cloudcamp chicago lightning talk "the internet of (insecure) things" - chandler howell


Upload: cloudcamp-chicago

Post on 28-Jul-2015


TRANSCRIPT

"The Internet of (Insecure) Things"

Chandler Howell, Engineering Manager at Nexum

Tweet: @chandlerhowell #cloudcamp

#cloudcamp @CloudCamp_CHI


The Internet of (Insecure) Things

Chandler Howell, June 2015

The Internet of (Insecure) Things

1. Smart is the New Dumb
2. When Worlds Collide
3. Failure Modes
4. A Parade of Horrors
5. So What Should I Do Now?

SMART IS THE NEW DUMB
Ironic, really

Smart is the New Dumb

Smart, but Vulnerable
Security is not a priority of IoT (yet)

Focus is on:
- Time to market
- Features & functionality

Focus is NOT on:
- Security
- Maintainability
- Longevity

WHEN WORLDS COLLIDE
We ain't seen nothing yet

When Worlds Collide

Lifecycles are mismatched
- Technology lifecycles are very short: devices go EOL in 3-5 years or less
- Consumer lifecycles are longer: refrigerators, coffee makers, etc. can last 10 years
- Industrial equipment may outlive you: heavy equipment can have service lives >50 years

FAILURE MODES
How can I fail thee? Let me count the ways…

Failure Modes

1. Get Broken

2. Get Leveraged

3. Get Exploited

Failure Modes

Get Broken
Damage or destroy the device or attached devices
For example…
- Plant control systems
- People with pacemakers

Failure Modes

Get Leveraged
Compromised device is used as a vector for other badness
For example…
- Unlock a smart home
- Join a botnet
- Provide a beachhead for APT

Failure Modes

Get Exploited
The device can be used to spy on people, either directly or indirectly
Yes, even more examples…
- Smart TVs
- Data & metadata collection

A PARADE OF HORRORS
It's spelled "IoT" but it's pronounced "Fail"

A Parade of Horrors

Welcome to the Future

A Parade of Horrors

Consumer Goods

Refrigerators
- Smart fridges found in a botnet (2014)
- 25% of devices in that large botnet were IoT

Televisions & Electronics
- Samsung "Smart TV" spying
- Numerous XSS, local exploits

Light Bulbs
- LIFX "Smart" bulbs authentication flaws
- Disclosed credentials for attached Wi-Fi

A Parade of Horrors

Medical Devices
- Surgical and anesthesia devices
- Ventilators
- Drug infusion pumps
- Pacemakers
- External defibrillators
- Patient monitors
- Laboratory and analysis equipment

Pretty much every type of failure you can imagine

A Parade of Horrors

Cars

Black boxes
- Data stolen or altered

Remote lock/unlock and starters
- Key fobs and alarm protocols broken

OnStar
- Hacked & abused by law enforcement

Braking & steering controls
- Integration with entertainment/dash allowed access and compromise

A Parade of Horrors

Airplanes
- Drones: Definitely
- In-flight entertainment: Definitely
- Passenger flight control: Maybe

A Parade of Horrors

Infrastructure

Traffic Lights
- Plaintext wireless
- Weak/no authentication

Industrial Control Systems
- 2008: Turkish gas pipeline destroyed
- 2010: Iranian gas centrifuges (Stuxnet)
- 2014: Steel mill's blast furnace ($17mm in damage)

Utility Meters
- Weak authentication
- Inaccurate readings == fraud, tampered or otherwise
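The weaknesses listed for traffic lights and utility meters (plaintext wireless, weak or no authentication) and the broken key-fob protocols on the cars slide come down to one thing: the receiver acts on any frame that parses. The following is an added example, not code from the talk or from any real controller or meter: a toy command channel in Python with the unauthenticated receiver beside a hardened one that verifies an HMAC-SHA256 tag before parsing and refuses replayed counters. The frame layout, the pre-shared key and the device name are constructed for the example.

```python
import hashlib
import hmac
import json

# Pre-shared key for one controller. Constructed for this example; a real
# deployment would provision a unique key per device, not a shared constant.
PSK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
DEVICE_ID = "signal-4th-and-main"  # hypothetical device name


def encode_plain(device_id, counter, command):
    """Legacy-style frame: JSON on the wire, nothing that proves who sent it."""
    return json.dumps({"dev": device_id, "ctr": counter, "cmd": command},
                      separators=(",", ":"), sort_keys=True).encode()


def receive_plain(frame):
    """The 'weak/no authentication' receiver: any well-formed frame is acted on."""
    msg = json.loads(frame)
    return ("accepted", msg["cmd"])


def encode_auth(device_id, counter, command, key):
    """Hardened frame: the same payload, followed by an HMAC-SHA256 tag over
    the exact bytes sent. The counter sits inside the tagged bytes."""
    body = encode_plain(device_id, counter, command)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class AuthReceiver:
    """Checks the tag before parsing anything, then enforces a strictly
    increasing counter per device so a captured frame cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_ctr = {}  # device_id -> highest counter accepted so far

    def receive(self, frame):
        if frame.count(b"|") != 1:
            return ("rejected", "malformed")
        body, tag = frame.split(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so timing does not leak how much of the tag matched.
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "bad tag")
        msg = json.loads(body)
        if msg["ctr"] <= self.last_ctr.get(msg["dev"], -1):
            return ("rejected", "replay")
        self.last_ctr[msg["dev"]] = msg["ctr"]
        return ("accepted", msg["cmd"])


def demo():
    """Push a legitimate command, a replay, a tampered frame and a forgery
    through both receivers and return what each one did."""
    results = {}
    rx = AuthReceiver(PSK)

    legit = encode_auth(DEVICE_ID, 41, "ALL_RED", PSK)
    results["auth_legit"] = rx.receive(legit)
    # The attacker recorded 'legit' off the air and sends it again.
    results["auth_replay"] = rx.receive(legit)
    # The attacker edits only the command inside a captured frame.
    tampered = legit.replace(b"ALL_RED", b"ALL_GREEN", 1)
    results["auth_tampered"] = rx.receive(tampered)
    # The attacker builds a new frame but, lacking the key, guesses the tag.
    forged = encode_plain(DEVICE_ID, 99, "ALL_GREEN") + b"|" + b"00" * 32
    results["auth_forged"] = rx.receive(forged)
    # A later genuine frame with a higher counter still gets through.
    results["auth_next"] = rx.receive(encode_auth(DEVICE_ID, 42, "NORMAL", PSK))

    # The plaintext receiver cannot tell the forgery from a real command.
    results["plain_forged"] = receive_plain(encode_plain(DEVICE_ID, 99, "ALL_GREEN"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

The counter is the part people skip: a tag alone proves the frame came from a key holder, but without a monotonic counter (or a challenge from the receiver) a recorded "unlock" or "all red" frame is as good as a fresh one, which is exactly the key-fob and alarm failure on the cars slide.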

SO WHAT SHOULD I DO?
Can I have a hint?

Fortunately, not this.

So what should I do?

So what should I do?

Realize these are not new problems
- Insecure computers are nothing new

Think in terms of failure modes
- Use these to understand your threats

Expect novel attack types
- Inference attacks
- Side-channel attacks

So what should I do?

Architect for insecure things
- Assume devices are insecure by default
- If not today, they will be some day

Leverage security tools & processes
- Defense-in-depth
- Threat modeling
- Incident response
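One concrete form of "architect for insecure things" plus defense-in-depth: put the devices on their own segment, write down what each one is supposed to talk to, and check flow records against that. The following is an added example, not part of the talk: a Python pass over constructed flow records that flags devices missing from inventory, off-allowlist egress (with outbound SMTP called out separately, the fridge-in-a-botnet pattern from the Parade of Horrors), and a device sweeping internal hosts (the beachhead case under Get Leveraged). The inventory, hostnames, addresses and sample flows are all made up for the example.

```python
from collections import defaultdict

# Assumed inventory for one IoT network segment: what each device is supposed
# to talk to. Addresses, hostnames and ports are constructed for this example.
INVENTORY = {
    "10.20.0.11": {"class": "fridge", "allowed": {("fridge-cloud.example", 443)}},
    "10.20.0.12": {"class": "tv", "allowed": {("tv-updates.example", 443)}},
    "10.20.0.13": {"class": "bulb-hub", "allowed": {("bulb-cloud.example", 8883)}},
}
INTERNAL_PREFIXES = ("10.", "192.168.")
LATERAL_THRESHOLD = 3  # distinct internal hosts one device may contact before we flag it

# Constructed flow records: "timestamp src dst dst_name dport proto".
SAMPLE_FLOWS = """\
2015-06-10T09:00:01 10.20.0.11 198.51.100.20 fridge-cloud.example 443 tcp
2015-06-10T09:00:05 10.20.0.11 203.0.113.7 mx1.victim.example 25 tcp
2015-06-10T09:00:06 10.20.0.11 203.0.113.8 mx2.victim.example 25 tcp
2015-06-10T09:01:00 10.20.0.12 198.51.100.30 tv-updates.example 443 tcp
2015-06-10T09:01:02 10.20.0.13 198.51.100.40 bulb-cloud.example 8883 tcp
2015-06-10T09:02:00 10.20.0.13 10.10.0.5 - 445 tcp
2015-06-10T09:02:01 10.20.0.13 10.10.0.6 - 445 tcp
2015-06-10T09:02:02 10.20.0.13 10.10.0.7 - 22 tcp
2015-06-10T09:02:03 10.20.0.13 10.10.0.8 - 445 tcp
2015-06-10T09:03:00 10.20.0.99 198.51.100.50 unknown.example 443 tcp
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts; ports become ints."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, name, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "name": name,
                      "dport": int(dport), "proto": proto})
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def analyse(flows):
    """Return (src, kind, detail) findings. Three things a device on this
    segment should never do: show up without an inventory entry, talk to
    anything outside its allowlist (SMTP egress reported separately, since
    that is the classic 'joined a botnet' signal), or sweep internal hosts."""
    findings = []
    internal_peers = defaultdict(set)
    for f in flows:
        dev = INVENTORY.get(f["src"])
        if dev is None:
            findings.append((f["src"], "unknown-device",
                             f"no inventory entry, contacted {f['name']}:{f['dport']}"))
            continue
        if is_internal(f["dst"]):
            internal_peers[f["src"]].add(f["dst"])
            continue
        if (f["name"], f["dport"]) in dev["allowed"]:
            continue
        kind = "smtp-egress" if f["dport"] == 25 else "off-allowlist"
        findings.append((f["src"], kind,
                         f"{dev['class']} contacted {f['name']}:{f['dport']}"))
    for src, peers in internal_peers.items():
        if len(peers) >= LATERAL_THRESHOLD:
            findings.append((src, "lateral-scan",
                             f"{INVENTORY[src]['class']} touched {len(peers)} internal hosts"))
    return findings


def summarize(findings):
    """Count findings per kind, which is the level you would alert on."""
    counts = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, kind, detail in analyse(parse_flows(SAMPLE_FLOWS)):
        print(f"{src:12s} {kind:15s} {detail}")
```

The point of the allowlist is that it is the threat model written down: a fridge that talks to its vendor on 443 and nothing else has a tiny set of legitimate destinations, so anything else is worth a ticket, and the same records serve incident response when you need to know what a compromised device touched.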

So what should I do?

Assess whether the smart is worth the risk

Don't forget how to live without IoT

Think of it in Business Continuity Planning (BCP) or Disaster Recovery (DR) terms
- Smart devices are just another system to fail

Get Dumb Again
- Like Power over Ethernet (PoE) light bulbs…

THANK YOU!

Well, that was fun.