the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” (Gartner IT Glossary [1])
“Machine to machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type.” (Wikipedia [2])

IoT Growth Estimates
* Gartner: 26 billion units by 2020 [3]
* ABI Research: 30 billion units by 2020 [4]

1. http://www.gartner.com/it-glossary/internet-of-things/
2. http://en.wikipedia.org/wiki/Internet_of_Things
3. http://www.gartner.com/newsroom/id/2636073
4. https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne
IoT growth that we’re all expecting won’t just be from large vendors like Belkin, TRENDnet, Cisco, and Ericsson
• Postscapes [1] and Wolfram Alpha [2] list a few hundred IoT-related companies, most of which you’ve likely never heard of
• Crowd-funding web sites are going to produce many of the newest IoT devices we all want to use
• Entrepreneurs likely have no experience with information security, nor the budget to afford help
• They also won’t know what a “security researcher” is or why you’re contacting them…

1. http://postscapes.com/companies/
2. http://devices.wolfram.com
June 3rd, 2013: Software & Information Industry Association asks FTC to be careful with IoT [1]
November 21st, 2013: Internet of Things - Privacy and Security in a Connected World Workshop [2]
Ohlhausen sits on panel at CES about IoT [3]
February 7th, 2014: FTC approves final order settling charges against TRENDnet, Inc. [4]
February 18th, 2014: US CERT works with IOActive to resolve Belkin WeMo vulnerabilities [5]

1. https://www.siia.net/blog/index.php/2013/06/siia-to-ftc-internet-of-things-requires-technology-neutral-policies-and-flexible-privacy-framework/
2. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world
3. http://www.adweek.com/news/technology/will-washington-move-quickly-regulate-internet-things-154863
4. http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
5. http://www.kb.cert.org/vuls/id/656302
If-This-Then-That (IFTTT) supports over 80 platforms, services, and devices
• Allows for event-based actions across disparate technologies
  • If the CO2 in this room is unsafe, change my lightbulb to be red to warn me
• This behavior will become a consumer expectation rather than merely a “nice to have”
Quick development, few security features
• i.e. “HW hacking made easy”: serial consoles, FW dumping/JTAGs, etc.
• HW-based trusted execution and HSMs are practically nil
• Prevalence/distribution of the same components, firmware, etc. means one bug could affect many products
• Little expertise required to design, build, and ship an “IoT Product”
own security issues
• See also “OWASP Mobile Top 10 Risks”
• Developer naïveté: “HOW COULD/WHY WOULD YOU DO THIS? IT WASN’T SHOWN IN THE MOBILE APP USER INTERFACE!”

“Relayr says that developers can have their first Internet of Things App up and running in less than 10 minutes”
WPA, exploitable behavior, etc.)
• Plaintext protocols or poor crypto at transport layer
  • …or lack of cert pinning where SSL/TLS is actually used
• Unprotected FW updates/downloads
• Otherwise seemingly unnecessary services listening
  • Telnet, SSH, FTP, you name it…
• Shared accounts/auth material for “support” or updates
• Use of technologies such as ZigBee and cellular introduces additional security considerations
[Diagram: Mobile app, Web browser and “Gateway” each talk HTTPS to the “cloud”-based service; the Gateway talks ZigBee to Lights, Pool pump, and Automated cat entertainment toy]

Linux-based gateway talks RESTful HTTP to “cloud”-based service, receives commands (schedules, metering data, etc.), relays commands to smart plugs/meters via ZigBee

Weaknesses annotated on the diagram:
• XSS, CSRF, auth bugs, etc.
• Key extraction, replay, injection, etc.
• Unfettered console access, no priv sep for services, same “support” creds on multiple devices
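The gateway-to-device leg above is where the slide lists replay, injection and shared “support” credentials. The following is an added illustration (not code from the talk or any vendor) of a constructed gateway/smart-plug pair that closes those three gaps: a key generated per device at pairing, a strictly increasing counter, and an HMAC over the command so a captured frame can be neither replayed nor altered.

```python
import hashlib
import hmac
import json
import secrets


class Device:
    """Constructed model of a ZigBee-attached smart plug that authenticates gateway commands."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key              # unique to this device: no shared "support" secret
        self._last_counter = 0       # highest counter accepted so far
        self.state = "off"

    def handle(self, frame: bytes) -> bool:
        msg = json.loads(frame)
        # Recompute the MAC over the same canonical serialization the gateway used.
        body = json.dumps({k: msg[k] for k in ("id", "ctr", "action")}, sort_keys=True).encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if msg["id"] != self.device_id or not hmac.compare_digest(msg["mac"], expected):
            return False             # addressed to another device, or forged/modified
        if msg["ctr"] <= self._last_counter:
            return False             # replayed or stale frame
        self._last_counter = msg["ctr"]
        self.state = msg["action"]
        return True


class Gateway:
    """Constructed gateway that pairs devices and issues counter-protected, MAC'd commands."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._counters: dict[str, int] = {}

    def pair(self, device_id: str) -> Device:
        key = secrets.token_bytes(32)        # fresh 256-bit key per device at pairing time
        self._keys[device_id] = key
        self._counters[device_id] = 0
        return Device(device_id, key)

    def command(self, device_id: str, action: str) -> bytes:
        self._counters[device_id] += 1
        fields = {"id": device_id, "ctr": self._counters[device_id], "action": action}
        body = json.dumps(fields, sort_keys=True).encode()
        fields["mac"] = hmac.new(self._keys[device_id], body, hashlib.sha256).hexdigest()
        return json.dumps(fields).encode()


def altered(frame: bytes, action: str) -> bytes:
    """Change the action in a captured frame without re-signing (models an injected/modified command)."""
    msg = json.loads(frame)
    msg["action"] = action
    return json.dumps(msg).encode()
```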
has become an “API” to the average developer
• Authentication? Signed requests? Unlikely.
• Input manipulation is a less obvious concern when developers do mobile and embedded
  • Yup… OWASP {Mobile,Web} Top 10
• Leveraging third-party service providers introduces exponential complexities and further increases potential attack surface
• Quick & Dirty cloud infrastructure yields poor accessibility and potentially poor confidentiality

* For our purposes “Platform” also includes supporting infrastructure, services, frameworks, etc.
would allow anyone with a generic URL to access the camera’s live feed without requiring authentication

Belkin, July 2012 [2]
The WeMo Switch allowed UPnP actions (e.g. power cycle) to be performed without requiring authentication

Philips, August 2013 [3]
The Hue Lighting System utilized the MD5 hash of the MAC address of an authorized system as a “secret token” to control the platform

1. http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html
2. http://www.issackelly.com/blog/2012/07/30/wemo-hacking/
3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
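The Hue case is a token that is derived from something every device on the LAN can observe, so it is a password in name only. As an added example (not the vendor’s code or the talk’s), this constructed bridge model puts the derived-token pattern next to the fix: a token drawn from the OS CSPRNG, stored server-side, compared in constant time, and revocable; `derived_from_mac` is a hypothetical self-check a vendor could run against its own tokens.

```python
import hashlib
import hmac
import secrets


class BridgeAuth:
    """Constructed model of a hub that hands out tokens authorizing control of the platform."""

    def __init__(self) -> None:
        self._valid_tokens: set[str] = set()

    @staticmethod
    def weak_token(mac: str) -> str:
        # The pattern on the slide: the "secret" is MD5 of an authorized client's MAC address.
        # The MAC is broadcast on the local network, so the token has effectively zero entropy
        # for anyone who can observe traffic; it is reproduced here only to be checked against.
        return hashlib.md5(mac.lower().encode()).hexdigest()

    def issue_token(self) -> str:
        # Hardened: 128 random bits unrelated to any device attribute, remembered by the bridge.
        token = secrets.token_hex(16)
        self._valid_tokens.add(token)
        return token

    def verify(self, presented: str) -> bool:
        # Constant-time comparison so response timing does not leak matching prefixes.
        return any(hmac.compare_digest(presented, t) for t in self._valid_tokens)

    def revoke(self, token: str) -> None:
        # Random tokens can be revoked; a MAC-derived one cannot, since the MAC never changes.
        self._valid_tokens.discard(token)


def derived_from_mac(token: str, mac: str) -> bool:
    """Hypothetical vendor self-check: flag tokens that are just MD5(MAC) of the client."""
    return hmac.compare_digest(token, BridgeAuth.weak_token(mac))
```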
“alerts” were saved in an AWS S3 bucket unencrypted, with no access control preventing someone from viewing the file

[Redacted], December 2013 [2]
API call to purchase in-app credits for service was done without purchase verification and via clear-text HTTP calls

Belkin, February 2014 [3]
The WeMo Home Automation API allowed XML injection (XXE), potentially revealing filesystem contents

1. https://speakerdeck.com/mstanislav/eyes-on-izon-surveilling-ip-camera-security
2. [Redacted] =)
3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
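XXE of the kind named for the WeMo API works through entity declarations in the document’s DOCTYPE, so an API that never needs a DOCTYPE can refuse one outright before the parser runs. The following added example (not Belkin’s code or the talk’s) does that for a hypothetical `<command>` message, and includes constructed benign and hostile inputs so the rejection can be checked.

```python
import re
import xml.etree.ElementTree as ET

# Entity definitions (internal or external SYSTEM ones) can only appear inside a DOCTYPE.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_command(payload: bytes) -> dict:
    """Parse a hypothetical <command> message for a home-automation API.

    Any payload carrying a DOCTYPE is refused before parsing, which removes the mechanism
    XXE depends on (external entities reading files, and entity-expansion bombs alike).
    """
    if _DOCTYPE_RE.search(payload):
        raise ValueError("DOCTYPE/entity declarations are not accepted")
    # With no DOCTYPE there is nothing for an entity reference to resolve to.
    root = ET.fromstring(payload)
    if root.tag != "command":
        raise ValueError("unexpected root element")
    return {
        "device": root.findtext("device", default=""),
        "action": root.findtext("action", default=""),
    }


def rejects(payload: bytes) -> bool:
    """True when parse_command refuses the payload."""
    try:
        parse_command(payload)
    except ValueError:
        return True
    return False


# Constructed sample inputs: one legitimate command, two hostile documents.
BENIGN = b"<command><device>plug-1</device><action>on</action></command>"
XXE = (b'<?xml version="1.0"?><!DOCTYPE c [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
       b"<command><device>&x;</device><action>on</action></command>")
BOMB = (b'<!DOCTYPE c [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        b"<command><device>&b;</device><action>on</action></command>")
```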
alone care) how to update device firmware or apps
• Disparity in management: web console v. mobile app v. physical “update” button
• Also they just want to use the !@#$ thing now!
• Lack of feedback or notification for updates or errors
  • How does a user know their IoT device was updated or, worse, compromised?
big ones) fail to get it, or just simply don’t know
• “But, why would anyone want to hack this device? And why would they want to tell us or talk about it publicly?”
• Few-to-no resources for small vendors to handle this
• Nascency of “IoT” means some researchers may not know either
  • And we’d like for them to stay out of jail
for small IoT developers/builders to make informed security decisions
• Incentivize vulnerability research and reporting for these devices

Our Goal: Help secure the “Internet of Things”

This ISN’T…
• “saving the world”
• something that’s happening tomorrow
team of advisors and content contributors
• Curate secure development documents and disclosure guidelines
• Build new diagrams, flow charts, info graphics to transfer knowledge
• Form relationships with crowd-funding sites, IoT-centric hardware vendors/platform providers, and other relevant organizations

Gather Advisors & Contributors → Collect/build and share resources → Establish relationships w/vendors, funding sites
early on
• IoT at this level is still malleable
• Much work to be done, but we can leverage lessons learned in the past
• BuildItSecure.ly could help keep IoT from spinning any further out of control
• Plus, it’ll be fun!