

The bad, the ugly and the weird about IoT - Speck&Tech 25 "Spooky Tech"

The Internet of Things isn’t coming, it is already here. IoT is at the peak of the hype cycle, what they call the ‘Peak of Inflated Expectations’. Every IT organisation wants to ride the IoT wave. As with all new technologies, the battle over standards is always a struggle. The unresolved problem of software updates and short vendor support cycles, combined with the lack of effort put into systems security and application security, makes these devices an easy target. Internet-accessible embedded systems are being compromised via vulnerabilities (even old ones, like Shellshock) or because of their weak default configuration. As more things from the IoT start trickling into people’s homes, this talk will try to shine a light into this bizarre and scary future with a steady stream of funny and smart (as in clever, not internet-connected) jokes. Think about misconfigured cameras, televisions, home routers, baby monitors, toys and spammy refrigerators!

Gianluca Varisco

July 11, 2018


Transcript

  1. The bad, the ugly and the weird about IoT. Gianluca Varisco, Cybersecurity, Digital Transformation Team. Speck&Tech 25 "Spooky Tech"
  2. $ whoami ➔ 29y old ➔ Cybersecurity @ Digital Transformation Team (Italian Government) ➔ Formerly at Rocket Internet, Red Hat, Lastminute.com Group, PrivateWave
  3. The S in IoT Stands for Security. Think about that for a second, as you say, “wait, there is no S in IoT”. That is exactly the point of this statement. IoT is missing security.
  4. So? What’s wrong with IoT? ➔ PERVASIVENESS: You won’t have one IoT device, you’ll have ten. ➔ That’s a lot of new attack surface to your life and/or business ➔ UNIQUENESS: IoT devices are a wild west of mixed technologies. ➔ How do I patch firmware on these dozen devices? ➔ Which random vendor made the HW inside the device?
  5. So? What’s wrong with IoT? ➔ ECOSYSTEM: Your vendor may be leveraging six other vendors ➔ Where’s your data going once it enters that IoT device? ➔ Who has access to your network via proxy connections?
  6. Top 4 IoT Security Risks ➔ Insufficient security training ➔ Humans are the #1 weak point: building, deploying, using ➔ Weak Physical Security ➔ Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access ➔ Infrequent updates ➔ Firmware, device apps, admin apps/interfaces ➔ Expensive and/or remote IoT devices have a long lifespan (difficult to update) ➔ Weak Data Protection ➔ Data at rest/in transit uses weak encryption techniques ➔ Lack of dedicated security chips and modules to store sensitive data.
  7. End-user risks (even for my grandma!) ➔ Privacy ➔ PII leakage ➔ Mass surveillance ➔ Stalking ➔ Theft ➔ Data breaches ➔ Liability ➔ Reputation ➔ Botnets, e.g. Mirai, for mass hacking
  8. Assumptions: For the next 5-10 years, assume your IoT device has horrible security holes it won’t receive patches for, ever
  9. I am safe, I changed all IoT passwords ➔ Vulnerabilities bypassing password protection: ➔ Memory corruption issues (Buffer Overflow, Format String, etc.) ➔ CSRF ➔ Backdoor accounts ➔ Lack of brute-force protection
  10. I am safe, I regularly patch all of my IoT devices ➔ Patches are often late by years ➔ Most IoT devices do not get a patch, ever
  11. Problems with direct IPv4(/v6) connection ➔ If your IoT device has an Internet-routable IPv4(/v6) address, without any firewall port filtering: ➔ Just prepare for the apocalypse ➔ Seriously, don’t do that ➔ CCTV is OCTV today
  12. I am safe, home network, behind NAT ➔ NAT is sneaky evil ➔ Users believe they are safe behind home router NAT ➔ Developers created ways to connect to devices behind NAT, seamlessly
  13. I am safe, home network, behind NAT ➔ Think again: ➔ UPnP ➔ IPv6 ➔ Teredo (encapsulates IPv6 packets within UDP/IPv4 datagrams) ➔ Cloud
  14. Hype or real threat? ➔ Several cases disclosed in the last three years ➔ A lot of same-old background noise (DDoSers) ➔ Things are only getting WORSE
  15. VTech ➔ 4.8 million records taken ➔ database of first names, genders, birthdays of more than 200,000 kids
  16. Hello, Barbie! (WiFi! Yes, WTF!) ➔ Security expert Matt Jakubowski managed to hack the Hello Barbie system to extract Wi-Fi network names, account IDs and MP3 files, which could be used to track down someone’s home.
  17. Dyn DDoS Attack ➔ Domain Name System (DNS) service disrupted ➔ Affected nearly 1/3 of all internet users in the U.S. and Europe ➔ No access to: Amazon, PayPal, GitHub, Netflix, Visa, Twitter, Slack, etc. ➔ Millions of IoT devices (printers, IP cameras, baby monitors) infected with Mirai malware and used to flood Dyn with traffic (DDoS)
  18. Recent troubles ➔ 465,000 vulnerable pacemakers from St. Jude Medical ➔ Implantable cardiac devices have vulnerabilities ➔ Unauthorized remote access ➔ Deplete battery, change pacing, or deliver shocks ➔ Owlet WiFi Baby Heart Monitor ➔ Alerts parents when babies have heart troubles ➔ Connectivity element makes them exploitable
  19. Government and customers getting involved ➔ FTC vs D-Link: The legal risks of IoT insecurity ➔ Lawsuit against D-Link ➔ Claims the company put thousands of customers at risk ➔ Unauthorized access to its IP cameras and routers ➔ Customers vs John Deere: The business risks of IoT ➔ US farmers dispute rights to repair their tractors ➔ Tractors contain embedded software (it’s an IoT device) ➔ Company issued a new license agreement ➔ Prohibits software modification on its tractors ➔ Ensures all repairs are done by John Deere contractors
  20. Examples of Malware / Worms ➔ Mirai and its variants ➔ Lizkebab, BASHLITE, Torlus and gafgyt (DDoS botnets), attack vectors: Shellshock, SSH/Telnet credential brute-forcing ➔ Exploit kit targeting routers, attack vectors: CSRF + default creds + DNS change ➔ Linux/Moose (Telnet credential brute-forcing, commits social networking fraud [e.g. liking posts and pages, viewing videos and following accounts]) ➔ WIN32/RBrute (DNS change + redirection to fake Chrome installer) ➔ Crypto mining of the “Monero” currency on Seagate NAS servers, Mal/Miner-C (anonymous FTPs with write access)
  21. RECAP: A mess of dependencies and attack surface ➔ Many IoT devices leverage third-party services, firmware, and software ➔ Some vendors put a lot of trust in their supply chain without testing its security ➔ Implementation errors or failure to comply with best practices also occur ➔ Complex ecosystems mean that there are plenty of ways to screw up: ➔ Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols, & cryptography ➔ It’s difficult for a single IoT vendor to be proficient in security across all of it ➔ The frameworks, protocols, and design patterns of IoT are still very much in flux
  22. Reporting vulnerabilities ➔ It’s very hard to report vulnerabilities: lack of feedback, no contacts published on vendors’ websites to get in touch with, legal threats ➔ Often vendors do not have a Coordinated Vulnerability Disclosure (CVD) policy in place ➔ FTC and/or ENISA recommendations for customers’ safety are not always followed ➔ Only a few EU member states have a CVD framework in place at national level (many, unfortunately, have legal uncertainties when it comes to this area) ➔ CEPS’ report on «Software Vulnerability Disclosure in Europe» aims at helping member states with the technology, policy and legal challenges ahead.
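Slide 9 lists “lack of brute-force protection” among the reasons a changed password still does not make a device safe. The following is an added example in Python, not code from the talk or from any vendor: a constructed device login with the unprotected handler next to one that locks a source address out with exponential backoff after repeated failures. The credential store, salt, username and password are hypothetical values chosen for the example.

```python
"""Brute-force protection on an IoT device's admin login (added example).

Constructed scenario, not the talk's code: a device exposes a password
login. `login_unprotected` is the weak form that accepts unlimited guesses;
`LoginGuard` adds a per-source lockout with exponential backoff.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed credential store: username -> PBKDF2 hash. Hypothetical
# values; a real device must not ship with a fixed default password.
_SALT = b"constructed-salt-per-device"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS: Dict[str, bytes] = {"admin": _hash("correct horse battery staple")}


def check_credentials(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _hash(password)  # same cost for unknown users: no username oracle via timing
        return False
    return hmac.compare_digest(stored, _hash(password))


def login_unprotected(user: str, password: str) -> bool:
    """The weak form: nothing limits how fast a client may guess."""
    return check_credentials(user, password)


@dataclass
class _SourceState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Lock a source address out after `threshold` failures; each further
    failure doubles the lockout, up to `max_lockout` seconds."""

    def __init__(self, threshold: int = 5, base_lockout: float = 30.0,
                 max_lockout: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.threshold = threshold
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._state: Dict[str, _SourceState] = {}

    def attempt(self, source: str, user: str, password: str,
                now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for tests."""
        now = self.clock() if now is None else now
        st = self._state.setdefault(source, _SourceState())
        if now < st.locked_until:
            return "locked"  # refused before any hashing: no CPU amplification
        if check_credentials(user, password):
            self._state.pop(source, None)  # success clears the failure history
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            exponent = st.failures - self.threshold
            lockout = min(self.base_lockout * (2 ** exponent), self.max_lockout)
            st.locked_until = now + lockout
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(threshold=3, base_lockout=10.0)
    for t in range(4):
        print(t, guard.attempt("203.0.113.7", "admin", "guess%d" % t, now=float(t)))
```

A per-source lockout on its own does not stop a botnet that spreads its guesses over thousands of addresses, which is exactly how the Mirai family operates; pair it with a per-account counter, and remember that no rate limit helps a device that ships with a factory password the user cannot change.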
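Slides 12 and 13 make the point that NAT is not a security boundary because UPnP lets devices punch their own holes through the home router. As an added example that is not part of the talk, the Python below parses the SOAP responses a router’s Internet Gateway Device (IGD) service returns for its GetGenericPortMappingEntry action and reports mappings that expose an admin or video port to the Internet. The three responses are constructed in the shape of that action’s reply (hosts, ports and descriptions are made up); in practice the entries would be fetched from the router, for example with miniupnpc’s `upnpc -l`, and fed to the same `audit` function.

```python
"""Audit UPnP IGD port mappings on a home router (added example, not from the talk).

The IGD profile lets any LAN host (or malware on it) open an inbound hole
through NAT without the user noticing. GetGenericPortMappingEntry returns
one mapping per call as a SOAP envelope; the responses below are
constructed to that shape.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class PortMapping:
    remote_host: str        # "" means any Internet host may connect
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int      # 0 means the mapping never expires


def _response(ext_port, proto, int_port, client, desc, lease):
    """Build a constructed GetGenericPortMappingEntry response."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""


# Constructed sample: a camera, a NAS that opened its own Telnet, a game console.
SAMPLE_RESPONSES = [
    _response(8080, "TCP", 80, "192.168.1.42", "IP Camera", 0),
    _response(2323, "TCP", 23, "192.168.1.50", "NAS", 0),
    _response(3074, "UDP", 3074, "192.168.1.77", "Console", 86400),
]


def _field(root: ET.Element, name: str) -> str:
    # Routers differ in namespace handling, so match on the local tag name.
    for el in root.iter():
        if el.tag.split("}")[-1] == name:
            return (el.text or "").strip()
    raise ValueError(f"response lacks {name}")


def parse_port_mapping(xml_text: str) -> PortMapping:
    root = ET.fromstring(xml_text)
    return PortMapping(
        remote_host=_field(root, "NewRemoteHost"),
        external_port=int(_field(root, "NewExternalPort")),
        protocol=_field(root, "NewProtocol"),
        internal_port=int(_field(root, "NewInternalPort")),
        internal_client=_field(root, "NewInternalClient"),
        enabled=_field(root, "NewEnabled") == "1",
        description=_field(root, "NewPortMappingDescription"),
        lease_seconds=int(_field(root, "NewLeaseDuration")),
    )


# Internal ports whose exposure a defender should always question.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP admin UI",
               443: "HTTPS admin UI", 554: "RTSP video"}


def audit(mappings: Iterable[PortMapping]) -> List[Tuple[PortMapping, str]]:
    """Return (mapping, reason) for enabled mappings onto an admin/video port."""
    findings = []
    for m in mappings:
        if not m.enabled or m.internal_port not in ADMIN_PORTS:
            continue
        scope = "any host" if m.remote_host == "" else m.remote_host
        life = "permanent" if m.lease_seconds == 0 else f"{m.lease_seconds}s lease"
        findings.append((m, f"{ADMIN_PORTS[m.internal_port]} on {m.internal_client} "
                            f"reachable from {scope} via {m.protocol}/{m.external_port} ({life})"))
    return findings


if __name__ == "__main__":
    for _, why in audit(parse_port_mapping(r) for r in SAMPLE_RESPONSES):
        print(why)
```

The fix on the router side is to disable UPnP IGD entirely or, where that breaks something the household needs, to review the mapping table regularly; the audit above is the check a defender would run after either decision.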
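Slide 20 names SSH/Telnet credential brute-forcing as the entry vector of the Mirai family and of Linux/Moose. The Python below is an added example, not code from the talk: detection logic run over constructed sshd log lines that flags a source cycling through factory-default usernames within a short window, and raises the severity when a successful login follows the failures. The hostname, process ids and TEST-NET source addresses in the sample log are made up for the example.

```python
"""Detect credential brute-forcing against a device's SSH login (added example).

Runs over syslog-style sshd lines. The log below is constructed: the host,
PIDs and the TEST-NET source addresses are made up for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Usernames that factory-default IoT credentials are commonly built on.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service", "supervisor"}

# Constructed sample log: one source sweeps default usernames and gets in,
# a second source is a legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
Jan 12 03:14:01 nas sshd[2101]: Failed password for root from 203.0.113.7 port 40110 ssh2
Jan 12 03:14:02 nas sshd[2101]: Failed password for root from 203.0.113.7 port 40110 ssh2
Jan 12 03:14:04 nas sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 12 03:14:05 nas sshd[2105]: Failed password for invalid user support from 203.0.113.7 port 40114 ssh2
Jan 12 03:14:07 nas sshd[2107]: Failed password for invalid user user from 203.0.113.7 port 40116 ssh2
Jan 12 03:14:09 nas sshd[2109]: Failed password for root from 203.0.113.7 port 40118 ssh2
Jan 12 03:14:11 nas sshd[2111]: Accepted password for root from 203.0.113.7 port 40120 ssh2
Jan 12 03:20:33 nas sshd[2200]: Failed password for alice from 198.51.100.23 port 52001 ssh2
Jan 12 03:25:10 nas sshd[2204]: Failed password for alice from 198.51.100.23 port 52010 ssh2
Jan 12 03:25:15 nas sshd[2204]: Accepted password for alice from 198.51.100.23 port 52010 ssh2
"""


@dataclass
class _Source:
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    first_fail: Optional[datetime] = None
    last_fail: Optional[datetime] = None
    accepted_after_failures: bool = False


@dataclass
class Finding:
    ip: str
    failures: int
    span_seconds: float
    users: List[str]
    default_users_tried: List[str]
    severity: str


def parse_line(line: str):
    m = LOG_RE.match(line)
    if m is None:
        return None
    # syslog lines carry no year; deltas within one log are still valid
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(lines: Iterable[str], threshold: int = 5,
            window_seconds: float = 60.0) -> List[Finding]:
    """Flag sources with >= threshold failures inside the window."""
    sources: Dict[str, _Source] = defaultdict(_Source)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        s = sources[ip]
        if result == "Failed":
            s.failures += 1
            s.users.add(user)
            s.first_fail = s.first_fail or ts
            s.last_fail = ts
        elif s.failures > 0:
            s.accepted_after_failures = True  # success after guessing: likely compromise
    findings = []
    for ip, s in sources.items():
        if s.failures < threshold:
            continue
        span = (s.last_fail - s.first_fail).total_seconds()
        if span > window_seconds:
            continue
        findings.append(Finding(
            ip=ip, failures=s.failures, span_seconds=span, users=sorted(s.users),
            default_users_tried=sorted(s.users & DEFAULT_USERS),
            severity="critical" if s.accepted_after_failures else "high"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f)
```

The distinguishing signal is not the failure count alone but the spread of default usernames tried from one address in a few seconds; the same logic applies to Telnet login failures once the device’s telnetd writes them to syslog, which many embedded images do not, so the first remediation is often to get the device to log at all, or to watch the traffic at the router instead.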