how to avoid the internet of insecure things dr. mike bartley...security: 1. gsma iot security...
TRANSCRIPT
Dr. Mike Bartley CEO, Test and Verification Solutions
How to avoid the Internet of
Insecure Things
Helping companies develop products that are:
Reliable, Safe and Secure
Copyright T&VS Limited | Private & Confidential | Page 2
TVS - Leaders in Verification
India - 2011
UK - 2008
Germany - 2011
Singapore - 2014
China South Korea USA - 2014
Japan - 2016
Global presence in all
high-end technology
locations
Copyright T&VS Limited | Private & Confidential | Page 3
IoT headlines – lack of consumer trust
Copyright T&VS Limited | Private & Confidential | Page 4
Botnet DDOS DNS attack in Oct 2016
Hackers hijacked millions of IoT devices
Sent vast amounts of junk traffic at DNS services operated by US company Dyn
Popular websites inaccessible.
Two things are clear, however: the
freewheeling idiots of the Internet of Things
business need the fear of regulation put
into them – and so do network owners and
operators.
Copyright T&VS Limited | Private & Confidential | Page 5
What is a DDoS on DNS Services?
DDoS = Distributed Denial of Service
DNS = Domain Name System: translates website names into Internet Protocol (IP) addresses, and locate resources on the Internet.
Copyright T&VS Limited | Private & Confidential | Page 6
DDOS Botnet - Technical Details
Mirai is malware that turns computer systems running Linux into remotely controlled “botnets” • It primarily targets online consumer devices such as remote cameras and home routers
Mirai spreads by logging into devices using their default, factory-set passwords • Mirai takes over routers, CCTV cameras, digital video recorders, etc.
Zombie = IoT device
running Mirai malware
Copyright T&VS Limited | Private & Confidential | Page 7
Why are IoT devices so vulnerable?
Quality
Assurance
Security
Connectivity
standards
• PetNet pet feeder fault
• Nest smoke alarms
• Thermostat fault
• Most IoT products have security measures that are 10 years
out of date
• HP: 70% of the IoT devices and sensors examined were
susceptible to the vulnerabilities in the OWASP IoT Top 10
Connected devices create an increased
level of intrusion, generating new types and
unprecedented quantities of data, raising
potential quality and security issues.
onem2m Open Interconnection Consortium Wireless IoT forum
IETF ZigBee Alliance Industrial Internet Consortium
ITU AllSeen Thread Alliance
IEEE AllJoyn GSMA
Copyright T&VS Limited | Private & Confidential | Page 8
Rebuild Consumer Trust
The IoT needs to ensure quality and security within its products and services. 1.) Government
regulation
2.) Trusted
industry
organizations
3.)
Independent
testing Increase regulation that
ensures manufacturers
meet quality and security
criteria before launching a
device.
Certify IoT-enabled
devices – reassure
consumers that the
device had been through
rigorous quality analysis
& security verification.
Enable a manufacturer to
demonstrate compliance
to the latest standards or
IoT / internet guidelines.
Copyright T&VS Limited | Private & Confidential | Page 9
Complex supply chain
ODM –
Develops
and
makes
device
Software
developer
Software
developers
Software
developer
Chip
vendor
Software
developer
Comms
module
vendor
“Brand
Owner” –
markets
and
supports
service
Users
Softwa
re
develo
per
IP
vendor
1. Self-Certification Scheme
2. Connected Consumer Products
3. Patching Constrained Devices
4. Framework for Vulnerability Disclosure
5. IoT Security Landscape
Copyright T&VS Limited | Private & Confidential | Page 10
Trusted supply chain
ODM –
Develops
and
makes
device
Software
developer
Software
developers
Software
developer
Chip
vendor
Software
developer
Comms
module
vendor
“Brand
Owner” –
markets
and
supports
service
Users
Softwa
re
develo
per
IP
vendor
OTS
RTOS
= IoTSF stamp of approval
= not approved, requires separate
audit
Copyright T&VS Limited | Private & Confidential | Page 11
Testing Challenges – IoT standards
Security:
1. GSMA IoT security standards
2. Onem2m security standards
3. OWASP Internet of Things Top 10
4. Online Trust Alliance’s IoT Trust Framework
Network:
1. GSMA IoT connection efficiency guidelines
2. onem2m connection standards
3. Individual IoT protocol: Zigbee / LoRa etc..
Copyright T&VS Limited | Private & Confidential | Page 12
IoT Security - OWASP IoT TOP 10
The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities
The Top 10 is the top categories for security vulnerabilities for IoT devices.
Copyright T&VS Limited | Private & Confidential | Page 13
OWASP IoT top 10 – typical test scenarios
Functional Area Example type of test performed (note: there are a number of tests for each functional area)
I1 Insecure Web interface • Ensure that web interface disallows weak passwords
• Can change password on initial product setup
I2 Insufficient Authentication /
Authorization
• Ensure that web interfaces has the ability to use secure communication
• Password is not 1234
I3 Insecure network services • Check for insecure ports
I4 Lack of transport
encryption
• Check if any information in clear text
• Validate secure communication is integrated correctly
I5 Privacy concerns. • Check the device only captures the information it requires.
• Who has access to personal info
I6 Insecure cloud interface • Ensure that cloud interface disallows weak passwords
• Can change password on initial product setup
I7 Insecure mobile interface
• Ensure that mobile interface disallows weak passwords
• Credentials not disclosed over mobile interface
I8 Insufficient security
configurability
• Review admin options to ensure security options
• Admin options for strong password
I9 Insecure software /
Firmware
• Check if security used to fetch updates
• Update file is secure
I10 Poor Physical security • Access via USBs
• Review if all physical ports required.
Copyright T&VS Limited | Private & Confidential | Page 14
IoT Networking – mass interoperability
Many Communication protocols: • Mobile Z-Wave • Wifi 6LowPAN • Bluetooth Thread • Zigbee NFC
Simulate wide range of Networking conditions: • RF testing • cell handovers • low signal strength • protocol analysis • moving between 2G, 3G & LTE or wifi
Test scenarios to consider: • Moving between networks
• Losing power on upgrade
• Low bandwidth
• Simulate signal loss (going through a tunnel)
• Patching the device
Copyright T&VS Limited | Private & Confidential | Page 15
IoT - Ongoing patching & maintenance
IoT devices require ongoing functionality & security updates • New issues discovered
• Best practice updates
Patching IoT devices is not easy: • It gives another route to install malware
• IoT devices have limited resources • CPU, memory, encryption, etc.
• Functional issues (e.g. power loss during a patch can “brick” a device)
Who is responsible? • Manufacturers? Consumers?
• Who pays for a lifetime patching warranty for their pet feeder?
Copyright T&VS Limited | Private & Confidential | Page 16
Example of an encryption bug: Logjam
Logjam attack against the TLS protocol. • The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS
connections to 512-bit export-grade cryptography.
• Due to a flaw in the TLS protocol rather than an implementation vulnerability
• Attacks a Diffie-Hellman key exchange rather than an RSA key exchange
Discovered May 2015 • By a group of academics
• It had been present since 1990!
• Affected all modern web browsers
The advice given • If you have a web or mail server
• You should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group.
• If you use a browser… • Use the most recent version of your browser installed, and check for updates frequently.
• If you’re a sysadmin or developer … • Make sure any TLS libraries you use are up-to-date ...
Advice for testing … • It is IMPOSSIBLE to find these bugs in testing
• Make sure you keep up with the relevant websites that report such issues
• And make sure you follow the advice
Protocol Vulnerable to Logjam
HTTPS — Top 1 Million Domains 8.4%
HTTPS — Browser Trusted Sites 3.4%
SMTP+StartTLS — IPv4 Address Space 14.8%
POP3S — IPv4 Address Space 8.9%
IMAPS — IPv4 Address Space 8.4%
Copyright T&VS Limited | Private & Confidential | Page 17
TVS IoT client – security concerns
Company produces monitoring & control valves
Was using a private controlled single network
Opening up to external access via internet
Engaged with TVS to provide:
• Industry security best practice for securing gateway
• Demonstrate conformance to latest standards
• Guidelines for customers using valves
• Ongoing checks on the threat landscape
Build customer confidence.
Copyright T&VS Limited | Private & Confidential | Page 18
Summary
Increased regulation
Focus on QA & security
IoT ongoing maintenance
IoT Kitemark model?
Rebuild consumer trust
Unless these issues are addressed the only winners in the IoT will be the hackers.
Verification Futures 2017
Thank you
“IoT Device Testing: how do you provide
assurance of your products?”
Dr. Mike Bartley,
[email protected] 07796 307958
Helping companies develop products that are:
Reliable, Safe and Secure