
IoT Security

BSides Delaware · 2015 · 55:51 · 469 views · Published 2015-11
About this talk
BSides Delaware 2015 Talk: IoT Security. Speaker: Justin C. Klein Keane

Transcript (en)

All right, it's about 10:30, so I'm going to get started. Thanks so much for showing up; I'm flattered. They put me head to head with Space Rogue, and I really wanted to see his talk, so I was sort of doubly disappointed with that.

So my name is Justin Klein Keane. I work at a company called ThingWorx that makes IoT developer toolkits. I'm here in a personal capacity, not representing my company, and I may say things that would offend people in my company, so just keep that in mind: these are solely my opinions on IoT security. I've been working in the field for about seven months, so it's relatively new to me, and these are a lot of lessons learned that I've picked up in my short time in Internet of Things security. I'm going to try to make this talk as much your talk as you want, so if you have questions about anything that I say, please throw up a hand and I'll pause and feel free to answer your questions. I'll save some time at the end for questions as well.

I thought a good way to frame this discussion would be around a project that I've just recently gotten involved in, which is the OWASP IoT project. This project was started by two guys who both used to be at HP (one of them still is), Daniel Miessler and Craig Smith. They worked at HP doing basically an evaluation of IoT products and produced a white paper, and out of the findings of that white paper they came up with a list of top 10 IoT vulnerabilities and attack surfaces. By the time I found them, well, I come from a developer background, so I found the project and was looking at ways to find resources for people who are building IoT systems, ways that we could enable those folks by giving them good best practices, toolkits, frameworks and solutions, so that we wouldn't constantly be repeating this train wreck of mistakes that we're seeing right now in IoT.

So it's really hard to define what the Internet of Things is. It may surprise folks to learn this, but it is a marketing buzzword and not really a specific technology, so this is a really broad field that you can pick and choose in between, in terms of what you're doing or how you would define it. I would say the key differentiator is that the first phase of the Internet of Things was just internet-controlled devices: devices that you hooked up to the internet so they could reach command and control, and you could use your phone to, say, open and close your garage door opener. That was the earliest evolution of the Internet of Things. What we're moving towards is an Internet of Things consisting of autonomous devices that can talk to one another, so machine-to-machine or end-to-end communications, as well as with the users, with a central hub distributing information, doing things like mesh networking and carrying out much more complex analytics and autonomous tasks than just turning on your coffee pot when you wake up.

Most people think about Internet of Things security and they think about these kinds of incidents: hacked baby monitors, or Charlie Miller and Chris Valasek's research just destroying a Jeep, or any of the work that Samy Kamkar has done on cars. If you're not familiar with any of those stories, you should go check them out; they're kind of amusing. They've led folks like Dave Aitel to call this "junk hacking": that there's all these people

going to the garage, finding internet-connected stuff and just ripping it apart, finding security holes. The reality is, when you look at most of these hardware hacking or other IoT hacking stories and media-covered events, they tend to be consumer focused, and I think that creates an unfair playing field for IoT. If you're developing an IoT solution for a consumer, a home consumer especially, you're basically assuming that you're going to deploy this device into an area of limited connectivity, a potentially trusted network like a home LAN, and you're selling to people that want features; they don't really care about security. My wife got me an Apple Watch for my birthday, and I was like, this is awesome, I don't even care if it's secure; it just does neat stuff. That's what the consumers who are looking at these IoT deployments are looking for: they just want the Nest to automatically adjust their temperature while they're driving down the road. They don't really care that it might be exfiltrating sensitive data from inside their house. So unfortunately the manufacturers of this class of IoT don't really care about security, because they know it's not really going to be a market differentiator and it's not really going to hurt their sales if they have a bad security track record, except maybe, arguably, in the case of Jeep, where that's going to cost.

What we really want to be focusing our efforts on when we're thinking about IoT security are these realms of IoT: industrial IoT, manufacturing IoT, municipal IoT, IoT in healthcare. These are connected devices that exist in businesses. Companies like John Deere or Caterpillar or Siemens are big companies that are producing very expensive, very complex pieces of physical hardware, and they want to connect these devices to the internet and connect the devices to one another. The security challenges around this class of IoT share a lot in common with consumer IoT, but I think it's a tougher nut to crack. First of all, hopefully these deployments are going to be much larger and face a lot more security scrutiny, but ultimately, with the OWASP IoT project, these are the kinds of deployments that we're looking at. So if you're a builder, I think you should be able to get some good information from the next few slides; if you're a breaker, you're probably going to see a lot of stuff that you could use to test these kinds of systems as well. I'm going to point out a lot of common failures in these kinds of systems, and so on and so forth, that you can use in your own environment. I would encourage you, if you want to get into this field, to start ripping up some consumer IoT stuff; it's going to be an easy playground for you, and you're not going to face a whole lot of resistance from those devices, but once you decide to get serious, moving into this realm is definitely the place to go.

So why are these organizations doing this kind of thing? You talk to security people and you say, hey, my business is thinking about hooking everything up to the internet; we're going to hook our water sensors up, and maybe our pressure sensors, and you

know, maybe the valve controls in our nuclear facility. Your security people are going to say, why would you do that? That's idiotic, please don't. The reality is there's a very compelling business case to do all of this. If you as a business owner can collect and aggregate data about all the various components in your business, you can make all sorts of really interesting decisions based on that data that can have a very real financial impact on your company. UPS is one of the poster children for IoT in industry: they have sensors on all of their trucks, and those sensors are reporting all sorts of things like tire pressure, fuel levels, oil levels, maintenance times and locations. They're using these for routing and things like that, but they're also using them to do what's called predictive analytics: they look at the data coming back from their fleet of trucks and try to spot patterns that indicate a truck is going to break down, and then they perform preventative maintenance on the truck. This is a clear win for UPS: if they can get to a truck before the fuel runs low and the engine blows up, they can save themselves a lot of money. Not only that, but they can plan their repair cycles in ways that will prevent a sudden influx of trucks that need to be repaired in a backlog. So this kind of data analytics and business process optimization is really attractive for businesses, and that's why they're going to move to IoT despite the security implications. They're definitely going to be aware of them, but they're going to do it anyway, because there's a lot of money to be made here. I think the latest Harvard Business Review focused specifically on the financial wins from going to IoT, so it's definitely coming.

The other neat thing that you can do with IoT is this: a traditional device might be collecting a lot of data, but typically you have to go to the device to extract that data. Think of something like an MRI machine. This is data that would be very valuable to a large number of people, but it really only has one interface. If you connect that device to the internet, then what you can do is parcel out access to the data from that device and give different pieces of the data to different people based on authorization models. This is really clear to see in healthcare environments, where you might have some sort of healthcare machine that's collecting data from a patient, and that data might be useful for the patient just for their own healthcare records; it might be useful for the doctor for making diagnoses; it might be useful for the nurses or the other medical staff on the floor for monitoring what's going on with that particular patient; it might be useful to the manufacturer of the device to do this kind of preventive maintenance and predictive analytics; and maybe even to the technician who's going to come in and service the device and maybe spot problems and repair it. But obviously you don't want to be giving all the data to all of those people. As soon as you get into an IoT environment, you can take all this data off of the device, put it in some sort of repository, and then enforce authentication and access schemas that will allow the various different people to get access to the various data and to share information. This is a huge promise in healthcare: I could get an MRI scan done in one hospital and get a second opinion on my condition at a totally different hospital, because they can access my electronic medical records. This extends all the way through other areas of commercial IoT, not just healthcare, but it's probably most visible there.

So, shifting focus from why we're going to use IoT to why IoT security is so bad: the essential problem behind Internet of Things security is that it's an evolutionary

technology. IoT sits on top of a stack, and you can think of all of these other layers here as supporting the Internet of Things. In an Internet of Things deployment you don't just make a singular system, you really build an ecosystem. You have a device and it's collecting some sort of data, and then you need to do something with that data. So how are you going to do that? First of all, we're going to have to connect the device to the network so that we can get the data off the device. The device might not be powerful enough to do regular TCP networking, so we might need to connect it with something like Bluetooth Low Energy or ZigBee or another wireless protocol to get the information to some other device that can broker it off to the internet. You've got all of the problems of the device being built on a specific piece of hardware, and what does the hardware security look like? Typically most IoT deployments are using run-of-the-mill operating systems like Windows Embedded, Windows CE, Windows 10, Linux, something like that, and all of those operating system challenges that we've dealt with for decades suddenly manifest inside of IoT. We're connecting it to the network, so we've got all the network security challenges: are we encrypting stuff on the network? Are the devices able to do something like TLS security? What if they're not powerful enough to do complex encryption; then how do we protect messages across the network from these devices? Do we develop custom protocols and hassle with firewalls? Well, the answer clearly to this point has been no; firewalls basically block everything but port 80, so we're doing all of this over web traffic, basically. As soon as you're throwing something over port 80, we're going to send it to a web service, some sort of RESTful API that's probably going to be living in the cloud somewhere, so we've got all our cloud security concerns on top of that. Any sort of mobile access to the ecosystem is also going to have to be considered. IoT is building on all of this, and I think this is why everybody intrinsically knows IoT security is bad, because I can point to any of these and ask, how do you feel mobile security is doing today? It sucks, right? What about operating system security? I don't know, I got three critical patches from Microsoft on Tuesday and my laptop still crashes. We're doing terribly at it, and we're building on top of all of this, making an incredibly complex system that's going to rely on all these pieces, so it's clear to see why it would be bad, and here is why we see so much evidence of things being bad.

In IoT we basically have testers who are coming in and looking at the various components of this IoT stack, and they've got really well-developed tools with a long history behind them, and they're using these tools to tear apart IoT solutions and find problems with cloud infrastructure, with mobile infrastructure, with your operating system setup, with hardware; all these things are going wrong. On the flip side, you basically have the builders, the developers who see the value and the money in IoT. They want businesses to recognize the value of IoT, or they recognize that if they build the next Nest thermostat they're going to be instant billionaires, and so they're trying to get into this field, and there are no real good guidelines for these people. There are no industry recommendations of the form "hey, you're doing IoT, use the secure IoT framework here, it'll suit you," or "use this software and hardware stack, this is the one that will prevent you from running into problems." So generally what developers are doing is running out, grabbing whatever they can find and cobbling together solutions, sticking on hardware that works. You say, well, a Raspberry Pi is pretty cheap, I can grab one of those and maybe throw some Ubuntu on top of that, maybe use some Bluetooth in there, and then I'll just send some RESTful API calls back and forth and hook up a sensor on it, and they'll make really cool stuff. But there's never any consideration of security in the procurement of any of those elements, and there's certainly no consideration given to the security implications of the interaction of all of these different elements when cooking all that stuff together. As a result, we basically have developers building really fragile solutions that fall over very quickly in the face of scrutiny from the security community.

So I mentioned the Hewlett-Packard research study; it's pretty easy to find, I think it's called the Internet of Things Research Study. I think they

studied, I don't know, anywhere between 10 and 50 different, I think maybe it was 10 or 12, IoT devices. They tended to be mostly consumer devices, so these were devices that you would actually find in the home. It doesn't necessarily make it better, because people tend to take these home things off to work and hook them up to a work network too, so it's not necessarily making anything better, but the reality is they were mainly testing stuff that you could go down to Best Buy and pick up. I've been talking to these guys, and they really are very interested in getting into industrial IoT testing to see what the state of affairs is there. The problem is that in most industries you have what's called a brownfield deployment. A greenfield deployment is where you have a situation, you have a problem you want to solve, you step in as the architect, the technologist, and you say, here's how we're going to do it, soup to nuts; we're going to build it this way, we're going to deploy it. The reality is that in most industries, industrialists will come to architects and say, I've already got all this machinery and infrastructure, I've got some SCADA systems, I've got some other monitoring systems, I've got some internet connectivity, some stuff, I need to hook it all together and I need to get it into some sort of analytics platform. So solution providers in this space are working with heterogeneous solutions. They're saying, well, we'll take a little bit of this and put it here, a little bit of this and put it there, we'll do some of this over here, we'll hook it up maybe over some standard protocols like HTTPS, aggregated at a central data point, but ultimately the ecosystem is non-homogeneous; it's all sorts of different things all over the place. And so you can't easily step into that environment as a tester and say, oh hey, GE smart factory is insecure in these ways, because maybe a couple of components are, but not the whole thing. The other thing is you can't just go down to Best Buy and buy a smart factory and check it out and test it, so we don't see much in the media about security researchers reporting on problems, generally because if they do get a chance to look at these systems they're under NDA and contract with whatever company hired them, so those results never go public.

The one organization that has done some sort of public testing is Securing Smart Cities, and that's led by Cesar Cerrudo out of Argentina. He managed to get hold of a smart traffic metering system that basically had sensors that you put on the roadways to track traffic, and smart traffic lights that would adjust based on the volume of traffic. It was really interesting, and no surprise, he found problems in the wireless protocols used by the sensors for trading messages: there was no authentication, you could give them updates that weren't validated, so you could put in a malicious update, and so on and so forth. They basically found ways that you could do really evil stuff with these traffic sensors. But that's the one case of industrial, or in this case municipal, IoT that I'm aware of where a professional tester actually got to test stuff and produced some really amazing results. Even though we might not hear much about industrial IoT or commercial IoT being bad, I think it's not because it's good; it's because we don't have the research to make an evaluation. If you get into this space, I think we would find that industrial IoT is just as important.
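The unvalidated updates Cerrudo found in the traffic sensors are the failure a signed update manifest on the device side prevents: the device holds only the vendor's public key, so an update that was not signed offline, was altered in transit, or merely replays an older version is refused. The Go program below is an added example, not code from the talk or the OWASP IoT project; the "FWUP" manifest layout, the DemoKeypair seed and the sample images are constructed for illustration, while ed25519 and sha256 are the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sentinel errors returned by Verify, one per rejection reason.
var (
	ErrBadSignature   = errors.New("firmware: manifest signature invalid or missing")
	ErrMalformed      = errors.New("firmware: malformed manifest")
	ErrDigestMismatch = errors.New("firmware: image digest does not match manifest")
	ErrRollback       = errors.New("firmware: version is not newer than installed")
)

// Constructed manifest layout for this example (not any vendor's real format):
// "FWUP" (4 bytes) | version, uint32 big-endian (4 bytes) | SHA-256 of image (32 bytes)
const manifestMagic = "FWUP"
const manifestLen = 4 + 4 + sha256.Size

// Package is what the update channel delivers to the device.
type Package struct {
	Manifest  []byte // serialized manifest; this is the only thing that is signed
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // the firmware image itself, bound to Manifest by its digest
}

func marshalManifest(version uint32, digest [sha256.Size]byte) []byte {
	m := make([]byte, manifestLen)
	copy(m[0:4], manifestMagic)
	binary.BigEndian.PutUint32(m[4:8], version)
	copy(m[8:], digest[:])
	return m
}

func parseManifest(m []byte) (version uint32, digest [sha256.Size]byte, err error) {
	if len(m) != manifestLen || string(m[0:4]) != manifestMagic {
		return 0, digest, ErrMalformed
	}
	version = binary.BigEndian.Uint32(m[4:8])
	copy(digest[:], m[8:])
	return version, digest, nil
}

// Sign runs on the vendor's build system; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Package {
	manifest := marshalManifest(version, sha256.Sum256(image))
	return Package{Manifest: manifest, Signature: ed25519.Sign(priv, manifest), Image: image}
}

// Verify runs on the device, which holds only the vendor public key.
// Order matters: check the signature before trusting anything in the manifest,
// then bind the image to the manifest by digest, then refuse downgrades/replays.
func Verify(pub ed25519.PublicKey, installed uint32, p Package) (uint32, error) {
	if len(p.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, p.Manifest, p.Signature) {
		return 0, ErrBadSignature
	}
	version, want, err := parseManifest(p.Manifest)
	if err != nil {
		return 0, err
	}
	got := sha256.Sum256(p.Image)
	if !bytes.Equal(got[:], want[:]) {
		return 0, ErrDigestMismatch
	}
	if version <= installed {
		return 0, ErrRollback
	}
	return version, nil
}

// DemoKeypair derives a fixed keypair from a constructed seed so the example is
// reproducible; a real deployment generates and keeps the private key offline.
func DemoKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeypair()
	image := []byte("constructed firmware image, version 2")
	good := Sign(priv, 2, image)

	report := func(label string, installed uint32, p Package) {
		if v, err := Verify(pub, installed, p); err != nil {
			fmt.Printf("%-26s rejected: %v\n", label, err)
		} else {
			fmt.Printf("%-26s accepted, now at version %d\n", label, v)
		}
	}
	report("genuine update 1->2", 1, good)
	tampered := good
	tampered.Image = append([]byte("X"), image...) // one byte prepended in transit
	report("tampered image", 1, tampered)
	report("unsigned manifest", 1, Package{Manifest: good.Manifest, Image: image})
	report("replayed version 2->2", 2, good)
}
```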

So into this mix comes the OWASP IoT project. We're a bunch of idealistic guys involved in IoT, and we think, hey, we're going to make a difference. We quickly realized that IoT is massive and that the IoT project by necessity had to be an umbrella group, so there's a number of different things that we're doing. Actually, it's mostly Dan and Craig doing these top two: enumerating attack surfaces and vulnerability lists. Unfortunately, Google still throws up the OWASP IoT Top Ten as your first search result, so if you're searching for OWASP Internet of Things, go to the second result; that's actually the project page, not the top ten. We're also looking at developing some reference solutions and architectures that we can give to developers, so we can say, if you're developing IoT, this is the way to do it securely. To support that effort, what we're really trying to do is develop these last two things: some sort of implementation-agnostic principles of security to think about when you're working in IoT, and an IoT framework assessment. In a typical web development environment, one of the canonical pieces of advice that you give to web developers is, don't build your own web app; go out and get a framework, use something like Django or Drupal or whatever you want to use, make sure it's got security mitigations against the OWASP Top 10 and all those things, and build off of that, and that way your developers don't have to think about the problems. There are actually IoT frameworks out there that you can develop IoT solutions on; they're pretty new to the market, but we wanted to create a checklist that basically said, if you're asking somebody about this IoT framework, you should ask this question, this question and this question. So if you're involved in an organization thinking about IoT, I would highly recommend it; if you're involved in testing IoT, I would also recommend it, because basically all the questions are very lean. It's sort of like, do you do device-side encryption? If the answer is no and you're a tester, that is a potential avenue for attack. So it's designed as a checklist for people doing evaluation, but I think you can pretty easily use it as a tester as a checklist of ways to break into the system. We also aggregate a lot of the community resources that we found around IoT. I think this is a growing community, and as I go through this talk, if you see something that you think should be a part of our material, or you think that you can make a contribution, please reach out to us, come to the website; we're looking for contributors. It's definitely an evolving project.

So here's the OWASP IoT Top 10. The categories are accurate, but I've abbreviated the security considerations and the recommendations just for the sake of space. I'm sure you can all read this; I'll run through them so you don't have to squint. This is very similar to the OWASP Top 10: these are vulnerabilities that testers typically find in IoT deployments, ranked from the most prolific and highest impact to the less prolific and lower impact. The number one problem that we find in IoT is insecure web interfaces, and part of the reason why you find this is that most people rolling IoT are very concerned about resource constraints. They want a very small footprint in their firmware on the devices, so instead of using a web application development framework like Django, they're rolling their own: they're writing CGI scripts in C or C++ and putting them on the web in a web interface for their IoT deployment, and you can imagine all the things that go wrong there, like buffer overflow vulnerabilities in your web interface. Again, these are developers intent on standing up IoT solutions, so it's not like they're doing anything

dumb or stupid or foolish; they're just feature focused. They want to deliver value to the customer, and they don't really think about security, and frankly there just aren't enough security people involved in IoT to tell them otherwise.

[Audience member] Yeah, they also develop EULAs that make it your responsibility to secure the environment, especially in the SOHO market, which you're discussing, but that also ends up in your industrial areas and your kitchenettes and all of your light bulbs and devices in life.

That's exactly true, and a lot of manufacturers will use that as an out. Basically, if you ask them questions like, do you do bidirectional encryption between clients and a central server, the vendors will say, no, if you want to set that up you can, but we don't do it. So you'll see a lot of deployments exactly like that, where they're sort of like, that's an operational consideration, that's not what we do; we give you the solution, you make it secure, you've got your own security partner. I think luckily the rush to cloud-based deployments has changed that model slightly, because now suddenly vendors are responsible for the core of the ecosystem, but a lot of companies again want to host in-house, and so they accept that responsibility. So that's a huge area of IoT security, though again it's not necessarily IoT specific; it's just that when you're bringing new systems into your ecosystem, you might be responsible for certain risks that may or may not be explicit to you, unless you read through the EULA and you're like, oh geez, I can't believe I'm responsible for that stuff.

The second one is insufficient authentication or authorization: this is either no usernames and passwords on interfaces, default usernames and passwords on interfaces, or easily guessable usernames and passwords on interfaces. These are big, or the classic brute force attacks where you find some SSH or Telnet or web interface on the IoT device, you type in admin/admin, and suddenly you drop to a root shell.

Insecure network services is a big one, and I'm going to talk about this one a little bit later, but basically it's utilizing network services that don't have a security component. This comes up as part of the framework assessment, but one of the first things that you want to do if you're testing an IoT device is take it into a hostile environment, which basically means rip it out of its ecosystem and put it in one that you control. Most developers don't consider that; they never think about, what if somebody hijacks DNS? It's like, well, you're responsible for your DNS infrastructure, so I could do that. But that's the first thing a tester is going to do: ask, what queries is this device making, and can I misdirect it? Can I attempt to degrade any encryption that's applied? Can I get access to any information? Probably not shockingly, a lot of IoT deployments won't even bother using encryption, especially if you're talking about the transport that's close to the device. If you're using Bluetooth Low Energy or ZigBee or something like that, a lot of times you'll find that there's not even any protection applied, because basically the thought is that as an attacker you would have to have physical access or be in very close proximity to the device, which is not all that hard in an IoT environment. So we find a lack of transport encryption.

Privacy concerns: this is a huge one that's closely related, and I'll touch on it a little bit; it's not entirely my focus. I think privacy in the IoT space is a really tricky challenge, because there aren't really many good technical solutions. There's not a privacy module that you can slap on your IoT solution and have it be okay. The other thing about privacy in an IoT environment is that most IoT deployments are designed to collect data about their environment, so you have things like sensors

that are just aggregating what's going on around them, and part of the reason this is a problem for privacy is that in a traditional application security model, when you sit down and use an app, you log in, you start up that app, and there's some sort of explicit security contract that you make with that application: you interact with it, you start it. In IoT, you might be walking by; you might never be aware the device is collecting any information about you, and you certainly don't have any opportunity to consent to that collection. In the most frightening cases there might be instances in IoT where people who are legally not able to provide consent about data collection, like minors, are being exposed to these IoT environments. This is data that's all getting sucked up, oftentimes without the consumer's knowledge or the customer's knowledge.

Insecure cloud interface and insecure mobile interface: pretty typical stuff.

Insufficient security configurability: this is another one that's a problem with IoT, because a lot of IoT devices don't have any human user interaction. You don't have an interface for people, so it's very difficult for a person to understand what the device is doing, does it need an update, how do I update it, what's the security posture of the device, do I need to update firmware, how would that happen, do I even know? This ties into number nine, which is insecure software or firmware. This is typically IoT devices that will allow you to sideload or load firmware updates onto the device, and they won't check whether those updates or those additional software components are valid and should actually be on the device.

Lastly, it's poor physical security. This is the hardware hacking where you actually just crack the case off of things, and you start looking at chips and pulling out flash memory and taking a look at it, using tools like binwalk to uncover what's going on inside the device. These devices sometimes will have USB or Ethernet ports that will give privileged access; they'll have JTAG interfaces that aren't disabled when they go to production. All those things are big problems.

So we looked at all of that and we tried to develop an IoT list of principles of security. These are designed to be kind of marketing, and they're supposed to be the kinds of things that you should present to your developers or your CTOs when they're thinking about doing an IoT deployment: what are the kinds of things that you need to keep in the back of your mind about

the problems that are going to crop up and drive your IoT deployment. The first thing you need to do is assume a hostile environment. The idea here is that you deploy your IoT devices into a physical environment that's beyond your control, and you need to consider the implications of that. As a tester, this is the thing: again, the first thing you do is take the device, put it in a hostile environment, start breaking it open and see what happens. I think a lot of developers don't really consider that. They don't consider that somebody might actually open the device up; they might intercept networking traffic; they might interrupt networking traffic to see what happens; they might change out components; they may try to download firmware and run it in a virtualized environment that they control. So you always have to consider that whatever you're deploying on your edge is deploying into a hostile network. Where you see this cause the most problems is when people put stuff like authentication credentials into software that goes out on the devices at the edge, because you're basically writing down usernames and passwords. You might try to obfuscate them, but you're putting that somewhere on a device and then you're giving that device to somebody, so it becomes very easy for them to pick apart that device and find those authentication credentials. So you need to be really careful about what you're doing. If you go online and search for private key exposure incidents, you see a lot of people, not necessarily specifically in IoT but in deployment environments, where manufacturers will unintentionally put very sensitive cryptographic material on devices, and maybe not unique cryptographic material. So they deploy a hundred thousand routers, and not that Cisco has done this, but they put the same private key on there, and as soon as somebody recovers one private key they can suddenly break down your entire cryptographic scheme.

You want to test for scale. The security problems in IoT are really exacerbated by scale, even simple things like denial of service. With IoT deployments you're typically talking about maybe a couple thousand to a couple million devices in an ecosystem, all talking at the same time, and you can imagine the problems that are inherent there. Even something simple like self-registration: you buy a new smart connected toaster and you turn it on; how does that thing register to whatever cloud service it connects to? Can you spot a malicious registration? What if you make a device and deploy it on a factory floor, and a million of them all turn on at the same time? You can create a self-denial-of-service condition right there.

The internet of lies is one of my favorite little principles to apply to IoT, and I thank God for Volkswagen for making this real. IoT devices are autonomous systems: they're capable of making autonomous decisions and reporting information autonomously, and they might not be reporting the truth. Just because you see that a diesel motor says "yep, I'm running clean" in the lab doesn't necessarily mean it is running clean. If you don't know about Volkswagen's little machinations, just look it up; it's kind of brilliant, and it's basically using software to feed false information. In the Internet of Things, because you have so many autonomous devices, it oftentimes becomes really difficult to tell if a device is compromised, if it's acting maliciously, if it's really sending you what you need it to send. If you don't believe that's the case, read Kim Zetter's book about Stuxnet and how those little PLC devices were reporting that everything's great here while they were destroying centrifuges in Korea.

You need to exploit autonomy. In IoT, devices are operating independently of one another, but they're also capable of operating independently and doing very complex computational and cryptographic tasks. You need to recognize that the device is a full computer, and so don't fall back on models of using usernames and

passwords for devices to authenticate one another there's no reason a device can't have like a two megabyte cryptographic certificate that it can present as its authentication credential right so you can use this on autonomy to make devices do things that human users would never do right like they would just never deal with all that and you can also use it to enforce those kinds of constraints right like an autonomous device is never going to get uh an ssl cert warning and say not click through add to your exceptionalist right like it will actually follow these sorts of rules that you can enforce you need to expect isolation too so this is sort of my favorite in a lot

of iot deployments if you take a device and you remove its networking capability or you cut out a specific piece of the ecosystem that it expects to be able to communicate with it'll like fail open you know basically just security mechanisms will go away right and they won't sort of enforce the same security posture when they're disconnected as with their connector right so like what happens to these devices if you cut the internet connection you suddenly not need to authenticate anymore because it can't authenticate you to a central service who knows you need to protect uniformly so when i talked about the iot ecosystem and all the different components in there a lot of times what you'll see is you'll

see designers build very strong protection capabilities in areas where they feel like people will try and attack them right so they'll make like complex multi-factor authentication via the web interface to you know see the metrics and control the devices in the attitude ecosystem and they'll forget that there's a mobile app that allows you to enter a four-digit pin and get access to the exact same thing and mobile app isn't talking some like you know magical protocol it's talking over the same and all an attacker needs to do is find that mobile interface and suddenly the challenge of breaking in goes from complex multi-factor to four-digit right so when you think about iot ecosystems you need to think about like

what are the protection mechanisms that are applied and are they applied everywhere do you have a uniform defensive service service um encryption is tricky and you know i see this a lot working with developers that like a lot of developers recognize like hey encryption is the answer and they sort of like sprinkle cryptid dust on stuff and then you come in and you're like why are you encrypting like a post parameter or a url like who cares like guys aes 128 encrypted like they're good for the auditors like it doesn't really do anything and you can find problems where people will do stuff like they'll salt password hashes but they'll use the same solve for every password right like
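The same-salt-for-every-password mistake just described, as an added example that is not part of the talk or of the OWASP project: the flawed shared-salt scheme beside per-password random salts, plus a check a reviewer can run over a credential table to spot the symptom. The algorithm choice (PBKDF2-HMAC-SHA256), the record format, and the sample accounts are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Assumed parameters: the talk names no algorithm, so this example uses
# PBKDF2-HMAC-SHA256 with a modest iteration count so the demo runs quickly.
ITERATIONS = 100_000
SALT_BYTES = 16

# The mistake described in the talk: one salt for every password. Baked into
# firmware or config, it becomes part of the algorithm, so two users with the
# same password get the same hash, and one precomputed table covers everyone.
SHARED_SALT = b"constructed-fixed-salt"  # constructed value for the demo


def hash_with_shared_salt(password: str) -> str:
    """Flawed scheme: the digest is deterministic across users."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), SHARED_SALT, ITERATIONS)
    return dk.hex()


def hash_password(password: str) -> str:
    """Corrected scheme: a fresh random salt per password, stored beside the
    hash as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute using the salt and iteration count recorded with the hash."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        expected = bytes.fromhex(hash_hex)
    except ValueError:  # malformed record: wrong field count, bad hex, bad int
        return False
    # Constant-time comparison; a plain == would leak how many bytes matched.
    return hmac.compare_digest(dk, expected)


def duplicate_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Review check over a credential table {user: stored hash}: which hashes
    belong to more than one user. Per-password salts make this empty; a shared
    salt makes every pair of users with the same password collide, which is
    what someone holding a dumped table would notice first."""
    by_hash: Dict[str, List[str]] = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob chose the same password.
    accounts = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]
    flawed = {u: hash_with_shared_salt(p) for u, p in accounts}
    fixed = {u: hash_password(p) for u, p in accounts}
    print("shared salt collisions:", duplicate_hash_groups(flawed))  # alice and bob
    print("per-password salt collisions:", duplicate_hash_groups(fixed))  # {}
```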

It's very easy to make mistakes with encryption, and this is one that you don't normally see pen testers poke at when they're attacking IoT systems, generally because they don't have to; they don't have to get to this level. But it's been my experience, when you look at the encryption deployed in IoT systems, typically there are mistakes that basically invalidate the value of the cryptographic defenses.

You need to make sure you do system hardening at every level of the stack, right? So you can have a really awesome IoT deployment, but you could have an SSH service on the Linux box that's running the edge, and you can have the password for the root account be "password123" or something like that. You need to make sure that you're following all the traditional system hardening for all of the various components of your infrastructure, and that's not just the hardware, not just the networking, also your cloud. The worst thing: you could have a bunch of really hardened virtual machines sitting up in AWS, but your management interface could have a bad username and password, and somebody could just pop right in through the back door that way.

You need to limit what you can. So in the rush to produce product for the IoT market, features sell, and people basically want to build a bunch of features. The reality is there's no reason to ship with all those features turned on. You have to turn off as many as you can, and this is another avenue of attack: to see what are the unused or unadvertised features in this ecosystem and can I take advantage of them.

Plan for full life cycle support. You need to plan for compromise, you need to plan for being able to revoke certain devices, you need to plan for updates. I don't know if anybody's familiar with the Wink home hub, but they had a really bad problem: one of their SSL certificates expired and then suddenly none of their customers could receive updates and everything failed to be able to integrate anymore. They hadn't planned for life cycle support; they hadn't planned for, what do we do if you need to update your root certificate trust store? And so they did pretty much what Jeep did: they started mailing out USB keys to people, or say bring them back into the shop. And I think if Wink is not out of business now, it's like... it's a chapter. I don't think that incident...

Data in aggregate is unpredictable. This goes back to the principle that's sort of the privacy of IoT. Everyone sees the value of collecting data in IoT, but very few people are thinking about the privacy implications of collecting that data. And I really like to talk about the example of, say you're a manufacturer of a tire pressure sensor, right? You want this to be a smart tire pressure sensor, so you want it to report back to home and you want to aggregate all this data and combine it with other information from the car. Maybe, maybe not, but let's just assume the tire pressure sensor... fluid dynamics, let's just assume for the sake of argument that I know what I'm talking about with physics, and you can tell based on changes in tire pressure where the car was located, say in terms of altitude, how long it had been driven, or when it was being driven due to pressure changes due to temperature changes, and how much load was actually in the vehicle. So you could tell how much the vehicle was carrying, when it was being driven, and changes. Even just this basic data, most people sort of think, well, that's pretty innocuous, who cares, especially if I aggregate that. But what if I'm watching one car over the course of two years and I notice that this car has a certain, you know, weight ratio or whatever, and it steadily increases, say by four or five pounds, and then suddenly overnight it goes to an overall weight increase of twelve pounds? You might be able to assume that the person who owns that car had a baby, right? Like, maybe there was a woman driving the car and she slowly gained weight over the time of her pregnancy, and then she added a baby and a car seat to the back seat, right? That's data that those people would never consider that they would be stewards of. And you really see problems with this, like Ashley Madison. I mean, everybody was sort of up in arms and it was very sensational, like, of course people are going to get divorced. One of the fallouts of the exposure of the users for Ashley Madison was there were people who sort of came out and said, I engaged in an activity on Ashley Madison that could get me the death penalty where I live, and I'm sure that Ashley Madison, in designing a risk matrix, never considered that they might hold data that could get people killed, right? And so when we're aggregating this kind of stuff, especially in an IoT environment, especially at the scale IoT runs at, especially considering we're using sensors that may or may not even allow people to opt in for participation, we need to think very clearly and carefully about what the privacy and security implications are.

You need to plan for the worst. You need to assume that eventually you're going to get compromised. What are you going to do about it? You don't want to be sending out a whole bunch of USB keys; that's going to be awful.

The long haul is an interesting one. So most commercial IoT deployments are anywhere between like four and twenty years, right? So you're designing a system that you're going to put in the field and it's going to have to last. So it's really important for developers to deploy what I like to call forward-compatible security, right? New attack vectors are going to be discovered, new defensive capabilities and cryptographic capabilities are going to come out, and if your system is deployed point-in-time and it can't be upgraded and can't be adjusted, you're going to run into problems really quickly, because two, three, four years down the line your systems are basically going to be degrading in the face of advancing attacks.

Transitive ownership is one that I like to talk about that nobody seems to be thinking about. Like, so I build a smart home and then I sell it. Well, what happens to all my smart devices? Do I have to go and rip them all out of the wall? Now you suddenly have my Nest setup and you can take apart my security; what would I do with that? Not only that, in an industrial space you'll oftentimes find companies with smart connected products that use the same products in the same vertical amongst competitive entities. So you might have something like a smart vending machine, right, and say it works for a Coke distributor, and they decide that they don't like that vending machine, it's getting older, they want to sell it. Can a Pepsi distributor buy that machine and pull out proprietary data from that machine? Right? So what computational power is moving along with this transitive device, and can you protect it?

Yeah, speaking of smart homes, there was actually a situation that just happened with an individual who was married. He got divorced from his wife, she married a new person, and he still had connectivity with his device to the house and tortured them in the house by changing the AC in the middle of the night, putting on speakers or flashing lights. She had no means of revoking it from him because the vendor never put it in.

Right, because most manufacturers don't think about that. They don't think, well, what do I do when this thing gets sold? How do I post comments on Amazon about how he did that?
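One way a vendor could design for the ownership-transfer problem the speaker and the audience member describe (a house or device changing hands, with no way to revoke the previous occupant's access), as an added example that is not part of the talk or of any vendor's product: each device holds one secret and a key version, every credential is bound to that version, and transferring ownership rotates the secret and drops every existing grant, so old credentials stop validating without the device having to keep a revocation list. The registry, token format, permission names and sample principals are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Device:
    device_id: str
    owner: str
    # Per-device secret and version, rotated on ownership transfer (constructed design).
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    key_version: int = 1
    # principal -> permissions granted on this device
    grants: Dict[str, Set[str]] = field(default_factory=dict)


OWNER_PERMISSIONS = {"control", "view", "share"}


class DeviceRegistry:
    """Cloud-side record of who may do what on each device (constructed example)."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}

    def register(self, device_id: str, owner: str) -> Device:
        dev = Device(device_id, owner)
        dev.grants[owner] = set(OWNER_PERMISSIONS)
        self.devices[device_id] = dev
        return dev

    def grant(self, device_id: str, granted_by: str, principal: str, permission: str) -> None:
        """Only a principal holding 'share' may hand out access (e.g. the owner to a guest)."""
        dev = self.devices[device_id]
        if "share" not in dev.grants.get(granted_by, set()):
            raise PermissionError(f"{granted_by} may not share {device_id}")
        dev.grants.setdefault(principal, set()).add(permission)

    def _mac(self, dev: Device, principal: str, version: int) -> str:
        msg = f"{dev.device_id}|{principal}|{version}".encode()
        return hmac.new(dev.secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, device_id: str, principal: str) -> str:
        """Token = device|principal|key_version|mac, MACed under the *current* secret."""
        dev = self.devices[device_id]
        if principal not in dev.grants:
            raise PermissionError(f"{principal} has no grant on {device_id}")
        return f"{device_id}|{principal}|{dev.key_version}|{self._mac(dev, principal, dev.key_version)}"

    def authorize(self, token: str, permission: str) -> bool:
        """True only if the token was minted under the device's current secret and
        version and the principal still holds the requested permission."""
        try:
            device_id, principal, version_str, mac = token.split("|")
            version = int(version_str)
        except ValueError:
            return False
        dev = self.devices.get(device_id)
        if dev is None or version != dev.key_version:
            return False  # stale version: the token predates a transfer
        expected = self._mac(dev, principal, version)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # forged or issued under a rotated secret
        return permission in dev.grants.get(principal, set())

    def transfer_ownership(self, device_id: str, new_owner: str) -> int:
        """Sale or hand-over: rotate the secret, bump the version, drop every grant.
        Returns how many principals lost access. No revocation list is needed,
        because every earlier token now fails both the version and the MAC check."""
        dev = self.devices[device_id]
        revoked = len(dev.grants)
        dev.secret = secrets.token_bytes(32)
        dev.key_version += 1
        dev.grants = {new_owner: set(OWNER_PERMISSIONS)}
        dev.owner = new_owner
        return revoked


if __name__ == "__main__":
    # Constructed scenario: alice owns a thermostat, shares control with bob,
    # then the home changes hands to carol.
    reg = DeviceRegistry()
    reg.register("thermostat-01", "alice")
    reg.grant("thermostat-01", "alice", "bob", "control")
    bob_token = reg.issue_token("thermostat-01", "bob")
    print("bob before transfer:", reg.authorize(bob_token, "control"))  # True
    print("revoked:", reg.transfer_ownership("thermostat-01", "carol"))  # 2
    print("bob after transfer:", reg.authorize(bob_token, "control"))  # False
```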

Well, this is a crazy thing. You sort of see the consumers leading the bleeding edge here in terms of information reporting, but this is happening on an industrial level too. One of the big concerns with a lot of industrial appliances: let's say I want to use strong cryptographic capabilities on my edge, so I go to somebody like Symantec or VeriSign and I buy cryptographic certificates that I deploy on each of my devices. Well, what happens if I sell that device? Does that cert go to my competitor? How do I de-provision that? And, you know, you'll find answers from industry, and they're like, oh, well, we've got an Online Certificate Status Protocol that'll allow you to say these certificates... well, at IoT scale that doesn't work, right? You can't have an IoT device pull down a certificate revocation list that's two million records long and parse it. It just can't do it. So again, scale becomes an issue.

And this last one is one of my favorites, and it's one of these problems that has no good solution, right? So in traditional computing systems we have maybe a one-to-one or a one-to-many relationship between an application and its users: you might have an application that has multiple different users, but you just have the one application. In IoT you don't have a one device to one user relationship, right? You have a device that might be used by multiple different people; you have multiple different people that might be using multiple different devices; you might have devices that need to broker credentials, that sort of operate like, say, I'm talking to another device but I'm going to use Joe's credentials to do this because Joe is trusted on this other device. There's no good authentication mechanism for that. You want to talk about crazy authentication schemes: how do you do that, right? How do you credential individuals to devices at this kind of scale, in this kind of a way? And these people are going to need different permissions on different devices, right? We have no good, even academic, models, I don't think, as far as I'm aware, to solve this problem, like how do we do N-to-N authentication between devices? And that's causing all sorts of problems, again, where you're just finding devices doing sloppy authentication or insufficient authentication, or running into all sorts of authentication mistakes.

So the last thing I kind of wanted to talk about was the framework assessment that we've set up. We developed it based on the model of this sort of prototypical IoT deployment where you have, like, your smart clothing machine, for whatever reason, and it's connected to the internet, and typically it's going to use some sort of a gateway device, right? This may or may not always be the case, but a lot of times you'll find that you have some sort of cloud infrastructure that's doing aggregation; this could be an on-prem thing or it could be something that's publicly available. And then you have some mobile component that may be talking either to the gateway or to the cloud or to the edge component. So we basically broke it down into security questions you should ask about the edge, the gateway, the cloud and the mobile component, and I just sort of pulled a few of the ones that I thought were most interesting off of there. But when you're talking to vendors of IoT framework solutions you need to be asking these things, and if you're a tester and you're looking at an IoT deployment and you're looking at the edge, these are the kinds of questions you need to be asking, because it can very well guide your research. And again, this is not a comprehensive list; go to the website for these different questions, and again we're always looking for feedback, so if you have questions that you think you would ask that aren't asked, please let us know.

So on the edge, you want to know: is communication encrypted? Is storage encrypted, and if it's not, why not? That should be a problem. Does the edge device do any logging? Where does it store those logs? If it stores them locally, that might not have a whole lot of value. Are they shipped off to some sort of central aggregation point? How are those logs protected? If somebody intercepts them, can they tamper with them, can they change them? Is there a device updating mechanism for the edge? Can I tell what version of software is running at the edge? Does it automatically update? Does it at least report to me that I need to update that edge? If I do want to do an update, how does that happen? Does it reach out over HTTP and just grab whatever binary is off of a content distribution network, or does it actually go and find something off of an authenticated site, download it, and check some sort of cryptographic signature before it installs it? Are there default passwords (and you find this everywhere) or are there shared passwords? So even if you're not using a default password, if you're sharing a password across an entire infrastructure, you're basically setting yourself up for failure. What are the offline security features? So if I pull this device and I kill all its internet connectivity, what does it do to defend itself? What happens when it comes back online? Will it do stuff like cache logs and then forward them when it comes back online, or will it just fall over? And how is transitive ownership addressed?

For the gateway you have a lot of similar concerns. A lot of gateways will perform encryption or secure protocols on one side but not the other, and figuring out whether or not there's support there for encryption end to end, whether or not the gateway breaks encryption, right? So you could have a gateway device that's gathering things from an encrypted communication on one side and sending them out to a similar encryption on the other side, but if an attacker sits on the gateway they see everything unencrypted. So is the gateway a single point of security failure? Is there local storage for the gateway, or is it just serving as a proxy and passing things back and forth? Is it encrypting things locally? Is there an anomaly detection capability on the gateway? So in a lot of IoT deployments you'll have a lot of devices behind a gateway, and the center, the cloud, won't actually be able to see the devices; you'll only be able to see reports from the gateways. The gateways are in a privileged location. What are the security implications of that privileged location? Can you learn anything? Is there logging?

So the cloud security considerations draw a lot on traditional web interface best practices. Is there a secure web interface? Is there an insecure web interface? Is there a capability to do data classification and segregation, or is all of your IoT data just thrown in the same database? So you're storing very sensitive stuff with not very sensitive stuff. But what does that mean? Does that mean suddenly all of my very mundane data I have to treat as very protected data because it's stored in the same place as the very protected data, or do I just degrade my overall protection and say, well, we've got secure stuff but most of it doesn't matter, so we're just not going to protect it very much? Is there a security inventory? So if you're going to attack an IoT system, attacking the edge is really easy, but attacking the center is really valuable; this is where all the data goes, and in many IoT deployments the center is not only collecting information from the sensors, it's also sending out command and control to the sensors, and it can actually actuate them, update firmware, that kind of thing. So a compromise at the center is particularly bad. You see this all over the place, where people build these IoT ecosystems and they'll use secure tools but then they'll use random third-party libraries to help support it, and it's like, okay, jQuery makes your web interface look awesome; are you actually updating that? Do you have a capability to even list all of the third-party stuff, all the software that your company is not directly responsible for, and report on its versioning? How do you update it? Do you plan for any of those updates? How will you respond if there's a vulnerability found in one of these supporting libraries? Is there any sort of audit capability? Can I tell which device did what, when? If not, why not? Is it important? Is there interface separation? You rarely find this, right? So an autonomous device is going to send very predictable information to the cloud, and you're probably going to know what that is, and a human user is going to be doing very different things. Is the interface at the center designed to be the same for the human user as for the device? You see a lot of people do this when they develop systems, for convenience: they develop one interface, and they have the device interact with it this way, the human interacts with it this way, mobile interacts with it this way. But it doesn't take a tester long to figure out, oh hey, I can pretend to be a device and get all sorts of interesting new interfaces and new capabilities. And do you have complex multi-factor authentication? We've got a long history of providing good authentication and security on the web; you should be using it.

Mobile considerations I'm going to skim over, just because I think mobile security has been kind of done to death, and there's an OWASP mobile group that you can check out for better recommendations there. Generally you want to make sure that your mobile device is integrating with the overall security of your platform.

So, final thoughts. Privacy is a big deal; I think I've talked about that a lot. The Federal Trade Commission is seeking feedback right now for proposed recommendations around IoT security best practice that they're going to release, and they are probably going to outline the things that IoT manufacturers should be doing, and there are going to be fines associated with that. So I think we're going to see a big push in IoT security really soon, as soon as people understand what those regulations are. And finally, consumers might not care about security, but businesses do. Any sufficiently sized business, hopefully the places that you guys work, if somebody says I want to do an IoT deployment, you're asking questions like, why? How are you going to make it secure? Right, the kinds of things that most consumers won't. And OWASP is certainly not the only organization in this arena: there's Securing Smart Cities, BuildItSecure.ly, the Online Trust Alliance, and I'm sure most of you have heard about I Am The Cavalry, who started working mainly in the medical field but have also branched out into other IoT areas. So I think I have a few minutes.

A lot of what I do is in terms of bringing IoT into your organization. I'm bringing it in, I have to bring it in, right? Consumers in your business are plugging in things that have these alternatives, right? What's the one thing I should buy, implement, design, architect, whatever, that holds me over until I can do a proper assessment?

So yeah, this is not going to be an exciting answer, but defense in depth, right? That's really the first thing that you need to do when you're considering these kinds of things: say, okay, assuming that I'm bringing a potentially vulnerable, unsafe component into my overall architecture, my IT, why don't I just look at that component and think, what are the implications for compromise and how can I limit the damage? So a lot of people will create a separate VLAN for their IoT environment, segregate that, create traffic restrictions. Even just getting visibility into what the various IoT components in your infrastructure are will help you a lot: figuring out what kinds of things those are doing, what kind of network communications those devices are making, looking for anomalies in those communications, making sure that they're not calling out somewhere they shouldn't, or whatever. But you definitely want to say, okay, people will passively say security is only as strong as its weakest link, which is kind of true, but if you can isolate those links, you might be able to break one as an attacker but you might not be able to get to the other ones. So that's the approach: how do I isolate this, assume a compromise in this one link, and how do I limit the damage?

Just cost-wise, I mean, how do you justify it in the business? Because most of us here probably don't work in a nuclear power plant that's worth nation-state attacks. If the business sees it as, okay, once in a blue moon someone's going to flip on the coffee machine with no cup in it, I mean, how do you sell this?

So it's actually easier than you would think, right? You look at government regulations. You look at fines that the FCC, the Federal Communications Commission, and the FTC, the Federal Trade Commission, have levied against businesses for failing to follow best practices. So the FTC has a really great white paper, I think it's called "Start with Security," that's actually targeted towards startups, but they cite like fifty business cases where they fined businesses for failing to follow best practices. And you go to your management and you say, look, the FTC is already fining people tens if not hundreds of thousands of dollars for failing to follow best practices with IoT; they're coming out with guidance in January; we should talk to legal, we should talk to clients, we should get their readout on what they think those regulations are going to be. Because you might think it's just going to be your coffee machine getting turned on, but, you know, the leaked Verizon report about the Target compromise showed that internet-connected meat slicers were an avenue into Target's ecosystem, right? So there are going to be consequences for failing to follow best practices in security, and I think if you look at government fines, that's a really easy sell, because you can say, look, you as a business, if you don't address this, you're accepting certain risk and potential liability that could...

Thinking about that same question: the scenario I work with at a college, so the scenario for us, the Internet of Things for us is lights and HVAC, so it becomes a cost issue. If those things are compromised and somebody's turning on all the lights and burning out the lamps on projectors, things like that, in terms of justification for why you isolate these things, you can look: I don't want to be tripling or quadrupling my power usage for a building; I don't want to be, you know, these consumables. If it gets turned on at night, you might have to replace that every six months instead of every two years.

Yeah, things like that. I think it's important to think more broadly, though. I think it's easy to look at an IoT device environment and say, well, somebody compromises my light, who cares? The reality is, if somebody compromises that light bulb and uses it to do something else, that's where the FTC will come in and fine you, and you'd be like, well, it's just a light bulb, I didn't care. It's like, sorry, you didn't apply security due diligence to your IT infrastructure uniformly, and you left certain very weak spots that attackers were able to use, and so, sorry, we're hitting you with a violation, because you lost 20,000 student records and they came in through your smart light bulb. We don't care how they got in; we care about the end result. So that's the important thing to think about: these components may seem stupid and worthless, and the damage seems very limited, but it's important to think more broadly. These are components in a much larger ecosystem, and they don't exist in isolation. Their compromise might not initially seem like it would cause a big deal.

Yeah, so for example, I know a light bulb is kind of a silly example, but if you're in a room with somebody who has epilepsy and someone is spamming the light bulb on them, that organization could get fined over that.

Yeah, I mean, there's all sorts of unintended consequences. I'm not a fan of government regulation, but I think the fact that the government is moving in this direction is a good tool for us in information security to go to management and say, look, there's going to be financial risk associated with failure to address security in these deployments. So think more broadly than the vending machine level.

You mentioned legal ramifications and/or financial risk, and that gets the business's attention.

Yes, exactly, exactly. So it's been my experience that my best friends are the legal and compliance departments, because I just go to them and I'm like, "risk," and they're like, "I speak that language," and suddenly there are board-level meetings that I don't have to go to that they go to, basically bringing my ammunition, and say, look, this is not a cool situation. So those folks are your friends especially. All right, well, I think that's about all the time we have. If you want to ask me questions offline, I'll hang out here for another five minutes.
