
Brian Knopf
[email protected]
@doyouqa
§  Director of Application Security,
Belkin International (owners of
Linksys)
§  Member, UPnP Task Force
§  Previously Principal Test Architect,
Office of the CTO at Rapid7
§  20+ years of experience in IT, QA,
Development and Security
§  Programming, disassembling and
reverse engineering since age 5
§  What is IoT?
§  Why is IoT Important?
§  Components of IoT
§  IoT Attacks
§  How Do I Protect My Environment?
§  Future of IoT
§  Conclusion
Source: Wikipedia.org http://en.wikipedia.org/wiki/IOT
Source: Gartner http://www.gartner.com/newsroom/id/2636073
§  Originated at the Auto-ID center at MIT
§  Started with RFID, Electronic Product Code tags to connect
devices
§  Self-configuring was the key
§  Evolved into connected advanced wireless devices
§  No single IoT protocol currently
Source: Gartner http://www.gartner.com/newsroom/id/2636073
§  Hundreds of manufacturers creating
devices
§  Everyday devices now connected
and communicating valuable data
§  Makes environments smarter
§  Improves power conservation
§  Provides sense of security
§  Connects M2M and M2B
Pain Management 1970s
Pain Management 2010s
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
•  Turn your electronics on/off, monitor them from
anywhere
•  Create rules, schedules, and receive
notifications
•  Get insight into home energy or water usage
•  Compatible with iOS and Android
Source: http://www.belkin.com
•  GPS tracking device for pets
•  Track how much exercise they get
•  Receive notifications when they leave user configured
zone
•  Uses Google Maps for setup
•  Mobile and web apps for tracking and notifications
•  Same technology used to track company vehicles
•  Now cheaper and more accessible to average person
Source: http://www.pettracker.com/
•  3-factor authentication (Nymi, smart phone, cardiac
rhythm)
•  Integration with Windows, Mac OS, Android, and iOS
•  Uses Bluetooth Low Energy
•  Motion detection for gesture recognition
•  Looking at integration with cars to unlock and start them
•  Potential to replace identification or PIN for financial
transactions
•  Is this more secure than a password?
Source: http://www.getnymi.com
Protocols
•  ZigBee
•  Z-Wave
•  6LoWPAN
•  NFC
•  RFID
•  Bluetooth
•  Bluetooth Low Energy
•  INSTEON
•  Lutron
•  MQTT
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
§  IEEE 802.15.4
§  2.4GHz frequency worldwide (16 channels)
§  Regional 915 MHz (Americas) & 868 MHz (Europe)
§  Powered and battery operated devices
§  Multiple star topology and inter-personal area
network (PAN) communication
§  AES-128 security
§  2010 – 40% Market Share
§  2016 – 55% Market Share
ZigBee Mesh Network (diagram: one ZC at the centre, ZRs relaying to it, ZEDs at the edges)
•  ZigBee Coordinator - ZC
   •  Only one
   •  Trust Center
   •  Network information
•  ZigBee Router - ZR
   •  Plug-in not battery powered
   •  Passes data from ZED to ZC
   •  MitM Heaven
•  ZigBee End Device - ZED
   •  Talks to ZC or ZR
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
§  Hardware, software, protocol solutions
§  Allow innovation and automation
§  Software connects APIs between
services
§  Hardware to speak to everything
§  Protocol to bridge physical layer
Sources: http://www.ifttt.com, http://www.ninjablocks.com, http://www.revolv.com
§  Access to personal information
§  Can be used to protect physical location
§  Share some technology with traditional networked devices
§  Updates are mostly manual if available
§  Some endpoint devices are not updateable at all (ZigBee, Z-Wave)
§  Consumers rarely think about patching
§  Consumers are dependent on manufacturer updates
§  Many built on SDKs from chip vendors and manufacturers with no
security expertise
§  Use 3rd Party libraries as black boxes
§  Consumer - Loosely connected devices that may or may not have
rules integrating them
§  Enterprise – Technologies like Closed Loop Lifecycle Management
(CL2M) enable businesses to see how their products are being used,
track maintenance status, and share information securely
§  Enterprise users are charging, syncing, and connecting IoT devices
to corporate assets
§  The dividing line will disappear
§  Health & Fitness
§  Asset Management
§  Insurance
§  Medical
§  Banking
§  Retail
§  Entertainment
Sources: http://www.vizualiiz.com, http://professional.medtronic.com, http://www.nike.com, http://www.progressive.com, http://retailnext.net, http://www.skylanders.com, https://onlycoin.com
Do these improve security
or make people feel safer?
Sources: http://www.getnymi.com, http://www.yubico.com, http://myidkey.com/
§  Some IoT devices rely on Wi-Fi credentials only
§  Hard to use products fail
§  Accounts should depend on class of products
§  Take measures to counter ease of use & improve security
§  Perception vs Reality
§  P2P vs Server Relay
§  Which is safer?
§  IoT protocols open parallel wireless networks
§  Strong encryption + bad implementation = 0 benefit
§  Increase in attack surface
§  More devices to patch and maintain
§  Cannot backport fixes
§  Dependent on vendor updates
§  Where do IT teams draw the responsibility line?
§  Impact of IoT on BYOD
§  What is allowed on systems?
§  What is allowed in the network?
§  What glue services make sense for your company?
§  Is it worth the risk?
§  How can you stop them?
§  Are you watching outbound?
Source: http://www.veracode.com
§  3rd party libraries getting attacked
§  Developers select based on features and popularity
§  Rarely audit code or understand them
§  Poorly architected, bad code, and not well reviewed
§  Critical Vulns
§  UPnP (libupnp, miniupnp)
§  GnuTLS
§  OpenSSL
§  GoToFail (Apple SSL)
§  OpenSSH
§  LibYAML
•  Researcher: Nitesh Dhanjani
•  User browses to website
containing Java exploit code
•  Laptop on network compromised
with malware
•  Infected laptop turns lights off
•  Attack pauses when bridge is
unplugged
•  Attack resumes when bridge is
plugged back in
Exploit Source: Nitesh Dhanjani http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
•  Researcher: HD Moore
•  Cameras were searchable on
Internet
•  Scanned 3% of Internet
•  Found 250,000 devices running
services, 5000 vulnerable
•  Some vendors had disabled auto
answer by default
•  Able to capture passwords and
documents
•  Audio outside rooms was captured
Exploit Source: HD Moore, R7
http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=0
•  Researcher: Daniel Crowley
•  No authentication on web console
•  Unconfirmed authentication bypass
•  Firmware can be modified from
attacks
•  Server-side request forgery
enables devices to bypass firewall
and be used as a proxy
Exploit Source: Daniel Crowley of Trustwave SpiderLabs https://www.youtube.com/watch?v=PSRPE49lGYw
•  Used UPnP buffer overflow to
exploit WeMo
•  Able to turn on and off the
device rapidly
•  We had a patch available
before the researcher
notified us of the issue
•  Valid UPnP requests still
work within the network
Exploit Source: Daniel Buentello using UPnP vulnerability discovered by HD Moore http://hackaday.com/2013/01/31/turning-the-belkin-wemo-into-a-deathtrap/
§  2010 study by Tufin Technologies,
supported by UK's Association of Chief
Police Officers
§  "...23% of "uni" students have hacked into
IT systems.
§  32% thought hacking was "cool.“
§  28% considered it to be easy.
The hackers offered a variety of motivations for their behavior: curiosity,
fun, while "an entrepreneurial 15% revealed that they hacked to make
money.“
Source: Fast Company http://www.fastcompany.com/1690541/it-security-firm-fear-students, image from Infosec Reactions - http://securityreactions.tumblr.com/
•  Researcher: Joshua Wright
•  Presented at ToorCon 11 - 2009
•  Framework for ZigBee exploitation
•  Presentation and source are easy to
find
•  Hardware is cheap and easy to get
•  Wireshark has built in tool for
cracking ZigBee Network (NWK)
encryption
Exploit Source: Joshua Wright http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
•  Open source affordable Bluetooth development
platform
•  Class 1 Bluetooth device
•  Bluetooth & BTLE injection & monitoring
•  802.11 FHSS monitoring and injection
•  Basic spectrum monitoring
•  Works with Kismet sniffer
•  Commercial Bluetooth equipment starts at
$10,000
•  Cost: $115
Source: https://greatscottgadgets.com/ubertoothone/, http://www.kismetwireless.net
§  10 MHz to 6 GHz operating frequency
§  Half-duplex transceiver
§  Compatible with GNU Radio, and Software
Defined Radio (SDR)
§  Software-configurable RX and TX gain
baseband filter
§  Open source hardware
§  Lots of applications already written to decode
wireless using this
§  Cost: $330
Source: https://greatscottgadgets.com/hackrf/, http://www.sharebrained.com/2014/05/28/portapack-h1-imminent/
§  Universal bus interface
§  Talks to most chips via PC serial
terminal
§  Comes with debugger software
and BIOS/flash programmers
§  Cost: $30
Source: http://dangerousprototypes.com/docs/Bus_Pirate
•  Supports
•  1-Wire
•  I2C
•  SPI
•  JTAG
•  Asynchronous serial
•  MIDI
•  PC keyboard
•  HD44780 LCD
•  & more
§  Texas Instruments CC1110
§  2x SmartRF boards
§  1 Debugger
§  Documentation
§  Software for sniffing & controlling hardware
§  Flash programmer
§  Cost: $76
§  Paired with Z-Force exploit framework from
researchers
Source: Behrang Fouladi & Sahand Ghanoun, Sensepost http://research.sensepost.com/conferences/2013/bh_zwave, http://research.sensepost.com/tools/embedded/zforce
Offensive Security
Defensive Security
§  New technologies, limited
standards, competing protocols,
and more attack surface may
scare you…
§  GO BACK TO BASICS
•  Secure By Design
•  Secure By Default
•  Secure In Deployment
•  Defense In Depth
Secure by Design
•  Secure architecture and code
•  Threat analysis
•  Vulnerability reduction
Secure by Default
•  Attack surface area reduced
•  Unused features turned off by default
•  Minimum privileges used
Secure in Deployment
•  Protection: Detection, defense, recovery, and management
•  Process: How-to guides, architecture guides
•  People: Training
Source: Josh Abraham (Jabra)
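As an added illustration of the "Secure by Default" column (this is example code, not code from the talk or from Belkin), the following Python audit checks a constructed device configuration for the properties listed above: vendor default credentials left in place, optional services switched on, services reachable beyond the LAN, processes running as root, and automatic updates disabled. The configuration keys, service names, and both sample configurations are assumptions made up for the example, not a real product's configuration format.

```python
"""Secure-by-default audit of a (hypothetical) IoT device configuration.

Added example, not from the talk.  Keys, service names and both sample
configurations are constructed for illustration.
"""
from typing import Dict, List

# Passwords that ship on many devices; a device still using one has not
# been set up securely (constructed list for the example).
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}

# Services a consumer device rarely needs; they should be off unless the
# deployment explicitly turns them on (assumed names).
OPTIONAL_SERVICES = {"telnet", "debug_shell"}

# Constructed sample: a weak shipping configuration.
WEAK_CONFIG: Dict = {
    "admin_password": "admin",                 # vendor default, never changed
    "services": {
        "http_admin":  {"enabled": True, "interfaces": ["lan", "wan"]},
        "telnet":      {"enabled": True, "interfaces": ["lan", "wan"]},
        "upnp":        {"enabled": True, "interfaces": ["lan", "wan"]},
        "debug_shell": {"enabled": True, "interfaces": ["lan"]},
    },
    "run_as_user": "root",
    "auto_update": False,
}

# The same device after applying secure defaults: the password is set by
# the user at first boot (so no default is stored), optional services are
# off, admin/UPnP answer on the LAN only, services drop root, updates are on.
HARDENED_CONFIG: Dict = {
    "services": {
        "http_admin":  {"enabled": True,  "interfaces": ["lan"]},
        "telnet":      {"enabled": False, "interfaces": []},
        "upnp":        {"enabled": True,  "interfaces": ["lan"]},
        "debug_shell": {"enabled": False, "interfaces": []},
    },
    "run_as_user": "iot-svc",
    "auto_update": True,
}


def audit(config: Dict) -> List[str]:
    """Return one finding per violated secure-by-default property."""
    findings: List[str] = []

    if config.get("admin_password") in DEFAULT_PASSWORDS:
        findings.append("default-credentials: administrative password is a vendor default")

    for name, svc in config.get("services", {}).items():
        if not svc.get("enabled"):
            continue
        if name in OPTIONAL_SERVICES:
            findings.append(f"unused-feature-on: {name} enabled by default")
        if "wan" in svc.get("interfaces", []):
            findings.append(f"attack-surface: {name} exposed on WAN interface")

    if config.get("run_as_user") == "root":
        findings.append("privilege: services run as root")

    if not config.get("auto_update"):
        findings.append("patching: automatic updates disabled")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Each finding maps back to one row of the table: "Attack surface area reduced" (WAN exposure), "Unused features turned off by default" (telnet, debug shell), and "Minimum privileges used" (running as root); the credential and update checks cover the patching points raised earlier in the talk.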
§  Defense In Depth is critical
§  Separate classes of systems, devices, and users
§  What do IoT devices need access to?
§  Limit password reuse
§  Password Management
§  Multi-factor authentication
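Added example, not from the talk: the enterprise questions "What is allowed in the network?" and "Are you watching outbound?" and the points above about separating classes of devices and asking what IoT devices actually need access to come down to the same check, run here in Python over constructed flow records. It flags IoT-segment devices that are not in the inventory, IoT devices reaching into the corporate segment, and outbound connections that fall outside what each device's vendor needs. The IoT VLAN, corporate subnet, device inventory, and log line format are assumptions made up for the example.

```python
"""Egress and segmentation checks for IoT devices on a corporate network.

Added example, not from the talk.  Subnets, inventory, flow-record format
and the sample records are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")   # assumed IoT segment
CORP_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate segment

# Constructed inventory: each IoT device and the egress its vendor needs,
# as (destination network, port) pairs.
INVENTORY: Dict[str, dict] = {
    "10.20.0.15": {"name": "lobby-camera", "allowed": [("203.0.113.0/24", 443)]},
    "10.20.0.22": {"name": "hvac-sensor",  "allowed": [("198.51.100.7/32", 8883)]},
}
# Egress every device may use regardless of vendor (NTP to anywhere).
COMMON_ALLOWED = [("0.0.0.0/0", 123)]

# Hypothetical flow-record format: "<time> src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed sample records (documentation address ranges).
SAMPLE_FLOWS = """\
2014-03-12T10:01:02Z src=10.20.0.15 dst=203.0.113.40 dport=443
2014-03-12T10:01:05Z src=10.20.0.15 dst=10.10.4.8 dport=445
2014-03-12T10:01:09Z src=10.20.0.22 dst=198.51.100.7 dport=8883
2014-03-12T10:01:11Z src=10.20.0.22 dst=192.0.2.99 dport=6667
2014-03-12T10:01:13Z src=10.20.0.77 dst=203.0.113.40 dport=443
2014-03-12T10:01:14Z src=10.20.0.15 dst=192.0.2.5 dport=123
"""


def permitted(src: str, dst: ipaddress.IPv4Address, dport: int) -> bool:
    """True if the inventory (or the common rules) allows this destination."""
    rules = INVENTORY[src]["allowed"] + COMMON_ALLOWED
    return any(dst in ipaddress.ip_network(net) and dport == port
               for net, port in rules)


def analyze(text: str) -> List[Tuple[str, str, str]]:
    """Return (device, finding-kind, destination) for every suspicious flow."""
    findings: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        dport = int(m.group(3))
        if src not in IOT_VLAN:
            continue  # only flows sourced from the IoT segment are in scope
        target = f"{dst}:{dport}"
        device = INVENTORY.get(str(src))
        if device is None:
            # Something on the IoT VLAN that nobody inventoried.
            findings.append((str(src), "unknown-device", target))
        elif dst in CORP_NET:
            # Class separation broken: IoT device talking to corporate assets.
            findings.append((device["name"], "iot-to-corporate", target))
        elif not permitted(str(src), dst, dport):
            # Outbound to somewhere the vendor never said the device needs.
            findings.append((device["name"], "unexpected-egress", target))
    return findings


def summary(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings by kind, e.g. for a dashboard or alert threshold."""
    counts: Dict[str, int] = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for who, kind, target in analyze(SAMPLE_FLOWS):
        print(f"{kind:18} {who:14} -> {target}")
    print(summary(analyze(SAMPLE_FLOWS)))
```

The inventory is the answer to "What do IoT devices need access to?": once each device's required egress is written down, anything else it does is a finding rather than noise, and a device on the IoT segment with no inventory entry is itself a finding.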
§  Industry collaboration to improve security of embedded OS
and protocols is critical
§  Groups like BuildItSecure.ly trying to improve collaboration
between vendors and security researchers
§  Improvements to standards like ZigBee HA 1.3
§  UPnP+ certification requiring Device Protection
§  Secure Elements / TPM for firmware protection
Source: http://www.computerworld.com/s/article/9247137/Pros_and_Cons_of_Using_Fitness_Trackers_for_Employee_Wellness?taxonomyId=220
•  Does deploying biometric sensors to employees put a company at risk if the data is compromised?
•  What compliance issues arise based on the data being collected and whether companies have access to it?
§  IoT brings awareness, automation, & security to enterprise
environments
§  Rapid growth of IoT devices and vendors without security focus
§  Insecure devices expanding network attack surface
§  Plan your IoT implementation based on use cases
§  Select devices to fit use cases rather than individual issues
§  Threat Model, plan, remediate, mitigate
§  The protection line has moved, adjust your goals
§  Thank you for attending
§  Contact [email protected] for additional information on
IoT & Security
§  Thanks to Amanda Honea, Dianne Asis, & my family for their
support
§  Thanks to Terry Gold for the invitation and in-depth biometrics
discussions
§  Questions?