
IoT - How to fight the tyre fire

Tom Isaacson
February 05, 2018


Presented at OWASP Auckland 2018.

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a tour through the new OWASP IoT Top 10, well-known IoT security cockups, other issues and maybe some personal anecdotes about things to be aware of and some possible ways of fixing them.




  1. IoT - How to fight the tyre fire Tom Isaacson

  9. IoT?
     • “The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to connect and exchange data.” (Wikipedia)
  10. It’s a Buzzword
     • IoT = Embedded devices + Network connectivity
     • First embedded device: Apollo Guidance Computer (first flew in 1966)
     • First webcam: Trojan Room coffee pot (1991)
     • First router: “Bread Truck” (1976)
  13. Why is IoT such a tyre fire?
     • Numbers
       • 8.4 billion IoT devices. (Gartner)
       • 2016: 6.4 billion – increase of 31%
       • 2020: 20.4 billion
     • Longevity
       • 10 to 20 years
     • Minimal/non-existent UI
     • Shit security
       • “The S in IoT stands for security”.
  14. Mirai botnet
     • Developed by three college students for DDoSing other Minecraft servers
     • Over 200,000 devices in original botnet
     • 623 Gbps attack on Krebs
     • 1 Tbps attack on Dyn
     • Source code released
     • Default credentials for some 60+ devices found in the source code
     • Hangzhou XiongMai devices all had the default:
       • Username = root
       • Password = xc3511
     • White label devices sold to other companies for their own products.
  15. Reaper botnet
     • Based in part on Mirai.
     • Includes nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies like Vacron, GoAhead, and AVTech.
     • Anywhere between 10,000-20,000 and a million devices.
     • Has not yet been used.
  16. Mirai Okiru/Satori botnet
     • Variation of Mirai.
     • CVE-2017-17215 – a vulnerability in Huawei Home Gateway routers (Huawei HG532), patched in November 2017. Attacks that use an exploit for this vulnerability target port 37215.
     • CVE-2014-8361 – a command injection vulnerability in the Realtek SDK miniigd Universal Plug and Play (UPnP) SOAP interface (patched May 2015). Attacks that exploit this vulnerability target port 52869.
     • 280,000 devices.
     • Source code released.
     • Also not yet used.
  17. Hajime botnet
     • More sophisticated implementation than Mirai and Reaper.
     • Terminal message “Just a white hat, securing some systems”.
     • 300,000 devices.
     • Also not yet used.
  18. Why so shit?
     • No legal requirement for security in products.
       • Being discussed in US, Europe, etc.
       • Still not clear how this would work.
       • 30 principles for an Open Internet of Things Certification Mark.
     • No consumer interest in security as a feature.
       • Internet of Things Alliance Australia (IoTAA) considering a “security rating” or “tick” certification scheme.
       • IoTAA Security Guideline
       • National Cybersecurity Center of Excellence (NCCoE) Mitigating IoT Based DDoS Building Block
     • Common vulnerabilities from open source and open standards
       • Satori uses CVE-2017-8759 in SOAP/XML, widely used.
       • CVE-2016-6255 in libupnp found by Matthew Garrett.
       • CVE-2017-17562 in GoAhead webserver.
       • Blueborne
     • Companies EOL products or go bust.
       • Source code and keys in escrow?
       • Ability to install your own firmware, e.g. OpenWRT/LEDE.
  19. OWASP Top 10 IoT Vulnerabilities (2014)
     1. Insecure Web Interface
     2. Insufficient Authentication/Authorization
     3. Insecure Network Services
     4. Lack of Transport Encryption/Integrity Verification
     5. Privacy Concerns
     6. Insecure Cloud Interface
     7. Insecure Mobile Interface
     8. Insufficient Security Configurability
     9. Insecure Software/Firmware
     10. Poor Physical Security
  20. 1. Insecure Web Interface
     • “Attacker uses weak credentials, captures plain-text credentials or enumerates accounts to access the web interface.”
     • A1:2017 Injection
     • A7:2017 Cross-Site Scripting (XSS)
     • A13:2017 Cross-Site Request Forgery (CSRF)
  21. 2. Insufficient Authentication/Authorization
     • “Attacker uses weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface.”
     • A2:2017 Broken Authentication
     • Mirai / Reaper / Hajime attack default/hardcoded telnet passwords.
  22. 3. Insecure Network Services
     • “Attacker uses vulnerable network services to attack the device itself or bounce attacks off the device.”
     • Unnecessary open ports.
     • Universal Plug and Play (UPnP) exposing ports to internet.
     • Wifi access to network, e.g. iKettle.
  23. iKettle
     • Remote boil from anywhere
       • Use the Smarter app to control your iKettle from wherever you are.
     • Simple connection
       • The new generation brings revolutionary secure setup in seconds with BlinkUp™ technology.
     • More features. Less fuss.
       • Lets you Integrate, Replenish and Keep Warm for longer.
     • Select your setting.
       • Your favoured features ready with Home, Formula and Wake Up mode, allowing you to set alarms and notifications via the Smarter app.
  24. 4. Lack of Transport Encryption/Integrity Verification
     • “Attacker uses the lack of transport encryption to view data being passed over the network.”
     • A5:2017 Broken Access Control
     • Devices not always connected to internet.
     • Certificates expire.
     • Certificate loss, e.g. Logitech Harmony Link.
     • Complicated by need for secure inter-device/inter-manufacturer communications.
  25. 5. Privacy Concerns
     • “Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption or insecure network services to view personal data which is not being properly protected or is being collected unnecessarily.”
     • A5:2017 Broken Access Control
     • Covers device, mobile app and cloud service.
  26. General Data Protection Regulation (GDPR)
     • Covers any organisation collecting data concerning any EU citizen.
     • Comes into force on 25th May 2018
     • Required to “implement appropriate technical and organisational measures” for handling and processing of personal data:
       • Pseudonymisation and/or encryption.
       • Ensuring ongoing confidentiality, integrity, availability and resilience.
       • Regular testing.
     • Legal obligation to notify the Supervisory Authority of a data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.
     • Fines
       • 10M EUR (~17M NZD) or up to 2% of global gross (whichever is greater) for violations of record-keeping, security, breach notification and privacy impact assessment obligations.
       • 20M EUR (~34M NZD) or up to 4% of global gross (whichever is greater) for violations related to legal justification for processing, lack of consent, data subject rights and cross-border data transfers.
  27. 6. Insecure Cloud Interface
     • “Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the cloud website.”
     • A1:2017 Injection
     • A7:2017 Cross-Site Scripting (XSS)
     • A13:2017 Cross-Site Request Forgery (CSRF)
  28. 7. Insecure Mobile Interface
     • “Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the mobile interface.”
  29. Bluetooth
     • No best practice?
     • National Institute of Standards and Technology (NIST) “Guide to Bluetooth Security”.
       • Revision 2: May 2017
     • SIG released Launch Studio:
       • New interface to guide you through the Bluetooth qualification process
       • Step-by-step training and tooltips to make it easier to use
       • Faster product listing search and test plan generation
       • Integrated declaration ID payments and Qualified Design ID (QDID) lookups
       • No provision for security!
  30. 8. Insufficient Security Configurability
     • “Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also use the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device and/or data.”
     • Mirai / Reaper / Hajime attack default/hardcoded telnet passwords.
  31. 9. Insecure Software/Firmware
     • “Attacker uses multiple vectors such as capturing update files via unencrypted connections, the update file itself is not encrypted or they are able to perform their own malicious update via DNS hijacking.”
     • Should consumers have the right to their own hardware?
     • eFuse – a bit that can only be written one way. Used by:
       • PlayStation 3
       • Xbox 360
       • Nintendo Switch
       • Some Samsung phones
  32. 10. Poor Physical Security
     • “Attacker uses vectors such as USB ports, SD cards or other storage means to access the Operating System and potentially any data stored on the device.”
     • Requires physical access to the device.
     • If someone breaks into your house to hack your webcam you have bigger problems.
     • Evil maid attack.
  33. Firmware Updates
     • Need to be able to update firmware.
     • Most users don’t bother to update.
     • Updating with no UI is usually difficult.
     • Automatic updates?
       • Depends on device usage.
       • Needs to be tested on all hardware variants.
       • LockState bricked some of their locks (recommended by AirBnB) with a firmware update.
     • Download path needs to be secure.
       • Out of date CA bundles.
     • Update path needs to be secure.
       • Supply-chain attacks becoming more common – e.g. CCleaner, MeDoc, Mint, Transmission.
       • Multiple certificates held by separate people?
  34. Summary
     • IoT is going to get worse before it gets better
       • 8.4 billion devices out there.
       • Devices in development still to be released.
       • Developers are stupid.
  35. Developers need help!
     • Low-hanging fruit / dumb shit is easy.
       • Don’t leave telnet open.
       • Don’t hardcode passwords.
     • More complex problems don’t have solutions yet.
       • Certificate expiry.
     • Better tools, e.g. Bluetooth studio?
     • Continuous Integration (CI) / DevOps tools, e.g. MITM testing.
     • Training examples:
       • Damn Vulnerable ARM Router (DVAR)
         • http://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html
       • exploit_me – Very vulnerable ARM application
         • https://github.com/bkerler/exploit_me
     • National Cybersecurity Center of Excellence (NCCoE) Mitigating IoT Based DDoS Building Block
     • Blockchain?
  36. Economic costs
     • If devices you manufacture/sell get attacked there’s no direct cost.
       • Loss of sales?
       • FTC suing D-Link over insecure routers and webcams.
       • St Jude Medical had their stock shorted by Muddy Waters.
       • GDPR fines?
  37. Final point
     • Hajime versus Mirai/Reaper/Satori?
     • Possible movie idea.
