
The State of IoT Security - WMF 2019


IoT is at the peak of the hype cycle, what they call the 'Peak of Inflated Expectations'. Every IT organisation wants to ride the IoT wave. As with all new technologies, the battle over standards is a struggle. The unresolved problem of software updates and short vendor support cycles, combined with the lack of effort put into security, makes these devices an easy target. This talk will try to shine a light on this bizarre and scary future with a steady stream of funny and smart (as in clever, not internet-connected) jokes. Think of misconfigured cameras, televisions, home routers, baby monitors, toys and spammy refrigerators!

Gianluca Varisco

June 22, 2019



Transcript

  1. The S in IoT stands for Security
     Nome Cognome - Azienda
     Think about that for a second, as you say, “wait, there is no S in IoT”. That is exactly the point of this statement: IoT is missing security.
  2. So? What’s wrong with IoT?
     - PERVASIVENESS: You won’t have one IoT device, you’ll have ten.
       - That’s a lot of new attack surface for your life and/or business.
     - UNIQUENESS: IoT devices are a wild west of mixed technologies.
       - How do I patch firmware on these dozen devices?
       - Which random vendor made the HW inside the device?
  3. So? What’s wrong with IoT?
     - ECOSYSTEM: Your vendor may be leveraging six other vendors.
       - Where’s your data going once it enters that IoT device?
       - Who has access to your network via proxy connections?
  4. Why does IoT matter?
     - Hard to detect
     - Hard to remediate
     - Hard to fix
     - Low-hanging fruit for bad guys
  5. Top 4 IoT Security Risks
     - Insufficient security training
       - Humans are the #1 weak point: building, deploying, using
     - Weak physical security
       - Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access
  6. Top 4 IoT Security Risks
     - Infrequent updates
       - Firmware, device apps, admin apps/interfaces
       - Expensive and/or remote IoT devices have long lifespans (difficult to update)
     - Weak data protection
       - Data at rest/in transit uses weak encryption techniques
       - Lack of dedicated security chips and modules to store sensitive data
  7. End-user risks (even for my grandma!)
     - Privacy
     - PII leakage
     - Mass surveillance
     - Stalking
     - Theft
     - Data breaches
     - Liability
     - Reputation
     - Botnets, e.g. Mirai, for mass hacking
  8. Assumptions
     For the next 5-10 years, assume your IoT device has horrible security holes it won’t receive patches for, ever.
  9. I am safe, I changed all IoT passwords!
     - Vulnerabilities bypassing password protection:
       - Memory corruption issues (buffer overflow, format string, etc.)
       - CSRF
       - Backdoor accounts
       - Lack of brute-force protection
  10. I am safe, I regularly patch all of my IoT devices
      - Patches are often late by years
      - Most IoT devices do not get a patch, ever
  11. Problems with direct IPv4(/v6) connection
      - If your IoT device has an Internet-routable IPv4(/v6) address, without any firewall port filtering:
        - Just prepare for the apocalypse
        - Seriously, don’t do that
        - CCTV is OCTV today
  12. I am safe, home network, behind NAT
      - NAT is sneaky evil
      - Users believe they are safe behind home router NAT
      - Developers created ways to connect to devices behind NAT, seamlessly
  13. I am safe, home network, behind NAT
      - Think again:
        - UPnP (a device on the LAN can ask the router to open inbound port mappings, no user interaction needed)
        - IPv6 (every device gets a globally routable address; there is no NAT to hide behind)
        - Teredo (encapsulates IPv6 packets within UDP/IPv4 datagrams, tunnelling straight through the NAT)
        - Cloud (the device keeps an outbound connection to the vendor’s relay, so whoever controls that cloud account reaches it)
  14. Hype or real threat?
      - Several cases disclosed in the last years
      - A lot of same-old background noise (DDoSers)
      - Things are only getting WORSE
  15. VTech
      - 4.8 million records taken
      - Database of first names, genders and birthdays of more than 200,000 kids
  16. Hello, Barbie! (WiFi! Yes, WTF!)
      - Security expert Matt Jakubowski managed to hack the Hello Barbie system to extract Wi-Fi network names, account IDs and MP3 files, which could be used to track down someone’s home.
  17. Dyn DDoS Attack
      - Domain Name System (DNS) service disrupted
      - Affected nearly 1/3 of all internet users in the U.S. and Europe
      - No access to: Amazon, PayPal, GitHub, Netflix, Visa, Twitter, Slack, etc.
      - Millions of IoT devices (printers, IP cameras, baby monitors) infected with Mirai malware and used to flood Dyn with traffic (DDoS)
  18. Recent troubles
      - 465,000 vulnerable pacemakers from St. Jude Medical
        - Implantable cardiac devices have vulnerabilities
        - Unauthorized remote access
        - Deplete battery, change pacing, or deliver shocks
      - Owlet WiFi Baby Heart Monitor
        - Alerts parents when babies have heart troubles
        - The connectivity element makes them exploitable
  19. Government and customers getting involved
      - FTC vs D-Link: The legal risks of IoT insecurity
        - Lawsuit against D-Link
        - Claims the company put thousands of customers at risk
        - Unauthorized access to its IP cameras and routers
  20. Government and customers getting involved
      - Customers vs John Deere: The business risks of IoT
        - US farmers dispute rights to repair their tractors
        - Tractors contain embedded software (it’s an IoT device)
        - Company issued a new license agreement
          - Prohibits software modification on its tractors
          - Ensures all repairs are done by John Deere contractors
  21. Examples of Malware/Worms
      - Mirai and its variants
      - Lizkebab, BASHLITE, Torlus and gafgyt (DDoS botnets); attack vectors: Shellshock, SSH/Telnet credential brute force
      - Exploit kit targeting routers; attack vectors: CSRF + default credentials + DNS change
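The router exploit kit above (slide 21) and the "I changed all the passwords" slide (slide 9) describe the same weakness from two sides: a changed password does nothing against a forged cross-site request, a factory account that was never disabled, or a login form that answers an unlimited number of guesses. The following is an added example, not code from the deck or from any real router firmware. It models a hypothetical router admin endpoint `/setdns` twice: a vulnerable version with the three anti-patterns, and a hardened version (POST only, Origin check, session-bound CSRF token, no stock accounts, per-IP lockout). The hostnames, credentials and addresses are all constructed; `run_exploit_kit` replays the kit's three steps against either class.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict                        # query string or form body, already parsed
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class VulnerableRouterAdmin:
    """Constructed stand-in for a consumer router UI; every trait is an anti-pattern."""
    STOCK_CREDS = {("admin", "admin"), ("support", "support")}   # assumed factory/backdoor accounts

    def __init__(self, admin_password):
        self.admin_password = admin_password
        self.dns = "192.0.2.53"         # RFC 5737 address standing in for the ISP resolver
        self.sessions = {}              # session id -> username

    def login(self, req, client_ip, now=None):
        cred = (req.params.get("user"), req.params.get("pw"))
        # The owner's new password works, but the factory accounts were never disabled,
        # and nothing counts failed attempts, so guessing is free.
        if cred in self.STOCK_CREDS or cred == ("admin", self.admin_password):
            sid = secrets.token_hex(16)
            self.sessions[sid] = cred[0]
            return sid
        return None

    def handle(self, req):
        # State change on GET, authenticated by the cookie alone: any page the owner's
        # browser renders can fire <img src="http://router.local/setdns?server=...">.
        if req.path == "/setdns" and req.cookies.get("sid") in self.sessions:
            self.dns = req.params["server"]
            return 200
        return 403


class HardenedRouterAdmin(VulnerableRouterAdmin):
    MAX_FAILURES, LOCKOUT_SECONDS = 5, 300
    TRUSTED_ORIGIN = "http://router.local"   # assumed hostname of the admin UI

    def __init__(self, admin_password):
        super().__init__(admin_password)
        self.failures = {}              # client ip -> (count, window start)
        self.csrf_key = secrets.token_bytes(32)

    def login(self, req, client_ip, now=None):
        now = time.time() if now is None else now
        count, since = self.failures.get(client_ip, (0, now))
        if count >= self.MAX_FAILURES:
            if now - since < self.LOCKOUT_SECONDS:
                return None             # locked out: even the right password gets no answer
            count, since = 0, now
        user, pw = req.params.get("user", ""), req.params.get("pw", "")
        # Only the owner-set credential exists; compare_digest avoids a timing oracle.
        if user == "admin" and hmac.compare_digest(pw, self.admin_password):
            self.failures.pop(client_ip, None)
            sid = secrets.token_hex(16)
            self.sessions[sid] = user
            return sid
        self.failures[client_ip] = (count + 1, since)
        return None

    def csrf_token(self, sid):
        # Bound to the session; a cross-site page cannot read it (same-origin policy).
        return hmac.new(self.csrf_key, sid.encode(), "sha256").hexdigest()

    def handle(self, req):
        if req.path != "/setdns":
            return 404
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return 401
        if req.method != "POST":        # GET never changes state, so <img> tricks are inert
            return 405
        if req.headers.get("Origin") != self.TRUSTED_ORIGIN:
            return 403                  # browsers attach Origin to cross-site POSTs
        if not hmac.compare_digest(req.params.get("csrf", ""), self.csrf_token(sid)):
            return 403
        self.dns = req.params["server"]
        return 200


def run_exploit_kit(router_cls, owner_password="s3cret!Passphrase"):
    """Replay the kit's three steps against one implementation and report what worked."""
    r = router_cls(owner_password)
    attacker, owner = "203.0.113.9", "192.168.1.10"
    # Step 1: try the factory credentials over the WAN.
    stock_sid = r.login(Request("POST", "/login", {"user": "admin", "pw": "admin"}), attacker)
    # Step 2: the owner is logged in and visits an attacker page that embeds
    # <img src="http://router.local/setdns?server=198.51.100.1"> and auto-submits a
    # cross-site POST form; the browser sends the session cookie with both.
    sid = r.login(Request("POST", "/login", {"user": "admin", "pw": owner_password}), owner)
    r.handle(Request("GET", "/setdns", {"server": "198.51.100.1"}, cookies={"sid": sid}))
    r.handle(Request("POST", "/setdns", {"server": "198.51.100.1"}, cookies={"sid": sid},
                     headers={"Origin": "http://evil.example"}))
    # Step 3: brute force, then check whether that IP can still log in afterwards.
    for i in range(20):
        r.login(Request("POST", "/login", {"user": "admin", "pw": f"guess{i}"}), attacker)
    after = r.login(Request("POST", "/login", {"user": "admin", "pw": owner_password}), attacker)
    return {"stock_creds_worked": stock_sid is not None,
            "dns_after_csrf": r.dns,
            "attacker_locked_out": after is None}


if __name__ == "__main__":
    for cls in (VulnerableRouterAdmin, HardenedRouterAdmin):
        print(cls.__name__, run_exploit_kit(cls))
```

Against the vulnerable class the stock login works, the forged GET silently points the household at the attacker's resolver, and the twenty guesses cost nothing; against the hardened class all three fail. Two caveats worth keeping in mind: a per-IP lockout is itself a denial-of-service lever (an attacker on the WAN can keep the owner's shared IP locked), so real firmware usually adds a delay or CAPTCHA instead of a hard block; and the Origin check is defence in depth only, since the header is absent on some legacy requests, which is why the session-bound token is checked as well.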
  22. Examples of Malware/Worms
      - Linux/Moose (Telnet credential brute force; commits social-networking fraud, e.g. liking posts and pages, viewing videos and following accounts)
      - WIN32/RBrute (DNS change + redirection to a fake Chrome installer)
      - Mal/Miner-C: crypto mining of the “Monero” currency on Seagate NAS servers (via anonymous FTP with write access)
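Every family on slides 21 and 22 that spreads by SSH/Telnet credential brute force leaves the same trace on the device: a burst of failed logins from one source, cycling through a short list of default usernames, followed by a success. The following is an added example, not code from the deck or from any of the named malware or tools: a small detector that parses constructed syslog lines modelled on the OpenSSH and dropbear (the SSH daemon common on embedded Linux) formats, keeps a sliding per-source window of failures, and raises two kinds of alert: a brute-force alert when the window fills, and a "success after failures" alert when a login succeeds on the tail of a burst. The hostnames, addresses and timestamps in `SAMPLE_LOG` are all constructed; the year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2019   # assumed: classic syslog timestamps have no year

# Constructed sample modelled on OpenSSH and dropbear syslog output, not real traffic.
SAMPLE_LOG = """\
Jun 22 10:00:01 cam01 dropbear[812]: Bad password attempt for 'root' from 203.0.113.5:40211
Jun 22 10:00:02 cam01 dropbear[812]: Bad password attempt for 'root' from 203.0.113.5:40212
Jun 22 10:00:02 cam01 dropbear[812]: Bad password attempt for 'admin' from 203.0.113.5:40213
Jun 22 10:00:03 cam01 dropbear[812]: Bad password attempt for 'support' from 203.0.113.5:40214
Jun 22 10:00:03 cam01 dropbear[812]: Bad password attempt for 'root' from 203.0.113.5:40215
Jun 22 10:00:04 cam01 dropbear[812]: Password auth succeeded for 'root' from 203.0.113.5:40216
Jun 22 10:05:00 nas01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jun 22 10:05:01 nas01 sshd[2202]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jun 22 10:05:03 nas01 sshd[2203]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jun 22 10:30:00 nas01 sshd[2300]: Failed password for alice from 192.168.1.20 port 52000 ssh2
Jun 22 10:31:00 nas01 sshd[2301]: Accepted password for alice from 192.168.1.20 port 52001 ssh2
"""

_TS = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
PATTERNS = [   # (regex, outcome); every regex yields ts, host, user, ip groups
    (re.compile(_TS + r"dropbear\[\d+\]: Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+"), "fail"),
    (re.compile(_TS + r"dropbear\[\d+\]: Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+"), "success"),
    (re.compile(_TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"), "fail"),
    (re.compile(_TS + r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"), "success"),
]


def parse(line):
    """Return an event dict for a recognised auth line, else None."""
    for rx, outcome in PATTERNS:
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"], "outcome": outcome}
    return None


def detect(lines, threshold=4, window_seconds=60, success_after=3):
    """Sliding window of failures per (host, source ip); returns a list of alert dicts."""
    recent = defaultdict(deque)   # (host, ip) -> deque of (ts, user) failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["ip"])
        q = recent[key]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if ev["outcome"] == "fail":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)  # one alert per source, not one per extra guess
                alerts.append({"type": "bruteforce", "host": ev["host"], "ip": ev["ip"],
                               "attempts": len(q), "users": sorted({u for _, u in q})})
        elif len(q) >= success_after:
            # A success on the tail of a burst means the guess landed: treat as compromise.
            alerts.append({"type": "success_after_failures", "host": ev["host"], "ip": ev["ip"],
                           "user": ev["user"], "failures_before": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, `cam01` raises both alerts for 203.0.113.5 (the `users` list shows the default-credential cycling), `nas01` gets no alert for 198.51.100.7 because three failures stay under the threshold, and alice's single typo followed by a successful login stays quiet because `success_after` is three. The thresholds are the tuning knobs: on a device that should never see interactive logins at all, `threshold=1` is the right setting, since the real finding is that the Telnet or SSH port is reachable in the first place.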
  23. RECAP: A mess of dependencies and attack surface
      - Many IoT devices leverage third-party services, firmware and software
      - Some vendors put a lot of trust in their supply chain without testing its security
      - Implementation errors or failure to comply with best practices also occur
  24. RECAP: A mess of dependencies and attack surface
      - Complex ecosystems mean that there are plenty of ways to screw up:
        - Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols and cryptography
      - It’s difficult for a single IoT vendor to be proficient in security across all of it
  25. Reporting vulnerabilities
      - It’s very hard to report vulnerabilities: lack of feedback, no contacts published on vendors’ websites to get in touch with, legal threats
      - Often vendors do not have a Coordinated Vulnerability Disclosure (CVD) policy in place
      - FTC and/or ENISA recommendations for customers’ safety are not always followed
      - CEPS’ report on «Software Vulnerability Disclosure in Europe» aims at helping member states with the technology, policy and legal challenges ahead
  26. Credits
      - Mark Stanislav (Rapid7)
      - Zach Lanier (DUO Security)
      - Zoltán Balázs
      - Ed Adams
      - Security Innovation