Cotopaxi – IoT protocols testing toolkit
About the author
• Jakub Botwicz, Principal Security Engineer at Samsung R&D Institute in Warsaw, Poland
• Leads a team of security researchers / pentesters
• PhD and MSc at Warsaw University of Technology
• 15+ years experience - previously worked as:
‒ Developer/architect for vendor of encryption devices
‒ Security advisor at credit card payment company
‒ Security consultant and manager at Big4 company
• Big enthusiast of rock climbing and active volcanoes
Cotopaxi – origin / idea
• IoT introduced new protocols (CoAP, DTLS, MQTT) and refurbished old protocols (UPnP, SSDP)
• Lack of security testing tools for IoT protocols (except for MQTT)
• Low level of security measures in IoT components and devices
• Our team performed an assessment of multiple IoT components – results:
- tools
- corpus of malformed messages
- 15+ new vulnerabilities
Source: Redbubble sticker: https://ih1.redbubble.net/image.534691174.7627/sticker,375x360-bg,ffffff.u3.png
IoT protocols – Constrained Application Protocol (CoAP)
• IoT messaging protocol
• Provides all types of HTTP requests in a more compact (binary) format
• UDP-based – request / response: 2 packets (while the smallest TCP req/resp is 9 packets)
• Introduces CONfirmable messages
• Without additional protection CoAP servers are vulnerable to DDoS
Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
IoT protocols – Datagram Transport Layer Security (DTLS)
• UDP-based version of Transport Layer Security
• Reuses all message formats from TLS – only the protocol version IDs are different
• Used as a security layer for all UDP-based protocols
• The anti-DDoS measure (Hello Verify Request) is not mandatory and some libraries do not implement it (the BOTAN_000 vulnerability test checks for it)
Source: Klaus Hartke, Olaf Bergmann „Datagram Transport Layer Security in Constrained Environments”
IoT protocols – Multicast DNS (mDNS) / DNS-Service Discovery (DNS-SD)
• Discovery of local services: printers, displays
• Querying local services using Multicast addresses
• Reuses query formats from the DNS protocol
• Best known as: Apple Bonjour, Zeroconf or Avahi
IoT protocols – Message Queuing Telemetry Transport (MQTT)
• Most popular IoT messaging protocol
• Publish/Subscribe message delivery by Brokers between Clients
Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
Cotopaxi – the name
• Active stratovolcano in Ecuador
• Elevation: 5,897 m
Author: Gerard Prins CC BY-SA 3.0
Cotopaxi – the toolkit
• Set of tools for security testing of Internet of Things devices using network IoT protocols
• License: GPL-2.0
• Repository: https://github.com/samsung/cotopaxi
Source: Rankin Kennedy C.E. (1912) The Book of the Motor Car, Caxton (PD)
Cotopaxi – usage scenarios
• For pentesters to:
‒ analyze environments using IoT, Smart-{Home, Factory, City}
‒ find active endpoints using IoT protocols
‒ identify network traffic reflectors (DDoS)
• For security researchers to:
‒ perform „black box” testing of IoT devices
‒ identify known security vulnerabilities
• For developers or vendors of IoT devices to:
‒ fuzz components or interfaces
‒ test traffic amplification (DDoS)
Cotopaxi – features
Reconnaissance:
• Service ping – checking the availability of network services
• Software fingerprinting – recognizing the software used by a remote network server
• Resource listing („dirbusting”) – discovering resources identified by given URLs
Pre-exploitation:
• Protocol fuzzing – fuzzing the protocol implementation
• Amplification sniffing – detecting network traffic amplification
• Vulnerability testing – identifying known vulnerabilities
Cotopaxi – IoT protocols
• Supported in the 1st release:
‒ Constrained Application Protocol (CoAP)
‒ Datagram Transport Layer Security (DTLS)
‒ Multicast DNS (mDNS) / DNS-Service Discovery (DNS-SD)
‒ Message Queuing Telemetry Transport (MQTT)
• Planned for next releases:
‒ Advanced Message Queuing Protocol (AMQP)
‒ Discovery and Launch (DIAL)
‒ Hyper Text Coffee Pot Control Protocol (HTCPCP)
‒ MQTT for Sensor Networks (MQTT-SN)
‒ Simple Service Discovery Protocol (SSDP) / Universal Plug and Play (UPnP)
‒ Zigbee/Z-Wave
Cotopaxi – testbed
• CoAP (10 servers): aioCoAP, CoAPthon, eCoAP, FreeCoAP, IoTivity, libcoap, MicroCoAP, Mongoose, CantCoAP, CoAPthon3
• DTLS (9 servers): Botan, GnuTLS, LibreSSL, MatrixSSL, mbedTLS, OpenSSL (listed twice), TinyDTLS, WolfSSL
• mDNS/DNS-SD (2 servers): Avahi, tinysvcmdns
• MQTT (2 servers): Fluent-bit, Mosquitto
Source: atennies94 by CC BY-ND 2.0
https://www.flickr.com/photos/9266144@N02/1074855647
Cotopaxi feature – „service ping”
• Identifies active service endpoints (IPv4/IPv6:port)
• Does not use ICMP echo!
• For each protocol there is a set of messages that triggers responses in all tested servers, e.g. for DTLS – a Client Hello in all DTLS versions
• Better than using standard tools:
‒ nmap does not recognize CoAP and most DTLS servers
‒ Wireshark will not recognize protocol servers on non-standard ports
‒ sslyze and similar SSL/TLS tools do not support DTLS
Cotopaxi feature – service ping
sudo python -m cotopaxi.service_ping 192.168.1.2 10000-10008,20000-20010,30000-30002
[.] Started service ping
[+] Host 192.168.1.2:10000 does NOT respond to MQTT ping (Connect) message
[+] Host 192.168.1.2:10000 does NOT respond to mDNS ping message
...
[.] Finished service ping (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 138, responses received: 58, 58% message loss, test time: 123236 ms
Round-Trip Time (min/avg/max): 11 / 59 / 84 ms
==================================================================
Test results:
Active endpoints:
For Protocol.CoAP: ['192.168.1.2:20000', '192.168.1.2:20002', ... , '192.168.1.2:20009']
Total number of active endpoints: 18
Inactive endpoints: 5
Cotopaxi feature – resource listing (dirbusting)
• Equivalent to DirBuster/dirb for CoAP/mDNS, or to the nmap script coap-resources
• Uses a list of URIs (for CoAP) or services (for mDNS)
• Cotopaxi includes sample lists of resources
• Users can provide their own list of URIs or services
Cotopaxi feature – resource listing (dirbusting)
sudo python -m cotopaxi.resource_listing 192.168.1.2 20000-20010 cotopaxi/lists/urls/short_url_list.txt -P CoAP
[.] Started resource listing
SENT size:9 RECV size:74 AMPLIFICATION FACTOR:722.00%
[+] Url |test| received code |2_05| on server 192.168.1.2:20001 for method GET
...
[.] Finished resource listing (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 33, responses received: 28, 15% message loss, test time: 7088 ms
Round-Trip Time (min/avg/max): 45 / 61 / 115 ms
==================================================================
Test results:
Active endpoints:
For Protocol.CoAP: ['192.168.1.2:20001/test', '192.168.1.2:20002/big']
Total number active endpoints: 2
Inactive endpoints: 20
Cotopaxi feature – service fingerprinting
• Detection of the software and version used by the server
• Equivalent to nmap -sV (Service and Application Version Detection)
• Uses a machine learning classifier
• In this version works only for CoAP and DTLS
Cotopaxi feature – service fingerprinting (algorithm)
• Preparation of the classifier for a protocol:
1. Gather all available protocol implementations
2. Generate a corpus of packets (payloads):
a. Fuzz an implementation of the protocol using a coverage-based fuzzer (like afl)
b. One of the outputs is a set of payloads that each trigger a different execution path (the afl queue)
3. For all available implementations:
a. Gather responses for all payloads
b. Extract features
c. Convert the output to the format used by the machine learning tool (ARFF)
4. Train the classifier using machine learning (Weka)
5. Implement the classifier as a Python function
Cotopaxi feature – service fingerprinting (training classifier)
Generated classifier:
packet_1_type = No
| packet_3_type = No
| | packet_10_type = No
| | | packet_11_options = Content-Format_Empty: smcp (5.0)
| | | packet_11_options = ETag: libcoap (5.0)
| | packet_10_type = RST: FreeCoAP (5.0)
| | packet_10_type = ACK: moongose (5.0)
| packet_3_type = Empty: iotivity (5.0)
| packet_3_type = ACK
| | packet_0_type = No: coap-rs (5.0)
| | packet_0_type = ACK: lwm2m (5.0)
packet_1_type = RST
| packet_9_code = No: aiocoap (5.0)
| packet_9_code = Empty: ecoap (5.0)
| packet_9_code = 4_00: CoAPthon (5.0)
packet_1_type = ACK: microcoap (5.0)
Features (ARFF format):
@RELATION coap_responses
@ATTRIBUTE class {AIOCOAP, COAPTHON, … }
@ATTRIBUTE packet_0_type { No, Empty, RST, ACK, CON, NON }
@ATTRIBUTE packet_0_code { No, Empty, 2_05, 4_00, 4_01, 4_04, 4_05, 5_00, 5_02, NON }
@ATTRIBUTE packet_0_options { No, Empty, Uri-Query_OK, Uri-Query_Unsupported_cri, Uri-Query_CoAP_version_mu, Uri-Query_Method_Not_Allo, Content-Format_Empty, Content-Format_FFFF, ETag }
@ATTRIBUTE packet_1_type …
@ATTRIBUTE packet_1_code …
@ATTRIBUTE packet_1_options …
…
No – No response from server for this packet
Empty – This field was empty
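Steps 3b, 3c and 5 of the algorithm slide and the tree printed above, worked through as an added example (this is not Cotopaxi's own code): raw CoAP replies are mapped to the nominal features of the ARFF file, emitted as an ARFF data row, and run through a hand-transcription of the Weka tree. The probe numbering (0..11), the naming of options other than Content-Format, and the sample replies are my own assumptions and constructions.

```python
"""Added example (not Cotopaxi's own code): CoAP reply -> ARFF features -> tree."""
import struct

# CoAP message type from header bits 2-3 (RFC 7252, section 3)
TYPES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}
# Option numbers that appear among the slide's feature values
OPTION_NAMES = {4: "ETag", 12: "Content-Format", 15: "Uri-Query"}
FIELDS = ("type", "code", "options")


def _extended(nibble, buf, pos):
    """Decode the 13/14 extension of an option delta or length (RFC 7252, 3.1)."""
    if nibble == 13:
        return 13 + buf[pos], pos + 1
    if nibble == 14:
        return 269 + struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2
    return nibble, pos


def option_features(buf):
    """Name every option before the 0xFF payload marker; Content-Format also
    carries its value ('Content-Format_Empty', 'Content-Format_FFFF'). The
    naming of other options as 'OptionN' is an assumption of this example."""
    number, pos, names = 0, 0, []
    while pos < len(buf) and buf[pos] != 0xFF:
        delta, length = buf[pos] >> 4, buf[pos] & 0x0F
        pos += 1
        delta, pos = _extended(delta, buf, pos)
        length, pos = _extended(length, buf, pos)
        number += delta
        value, pos = buf[pos:pos + length], pos + length
        name = OPTION_NAMES.get(number, "Option%d" % number)
        if number == 12:
            name += "_Empty" if not value else "_" + value.hex().upper()
        names.append(name)
    return ",".join(names) or "Empty"


def extract_features(response):
    """One probe's reply (bytes) or None -> {'type', 'code', 'options'}.
    'No' means no reply at all, 'Empty' means the field carried nothing."""
    if response is None:
        return dict.fromkeys(FIELDS, "No")
    if len(response) < 4:            # shorter than a CoAP header: treat as empty
        return dict.fromkeys(FIELDS, "Empty")
    first, code = response[0], response[1]
    token_length = first & 0x0F
    return {
        "type": TYPES[(first >> 4) & 0x03],
        # code byte = class (3 bits) . detail (5 bits): 0x45 -> '2_05', 0x80 -> '4_00'
        "code": "Empty" if code == 0 else "%d_%02d" % (code >> 5, code & 0x1F),
        "options": option_features(response[4 + token_length:]),
    }


def features_from_responses(responses):
    """Replies to probes 0..n-1 -> flat dict keyed like the ARFF attributes."""
    features = {}
    for index, response in enumerate(responses):
        for field, value in extract_features(response).items():
            features["packet_%d_%s" % (index, field)] = value
    return features


def arff_row(label, features, probe_count):
    """One ARFF data line: class first, then type/code/options for every probe."""
    cells = [label]
    for index in range(probe_count):
        cells += [features["packet_%d_%s" % (index, f)] for f in FIELDS]
    return ",".join(cells)


def classify(f):
    """The Weka tree from the slide, transcribed by hand into Python (step 5)."""
    if f["packet_1_type"] == "ACK":
        return "microcoap"
    if f["packet_1_type"] == "RST":
        return {"No": "aiocoap", "Empty": "ecoap", "4_00": "CoAPthon"}.get(f["packet_9_code"])
    if f["packet_1_type"] == "No":
        if f["packet_3_type"] == "Empty":
            return "iotivity"
        if f["packet_3_type"] == "ACK":
            return {"No": "coap-rs", "ACK": "lwm2m"}.get(f["packet_0_type"])
        if f["packet_3_type"] == "No":
            if f["packet_10_type"] == "RST":
                return "FreeCoAP"
            if f["packet_10_type"] == "ACK":
                return "moongose"  # spelt as in the Weka output on the slide
            if f["packet_10_type"] == "No":
                return {"Content-Format_Empty": "smcp",
                        "ETag": "libcoap"}.get(f["packet_11_options"])
    return None  # feature combination not covered by the tree


# Constructed sample: 12 probes, only probe 11 answered (ACK 2.05 with an ETag option)
ACK_205_ETAG = bytes([0x60, 0x45, 0x12, 0x34, 0x42, 0xAB, 0xCD, 0xFF]) + b"ok"
LIBCOAP_LIKE = [None] * 11 + [ACK_205_ETAG]
# Constructed sample: probe 1 gets a bare RST, probe 9 an empty (code 0.00) ACK
RST_EMPTY = bytes([0x70, 0x00, 0x00, 0x01])
ACK_EMPTY = bytes([0x60, 0x00, 0x00, 0x09])
ECOAP_LIKE = [None, RST_EMPTY] + [None] * 7 + [ACK_EMPTY] + [None] * 2

if __name__ == "__main__":
    for name, sample in (("libcoap-like", LIBCOAP_LIKE), ("ecoap-like", ECOAP_LIKE)):
        feats = features_from_responses(sample)
        print(name, "->", classify(feats))
        print(arff_row(name, feats, len(sample)))
```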
Cotopaxi feature – service fingerprinting
sudo python -m cotopaxi.server_fingerprinter 192.168.0.100 20000 -P CoAP
[.] Started service fingerprinting
[.] Host 192.168.0.100:20000 is alive before test!
[.] Host 192.168.0.100:20000 is alive after test!
[+] CoAP server 192.168.0.100:20000 is using software: aiocoap
[.] Finished service fingerprinting (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 8, responses received: 5, 38% message loss, test time: 3493 ms
Round-Trip Time (min/avg/max): 51 / 62 / 83 ms
==================================================================
Test results:
Identified endpoints:
    For Protocol.CoAP: ['192.168.0.100:20000 is using aiocoap']
Total number of identified endpoints: 1
Inactive endpoints: 0
Cotopaxi feature – protocol fuzzer (black-box)
• Uses a corpus of malformed protocol messages (payloads) prepared with afl (American Fuzzy Lop)
• Checks „service ping” before and after sending each payload
• Allows using your own corpus of payloads and integrating with a mutating fuzzer
• In verbose mode displays the payload and the response packet
• Calculates RTT for payloads with responses and displays the top 10% – potentially interesting because of the longest processing time on the server
Protocol       | CoAP | DTLS | mDNS/DNS-SD | MQTT
Size of corpus | 557  | 395  | 77          | 285
Cotopaxi feature – protocol fuzzer
[+] Started fuzzing payload (nr: 395): dtls_corpus/id:000360,sync:fuzzer_tinydtls_slave_laf-1,src:000379
Request:
###[ DTLS Record ]###
content_type= handshake
version = DTLS_1_1
------------------------------------------------------------
Response:
###[ DTLS Record ]###
content_type= handshake
version = DTLS_1_1
…
Payloads with longest Round-Trip Time (RTT):
RTT (sec) | Payload
--------------------------------------------------------------------------------
0.08722 | dtls_corpus/id:000206,src:000168,op:arith8,pos:840,val:+27,+cov
0.08630 | dtls_corpus/id:000362,sync:fuzzer_tinydtls_slave_laf-1,src:000373
Cotopaxi feature – protocol fuzzer (cont.)
….
==================================================================
Test statistics:
Messages sent: 795, responses received: 732, 8% message loss, test time: 169906 ms
Round-Trip Time (min/avg/max): 35 / 55 / 131 ms
==================================================================
Test results:
Payloads causing crash:
For Protocol.DTLS: ['192.168.0.100:10004 - payload: id:000308,sync:fuzzer_tinydtls_slave_laf-1,src:000303,+cov']
Cotopaxi feature – vulnerability tester
• Types of vulnerabilities:
‒ crash (DoS) – leads to a crash of the server (detected by service ping)
‒ traffic amplification (for DDoS) – responses larger than the request
‒ memory leak – server wastes memory after processing a payload (requires manual confirmation)
‒ remote code execution (currently only detected as crashes)

Vulnerability type    | CoAP | DTLS | mDNS/DNS-SD | MQTT
Crash                 | 5    | 4    | 1           | 1
Traffic amplification | 1    | 1    | -           | -
Memory leak           | 1    | -    | -           | -
Remote code execution | -    | -    | 2           | 1
TOTAL*                | 7    | 5    | 3           | 2
* 2 vulnerabilities are currently in responsible disclosure process
Cotopaxi feature – vulnerability tester
• Example vulnerabilities found by our team and supported by Cotopaxi:
‒ CVE-2019-9747 tinysvcmdns – mDNS server goes into an infinite loop after receiving a DNS query with recursively referenced names
‒ CVE-2019-9004 Wakaama – CoAP server leaks (wastes) 24 bytes per crafted packet
‒ CVE-2019-9750 IoTivity – CoAP server responds with 6 error messages
Source: Grasshopper shot near Miles City, Mont., c. 1937, Coles Studio, Glassgow, Mont.
Cotopaxi feature – vulnerability tester
sudo python -m cotopaxi.vulnerability_tester 192.168.1.2 10000 --cve CVE-2019-9004 --vuln FLUENTBIT_000 -P DTLS
[.] Started vulnerability testing
[+] Server 192.168.0.100:30000 is NOT vulnerable to FLUENTBIT_000
[+] Server 192.168.0.100:30002 is probably vulnerable to FLUENTBIT_000
[.] Finished vulnerability testing (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 7, responses received: 4, 43% message loss, test time: 1100 ms
Round-Trip Time (min/avg/max): 5 / 21 / 43 ms
==================================================================
Test results:
Vulnerable endpoints:
For Protocol.MQTT: ['192.168.0.100:30002 - vuln: FLUENTBIT_000']
Total number of vulnerable endpoints: 1
Invulnerable endpoints: 1
Cotopaxi feature – amplification sniffer
• Sniffs all packets incoming to and outgoing from the specified target
• Target is defined by an IPv4 or IPv6 address and optionally a port
• Calculates the amplification factor (size_out/size_in - 1)
• Tracks the req/resp pair with the highest amplification factor and displays the record on exit
• Should be run on a router or use a network tap to see all traffic to/from the target
[Figure: DDoS attack via IP spoofing and traffic amplification through vulnerable IoT devices. Source: Austin Brooks „NTP DDoS Vulnerability”]
• Identified amplifiers/reflectors:
‒ CoAP: every request with a large response (e.g. the CoAPthon example resource /big); IoTivity's 4.04 response repeated 6x (IOTIVITY_000 issue in the tester)
‒ DTLS: every DTLS server without Hello Verify Request (e.g. the Botan_000 issue in the tester)
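The byte accounting behind the amplifier detector, as an added example that is not Cotopaxi's own code: it keeps the tool's TO TARGET / FROM TARGET counters, pairs each reply with the latest request from the same peer, applies the formula size_out/size_in - 1 and remembers the worst pair. It assumes datagrams already decoded into dicts (for instance from a pcap; the decoding is not shown), and the capture below is constructed, with the 9-byte request / 74-byte reply pair taken from the resource-listing slide.

```python
"""Added example (not Cotopaxi's own code): amplification factor per target."""


def amplification_factor(bytes_in, bytes_out):
    """Cotopaxi's formula size_out / size_in - 1, as a fraction: 0.0 means the
    reply is the same size as the request, 7.22 means it is 8.22x larger."""
    if bytes_in <= 0:
        return None
    return bytes_out / bytes_in - 1


def as_percent(factor):
    return "%.2f%%" % (100 * factor)


class AmplificationTracker:
    """Consumes decoded UDP datagrams ({'src','sport','dst','dport','size'}) and
    mirrors the tool's running counters plus the highest-amplification record."""

    def __init__(self, target_ip, target_port=None):
        self.target_ip, self.target_port = target_ip, target_port
        self.to_packets = self.to_bytes = 0
        self.from_packets = self.from_bytes = 0
        self._last_request = {}   # peer (ip, port) -> its latest datagram to the target
        self.best = None          # (factor, request, response)

    def _is_target(self, ip, port):
        return ip == self.target_ip and self.target_port in (None, port)

    def observe(self, pkt):
        if self._is_target(pkt["dst"], pkt["dport"]):
            self.to_packets += 1
            self.to_bytes += pkt["size"]
            self._last_request[(pkt["src"], pkt["sport"])] = pkt
        elif self._is_target(pkt["src"], pkt["sport"]):
            self.from_packets += 1
            self.from_bytes += pkt["size"]
            # pair the reply with the most recent request from the same peer
            request = self._last_request.pop((pkt["dst"], pkt["dport"]), None)
            if request is not None:
                factor = amplification_factor(request["size"], pkt["size"])
                if self.best is None or factor > self.best[0]:
                    self.best = (factor, request, pkt)

    def overall_factor(self):
        """Factor over all bytes seen, as in the tool's 'TARGET: ...' status line."""
        return amplification_factor(self.to_bytes, self.from_bytes)

    def is_reflector(self, threshold=0.0):
        """True once a reply exceeded its request by more than `threshold`
        (0.0 is the page's criterion: responses larger than the request)."""
        return self.best is not None and self.best[0] > threshold

    def status_line(self):
        factor = self.overall_factor()
        return ("TARGET: %s | TO TARGET packets: %d, bytes: %d | FROM TARGET packets: %d,"
                " bytes: %d | AMPLIF FACTOR: %s"
                % (self.target_ip, self.to_packets, self.to_bytes, self.from_packets,
                   self.from_bytes, "n/a" if factor is None else as_percent(factor)))


# Constructed capture: a 9-byte CoAP GET answered with 74 bytes (the ratio shown on
# the resource-listing slide), a benign exchange, and a datagram to another port.
CONSTRUCTED_PACKETS = [
    {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 5683, "size": 9},
    {"src": "10.0.0.9", "sport": 5683, "dst": "10.0.0.5", "dport": 40000, "size": 74},
    {"src": "10.0.0.6", "sport": 41000, "dst": "10.0.0.9", "dport": 5683, "size": 60},
    {"src": "10.0.0.9", "sport": 5683, "dst": "10.0.0.6", "dport": 41000, "size": 40},
    {"src": "10.0.0.7", "sport": 42000, "dst": "10.0.0.9", "dport": 1900, "size": 30},
]


def run_demo(target_ip="10.0.0.9", target_port=5683):
    """Replay the constructed capture against a tracker and return it."""
    tracker = AmplificationTracker(target_ip, target_port)
    for pkt in CONSTRUCTED_PACKETS:
        tracker.observe(pkt)
    return tracker


if __name__ == "__main__":
    t = run_demo()
    print(t.status_line())
    print("Highest amplify packet factor:", as_percent(t.best[0]), "reflector:", t.is_reflector())
```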
Cotopaxi feature – amplifier detector
sudo python -m cotopaxi.amplifier_detector 192.168.0.100
[.] Starting sniffing with filter: udp and host 192.168.0.100
TARGET: 192.168.0.100 | TO TARGET packets: 3, bytes: 165 | FROM TARGET packets: 1, bytes: 60 | AMPLIF FACTOR: -64.00%
TARGET: 192.168.0.100 | TO TARGET packets: 6, bytes: 311 | FROM TARGET packets: 3, bytes: 180 | AMPLIF FACTOR: -43.00%
[.] Finished sniffing
Highest amplify packet factor: 30% 
TO TARGET:
###[ Ethernet ]###
  dst       = ….
  src       = ….
  type      = 0x800
###[ IP ]###
     version   = 4L
…
FROM TARGET:
###[ Ethernet ]###
  dst       = ….
 
Cotopaxi – common usage details
• Destination addresses: set or range of IPv4, IPv6 addresses
• Destination port: set or range of ports
• Protocol: ALL or subset of CoAP, DTLS, mDNS, MQTT
• Ignore Ping: -Pn
• Verbose mode: -V (more messages)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)

  • 2. About the author • Jakub Botwicz Principal Security Engineer at Samsung R&D Institute in Warsaw, Poland • Leads a team of security researchers / pentesters • PhD and MSc at Warsaw University of Technology • 15+ years experience - previously worked as: ‒ Developer/architect for vendor of encryption devices ‒ Security advisor at credit card payment company ‒ Security consultant and manager at Big4 company • Big enthusiast of rock climbing and active volcanoes
  • 3. Cotopaxi – origin / idea • IoT introduced new protocols: CoAP, DTLS, MQTT and refurbished old protocols: UPnP, SSDP • Lack of security testing tools for IoT protocols (except for MQTT) • Low level of security measures of IoT components and devices • Our team performed assessment of multiple IoT components – results: - tools - corpus of malformed messages - 15+ new vulnerabilities Source: Redbubble sticker: https://ih1.redbubble.net/image.534691174.7627/sticker,375x360-bg,ffffff.u3.png
  • 4. IoT protocols – Constrained Application Protocol (CoAP) • IoT messaging protocol • Provides all types of HTTP requests in more compact (binary) format • UDP-based – request / response: 2 packets (while TCP smallest req/resp: 9 packets) • Introduces: CONfirmable messages • Without additional protection CoAP servers are vulnerable to DDoS Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
  • 5. IoT protocols – Datagram Transport Layer Security (DTLS) • UDP-based version of Transport Layer Security • Reuses all message formats from TLS – only protocol version IDs are different • Used as a security layer for all UDP-based protocols • Anti-DDoS measure (Hello Verify Request) is not mandatory and some libraries do not implement it (vulnerability BOTAN_000 test it) Source: Klaus Hartke, Olaf Bergman „Datagram Transport Layer Security in Constrained Environments”
  • 6. IoT protocols – Multicast DNS (mDNS) / DNS-Service Discovery (DNS-SD) • Discovery of local services: printers, displays • Querying local services using Multicast addresses • Reuse query formats from DNS protocols • Best known as: Apple Bonjour, Zeroconf or Avahi
  • 7. IoT protocols – Message Queuing Telemetry Transport (MQTT) • Most popular IoT messaging protocol • Publish/Subscribe message delivery by Brokers between Clients Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
  • 8. Cotopaxi – the name • Active stratovolcano in Ecuador • Elevation: 5,897 m Author: Gerard Prins CC BY-SA 3.0
  • 9. Cotopaxi – the toolkit • Set of tools for security testing of Internet of Things devices using network IoT protocols • License: GPL-2.0 • Repository: https://github.com/samsung/cotopaxi Source: Rankin Kennedy C.E. (1912) The Book of the Motor Car, Caxton (PD)
  • 10. Cotopaxi – usage scenarios • For pentesters to: • analyze environments using IoT, Smart-{Home, Factory, City} • find active endpoints using IoT protocols • identify network traffic reflectors (DDoS) • For security researchers to: • perform „black box” testing of IoT devices • identify known security vulnerabilities • For developers or vendors of IoT devices to: • fuzz components or interfaces • test traffic amplification (DDoS)
  • 11. Cotopaxi – features Reconnaissance: • Service ping – checking availability of network services • Software fingerprinting – recognizing the software used by remote network server • Resource listing „dirbusting” – discovering resources identified by given URLs Pre-exploitation: • Protocol fuzzing – fuzzing implementation of protocol • Amplification sniffing – detecting network traffic amplification • Vulnerability testing – identifying known vulnerabilities
  • 12. Cotopaxi – IoT protocols • Supported in 1st release: • Constrained Application Protocol (CoAP) • Datagram Transport Layer Security (DTLS) • Multicast DNS (mDNS) / DNS-System Discovery (DNS-SD) • Message Queuing Telemetry Transport (MQTT) • Planned for next releases: • Advanced Message Queuing Protocol (AMQP) • Discovery and Launch (DIAL) • Hyper Text Coffee Pot Control Protocol (HTCPCP) • MQTT-Sensor Networks (MQTT-SN) • Simple Service Discovery Protocol (SSDP) / Universal Plug and Play (uPnP) • Zigbee/Z-Wave
  • 13. Cotopaxi – testbed • CoAP (10 servers) • aioCoAP • CoAPthon • eCoAP • FreeCoAP • DTLS (9 servers) • Botan • GnuTLS • LibreSSL • mDNS/DNS-SD (2 servers) • Avahi • tinysvcmdns • MQTT (2 servers) • Fluent-bit • Mosquitto • IoTivity • libcoap • MicroCoAP • Moongoose • MatrixSSL • mbedTLS • OpenSSL • CantCoAP • CoAPthon3 • TinyDTLS • OpenSSL • WolfSSL Source: atennies94 by CC BY-ND 2.0 https://www.flickr.com/photos/9266144@N02/1074855647
  • 14. Cotopaxi feature – „service ping” • Identifies active service endpoints (IPv4/IPv6:port) • Not uses ICMP echo! • For each protocol there is a set of messages that triggers responses in all tested servers e.g. DTLS – Client Hello in all DTLS versions • Better than using standard tools: • nmap does not recognize CoAP and most DTLS servers • wireshark will not recognize protocols servers on non-standard ports • sslyze and similar SSL/TLS tools do not support DTLS
  • 15. Cotopaxi feature – service ping sudo python -m cotopaxi.service_ping 192.168.1.2 10000-10008,20000-20010,30000-30002 [.] Started service ping [+] Host 192.168.1.2:10000 does NOT respond to MQTT ping (Connect) message [+] Host 192.168.1.2:10000 does NOT respond to mDNS ping message ... [.] Finished service ping (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 138, responses received: 58, 58% message loss, test time: 123236 ms Round-Trip Time (min/avg/max): 11 / 59 / 84 ms ================================================================== Test results: Active endpoints: For Protocol.CoAP: ['192.168.1.2:20000', '192.168.1.2:20002', ... , '192.168.1.2:20009'] Total number of active endpoints: 18 Inactive endpoints: 5
  • 16. Cotopaxi feature – resource listing (dirbusting) • Equivalent to DirBuster/dirb for CoAP/mDNS or nmap script coap-resources • Uses a list of URIs (for CoAP) or services (for mDNS) • Cotopaxi includes sample lists of resource • User can provide own list of URIs or services
  • 17. Cotopaxi feature – resource listing (dirbusting) sudo python -m cotopaxi.resource_listing 192.168.1.2 20000-20010 cotopaxi/lists/urls/short_url_list.txt -P CoAP [.] Started resource listing SENT size:9 RECV size:74 AMPLIFICATION FACTOR:722.00% [+] Url |test| received code |2_05| on server 192.168.1.2:20001 for method GET ... [.] Finished resource listing (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 33, responses received: 28, 15% message loss, test time: 7088 ms Round-Trip Time (min/avg/max): 45 / 61 / 115 ms ================================================================== Test results: Active endpoints: For Protocol.CoAP: ['192.168.1.2:20001/test', '192.168.1.2:20002/big'] Total number active endpoints: 2 Inactive endpoints: 20
  • 18. Cotopaxi feature – service fingerprinting • Detection of software and version used by server • Equivalent to nmap –sV (Service and Application Version Detection) • Uses machine learning classifier • In this version works only for CoAP, DTLS
  • 19. Cotopaxi feature – service fingerprinting (algorithm) • Preparation of classifier for protocol: 1. Gather all available protocol implementations 2. Generate corpus of packets (payloads) a. Fuzz implementation of protocol using coverage based fuzzer (like afl) b. One of output result is set of payloads causing different execution (queue in afl) 3. For all available implementations: a. Gather responses of for all payloads b. Extract features c. Convert output to format used by Machine Learning tool (ARFF) 4. Train classifier using machine learning (Weka) 5. Implement classifier as Python function
  • 20. Cotopaxi feature – service fingerprinting (training classifier) Generated classifier: packet_1_type = No | packet_3_type = No | | packet_10_type = No | | | packet_11_options = Content-Format_Empty: smcp (5.0) | | | packet_11_options = ETag: libcoap (5.0) | | packet_10_type = RST: FreeCoAP (5.0) | | packet_10_type = ACK: moongose (5.0) | packet_3_type = Empty: iotivity (5.0) | packet_3_type = ACK | | packet_0_type = No: coap-rs (5.0) | | packet_0_type = ACK: lwm2m (5.0) packet_1_type = RST | packet_9_code = No: aiocoap (5.0) | packet_9_code = Empty: ecoap (5.0) | packet_9_code = 4_00: CoAPthon (5.0) packet_1_type = ACK: microcoap (5.0) Features (ARFF format): @RELATION coap_responses @ATTRIBUTE class {AIOCOAP, COAPTHON, … } @ATTRIBUTE packet_0_type { No, Empty, RST, ACK, CON, NON } @ATTRIBUTE packet_0_code { No, Empty, 2_05, 4_00, 4_01, 4_04, 4_05, 5_00, 5_02, NON } @ATTRIBUTE packet_0_options { No, Empty, Uri-Query_OK, Uri- Query_Unsupported_cri, Uri-Query_CoAP_version_mu, Uri- Query_Method_Not_Allo, Content-Format_Empty, Content- Format_FFFF, ETag } @ATTRIBUTE packet_1_type … @ATTRIBUTE packet_1_code … @ATTRIBUTE packet_1_options … … No – No response from server for this packet Empty – This field was empty
  • 21. Cotopaxi feature – service fingerprinting sudo python -m cotopaxi.server_fingerprinter 192.168.0.100 20000 -P CoAP [.] Started service fingerprinting [.] Host 192.168.0.100:20000 is alive before test! [.] Host 192.168.0.100:20000 is alive after test! [+] CoAP server 192.168.0.100:20000 is using software: aiocoap [.] Finished service fingerprinting (for all addresses, ports and protocols) ================================================================== Test statistics: Messages sent: 8, responses received: 5, 38% message loss, test time: 3493 ms Round-Trip Time (min/avg/max): 51 / 62 / 83 ms ================================================================== Test results: Identified endpoints:     For Protocol.CoAP: ['192.168.0.100:20000 is using aiocoap'] Total number of identified endpoints: 1 Inactive endpoints: 0
  • 22. Cotopaxi feature – protocol fuzzer (black-box) • Uses corpus of malformed protocol messages (payloads) prepared with afl (American Fuzzy Loop) • Checks „service ping” before and after sending payload • Allows to use own corpus of payloads and integrate with mutating fuzzer • In verbose mode displays payload and response packet • Calculates RTT for payloads with responses and displays Top 10% - potentially interesting because of longest processing on server Protocol CoAP DTLS mDNS/ DNS-SD MQTT Size of corpus 557 395 77 285
Cotopaxi feature – protocol fuzzer

[+] Started fuzzing payload (nr: 395): dtls_corpus/id:000360,sync:fuzzer_tinydtls_slave_laf-1,src:000379
Request:
###[ DTLS Record ]###
  content_type= handshake
  version     = DTLS_1_1
------------------------------------------------------------
Response:
###[ DTLS Record ]###
  content_type= handshake
  version     = DTLS_1_1
…
Payloads with longest Round-Trip Time (RTT):
RTT (sec) | Payload
--------------------------------------------------------------------------------
0.08722   | dtls_corpus/id:000206,src:000168,op:arith8,pos:840,val:+27,+cov
0.08630   | dtls_corpus/id:000362,sync:fuzzer_tinydtls_slave_laf-1,src:000373
Cotopaxi feature – protocol fuzzer (cont.)

…
==================================================================
Test statistics:
Messages sent: 795, responses received: 732, 8% message loss, test time: 169906 ms
Round-Trip Time (min/avg/max): 35 / 55 / 131 ms
==================================================================
Test results:
Payloads causing crash:
    For Protocol.DTLS: ['192.168.0.100:10004 - payload: id:000308,sync:fuzzer_tinydtls_slave_laf-1,src:000303,+cov']
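The three fuzzer slides describe a procedure: service ping before the run, one payload at a time, service ping after each payload, crash attributed to the last payload, and a top-10% RTT table. The block below is an added example of that loop, not Cotopaxi's own fuzzer. The transport interface (a callable returning response and RTT), the UdpTransport class, the SimulatedTarget stand-in, the constructed corpus and the "ping" probe are all assumptions made for this example; the choice to stop at the first crash is also this example's, not necessarily the tool's.

```python
# Added example (not Cotopaxi code): the black-box loop described on the
# fuzzer slides, with a service ping before and after every payload, crash
# attribution, and the top-10% RTT table.  A transport is any callable
# send(payload) -> (response_bytes_or_None, rtt_seconds).  UdpTransport is a
# real one; SimulatedTarget is constructed here so the block runs offline.
import socket
import time


class UdpTransport:
    """Send one datagram and wait at most `timeout` seconds for a reply."""

    def __init__(self, host, port, timeout=1.0):
        self.addr, self.timeout = (host, port), timeout

    def __call__(self, payload):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(self.timeout)
            start = time.perf_counter()
            sock.sendto(payload, self.addr)
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                return None, time.perf_counter() - start
            return data, time.perf_counter() - start


class SimulatedTarget:
    """Constructed stand-in for a server: replies to everything, takes longer on
    payloads listed in `slow`, and stops replying once it has seen `crash_on`."""

    def __init__(self, crash_on, slow=None, timeout=1.0):
        self.crash_on, self.slow, self.timeout = crash_on, slow or {}, timeout
        self.alive = True

    def __call__(self, payload):
        if self.alive and payload == self.crash_on:
            self.alive = False
        if not self.alive:
            return None, self.timeout                            # the caller sees a timeout
        return b"\x60\x45\x00\x00", self.slow.get(payload, 0.01)  # constructed 2.05 ACK


def fuzz(send, ping, corpus, top_fraction=0.10):
    """Run `corpus` ([(name, payload), ...]) against `send`.

    Returns the name of the payload after which the service ping failed (or
    None), how many payloads got no response, per-payload RTTs, and the slowest
    `top_fraction` of the answered payloads.  The run stops at the first crash
    so the crashing payload is not buried by later timeouts (this example's choice)."""
    if send(ping)[0] is None:
        raise RuntimeError("target is not alive before the test")
    result = {"crash": None, "lost": 0, "rtts": {}, "slowest": []}
    for name, payload in corpus:
        response, rtt = send(payload)
        if response is None:
            result["lost"] += 1
        else:
            result["rtts"][name] = rtt
        if send(ping)[0] is None:                                 # service ping after the payload
            result["crash"] = name
            break
    ranked = sorted(result["rtts"].items(), key=lambda item: item[1], reverse=True)
    keep = max(1, int(len(ranked) * top_fraction)) if ranked else 0
    result["slowest"] = ranked[:keep]
    return result


# Constructed corpus: stand-ins for files such as dtls_corpus/id:000360,... on the slide.
CORPUS = [("id:%06d" % i, b"\x16\xfe\xfd" + bytes([i])) for i in range(12)]
PING = b"\x40\x01\x00\x00"                                        # constructed "service ping" probe

if __name__ == "__main__":
    target = SimulatedTarget(crash_on=CORPUS[7][1], slow={CORPUS[3][1]: 0.25})
    report = fuzz(target, PING, CORPUS)
    print("crash after:", report["crash"], "| payloads without response:", report["lost"])
    for name, rtt in report["slowest"]:
        print("%.5f | %s" % (rtt, name))
```

Against a real service replace the SimulatedTarget with UdpTransport(host, port) and load the corpus from files; the ping probe must be a message the service is known to answer (a valid CoAP GET, a DTLS ClientHello, an MQTT CONNECT), otherwise a healthy target is reported dead before the first payload.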
Cotopaxi feature – vulnerability tester
• Types of vulnerabilities:
‒ crash (DoS) – leads to a crash of the server (detected by the service ping)
‒ traffic amplification (for DDoS) – responses larger than the request
‒ memory leak – the server wastes memory after processing the payload (requires manual confirmation)
‒ remote code execution (currently only detected as crashes)

Vulnerabilities found, by type and protocol:
Vulnerability type      CoAP   DTLS   mDNS/DNS-SD   MQTT
Crash                   5      4      1             1
Traffic amplification   1      1      -             -
Memory leak             1      -      -             -
Remote code execution   -      -      2             1
TOTAL*                  7      5      3             2
* 2 vulnerabilities are currently in the responsible disclosure process
Cotopaxi feature – vulnerability tester
• Example vulnerabilities found by our team and supported by Cotopaxi:
‒ CVE-2019-9747 – tinysvcmdns mDNS server goes into an infinite loop after receiving a DNS query with recursively referenced names
‒ CVE-2019-9004 – Wakaama CoAP server leaks (wastes) 24 bytes per each crafted packet
‒ CVE-2019-9750 – IoTivity CoAP server responds with 6 error messages
Image source: Grasshopper shot near Miles City, Mont., c. 1937, Coles Studio, Glasgow, Mont.
Cotopaxi feature – vulnerability tester

sudo python -m cotopaxi.vulnerability_tester 192.168.1.2 10000 --cve CVE-2019-9004 --vuln FLUENTBIT_000 -P DTLS

(The command line and the output below come from different runs: the output concerns the MQTT endpoints 192.168.0.100:30000 and 30002.)

[.] Started vulnerability testing
[+] Server 192.168.0.100:30000 is NOT vulnerable to FLUENTBIT_000
[+] Server 192.168.0.100:30002 is probably vulnerable to FLUENTBIT_000
[.] Finished vulnerability testing (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 7, responses received: 4, 43% message loss, test time: 1100 ms
Round-Trip Time (min/avg/max): 5 / 21 / 43 ms
==================================================================
Test results:
Vulnerable endpoints:
    For Protocol.MQTT: ['192.168.0.100:30002 - vuln: FLUENTBIT_000']
Total number of vulnerable endpoints: 1
Invulnerable endpoints: 1
Cotopaxi feature – amplification sniffer
• Sniffs all packets incoming to and outgoing from the specified target
• Target is defined by an IPv4 or IPv6 address and optionally a port
• Calculates the amplification factor (size_out / size_in - 1)
• Tracks the request/response pair with the highest amplification factor and displays it on exit
• Should be run on the router or on a network tap so that all traffic to/from the target is visible
DDoS attack via IP spoofing and traffic amplification
(Figure: reflection attack through vulnerable IoT devices; source: Austin Brooks „NTP DDoS Vulnerability”)
• Identified amplifiers / reflectors:
‒ CoAP: every request with a large response, e.g. the CoAPthon example resource /big; IoTivity – 4.04 response repeated 6 times (IOTIVITY_000 issue in the tester)
‒ DTLS: every DTLS server without Hello Verify Request, e.g. BOTAN_000 issue in the tester
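The DTLS bullet above is a property you can test with one exchange: send a ClientHello with no cookie and look at the first thing the server sends back. A server that answers with HelloVerifyRequest (RFC 6347 section 4.2.1) makes the client echo a cookie before it sends its own large flight, so a spoofed source gets at most a small reply; a server that answers straight away with ServerHello, Certificate and the rest reflects a large flight to whatever address was spoofed. The block below is an added example of that check, not Cotopaxi's BOTAN_000 test; the DTLS 1.2 encoding follows RFC 6347, while the cipher suite list, the sample server replies and the probe() helper are assumptions made for this example.

```python
# Added example (not Cotopaxi code and not its BOTAN_000 check): build a
# DTLS 1.2 ClientHello without a cookie and judge the server's first flight.
# HelloVerifyRequest first = the server forces address validation before any
# large reply; ServerHello first = the server can be used as a reflector.
# Cipher suites and the constructed server replies below are assumptions.
import os
import socket
import struct

DTLS_1_2 = b"\xfe\xfd"                    # DTLS version numbers are the ones' complement of TLS ones
HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO, HELLO_VERIFY_REQUEST, CERTIFICATE = 1, 2, 3, 11


def dtls_record(content_type, body, epoch=0, sequence=0):
    """Record header: type(1) version(2) epoch(2) sequence(6) length(2)."""
    return (bytes([content_type]) + DTLS_1_2 + struct.pack(">H", epoch)
            + sequence.to_bytes(6, "big") + struct.pack(">H", len(body)) + body)


def handshake(msg_type, body, message_seq=0):
    """Handshake header: type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)."""
    length = len(body).to_bytes(3, "big")
    return bytes([msg_type]) + length + struct.pack(">H", message_seq) + b"\x00\x00\x00" + length + body


def client_hello(cookie=b"", cipher_suites=(0xC0AC, 0xC0AE, 0xC0A8)):
    """ClientHello without extensions; the suite list is an assumption, not a recommendation."""
    body = DTLS_1_2 + os.urandom(32) + b"\x00"                      # version, random, empty session id
    body += bytes([len(cookie)]) + cookie                            # empty cookie on the first try
    body += struct.pack(">H", 2 * len(cipher_suites)) + b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += b"\x01\x00"                                             # one compression method: null
    return dtls_record(HANDSHAKE, handshake(CLIENT_HELLO, body))


def first_handshake_type(datagram):
    """Handshake message type of the first record in a server datagram, or None."""
    if len(datagram) < 13 + 12 or datagram[0] != HANDSHAKE:
        return None
    record_len = struct.unpack(">H", datagram[11:13])[0]
    if record_len < 12 or len(datagram) < 13 + record_len:
        return None
    return datagram[13]


def reflector_verdict(request, reply):
    """Classify the server's first flight and compute its amplification factor (size_out/size_in - 1)."""
    if not reply:
        return {"kind": "no_response", "factor": None, "reflector": False}
    kind = {HELLO_VERIFY_REQUEST: "hello_verify_request", SERVER_HELLO: "server_hello"}.get(
        first_handshake_type(reply), "other")
    return {"kind": kind, "factor": len(reply) / len(request) - 1, "reflector": kind == "server_hello"}


def probe(host, port, timeout=2.0):
    """Send a cookie-less ClientHello and collect everything the server sends back within `timeout`."""
    request, reply = client_hello(), b""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                reply += sock.recvfrom(65535)[0]
        except socket.timeout:
            pass
    return reflector_verdict(request, reply)


def sample_hello_verify_request(cookie=bytes(range(16))):
    """Constructed reply of a server that validates the source address first."""
    return dtls_record(HANDSHAKE, handshake(HELLO_VERIFY_REQUEST, DTLS_1_2 + bytes([len(cookie)]) + cookie))


def sample_server_hello_flight(extra_records=3, record_size=900):
    """Constructed reply of a cookie-less server: ServerHello followed by Certificate-sized records."""
    server_hello = DTLS_1_2 + os.urandom(32) + b"\x00" + struct.pack(">H", 0xC0AC) + b"\x00"
    flight = dtls_record(HANDSHAKE, handshake(SERVER_HELLO, server_hello))
    for i in range(extra_records):
        flight += dtls_record(HANDSHAKE, handshake(CERTIFICATE, os.urandom(record_size), i + 1), sequence=i + 1)
    return flight


if __name__ == "__main__":
    request = client_hello()
    for reply in (sample_hello_verify_request(), sample_server_hello_flight()):
        print(reflector_verdict(request, reply))
```

Against a live server use probe(host, port); a verdict of hello_verify_request with a negative factor is the expected outcome, and a server_hello verdict with a factor in the tens means the endpoint will reflect its whole first flight to a spoofed address. A second ClientHello carrying the received cookie (client_hello(cookie=...)) is what a legitimate client would send next.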
Cotopaxi feature – amplifier detector

sudo python -m cotopaxi.amplifier_detector 192.168.0.100

[.] Starting sniffing with filter: udp and host 192.168.0.100
TARGET: 192.168.0.100 | TO TARGET packets: 3, bytes: 165 | FROM TARGET packets: 1, bytes: 60 | AMPLIF FACTOR: -64.00%
TARGET: 192.168.0.100 | TO TARGET packets: 6, bytes: 311 | FROM TARGET packets: 3, bytes: 180 | AMPLIF FACTOR: -43.00%
[.] Finished sniffing
Highest amplify packet factor: 30%
TO TARGET:
###[ Ethernet ]###
  dst       = ….
  src       = ….
  type      = 0x800
###[ IP ]###
  version   = 4L
…
FROM TARGET:
###[ Ethernet ]###
  dst       = ….
…
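The detector output above reports running totals and, on exit, the single worst request/response pair. The block below is an added example of that bookkeeping (not Cotopaxi's amplifier_detector, which works on live scapy captures): it runs over a constructed list of UDP packets, keeps the per-target totals, attributes each response to the latest request from the same client socket, and sums several responses to one request so that a repeated-response amplifier of the IoTivity kind shows up as one large factor. The addresses, ports and sizes are made up for the example.

```python
# Added example (not Cotopaxi code): the amplification sniffer's bookkeeping
# on a constructed packet list instead of a live capture.  A packet is
# (src_ip, src_port, dst_ip, dst_port, length_bytes); addresses and sizes are
# made up.  Factor = size_out / size_in - 1, as on the slide.  Responses are
# attributed to the most recent request from the same client socket and summed,
# so a request that triggers several responses is scored on their total.


def amplification_report(packets, target_ip, target_port=None):
    """Per-target totals, one entry per request with its summed responses, and the worst entry."""
    to_pkts = to_bytes = from_pkts = from_bytes = 0
    flows, open_req = [], {}   # open_req: (client_ip, client_port, target_port) -> index into flows
    for src, sport, dst, dport, size in packets:
        if dst == target_ip and (target_port is None or dport == target_port):
            to_pkts, to_bytes = to_pkts + 1, to_bytes + size
            open_req[(src, sport, dport)] = len(flows)          # newest request from this socket wins
            flows.append({"client": (src, sport), "port": dport, "request": size, "responses": 0})
        elif src == target_ip and (target_port is None or sport == target_port):
            from_pkts, from_bytes = from_pkts + 1, from_bytes + size
            idx = open_req.get((dst, dport, sport))
            if idx is not None:                                 # unsolicited traffic only counts in totals
                flows[idx]["responses"] += size
    for flow in flows:
        flow["factor"] = flow["responses"] / flow["request"] - 1
    return {
        "to_target": (to_pkts, to_bytes),
        "from_target": (from_pkts, from_bytes),
        "overall_factor": (from_bytes / to_bytes - 1) if to_bytes else None,
        "pairs": flows,
        "worst_pair": max(flows, key=lambda f: f["factor"], default=None),
    }


def as_percent(factor):
    """Render a factor the way the tool prints it, e.g. -0.4 -> '-40.00%'."""
    return "%.2f%%" % (factor * 100)


TARGET = "192.168.0.100"
PACKETS = (
    [("10.0.0.5", 5000, TARGET, 5683, 20), (TARGET, 5683, "10.0.0.5", 5000, 1200)]      # large resource
    + [("10.0.0.6", 5001, TARGET, 5683, 30)] + [(TARGET, 5683, "10.0.0.6", 5001, 40)] * 6   # 6 repeated responses
    + [("10.0.0.7", 5002, TARGET, 20000, 100), (TARGET, 20000, "10.0.0.7", 5002, 60)]     # other service, shrinks
)

if __name__ == "__main__":
    report = amplification_report(PACKETS, TARGET, 5683)
    print("TARGET: %s | TO TARGET packets: %d, bytes: %d | FROM TARGET packets: %d, bytes: %d | AMPLIF FACTOR: %s"
          % (TARGET, *report["to_target"], *report["from_target"], as_percent(report["overall_factor"])))
    for flow in report["pairs"]:
        print("%s:%d -> %d bytes in, %d bytes out, factor %s"
              % (*flow["client"], flow["request"], flow["responses"], as_percent(flow["factor"])))
    print("worst:", report["worst_pair"])
```

The overall factor can stay negative while a single request is heavily amplified, which is why the tool reports the worst pair separately; with a live capture the only change is feeding (src, sport, dst, dport, len) tuples from the sniffer into the same function.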
Cotopaxi – common usage details
• Destination addresses: a set or range of IPv4/IPv6 addresses
• Destination port: a set or range of ports
• Protocol: ALL or a subset of CoAP, DTLS, mDNS, MQTT
• Ignore ping: -Pn
• Verbose mode: -V (more messages)