IoT and the Impact on Security - Brian Knopf, ISSA-OC, July 2014

Post on 08-Aug-2015


TRANSCRIPT

Brian Knopf

brian@brksecurity.com

@doyouqa

Director of Application Security, Belkin International (owners of Linksys)

Member, UPnP Task Force

Previously Principal Test Architect, Office of the CTO at Rapid7

20+ years of experience in IT, QA, Development and Security

Programming, disassembling and reverse engineering since age 5

What is IoT?

Why is IoT Important?

Components of IoT

IoT Attacks

How Do I Protect My Environment?

Future of IoT

Conclusion

Source: Wikipedia.org http://en.wikipedia.org/wiki/IOT

Source: Gartner http://www.gartner.com/newsroom/id/2636073

Originated at the Auto-ID center at MIT

Started with RFID, Electronic Product Code tags to connect devices

Self-configuring was the key

Evolved into connected advanced wireless devices

No single IoT protocol currently

Source: Gartner http://www.gartner.com/newsroom/id/2636073

Hundreds of manufacturers creating devices

Everyday devices now connected and communicating valuable data

Makes environments smarter

Improves power conservation

Provides sense of security

Connects M2M and M2B

Pain Management 1970s vs Pain Management 2010s (image comparison)

Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

• Turn your electronics on/off, monitor them from anywhere

• Create rules, schedules, and receive notifications

• Get insight into home energy or water usage

• Compatible with iOS and Android

Source: http://www.belkin.com

• GPS tracking device for pets

• Track how much exercise they get

• Receive notifications when they leave user configured zone

• Uses Google Maps for setup

• Mobile and web apps for tracking and notifications

• Same technology used to track company vehicles

• Now cheaper and more accessible to average person

Source: http://www.pettracker.com/

• 3-factor authentication (Nymi, smart phone, cardiac rhythm)

• Integration with Windows, Mac OS, Android, and iOS

• Uses Bluetooth Low Energy

• Motion detection for gesture recognition

• Looking at integration with cars to unlock and start them

• Potential to replace identification or PIN for financial transactions

• Is this more secure than a password?

Source: http://www.getnymi.com

Protocols

• ZigBee

• Z-Wave

• 6LoWPAN

• NFC

• RFID

• Bluetooth

• Bluetooth Low Energy

• INSTEON

• Lutron

• MQTT

Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

IEEE 802.15.4

2.4 GHz frequency worldwide (16 channels)

Regional 915 MHz (Americas) & 868 MHz (Europe)

Powered and battery operated devices

Multiple star topology and inter-personal area network (PAN) communication

AES-128 security

2010 – 40% Market Share

2016 – 55% Market Share

[Diagram: ZigBee mesh network showing one ZigBee Coordinator (ZC), several ZigBee Routers (ZR), and ZigBee End Devices (ZED) attached to the ZC or to a ZR]

ZigBee Mesh Network

ZigBee Coordinator - ZC

ZigBee Router - ZR

ZigBee End Device - ZED

• ZigBee Coordinator - ZC

  • Only one

  • Trust Center

  • Network information

• ZigBee Router - ZR

  • Plug-in, not battery powered

  • Passes data from ZED to ZC

  • MitM Heaven

• ZigBee End Device - ZED

  • Talks to ZC or ZR
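The three roles above decide whose traffic a router can see: an end device only talks to its parent, so every frame it sends to the coordinator is relayed by each router on the path. The script below is an added example, not taken from the slides, from Belkin or from the ZigBee specification; it builds a small constructed mesh (node names, roles and links are all assumptions made up for the example), computes each end device's relay path to the coordinator, and counts how many end devices each router relays for, which is the defender's view of the "MitM heaven" remark: the routers with the highest count are the ones whose compromise exposes the most devices.

```python
from collections import deque

# Constructed topology (an assumption for this example, not from the slides).
# Roles: one ZC, mains-powered ZRs, and battery ZEDs that never forward.
ROLES = {
    "ZC": "ZC",
    "ZR1": "ZR", "ZR2": "ZR", "ZR3": "ZR",
    "ZED1": "ZED", "ZED2": "ZED", "ZED3": "ZED", "ZED4": "ZED", "ZED5": "ZED",
}

# Constructed radio links (undirected).
LINKS = [
    ("ZC", "ZR1"), ("ZC", "ZR2"), ("ZR1", "ZR3"),
    ("ZR1", "ZED1"), ("ZR1", "ZED2"), ("ZR3", "ZED3"),
    ("ZR2", "ZED4"), ("ZC", "ZED5"),
]


def build_adjacency(links):
    """Undirected adjacency sets from a list of (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def validate(roles, adj):
    """Reject topologies that break the slide's rules: exactly one ZC, and
    end devices attach only to a ZC or ZR (never to another ZED)."""
    if sum(1 for r in roles.values() if r == "ZC") != 1:
        raise ValueError("a ZigBee PAN has exactly one coordinator")
    for node, role in roles.items():
        if role != "ZED":
            continue
        for nb in adj.get(node, ()):
            if roles[nb] == "ZED":
                raise ValueError(f"{node} is linked to end device {nb}; ZEDs do not relay")


def relay_path(roles, adj, start):
    """Shortest forwarding path from `start` to the coordinator (BFS).
    Only ZR and ZC nodes may be intermediate hops; None if unreachable."""
    coordinator = next(n for n, r in roles.items() if r == "ZC")
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == coordinator:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nb in sorted(adj.get(node, ())):
            if nb in prev or roles[nb] == "ZED":   # ZEDs never forward frames
                continue
            prev[nb] = node
            queue.append(nb)
    return None


def router_exposure(roles, adj):
    """Count, per router, how many end devices' traffic it relays to the ZC.
    A high count marks a router whose compromise exposes many devices."""
    counts = {n: 0 for n, r in roles.items() if r == "ZR"}
    for node, role in roles.items():
        if role != "ZED":
            continue
        path = relay_path(roles, adj, node)
        if path is None:
            continue
        for hop in path[1:-1]:     # intermediate hops are routers by construction
            counts[hop] += 1
    return counts


if __name__ == "__main__":
    adj = build_adjacency(LINKS)
    validate(ROLES, adj)
    for zed in (n for n, r in ROLES.items() if r == "ZED"):
        print(zed, "->", " -> ".join(relay_path(ROLES, adj, zed)))
    print("relay load per router:", router_exposure(ROLES, adj))
```

In the constructed mesh ZR1 relays for three of the five end devices (two directly attached plus ZED3 via ZR3), so it is the router to prioritise for physical protection, firmware updates and monitoring; ZED5, attached straight to the coordinator, crosses no router at all.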

Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

Hardware, software, protocol solutions

Allow innovation and automation

Software connects APIs between services

Hardware to speak to everything

Protocol to bridge physical layer

Sources: http://www.ifttt.com, http://www.ninjablocks.com, http://www.revolv.com

Access to personal information

Can be used to protect physical location

Share some technology with traditional networked devices

Updates are mostly manual if available

Some endpoint devices are not updateable at all (ZigBee, Z-Wave)

Consumers rarely think about patching

Consumers are dependent on manufacturer updates

Many built on SDKs from chip vendors and manufacturers with no security expertise

Use 3rd Party libraries as black boxes

Consumer - Loosely connected devices that may or may not have rules integrating them

Enterprise – Technologies like Closed Loop Lifecycle Management (CL2M) enable businesses to see how their products are being used, track maintenance status, and share information securely

Enterprise users are charging, synching, and connecting IoT devices to corporate assets

The dividing line will disappear

Sources: http://www.vizualiiz.com, http://professional.medtronic.com, http://www.nike.com, http://www.progressive.com, http://retailnext.net, http://www.skylanders.com, https://onlycoin.com

Banking

Insurance

Retail

Health & Fitness

Medical

Entertainment

Asset Management

Sources: http://www.getnymi.com, http://www.yubico.com, http://myidkey.com/

Do these improve security or make people feel safer?

Some IoT devices rely on Wi-Fi credentials only

Hard to use products fail

Accounts should depend on class of products

Take measures to counter ease of use & improve security

Perception vs Reality

P2P vs Server Relay

Which is safer?

IoT protocols open parallel wireless networks

Strong encryption + bad implementation = 0 benefit

Increase in attack surface

More devices to patch and maintain

Cannot backport fixes

Dependent on vendor updates

Where do IT teams draw the responsibility line?

Impact of IoT on BYOD

What is allowed on systems?

What is allowed in the network?

What glue services make sense for your company?

Is it worth the risk?

How can you stop them?

Are you watching outbound?
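One concrete way to answer "what do IoT devices need access to?" and "are you watching outbound?" is to write down, per device class, the few destinations a device legitimately needs and run the firewall's outbound log against that policy. The script below is an added example, not from the slides or from any vendor: the subnets, the per-class policy, the log format and the log lines are all constructed for the example. It separates findings into unexpected egress (an IoT device reaching an unplanned external destination) and unexpected lateral movement (an IoT device reaching an internal host it has no business with), which is the segmentation question from the "Defense in Depth" slides.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed inventory (an assumption for this example): IoT subnets plus a
# catch-all for ordinary workstations. The longest matching prefix wins.
DEVICE_CLASSES = {
    ip_network("10.0.0.0/8"): "workstation",
    ip_network("10.20.0.0/24"): "smart-plug",
    ip_network("10.20.1.0/24"): "ip-camera",
}

# Constructed per-class egress policy: (destination network, port) pairs a
# device class legitimately needs. Classes absent here are not checked.
EGRESS_POLICY = {
    "smart-plug": [(ip_network("203.0.113.0/24"), 443),   # vendor cloud service
                   (ip_network("10.0.5.1/32"), 123)],     # internal NTP
    "ip-camera":  [(ip_network("10.0.5.2/32"), 554),      # internal video recorder
                   (ip_network("10.0.5.1/32"), 123)],
}

INTERNAL = ip_network("10.0.0.0/8")   # constructed: the whole corporate range

# Constructed firewall log format: "<ts> <host> OUT key=value ...".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """One log line to an event dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        return {"ts": m["ts"], "src": ip_address(m["src"]),
                "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
                "proto": m["proto"]}
    except ValueError:          # malformed address
        return None


def classify(src):
    """Device class for a source address by longest-prefix match."""
    src = ip_address(str(src))
    best = None
    for net, cls in DEVICE_CLASSES.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cls)
    return best[1] if best else None


def check_event(ev):
    """Return a finding tuple if the event violates the class policy, else None."""
    cls = classify(ev["src"])
    policy = EGRESS_POLICY.get(cls)
    if policy is None:          # no IoT policy for this class: out of scope here
        return None
    if any(ev["dst"] in net and ev["dport"] == port for net, port in policy):
        return None
    reason = "unexpected lateral" if ev["dst"] in INTERNAL else "unexpected egress"
    return (str(ev["src"]), str(ev["dst"]), ev["dport"], cls, reason)


def audit(lines):
    """Run every parseable line through the policy; unparseable lines are skipped."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        finding = check_event(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: a plug talking to its vendor, a plug reaching an
# odd external port, a camera streaming to the recorder, a camera sending
# mail, a workstation (not checked), a plug probing an internal file server.
SAMPLE_LOG = """\
2014-07-10T12:00:01Z fw OUT src=10.20.0.15 dst=203.0.113.10 dport=443 proto=tcp
2014-07-10T12:00:02Z fw OUT src=10.20.0.15 dst=198.51.100.7 dport=8080 proto=tcp
2014-07-10T12:00:03Z fw OUT src=10.20.1.4 dst=10.0.5.2 dport=554 proto=tcp
2014-07-10T12:00:04Z fw OUT src=10.20.1.4 dst=192.0.2.99 dport=25 proto=tcp
2014-07-10T12:00:05Z fw OUT src=10.0.3.7 dst=192.0.2.50 dport=443 proto=tcp
2014-07-10T12:00:06Z fw OUT src=10.20.0.15 dst=10.0.7.7 dport=445 proto=tcp
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The policy is deliberately an allowlist: an IoT device that cannot be patched and whose firmware nobody has audited gets exactly the destinations its use case requires, and everything else becomes a finding. Workstations are skipped here only because their outbound policy is a different problem; in a real deployment the unknown-class case deserves a finding of its own.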

Source: http://www.veracode.com

3rd party libraries getting attacked

Developers select based on features and popularity

Rarely audit code or understand them

Poorly architected, bad code, and not well reviewed

Critical Vulns

UPnP (libupnp, miniupnp)

GnuTLS

OpenSSL

GoToFail (Apple SSL)

OpenSSH

LibYAML

• Researcher: Nitesh Dhanjani

• User browses to website containing Java exploit code

• Laptop on network compromised with malware

• Infected laptop turns lights off

• Attack pauses when bridge is unplugged

• Attack resumes when bridge is plugged back in

Exploit Source: Nitesh Dhanjani http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html

• Researcher: HD Moore

• Cameras were searchable on Internet

• Scanned 3% of Internet

• Found 250,000 devices running services, 5000 vulnerable

• Some vendors had disabled auto answer by default

• Able to capture passwords and documents

• Audio outside rooms was captured

Exploit Source: HD Moore, R7 http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=0

• Researcher: Daniel Crowley

• No authentication on web console

• Unconfirmed authentication bypass

• Firmware can be modified from attacks

• Server-side request forgery enables devices to bypass firewall and be used as a proxy

Exploit Source: Daniel Crowley of Trustwave SpiderLabs https://www.youtube.com/watch?v=PSRPE49lGYw

• Used UPnP buffer overflow to exploit WeMo

• Able to turn on and off the device rapidly

• We had a patch available before the researcher notified us of the issue

• Valid UPnP requests still work within the network

Exploit Source: Daniel Buentello using UPnP vulnerability discovered by HD Moore http://hackaday.com/2013/01/31/turning-the-belkin-wemo-into-a-deathtrap/

2010 study by Tufin Technologies, supported by UK's Association of Chief Police Officers

"...23% of "uni" students have hacked into IT systems.

32% thought hacking was "cool."

28% considered it to be easy.

The hackers offered a variety of motivations for their behavior: curiosity, fun, while "an entrepreneurial 15% revealed that they hacked to make money."

Source: Fast Company http://www.fastcompany.com/1690541/it-security-firm-fear-students, image from Infosec Reactions - http://securityreactions.tumblr.com/

Exploit Source: Joshua Wright http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf

• Researcher: Joshua Wright

• Presented at ToorCon 11 - 2009

• Framework for ZigBee exploitation

• Presentation and source are easy to find

• Hardware is cheap and easy to get

• Wireshark has a built-in tool for cracking ZigBee Network (NWK) encryption

Source: https://greatscottgadgets.com/ubertoothone/, http://www.kismetwireless.net

• Open source affordable Bluetooth development platform

• Class 1 Bluetooth device

• Bluetooth & BTLE injection & monitoring

• 802.11 FHSS monitoring and injection

• Basic spectrum monitoring

• Works with Kismet sniffer

• Commercial Bluetooth equipment starts at $10,000

• Cost: $115

10 MHz to 6 GHz operating frequency

Half-duplex transceiver

Compatible with GNU Radio, and Software Defined Radio (SDR)

Software-configurable RX and TX gain baseband filter

Open source hardware

Lots of applications already written to decode wireless using this

Cost: $330

Source: https://greatscottgadgets.com/hackrf/, http://www.sharebrained.com/2014/05/28/portapack-h1-imminent/

Universal bus interface

Talks to most chips via PC serial terminal

Comes with debugger software and BIOS/flash programmers

Cost: $30

Source: http://dangerousprototypes.com/docs/Bus_Pirate

• Supports:

  • 1-Wire

  • I2C

  • SPI

  • JTAG

  • Asynchronous serial

  • MIDI

  • PC keyboard

  • HD44780 LCD

  • & more

Texas Instruments CC1110

2x SmartRF boards

1 Debugger

Documentation

Software for sniffing & controlling hardware

Flash programmer

Cost: $76

Paired with Z-Force exploit framework from researchers

Source: Behrang Fouladi & Sahand Ghanoun, Sensepost http://research.sensepost.com/conferences/2013/bh_zwave, http://research.sensepost.com/tools/embedded/zforce

Offensive Security / Defensive Security

New technologies, limited standards, competing protocols, and more attack surface may scare you…

GO BACK TO BASICS

• Secure By Design

• Secure By Default

• Secure In Deployment

• Defense In Depth

Secure by Design

Secure architecture and code

Threat analysis

Vulnerability reduction

Secure by Default

Attack surface area reduced

Unused features turned off by default

Minimum privileges used

Secure in Deployment

Protection: Detection, defense, recovery, and management

Process: How-to guides, architecture guides

People: Training

Source: Josh Abraham (Jabra)

Defense In Depth is critical

Separate classes of systems, devices, and users

What do IoT devices need access to?

Limit password reuse

Password Management

Multi-factor authentication

Industry collaboration to improve security of embedded OS and protocols is critical

Groups like BuildItSecure.ly are trying to improve collaboration between vendors and security researchers

Improvements to standards like ZigBee HA 1.3

UPnP+ certification requiring Device Protection

Secure Elements / TPM for firmware protection

• Does deploying biometric sensors to employees put a company at risk if the data is compromised?

• What compliance issues arise based on the data being collected and whether companies have access to it?

Source: http://www.computerworld.com/s/article/9247137/Pros_and_Cons_of_Using_Fitness_Trackers_for_Employee_Wellness?taxonomyId=220

IoT brings awareness, automation, & security to enterprise environments

Rapid growth of IoT devices and vendors without security focus

Insecure devices expanding network attack surface

Plan your IoT implementation based on use cases

Select devices to fit use cases rather than individual issues

Threat Model, plan, remediate, mitigate

The protection line has moved, adjust your goals

Thank you for attending

Contact brian@brksecurity.com for additional information on IoT & Security

Thanks to Amanda Honea, Dianne Asis, & my family for their support

Thanks to Terry Gold for the invitation and in-depth biometrics discussions

Questions?
