously ‣ Channels record for a set amount of time DOWNLOAD KILLERBEE FRAMEWORK AT HTTPS://GITHUB.COM/RIVERLOOPSEC/KILLERBEE
  • 13.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Post-processingEngine: Fingerprinting Methodology 13 4. | Analyze Zigbee Traffic and Fingerprint Devices with Company MAC address Philips Hue Smart Lighting Network Identified TCP/Greenwave Lighting Network Identified
  • 14.
  • 15.
  • 16.
  • 17.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Mesh Network BasicSmart Lighting Architecture / Attack Surface 17 CLOUD SERVICES Internet WiFi Router Lighting Gateway Remote INTERNAL NETWORKEXTERNAL WiFiCellular Mobile apps Sensor 6LoWPAN Z-wave and more
  • 18.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Mesh Network BasicSmart Lighting Architecture / Attack Surface 18 CLOUD SERVICES Internet WiFi Router Remote INTERNAL NETWORKEXTERNAL WiFiCellular Mobile apps Sensor 6LoWPAN Z-wave and more Lighting Gateway
  • 19.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM EmbeddedDevice Hacking with Physical Access 19 TX RX Ground UART Port Gained persistent root access to device via SSH server, which runs on boot up
 ‣ Connected test points on board to UART adapter for “Kernel Init Hijacking” ‣ “Kernel Init Hijacking” allows temporary Root access to TCP Hub file system by tampering with the boot sequence and injecting commands ‣ Access used to retrieve root SSH password, which was “thinkgreen” and shared by all TCP Gateways ‣ Potential to also remotely install malicious software that turns the hub into a proxy to the network, could sniff/exfiltrate data, or launch attacks on other systems INDEPENDENT RESEARCH
  • 20.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM EmbeddedDevice Hacking with Physical Access 20 In January 2015, Greenwave forced a firmware update that fixed these issues
 
 ✓ Removed local web control interface that lacked authentication by closing port 80
 ✓ Opened a secure HTTPS (port 443) service with currently unknown functionality
 ✓ Close the SSH (port 22) service to remove persistent Root access to hub via SSH credentials share by all devices
 ✓ UART pins may have been silenced, and boot delay may have been set to zero (no more “kernel init hijacking”)
 
UART Pins Silenced INDEPENDENT RESEARCH
  • 21.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM CommonSecurity Challenges in Product Development Lifecycle 21 ResearchTime to market pressures Testing Security is often left as an afterthought Support Ongoing security support and maintenance Launch Develop General lack of security consciousness Insufficient security testing prior to launch
  • 22.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internetof Things (IoT) — End-to-end Security Considerations 22 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data INTERNET OF THINGS END-TO-END SECURITY
  • 23.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internetof Things (IoT) — End-to-end Security Considerations 23 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data TX RX Ground UART Port INDEPENDENT RESEARCH
  • 24.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internetof Things (IoT) — End-to-end Security Considerations 24 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data CVE-2015-6949 - October 2015 Praetorian Security Researcher recognized by ASUS for responsible disclosure of a zero-day vulnerability affecting all ASUS router firmware Zero-day Impact: Remote Code Execution (RCE) INDEPENDENT RESEARCH
  • 25.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internetof Things (IoT) — End-to-end Security Considerations 25 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data INDEPENDENT RESEARCH
  • 26.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM Internetof Things (IoT) — End-to-end Security Considerations 26 EMBEDDED DEVICES Physical and logical threats to embedded systems DEVICE FIRMWARE Device firmware and update distribution process WIRELESS PROTOCOLS Local wireless communication protocols (M2M) APPLICATIONS Web applications, mobile apps, 3rd-party integrations CLOUD SERVICES Web services, RESTful APIs, analytics, 3rd-party services INFRASTRUCTURE Back-end systems, networks, servers, and data CLOUD SERVICES Internet WiFi Router HOME LOCAL AREA NETWORKEXTERNAL WiFiCellular Mobile apps IoT Device/Gateway Sensors Mesh Networks
  • 27.
    THE SECURITY EXPERTS WWW.PRAETORIAN.COM RecommendedSecurity Best Practices 27 Research Train employees about security best practices Testing Conduct 3rd-party security risk assessments Support Monitor product through its life, patch known vulns Launch Develop Build security in from the start, don’t bolt it on Test end-to-end security before product launch
  • 28.
    NETWORK APPLICATION MOBILECLOUD IOT Internet of Things Map Project Exploring Risk & Mapping the Internet of Things with Autonomous Drones