IoT and the Impact on Security, Brian Knopf, ISSA-OC, July 2014
TRANSCRIPT
Director of Application Security, Belkin International (owners of Linksys)
Member, UPnP Task Force
Previously Principal Test Architect, Office of the CTO at Rapid7
20+ years of experience in IT, QA, Development and Security
Programming, disassembling and reverse engineering since age 5
What is IoT?
Why is IoT Important?
Components of IoT
IoT Attacks
How Do I Protect My Environment?
Future of IoT
Conclusion
Source: Wikipedia.org http://en.wikipedia.org/wiki/IOT
Source: Gartner http://www.gartner.com/newsroom/id/2636073
Originated at the Auto-ID center at MIT
Started with RFID, Electronic Product Code tags to connect devices
Self-configuring was the key
Evolved into connected advanced wireless devices
No single IoT protocol currently
Source: Gartner http://www.gartner.com/newsroom/id/2636073
Hundreds of manufacturers creating devices
Everyday devices now connected and communicating valuable data
Makes environments smarter
Improves power conservation
Provides sense of security
Connects M2M and M2B
[Infographic: Pain Management 1970's vs. Pain Management 2010's]
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
• Turn your electronics on/off, monitor them from anywhere
• Create rules, schedules, and receive notifications
• Get insight into home energy or water usage
• Compatible with iOS and Android
Source: http://www.belkin.com
• GPS tracking device for pets
• Track how much exercise they get
• Receive notifications when they leave user configured zone
• Uses Google Maps for setup
• Mobile and web apps for tracking and notifications
• Same technology used to track company vehicles
• Now cheaper and more accessible to average person
Source: http://www.pettracker.com/
• 3-factor authentication (Nymi, smart phone, cardiac rhythm)
• Integration with Windows, Mac OS, Android, and iOS
• Uses Bluetooth Low Energy
• Motion detection for gesture recognition
• Looking at integration with cars to unlock and start them
• Potential to replace identification or PIN for financial transactions
• Is this more secure than a password?
Source: http://www.getnymi.com
Protocols
• ZigBee
• Z-Wave
• 6LoWPAN
• NFC
• RFID
• Bluetooth
• Bluetooth Low Energy
• INSTEON
• Lutron
• MQTT
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
IEEE 802.15.4
2.4 GHz frequency worldwide (16 channels)
Regional 915 MHz (Americas) & 868 MHz (Europe)
Powered and battery operated devices
Multiple star topology and inter-personal area network (PAN) communication
AES-128 security
2010 – 40% Market Share
2016 – 55% Market Share
[Diagram: ZigBee Mesh Network showing ZC, ZR and ZED nodes]
ZigBee Coordinator - ZC
ZigBee Router - ZR
ZigBee End Device - ZED
• ZigBee Coordinator - ZC
  • Only one
  • Trust Center
  • Network information
• ZigBee Router - ZR
  • Plug-in, not battery powered
  • Passes data from ZED to ZC
  • MitM Heaven
• ZigBee End Device - ZED
  • Talks to ZC or ZR
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
Hardware, software, protocol solutions
Allow innovation and automation
Software connects APIs between services
Hardware to speak to everything
Protocol to bridge physical layer
Sources: http://www.ifttt.com, http://www.ninjablocks.com, http://www.revolv.com,
Access to personal information
Can be used to protect physical location
Share some technology with traditional networked devices
Updates are mostly manual if available
Some endpoint devices are not updateable at all (ZigBee, Z-Wave)
Consumers rarely think about patching
Consumers are dependent on manufacturer updates
Many built on SDKs from chip vendors and manufacturers with no security expertise
Use 3rd Party libraries as black boxes
Consumer - Loosely connected devices that may or may not have rules integrating them
Enterprise – Technologies like Closed Loop Lifecycle Management (CL2M) enable businesses to see how their products are being used, track maintenance status, and share information securely
Enterprise users are charging, synching, and connecting IoT devices to corporate assets
The dividing line will disappear
Sources: http://www.vizualiiz.com, http://professional.medtronic.com, http://www.nike.com, http://www.progressive.com, http://retailnext.net, http://www.skylanders.com, https://onlycoin.com
Banking
Insurance
Retail
Health & Fitness
Medical
Entertainment
Asset Management
Sources: http://www.getnymi.com, http://www.yubico.com, http://myidkey.com/
Do these improve security or make people feel safer?
Some IoT devices rely on Wi-Fi credentials only
Hard-to-use products fail
Accounts should depend on class of products
Take measures to counter ease of use & improve security
Perception vs Reality
P2P vs Server Relay
Which is safer?
IoT protocols open parallel wireless networks
Strong encryption + bad implementation = 0 benefit
Increase in attack surface
More devices to patch and maintain
Cannot backport fixes
Dependent on vendor updates
Where do IT teams draw the responsibility line?
Impact of IoT on BYOD
What is allowed on systems?
What is allowed in the network?
What glue services make sense for your company?
Is it worth the risk?
How can you stop them?
Are you watching outbound?
Source: http://www.veracode.com
3rd party libraries getting attacked
Developers select based on features and popularity
Rarely audit code or understand them
Poorly architected, bad code, and not well reviewed
Critical Vulns UPnP (libupnp, miniupnp)
GnuTLS
OpenSSL
GoToFail (Apple SSL)
OpenSSH
LibYAML
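The slide's point is that third-party libraries get pulled into firmware as black boxes and are rarely audited. The following added example, which is not from the talk and not any vendor's tooling, shows the minimum a build pipeline can do about that: keep a component manifest and compare every entry against a list of advisories with affected version ranges. The manifest contents, the advisory entries and their version ranges are all constructed placeholders for this example, not real advisory data; the component names are just the ones the slide lists.

```python
import re
from dataclasses import dataclass

# Constructed firmware component manifest (name=version); not from any real product.
MANIFEST = """\
# build: constructed-example-firmware
libupnp=1.6.17
miniupnpc=1.8
openssl=1.0.1e
gnutls=3.2.4
libyaml=0.1.5
"""


@dataclass(frozen=True)
class Advisory:
    component: str
    first_affected: str   # inclusive lower bound
    first_fixed: str      # exclusive upper bound
    note: str


# Constructed placeholder advisories: the ranges are illustrative, not real data.
ADVISORIES = [
    Advisory("libupnp", "1.0", "1.6.18", "placeholder advisory A"),
    Advisory("miniupnpc", "1.0", "1.6", "placeholder advisory B"),
    Advisory("openssl", "1.0.1", "1.0.1g", "placeholder advisory C"),
    Advisory("gnutls", "3.0", "3.2.5", "placeholder advisory D"),
]


def parse_version(text):
    """Turn '1.0.1e' into a comparable tuple: each numeric part is followed by the
    rank of its letter suffix (0 when absent), so 1.0.1 < 1.0.1e < 1.0.1g and 1.8 < 1.8.1."""
    parts = []
    for num, letter in re.findall(r"(\d+)([a-z]?)", text):
        parts.append(int(num))
        parts.append(ord(letter) - ord("a") + 1 if letter else 0)
    if not parts:
        raise ValueError("unparseable version: %r" % text)
    return tuple(parts)


def parse_manifest(text):
    """Return {component: version} from name=version lines, ignoring comments and blanks."""
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("=")
        components[name.strip()] = version.strip()
    return components


def is_affected(version, advisory):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(advisory.first_affected) <= v < parse_version(advisory.first_fixed)


def find_affected(manifest_text, advisories=ADVISORIES):
    """List (component, version, note) for every manifest entry inside an advisory
    range, in manifest order, so the build can fail or at least warn on them."""
    components = parse_manifest(manifest_text)
    hits = []
    for name, version in components.items():
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                hits.append((name, version, adv.note))
    return hits


if __name__ == "__main__":
    for name, version, note in find_affected(MANIFEST):
        print("%s %s: %s" % (name, version, note))
```

Running it against the constructed manifest reports libupnp, openssl and gnutls as inside their placeholder ranges and passes miniupnpc and libyaml. The version parser deliberately handles the letter-suffix scheme some of these projects use; a real pipeline would also record where each component came from, because a vendored copy patched out of tree may not match the upstream version string at all.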
• Researcher: Nitesh Dhanjani
• User browses to website containing Java exploit code
• Laptop on network compromised with malware
• Infected laptop turns lights off
• Attack pauses when bridge is unplugged
• Attack resumes when bridge is plugged back in
Exploit Source: Nitesh Dhanjani http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
• Researcher: HD Moore
• Cameras were searchable on Internet
• Scanned 3% of Internet
• Found 250,000 devices running services, 5000 vulnerable
• Some vendors had disabled auto answer by default
• Able to capture passwords and documents
• Audio outside rooms was captured
Exploit Source: HD Moore, R7 http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=0
• Researcher: Daniel Crowley
• No authentication on web console
• Unconfirmed authentication bypass
• Firmware can be modified by an attacker
• Server-side request forgery enables devices to bypass firewall and be used as a proxy
Exploit Source: Daniel Crowley of Trustwave SpiderLabs https://www.youtube.com/watch?v=PSRPE49lGYw
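The last bullet describes a server-side request forgery: a web console feature that fetches a caller-supplied URL from the device's own position inside the firewall, so the device becomes a proxy into the LAN. The following added example, which is not from the talk and not the affected product's code, shows the vulnerable pattern next to a hardened one that resolves the target first and refuses private, loopback, link-local and other non-public addresses. Function names, the injected do_get callable and the URLs in the tests are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical names for this example; not any console's real API.
ALLOWED_SCHEMES = {"http", "https"}


def fetch_url_vulnerable(url, do_get):
    """Vulnerable pattern: the console fetches whatever URL it is handed, using the
    device's own network position. A caller can aim it at LAN hosts and read the
    response back, i.e. use the device as a proxy through the firewall."""
    return do_get(url)


def is_public_address(ip_text):
    """True only for addresses a device may reach on a caller's behalf."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_target(url, resolve=socket.gethostbyname):
    """Validate url and return the IP it resolves to, or raise ValueError.

    `resolve` is injectable so the check can run without DNS (see the tests)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ip_text = str(ipaddress.ip_address(host))   # numeric host, check it as-is
    except ValueError:
        ip_text = resolve(host)                     # name: judge the DNS answer, not the text
    if not is_public_address(ip_text):
        raise ValueError("target resolves to non-public address %s" % ip_text)
    return ip_text


def is_allowed_target(url, resolve=socket.gethostbyname):
    """Boolean convenience wrapper around check_target."""
    try:
        check_target(url, resolve)
        return True
    except ValueError:
        return False


def fetch_url_hardened(url, do_get, resolve=socket.gethostbyname):
    """Hardened pattern: validate first, then connect to the address that was checked.
    Handing the checked IP to the HTTP layer instead of re-resolving the name closes
    the window where a second lookup could return a different, internal address.
    Any redirect in the response must go through check_target again before it is followed."""
    ip_text = check_target(url, resolve)
    return do_get(url, connect_ip=ip_text)
```

The allow-by-address check is only half the fix: the console should also ask whether it needs a "fetch any URL" feature at all, which is the attack-surface-reduction point the deck makes later under Secure by Default.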
• Used UPnP buffer overflow to exploit WeMo
• Able to turn on and off the device rapidly
• We had a patch available before the researcher notified us of the issue
• Valid UPnP requests still work within the network
Exploit Source: Daniel Buentello using UPnP vulnerability discovered by HD Moore http://hackaday.com/2013/01/31/turning-the-belkin-wemo-into-a-deathtrap/
2010 study by Tufin Technologies, supported by UK's Association of Chief Police Officers
"...23% of "uni" students have hacked into IT systems.
32% thought hacking was "cool."
28% considered it to be easy.
The hackers offered a variety of motivations for their behavior: curiosity, fun, while "an entrepreneurial 15% revealed that they hacked to make money."
Source: Fast Company http://www.fastcompany.com/1690541/it-security-firm-fear-students, image from Infosec Reactions - http://securityreactions.tumblr.com/
Exploit Source: Joshua Wright http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
• Researcher: Joshua Wright
• Presented at ToorCon 11 - 2009
• Framework for ZigBee exploitation
• Presentation and source are easy to find
• Hardware is cheap and easy to get
• Wireshark has a built-in tool for cracking ZigBee Network (NWK) encryption
Source: https://greatscottgadgets.com/ubertoothone/, http://www.kismetwireless.net
• Open source affordable Bluetooth development platform
• Class 1 Bluetooth device
• Bluetooth & BTLE injection & monitoring
• 802.11 FHSS monitoring and injection
• Basic spectrum monitoring
• Works with Kismet sniffer
• Commercial Bluetooth equipment starts at $10,000
• Cost: $115
10 MHz to 6 GHz operating frequency
Half-duplex transceiver
Compatible with GNU Radio and Software Defined Radio (SDR)
Software-configurable RX and TX gain baseband filter
Open source hardware
Lots of applications already written to decode wireless using this
Cost: $330
Source: https://greatscottgadgets.com/hackrf/, http://www.sharebrained.com/2014/05/28/portapack-h1-imminent/
Universal bus interface
Talks to most chips via PC serial terminal
Comes with debugger software and BIOS/flash programmers
Cost: $30
Source: http://dangerousprototypes.com/docs/Bus_Pirate
• Supports
• 1-Wire
• I2C
• SPI
• JTAG
• Asynchronous serial
• MIDI
• PC keyboard
• HD44780 LCD
• & more
Texas Instruments CC1110
2x SmartRF boards
1 Debugger
Documentation
Software for sniffing & controlling hardware
Flash programmer
Cost: $76
Paired with Z-Force exploit framework from researchers
Source: Behrang Fouladi & Sahand Ghanoun, Sensepost http://research.sensepost.com/conferences/2013/bh_zwave, http://research.sensepost.com/tools/embedded/zforce
Offensive Security Defensive Security
New technologies, limited standards, competing protocols, and more attack surface may scare you…
GO BACK TO BASICS
• Secure By Design
• Secure By Default
• Secure In Deployment
• Defense In Depth
Secure by Design
Secure architecture and code
Threat analysis
Vulnerability reduction
Secure by Default
Attack surface area reduced
Unused features turned off by default
Minimum privileges used
Secure in Deployment
Protection: Detection, defense, recovery, and management
Process: How-to guides, architecture guides
People: Training
Source: Josh Abraham (Jabra)
Defense In Depth is critical
Separate classes of systems, devices, and users
What do IoT devices need access to?
Limit password reuse
Password Management
Multi-factor authentication
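Two of the deck's questions, "Are you watching outbound?" and "What do IoT devices need access to?", come down to the same control: put each device class on its own segment with an explicit list of what it may talk to, and alert on everything else. The following added example, which is not from the talk, runs that policy over a few flow records. The device inventory, the per-class policy, the vendor relay network 198.51.100.0/24 and the log lines are all constructed for this example; the key=value record format is an assumption, not any particular firewall's export format.

```python
import ipaddress
import re

# Constructed inventory: which class each known device belongs to (by source IP).
INVENTORY = {
    "192.168.50.12": "iot-plug",
    "192.168.50.20": "iot-camera",
    "192.168.10.5": "workstation",
}

# Constructed policy: per class, the (network, ports) pairs a device may reach.
# ports=None would mean any port. 198.51.100.0/24 stands in for a vendor cloud relay;
# IoT classes get nothing else, which is the "what do they need access to?" answer.
POLICY = {
    "iot-plug": [("198.51.100.0/24", {443})],
    "iot-camera": [("198.51.100.0/24", {443})],
    "workstation": [("0.0.0.0/0", {80, 443})],
}

# Segments we treat as internal for the lateral-movement check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in key=value form.
SAMPLE_LOG = """\
ts=2014-07-10T10:00:01 src=192.168.50.12 dst=198.51.100.9 dport=443 proto=tcp
ts=2014-07-10T10:00:07 src=192.168.50.12 dst=192.168.10.5 dport=445 proto=tcp
ts=2014-07-10T10:01:15 src=192.168.50.20 dst=203.0.113.77 dport=6667 proto=tcp
ts=2014-07-10T10:02:03 src=192.168.50.33 dst=198.51.100.9 dport=443 proto=tcp
ts=2014-07-10T10:02:40 src=192.168.10.5 dst=203.0.113.77 dport=443 proto=tcp
"""


def parse_record(line):
    """Split 'k=v k=v ...' into a dict; an empty dict for blank or junk lines."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_allowed(device_class, dst_text, dport):
    """True when some policy entry for the class covers destination and port."""
    dst = ipaddress.ip_address(dst_text)
    for net, ports in POLICY.get(device_class, []):
        if dst in ipaddress.ip_network(net) and (ports is None or dport in ports):
            return True
    return False


def classify_outbound(log_text, inventory=INVENTORY):
    """Return one alert dict per flow that the policy does not explain."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        src, dst_text, dport = rec["src"], rec["dst"], int(rec["dport"])
        device_class = inventory.get(src)
        if device_class is None:
            alerts.append({"ts": rec["ts"], "src": src, "reason": "device not in inventory"})
            continue
        if is_allowed(device_class, dst_text, dport):
            continue
        dst = ipaddress.ip_address(dst_text)
        if any(dst in net for net in INTERNAL_NETS):
            reason = "lateral: %s reached internal host %s:%d" % (device_class, dst_text, dport)
        else:
            reason = "unexpected external destination %s:%d for %s" % (dst_text, dport, device_class)
        alerts.append({"ts": rec["ts"], "src": src, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in classify_outbound(SAMPLE_LOG):
        print("%(ts)s %(src)s %(reason)s" % alert)
```

On the sample records the plug's connection to the vendor relay and the workstation's HTTPS session pass, while the plug reaching a workstation on port 445, the camera talking to an unknown external host on 6667, and a source address that is not in the inventory each produce an alert. The inventory is the weak point of this approach: it only works if every device on the IoT segment is actually enrolled, which is the BYOD question the deck raises.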
Industry collaboration to improve security of embedded OS and protocols is critical
Groups like BuildItSecure.ly are trying to improve collaboration between vendors and security researchers
Improvements to standards like ZigBee HA 1.3
UPnP+ certification requiring Device Protection
Secure Elements / TPM for firmware protection
• Does deploying biometric sensors to employees put a company at risk if the data is compromised?
• What compliance issues arise based on the data being collected and whether companies have access to it?
Source: http://www.computerworld.com/s/article/9247137/Pros_and_Cons_of_Using_Fitness_Trackers_for_Employee_Wellness?taxonomyId=220
IoT brings awareness, automation, & security to enterprise environments
Rapid growth of IoT devices and vendors without security focus
Insecure devices expanding network attack surface
Plan your IoT implementation based on use cases
Select devices to fit use cases rather than individual issues
Threat Model, plan, remediate, mitigate
The protection line has moved, adjust your goals
Thank you for attending
Contact [email protected] for additional information on IoT & Security
Thanks to Amanda Honea, Dianne Asis, & my family for their support
Thanks to Terry Gold for the invitation and in-depth biometrics discussions
Questions?