CloudCamp Chicago Lightning Talk: "The Internet of (Insecure) Things" - Chandler Howell
TRANSCRIPT
"The Internet of (Insecure) Things"
Chandler Howell, Engineering Manager at Nexum
Tweet: @chandlerhowell #cloudcamp
#cloudcamp @CloudCamp_CHI
The Internet of (Insecure) Things
1. Smart is the New Dumb
2. When Worlds Collide
3. Failure Modes
4. A Parade of Horrors
5. So What Should I Do Now?
Smart is the New Dumb
Smart, but Vulnerable
Security is not a priority of IoT (yet)
Focus is on:
  Time to market
  Features & functionality
Focus is NOT on:
  Security
  Maintainability
  Longevity
When Worlds Collide
Lifecycles are mismatched
Technology lifecycles are very short: devices go EOL in 3-5 years or less
Consumer lifecycles are longer: refrigerators, coffee makers, etc. can last 10 years
Industrial equipment may outlive you: heavy equipment can have service lives >50 years
Failure Modes
Get Broken
Damage or destroy the device or attached devices
For example: plant control systems, people with pacemakers
Failure Modes
Get Leveraged
Compromised device is used as a vector for other badness
For example: unlock a smart home, join a botnet, provide a beachhead for an APT
Failure Modes
Get Exploited
The device can be used to spy on people, either directly or indirectly
Yes, even more examples: smart TVs, data & metadata collection
A Parade of Horrors
Consumer Goods
Refrigerators: smart fridges found in a botnet (2014); 25% of devices in that large botnet were IoT
Televisions & electronics: Samsung "Smart TV" spying; numerous XSS and local exploits
Light bulbs: LIFX "smart" bulb authentication flaws disclosed credentials for the attached Wi-Fi
A Parade of Horrors
Medical Devices
  Surgical and anesthesia devices
  Ventilators
  Drug infusion pumps
  Pacemakers
  External defibrillators
  Patient monitors
  Laboratory and analysis equipment
Pretty much every type of failure you can imagine
A Parade of Horrors
Cars
Black boxes: data stolen or altered
Remote lock/unlock and starters: key fobs and alarm protocols broken
OnStar: hacked & abused by law enforcement
Braking & steering controls: integration with entertainment/dash allowed access and compromise
A Parade of Horrors
Airplanes
Drones: definitely
In-flight entertainment: definitely
Passenger flight control: maybe
A Parade of Horrors
Infrastructure
Traffic lights: plaintext wireless; weak/no authentication
Industrial control systems: 2008 Turkish gas pipeline destroyed; 2010 Iranian gas centrifuges (Stuxnet); 2014 steel mill's blast furnace ($17mm in damage)
Utility meters: weak authentication; inaccurate readings == fraud, tampered or otherwise
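The utility-meter point above, as an added example that is not part of the talk: a constructed meter-reading message is first accepted on the strength of a meter ID alone (the weak-authentication pattern the slide describes), then authenticated with a per-meter HMAC-SHA256 key and a monotonic sequence number so that a forged, tampered or replayed reading is rejected. The message format, the key store, the sequence-number rule and all names here are assumptions for illustration, not any real metering protocol.

```python
import hmac
import hashlib
import json

# Constructed per-meter shared keys. In a real deployment these would be
# provisioned at manufacture and held in the head-end system's key store.
METER_KEYS = {
    "MTR-1001": b"\x01" * 32,
    "MTR-1002": b"\x02" * 32,
}

# Highest sequence number accepted so far per meter (replay-protection state).
_last_seq = {}


def weak_accept(msg: dict) -> float:
    """Weak pattern: trust any reading that names a known meter ID."""
    if msg["meter_id"] not in METER_KEYS:
        raise ValueError("unknown meter")
    return msg["kwh"]


def _payload(meter_id: str, seq: int, kwh: float) -> bytes:
    # Canonical encoding so meter and head-end sign exactly the same bytes.
    body = {"meter_id": meter_id, "seq": seq, "kwh": kwh}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(meter_id: str, seq: int, kwh: float) -> dict:
    """Meter side: bind meter ID, sequence number and reading under HMAC-SHA256."""
    tag = hmac.new(METER_KEYS[meter_id], _payload(meter_id, seq, kwh), hashlib.sha256).hexdigest()
    return {"meter_id": meter_id, "seq": seq, "kwh": kwh, "tag": tag}


def verify_reading(msg: dict) -> float:
    """Head-end side: reject unknown meters, bad tags and replayed or stale sequence numbers."""
    meter_id = msg.get("meter_id")
    key = METER_KEYS.get(meter_id)
    if key is None:
        raise ValueError("unknown meter")
    expected = hmac.new(key, _payload(meter_id, msg["seq"], msg["kwh"]), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time (no timing side channel on the tag).
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        raise ValueError("bad authentication tag")
    if msg["seq"] <= _last_seq.get(meter_id, -1):
        raise ValueError("replayed or stale reading")
    _last_seq[meter_id] = msg["seq"]
    return msg["kwh"]


def demo() -> dict:
    """Run the weak and the authenticated check over constructed messages."""
    _last_seq.clear()
    results = {}
    genuine = sign_reading("MTR-1001", 7, 1523.4)
    # Forged reading: correct meter ID, fraudulent consumption, no valid tag.
    forged = {"meter_id": "MTR-1001", "seq": 8, "kwh": 12.0, "tag": "0" * 64}
    # Tampered reading: genuine message with the kWh value changed after signing.
    tampered = dict(genuine, kwh=12.0)

    results["weak_accepts_forged"] = weak_accept(forged)   # the fraud goes through
    results["strong_genuine"] = verify_reading(genuine)     # accepted once
    for name, bad in (("forged", forged), ("tampered", tampered), ("replayed", genuine)):
        try:
            verify_reading(bad)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The sequence number is what turns "authenticated" into "fresh": without it the head end would happily accept yesterday's genuine low reading resent by the customer. A per-meter key matters for the same reason a shared fleet-wide key does not help: one extracted key must not let an attacker sign for every meter.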
So what should I do?
Realize these are not new problems: insecure computers are nothing new
Think in terms of failure modes: use these to understand your threats
Expect novel attack types: inference attacks, side-channel attacks
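An added example of the inference attacks the slide warns about (not from the talk): a constructed day of 30-minute smart-meter readings, from which an observer who sees nothing but consumption totals infers when the household woke up and when nobody was home. Nothing is "hacked"; the device reports exactly what it was designed to report. The readings, the baseline estimate, the thresholds and the helper names are all assumptions for illustration.

```python
from itertools import groupby

# Constructed 30-minute kWh readings for one day (48 slots, slot 0 = 00:00).
# Always-on load (fridge, standby) is about 0.15 kWh per slot; activity shows as spikes.
READINGS = (
    [0.15] * 12 +                 # 00:00-06:00 asleep
    [0.15, 0.9, 1.2, 0.6] +       # 06:00-08:00 still asleep, then kettle and shower
    [0.14] * 18 +                 # 08:00-17:00 nobody home
    [0.5, 1.4, 1.1, 0.8] +        # 17:00-19:00 cooking
    [0.4, 0.45, 0.4, 0.35] +      # 19:00-21:00 TV and lights
    [0.15] * 6                    # 21:00-24:00 asleep
)
assert len(READINGS) == 48

SLOT_MIN = 30


def slot_to_time(slot: int) -> str:
    return f"{(slot * SLOT_MIN) // 60:02d}:{(slot * SLOT_MIN) % 60:02d}"


def baseline(readings) -> float:
    """Estimate the always-on load as the 20th percentile of the day's readings."""
    s = sorted(readings)
    return s[len(s) // 5]


def occupancy_runs(readings, margin: float = 0.1):
    """Label each slot 'home' or 'away' and collapse into runs of (label, start, end)."""
    threshold = baseline(readings) + margin
    labels = ["home" if r > threshold else "away" for r in readings]
    runs, i = [], 0
    for label, grp in groupby(labels):
        n = len(list(grp))
        runs.append((label, slot_to_time(i), slot_to_time(i + n)))
        i += n
    return runs


def _hours(start: str, end: str) -> float:
    h1, m1 = map(int, start.split(":"))
    h2, m2 = map(int, end.split(":"))
    return ((h2 * 60 + m2) - (h1 * 60 + m1)) / 60


def infer_schedule(readings, min_away_hours: float = 3) -> dict:
    """Turn the runs into what an attacker actually wants: wake-up time and daytime absences."""
    runs = occupancy_runs(readings)
    wake_up = next((start for label, start, _ in runs if label == "home"), None)
    absences = [
        (start, end)
        for label, start, end in runs
        if label == "away"
        and _hours(start, end) >= min_away_hours
        and start != "00:00" and end != "24:00"   # runs touching midnight are sleep, not absence
    ]
    return {"wake_up": wake_up, "absences": absences}


if __name__ == "__main__":
    print("baseline load per slot:", baseline(READINGS))
    for run in occupancy_runs(READINGS):
        print(run)
    print(infer_schedule(READINGS))
```

The defensive lesson is the one the slide draws: the threat is not the meter's firmware but the data stream itself, so controls belong on who can read it and at what resolution (coarser intervals, aggregation, or local-only storage), not only on device hardening.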
So what should I do?
Architect for insecure things: assume devices are insecure by default; if not today, they will be some day
Leverage security tools & processes: defense-in-depth, threat modeling, incident response
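An added example (not from the talk) of what "assume the device is insecure" plus defense-in-depth looks like on the network: instead of trusting the fridge or the TV, each device class gets a short allowlist of what it is expected to talk to, and flow records are checked against it. Each deviation is then labelled with the talk's own failure modes, so a fridge opening SMTP connections (the 2014 botnet case above) shows up as "leveraged" and a TV uploading megabytes to an unknown host as "exploited". The inventory, the allowlists, the flow-record format and the failure-mode heuristics are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: which class each IoT device belongs to.
INVENTORY = {
    "10.0.50.11": "fridge",
    "10.0.50.12": "smart_tv",
    "10.0.50.13": "thermostat",
}

# Constructed per-class egress allowlist: (destination network, port, protocol).
# Anything outside it is a deviation worth a ticket, or a firewall deny.
ALLOW = {
    "fridge":     [("203.0.113.0/24", 443, "tcp"), ("10.0.1.53/32", 53, "udp")],
    "smart_tv":   [("198.51.100.0/24", 443, "tcp"), ("10.0.1.53/32", 53, "udp")],
    "thermostat": [("203.0.113.0/24", 8883, "tcp"), ("10.0.1.53/32", 53, "udp")],
}


def failure_mode(dport: int, proto: str, bytes_out: int) -> str:
    """Map the kind of unexpected traffic onto the talk's failure modes (heuristic)."""
    if proto == "tcp" and dport in (25, 465, 587):
        return "leveraged (spam/botnet relay)"
    if proto == "tcp" and dport in (22, 23, 445, 3389):
        return "leveraged (lateral movement / beachhead)"
    if bytes_out > 1_000_000:
        return "exploited (bulk data exfiltration)"
    return "unknown deviation"


def is_allowed(dev_class: str, dst: str, dport: int, proto: str) -> bool:
    return any(
        ip_address(dst) in ip_network(net) and dport == port and proto == p
        for net, port, p in ALLOW.get(dev_class, [])
    )


def analyse(flows) -> dict:
    """Return {src_ip: [(dst, port, proto, failure_mode), ...]} for flows outside the baseline."""
    findings = defaultdict(list)
    for f in flows:
        dev_class = INVENTORY.get(f["src"])
        if dev_class is None:
            continue  # not an inventoried IoT device; out of scope for this check
        if not is_allowed(dev_class, f["dst"], f["dport"], f["proto"]):
            findings[f["src"]].append(
                (f["dst"], f["dport"], f["proto"], failure_mode(f["dport"], f["proto"], f["bytes_out"]))
            )
    return dict(findings)


# Constructed flow records, the shape a firewall or NetFlow export might give you.
FLOWS = [
    {"src": "10.0.50.11", "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes_out": 4200},
    {"src": "10.0.50.11", "dst": "192.0.2.77", "dport": 25, "proto": "tcp", "bytes_out": 120000},
    {"src": "10.0.50.11", "dst": "192.0.2.78", "dport": 25, "proto": "tcp", "bytes_out": 98000},
    {"src": "10.0.50.12", "dst": "198.51.100.5", "dport": 443, "proto": "tcp", "bytes_out": 9000},
    {"src": "10.0.50.12", "dst": "192.0.2.200", "dport": 443, "proto": "tcp", "bytes_out": 5_000_000},
    {"src": "10.0.50.13", "dst": "203.0.113.40", "dport": 8883, "proto": "tcp", "bytes_out": 600},
    {"src": "10.0.50.13", "dst": "10.0.50.12", "dport": 23, "proto": "tcp", "bytes_out": 300},
    {"src": "10.0.20.5", "dst": "192.0.2.77", "dport": 25, "proto": "tcp", "bytes_out": 800},  # mail server, not IoT
]

if __name__ == "__main__":
    for src, hits in analyse(FLOWS).items():
        print(src, INVENTORY[src])
        for dst, port, proto, mode in hits:
            print(f"  -> {dst}:{port}/{proto}  {mode}")
```

The same allowlist doubles as the segmentation policy: enforce it on the IoT VLAN's egress firewall and the detection becomes prevention, while the log of denied flows is the incident-response trail the slide asks for.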
So what should I do?
Assess whether the smart is worth the risk
Don't forget how to live without IoT
Think of it in Business Continuity Planning (BCP) or Disaster Recovery (DR) terms: smart devices are just another system to fail