The State of IoT Security - WMF 2019

Transcript

1. The State of IoT Security Gianluca Varisco CISO, Arduino

2. Who am I? Nome Cognome - Azienda

3. The S in IoT stands for Security Nome Cognome -

   Azienda Think about that for a second, as you say, “wait, there is no S in IoT”. That is exactly the point of this statement. IoT is missing security.

4. Imagine a world where… Nome Cognome - Azienda

5. Video Nome Cognome - Azienda

6. «Never miss a moment…» Nome Cognome - Azienda

7. «Never miss a moment…» Nome Cognome - Azienda

8. The IoT «Line of Insanity»™ Nome Cognome - Azienda

9. Lateral Movement Nome Cognome - Azienda

10. IoT by numbers Nome Cognome - Azienda

11. So? What’s wrong with IoT? Nome Cognome - Azienda q

    PERVASIVENESS: You won’t have one IoT device, you’ll have ten. q That’s a lot of new attack surface to your life and/or business q UNIQUENESS: IoT devices are a wild-west of mixed technologies. q How do I patch firmware on these dozen devices? q Which random vendor made the HW inside the device?

12. So? What’s wrong with IoT? Nome Cognome - Azienda q

    ECOSYSTEM: Your vendor may be leveraging six other vendors q Where’s your data going once it enters that IoT device? q Who has access to your network via proxy connections?

13. IoT Examples Nome Cognome - Azienda

14. IoT Examples (fake, luckily!) Nome Cognome - Azienda

15. Why does IoT matter? Nome Cognome - Azienda Hard to

    detect Hard to remediate Hard to fix Low hanging fruit for bad guys

16. IoT vs Web stack Nome Cognome - Azienda

17. IoT attack surface identification Nome Cognome - Azienda

18. IoT: assessing the risks Nome Cognome - Azienda

19. Top 4 IoT Security Risks Nome Cognome - Azienda q

    Insufficient security training q Humans #1 weak point: building, deploying, using q Weak Physical Security q Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access

20. Top 4 IoT Security Risks Nome Cognome - Azienda q

    Infrequent updates q Firmware, device apps, admin apps/interfaces q Expensive and/or remote IoT devices long lifespan (difficult to update) q Weak Data Protection q Data at rest/transit uses weak encryption techniques q Lack of dedicated security chips and modules to store sensitive data.

21. End-user risks (even for my grandma!) Nome Cognome - Azienda

    q Privacy q PII leakage q Mass surveillance q Stalking q Theft q Data breaches q Liability q Reputation q Botnets, e.g. Mirai, for mass hacking

22. Assumptions Nome Cognome - Azienda For the next 5-10 years,

    assume your IoT device has horrible security holes it won’t receive patches for, ever

23. IoT Security Excuses aka #YOLOSEC

24. I am safe, I changed all IoT passwords! Nome Cognome

    - Azienda q Vulnerabilities bypassing password protection: q Memory corruption issues (Buffer Overflow, Format String, etc.) q CSRF q Backdoor accounts q Lack of brute-force protection

25. I am safe, I regularly patch all of my IoT

    devices Nome Cognome - Azienda q Patches are often late by years q Most IoT devices do not get a patch, ever

26. Problems with direct IPv4(/v6) connection Nome Cognome - Azienda q

    If your IoT device has an Internet routable IPv4(/v6) address, without any firewall port filtering: q Just prepare for apocalypse q Seriously, don’t do that q CCTV is OCTV today

27. The IoT device is only available in a closed network

    Nome Cognome - Azienda

28. The device is only exposed in my area (physically) Nome

    Cognome - Azienda

29. I am safe, home network, behind NAT Nome Cognome -

    Azienda q NAT is sneaky evil q Users believe they are safe behind home router NAT q Developers created ways to connect devices behind NAT, seamless

30. I am safe, home network, behind NAT Nome Cognome -

    Azienda q Think again: q UPNP q IPv6 q Teredo (encapsulates IPv6 packets within UDP/IPv4 datagrams) q Cloud

31. Hype or real threat? Nome Cognome - Azienda q Several

    cases disclosed in the last years q A lot of same-old background noise (DDoSer) q Things are only getting WORSE

32. VTech Nome Cognome - Azienda q 4.8 million records taken

    q database of first names, genders, birthdays of more than 200,000 kids

33. Hello, Barbie! (WiFi! Yes, WTF!) Nome Cognome - Azienda q

    Security expert Matt Jakubowski managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone’s home.

34. Dyn DDoS Attack Nome Cognome - Azienda q Domain Name

    System (DNS) service disrupted q Affected nearly 1/3 of all internet users in U.S and Europe q No access to: Amazon, PayPal, GitHub, Netflix, Visa, Twitter, Slack, etc. Millions of IoT Devices (printers, IP cameras, baby monitors) infected with Mirai malware and used to flood Dyn with traffic (DDoS)

35. Recent troubles Nome Cognome - Azienda

36. Recent troubles Nome Cognome - Azienda q 465,000 vulnerable pacemakers

    from St. Jude Medical q Implantable cardiac devices have vulnerabilities q Unauthorized remote access q Deplete battery, change pacing, or deliver shocks q Owlet WiFi Baby Heart Monitor q Alerts parents when babies have heart troubles q Connectivity element makes them exploitable

37. Recent troubles Nome Cognome - Azienda

38. Government and customers getting involved Nome Cognome - Azienda q

    FTC vs D-Link: The legal risks of IoT insecurity q Lawsuit against D-Link q Claims company put thousands of customers at risk q Unauthorized access to its IP cameras and routers

39. Government and customers getting involved Nome Cognome - Azienda q

    Customers vs John Deere: The business risks of IoT q US farmers dispute rights to repair their tractors q Contain embedded software (it’s an IoT device) q Company issued a new license agreement q Prohibits software modification on its tractors q Ensure all repairs are done by John Deere contractors

40. Examples of Malwares/Worms Nome Cognome - Azienda q Mirai and

    its variants q Lizkebab, BASHLITE, Torlus and gafgyt (DDoS botnets), attack vectors: Shellshock, SSH/Telnet creds bruteforce q Exploit kit targeting routers, attack vectors: CSRF + default creds + DNS change

41. Examples of Malwares/Worms Nome Cognome - Azienda q Linux/Moose (telnet

    creds bruteforce, commits social networking frauds [eg. like post and pages, view videos and follow accounts]) q WIN32/RBrute (dns change + redirection to fake Chrome installer) q Crypto mining of “Monero” currency on Seagate NAS servers, Mal/Miner-C (anonymous FTPs with write access)

42. RECAP: A mess of dependencies and attack surface Nome Cognome

    - Azienda q Many IoT devices leverage third-party services, firmware, and software q Some vendors put a lot of trust in their supply chain without testing security q Implementation errors or failure to comply with best practices also occurs.

43. RECAP: A mess of dependencies and attack surface Nome Cognome

    - Azienda q Complex ecosystems means that there are plenty of ways to screw up: q Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols, & cryptography q It’s difficult for a single IoT vendor to be proficient in security across all of it

44. Reporting vulnerabilities Nome Cognome - Azienda q It’s very hard

    to report vulnerabilities: lack of feedback, no contacts published on vendors’ websites to get in touch with, legal threats q Often vendors do not have a Coordinated Vulnerability Disclosure (CVD) policy in place q FTC and/or ENISA recommendations for customers’ safety are not always followed q CEPS’ report on «Software Vulnerability Disclosure in Europe» aims at helping member states with the technology, the policies and legal challenges ahead.

45. Mandatory Shodan slide Nome Cognome - Azienda www.shodan.io

46. THAT’S A WRAP, THANK YOU! @gvarisco

47. Credits q Mark Stanislav (Rapid7) q Zach Lanier (DUO Security)

    q Zoltán Balázs q Ed Adams q Security Innovation