
Hi guys, this is Pablo and I'm going to be talking about IoT security, so let me flip over to my slides. All right, so we're going to be talking about how to shield an IoT product from the OWASP IoT Top 10, or how the S in IoT stands for security.

OK, who am I? I'm a security professional, or a hacker trainer. I've been working in security for the last 15 to 20 years, depending on where you start counting. I've worked on defense, on offense, and I just enjoy doing security. In my free time I like doing Shotokan karate and slacklining, especially right now in the summer. I work for SevenShift, which is a company I founded around three years ago, and we're a boutique security company focusing on cyber security and IoT. Normally we work with security testing: testing devices, applications, normal applications and whatnot. When we're lucky enough to get called in early, at the beginning of a project, we actually try to help our customers implement security by design. We help them with certification, to achieve security certifications, and with automation. And then we do trainings, public trainings, at least twice a year, normally in May and November more or less, and we do trainings on IoT. We have two hands-on trainings, which are these two: the IoT Security Boot Camp and Assessing and Exploiting Control Systems and IIoT. We need a new name for that, it's just too long, but these are hands-on trainings where you will be hacking on devices, PLCs, wireless hacking, hardware hacking. And we have a training that is more for the theoretical part, where we talk about security strategy, threat modeling and whatnot. So we're going to be running them this year live and online, for the same reason we're doing this conference online, the corona. But just take a look at our website and see if there's something for you there. OK, enough of the plugs and about me, let's go down to content.

What I'm going to be talking about today: first of all, an introduction to IoT, what it is, a little bit over the architecture. Then I'm going to go into IoT security, what we see the current status is, and talk about the attack surface. Then we're going to take a quick jump into the OWASP IoT Top 10: I'm going to show you the list, and then I'm going to try to go through a couple of examples, GPS trackers and smart cities, to put this all into practice.

So, IoT. I think everybody knows what it is. It stands for the Internet of Things, and basically you have objects that are interconnected, let's say networked in some way, and they have interactions with the physical world through sensors and actors. Some of the devices have both, some of them are specialized in one, and what they do is they tend to collect information from the environment, take a decision and act on it. They allow you to automate things, they allow for monitoring, data collection, so we can advance on things. In IoT we tend to separate the types of IoT based on the use case and the technologies involved. For example we have consumer IoT, where you would have use cases like your smart watches, fitness, smart home, smart plugs and whatnot. Automotive is actually a very interesting category, because all the cars are getting connected right now; if you take a look at a Tesla car, it's probably your biggest and most expensive IoT device out there, and automotive technologies are just really interesting per se. Then we have industrial IoT, or IIoT, where we're seeing lots of development, for example in the smart city area, where cities are starting to work on smart lighting, parking, waste management. You have your typical operational technologies, industrial control systems and SCADA, which are just production environments. Maybe you have a smart grid, which has evolved a lot over time. So in times of IoT there are many, many, many devices getting connected. It doesn't matter what sources you look at, the graph tends to look like this one here: it tends to go into a geometric curve, or an exponential curve, and it just keeps on growing. And everything's getting online; there are so many IoT devices. For example, we found an Alexa-controlled toilet, so you can just roll out "Alexa, flush the toilet". If you want to find things like these you can just pick up this Twitter account, Internet of Shit. It's really fun, it's interesting; if you're bored you'll find something that will make your day in their feed.

So IoT is complex, because we're dealing with different layers that have to work all together. On one of the layers we have the devices, the sensors and the things, which are actually made of hardware, software or firmware, which is what it's called when it's the small software that's running on top of these devices, this embedded software. You have communication protocols. Sometimes you have gateways that are translating different technologies or routing messages back and forth. You have your network technologies on which these things are built, which are actually a lot of them. You have a data collection layer, where all the information from the sensors and the things is going to go, to be able to take decisions, which are taken in the next layer, where you normally tend to have a visualization layer, something that does the business, and your different applications that are working. Another way to break this down is based on the technologies they use. So you have all your hardware, where you have systems on chips, microcontroller units or MCUs, sensors, actors. You're gonna have your device firmware, which could be a bare-bones firmware that is only dedicated to that device, especially slimmed down, or maybe you have something that's based on Linux, which would probably fit your bigger devices, and then they just have a daemon or process running in that embedded Linux. You have all your connectivity, where you're going to find things like an IP layer, maybe Wi-Fi, Bluetooth, Zigbee, Z-Wave, or custom protocols. You're going to have your mobile applications, which tend to be the trendy and the easiest interfaces for most of these IoT devices. You're going to have web applications, which are going to give you your backends to your web applications so you can control your devices and maybe have a single pane of glass to see all your dashboards. And you're probably going to have APIs and backends that are going to be enabling everything to work together. From the security point of view you actually have to make sure you deal with all the complexity of all these different layers, all the interactions and all the weaknesses present in all of them, to actually make a device secure, or make an ecosystem secure.

And with that we're in a good jump into IoT security. There's a running joke on the internet, it's been there for a long time, that the S in IoT stands for security, which normally tends to mean that there are lots of devices out there that are not secure, which we tend to agree with; it is actually sad. Most of the IoT devices we picked up out there have not been secured. One of the main reasons for that is that they have a quick time to market, so there's pressure to get the devices out of the door very fast, and they're pushing for low cost, especially in the consumer IoT area. And if you're doing things fast and without spending much money, you're not leaving much space for security. Security takes time and it costs money, because you need to pay for good professionals to do it and to do detailed work. Lots of the marketplaces and platforms and ecosystems out there are not secure, in many cases because they don't have security requirements in place to ask anybody who's getting into these ecosystems to comply with. And there's no regulatory compliance in many states yet, so I assume that maybe next year or the year after that there are going to be more laws requiring IoT devices to be more secure, but we're just not that far yet. In many cases platform providers and end users are actually carrying the cost of security, because if, let's say, a big mobile provider has one of the devices they sell you get hacked, they're going to suffer reputation damage, and since they don't want that they are contracting people like us to actually do the tests for them, instead of the vendors designing and delivering a secure product. And the end users pay for the attacks with their data, or hopefully only their data and not something physically happening in their homes and their environments.

So, the current status of IoT summed up. Consumer IoT devices tend to be cheap, with a quick time to market, and somewhere along the way they turn into disposable devices; when you buy them you have no idea how long you're going to be supported. In industrial IoT, or in enterprise IoT, we're going to see lots of binary and proprietary protocols in place, which actually happens because of how these things have evolved, especially when you talk about old technology, or actually operational technologies, where these things were developed with serial lines that went all the way into there. So the only way to interact with these devices was to get on the shop floor, connect to them, having the right engineering tools to be able to understand what the hell was going on. And now they've just slapped an IP connection onto that and started integrating it and making it easier for remote login, or for people to work from home, or whatnot. In most cases they base their security on false premises. For example they just say, oh, we're just transmitting sensor data, we don't need to secure that. Or maybe, we're just using network technology X which is secure, but they forget to actually use those security features. Or the biggest fallacy of all: our communications happen behind our firewalls, that means we're secure. Now we know how that ends up. One of the things we've seen is that as an industry, the IoT industry, we're recycling bugs and errors from the past. It's like going back to the 90s, where we had clear-text protocols, where we would use Telnet instead of SSH because SSH didn't exist, where we had big problems with authentication and trust management. For example, we use SSL but don't validate the certificates, or we just have non-mature stacks because they're just new. And these are things that we should have learned already as an industry, as an IT industry, and people should learn these things in universities and it should be part of our daily lives.

So why don't we just make the devices secure by design? Well, this is actually the best way to do it, it's the most effective way, if you take it from the design all the way to implementation and make security part of your life cycle. There are studies that say you can actually save up to 20 times the investment instead of bolting it on at the end. So if my devices are already out there, you already have a product, I have bad news for you: there's no easy way to just bolt security onto it. In most cases this will actually take a couple of releases until you get that far, where you have a more secure device, and there are no silver bullets. So how do we do this, since the rabbit is already out of the hat? You can just go ahead and do a risk-based approach and do your gap analysis. This will take a little bit of time, and you would go ahead and do a complete security assessment where you define your attack surface, you do your threat modeling, maybe do your pen testing, and then you have to fix issues. And here's where the OWASP IoT Top 10 can come in handy, because you can use it as input for your threat modeling, to see if you're covering those big risks, or you can use it to help you prioritize, because you want to make sure that you fix the things that you can fix quickly and that have the biggest impact. Once you've done that, you can do a little dance.

All right, so let's go into a little more detail. First of all, with the attack surface, we normally tend to split it into four categories, or four buckets, mainly because of the know-how and the experience you need to work with them. So anything that has to do with the devices and the hardware goes into one bucket. Normally you have vulnerabilities that are based on the firmware and the software that's running on these devices. Then you have mobile, web, infrastructure and networking security issues, which would be your classical IT security. And then you're going to have radio communication, because you're using different radio protocols in your devices. So what you want to do is start with your threat analysis. You want to make sure you have the big picture: you create a design diagram where you include all the components and all the interactions between them, then you pick up your favorite methodology, for example you want to use STRIDE or mass, and go through each of the interactions and see if you can spoof them, if you have integrity and whatnot. Then you're going to have to fix these issues, and one of the hard things is to define your priorities. A common approach here would be to go for the quick wins first. So let's take for example the Jeep hack that happened a couple of years ago. These guys prepared a talk for DEF CON and they hacked the Jeep, and they took it off the road, turned off the motor, the radio, the whole deal, remotely, just sitting on their sofas. Now, after taking apart a couple of cars and training for this, it was not easy. And the quick win was asking their mobile provider to enable client isolation, which basically cleaned out the remote attack surface, because with that none of the different cars can be spoken to from other SIM cards. This was actually the best thing they could have done; they should have done that from the start. And then you can go with the high-impact issues, for example taking anything from your OWASP IoT Top 10.

Another way, which is a shortcut, is that you can just test and review your OWASP IoT Top 10. Big disclaimer here: this does not replace your security process. The process I described before is actually the correct way of doing it, but this is a shortcut; it's better to do this first quickly and then go into the details than not doing anything at all. So I've already named this before, the OWASP IoT project. Basically the idea of the project is to help manufacturers, developers and consumers understand the security issues in these things. So what is the Top 10 list? First of all we have guessable or hard-coded passwords. Then you have insecure network services. Insecure ecosystem interfaces, so basically if someone can hack the web interface or the APIs; this is actually pretty big. And lots of devices forget it: you need a secure mechanism to update the devices that have gone out of your shop floor. Using insecure or outdated components, which, if you hopefully have a secure update mechanism, you can patch and update. Insufficient privacy protection. Not transferring and storing data in a secure way, basically encrypt that in motion and at rest. Lack of device management. Insecure default settings. And lack of physical hardening.

So let's go into a couple of use cases to see this in place. A word of caution: these use cases that I'm going to be working with are generic use cases. I'm not going to be talking about a specific device; this is actually like a collection of our experience with these types of use cases. OK, so we have a device that has a GPS, it has Wi-Fi, Bluetooth and GSM, so it can track anything anywhere. It uses GPS for fine grain, and you can use Wi-Fi and Bluetooth for the last mile: if you want to find something in the last 10 feet, or 10 meters, the Bluetooth beacon will actually help you with that. Your device is connected via GSM with a cloud, you have a mobile app that talks HTTPS with the REST API, and your mobile app can use Wi-Fi and Bluetooth to figure out how this tracker works.

So what are the typical things you would find on your mobile app? Take a look at the OWASP Top 10 for mobile. You will find lots of mobile apps that do not check their certificates, there's no certificate validation, so anyone can do a man-in-the-middle attack, or maybe they're not doing certificate pinning. Dictionary attacks on the mobile app that allow you to crack it open, problems with authentication, business logic, hard-coded password information, so sometimes you can find the API keys that are hard-coded into the app, and of course using insecure third-party libraries. And in many mobile applications you will find lots of trackers: you will find your typical crash analytics and stuff like that, so the developers know what errors are coming up, and you're going to find tracking for marketing people. So there tend to be lots of trackers and they are pushing that information out, which from the privacy point of view is not good. You have to make sure, especially in times of GDPR, that you have that under control. Web portals tend to have an insecure SSL setup, they have problems with authentication and authorization, so for example dictionary attacks, injection flaws, your typical cross-site scripting, and often they're using insecure third-party libraries. These tend to be JavaScript; there are too many people using old versions of jQuery in their devices, please, please, please use an updated version. On the cloud side there are insecure API communications, because people assume that nobody's going to try to attack their API. Improper protection of resources: you will have things like the ability to modify data, so for example if you pick up one device and sniff the communication with the cloud service, you can find a way to change the configuration of a different device. And of course the typical S3 buckets, basically you're storing information in the cloud and it's open for anybody to look at.

Device and firmware: these findings are actually a lot more fun; maybe they have the smallest impact. The biggest impact is always going to be in your central components, in your backends and your mobile apps, actually mainly in the backends, because if you do manage to do something there it will affect all users. But these are the most fun. So if you crack open the device and take a look at it, you will find maybe debugging interfaces. Here, please do not pay attention to my soldering, that is not my best handiwork, but anyway, you can solder some cables on this and then you can connect to these things using, for example, something like a JTAGulator to connect to JTAG or serial connections. If you find chips and flash chips on there, you can actually connect directly to them and dump their contents. Often there is no integrity and signature verification of the firmware, which means I can upload any firmware I want onto the device; insecure over-the-air update mechanisms; and plain-text traffic going out of the device.

So summing this up for consumer IoT: most of them are not secured by design or implementation. They are riddled with OWASP Top Tens in the mobile, web and APIs. In IoT, like I said, the biggest issues are in your backends and your APIs, because they will affect all of the customers and not just one user. Normally, if the device is already out the door, it takes somewhere around four iterations to pass a security test, which in time is somewhere between six to nine months, and if it's a startup they will be cash-strapped, and this is actually not good for them. We've seen lots of companies go tits up because their plan was to sell this to big companies and they couldn't do it.

OK, let's talk about a smart city and an irrigation system. This setup is a little more fun. We have devices that are sensors and actors. In this case we have something that is a sensor that's checking the moisture of the soil, to see if the plants need water, yes or no. When it detects that, you have another actor which actually opens up the hose and waters the plants. They are going to be talking Zigbee, because it's lightweight, it's trendy, and it's actually a pretty secure protocol. They have a gateway that allows them to extend communication, so this gateway is going to be talking Wi-Fi, or maybe has a LAN cable connected to it from inside the building, and it's taking care of the garden outside in the back. In the backend you're going to have an MQTT queue, you're going to have a REST API for the mobile application, and then maybe you're going to have a direct web interface to control everything and have your analytics. So if you go through the wireless things that happen often with Zigbee: did you enable the encryption, are you doing key management, or is it just one key for all time? MQTT is a clear-text protocol by design; actually it's a binary protocol, but it's not encrypted by design, so you want to make sure you run this over SSL or in VPNs, to make sure that you have secure network communication. The next thing you want to make sure is that you're doing correct authentication and authorization, and you want to make sure that anybody is only allowed to talk to the queue that they need to. For example you want to make sure that no device can change the configuration of another device, or that no device can write values for another device. So for example you want to make sure that nobody comes in and, by faking this sensor, makes the water flow all the time. On these devices you will often find that they are maybe a Raspberry Pi or something similar, and all their configuration is stored on an SD card, which makes it easier to upgrade and distribute firmwares, but it means that anybody can go up and pull out that SD card, and if it's not encrypted they can just read the configuration and for example extract the credentials of the device. You will often find serial interfaces, so you just connect the right cables, have the right speeds, enter, enter, and you have a root shell on these devices. Or maybe they have a debugging interface, so you can go ahead with JTAG and dump the firmware, or see exactly what's going on in memory, to bypass for example authentication. You can go ahead and dump sensitive information from the chips. You have insecure verification, or insecure update mechanisms, and then very often you have plain-text traffic going out of the device. On the cloud APIs, just like I said before, make sure you take a look at the API communications and things like that; on the mobile apps and the web portals, these are known. So one thing that happens in many cases on these devices is that they're not doing encryption because you want to keep your battery life longer, and then anybody can just go ahead and fake any of your devices. So maybe you don't need encryption, but signing the messages and making sure that nobody can fake messages is really important for you.

So to sum up, in our smart cities you have a large diversity of devices, which may go from an Arduino project with shields on top to complex boards with custom firmware, depending on how mature the company is that's doing these. Lots of the time the main issues are insecure messaging queues and APIs, lack of authentication, lack of backend and API security, and no authentication or encryption on their wireless devices. And the main justification here is "we're just transmitting sensor data", as if that makes it not accessible. You know, sensors in a parking garage: if someone fakes them, all it does is tell that the car garage is full and nobody can come in for a couple of days. It's just sensor data, but it will be very expensive.

So that's all I have for you for now. I'm going to be on the Slack channel if you have any questions. Here's my contact data, so feel free to reach out, and I hope you enjoy the rest of the BSides conference. See you guys around.
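As an added illustration of two points from the irrigation use case in the talk (per-device authorization on the MQTT queue, and signing sensor messages when the radio link is not encrypted), here is a small broker-side policy check with a signed-message verifier. This is example code written for this page, not the speaker's or SevenShift's code; the device ids, topic layout, keys and the counter-based replay check are all constructed assumptions, and the replay check goes a step beyond what the talk mentions.

```python
"""Per-device topic ACL plus HMAC-signed sensor readings for the irrigation
backend (constructed example; assumes the broker has already authenticated
the client and passes its identity as sender_id)."""
import hashlib
import hmac
import json

# Constructed device registry: device id -> per-device secret key.
# In a real deployment these come from provisioning, never from a shared key.
DEVICE_KEYS = {"moist-01": b"k-moist-01", "valve-01": b"k-valve-01"}


def may_publish(device_id, topic):
    """A device may only publish its own moisture reading."""
    return topic == f"sensors/{device_id}/moisture"


def may_subscribe(device_id, topic):
    """A device may only read its own configuration, never another device's."""
    return topic == f"config/{device_id}"


def _mac(key, device_id, counter, value):
    # Bind id, counter and value together so none can be swapped individually.
    msg = f"{device_id}|{counter}|{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_reading(device_id, counter, value):
    """Device side: integrity tag only, the payload itself stays readable."""
    tag = _mac(DEVICE_KEYS[device_id], device_id, counter, value)
    return json.dumps({"dev": device_id, "ctr": counter, "val": value, "mac": tag})


class ReadingVerifier:
    """Backend side: rejects cross-device writes, forged and replayed readings."""

    def __init__(self):
        self.last_ctr = {}  # highest counter accepted per device

    def verify(self, sender_id, topic, payload):
        if not may_publish(sender_id, topic):
            return False, "acl: not allowed to publish here"
        m = json.loads(payload)
        if m["dev"] != sender_id:
            return False, "identity mismatch"
        key = DEVICE_KEYS.get(sender_id)
        if key is None:
            return False, "unknown device"
        expected = _mac(key, m["dev"], m["ctr"], m["val"])
        if not hmac.compare_digest(expected, m["mac"]):
            return False, "bad signature"
        if m["ctr"] <= self.last_ctr.get(sender_id, -1):
            return False, "replay"
        self.last_ctr[sender_id] = m["ctr"]
        return True, "ok"


def demo():
    """Walk through the cases the talk warns about; returns the decisions."""
    v = ReadingVerifier()
    topic = "sensors/moist-01/moisture"
    good = sign_reading("moist-01", 1, 17)
    results = [v.verify("moist-01", topic, good)[1]]          # genuine reading
    results.append(v.verify("moist-01", topic, good)[1])      # same message again
    results.append(v.verify("valve-01", topic, good)[1])      # valve writes sensor topic
    tampered = json.loads(good)
    tampered["val"] = 99                                      # faked moisture value
    results.append(v.verify("moist-01", topic, json.dumps(tampered))[1])
    return results
```

Running `demo()` yields the decisions in order: the genuine reading is accepted, the repeated one is flagged as a replay, the valve's write to the sensor's topic is blocked by the ACL, and the altered value fails the signature check.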