
NANOG 69: Security Track

NANOG 69: Security Track Embedded devices (aka IoT) as a community problem

Moderator: Krassimir Tzvetanov

Disclaimer

• In order to foster an open discussion, all of the presenters are going to share their personal opinion, which may not be the one of their current employer
• This is not a Mirai talk

Agenda

●  Ongoing issues with embedded devices - CPE, IoT, etc.
●  Numbers of infected devices? Potential for new infections? Mutations?
●  What are the security vendors doing to improve the situation? Do we see discrepancy in the response between different vendors?
●  What are the service providers doing?
●  What should be the government/regulator's involvement?

Vendors

●  Ongoing issues with embedded devices - CPE, IoT, etc.
●  Why do we keep on seeing the lack of best practices?
●  Why do we keep on seeing poor vendor response or no response?
●  What are the CPE/IoT vendors doing to improve the situation?
●  Do we see discrepancy in the response between different vendors?

Service providers

●  What are the service providers doing?
●  Methods of mitigation of active attacks?
●  Proactive approaches?
●  Working with the vendors?

Regulators and government

●  What should be the government/regulator's involvement?
●  Can this be resolved through regulatory means? If yes, why? If not, why?

Presenters

●  Tim April
●  Ron Winward
●  Paul Ebersman
●  Allan Friedman
●  Christian Dawson
●  Jesse Sowell

Next presenter

Tim April

●  Sr. Security Architect @ Akamai
●  [email protected]
●  Researches and responds to threats against Akamai and the Internet

The S in IoT is for Security. [1]

1: https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/?comments=1&post=32754617

Nothing new

●  BASHLITE (Gafgyt, Lizkebab, Torlus and LizardStresser) [1]
●  Internet Census of 2012 [2]
●  Linksys 2009 (CVE-2010-1573, default user/password)
●  Many others

Next presenter

Ron Winward

●  Security Evangelist, Americas @ Radware
●  [email protected]

6.4 Billion Connected Things in 2016

IoT market penetration

Source: http://www.internetlivestats.com/internet-users/

FTC Takes D-Link to Court – Jan 5, 2017

• “D-Link failed to take reasonable steps to secure its routers and IP cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.”
• D-Link promoted security: “Easy to secure” & “Advance network Security”
• D-Link did not address well-known security flaws:
  – Hard-coded credentials (guest/guest)
  – Command injection software flaw
  – Mishandling of private key to sign D-Link software
    • Key left openly available on public website for 6 months
  – D-Link mobile app leaves users’ login credentials unsecured in clear, readable text on the device

IoT Manufacturer Security Recommendations

Need for a rearchitected, purpose-built embedded IoT software platform with:

• Robust and easy OTA (Over The Air) updates
• Require (at least allow) user to change default admin username & pass
• Disable unnecessary services by default (telnet, SSH, smb, FTP)
• Do not run webserver as root, run it chrooted
• Do not keep hidden backdoors – they will be discovered!
• Avoid UPnP-IGD (Internet Gateway Device) Protocol
• Enforce strong password and use strong cryptographic hashes to store them
• Hardening of OS and all communications stacks (IP, Bluetooth)
• Create a vulnerability disclosure program, consider bug bounty program
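As an added example (not part of the panel's slides), a build-time audit that checks a device configuration against the list above: the configuration keys, the two sample configurations and the default-credential list (which includes the guest/guest pair from the FTC complaint) are constructed for illustration.

```python
# Added example (not from the slides): audit a device build against the
# recommendations above. The config layout and both sample configs are
# constructed for illustration, not any vendor's real format.
# Factory pairs that must not stay in service without a forced change;
# guest/guest is the pair cited in the FTC complaint, the rest are assumed.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("guest", "guest"), ("root", "root")}
UNNEEDED_SERVICES = {"telnet", "ssh", "smb", "ftp", "upnp-igd"}   # off by default
STRONG_PASSWORD_HASHES = {"pbkdf2-sha256", "scrypt", "argon2id", "bcrypt"}

def audit_device_config(cfg, min_password_length=12):
    """Return the list of violated recommendations; an empty list means pass."""
    findings = []
    if not cfg.get("ota_updates"):
        findings.append("no OTA update mechanism enabled")
    cred = (cfg["admin_user"].lower(), cfg["admin_password"])
    if cred in DEFAULT_CREDENTIALS and not cfg.get("force_credential_change"):
        findings.append("factory-default admin credential with no forced change at first boot")
    for svc in sorted(s for s, on in cfg["services"].items() if on and s in UNNEEDED_SERVICES):
        findings.append(f"unnecessary service enabled by default: {svc}")
    web = cfg["webserver"]
    if web.get("user") == "root":
        findings.append("web server runs as root")
    if not web.get("chroot"):
        findings.append("web server is not chrooted")
    if cfg.get("password_hash") not in STRONG_PASSWORD_HASHES:
        findings.append(f"weak password storage: {cfg.get('password_hash')}")
    if cfg.get("min_password_length", 0) < min_password_length:
        findings.append("no strong password policy enforced")
    if cfg.get("hidden_accounts"):
        findings.append("hidden backdoor account(s): " + ", ".join(cfg["hidden_accounts"]))
    return findings

# Constructed "as shipped" configuration showing the problems on the slide.
FACTORY_DEFAULT = {
    "ota_updates": False, "admin_user": "guest", "admin_password": "guest",
    "force_credential_change": False,
    "services": {"telnet": True, "ssh": True, "http": True, "upnp-igd": True},
    "webserver": {"user": "root", "chroot": False},
    "password_hash": "md5", "min_password_length": 0, "hidden_accounts": ["support"],
}
# The same device with the recommendations applied; the default credential
# is tolerated only because the user is forced to replace it at first boot.
HARDENED = {
    "ota_updates": True, "admin_user": "admin", "admin_password": "admin",
    "force_credential_change": True,
    "services": {"telnet": False, "ssh": False, "http": True, "upnp-igd": False},
    "webserver": {"user": "www", "chroot": True},
    "password_hash": "pbkdf2-sha256", "min_password_length": 12, "hidden_accounts": [],
}
```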

Next presenter

Paul Ebersman

• DNS Architect @ Comcast
• [email protected]

Challenges

• ISPs can’t mandate
• Lowest price wins
• Simple over secure
• Lousy default configs and passwords
• Not auto-update

Issues with IoT devices

• Bugs (time-b.netgear.com anyone?)
• ID’ing w/NAT: Who’s got the penny?
• Malware/infection
• Amplification attacks
• Can’t ACL against yourself
• Can’t upgrade or patch

What can ISPs do?

• BCP 38/84, DOCSIS SAV on customer links/peering points
• Filter customer ports a la: https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/
• Clean up DNS, SNMP, NTP, etc. reflectors
• Beat on vendors
• Name and shame?
• Discounts for vetted gear?
• 1st Tier and customer education
• UUCP? ☺
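As an added example (not from the slides), two checks an ISP could run over flow records exported at the customer edge to act on the first and third items above: flagging outbound flows that source-address validation (BCP 38/84, DOCSIS SAV) should have dropped, and finding customer hosts behaving as DNS/NTP/SNMP amplification reflectors. The customer prefix, thresholds and flow records are constructed.

```python
# Added example: SAV-violation and reflector checks over constructed flow
# records. Prefix (RFC 5737 documentation range), thresholds and the flow
# tuples are assumed for illustration, not from any ISP's data.
import ipaddress
from collections import defaultdict

CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # assumed assigned range
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed outbound flows: (src, sport, dst, dport, proto, bytes, packets).
FLOWS = [
    # one customer host answering DNS to three different targets with large replies
    ("192.0.2.10", 53, "198.51.100.5", 4444, "udp", 3100, 1),
    ("192.0.2.10", 53, "198.51.100.6", 4444, "udp", 3100, 1),
    ("192.0.2.10", 53, "198.51.100.7", 4444, "udp", 3100, 1),
    # ordinary small DNS reply from a customer to a single client
    ("192.0.2.30", 53, "198.51.100.20", 50111, "udp", 120, 1),
    # normal web traffic
    ("192.0.2.20", 443, "198.51.100.8", 51000, "tcp", 4500, 3),
    # source address outside the customer prefix: spoofed, SAV should drop it
    ("203.0.113.9", 123, "198.51.100.77", 80, "udp", 468, 1),
]

def sav_violations(flows, prefix=CUSTOMER_PREFIX):
    """Outbound flows whose source address is not in the assigned prefix."""
    return [f for f in flows if ipaddress.ip_address(f[0]) not in prefix]

def reflector_candidates(flows, prefix=CUSTOMER_PREFIX, min_targets=3, min_bytes_per_pkt=400):
    """Customer hosts sending large UDP responses from an amplifier port to many targets."""
    stats = defaultdict(lambda: {"targets": set(), "bytes": 0, "pkts": 0})
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if ipaddress.ip_address(src) not in prefix:
            continue  # not our address space; reported by sav_violations instead
        s = stats[(src, sport)]
        s["targets"].add(dst)
        s["bytes"] += nbytes
        s["pkts"] += pkts
    hits = []
    for (src, sport), s in stats.items():
        if len(s["targets"]) >= min_targets and s["bytes"] / s["pkts"] >= min_bytes_per_pkt:
            hits.append((src, REFLECTOR_PORTS[sport], len(s["targets"])))
    return sorted(hits)
```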

Next presenter

Allan Friedman

• National Telecommunications & Information Administration (Dept. of Commerce)
• Failed cryptographer, failed economist, failed professor, current technocrat.

How can we use voluntary, industry-led practices to address botnets and network-based risks?

Building on Existing Work

• The vast majority of security work has been industry-led.
• Government can play some role:
  – 2012 Industry Botnet Group, led by the White House
  – NTIA’s Multistakeholder work
• Government as the catalyst, bridging across sectors
  • Vulnerability Research Disclosure
  • IoT Patching Transparency
• Is there further work we can do to bring different parts of the ecosystem

Next presenter

Christian Dawson

• Executive Director, Internet Infrastructure Coalition (i2Coalition)
• Former President of web hosting company ServInt, which operates three data centers

How important is it to be part of the discussion of how governments set network cybersecurity requirements?

Today’s Cybersecurity Standards…

• have mostly been derived from partnership with industry.
• are based on voluntary adherence to policy frameworks, notably the NIST Cybersecurity Framework (NIST CSF).
• are based on existing standards, guidelines, and practices.
• require regular interaction with legislative officials to maintain, and to steer clear of disruptive alternatives.

Next presenter

Jesse Sowell

Organization affiliations:
– Postdoctoral Cybersecurity Fellow, Stanford University Center for International Security and Cooperation
– Senior Advisor, M3AAWG

Problem:
– Like Internet security, IoT security requires both technical and coordination (governance) mechanisms to effectively incent changes in the market for not only functional, but secure, devices
– Who can contribute to creating these incentives?

IoT Security and Governance

Emerging state of IoT manufacturing
– high clockspeed industry + commodity components + low margin
– market failure for IoT security features

Easy to blame IoT manufacturers, but responsibility is distributed
– collective action problem, notoriously difficult in any context
– who are the broader market participants?
– components, assembly, distribution, wholesale, resale, deployment

Questions (for the panel and audience):
– Where along this value network can we incent better security features?
– Who in the broader market can create economic pressure on which points in the value network?

Open discussion

1.  Approach a microphone
2.  State your name
3.  If you are representing an organization, please announce its name as well

Thank you!