iotnext 2016 - safenation track
TRANSCRIPT
Page 1
Las Vegas comes to Bengaluru!
IoTNext 2016 - SafeNation Track
• Arvind Tiwary
• Ravi Mishra
• Vishwas Lakkundi
• Devesh Bhatt
Page 2
Task Force on IoT Security
IoT Forum & CISO Platform join hands to create the IoT Security Task Force
Readying up the Nation for #IoTSecurity
The task force is chartered to develop threat models and controls, and to assist players in new techno-legal-commercial arrangements to improve IoT security
Fresh thinking around Security for IoT
Page 3
The Indus Entrepreneurs (TiE) Network
15,000+ Members globally
58 Chapters spread across the globe
Across 18 Countries
2,500+ Charter Members globally
1999 Started the Bangalore Chapter
750+ Members in Bangalore
1,000+ Startups at TiE Bangalore
75+ events per year in Bangalore
1992 TiE Silicon Valley was started
125+ Mentors/CMs in Bangalore
Page 4
TiE IoT Forum Activities: 12 Billion Indian IoT Market
▪ June 5 Open House (attended by 125+ participants)
▪ June 26 Communication (connectivity workshop attended by over 25 participants)
▪ Aug 6 Bluetooth (technical deep dive session attended by over 35 participants)
▪ Aug 22 Surveillance Workshop with B.PAC for schools (attended by over 25 participants)
▪ Sep 11 MOU with IESA; press coverage in leading online and print media
▪ Sep 11 Smart Water-Power & Internet: Public utilities for the city of the future (TiE IESA Bangalore, attended by 280+ participants)
▪ Sep 18 IoT in Retail (attended by 65+ participants)
▪ Nov 13 Crowdfunding Your IoT Product (attended by 75+ participants)
▪ Nov 19 MEMS technical deep dive session (attended by 30+ participants)
▪ Nov 20 Smart Devices: Leveraging Consumerization and Open Innovation for the Future (TiE IESA Hyderabad, 65+ participants)
▪ Feb 20 IoT based Smart Grid: Core of Sustainable Living (TiE IESA Delhi, 50+ participants)
▪ Feb 26 Contiki IoT workshop: Middleware for IoT (RBCCPS Bangalore, 40 participants)
▪ March 10 Workshop Demystifying IoT (TiE IESA Pune, 50 participants)
▪ March 10 Smart Vehicles: The IoT Future (TiE IESA Pune, 50 participants)
▪ May 9 IoT Innovation Showcase by 16 Startups (150+ participants)
▪ June 25 Smart Agriculture and Smart Healthcare (TiE IESA with pan-India colleges and universities, 175+ participants)
▪ Sep 25 IoT Security, an IEEE partner event (IEEE partner, 75+)
▪ Dec 4 – 5 IEEE Bangalore: Leveraging Use Cases to Validate IoT Opportunities (partner event, 200+)
▪ Dec 9 - 10 IoT Next 2015 (700+ participants, 60 speakers, 20 startups)
Years covered: 2014 and 2015
20+ events, 2000 attendees, 280+ startups
Page 5
About CISO Platform
Industry’s 1st Dedicated Collaboration Platform for CISOs and Senior IT Security Leaders with the vision to:
• Help CISOs make the right IT Security decisions using our Decision Tools, Content and Peer Collaboration
• Build a community based knowledge repository in the form of structured research and reference documents
Current Research Areas Include
• IoT Security
• Cyber Crisis Management
• Cyber Security Index
• Top N Threats & Controls Mapping
• Enterprise Security Architecture
• Using AI for Security Decisions
Page 6
FRIDAY OCTOBER 21, 2016
DO YOU REMEMBER THIS DATE??
Page 7
LARGEST DDOS ATTACK AGAINST DYN
Page 8
Why Did Dyn Fail?
▪ A large network of compromised devices was used to flood Dyn’s servers with traffic
▪ In particular, servers used as part of Dyn’s enterprise offerings were targeted
▪ Dyn wasn’t able to handle the additional traffic, and its servers either stopped responding or responses were substantially delayed.
Page 9
Who Did it and Why?
Page 10
How can we minimize the risk?
▪Use multiple DNS providers. This way, if one experiences problems, we can use the others as backup
▪This requires additional tools and setup to make sure information is synchronized across different providers
▪We can maintain some DNS servers in house to provide limited service to internal users and as a last resort if we are not targeted, but experience issues due to collateral damage
▪Adjust our DNS configuration to allow for caching of our records (increase “Time to Live”)
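Two of the points on this slide can be checked mechanically against a zone file: whether the NS records actually span more than one provider, and whether record TTLs are long enough for resolvers to keep serving cached answers while a provider is under attack. The following Python audit is an added example, not material from the deck or its speakers. The zone text, the provider names and the 3600-second floor are constructed for the example; treating the last two labels of a nameserver hostname as "the provider" is a simplification that ignores multi-label public suffixes.

```python
import re

# Constructed BIND-style zone fragment for this example (not a real zone).
# Both NS hosts sit under the same provider, and several records have short TTLs.
SAMPLE_ZONE = """\
$TTL 300
example.test.        300  IN NS   ns1.provider-a.test.
example.test.        300  IN NS   ns2.provider-a.test.
example.test.        300  IN A    192.0.2.10
www.example.test.    60   IN A    192.0.2.11
api.example.test.    3600 IN A    192.0.2.12
mail.example.test.        IN A    192.0.2.13   ; no TTL field, inherits $TTL
"""

# owner, optional TTL, class IN, type, rdata (one record per line)
RECORD_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?IN\s+(\S+)\s+(\S+)$")


def parse_zone(text):
    """Return (owner, ttl, rtype, rdata) tuples; records without an explicit TTL use $TTL."""
    default_ttl = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                             # unsupported syntax is skipped, never guessed
        owner, ttl, rtype, rdata = m.groups()
        ttl = int(ttl) if ttl is not None else default_ttl
        records.append((owner, ttl, rtype, rdata))
    return records


def provider_of(ns_host):
    """Approximate the hosting provider as the last two labels of the NS hostname (simplification)."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_zone(records, min_ttl=3600, min_providers=2):
    """Report the two resilience gaps the slide warns about: a single provider and short TTLs."""
    findings = []
    providers = sorted({provider_of(rdata) for _, _, rtype, rdata in records if rtype == "NS"})
    if len(providers) < min_providers:
        findings.append(f"NS records span only {len(providers)} provider(s): {providers}")
    for owner, ttl, rtype, _ in records:
        if rtype in ("A", "AAAA") and ttl is not None and ttl < min_ttl:
            findings.append(f"{owner} {rtype} TTL {ttl}s is below the {min_ttl}s caching floor")
    return findings


if __name__ == "__main__":
    for finding in audit_zone(parse_zone(SAMPLE_ZONE)):
        print(finding)
```

Run against the sample zone it reports one provider-diversity finding and three short-TTL records; `api.example.test.` passes because its TTL meets the floor. A longer TTL is a trade-off: it also delays legitimate record changes, so the floor should be chosen per record type rather than applied blindly.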
Page 11
IoT Architectural Layers
Layers (left to right): End Nodes, Hubs, Gateway, Platform, Applications, Touchpoints
Example elements shown across the layers:
Temp Sensor
Vibration Sensor
Fitness tracker
Electric Meter
Switch Actuator
Router Nodes
Edge Router
Smartphone
LPWAN Basestations
Opensource
Commercial
Device Management
Access Management
Security
End user
City Managers
System Admin
City One
Operations Center
Apps
SMS
Social Media
3rd Party
Page 12
Components of an IoT Node
Microcontroller
RF Transceiver
External Memory
Sensors/Actuators
Power Source/Storage
Energy Harvesting
Hardware Layers
Low-level Device Drivers
Energy-aware RTOS (optional), Protocols and Middleware
App Interfaces for Sensors, Communication, Processing..
Page 13
Security of Nodes
▪ Securing the end nodes (physical accessibility)
▪ Securing the network links
▪ Securing remote device management
▪ Securing admin operations
▪ OS security configurations
▪ Patching and firmware updates
▪ Reverse engineering of just one node can lead to an insecure network!
Page 14
Threat Model
Page 15
Components of an IoT Gateway
Microprocessor
Applications
Local Storage/Database
Local/Edge Analytics
Power Source
Local UI
Protocol Translators/Proxies
Cloud Connectivity
Security
Page 16
Security of Gateways
▪Protocol Translation vs End-to-End Encryption
▪Secure On-boarding of Devices
▪Secure Boot
▪Firewalls
▪Intrusion Prevention System
▪Access Control Policy
▪Root of Trust and TPM
▪Security Updates
Page 17
Threat Model
Page 18
APPLICATION SECURITY
Page 19
Types of Threats
Network: threats against the network (spoofed packets, etc.)
Host: threats against the host (buffer overflows, illicit paths, etc.)
Application: threats against the application (SQL injection, XSS, input tampering, etc.)
Page 20
BHUSA and DEFCON Talk Trends
BlackHat
▪ Total talks – 117
▪ Top 5 domains
▪ Malware - 22 talks
▪ Platform security: VM, OS, Host, Container - 21 talks
▪ Exploit development - 15 talks
▪ Android, iOS security - 13 talks
▪ Internet of Things - 13 talks
DEFCON
▪ Total talks – 100
▪ Top 5 domains
▪ Internet of Things - 19 talks
▪ Network security - 13 talks
▪ Application security - 10 talks
▪ Critical infrastructure protection - 7 talks
▪ Penetration testing - 7 talks
Page 21
Detailed Trends
BlackHat DEFCON
Page 22
KEY ATTACKS OF 2016
Page 23
TOP Talks
1. Building Trust and Enabling Innovation for Voice Enabled IoT by Lynn Terwoerds (BHUSA)
2. Let's Get Physical: Network Attacks Against Physical Security Systems (DEFCON)
3. A Lightbulb Worm? by Colin O'Flynn (BHUSA)
4. Can You Trust Autonomous Vehicles? by Jianhao Liu, Chen Yan, Wenyuan Xu (DEFCON)
5. Picking Bluetooth Low Energy Locks from a Quarter Mile Away by Anthony Rose (DEFCON)
Page 24
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
1. BLE is Bluetooth Low Energy, designed for apps that don't need to exchange large amounts of data
✓ Operates on the 2.4 GHz frequency
✓ Used in car locks, bike locks, padlocks, door locks, gun cases, lockers, ATMs, Airbnb etc.
✓ Short range (<100 m) and consumes very little energy
✓ Total 3 billion devices per year
2. Attack set-up
✓ Ubertooth One
✓ Bluetooth dongle
✓ high beam antenna
✓ Raspberry Pi
Page 25
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
1. Sniffing - plain text passwords
➢ War dialing by roaming around using Ubertooth One
➢ The high beam antenna makes it easier to capture far away signals.
➢ The attacker sniffs the BLE traffic, gets the dump and takes out the user password
➢ Uses HCI and a Bluetooth dongle to send the authentication requests to the device, and it opens up
2. Replay attacks
➢ Devices like Ceomate, Elecycle, Vians and Lagute use encryption (AES-256)
➢ Sniff the complete packet as it is, with the password in encrypted form, and still break into the lock
Page 26
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
3. Fuzzing devices (Okidokey)
▪ This exploits the fail-safe mechanism in the devices
▪ Initially claimed that they had AES-256 plus custom developed encryption (which is not a good idea)
▪ When the attacker sniffed the traffic, he noticed message packets having some commands and a couple of random keys which looked very difficult to break
▪ The first part is an op code and the second part is the actual key
▪ The attacker changed the 3rd byte to 0; the device went into an error state and, since there was no error state defined, it just unlocks itself
▪ It came out that their patented crypto was the culprit, wherein they were XORing the previous keys to get the new keys.
Page 27
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
4. Decompiling APKs
▪ This was done with the Danalock door lock.
▪ Download APK ---> dex to jar → Analyse
▪ Reveals the encryption method and hardcoded passwords
▪ XOR (password, thisishtesecret) and store it in the table
5. Device spoofing
▪ This was done with Bitlock, which is a padlock for bikes
▪ This is possible where the user authentication happens in a webserver and there is nothing stored on the device
▪ The attacker here impersonates the lock and actually steals the sensitive encrypted nonce from the user.
Page 28
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
Page 29
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
Page 30
CONTROLS
✓ encryption (AES-256)
✓ random nonce
✓ strong passwords, multi factor authentication
✓ no hard coded passwords
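The lock failures summarised on the preceding slides (a captured packet replayed against the lock, a corrupted byte dropping the device into an undefined state that unlocks, a secret hard-coded into the app) and the controls listed here map onto one small design: a fresh random nonce per attempt, an unlock command that carries a MAC over that nonce under a per-device key, and a command handler that treats anything it does not recognise as "stay locked". The Python simulation below is an added example, not code from the deck or from the talk it summarises; the opcode value, packet layout, per-device key provisioning and the scenario packets are all constructed for the example.

```python
import hashlib
import hmac
import secrets

OP_UNLOCK = 0x01      # constructed opcode value for this example
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 output length


def make_unlock_packet(device_key: bytes, nonce: bytes) -> bytes:
    """Phone side: prove knowledge of the device key for *this* nonce only."""
    tag = hmac.new(device_key, b"unlock" + nonce, hashlib.sha256).digest()
    return bytes([OP_UNLOCK]) + tag


class Lock:
    """Simulated lock firmware. Every rejection path leaves the bolt where it was."""

    def __init__(self, device_key: bytes):
        # Per-device key provisioned at manufacture (assumption), so no secret is
        # shared across the whole product line or recoverable from the app.
        self._key = device_key
        self.locked = True
        self._pending_nonce = None

    def request_challenge(self) -> bytes:
        """Hand out a fresh random nonce; a replayed packet cannot match it."""
        self._pending_nonce = secrets.token_bytes(NONCE_LEN)
        return self._pending_nonce

    def handle(self, packet: bytes) -> str:
        # The challenge is single-use whatever the outcome, so a bad packet
        # cannot be retried against the same nonce.
        nonce, self._pending_nonce = self._pending_nonce, None
        if nonce is None:
            return "rejected: no outstanding challenge"
        if len(packet) != 1 + TAG_LEN:
            return "rejected: bad length"
        if packet[0] != OP_UNLOCK:
            return "rejected: unknown opcode"      # no undefined 'error state'
        expected = hmac.new(self._key, b"unlock" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet[1:]):  # constant-time compare
            return "rejected: bad tag"
        self.locked = False
        return "unlocked"


def run_scenarios() -> dict:
    """Exercise the handler with a legitimate unlock and the three slide failure modes."""
    key = secrets.token_bytes(32)   # constructed per-device key
    lock = Lock(key)
    results = {}

    # 1. Legitimate unlock: fresh challenge, correct tag.
    nonce = lock.request_challenge()
    good = make_unlock_packet(key, nonce)
    results["legit"] = lock.handle(good)
    lock.locked = True               # re-lock for the remaining rounds

    # 2. Replay: the same captured packet against a new challenge.
    lock.request_challenge()
    results["replay"] = lock.handle(good)

    # 3. Tampering: the 3rd byte altered (the slide zeroed it; XOR is used here so
    #    the byte is guaranteed to change whatever its original value).
    nonce = lock.request_challenge()
    tampered = bytearray(make_unlock_packet(key, nonce))
    tampered[2] ^= 0xFF
    results["tampered"] = lock.handle(bytes(tampered))

    # 4. Unknown opcode with an otherwise valid tag.
    nonce = lock.request_challenge()
    bad_op = bytes([0xFF]) + make_unlock_packet(key, nonce)[1:]
    results["unknown_opcode"] = lock.handle(bad_op)

    results["still_locked"] = lock.locked
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that the handler consumes the challenge before it parses anything and has no path that changes `locked` except a successful MAC check, so fuzzing the opcode or the payload can only produce a rejection. A real device would also rate-limit challenges and store the per-device key in protected memory rather than a plain attribute.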
Page 31
Fresh Thinking around Security for IoT
Page 32
Fresh Thinking: Is the Emperor Naked?
Page 33
Urban City: Does every house need to be a Fort Knox?
▪The Wild West
▪The Frontier Town
▪The City
▪The Mega Polis
▪The Township
Rights of Self Defence and Delegated Policing in Cyberspace?
The Cyber Rights
Page 34
Going Forward..
▪ Technical Roadmap
▪ Community Engagement
  ▪ Deep practitioners
  ▪ Architectural
www.IoTForIndia.org
Page 35
REFERENCES
❖ https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
❖ https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
❖ https://www.blackhat.com/us-16/briefings.html
❖ https://www.defcon.org/html/defcon-24/dc-24-index.html
❖ https://isc.sans.edu/presentations/dyndnsattack.pptx
❖ https://www.mdsec.co.uk/2016/10/building-an-iot-botnet-bsides-manchester-2016/
Special thanks to:
❖ Lynn Terwoerds for “Building Trust and Enabling Innovation for Voice Enabled IoT”
❖ Ricky Lawshae for “Let's Get Physical: Network Attacks Against Physical Security Systems”
❖ Eyal and Colin O'Flynn for “A Lightbulb Worm?”
❖ Jianhao Liu, Chen Yan, Wenyuan Xu for “Can You Trust Autonomous Vehicles?”
❖ Anthony Rose and Ben Ramsey for “Picking Bluetooth Low Energy Locks from a Quarter Mile Away”
Page 36
Thank You