The Internet of Things (IoT)What Does It Have To Do With Transit?

Abraham KololliUtah Transit Authority

1

DefenseInDepth

2

NetworkDefenseSystem

3

6,535 57916,537

69,164

33,444

130,124

14,665

88,371

159,560

143,388112,000

189,085

114,4372,615,730

2,331,591

2,133,881

5,127,047

3,142,792

6,413,998

4,788,055

5,908,155

7,328,903

13,136,336

8,492,025

17,315,17715,584,168

279,753 265,132 256,430 290,483 292,164 312,773 302,588 308,170 320,222 308,353 296,470 287,397 287,666

0

20,000

40,000

60,000

80,000

100,000

120,000

140,000

160,000

180,000

200,000

10,000

100,000

1,000,000

10,000,000

100,000,000

Dec-15 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16

Num

berofVira

lEmailsBlocked

Num

bero

fMessages

InboundEmailfromProofpointTrendDecember2016

MsgswithViruses SpamMsgs TotalForwardedMsgs4

MaliciousWebSites/Links/iFrames, 10,717

SuspiciousContent, 4,078

ProxyAvoidance, 221

PhishingandOtherFrauds, 56

Peer-to-PeerFileSharing, 3

UnauthorizedMobileMarketplaces, 3

BotNetworks, 2

MaliciousActivityHitsBlocked

December2016

5

6

7

8

9

10

11

TheIOTisgoingtobebig(Howbig?Nobodyknows…)

28.1BILLION“UNITS”IN2020

$7.1TRILLIONGLOBALSOLUTIONREVENUESBY2020

Source:IDC,May2014

26BILLION“UNITS”BY2020

$300BILLIONSERVICESREVENUES

IN2020

$1.9TRILLIONGLOBALECONOMIC

VALUEIN2020Source:Gartner,March2014

25BILLIONM2M“CONNECTIONS”

BY2022

$1.2TRILLIONGLOBALOPPORTUNIY

BY2022

OFWHICH

2.6BILLIONARECELLULAR

Source:MachinaResearch,January2013

12

WhereisIoT?It’sEverywhere!

Smart Appliances

Healthcare

Wearable Tech

13

TheConnectedWorldofIoT

SmartschoolsSmartvehicles Smarthomes

SmarthealthcareSmartwearablesSmartphones

14

DoWeHaveIoT inTransit?

FuelingSystemBuildingManagementSystemHVAC&TemperatureSensorsSurveillanceCamerasSignalSystemPassengerSignsSprinklerSystemsSnowMeltSystemsElectronicFareReadersTicketVendingMachinesAndMANYMore!

15

ShouldWeBeConcernedAboutIoT?

• It’s just another desktop/laptop/computer, right?

• Imagine your network with many more computers that you

don’t manage or even know they exist.

• All of the same issues we have with access control, vulnerability

management, patching, monitoring, etc.

• Any compromised device is an attack vector on the network

16

Why Attack IoT? Easy Target? (Naahhh!)

• Default, weak, and hardcoded credentials

• Difficult to update firmware and OS• Lack of vendor support for repairing vulnerabilities

• Vulnerable web interfaces (SQL injection, XSS)

• Coding errors (buffer overflow)

• Clear text protocols and unnecessary open ports• DoS / DDoS

• Physical theft and tampering17

IoT GetAttacked,DoWeCare?

• SendSpam(InternalUsersorEvenWorse,toExternalUsers).

• ServeaMalware• CoordinateanAttackAgainstaCriticalInfrastructure

• WorkasanEntryPointtoLaunchAnotherAttack

18

ThereGoesTheGoodOleDays!

19

SoftwareDefinedRadios– SDR(Hacker’sHeaven)

• UsesanIntegratedCircuittocontroltheradio• Controlsaverywiderangeoffreqs• Runsonacomputerusingopensourcesoftware(GNU-Radio,WINSDR,HackRF,RTLSDRandmanymore)

• SoftwaredecodesRFmessagesonthefly(wealthofinformation)• UsesreadilyavailableLayer1hardwaretoTX&RXinmanyfreqs• Capture,modify,rebroadcast,analyze,impersonate,jam

20

AvailableonAmazonandeBay($20-$350)

21

IoT Networks(Wired&Wireless)

InsteonYardStick One(RFCat)Shipley’sInsteonrf

SamsungSmartThingsSimplySafeUsesHomeID &NodeIDYardStick One(RFCat)Scapy-Radio and EZWave

Z-WaveDeveloperKit

22

References

23

TraditionalInteractionBetweenITandControlSystems

CoreIT

Zone

IoTControlZone

24

CoreIT

Zone

IoTControlZone

ITtoIotManagementZone

DesignaFrameworkwithInteractionandCommunicationinMind

Finalthoughts

• Securityismorethanjustbunchofeventsthathappen

• Securityfailuresareseldomtheresultofoneerror,theyareacollectionoferrorsovertime

• Mostofthetimeswehavegooddays,butforgettonoticethecloudsonthehorizon

• Enoughcloudspileup,andyouhaveabadday….26

Questions?

27