IOT: EXPLORING THE THREAT SURFACE Jason Ortiz Sr. Integration Engineer


Post on 26-Jun-2020


TRANSCRIPT

Page 1: IOT: EXPLORING THE THREAT SURFACEintro the big idea securing the edge ... » elasticsearch. threat hunting and response | security consulting 05 | securing the data. threat hunting

IOT: EXPLORING THE THREAT SURFACE

Jason Ortiz

Sr. Integration Engineer

Page 2:

THREAT HUNTING AND RESPONSE | SECURITY CONSULTING

CONTENTS

» INTRO

» THE BIG IDEA

» SECURING THE EDGE

» SECURING THE REST

» SECURING THE DATA

Page 3:

01 | INTRODUCTION

Page 4:

02 | THE BIG IDEA

Page 5:

EVERYTHING I KNOW ABOUT IOT

THE BIG IDEA

Page 6:

EVERYTHING I KNOW ABOUT IOT SECURITY

THE BIG IDEA

Page 7:

QUESTIONS? THANK YOU.

Page 8:

EVERYTHING I THINK SORT OF MAKES SENSE…

THE BIG IDEA

» IoT Ecosystem

» The Edge

» The Fog/Mist

» The Cloud

Page 9:

WHAT IS THE BIG IDEA?

THE BIG IDEA

» Data

» Data

» Data

» Simple

Page 10:

03 | SECURING THE EDGE

Page 11:

HARDWARE

THE EDGE

» Physical Ports

» UART

» JTAG

Page 12:

FIRMWARE

THE EDGE

» Vulnerabilities

» Conventional

» Stored keys?

» Memory dump keys?

» Updates … or NOT

Page 13:

AUTHENTICATION

THE EDGE

» Sooooo many things!

» Based mostly in HTTP

Page 14:

AUTHENTICATION

THE EDGE

» Elliptic Curve Crypto?

» Blockchain?

[Chart: Transactions / Second for Bitcoin, Ethereum, PayPal, VISA]

Page 15:

PAYLOADS

THE EDGE

Page 16:

04 | SECURING THE MIST, OR FOG, OR WHATEVER

Page 17:

OK BUT REALLY

THE … WHATEVER

» The Edge

» The Fog

» The Mist

» The Cloud

Page 18:

COMPONENTS

THE … WHATEVER

» Networking

» Messaging

» Ecosystems

» Data

Page 19:

NETWORKING

THE … WHATEVER

» Which part?

» User -> Stand Alone Device?

» User -> Cloud Connected Device?

» User -> Hub?

» Device -> Hub?

» Hub -> Cloud?

» User -> Cloud?

» Device -> Device?

» Device -> Cloud?

Page 20:

DNS REBINDING

THE … WHATEVER

» Same Origin Policy

» bad.js

» CVEs? You bet

Page 21:

DNS REBINDING

THE … WHATEVER

» Vulns Everywhere!

Page 22:

SECURE NETWORKING?

THE … WHATEVER

» Heavy Use of HTTPS

» Authentication?

» FIDO Alliance

Page 23:

QUEUES

THE … WHATEVER

» RabbitMQ

» Complex setup

» Basic security

» nats.io

» Auth

» TLS

Page 24:

MQTT

THE … WHATEVER

Page 25:

MQTT

THE … WHATEVER

» Anything interesting on a public broker?

» SHODAN

» C2 through MQTT

Page 26:

SECURING MQTT

THE … WHATEVER

» Enterprise Solution (HiveMQ)

» 3rd party broker

Page 27:

NODE-RED

THE … WHATEVER

Page 28:

NODE-RED

THE … WHATEVER

» Security?

» Anything live?

» API!

Page 29:

SECURING NODE-RED

THE … WHATEVER

» Authentication

» Secure Comms

Page 30:

WEB INTERFACES

THE … WHATEVER

» Basic Vulnerabilities

» Custom HTTP servers … but why?

Page 31:

DATABASES

THE … WHATEVER

» Mongo

» Postgres

pg_hba.conf

Page 32:

INDICES

THE … WHATEVER

» Elasticsearch

Page 33:

05 | SECURING THE DATA

Page 34:

SECURING THE DATA

THE DATA

» Make No Mistake … I mean PRIVACY

» Is perimeter security dead?

Page 35:

SECURING THE DATA

THE DATA

» Cameras

[Chart: bars by country: United States, Japan, Italy, France, UK; axis from 0 to 6000]

Page 37:

SECURING THE DATA

THE DATA

» Wearable Medical Devices

“Frankly, I don’t give a damn if someone wants to change their heart rate data.”

Page 38:

SECURING THE DATA

THE DATA

» ?

Page 39:

QUESTIONS? THANK YOU.