
Migrating IoT to the Cloud: Security Considerations and Benefits

BSides SATX · 2022 · 38:31 · 33 views · Published 2023-03
Category: Technical
Style: Talk
About this talk
Migrating IoT to the Cloud, Security Considerations and Benefits
2022-06-18, 14:00–14:45, Track 1 (UC Conference Rm A)

Securing IoT devices is complex, but Cloud platforms help alleviate core security concerns such as availability, authentication/authorization, and logging. When migrating IoT devices to the Cloud, which platform should you use? We will introduce core IoT services within the major cloud providers (AWS, Azure, and GCP) and investigate their pros and cons.

When IoT security is mentioned, it is typically in reference to a physical device. For device security, you must consider the security of its hardware, software, local communications (LAN, BLE, etc.), and Internet communications. However, IoT should be viewed as an ecosystem that includes not only the device, but also its supporting mobile applications and its Internet/Cloud communications. What security controls matter for Internet communications? These include availability, authentication/authorization, and logging. All IoT Cloud providers include these security controls and create a robust system for their connected IoT devices.

However, not all Cloud providers handle IoT services the same way. For the three major Cloud platforms - AWS, Azure, and GCP - there are major differences in the way IoT services are implemented, and each has its pros and cons. For AWS, its IoT services contain many useful features, and it provides custom access controls for device communication. However, the AWS services have a steep learning curve and their naming conventions can become confusing. For Azure, its IoT services are feature rich and very flexible in where they can send device data. The downside for Azure is its reliance on premium IoT Edge devices, which can quickly become expensive at scale. Finally, for GCP, its IoT services do not have as many features as AWS or Azure, but its core features are fast and secure by default.

Each Cloud provider has its pros and cons, but which platform should you choose for your IoT ecosystem? Unfortunately, there is no one-size-fits-all solution. One deciding factor could be where you have already positioned your Cloud assets. Each IoT Cloud provider has its own internal communication channels that allow greater cohesion with other Cloud services. Another deciding factor is the number of additional features you want for your IoT devices. Both AWS and Azure have monitoring and detection capabilities for suspicious device behavior. Regardless of what platform you choose, Cloud greatly increases IoT security and provides strong availability, authentication/authorization, and logging controls.

Jonathan Fisher is a staff security engineer at Praetorian, with a focus on IoT security. Jonathan has performed numerous security assessments against a large range of IoT devices, including consumer, medical, vehicle, and industrial connected devices. He also holds OSCP and eCPTX certificates.
Transcript [en]

um hello my name is Jonathan Fisher we're talking about migrating iot to the cloud if you're here to figure out how to migrate iot to the cloud I'm sorry this talk is not for you this is me trying to convince you why iot devices should be in the cloud great so who is this guy talking to me who's this guy up on the stage hello I'm Jonathan Fisher I'm a staff security engineer at Praetorian we do a few offensive Security Services this list is not a sell for the company this is we do a lot of things web mobile Cloud iot red teaming purple is an interesting exercise where we're inside the network we do commands and we see if they can

detect our commands externally look at all from an outside perspective any assets that we could see or exploit both of those are the offense security the reason why I have this up here is because I've personally done all of these services but we also do blue team-esque services around threat modeling secure development life cycle the nist cyber security framework and other things like IR and threat hunting exercises so company does quite a bit I've been here for about four and a half years uh our engagements last from anywhere from one to three weeks what that translates to is I've done about 100 engagements which which is a lot um I'm definitely not a expert on

everything but I've seen a lot uh so I also have an OCPT sorry OSCP certificate well known and the eCPTX which is a red team specific series um but you know what I could care less about all that stuff we actually care about my wife my cute dog look at him with the ball and then I also have a kid on the way which I am super stoked for great so you aren't here to hear about me what are you here for uh we'll be going through an overview of iot security the iot cloud components that's actually relevant for iot and then also iot use and AWS Azure and gcp we also have time for Q&A uh afterwards

so uh don't be alarmed if this page scares you so this is our engineering alphabet soup when it comes to internet of things that's what iot stands for security also often consists of many different components and you can think of a device for an example let's take a smart robot vacuum let me take it apart there's Hardware components inside of it there's PCBs those PCBs may have debug ports I could connect to um it may have some serial Communications to other chips on the board that's all interesting to test there may be some external I/O interfaces that could be as something like an SD card or USB interface and also memory on the device itself and so

there's a few common ones like EEPROMs SPI flash eMMC which is an embedded SD card and then secure enclaves like a TPM another common attack surface for iot is the firmware and software and I kind of joined them together because often when people think about the firmware of the device they're typically thinking about embedded firmware what that means is it's just machine ran code on the device where software you can have just portions of the software updated without having the whole firmware updated so things we care about there is input handling business logic software updates you can talk about the Linux if it's running a Linux OS the security of the Linux software and the security

functionalities other things on iot security is the wireless connectivity also internet connectivity so ethernet Wi-Fi Bluetooth zigbee and then finally that's all device uh finally what we're actually focusing on is this last little sliver of it internet communications so for example https mqtt is a really common publish subscribe protocol so this is used whenever you have multiple devices that want to subscribe and publish events and they want to do it in a way that is easily managed through this message broker and they communicate is called mqtt so that's iot security at a broad level so as we do security assessments what I typically do is test these devices however iot security is not just about the

device it's actually about the whole ecosystem so iot should never just be only focused on the device yes that is the majority of how we test the devices but it should also include not just the devices but its mobile applications and its API services and Cloud Integrations so uh what are common iot setups uh two common ones is where the device connects directly to the internet uh Often provisioned by mobile app and this example I have another iRobot Roomba as an example of this iot setup that's very popular another way is you have a device that connects to a Gateway and that Gateway is what connects to the internet what you think about this is for a Google

Hub a home hub we have these lights that's not going to talk directly through Wi-Fi it's going to talk through a low range bandwidth with the Hub and then the Hub is what connects to the internet so what are the things we actually care about from an iot security perspective on the focus of internet communications number one is communication channels so the way that the device connects to the internet that channel is very important to secure typically what we look for is for secure TLS connections that makes sure that data is encrypted and is unable to be man-in-the-middled sufficiently during Transit another thing we care about is the authentication and authorization of the

device how the device handles and receives input this could lead to things like injection attacks and denial of service of the device itself or of the internet service that it's connecting to um that's still just really General any of the OWASP Top 10 would still apply to this internet connectivity other things that are specific to iot is the provisioning so this is how a device initially connects to the internet that's not completely true provisioning could also be done out of band so it could be done during manufacturing but for iot devices especially consumer home devices there is this provisioning step with like a mobile application or some sort of manual process another thing that's really interesting

is the firmware and software updates how a device securely receives and updates its own firmware and software is incredibly important so if we can man-in-the-middle this firmware update process we could possibly get bad code on the device and then have control of that device another thing that's really interesting is device logging so if we have device logs we could possibly see how often the device is connected and could lead to indicators if there's any sort of exploit against that device great migrating to Cloud so this is kind of the focus of the talk why Cloud platforms why even do Cloud platforms to begin with um you don't need the cloud you just

need some sort of internet connectivity to call iot internet of things we don't need Cloud however cloud is the future for iot why first thing is scale so iot fleets could be a hundred thousand plus devices out on the world and so how do you manage these things if you have your own Services you have to make sure all this can have availability concerns all sorts of load balancing that nothing breaks it becomes very important Cloud helped alleviate that scale public key infrastructure so how a device authenticates and authorizes to the internet the best solution is public key infrastructure and that is really hard to do if you already have devices out on the field that do not have pki

already installed onto the devices The Way Forward is to have pki systems and thankfully Cloud providers already provide this from the from the box also what's really nice about cloud is that they already provide this logging and monitoring aspect of iot security that we want to have other big benefits is that the cloud can integrate with other Cloud resources so if you have some sort of ec2 or Lambda service that goes to the internet you could have some sort of API endpoint that then updates information to the devices connected to the cloud very seamless you don't actually have to write a lot of services you can do everything in your own cloud provider there's also a nice defined registration

process what you find is how a device registers itself there's many many different ways you can do this and it gets very confusing fast because if you don't do it right you can have vulnerabilities another big thing is access controls so once the device is connected what should it be able to do should it be able to publish to anything or say hey I want to talk to this device maybe or maybe not so Cloud allows us to have this access controls other things are vendor special features and we'll see a few of those in AWS Azure in gcp so before I get to the vendors we do need some high level concepts of iot

core features none of the cloud providers even goes this basic of the cloud components but this is kind of abstracted in my belief what you should care about number one is registration how a device gets registered to the cloud we've already talked about this could be out of band during manufacturing this can also be done pre-done in the cloud itself so this goes hand in hand with Device identity so inside the cloud you can generate certificates and then after you generate those certificates in the cloud you can place them onto the device during manufacturing and so that's all part of this registration and device identity components that allow some sort of trust between the device and the internet

another core component is message bus how the device actually communicates with the cloud the most common message bus is mqtt which is what we talked about earlier which is that publish and subscribe message protocol another big component is data routing so once the device is talking with the cloud where does that data go does the cloud Network pass it to its own services does it send it somewhere else all Cloud providers have this aspect of data routing and then last is this logging and monitoring of device events should be logged and monitored great there are multiple different Cloud iot vendors um but I did just want to focus on the big three big names AWS Azure and gcp

so for AWS it's called AWS iot core it was the first one to get released it was released in 2015 then quickly followed by Azure iot Hub released in 2016 and wasn't until two years later that gcp had its own iot core service that was released and so as you can see this is all sub um 10 years yeah the gcp is less than five years old so this is all new and as these pushes happen you'll see more and more vendors start pushing to the cloud other notable mentions IBM Cisco Salesforce ThingWorx there's a bunch more than just these three Cloud providers but they all do those core components right here they will all do

the registration identity message bus data routing and logging okay so here is the fun part of the talk AWS iot core uh this is a screenshot of the panel and as you can see uh that has uh the thing called a thing so it's it's an older platform and what's consistent with AWS is they have weird confusing naming conventions um so if anyone who's used AWS all their services are these random names and the names don't tell you anything about what the service does uh so similar in iot land uh I wouldn't expect anything different but devices are called things this has funny conversations when you say hey I need to protect your thing um and then uh like all right what thing

are you talking about like oh well the thing in your iot Hub at that thing so you can also use templates for Fleet provisioning this is a really cool technology so you see underneath this manage column there's this Fleet hub you can create templates that all devices should have the same kind of device state or information about the device and you can do it during manufacturing and so this Fleet provisioning is very very powerful from AWS and you can very quickly get devices in the correct state by using this Fleet hub also device identities are handled through x509 certificates these are very nice to have because it already has this trusted CA that is signed and by AWS

itself but you can see on the left here there's a bunch of these weird names so you got Greengrass like what is that this Wireless connectivity you have the secure defend act and test and uh it is a big steep learning curve that's one of the key takeaways I want you to have about AWS I know in the past four months they've actually changed this View and so this is actually probably a bad screenshot to use but it is just to say this stuff is moving and it's always changing so it does take knowledge about the services to even kind of get started which is unfortunate um other things about AWS iot core is it

provides ways for users to create their own access controls so this is unique to AWS Azure and gcp does not allow you to do this but it is very flexible on the downside you can actually expose security holes by creating bad access policies so on the right what we have is this access policy it's in Json and so it has two statements one is an allow an iot connect action and that resource is the thing name and so that allows any device to connect which makes sense you want devices to connect what's the next effect next statement it's an action subscribe or receive data you're allowing that but the resource is this thing slash star and for mqtt

connect Communications this means it can talk to any device anything um and so what that is really bad is that if a device is connected they can actually receive and see any other device update information so if you have any sort of like privileged updates or information this would be a vulnerability that they're not aware that they're exposing kind of the worst example we have seen this and exploited it is where you have an allow publish action to Firmware update topics from any device so that means any device if you compromise it obtain a certificate connect to AWS you could actually say hey every device here's where you should update your firmware and I'm going to give you the URL of where to do

that and I can put whatever I want in there and if the device does not properly validate that firmware update you can then compromise you know hundreds of thousand devices from one device this is where these things can be very dangerous if you don't do it right um other things about AWS is that its message bus is over mqtt remember that's the most common protocol if you don't want to use mqtt you can use https only through publishes messages you can't subscribe um and then you can also do mqtt through websockets which is nice um data routing occurs in the act section so previously as you can see it's kind of towards bottom there's this defend act test it's not really clear

what act does and you have to know what it does you have to go into it and see what the functionality is but in this case act section it allows data routes to go different places so you can have an act rule where if you see this particular topic you can pass it to AWS dynamodb so that example is the device is saying hey I want to update my information let's say I'm a robot I want to update my state I am now vacuuming and so I'm going to publish that information to the cloud and the cloud is just going to update a database an AWS dynamodb that stuff is very powerful you don't have to write a lot of code to

make that happen um also what's really nice about AWS iot core is that they also have these kind of new features that are really premium so Greengrass like we said earlier what the heck is that Greengrass is a way to kind of manage these things through a seamless process so you can kind of do graph queries or not graph queries just graphs where you can take a Lambda function go to this message route it allows you to to manage these iot fleets through a very programmatic way directly in AWS other things this device Defender what you can do with Device Defender is really powerful once it's submitting events to the device you can have

monitoring detections and you can have a device profile to be able to pick up an alert if something isn't happening as expected so if device is not behaving as expected you can actually alert on that really cool last is that LoRaWAN this is useful if you want to be able to do that device the gateway to internet setup so if you have all these long range wide area networks that have this mesh Network to the Gateway AWS does provide solutions to do it through a more secure way through their own pki so it's just cool technology great so that is AWS let's do a quick switch to Azure so uh Azure has

feature Rich iot platform but it can be expensive so this is also typical of Azure land so like we said in the last bit AWS has weird naming conventions typically Azure can sometimes be very expensive depends on how many service you have they have a little bit more flexibility about the types of devices they support so it can support three different types of authentication symmetric key self-signed certificates and CA signed certificates those first two symmetric key and self-signed those are important to make sure you get those right if you have problems where you leak the symmetric key for a device then you can run into that same situation where you can authenticate as a device you're not

supposed to be able to authenticate as other things about Azure iot Hub is they have this kind of strong push on this Premium iot Edge device type and so the edge is complicated because what you can do with an edge is you can put a local Azure Services onto the device itself it's a very interesting technology also what's really cool is Edge devices can also act as a Gateway and you can kind of configure per need basis on what kind of device The Edge is supposed to be this is why they've kind of centered around this Edge premium device the downside is it's just expensive to use they are also really good at message routing so they have very flexible

message routes you can send it to event Hub service bus queues or topics storage these are all Azure Services very similar to AWS where you could pass it through that act management inside Azure is way more simple and you can easily see what it's doing it also has the most flexible message bus so it doesn't just only have mqtt and https it also has another service called AMQP and so it's another type of publish subscribe message broker that is a little bit more flexible and the way it handles data so takeaways there is that it has a lot of options Azure cares a lot about its products and they want to have a lot of

features other premium features is Microsoft Defender this is very similar to AWS where you have these device profiles that will alert and monitor based off of incorrect behaving devices and so this is their own kind of way to have visibility on their Edge this is also an edge device specific thing so another reason why they want everyone to use their iot Edge devices last one last but not least is gcp iot core this is Simple and Clean so if you want to say I don't want to know anything about these Services I just want it to work gcp is your friend so if you can look on the right it only has four little panes so if we look back look at

all that mess I want two more back that's also a bunch of mess we go back to gcp there's only four things registry details devices gateways and monitoring very simple very clean it does authenticate a little bit differently it authenticates RSA or x509 certs but they authenticate with the JWT that is a particular way to authenticate using Json web tokens but the same idea where you sign data with something that you own it also has simple Gateway devices so in the AWS world you have that premium feature called LoRaWAN and Azure world we had this iot Edge it could act as a Gateway gcp is really clean it just says Gateway you don't have to think about what

you're trying to do it's very clear uh also what's really nice about gcp is the entire message bus is hidden we can't control at all uh what it what's happening underneath uh the hood so um where AWS had a lot of customized access controls you can have in gcp you can't do any of that it defines what that protocol is and the only thing it cares about is device updates and reads and writes so I know it's a little bit hard to see in that text but underneath that registry ID we have Pub/Sub topics Pub/Sub is a special service inside gcp and so by default all data is passed to gcp Pub/Sub and uh and the

right the topic types there's default Telemetry and default device State and so those are kind of the two main topics that will happen right out of the box okay that was really fast I apologize if I spoke too quickly but there are some cool takeaways iot security is very complex and it's hard to get it right but Cloud platforms help alleviate very big security concerns one is availability you just want the device to work and connect to the internet the cloud helps alleviate so many concerns authentication authorization the cloud has pki built in if you have certificates downloaded to your device you're way better than most of the competition because most devices don't use a cloud at all they have their own

custom authentication mechanism they have their own session key that you can use to authenticate there's many problems with those types of authentication that pki helps solve those problems another big is logging and monitoring we've already talked about this but the idea of having device logs you know it doesn't sound new because we're used to logging but in the iot space it is very new you don't typically send logs to the internet and they're not monitoring these things it's a very good thing to have it's kind of the advance where things are going in the future and Cloud will help do that for you things can go wrong if devices are not registered securely or access controls

policies are not following best practices so just because you use iot in the cloud doesn't mean everything is happy and you have no problems you do need to have some awareness of what you're doing whenever you're migrating your iot services to the cloud now I know you all are asking which iot platform is the best and unfortunately there's no right answer it really depends uh go figure on what services you already have in your network so if you're a company and you have a bunch of AWS Services odds are you probably want to use AWS for your iot systems um you know vice versa if you're using gcp in-house you probably want to use gcp okay

let's say I'm not that far yet I'm just interested in getting my iot devices for some sort of deployment I just want to do some sort of development prototyping on a sell my device to a company what do I use uh I would say research is a cloud platform there are some interesting Technologies in each Cloud platform however each one does have its own pros and cons so it is good to be smart about it if you just want it to work I would personally suggest gcp but if you want to actually be in the market and competing against large players I would probably gravitate towards the AWS or Azure world but you know there are

proper discussions about this you can say you know I forget those three providers we're going to use Salesforce cloud you know I like them so there are a bunch of cloud providers and that is it I know I am quite early so we'll have great questions I hope you'll have some great questions and we can even ask iot device specific questions if you say forget the cloud how do you hack iot stuff that can also help as per usual if anybody does have any questions please line up here at the front and I'll give you a microphone so everybody can hear you so come on come on up I don't bite I don't know about him but I know

all right uh yeah just had a quick question on as far as moving your iot devices at least from The Edge to the cloud um what does that do as far as like reducing attack surface um uh do any of these platforms have anything on the lines of um not vulnerability management but more of like patch management uh firmware life cycles stuff like that um I know a lot of those are usually done in-house but do these platforms have those type Integrations yes yes they do so uh great question thank you uh Azure is probably the most forward thinking on that so one of their premium features of their iot Edge devices is you have built-in firmware update

protocols and so it'll do the firmware updates it'll validate the signature which is very important so all those protections are already built in for Azure um there are you know other things to worry about from a platform perspective so you know if you are storing device data on S3 bucket you know you have possible exposed S3 buckets so every cloud provider also has their own security concerns you know to think about and I can speak more to those if you're if you're curious what those are but yes you don't um you still have the baggage of whatever provider you choose to make sure there's no additional security exposure

okay

um I do a lot of iot stuff myself um I'm concerned because I've got all my devices you know sitting in the house communicating up to the cloud and everything else uh what do you recommend on you know securing your local network from the standpoint of those same devices that are reaching out to all the cloud environments yeah that's a great question uh So my answer is probably not what most people do but what I typically do is I place all of my connected devices that's not my phone or my laptop on its own subnet what that means is that the devices cannot communicate with one another I just expect that my iot devices already hacked you know like I

should have zero confidence that someone's not already on my device the question is do you do you really care like I have a smart vacuum at my house like do I really care if it gets hacked maybe like then I'll just disconnect it from the internet you know like the possibly you know you know but if it's more concerning things like uh you know baby monitor where people really care about you know the securing of their of their child um you know you could be even more particular about it but the way I go about it is I just place all of my devices that are not my primary like my phone my laptop on their own subnet and

I just let them talk to each other and everything else

so you mentioned that AWS has a steeper learning curve um they they often they'll have pretty kind of good training yes um so if someone really was agnostic as to which one but they wanted to kind of get learning on iot uh Cloud security would uh do do you have an advice or could you give insight as to maybe which Microsoft versus Azure has better kind of training um uh support yeah that's a great question unfortunately I probably don't have the best answer the way I've even learned about all of these Services was by doing assessments on these devices and where they would use different Cloud providers and so I never came from this as a zero

knowledge type person but I would imagine that all providers have some sort of documentation I know AWS typically has better documentation of their services but you still have to get behind the idea of like what is device registration mean like what is it really doing here you need to have some sort of understanding of pki what is the device actually connecting with how is it creating some sort of message structure in AWS there's a lot of stuff that you can customize it can be very overwhelming um I would personally say like gcp is the easiest learning curve Azure is also good but sometimes their docs aren't the best so hi Robert um my question is more like

towards um asset Discovery for iot Stuff um big organizations um the hardest part of iot is figure out what you have right right so in your experience what is like the most efficient way to discover iot devices um is it like it's going for the best most affordable like third-party asset Discovery thing or what has your experience been with like in big organizations trying to find like you know cameras or smartphones or smart watches that connect to your network yeah that's a great question so uh again I'm coming from a different perspective because this is after the fact that customers come to us to ask us to break into their things and so it's very

particular about what products we're testing we're not really inside a client Network where we're trying to see all their their devices so I would go towards the asset Discovery um software side if I was really interested let's say I'm a big hospital and I have you know hundreds or maybe possibly thousands of devices it could be like a printer and I don't know where all of them live I would go to some sort of software solution it would not be easy for one person to do that I believe there's actually one person tabling out there for Phosphorus that does that software I think they're you know they're a little bit newer but they have asset Discovery and that's their main

core sell. I don't know if anyone's from that table. I was just like, yes, he talked about me.

um

No, I had originally planned to have almost demo sessions of each provider. I think that would have been a little confusing. Uh, if I would have been scrolling around each provider and going through all of their features and descriptions, people would have gotten bored very quickly and it just wouldn't have gone as well. Uh, so that's probably the piece that would extend this talk, where you could be a little bit more specific about some of the things that they do that's really cool. They're cool technologies, it's cool to know about, uh, but for the aspect of IoT security that weren't as important. Of course, at my job I do a lot of hacking of things and I can't talk about

that, so I wish I could, but that is not with BSides, that's with my company.

So, okay, uh, the question was, uh, in the conclusions slide, what would be the best practices to follow if they don't, if they weren't using cloud?

Oh yes, what are the recommended best practices in the conclusion section. So thankfully AWS does have some nice, uh, documentation about this. If you use the Device Defender, let's go back to AWS IoT Core, yes, the Device Defender will call out bad policies. So this is why, you know, they want you to sign up for their services. If you have any sort of bad policies, it'll flag it and it'll tell you why this is bad or something that's alarming. Um, and so this is something to invest in if you want to make sure you don't have bad policies while you're developing this thing. So if you don't know what you're doing, it may be a good idea to

enable these sorts of services as a catch before you start implementing stuff out for production. Uh, for, uh, the Azure world, where you have kind of that possible exploit, the symmetric key, the recommendation is to migrate to X.509 certificates signed by a CA. That third one is kind of the future of making sure of some sort of strong root to sign devices. The problem that happens is if you already have a thousand fleets, you know, out there in the field right now and they're not using some sort of certificate-based authentication, like, how do you even start that first step? And so that's why, you know, they have these other options like self-signed CA certificates or, uh, symmetric key, but the

recommendation would just be, as you're deploying or building new devices, you migrate to X.509 certificates or some sort of certificate-based authentication. But it can be very complex. If someone asked me, um, you know, how do we secure our manufacturing process for device registration, we're like, oh man, like, it depends on who's a manufacturer, so everything changes. It's a very pretty complex system.


Yeah, that's a good question. So the question was, is there any public information I can share? Uh, there are a few ones. If you go to our website, praetorian.com, we do have a lot of customers and their own testimonies about our products. So one on our website was a Samsung ARTIK device that they published. So they were prototyping this new device by Samsung, and we came in and we looked at it and found, uh, you know, possible vulnerabilities that they quickly remediated before they went to market with it. So it was a nice success story where they had things, we found vulnerabilities, they fixed it, and now they could go to market.

Other things: one of our biggest customers is Abbott Laboratories, which is, they do medical, you probably see them with their COVID tests. You know, we do a lot of work with them, so you can imagine the type of medical devices we may be testing with those sort of products.

Yeah, of course. Nope, one more question, um

Yeah, of course. Uh, the question was, there are some documentation for network security and application security but not really for IoT security, like, where do I get started, where do I, where I get, um, first steps. So the question I would have for you would be if you are, um, trying to test the IoT device or this kind of cloud communication. So most IoT security tools and training is around the device itself. There is one particular company we really like called Attify. Attify is a company that does training sessions at Black Hat and DEF CON for this IoT hacking type stuff, and they have a lab kit that you can buy that includes hardware, and it's

vulnerable hardware, and you can use the tools of the business to actually break into the device. It is a hard field to get into because you actually had to hack something that's physical, and not everyone has access to those devices. Other really cool groups I've been a big fan of: it's the Exploitee.rs group. They have a bunch of blog posts, also big DEF CON, Black Hat company, and they have a bunch of really cool exploits where they would go and root something like an Amazon Fire TV, something like that. Of course.

Okay, well, I appreciate y'all's time. Thank you, BSides, for letting me talk. I appreciate your involvement, and apologize if you're expecting more, uh, but hope you have a good time.