
Page 1

How to avoid the Internet of Insecure Things

Dr. Mike Bartley, CEO, Test and Verification Solutions

Helping companies develop products that are: Reliable, Safe and Secure

Page 2

Copyright T&VS Limited | Private & Confidential

TVS - Leaders in Verification

India - 2011
UK - 2008
Germany - 2011
Singapore - 2014
China, South Korea, USA - 2014
Japan - 2016

Global presence in all high-end technology locations

Page 3

IoT headlines – lack of consumer trust

Page 4

Botnet DDoS DNS attack in Oct 2016

Hackers hijacked millions of IoT devices

Sent vast amounts of junk traffic at DNS services operated by US company Dyn

Popular websites inaccessible.

Two things are clear, however: the freewheeling idiots of the Internet of Things business need the fear of regulation put into them – and so do network owners and operators.

Page 5

What is a DDoS on DNS Services?

DDoS = Distributed Denial of Service

DNS = Domain Name System: translates website names into Internet Protocol (IP) addresses and locates resources on the Internet.

Page 6

DDoS Botnet - Technical Details

Mirai is malware that turns computer systems running Linux into remotely controlled “botnets”
• It primarily targets online consumer devices such as remote cameras and home routers

Mirai spreads by logging into devices using their default, factory-set passwords
• Mirai takes over routers, CCTV cameras, digital video recorders, etc.

Zombie = IoT device running Mirai malware

Page 7

Why are IoT devices so vulnerable?

Quality Assurance:
• PetNet pet feeder fault
• Nest smoke alarms
• Thermostat fault

Security:
• Most IoT products have security measures that are 10 years out of date
• HP: 70% of the IoT devices and sensors examined were susceptible to the vulnerabilities in the OWASP IoT Top 10

Connected devices create an increased level of intrusion, generating new types and unprecedented quantities of data, raising potential quality and security issues.

Connectivity standards:
onem2m, Open Interconnection Consortium, Wireless IoT Forum, IETF, ZigBee Alliance, Industrial Internet Consortium, ITU, AllSeen, Thread Alliance, IEEE, AllJoyn, GSMA

Page 8

Rebuild Consumer Trust

The IoT needs to ensure quality and security within its products and services.

1.) Government regulation: increase regulation that ensures manufacturers meet quality and security criteria before launching a device.

2.) Trusted industry organizations: certify IoT-enabled devices – reassure consumers that the device has been through rigorous quality analysis & security verification.

3.) Independent testing: enable a manufacturer to demonstrate compliance to the latest standards or IoT / internet guidelines.

Page 9

Complex supply chain

(Diagram of the supply chain: ODM – develops and makes device; several software developers; chip vendor; comms module vendor; IP vendor; “Brand Owner” – markets and supports service; Users)

1. Self-Certification Scheme

2. Connected Consumer Products

3. Patching Constrained Devices

4. Framework for Vulnerability Disclosure

5. IoT Security Landscape

Page 10

Trusted supply chain

(Diagram: the same supply chain as the previous slide – ODM, software developers, chip vendor, comms module vendor, IP vendor, “Brand Owner”, Users – plus OTS and RTOS components, each node marked with one of two symbols)

Legend:
[symbol 1] = IoTSF stamp of approval
[symbol 2] = not approved, requires separate audit

Page 11

Testing Challenges – IoT standards

Security:

1. GSMA IoT security standards

2. Onem2m security standards

3. OWASP Internet of Things Top 10

4. Online Trust Alliance’s IoT Trust Framework

Network:

1. GSMA IoT connection efficiency guidelines

2. onem2m connection standards

3. Individual IoT protocols: Zigbee / LoRa etc.

Page 12

IoT Security - OWASP IoT Top 10

The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

The Top 10 lists the top categories of security vulnerabilities for IoT devices.

Page 13

OWASP IoT Top 10 – typical test scenarios

Functional Area | Example type of test performed (note: there are a number of tests for each functional area)

I1 Insecure web interface
• Ensure that the web interface disallows weak passwords
• Can change password on initial product setup

I2 Insufficient authentication / authorization
• Ensure that the web interface has the ability to use secure communication
• Password is not 1234

I3 Insecure network services
• Check for insecure ports

I4 Lack of transport encryption
• Check if any information is sent in clear text
• Validate that secure communication is integrated correctly

I5 Privacy concerns
• Check the device only captures the information it requires
• Who has access to personal info

I6 Insecure cloud interface
• Ensure that the cloud interface disallows weak passwords
• Can change password on initial product setup

I7 Insecure mobile interface
• Ensure that the mobile interface disallows weak passwords
• Credentials not disclosed over mobile interface

I8 Insufficient security configurability
• Review admin options to ensure security options are present
• Admin options for strong passwords

I9 Insecure software / firmware
• Check if security is used to fetch updates
• Update file is secure

I10 Poor physical security
• Access via USB ports
• Review if all physical ports are required

Page 14

IoT Networking – mass interoperability

Many communication protocols:
• Mobile
• Wi-Fi
• Bluetooth
• Zigbee
• Z-Wave
• 6LoWPAN
• Thread
• NFC

Simulate a wide range of networking conditions:
• RF testing
• cell handovers
• low signal strength
• protocol analysis
• moving between 2G, 3G & LTE or Wi-Fi

Test scenarios to consider:
• Moving between networks
• Losing power on upgrade
• Low bandwidth
• Simulate signal loss (going through a tunnel)
• Patching the device

Page 15

IoT - Ongoing patching & maintenance

IoT devices require ongoing functionality & security updates
• New issues discovered
• Best practice updates

Patching IoT devices is not easy:
• It gives another route to install malware
• IoT devices have limited resources: CPU, memory, encryption, etc.
• Functional issues (e.g. power loss during a patch can “brick” a device)

Who is responsible?
• Manufacturers? Consumers?
• Who pays for a lifetime patching warranty for their pet feeder?
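Two points from these slides, the I9 "update file is secure" test and the "power loss during a patch can brick a device" risk, meet in how an update is verified and committed. The following is an added illustration, not code from the slides or from T&VS: a signed image is rejected before any flash write, and a two-slot install only switches the boot pointer after the inactive slot is fully written and read back. The HMAC key, slot layout and file names are constructed assumptions for the demo.

```python
import hashlib, hmac, os, tempfile

# Constructed demo key: a real device checks an asymmetric signature against a ROM public key.
UPDATE_KEY = b"demo-update-key-not-for-production"

def sign_update(image):          # vendor side: tag || image
    return hmac.new(UPDATE_KEY, image, hashlib.sha256).digest() + image

def verify_update(blob):         # device side: check before touching flash
    tag, image = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(UPDATE_KEY, image, hashlib.sha256).digest()):
        raise ValueError("update rejected: bad signature")
    return image

class Device:
    """Two firmware slots plus a boot pointer switched with one atomic rename."""
    def __init__(self, image):
        root = tempfile.mkdtemp()
        self.slots = {"A": os.path.join(root, "slot_A"), "B": os.path.join(root, "slot_B")}
        self.boot = os.path.join(root, "boot")
        with open(self.slots["A"], "wb") as f: f.write(image)
        self._point_boot_at("A")
    def _point_boot_at(self, slot):
        tmp = self.boot + ".tmp"
        with open(tmp, "w") as f: f.write(slot); f.flush(); os.fsync(f.fileno())
        os.replace(tmp, self.boot)   # old pointer or new one, never a torn file
    def active_slot(self):
        with open(self.boot) as f: return f.read()
    def boot_image(self):
        with open(self.slots[self.active_slot()], "rb") as f: return f.read()
    def install(self, blob, cut_power_after=None):
        image = verify_update(blob)
        target = "B" if self.active_slot() == "A" else "A"   # never touch the running slot
        with open(self.slots[target], "wb") as f:
            for off in range(0, len(image), 16):
                if cut_power_after is not None and off >= cut_power_after:
                    raise RuntimeError("power lost mid-write")  # simulated outage
                f.write(image[off:off + 16])
            f.flush(); os.fsync(f.fileno())
        with open(self.slots[target], "rb") as f: written = f.read()
        if hashlib.sha256(written).digest() != hashlib.sha256(image).digest():
            raise RuntimeError("write verification failed")
        self._point_boot_at(target)   # only now does the device commit to the new image

def try_install(device, blob, cut_power_after=None):
    try:
        device.install(blob, cut_power_after)
        return "installed"
    except (ValueError, RuntimeError) as e:
        return "rejected" if isinstance(e, ValueError) else "interrupted"
```

An interrupted or tampered update leaves the device booting the previous image; the new image is only used once it has been written and verified in full.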

Page 16

Example of an encryption bug: Logjam

Logjam attack against the TLS protocol.
• The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.
• Due to a flaw in the TLS protocol rather than an implementation vulnerability
• Attacks a Diffie-Hellman key exchange rather than an RSA key exchange

Discovered May 2015
• By a group of academics
• It had been present since 1990!
• Affected all modern web browsers

The advice given
• If you have a web or mail server: you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group.
• If you use a browser: use the most recent version of your browser installed, and check for updates frequently.
• If you’re a sysadmin or developer: make sure any TLS libraries you use are up-to-date ...

Advice for testing
• It is IMPOSSIBLE to find these bugs in testing
• Make sure you keep up with the relevant websites that report such issues
• And make sure you follow the advice

Protocol | Vulnerable to Logjam
HTTPS — Top 1 Million Domains | 8.4%
HTTPS — Browser Trusted Sites | 3.4%
SMTP+StartTLS — IPv4 Address Space | 14.8%
POP3S — IPv4 Address Space | 8.9%
IMAPS — IPv4 Address Space | 8.4%
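The two server-side mitigations on this slide (no export cipher suites, a 2048-bit Diffie-Hellman group) can be audited from what a server actually sends. The following is an added example, not from the slides or from T&VS: it parses the ServerDHParams prefix of a TLS ServerKeyExchange message, classifies the group size the server signed, and flags export-grade DHE suite code points left in a cipher list. The sample parameters are constructed (not real safe primes); only their sizes matter for the check.

```python
import struct

# Export-grade DHE suite code points from the TLS 1.0 registry (RFC 2246, A.5).
EXPORT_DHE_SUITES = {0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
                     0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}

def encode_server_dh_params(p, g, ys):
    """Build ServerDHParams: p, g, Ys as length-prefixed big-endian integers."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def parse_server_dh_params(buf):
    """Return (p, g, Ys) from the front of a ServerKeyExchange body (the
    signature that follows in DHE_RSA/DHE_DSS suites is ignored here)."""
    vals, off = [], 0
    for _ in range(3):
        if off + 2 > len(buf):
            raise ValueError("truncated ServerDHParams")
        n = struct.unpack_from("!H", buf, off)[0]; off += 2
        if off + n > len(buf):
            raise ValueError("truncated ServerDHParams")
        vals.append(int.from_bytes(buf[off:off + n], "big")); off += n
    return tuple(vals)

def assess_dh_group(buf):
    """Classify the modulus size the server actually signed and sent."""
    p, _, _ = parse_server_dh_params(buf)
    bits = p.bit_length()
    if bits <= 512:
        return bits, "export-grade group: precomputable, Logjam-exposed"
    if bits < 2048:
        return bits, "below the 2048-bit recommendation"
    return bits, "meets the 2048-bit recommendation"

def offered_export_suites(suite_codes):
    """Flag export DHE suites left enabled in a server's cipher list."""
    return [EXPORT_DHE_SUITES[c] for c in suite_codes if c in EXPORT_DHE_SUITES]

# Constructed sample parameters: not real safe primes, only the sizes matter here.
WEAK_P = (1 << 511) | 0x1234567      # 512-bit modulus, the export-grade size
STRONG_P = (1 << 2047) | 0x1234567   # 2048-bit modulus, the recommended size
WEAK_SKE = encode_server_dh_params(WEAK_P, 2, 0xABCDEF)
STRONG_SKE = encode_server_dh_params(STRONG_P, 2, 0xABCDEF)
```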

Page 17

TVS IoT client – security concerns

Company produces monitoring & control valves

Was using a private controlled single network

Opening up to external access via internet

Engaged with TVS to provide:

• Industry security best practice for securing gateway

• Demonstrate conformance to latest standards

• Guidelines for customers using valves

• Ongoing checks on the threat landscape

Build customer confidence.

Page 18

Summary

Increased regulation

Focus on QA & security

IoT ongoing maintenance

IoT Kitemark model?

Rebuild consumer trust

Unless these issues are addressed the only winners in the IoT will be the hackers.

Page 19

Verification Futures 2017

Thank you

“IoT Device Testing: how do you provide

assurance of your products?”

Dr. Mike Bartley,

[email protected] 07796 307958

Helping companies develop products that are:

Reliable, Safe and Secure