The Internet of Things: We've Got to Chat

Similar to the explosive growth of cloud computing, the "Internet of Things" (IoT) has reached a tipping point where a serious look at the nexus of convenience versus security needs to take place. The cost, size, and complexity of chipsets that allow for Internet-enabled devices have all dramatically shrunk, making the barrier to entry into the IoT market negligible. With Kickstarter and Indiegogo helping to enable entrepreneurs to have their ideas come to market quicker than ever, the IoT expansion is happening faster than most consumers (or security professionals) realize.

This presentation will examine some of the recent failures of IoT security, engineering challenges facing entrepreneurs, and a look at the IoT security researcher quandary. Details will be given about a new effort to help all parties involved proceed with the IoT in a safer, more successful manner. Whether you're a security researcher, software engineer, or product designer, this presentation will represent the thoughtful look at the state of IoT security we desperately need.

Mark Stanislav

February 23, 2014
Transcript

  1. The Internet Of Things

    We’ve Got To Chat

  2. Introduction
    Mark Stanislav
    Security Evangelist
    Zach Lanier
    Sr. Security Researcher

  3. The Internet of Things

  4. About The Internet Of Things
    “The Internet of Things is the network of physical objects that
    contain embedded technology to communicate and sense or interact
    with their internal states or the external environment.”, Gartner IT
    Glossary [1]
    “Machine to machine (M2M) refers to technologies that allow both
    wireless and wired systems to communicate with other devices of the
    same type.”, Wikipedia [2]

    IoT Growth Estimates
    * Gartner: 26 billion units by 2020 [3]
    * ABI Research: 30 billion units by 2020 [4]
    1. http://www.gartner.com/it-glossary/internet-of-things/
    2. http://en.wikipedia.org/wiki/Internet_of_Things
    3. http://www.gartner.com/newsroom/id/2636073
    4. https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne

  5. There’s A Shift Underway You Should Know About
    • The IoT growth that we’re all expecting won’t just
    be from large vendors like Belkin, TRENDnet, Cisco,
    and Ericsson
    • Postscapes [1] and Wolfram Alpha [2] list a few
    hundred IoT-related companies, most of which
    you’ve likely never heard of
    • Crowd-funding web sites are going to produce
    many of the newest IoT devices we all want to use
    • Entrepreneurs likely have no experience with
    information security, nor the budget to afford help
    • They also won’t know what a “security researcher”
    is or why you’re contacting them…
    1. http://postscapes.com/companies/
    2. http://devices.wolfram.com

  6. The Internet of Things “Line of Insanity”TM
    Scale from Sane to Reasonable to Questionable to Insane
    Devices placed along it: Egg Tray, IP Camera, Door Lock, Door Bell

  7. Cheap Hardware, Unlimited Possibilities
    Electric Imp ($25) Gumstix ($169) Arduino ($75)
    Raspberry Pi ($35)
    Intel Quark ($?)

  8. Plenty Of Choices, How Do You Determine Security?
    Philips ($60) LimitlessLED ($23)
    INSTEON ($30)
    Vendors could each use different hardware, software, APIs,
    third-party service providers, and patching mechanisms

  9. The Government Is Watching
    June 3rd, 2013
    Software & Information Industry Association asks FTC to be careful with IoT [1]
    November 21st, 2013
    Internet of Things - Privacy and Security in a Connected World Workshop [2]
    January 8th, 2014
    FTC Commissioner Maureen Ohlhausen sits on panel at CES about IoT [3]
    February 7th, 2014
    FTC approves final order settling charges against TRENDnet, Inc. [4]
    February 18th, 2014
    US CERT works with IOActive to resolve Belkin WeMo vulnerabilities [5]
    1. https://www.siia.net/blog/index.php/2013/06/siia-to-ftc-internet-of-things-requires-technology-neutral-policies-and-flexible-privacy-framework/
    2. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world
    3. http://www.adweek.com/news/technology/will-washington-move-quickly-regulate-internet-things-154863
    4. http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
    5. http://www.kb.cert.org/vuls/id/656302

  10. A Case Study in IoT Failure - IZON

  11. IoT Ecosystem

  12. CrowdFunding & IoT
    Pinoccio
    Wunderbar
    KoolThings
    Twine
    Knut
    Tessel
    Canary
    Piper

  13. Challenges Faced

  14. What’s Better Than One Vulnerable Device?
    Interconnected Vulnerable Devices!
    • If-This-Then-That (IFTTT)
    supports over 80 platforms,
    services, and devices
    • Allows for event-based actions
    across disparate technologies
    • If the CO2 in this room is
    unsafe, change my lightbulb
    to be red to warn me
    • This behavior will become a
    consumer expectation rather
    than merely a “nice to have”

  15. Challenges
    •Hardware security
    •Software security
    •Comms/Network security
    •Platform security
    •User awareness & behavior
    •Vulnerability handling & disclosure awareness

  16. Challenges: Hardware Security
    • Many devices use generic SoCs/boards
    • Quick development, few security features
    • i.e. “HW hacking made easy” - serial consoles, FW dumping/
    JTAGs, etc.
    • HW-based trusted execution and HSMs are practically nil
    • Prevalence/distribution of same components, firmware, etc.
    means one bug could affect many products
    • Little expertise required to design, build, and ship an “IoT Product”

  17. Challenges: Hardware Security (Cont’d…)
    Least common denominator:
    Logic analyzer + Bus Pirate + UART headers = Console!

  18. Challenges: Software Security
    • Development environments don’t
    necessarily make security
    controls/options “clear”
    • Selected platform may drive/
    restrict language choices
    % grep -Er "\s(mem|str)cpy\(" .
    …
    ./apps/http-post-auth/http-post-auth.c: strcpy(s->message, "status=");
    ./apps/http-post-auth/http-post-auth.c: strcpy(&s->message[7], msg);
    ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
    ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
    ./apps/ping6/ping6.c: memcpy(command, (void *)"ping6", 5);
    ./apps/rest-coap/coap-common.c: memcpy(
    ./apps/rest-coap/coap-common.c: memcpy((char*)&buffer[index], option->value, option->len);
    ./apps/rest-coap/coap-common.c: memcpy(&buffer[index], packet->payload, packet->payload_len);
    ./apps/rest-coap/coap-server.c: memcpy(option->value, value, len);
    ./apps/rest-common/buffer.c: memcpy(buffer, data, len);
    ./apps/rest-common/buffer.c: strcpy(buffer, text);
    ./apps/rest-common/rest-util.c: memcpy(p + 4 - size, buf, size);
    ./apps/rest-common/rest-util.c: memcpy(buf, ((char*)(&data)) + 4 - size, size);
    ./apps/rest-common/rest.c: memcpy(temp_etag, etag, size);
    ./apps/rest-http/http-server.c: strcpy(current_header->value, value);
    ./apps/rest-http/http-server.c: strcpy(current_header->value, buffer);
    ./apps/rest-http/http-server.c: memcpy(buffer + index, response->payload, response->payload_len);
    Quick grep for potentially dangerous functions in someone’s Contiki project
    • “Me write Python/Ruby/
    Node/… pretty one day” (or
    worse, C)
    • History repeating…?
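The two strcpy calls from http-post-auth.c in the grep output above have the classic shape of an unbounded copy: nothing ties the length of msg to the destination buffer. As an added example, not code from the talk or from the Contiki tree, here is that "status=" + msg pattern next to a bounded rewrite; the struct, the buffer size and the function names are constructed for illustration.

```c
/* Added example, not from the talk or the Contiki project: the
 * "status=" + msg copy pattern, unsafe and bounded. The struct,
 * MESSAGE_LEN and function names are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MESSAGE_LEN 64                  /* constructed buffer size */

struct post_state { char message[MESSAGE_LEN]; };

/* The pattern as grep found it: nothing relates strlen(msg) to the
 * buffer, so a msg longer than MESSAGE_LEN - 8 writes past message[]. */
static void build_status_unsafe(struct post_state *s, const char *msg) {
    strcpy(s->message, "status=");
    strcpy(&s->message[7], msg);
}

/* Bounded version: snprintf never writes beyond sizeof s->message and
 * returns the length it wanted, so truncation is detected instead of
 * being sent as a malformed request. Returns 0 on success, -1 if msg
 * does not fit. */
static int build_status(struct post_state *s, const char *msg) {
    int n = snprintf(s->message, sizeof s->message, "status=%s", msg);
    if (n < 0 || (size_t)n >= sizeof s->message) {
        s->message[0] = '\0';           /* leave nothing half-formed behind */
        return -1;
    }
    return 0;
}

int main(void) {
    struct post_state s;
    char big[2 * MESSAGE_LEN];          /* constructed over-long input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %d -> \"%s\"\n", build_status(&s, "ok"), s.message);
    printf("long : %d -> \"%s\"\n", build_status(&s, big), s.message);
    (void)build_status_unsafe;          /* kept only for comparison; never used */
    return 0;
}
```

The unsafe variant is kept only so the two can be read side by side; the bounded one is what a review would ask for, and its return value is what lets the caller refuse to send a truncated status line rather than discover the problem on the wire.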

  19. Challenges: Software Security (Cont’d…)
    • Selected platform often locks dev/
    vendor into given OS choice
    • Proprietary OSes (such as
    ElectricImp) - don’t peek inside
    the black box!
    • Linux, Contiki, QNX, et al. (all with
    their own issues)
    • Little consideration given to least-
    priv, mitigations, hardening, etc.
    • Third-party dependencies
    • Inherited bugs/attack surface
    Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
    Bro, do you even PIE?
    Bro, do you even randomize?
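Whether a binary was linked as a position-independent executable and whether its stack is marked non-executable can both be read off its ELF program headers without running it. The following is an added example, not tooling from the talk or from any vendor, that audits an ELF64 image for those two properties plus RELRO; the function names and the in-memory fixture it checks are constructed, and it assumes a little-endian host and image.

```c
/* Added example, not from the talk: offline check of an ELF64 image for
 * PIE (e_type == ET_DYN), a non-executable stack (PT_GNU_STACK without
 * PF_X) and RELRO (PT_GNU_RELRO). Constants come from <elf.h>; the
 * function names and the header-only fixture are constructed. Assumes
 * image and host share byte order (little-endian on both). */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct elf_audit {
    int pie;        /* 1 if ET_DYN (PIE or shared object), 0 if ET_EXEC */
    int nx_stack;   /* 1 if PT_GNU_STACK is present without PF_X */
    int relro;      /* 1 if PT_GNU_RELRO is present */
};

/* Returns 0 and fills *out, or -1 if img is not a well-formed ELF64 image. */
static int audit_elf64(const uint8_t *img, size_t len, struct elf_audit *out) {
    Elf64_Ehdr eh;
    memset(out, 0, sizeof *out);
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh.e_type != ET_EXEC && eh.e_type != ET_DYN) return -1;
    out->pie = (eh.e_type == ET_DYN);
    if (eh.e_phentsize < sizeof(Elf64_Phdr)) return -1;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        /* Bounds-check every header before reading it: firmware images
         * are untrusted input to the auditor too. */
        if (off > len || len - off < sizeof ph) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) out->nx_stack = !(ph.p_flags & PF_X);
        if (ph.p_type == PT_GNU_RELRO) out->relro = 1;
    }
    return 0;
}

/* Constructed fixture: a header-only ELF64 image with one PT_GNU_STACK
 * entry. Enough for the audit, though it cannot be executed. */
static size_t build_fixture(uint8_t *buf, size_t cap, uint16_t type, uint32_t stack_flags) {
    Elf64_Ehdr eh; Elf64_Phdr ph;
    size_t need = sizeof eh + sizeof ph;
    if (cap < need) return 0;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = type; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = stack_flags;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, &ph, sizeof ph);
    return need;
}

static void report(const char *name, const uint8_t *img, size_t len) {
    struct elf_audit a;
    if (audit_elf64(img, len, &a) != 0) { printf("%s: not a valid ELF64 image\n", name); return; }
    printf("%s: PIE=%s NX-stack=%s RELRO=%s\n", name, a.pie ? "yes" : "NO",
           a.nx_stack ? "yes" : "NO", a.relro ? "yes" : "no");
}

int main(int argc, char **argv) {
    uint8_t buf[256];
    if (argc > 1) {                              /* audit a real binary from disk */
        static uint8_t img[4 << 20];             /* constructed limit: 4 MiB */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t n = fread(img, 1, sizeof img, f);
        fclose(f);
        report(argv[1], img, n);
        return 0;
    }
    report("fixture PIE + NX stack", buf, build_fixture(buf, sizeof buf, ET_DYN, PF_R | PF_W));
    report("fixture no PIE + exec stack", buf, build_fixture(buf, sizeof buf, ET_EXEC, PF_R | PF_W | PF_X));
    return 0;
}
```

Run it with a path to a binary extracted from a firmware image to get a one-line verdict; with no arguments it audits the two constructed fixtures. ET_DYN also covers shared libraries, so "PIE=yes" on a .so is expected, and 32-bit images need the same walk over the Elf32_* structures.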

  20. Challenges: Software Security Cont’d
    • iOS/Android/other mobile
    apps with their own security
    issues
    • See also “OWASP Mobile
    Top 10 Risks”
    • Developer naïveté:

    “HOW COULD/WHY
    WOULD YOU DO THIS? IT
    WASN’T SHOWN IN THE
    MOBILE APP USER
    INTERFACE!”
    “Relayr says that developers can have their first
    Internet of Things App up and running in less
    than 10 minutes”

  21. Challenges: Comms/Network Security
    • WiFi goofiness (“device as AP”, no WPA, exploitable behavior, etc.)
    • Plaintext protocols or poor crypto at transport layer
    • …or lack of cert pinning where SSL/TLS actually used
    • Unprotected FW updates/downloads
    • Otherwise seemingly unnecessary services listening
    • Telnet, SSH, FTP, you name it…
    • Shared accounts/auth material for “support” or updates
    • Use of technologies such as ZigBee and cellular introduces
    additional security considerations

  22. Example: Sparqee Cell
    "Cellular made easy"

  23. Wat?
    TRUST US WITH CREDENTIALS TO YOUR CLEARTEXT PROTOCOL SERVERS

  24. Example: GoPro WiFi Remote
    • Remote acts as access point,
    camera acts as mobile station
    • Remote/AP does not use any
    security - totally open
    • Camera scans for HERO-RC-
    XXXXXX (where XX... are the
    last three octets of the BSSID/
    MAC of the remote)
    • Prefers known BSSID, but can
    be configured to “pair” with
    new remote
    [Diagram: “Conversation” over 8484/udp between the GoPro Camera and the WiFi RC,
    shown as a message sequence (OO, se, lc, lc, lc + bitmap, se, lc, lc + bitmap, ..., sh, sh).
    The camera scans for "HERO-RC-XXXXXX"; the diagram shows both the WiFi RC and a
    Fake AP/Evil twin labelled HERO-RC-123456.]

  25. Example: “Home Automation Gateway”
    [Diagram: Mobile app and Web browser talk HTTPS to a “Magical cloud service/site”
    (XSS, CSRF, auth bugs, etc.); the cloud talks HTTPS to the "Gateway" (unfettered
    console access, no priv sep for services, same "support" creds on multiple devices);
    the gateway talks ZigBee to Lights, a Pool pump and an Automated cat entertainment
    toy (key extraction, replay, injection, etc.).]
    Linux-based gateway talks RESTful HTTP to “cloud”-based service, receives commands
    (schedules, metering data, etc.), relays commands to smart plugs/meters via ZigBee

  26. Challenges: Platform* Security
    • Everything that uses an HTTP GET/POST has
    become an “API” to the average developer
    • Authentication? Signed requests? Unlikely.
    • Input manipulation is a less obvious concern
    when developers do mobile and embedded
    • Yup… OWASP {Mobile,Web} Top 10
    • Leveraging third-party service providers
    introduces exponential complexities and further
    increases potential attack surface
    • Quick & Dirty cloud infrastructure yields poor
    accessibility and potentially confidentiality
    * for our purposes “Platform” also includes supporting infrastructure, services, frameworks, etc.
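A request the platform can attribute to one device, and that cannot be replayed later, takes more than an HTTP POST with a token in it. As an added example, not from the talk or any product, here is a signed-request scheme: HMAC-SHA256 over a canonical string of method, path, timestamp and body, verified with a constant-time compare and a replay window. The shared key, the paths and the window are constructed, and SHA-256 is written inline so the block builds without libcrypto.

```c
/* Added example, not from the talk: HMAC-SHA256 signed requests for a
 * small device API. Key, request fields and replay window are constructed;
 * SHA-256 follows FIPS 180-4 so no crypto library is needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
#define MAX_MSG 1024                 /* constructed size limit for this example */

static const uint32_t K[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
    0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
    0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
    0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
    0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2};

/* Single-shot SHA-256; returns -1 if msg exceeds the scratch buffer. */
static int sha256(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t h[8] = {0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,
                     0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19};
    uint8_t buf[MAX_MSG + 128] = {0};
    size_t padded = ((len + 9 + 63) / 64) * 64;
    if (len > MAX_MSG) return -1;
    memcpy(buf, msg, len);
    buf[len] = 0x80;                          /* pad: 1 bit, zeros, 64-bit bit length */
    for (int i = 0; i < 8; i++) buf[padded - 1 - i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    for (size_t off = 0; off < padded; off += 64) {
        uint32_t w[64], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f = h[5], g = h[6], hh = h[7];
        for (int i = 0; i < 16; i++)
            w[i] = (uint32_t)buf[off+4*i] << 24 | (uint32_t)buf[off+4*i+1] << 16 |
                   (uint32_t)buf[off+4*i+2] << 8 | buf[off+4*i+3];
        for (int i = 16; i < 64; i++)
            w[i] = w[i-16] + (ROTR(w[i-15],7) ^ ROTR(w[i-15],18) ^ (w[i-15] >> 3))
                 + w[i-7] + (ROTR(w[i-2],17) ^ ROTR(w[i-2],19) ^ (w[i-2] >> 10));
        for (int i = 0; i < 64; i++) {
            uint32_t t1 = hh + (ROTR(e,6) ^ ROTR(e,11) ^ ROTR(e,25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
            uint32_t t2 = (ROTR(a,2) ^ ROTR(a,13) ^ ROTR(a,22)) + ((a & b) ^ (a & c) ^ (b & c));
            hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
    }
    for (int i = 0; i < 8; i++) for (int j = 0; j < 4; j++) out[4*i+j] = (uint8_t)(h[i] >> (24 - 8*j));
    return 0;
}

/* HMAC = H((K ^ opad) || H((K ^ ipad) || msg)); returns -1 if msg is too long. */
static int hmac_sha256(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen, uint8_t out[32]) {
    uint8_t k[64] = {0}, inner[MAX_MSG], outer[96];
    if (mlen > MAX_MSG - 64) return -1;
    if (klen > 64) { if (sha256(key, klen, k)) return -1; } else memcpy(k, key, klen);
    for (int i = 0; i < 64; i++) { inner[i] = k[i] ^ 0x36; outer[i] = k[i] ^ 0x5c; }
    memcpy(inner + 64, msg, mlen);
    if (sha256(inner, 64 + mlen, outer + 64)) return -1;   /* inner hash lands after opad block */
    return sha256(outer, 96, out);
}

static void to_hex(const uint8_t *in, size_t n, char *out) {
    static const char *d = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) { out[2*i] = d[in[i] >> 4]; out[2*i+1] = d[in[i] & 15]; }
    out[2*n] = '\0';
}

/* No early exit, so timing does not reveal how many leading bytes matched. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Client side: sign everything the server will act on, plus a timestamp. sig_hex holds 65 bytes. */
static int sign_request(const char *key, const char *method, const char *path,
                        long ts, const char *body, char sig_hex[65]) {
    char canon[MAX_MSG]; uint8_t mac[32];
    int n = snprintf(canon, sizeof canon, "%s\n%s\n%ld\n%s", method, path, ts, body);
    if (n < 0 || (size_t)n >= sizeof canon) return -1;
    if (hmac_sha256((const uint8_t *)key, strlen(key), (const uint8_t *)canon, (size_t)n, mac)) return -1;
    to_hex(mac, 32, sig_hex);
    return 0;
}

/* Server side: reject anything outside the window, then recompute and compare. Returns 1 if valid. */
static int verify_request(const char *key, const char *method, const char *path, long ts,
                          const char *body, const char *sig_hex, long now, long window) {
    char expect[65];
    if (ts > now + window || ts < now - window) return 0;        /* stale or future-dated */
    if (strlen(sig_hex) != 64 || sign_request(key, method, path, ts, body, expect)) return 0;
    return ct_equal(expect, sig_hex, 64);
}

int main(void) {
    const char *key = "example-shared-secret";   /* constructed; per-device in practice */
    char sig[65];
    sign_request(key, "POST", "/v1/plug/7/state", 1393200000L, "{\"on\":true}", sig);
    printf("signature: %s\n", sig);
    printf("valid   : %d\n", verify_request(key, "POST", "/v1/plug/7/state", 1393200000L, "{\"on\":true}", sig, 1393200010L, 30));
    printf("tampered: %d\n", verify_request(key, "POST", "/v1/plug/7/state", 1393200000L, "{\"on\":false}", sig, 1393200010L, 30));
    return 0;
}
```

The timestamp inside the signed string is what turns a captured request into a dead one after the window passes; pairing it with a per-device key means a leaked key identifies, and can be revoked for, exactly one device.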

  27. Real-World IoT Failures
    TRENDnet, January 2012 [1]
    Various IP camera products would allow anyone with a generic URL
    to access the camera’s live feed without requiring authentication
    Belkin, July 2012 [2]
    The WeMo Switch allowed for UPnP actions (e.g. power cycle) that
    didn’t require authentication to be performed to do so
    Philips, August 2013 [3]
    The Hue Lighting System utilized the MD5 hash of the MAC address
    of an authorized system as a “secret token” to control the platform
    1. http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html
    2. http://www.issackelly.com/blog/2012/07/30/wemo-hacking/
    3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html

  28. Real-World IoT Failures, cont’d
    IZON, October 2013 [1]
    Video clips of “alerts” were saved in an AWS S3 bucket unencrypted,
    with no access control preventing someone from viewing the file
    [Redacted], December 2013 [2]
    API call to purchase in-app credits for service was done without
    purchase verification and via clear-text HTTP calls
    Belkin, February 2014 [3]
    The WeMo Home Automation API allowed XML injection (XXE)
    allowing for the potential revealing of filesystem contents
    1. https://speakerdeck.com/mstanislav/eyes-on-izon-surveilling-ip-camera-security
    2. [Redacted] =)
    3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html

  29. User Awareness & Behavior
    • Users may not know (let alone care)
    how to update device firmware or
    apps
    • Disparity in management: web
    console v. mobile app v. physical
    “update” button
    • Also they just want to use the !@#$
    thing now!
    • Lack of feedback or notification for
    updates or errors
    • How does a user know their IoT
    device was updated or, worse,
    compromised?

  30. Vulnerability Handling & Disclosure Awareness
    • Small vendors (and some big ones) fail
    to get it, or just simply don’t know
    • “But, why would anyone want to hack
    this device? And why would they want
    to tell us or talk about it publicly?”
    • Few-to-no resources for small vendors to
    handle this
    • Nascency of “IoT” means some
    researchers may not know either
    • And we’d like for them to stay out of jail

  31. A New Initiative

  32. Announcing BuildItSecure.ly
    Our Mission

    • Provide resources, guidance, community for
    small IoT developers/builders to make
    informed security decisions
    • Incentivize vulnerability research and
    reporting for these devices

    Our Goal

    Help secure the "Internet of Things”

    This ISN’T…

    • “saving the world”
    • something that’s happening tomorrow

  33. BuildItSecure.ly Phase 1 - Build Out
    • Establish a core team of advisors and content contributors
    • Curate secure development documents and disclosure guidelines
    • Build new diagrams, flow charts, info graphics to transfer knowledge
    • Form relationships with crowd-funding sites, IoT-centric hardware
    vendors/platform providers, and other relevant organizations
    Gather Advisors & Contributors → Collect/build and share resources → Establish relationships w/vendors, funding sites

  34. BuildItSecure.ly Phase 2 - Rewards/Incentives
    • Build a reporting and reward/
    incentive program
    • Partnering with Bugcrowd on this
    • Rewards could include:
    • Recognition
    • Monetary reward
    • Device reward
    • Schwag!

  35. Conclusion

  36. Conclusion
    • Very few green fields in infosec
    to impact early on
    • IoT at this level is still
    malleable
    • Much work to be done, but we
    can leverage lessons learned in
    the past
    • BuildItSecure.ly could help
    keep IoT from spinning any
    further out of control
    • Plus, it’ll be fun!

  37. Thanks! Questions?
    Mark Stanislav
    [email protected]
    @markstanislav

    Zach Lanier
    [email protected]
    @quine
    http://BuildItSecure.ly/
    @BuildItSecurely
    greeted = sendGreetz(terp, bNull, cji, jono, dugsong, donb,
                         cesar, sa7ori, bkelly, jcran, mortman, banshee, jack_daniel,
                         m0nk_dot, natron, zek, blueroses, procto, alexhutton,
                         int0x80, k8em0, treyford, hypatia, mthrailkill, G13, wendy);

    if(!greeted)
        goto fail;
