
IoT - How to fight the tyre fire


Presented at BSides Wellington 2017.

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a tour through the new OWASP IoT Top 10, well-known IoT security cockups, other issues and maybe some personal anecdotes about things to be aware of and some possible ways of fixing them.


Tom Isaacson

November 23, 2017


  1. IoT - How to fight the tyre fire
     Tom Isaacson

  2. None
  3. IoT?
     “The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to connect and exchange data.” (Wikipedia)
  4. Bollocks
     IoT = Embedded devices + Network connectivity
     • First embedded device: Apollo Guidance Computer (first flew in 1966)
     • First webcam: Trojan Room coffee pot (1991)
     • First router: “Bread Truck” (1976)
  5. None
  6. Why is IoT such a tyre fire?
     • Numbers
       • 8.4 billion IoT devices. (Gartner)
       • 2016: 6.4 billion – increase of 31%
       • 2020: 20.4 billion
     • Longevity
       • 10 to 20 years
     • Minimal/non-existent UI
     • Shit security
  7. Mirai botnet
     • Over 200,000 devices in original botnet
     • 623 Gbps attack on Krebs
     • 1 Tbps attack on Dyn
     • Source code released
     • Default credentials for some 60+ devices found in the source code
     • Hangzhou XiongMai devices all had the default:
       • Username = root
       • Password = xc3511
     • White label devices sold to other companies for their own products.
  8. Reaper botnet
     • Based in part on Mirai.
     • Includes nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies like Vacron, GoAhead, and AVTech.
     • Anywhere between 10,000-20,000 and a million devices.
     • Has not yet been used.
  9. Hajime botnet
     • More sophisticated implementation than Mirai and Reaper.
     • Terminal message “Just a white hat, securing some systems”.
     • 300,000 devices.
     • Also not yet used.
  10. Why so shit?
     • No legal requirement for security in products.
       • Being discussed in US, Europe, etc.
       • Still not clear how this would work.
       • FTC suing D-Link over insecure routers and webcams.
     • No consumer interest in security as a feature.
       • Australia considering a “security rating” scheme.
     • Companies drop products or go bust.
       • Source code and keys in escrow?
       • Ability to install your own firmware, e.g. OpenWRT/LEDE.
  11. OWASP Top 10 IoT Vulnerabilities (2014)
     1. Insecure Web Interface
     2. Insufficient Authentication/Authorization
     3. Insecure Network Services
     4. Lack of Transport Encryption/Integrity Verification
     5. Privacy Concerns
     6. Insecure Cloud Interface
     7. Insecure Mobile Interface
     8. Insufficient Security Configurability
     9. Insecure Software/Firmware
     10. Poor Physical Security
  12. 1. Insecure Web Interface
     “Attacker uses weak credentials, captures plain-text credentials or enumerates accounts to access the web interface.”
     • A1:2017 Injection
     • A7:2017 Cross-Site Scripting (XSS)
     • A13:2017 Cross-Site Request Forgery (CSRF)
  13. 2. Insufficient Authentication/Authorization
     • “Attacker uses weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface.”
     • A2:2017 Broken Authentication
     • Mirai
  14. 3. Insecure Network Services
     • “Attacker uses vulnerable network services to attack the device itself or bounce attacks off the device.”
     • Unnecessary open ports.
     • UPnP (Universal Plug and Play) exposing ports to internet.
     • Wifi access to network, e.g. iKettle.
  15. 4. Lack of Transport Encryption/Integrity Verification
     • “Attacker uses the lack of transport encryption to view data being passed over the network.”
     • A5:2017 Broken Access Control
     • Devices not always connected to internet.
     • Certificates expire.
     • Complicated by need for secure inter-device/inter-manufacturer communications.
     • Ryan Kurte – “Building a Certificate Authority with Yubikeys”, Chch Hacker Con 2017
       • Explains PKI with emoji.
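Slide 15's two observations, that devices are not always online and that certificates expire, are easy to reproduce on the bench. The Go program below is an added example (not from the talk) that builds a throwaway device-maker root CA and a 90-day update-server certificate in memory, then runs the same chain check a TLS client performs against several device clocks and against an empty CA bundle. The host name updates.example.invalid, the certificate lifetimes and the 2017-11-23 issue date are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const updateHost = "updates.example.invalid" // placeholder name, not a real host

// DevicePKI is a two-level chain built in memory: the device maker's root CA
// (10-year life) and the update server's leaf certificate (90-day life).
type DevicePKI struct {
	Roots *x509.CertPool // the bundle the device shipped with
	leaf  *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI issues both certificates at the given time.
func BuildPKI(issued time.Time) *DevicePKI {
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device Maker Root CA"},
		NotBefore:             issued,
		NotAfter:              issued.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: updateHost},
		DNSNames:     []string{updateHost},
		NotBefore:    issued,
		NotAfter:     issued.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey)

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &DevicePKI{Roots: roots, leaf: leaf}
}

// VerifyAt is the check a TLS client performs, using whatever clock the
// device believes in and whatever CA bundle it has on board.
func (p *DevicePKI) VerifyAt(deviceClock time.Time, bundle *x509.CertPool) error {
	_, err := p.leaf.Verify(x509.VerifyOptions{
		Roots:       bundle,
		DNSName:     updateHost,
		CurrentTime: deviceClock,
	})
	return err
}

// StaleBundle stands in for a device whose CA bundle predates this root.
func StaleBundle() *x509.CertPool { return x509.NewCertPool() }

func main() {
	issued := time.Date(2017, 11, 23, 0, 0, 0, 0, time.UTC) // constructed issue date
	p := BuildPKI(issued)
	fmt.Println("30 days later:   ", p.VerifyAt(issued.AddDate(0, 0, 30), p.Roots))
	fmt.Println("120 days offline:", p.VerifyAt(issued.AddDate(0, 0, 120), p.Roots))
	fmt.Println("clock at epoch:  ", p.VerifyAt(time.Unix(0, 0), p.Roots))
	fmt.Println("stale CA bundle: ", p.VerifyAt(issued.AddDate(0, 0, 30), StaleBundle()))
}
```

The third case is the one that bites unattended devices: a unit that boots with its clock at the epoch rejects a perfectly good certificate as not yet valid, so it cannot reach the update server to fetch the fix, and the fourth case is the out-of-date CA bundle from slide 22.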
  16. 5. Privacy Concerns
     • “Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption or insecure network services to view personal data which is not being properly protected or is being collected unnecessarily.”
     • A5:2017 Broken Access Control
     • Covers device, mobile app and cloud service.
     • EU General Data Protection Regulation (GDPR) - 25th May 2018
       • Requirements for User Consent and Pseudonymisation.
       • Legal obligation to notify the Supervisory Authority of data breach without undue delay (72 hours?).
       • A fine up to 20,000,000 EUR (34,363,000 NZD) or up to 4% of the annual worldwide turnover of the preceding financial year (whichever is greater).
  17. 6. Insecure Cloud Interface
     • “Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the cloud website.”
     • A1:2017 Injection
     • A7:2017 Cross-Site Scripting (XSS)
     • A13:2017 Cross-Site Request Forgery (CSRF)
  18. 7. Insecure Mobile Interface
     • “Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the mobile interface.”
     • Bluetooth
       • SIG releasing “Launch Studio”, no provision for security.
       • No best practice?
       • National Institute of Standards and Technology (NIST) “Guide to Bluetooth Security”.
  19. 8. Insufficient Security Configurability
     • “Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also use the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device and/or data.”
  20. 9. Insecure Software/Firmware
     • “Attacker uses multiple vectors such as capturing update files via unencrypted connections, the update file itself is not encrypted or they are able to perform their own malicious update via DNS hijacking.”
     • No OpenWRT
  21. 10. Poor Physical Security
     • “Attacker uses vectors such as USB ports, SD cards or other storage means to access the Operating System and potentially any data stored on the device.”
  22. Firmware Updates
     • Need to be able to update firmware.
       • Most users don’t bother to update.
       • Updating with no UI is usually difficult.
     • Automatic updates?
       • Depends on device.
       • Needs to be tested on all hardware variants.
       • LockState bricked some of their locks (recommended by AirBnB) with a firmware update.
     • Download path needs to be secure.
       • Out of date CA bundles.
       • Certificate loss, e.g. Logitech Harmony Link.
     • Update path needs to be secure.
       • Supply-side attacks becoming more common – e.g. CCleaner, MeDoc, Mint, Transmission.
       • Multiple certificates held by separate people?
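Slide 22's requirements for the update path (a secure download path, a secure update path, and its closing question about several certificates held by separate people) can be turned into a concrete acceptance check on the device. The Go program below is an added example, not the talk's code or any vendor's update mechanism: a manifest carrying the version and the image digest is signed by two release keys, and the device accepts it only when both signatures verify, the image hashes to the manifest digest, and the version is newer than the one installed. The manifest layout, Ed25519 as the signature scheme and the 2-of-2 threshold are choices made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest travels alongside the image. The release keys sign the version and
// the digest together, so an attacker on the download path can swap neither.
type Manifest struct {
	Version     uint32
	ImageSHA256 [32]byte
	Signatures  [][]byte // index i holds release key i's signature, nil if absent
}

// payload is the exact byte string each release key signs.
func (m *Manifest) payload() []byte {
	buf := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageSHA256[:]...)
}

// NewManifest describes an image that nSigners separate people will sign.
func NewManifest(version uint32, image []byte, nSigners int) *Manifest {
	return &Manifest{Version: version, ImageSHA256: sha256.Sum256(image), Signatures: make([][]byte, nSigners)}
}

// Sign is run by signer idx on their own machine with their own key, which is
// what keeps a single compromised build host from producing a valid update.
func (m *Manifest) Sign(idx int, priv ed25519.PrivateKey) {
	m.Signatures[idx] = ed25519.Sign(priv, m.payload())
}

// GenerateReleaseKey mints one signer's key pair (on a token or HSM in practice).
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Verifier is the device side: the release public keys baked into the
// firmware, how many of them must agree, and the version currently installed.
type Verifier struct {
	keys      []ed25519.PublicKey
	threshold int
	installed uint32
}

func NewVerifier(threshold int, installed uint32, keys ...ed25519.PublicKey) *Verifier {
	return &Verifier{keys: keys, threshold: threshold, installed: installed}
}

// Verify accepts an update only if it is newer than what is installed, the
// image matches the manifest digest, and at least threshold keys signed it.
func (v *Verifier) Verify(m *Manifest, image []byte) error {
	if m.Version <= v.installed {
		return fmt.Errorf("rollback: version %d is not newer than installed %d", m.Version, v.installed)
	}
	if sha256.Sum256(image) != m.ImageSHA256 {
		return errors.New("image digest does not match manifest")
	}
	if len(m.Signatures) != len(v.keys) {
		return errors.New("manifest signer count does not match device keys")
	}
	payload := m.payload()
	valid := 0
	for i, pub := range v.keys {
		if ed25519.Verify(pub, payload, m.Signatures[i]) { // nil or wrong-length signature is simply invalid
			valid++
		}
	}
	if valid < v.threshold {
		return fmt.Errorf("%d of %d required signatures valid", valid, v.threshold)
	}
	return nil
}

// Install records the accepted version so the same image cannot be replayed later.
func (v *Verifier) Install(m *Manifest) { v.installed = m.Version }

func main() {
	pubA, privA := GenerateReleaseKey()
	pubB, privB := GenerateReleaseKey()
	device := NewVerifier(2, 3, pubA, pubB)
	image := []byte("constructed firmware image v4")
	m := NewManifest(4, image, 2)
	m.Sign(0, privA)
	fmt.Println("one signer: ", device.Verify(m, image))
	m.Sign(1, privB)
	fmt.Println("two signers:", device.Verify(m, image))
	device.Install(m)
	fmt.Println("replayed:   ", device.Verify(m, image))
}
```

Transport security on the download still matters (it is what stops an attacker from learning what you ship and serving stale images), but the signatures are what make the update path safe when the download path is not; the version check is what stops a correctly signed but older image from being pushed back onto the device.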
  23. Summary
     • IoT is going to get worse before it gets better.
       • 8.4 billion devices out there.
       • Devices in development still to be released.
     • Developers are stupid.
     • Developers need help!
     • Low-hanging fruit / dumb shit is easy.
     • More complex problems don’t have solutions yet.
     • CI tools.
     • Hajime versus Mirai/Reaper?
     • Possible movie idea.