Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Immunizing IoT

Immunizing IoT

Talk given at AtlSecCon 2017

The “internet of things” is an important consideration for any organization’s infosec plan. As professionals we need to ensure the proliferation of smart devices can be managed in a safe and controlled way, and answer the looming questions of liability when things go wrong.
Just within the last year, there have been several record-breaking 1Tbps DDOS attacks because only a few default credentials were leaked; we will explore how real world incidents like this could have been mitigated by herd immunity, and virtually prevented with simple programming.
We’ll also address the standards required of industrial telematics, and why “Bank Grade” isn’t good enough.

01d4f345508a9e898004a4d4f6d6459e?s=128

evandentremont

April 27, 2017
Tweet

Transcript

  1. Immunizing IOT Real solutions to modern threats

  2. About Me • 8 years in software industry • Long

    time hardware tinkerer • Currently Senior Software Engineer on IIoT R&D Project • Reigning title holder for the shortest talk in AtlSecCon history
  3. What is the IOT? According to Wikipedia: The Internet of

    Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction In reality; A buzzword for anything and everything bolted to the internet.
  4. IoT Devices

  5. IoT Devices

  6. IoT Devices

  7. IoT Devices

  8. IoT Devices

  9. IoT Devices

  10. IoT Devices

  11. IoT Devices

  12. IoT Devices

  13. Why is this an issue? Proliferation of easy targets Support

    / Warranty period 90-365 days, on a product that will be in the wild for 10 years. Any vulns found, any best practices updates, won’t apply. Weakest link. Pivot off old IoT devices.
  14. Why is this an issue?

  15. Why is this an issue?

  16. Why is this an issue? Mirai

  17. Why is this an issue? Brickerbot

  18. Why is this an issue?

  19. Technical Solutions

  20. Prove Physical Access Easy and simple two factor authentication... Require

    a reboot for admin access. https://github.com/evandentremont/simple-pam PAM_EXTERN int pam_sm_authenticate( pam_handle_t *pamh, int flags,int argc, const char **argv ) { struct sysinfo s_info; int error = sysinfo(&s_info); if(error != 0){ printf("code error = %d\n", error); } if ( s_info.uptime < 180) { return PAM_SUCCESS; } return PAM_AUTH_ERR; }
  21. Count Hops A valid admin isn’t (generally) going to be

    connecting from anywhere other than the local network Limit admin access to connections under some threshold
  22. Decouple the Internet from the Device We’ve covered RCE; Connected

    devices are problematic, especially in an industrial setting REST API’s are an analogous solution • Industrial engines • Remote climate control • Vehicle infotainment
  23. Decouple the Internet from the Device

  24. Vigilantism If manufacturers won’t update their firmware; Malicious users may

    just #bricktheplanet.
  25. Vigilantism Brickerbot is akin to culling the herd

  26. Vigilantism Benevolent hackers may have other ideas

  27. Vaccination Mirai without command and control is literally an immunization.

    It can no longer be infected and prevents further infection. I can’t legally give you source code.
  28. Vaccination A benevolent hacker could also install an uptime check

    providing extra security... PAM_EXTERN int pam_sm_authenticate( pam_handle_t *pamh, int flags,int argc, const char **argv ) { struct sysinfo s_info; int error = sysinfo(&s_info); if(error != 0){ printf("code error = %d\n", error); } if ( s_info.uptime < 180) { return PAM_SUCCESS; } return PAM_AUTH_ERR; }
  29. Vaccination

  30. ISP Policing A dangerous solution, is to require ISP’s to

    block questionable traffic. Why allow telnet connections?
  31. Human Solutions

  32. Human Solutions 4-step program for an security-adverse organization: 1. Companies

    are required to optimize profit. 2. Security may save money. 3. Security definitely costs money. 4. Security is optimized out.
  33. Human Solutions Put another way; Security needs to cost less

    than apathy. Security currently costs more than apathy. This is true for any sector, IoT included. That doesn’t make it right.
  34. Liability If someone is harmed by an IoT device, who

    is liable? “Technically there is no bricking, though,” the rep replied. “No changes are made to the hardware or the firmware of the device, just denied use of company servers.”
  35. Liability If someone is harmed by an IoT device, who

    is liable? “Technically there is no bricking, though. No changes are made to the hardware or the firmware of the device, just denied use of company servers.” - Garadget
  36. Legislation Warning The following slide is known to the State

    of California to cause boredom. Side effects may include apathy, fatigue, nervousness, and/or jittering.
  37. Legislation California SB 327 Information privacy: connected devices SECTION 1.

    Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read: TITLE 1.81.26. Security of Connected Devices 1798.91.01. (a) A manufacturer that sells or offers to sell a connected device in this state shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure. (b) A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information. (c) A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device. 1798.91.02. (a) A person who sells or offers to sell a connected device in this state shall provide a short, plainly written notice of the connected device’s information collection functions at the point of sale that contains, but is not limited to, all of the following: (1) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. (2) Where a consumer can find the applicable privacy policy for the connected device. (3) How the consumer will be notified directly of security patches and updates applicable to the connected device. (b) Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law. 1798.91.03. For purposes of this title, the following terms have the following meanings: (a) “Connected device” means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device. (b) “Person” means an individual, partnership, corporation, association, or other group, however organized.
  38. Legislation Require a company that sells ‘connected’ devices • To

    equip the device with reasonable and appropriate security features • Design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information • Require vendors to post a plainly written notice of whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information. • Direct notification of security patches and updates to consumers. “Connected device” means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device.
  39. Standards Main issue with these approaches is there needs to

    be a minimum standard for ‘secure’ PCI compliance is common, but in practice... “Are you secure?” “Yes.” “Thanks you’re certified”
  40. Standards An actual 26 page standard: Cookies, Oatmeal; and Brownies;

    Chocolate Covered
  41. Standards Bank grade alone is meaningless. Any claim to bank

    grade security should cite an actual standard. What does bank grade have to do with IoT?
  42. Standards

  43. Standards

  44. Standards

  45. Standards Bank transactions are reversible. Loss of privacy, or even

    life, is not.
  46. A trigger event

  47. Trigger event I am strongly of the opinion that •

    the push required for liability and legislation; • and the exact moment information security will start to be taken seriously; Will be upon the first clearly attributable death.
  48. Trigger event A successful attack using the flaw "could definitely

    result in fatalities," said Barnaby Jack, who has notified the manufacturers of the problem but did not publicly identify the companies. In a video demonstration, Jack showed how he could remotely cause a pacemaker to suddenly deliver an 830-volt shock, which could be heard with a crisp audible pop.
  49. Trigger event Johnson & Johnson issued a warning about a

    possible cybersecurity issue with its Animas OneTouch Ping Insulin Infusion Pump. Computer security firm Rapid 7 discovered that it might be possible to take control of the pump via its an unencrypted radio frequency communication system that allows it to send commands and information via a wireless remote control.
  50. Trigger event

  51. In Conclusion To reiterate, there’s a simple solution.

  52. In Conclusion

  53. In Conclusion

  54. In Conclusion

  55. In Conclusion The solution? Make apathy expensive.

  56. Fini Questions? Comments? https://github.com/evandentremont evan@evandentremont.com