THIS TIME IT’S PERSONAL Why Security and the IoT is Different Justin Grammens, Lab 651

Posted on 21-Jan-2018

TRANSCRIPT

Page 1: This Time, It’s Personal: Why Security and the IoT Is Different

THIS TIME IT’S PERSONAL
Why Security and the IoT is Different

Justin Grammens, Lab 651

Page 2

Fear of the Internet of Things

Page 3

What We’ll Cover

• About Me

• What is the Internet of Things

• What’s the big deal?

• Example security exploits

• Anti-patterns that should be guarded against

• Emerging security techniques

Page 4

About Me

• Software Engineer for 20+ years

• Serial Entrepreneur

• Cofounder of Lab 651 & IoT Fuse

• Adjunct Professor at University of Saint Thomas teaching IoT

• Publisher of IoT Weekly News

• Excited for the next wave of connected things!

Page 5

What is the Internet of Things?

Formal: The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to connect and exchange data.

Practical: The physical world becoming one big information system. We are moving from Internet of Computers (IoC) to IoT. It should actually be called “Things on the Internet”.

Page 6

IoC vs IoT…What’s the Big Deal?

1. Massive Changes in Scale

2. Impact on the Physical World

Page 7

Page 8

Page 9

Security Needs to Be Addressed at Each Level

Page 10

Security of IoT vs IoC

• IoT has both information attacks and physical tampering

• Nearly all use wireless communications

• “Denial of sleep” attacks to kill battery

• Devices are expected to run with low power

• Operating systems may not support sophisticated security approaches

• Often not easily updatable and no screen / user interface

• It’s not the massive attacks but the smaller-scale ones that are more worrisome

Page 11

IoT vs IoC – Personal Data

• It is estimated that the average household generates ~2TB of data a year; by 2020 this is expected to be 10TB of personal data.

• Researchers found that Vizio & Samsung TVs send data to third parties and have known vulnerabilities that allow listening in on your home or on what you watch

• FitBit can tell if you are active or not when you say you are

• Police used a woman’s Fitbit to discount a story of assault

• Tesla using data logs to disprove claims by automotive reviewers

• Things are becoming personal…

Page 12

Hacking Devices: “Broken Hearts” episode, Homeland, 2012

Page 13

Yeah, but is this actually possible?

Page 14

Source: https://www.theverge.com/2017/8/30/16230048/fda-abbott-pacemakers-firmware-update-cybersecurity-hack

Page 15

Find Open Devices

Page 16

Open Camera

Page 17

This is new, but is it?

Page 18

Mirai Botnet

• Malware infecting IP cameras, routers & DVR players

• Infected more than 600,000 devices

• Started by 3 college students

• Some countries in Africa were taken offline

• Could have affected more than 185 million devices *

* Source: http://www.newsweek.com/mirai-botnet-brought-down-internet-was-minecraft-stunt-747806

Page 19

Owlet Baby Monitor

• Monitor your baby’s heart rate & oxygen level

• Base station creates a completely open WiFi

• Anyone in range could:
  • Send data to another network/server
  • Disable alerts

• Nest camera had similar exploit

Page 20

Jeep Hack

• In 2015 security researchers hacked a Jeep to take control of the vehicle

• Used the cellular network and the vehicle’s Controller Area Network (CAN) bus

• Chrysler recalled 1.4 million vehicles to fix this issue

Page 21

Anti-Patterns

• Doing too much
  • Just because you can run a full Linux OS, should you?
  • Consider your end user – do they need root access?
  • Input validation and buffer overflows need to be checked

• Bugs
  • Integer overflows
  • Race conditions
  • Memory corruption

Page 22

Anti-Patterns

• Weak encryption

• Service passwords
  • No authentication
  • Default credentials that are easily discoverable
  • Permanent credentials (for support), never changeable
  • Failure to allow for revocation of a credential or privilege
  • Failure to allow for delegation of privilege to another legitimate party (forces workarounds)

• Unclear instructions, or defaulting to the device being online rather than opt-in

Page 23

Anti-Patterns

• No authentication
  • The CAN bus is how communication happens within an automobile. It was never designed for connections over the internet.

• Default credentials
  • EURECOM found 100,000 internet-facing IoT devices with default passwords

• Permanent credentials
  • The ComfortLink thermostat set root passwords that could not be changed. Finally fixed after 2 years
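The three anti-patterns on this slide (no authentication, default credentials, permanent credentials), together with the revocation and delegation failures listed on the previous one, can be turned into a concrete device-side policy. The Go program below is an added example written for this transcript; it is not code from the talk or from Lab 651, and the `CredentialStore` type, its methods, the sample accounts and the fixed clock are all constructed here. It keeps only salted hashes, refuses to open a session on a factory default until that default has been changed, revokes immediately, and issues a separate time-limited credential for a delegated party instead of a permanent support password.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadSecret  = errors.New("unknown user or wrong secret")
	ErrRevoked    = errors.New("credential revoked")
	ErrExpired    = errors.New("credential expired")
	ErrMustChange = errors.New("factory default secret must be changed before use")
)

// Credential is one account on the device. Only a salted hash of the secret is
// kept; a production device should use a password KDF such as Argon2 or scrypt
// instead of the plain SHA-256 used here to stay within the standard library.
type Credential struct {
	salt      [16]byte
	hash      [32]byte
	IsDefault bool      // factory-provisioned value, e.g. printed on the label
	Revoked   bool      // set by Revoke and never cleared
	Expires   time.Time // zero value means no expiry
}

func hashSecret(salt [16]byte, secret string) [32]byte {
	return sha256.Sum256(append(salt[:], secret...))
}

// CredentialStore is the device's account table (constructed for this example).
type CredentialStore struct{ creds map[string]*Credential }

func NewStore() *CredentialStore { return &CredentialStore{creds: map[string]*Credential{}} }

// add stores a freshly salted hash for user; the flags say how it may be used.
func (s *CredentialStore) add(user, secret string, isDefault bool, expires time.Time) {
	c := &Credential{IsDefault: isDefault, Expires: expires}
	if _, err := rand.Read(c.salt[:]); err != nil {
		panic(err) // no entropy: refuse to provision rather than use a weak salt
	}
	c.hash = hashSecret(c.salt, secret)
	s.creds[user] = c
}

// ProvisionDefault installs the factory secret and marks it as must-change.
func (s *CredentialStore) ProvisionDefault(user, secret string) { s.add(user, secret, true, time.Time{}) }

// Delegate issues a separate, time-limited credential to another legitimate party.
func (s *CredentialStore) Delegate(user, secret string, ttl time.Duration, now time.Time) {
	s.add(user, secret, false, now.Add(ttl))
}

// check verifies the secret and state; the must-change rule lives in Authenticate.
func (s *CredentialStore) check(user, secret string, now time.Time) (*Credential, error) {
	c, ok := s.creds[user]
	if !ok {
		return nil, ErrBadSecret // same error as a wrong secret: do not reveal which accounts exist
	}
	got := hashSecret(c.salt, secret)
	if subtle.ConstantTimeCompare(got[:], c.hash[:]) != 1 {
		return nil, ErrBadSecret
	}
	if c.Revoked {
		return nil, ErrRevoked
	}
	if !c.Expires.IsZero() && !now.Before(c.Expires) {
		return nil, ErrExpired
	}
	return c, nil
}

// Authenticate is the login path; a factory default is only ever good for ChangeSecret.
func (s *CredentialStore) Authenticate(user, secret string, now time.Time) error {
	c, err := s.check(user, secret, now)
	if err == nil && c.IsDefault {
		return ErrMustChange
	}
	return err
}

// ChangeSecret replaces the secret once the old one is proven; no account is ever permanent.
func (s *CredentialStore) ChangeSecret(user, old, next string, now time.Time) error {
	if _, err := s.check(user, old, now); err != nil {
		return err
	}
	s.add(user, next, false, time.Time{})
	return nil
}

// Revoke invalidates a credential immediately (lost phone, ended support contract).
func (s *CredentialStore) Revoke(user string) {
	if c, ok := s.creds[user]; ok {
		c.Revoked = true
	}
}

func main() {
	now := time.Date(2018, 1, 21, 12, 0, 0, 0, time.UTC) // constructed clock
	s := NewStore()
	s.ProvisionDefault("admin", "admin")
	fmt.Println("login with factory default:", s.Authenticate("admin", "admin", now))
	fmt.Println("change it:", s.ChangeSecret("admin", "admin", "correct horse battery staple", now))
	s.Delegate("support", "session-7f3a", time.Hour, now)
	fmt.Println("support two hours later:", s.Authenticate("support", "session-7f3a", now.Add(2*time.Hour)))
}
```

The clock is passed in rather than read from `time.Now()` so that expiry is testable and so that a device without a trustworthy clock can make the dependency explicit; an unknown user and a wrong secret return the same error on purpose.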

Page 24

Online Trust Alliance – IoT Rules

• Default passwords must be prompted to be reset or changed on first use

• All users must adhere to SSL best practices using industry standards

• All device sites and cloud services must use HTTPS encryption

• Manufacturers must conduct penetration testing of devices, applications and services

• Manufacturers must have remediation plans when vulnerabilities are found

• All updates, patches and revisions must be signed and verified

• Manufacturers must provide a mechanism for the transfer of ownership
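The rule that updates must be signed and verified is the one on this list that is most often implemented only partially (a hash but no signature, or a signature but no rollback protection). The Go program below is an added example for this transcript, not code from the talk or from the Online Trust Alliance; `Manifest`, `Updater` and the signing helper are constructed here. It assumes an Ed25519 vendor public key provisioned on the device at manufacture and a monotonically increasing build number, and it rejects a manifest signed by an unknown key, an image that does not match the signed digest, and a rollback to an older build.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one firmware image (constructed for
// this example). The device trusts only a manifest signed by the vendor,
// never the image bytes on their own.
type Manifest struct {
	Version uint32   // monotonically increasing build number
	Digest  [32]byte // SHA-256 of the image bytes
}

// NewManifest computes the digest for an image (build-server side).
func NewManifest(version uint32, image []byte) Manifest {
	return Manifest{Version: version, Digest: sha256.Sum256(image)}
}

// Encode fixes the exact byte layout that gets signed: 4-byte big-endian
// version followed by the 32-byte digest.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// GenerateVendorKey makes the vendor's Ed25519 signing pair (hypothetical
// factory step); the private half never leaves the vendor.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the build-server step that produces the release signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// Updater is the device side: the vendor public key is provisioned at
// manufacture and the running version is kept to refuse rollbacks to older,
// possibly vulnerable builds.
type Updater struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match the signed manifest")
	ErrRollback     = errors.New("update is not newer than the running version")
)

// Apply accepts the image only if all three checks pass. The signature is
// checked first so that nothing in an unsigned manifest influences later steps.
func (u *Updater) Apply(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(u.VendorKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version <= u.CurrentVersion {
		return ErrRollback
	}
	u.CurrentVersion = m.Version // a real device would flash the image here
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	dev := &Updater{VendorKey: pub, CurrentVersion: 1}
	image := []byte("constructed firmware image, build 2")
	m := NewManifest(2, image)
	sig := SignManifest(priv, m)
	fmt.Println("genuine build 2:", dev.Apply(m, sig, image))
	fmt.Println("tampered image:", dev.Apply(m, sig, append(image, 0x00)))
	fmt.Println("replayed build 2:", dev.Apply(m, sig, image))
	_, rogue := GenerateVendorKey()
	m3 := NewManifest(3, image)
	fmt.Println("signed by unknown key:", dev.Apply(m3, SignManifest(rogue, m3), image))
}
```

Signing the manifest rather than the raw image keeps the signed input small, so the device can verify it before streaming a large image into flash, and the version field inside the signed bytes is what makes the rollback check trustworthy.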

Page 25

Emerging IoT Security Techniques

• TPM (Trusted Platform Module) – cryptographic keys burned into the device as it is produced

• Two factor (or more) authentication

• Location-based verification

• Using a paired device (smartwatch) as access control

• Only send the data that you need and nothing more

Page 26

Emerging IoT Security Techniques

• Where possible, say no to big data backends
  • Forbes reports more than 112 million records spilled in 2015
  • More than a petabyte (10^15 bytes) of data accidentally exposed online

• New York Times reported that $50 million stolen from over 100,000 people using “Get Transcripts” service from the IRS

• Instead, use concepts from distributed computing systems
  • Store data close to the person

• Provide time based access and deletion

Page 27

Data Type | Best Location for Data | Consequences If Data Is Lost, or the Network Is Compromised or Disrupted
Sensitive/personal data | On a personal device such as a phone, laptop, backup hard drive, or home computer | Loss of employment; public humiliation; bullying or social isolation, which could potentially lead to suicide
Medical data | On a local device that can be shared with medical professionals on a timed clock | Blackmailing; loss of employment
Business data (e.g., LinkedIn profile) | On publicly accessible servers (shared) | N/A (this data was created with the intention of sharing it)
Home automation system | On a local network within the home without access to a larger network | Loss of access to or control of lights, thermostats, or other home systems

Credit: Calm Technology, Amber Case

Page 28

Summary

• The world of connected devices (IoT) is still an emerging field

• The data available will become increasingly personal and unfiltered

• As with prior technology changes:
  • The IoT (and mistakes) will happen whether we like it or not
  • Apply many of the same security practices from the IoC

• Leverage distributed computing and best practices for data storage

• Always provide mechanisms for updates

Page 29

Thank You

Justin Grammens

[email protected]

Links:
http://lab651.com
http://iotfuse.com
http://iotweeklynews.com