IoT Forensics Challenges and Opportunities for Digital Traces
Francesco Servida, Eoghan Casey
DFRWS Europe 2019, 26.04.19

Outline
- Smart Devices
- Forensic Interest
- Methodology
- Results
- Discussion

Smart Devices
- Security systems: cameras, door locks, motion sensors, smoke & CO detectors
- Smart assistants: audio, video
- Smart hubs
- Smart: microwave, stove, grill, crock pot, refrigerator, grow system, coffee maker, television, thermostat, light bulbs, plugs, toys
- Smart firewalls

Forensic Interest
- Myriad of sensors
- Direct targets
  - Sensitive data
- Secondary targets: highly connected, low security
  - Alarm systems
  - «Trojan horses»
  - Botnets (e.g. Mirai)
- Witnesses

IoT forensics approach
- Enterprise IoT: proactive collection
- Home IoT: what to do on an "unprepared" crime scene?
Methodology
- Literature review
- Existing vulnerability reports
- Home automation communities
Methodology
- Who? How? What?

Methodology
- What traces on a smartphone?
- Traditional tools: no parsers
- Manual investigation and correlation
- Plugin development

Methodology
- Builds on network analysis
  - Listening ports, traffic type, traffic content
- MITM
  - mitmproxy, SSLsplit
- Firmware analysis
  - Binwalk, strings, hexdump

Methodology
- Serial connection, root access, (JTAG), (chip-off)
- Physical images
  - NVRAM settings
  - Filesystem images
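The firmware and NVRAM triage named on the methodology slides above, as an added example that is not part of the authors' work: a minimal Python scanner that, in the spirit of binwalk and strings, locates container signatures in a firmware dump and pulls key=value records out of an NVRAM-style settings region. The signature table is a small subset of what binwalk knows, and the firmware blob and setting names are constructed for this example.

```python
import re
# Magic values for containers commonly carved from embedded firmware (subset of binwalk's table).
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem (little-endian)",
    b"\x7fELF": "ELF executable",
}

def scan_signatures(blob: bytes) -> list:
    """Return (offset, description) for every magic value found, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)

def extract_strings(blob: bytes, min_len: int = 8) -> list:
    """Same idea as `strings -n min_len`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]

# NVRAM settings are usually stored as NUL-separated key=value records.
SETTING_RE = re.compile(r"^[A-Za-z0-9_.]+=\S*$")

def nvram_settings(blob: bytes) -> dict:
    """Pick out key=value records; the NUL separators split the strings for us."""
    settings = {}
    for s in extract_strings(blob, min_len=3):
        if SETTING_RE.match(s):
            key, _, value = s.partition("=")
            settings[key] = value
    return settings

# Constructed dump: uImage header, gzip kernel, SquashFS root, then constructed NVRAM-style settings.
SAMPLE_FIRMWARE = (
    b"\x27\x05\x19\x56" + b"\x00" * 60
    + b"\x1f\x8b\x08\x00" + b"\x00" * 100
    + b"hsqs" + b"\x00" * 100
    + b"wan_hostname=lab-hub\x00wl_ssid=LabNet\x00last_event=2019-04-26T10:00\x00"
)

if __name__ == "__main__":
    for offset, desc in scan_signatures(SAMPLE_FIRMWARE):
        print(f"0x{offset:06x}  {desc}")
    for key, value in nvram_settings(SAMPLE_FIRMWARE).items():
        print(f"{key} = {value}")
```

Offsets reported by scan_signatures are where a practitioner would cut the image with dd before unpacking the filesystem, and the settings dictionary is what the NVRAM slide calls "settings & events depending on device".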
Network Analysis
- Mostly TLS
- Only a minority is local traffic

Network Analysis
- iSmartAlarm
  - «Encrypted» traffic with Android app [1]
  - Unauthenticated diagnostic logs access (CVE-2018-16224)
- QBee
  - Cleartext traffic with Android app (CVE-2018-16225)
  - (UPnP port
[1] …ity-is-compromised-by-iot-vulnerabilities/

Physical Analysis
- Memory images: Arlo, iSmartAlarm Cube One
- Filesystem images: Wink, Arlo (partially)
- NVRAM settings: settings & events depending on device
Smartphone Application Artifacts
- Android phone (Samsung Galaxy Edge S6)
- iSmartAlarm: cloud credentials, events, UPnP discovered devices, MQTT topic infos
- Arlo: cloud credentials (token), linked devices, thumbnails, user information
- Nest: linked devices, events, video extracts
- QBee: cloud credentials, user info, linked devices
- Wink: events (long-term storage)

Smartphone Application Artifacts
- Investigation
- App decompilation

Smartphone Application Artifacts
- Official apps
  - Arlo: Arlo cache
  - Nest: Nest cache
- Aggregators
  - Wink Hub events
  - Arlo settings (Realm DB)

Cloud
- Increased persistence
- Access
  - Reuse of credentials on smartphone
  - Request to service provider
- Arlo: recorded videos
- DFRWS Challenge submissions [1]
  - Wink Hub: devices & events
  - iSmartAlarm: members
  - Nest: devices, events & clips

Freezing the IoT crime scene?
- Live data (transmitted)
  - Authentication credentials (e.g. CVE-2018-16225)
  - Current events
- Stored data
  - Not always persistent
  - Sometimes accessible live (with previous knowledge of the device), e.g. CVE-2018-16224
- First responder activities generate IoT traces at scene
- Risk of data loss!
Discussion
- New devices: unknown meaning of the data, prone to error and misinterpretation
- Controlled environment testing, share results (peer review)
- Better and more accepted knowledge of the meaning of the data
- Increased admissibility

Issues
- Smartphone artifacts not produced in background
- Physical
  - Extraction methods
  - Volatility of traces
- Variety of protocols

Future Research
- Study common smart home IoT devices
- Analyse IoT RF activities (e.g., Zigbee, Z-Wave)
- Chip-off analysis

https://github.com/fservida/msc_autopsy_plugins
https://github.com/fservida/msc_thesis_ch
Thank You.