
OWASP Internet of Things (IoT) Top 10


OWASP (Open Web Application Security Project) is, of course, famous for their Top 10, but what some people don't realise is that it's specifically the Top 10 Web Application Security Risks. There are other Top 10s, dealing with different areas. We're going to have a quick trip through the Internet of Things (IoT) Top 10. How does it differ from the Web App Top 10? Are there any overlaps? How has the IoT list changed over time?

Tom Isaacson

October 11, 2020



Transcript

  1. OWASP Projects
     OWASP = Open Web Application Security Project. Top 10s for:
     • Web Application Security (2003, 2004, 2007, 2010, 2013, 2017)
     • Mobile (2011, 2014, 2016)
     • IoT (2014, 2018)
     • Embedded Application Security (Incubator)
     • Cloud (?)
  2. IoT?
     “The Internet of things (IoT) describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.” (Wikipedia)
  3. It’s a Buzzword
     IoT = Embedded devices + Network connectivity
     • First embedded device: Apollo Guidance Computer (first flew in 1966)
     • First router: “Bread Truck” (1976)
     • First webcam: Trojan Room coffee pot (1991)
  4. Why is IoT such a big deal?
     • Numbers (analyst estimates; they vary widely depending on the source and on what is counted as an IoT device)
       • 2018: 7 billion IoT devices
       • 2019: 26.66 billion
       • 2020: 31 billion
       • 2021: 35 billion
       • 2025: 75 billion
     • Minimal/non-existent UI
     • Longevity: 10 to 20 years in service
     • Not many standards
     • No requirement for companies to continue support. What happens when companies go bust?
  5. Mirai botnet (2016)
     • Developed by three college students for DDoSing rival Minecraft servers
     • Over 200,000 devices in the original botnet
     • 623 Gbps attack on Krebs on Security
     • Attacks of around 1 Tbps, including against the hosting provider OVH and the DNS provider Dyn
     • Source code released
     • Default credentials for some 60+ devices found in the source code
     • Hangzhou XiongMai devices all had the same default: username = root, password = xc3511
     • White-label devices are sold to other companies for their own products, so one factory default turns up under many brand names.
  6. Reaper botnet
     • Based in part on Mirai, but spreads with exploits rather than by guessing passwords.
     • Includes nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies like Vacron, GoAhead, and AVTech.
     • Size estimates ranged from 10,000-20,000 up to a million devices.
     • Has not yet been used (as of this talk).
  7. Mirai Okiru/Satori botnet
     • Variation of Mirai.
     • CVE-2017-17215: a vulnerability in Huawei HG532 home gateway routers, patched in November 2017. Attacks exploiting it target port 37215.
     • CVE-2014-8361: a command injection vulnerability in the Realtek SDK miniigd Universal Plug and Play (UPnP) SOAP interface, patched in May 2015. Attacks exploiting it target port 52869.
     • 280,000 devices.
     • Source code released.
     • Also not yet used.
  8. Hajime botnet
     • More sophisticated implementation than Mirai and Reaper (peer-to-peer, no central command-and-control server to take down).
     • Terminal message: “Just a white hat, securing some systems”.
     • 300,000 devices.
     • Also not yet used.
  9. OWASP Top 10 IoT Vulnerabilities (2018)
     1. Weak, Guessable or Hardcoded Passwords
     2. Insecure Network Services
     3. Insecure Ecosystem Interfaces
     4. Lack of Secure Update Mechanism
     5. Use of Insecure or Outdated Components
     6. Insufficient Privacy Protection
     7. Insecure Data Transfer and Storage
     8. Lack of Device Management
     9. Insecure Default Settings
     10. Lack of Physical Hardening
  10. 1. Weak, Guessable, or Hardcoded Passwords
      “Use of easily bruteforced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”
      • Web App equivalent: A2:2017 Broken Authentication
      • Mirai and Hajime spread by trying default/hardcoded telnet passwords; Reaper used exploits instead (see slide 6).
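The Mirai and default-credential material on slides 5 and 10 translates into two cheap network-side detections. The code below is an added example written for this page, not code from the talk or from the Mirai source: it fingerprints Mirai's scanner, which sends SYNs to ports 23/2323 with the TCP sequence number set to the destination IPv4 address, and it matches telnet login attempts against a handful of the factory credential pairs carried in the leaked source (only a few of the ~60 pairs are included here). The `FlowRecord` and `LoginAttempt` schemas and all sample records are constructed for the example and are not any vendor's export format.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// FlowRecord is an assumed, minimal representation of one TCP SYN as a
// sensor might export it. Seq is the raw 32-bit sequence field read
// big-endian off the wire.
type FlowRecord struct {
	SrcIP   string
	DstIP   string
	DstPort int
	Seq     uint32
}

// LoginAttempt is one telnet authentication attempt from a constructed honeypot log.
type LoginAttempt struct {
	SrcIP    string
	Username string
	Password string
}

// A few of the factory credential pairs shipped in the leaked Mirai source.
// Abbreviated for the example; a deployment would load the complete list.
var miraiDefaults = map[string]bool{
	"root:xc3511":     true, // Hangzhou XiongMai
	"root:vizxv":      true,
	"root:admin":      true,
	"admin:admin":     true,
	"root:888888":     true,
	"root:default":    true,
	"support:support": true,
}

// ipToUint32 converts a dotted IPv4 string to the same 32-bit value that
// appears on the wire, so it can be compared directly with the SYN's Seq.
func ipToUint32(s string) (uint32, bool) {
	ip := net.ParseIP(s).To4()
	if ip == nil {
		return 0, false
	}
	return binary.BigEndian.Uint32(ip), true
}

// IsMiraiScanSYN reports whether a SYN matches Mirai's scanner fingerprint:
// destination port 23 or 2323 and sequence number equal to the destination IP.
func IsMiraiScanSYN(r FlowRecord) bool {
	if r.DstPort != 23 && r.DstPort != 2323 {
		return false
	}
	dst, ok := ipToUint32(r.DstIP)
	return ok && dst == r.Seq
}

// IsDefaultCredential reports whether the attempt used a pair from the leaked list.
func IsDefaultCredential(a LoginAttempt) bool {
	return miraiDefaults[a.Username+":"+a.Password]
}

// SuspectSources runs both detections and returns, per source IP, the reasons
// it was flagged. Sources with no hits are omitted.
func SuspectSources(flows []FlowRecord, logins []LoginAttempt) map[string][]string {
	out := map[string][]string{}
	for _, f := range flows {
		if IsMiraiScanSYN(f) {
			out[f.SrcIP] = append(out[f.SrcIP], fmt.Sprintf("mirai-scan-syn to %s:%d", f.DstIP, f.DstPort))
		}
	}
	for _, l := range logins {
		if IsDefaultCredential(l) {
			out[l.SrcIP] = append(out[l.SrcIP], fmt.Sprintf("default-credential %s:%s", l.Username, l.Password))
		}
	}
	return out
}

// sampleFlows and sampleLogins are constructed inputs, not captured traffic.
func sampleFlows() []FlowRecord {
	victim := "198.51.100.7"
	seq, _ := ipToUint32(victim)
	return []FlowRecord{
		{SrcIP: "203.0.113.10", DstIP: victim, DstPort: 23, Seq: seq},               // Mirai fingerprint
		{SrcIP: "203.0.113.10", DstIP: "198.51.100.9", DstPort: 2323, Seq: 12345}, // seq does not match
		{SrcIP: "192.0.2.5", DstIP: victim, DstPort: 443, Seq: seq},               // right seq, wrong port
	}
}

func sampleLogins() []LoginAttempt {
	return []LoginAttempt{
		{SrcIP: "203.0.113.10", Username: "root", Password: "xc3511"},
		{SrcIP: "192.0.2.77", Username: "alice", Password: "correct horse"},
	}
}

func main() {
	for src, reasons := range SuspectSources(sampleFlows(), sampleLogins()) {
		fmt.Println(src, reasons)
	}
}
```

The sequence-number check is cheap enough to run on every SYN at a border sensor, and it is independent of the credential list, so it still fires against a rebuilt Mirai variant that ships a different password set.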
  11. 2. Insecure Network Services
      “Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.”
      • Unnecessary open ports.
      • Universal Plug and Play (UPnP) opening ports to the internet on the user’s router.
      • IPv6 removes NAT as an accidental barrier: a device with a global IPv6 address is directly reachable unless the router firewalls it.
      • Telnet, e.g. iKettle.
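The first thing to check on a device under test is simply what it listens on. As an added example (not from the talk), the following parses `/proc/net/tcp` output as a Linux-based device exposes it, keeps only LISTEN-state sockets, ignores anything bound to loopback, and flags the ports this deck singles out: telnet on 23/2323, plus the 37215 and 52869 UPnP ports that Satori probes for the Huawei HG532 and Realtek miniigd bugs on slide 7. The snapshot in `sampleProcNetTCP` is constructed, and the address decoding assumes a little-endian host (the kernel prints the IPv4 address in host byte order).

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Listener is one LISTEN-state socket recovered from a /proc/net/tcp line.
type Listener struct {
	Addr net.IP
	Port int
}

// riskyPorts maps ports an IoT device should not expose to a short reason.
// 37215 and 52869 are the Satori targets from slide 7.
var riskyPorts = map[int]string{
	21:    "ftp (cleartext credentials)",
	23:    "telnet (cleartext credentials)",
	2323:  "telnet on alternate port",
	37215: "Huawei HG532 UPnP (CVE-2017-17215)",
	52869: "Realtek miniigd UPnP SOAP (CVE-2014-8361)",
}

// parseHexAddr decodes "0100007F:0017" into 127.0.0.1 and port 23. The address
// bytes are reversed because the kernel prints them in host order and a
// little-endian host is assumed; the port is printed big-endian.
func parseHexAddr(s string) (net.IP, int, error) {
	parts := strings.Split(s, ":")
	if len(parts) != 2 || len(parts[0]) != 8 {
		return nil, 0, fmt.Errorf("bad address %q", s)
	}
	raw, err := hex.DecodeString(parts[0])
	if err != nil {
		return nil, 0, err
	}
	port, err := strconv.ParseInt(parts[1], 16, 32)
	if err != nil {
		return nil, 0, err
	}
	return net.IPv4(raw[3], raw[2], raw[1], raw[0]), int(port), nil
}

// ParseListeners returns every socket in state 0A (LISTEN) from /proc/net/tcp text.
func ParseListeners(procNetTCP string) ([]Listener, error) {
	var out []Listener
	sc := bufio.NewScanner(strings.NewReader(procNetTCP))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[0] == "sl" { // skip header and blank lines
			continue
		}
		if f[3] != "0A" { // only listening sockets
			continue
		}
		ip, port, err := parseHexAddr(f[1])
		if err != nil {
			return nil, err
		}
		out = append(out, Listener{Addr: ip, Port: port})
	}
	return out, sc.Err()
}

// Findings reports listeners that are both network-reachable (not bound to
// loopback) and on a risky port.
func Findings(ls []Listener) []string {
	var out []string
	for _, l := range ls {
		if l.Addr.IsLoopback() {
			continue // local-only services are not exposed to the network
		}
		if why, bad := riskyPorts[l.Port]; bad {
			out = append(out, fmt.Sprintf("%s:%d exposed: %s", l.Addr, l.Port, why))
		}
	}
	return out
}

// sampleProcNetTCP is a constructed snapshot, not taken from a real device:
// telnet on all interfaces, the Realtek UPnP port on the LAN address (192.168.1.1),
// an HTTPS service, telnet bound to loopback only, and one established connection.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0101A8C0:CE85 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 0101A8C0:01BB 0301A8C0:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 20 4 30 10 -1
`

func main() {
	ls, err := ParseListeners(sampleProcNetTCP)
	if err != nil {
		panic(err)
	}
	for _, f := range Findings(ls) {
		fmt.Println(f)
	}
}
```

On a real device, feed it `cat /proc/net/tcp` (and `/proc/net/tcp6`, whose address field is 32 hex characters and would need the parser extended) from a shell or a firmware emulator; the loopback rule is what separates a debug service that is fine from one that is an internet-facing backdoor.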
  12. 3. Insecure Ecosystem Interfaces
      “Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.”
      • All of the OWASP Web App Top 10
      • All of the OWASP Mobile Top 10
      • All of the OWASP Cloud Top 10
      • The mobile app must not rely on client-side authentication or authorization checks; the backend has to enforce them.
  13. 4. Lack of Secure Update Mechanism
      “Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”
  14. Requirements for Firmware Updates
      • Need to be able to update the firmware at all.
      • Most users don’t bother to update.
      • Updating with no UI is usually difficult.
      • Automatic updates? Depends on device usage.
      • Needs to be tested on all hardware variants: LockState bricked some of its locks (the model recommended by Airbnb) with a firmware update.
      • Download path needs to be secure; out-of-date CA bundles on the device break TLS validation of the update server.
      • Update path needs to be secure: supply-chain attacks are becoming more common, e.g. CCleaner, MeDoc (NotPetya), Linux Mint, Transmission.
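Slides 13 and 14 list what a secure update needs: validation of the image on the device, secure delivery, and anti-rollback. The following is an added example of the device-side half, written for this page and not taken from the talk or any vendor's updater. A signed manifest (version plus SHA-256 of the image) is verified with the vendor's Ed25519 public key baked into the firmware; the manifest layout, the `Device` struct and the sample images are assumptions made for the example. The check order matters and is spelled out in the comments.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata the device checks before it touches the image.
// Layout (assumed for this example): 4-byte big-endian version, then SHA-256 digest.
type Manifest struct {
	Version   uint32   // strictly increasing; drives the anti-rollback check
	ImageHash [32]byte // SHA-256 of the firmware image this manifest vouches for
}

// Bytes serialises the manifest; this exact byte string is what gets signed.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageHash[:])
	return b
}

// NewManifest builds a manifest for an image at a given version.
func NewManifest(version uint32, image []byte) Manifest {
	return Manifest{Version: version, ImageHash: sha256.Sum256(image)}
}

// SignManifest is what the vendor's build pipeline does with its offline signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// Device holds the two pieces of state the verifier needs: the vendor public key
// baked into firmware, and the installed version, which on real hardware should
// live in a monotonic counter or a write-protected slot so it cannot be wound back.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version not newer than installed version")
	ErrImageHash    = errors.New("image hash does not match signed manifest")
)

// ApplyUpdate runs the checks in the order that matters: authenticate the
// manifest first so nothing unauthenticated influences later decisions, then
// refuse downgrades (a validly signed old image is still an attack), then confirm
// the downloaded image is the one the manifest vouches for. Only after all three
// does the installed version advance.
func (d *Device) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	d.Installed = m.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, Installed: 3}

	v4 := []byte("constructed firmware image v4") // sample image, not real firmware
	m4 := NewManifest(4, v4)
	sig4 := SignManifest(priv, m4)
	fmt.Println("v4 tampered image:", dev.ApplyUpdate(m4, sig4, []byte("backdoored image")))
	fmt.Println("v4 genuine:       ", dev.ApplyUpdate(m4, sig4, v4))

	old := []byte("old vulnerable image v2")
	m2 := NewManifest(2, old)
	fmt.Println("v2 downgrade:     ", dev.ApplyUpdate(m2, SignManifest(priv, m2), old))

	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	m5 := NewManifest(5, v4)
	fmt.Println("v5 forged sig:    ", dev.ApplyUpdate(m5, SignManifest(attacker, m5), v4))
}
```

Transport encryption is deliberately not what provides integrity here: the signature lets the image travel over any channel, including a CDN or a USB stick, and survive an out-of-date CA bundle on the device, while the version counter is what stops an attacker replaying yesterday's signed but vulnerable firmware.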
  15. 5. Use of Insecure or Outdated Components
      “Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.”
      • Tools like GitHub Dependabot and Snyk can spot insecure/outdated components.
      • Assumes the device is still supported and can get updates (see #4).
      • Ripple20 (19 vulnerabilities in the Treck embedded TCP/IP stack, disclosed 2020, affecting devices across many vendors).
  16. 6. Insufficient Privacy Protection
      “User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”
      • Web App equivalent: A3:2017 Sensitive Data Exposure
      • Covers the device, the mobile app and the cloud service.
      • Wifi credentials giving access to the home network, e.g. iKettle.
      • Video/audio files.
  17. 7. Insecure Data Transfer and Storage
      “Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”
      • Web App equivalents: A3:2017 Sensitive Data Exposure, A5:2017 Broken Access Control
      • Certificates expire.
      • Certificate loss, e.g. Logitech Harmony Link.
      • Devices are not always connected to the internet.
      • Complicated by the need for secure inter-device/inter-manufacturer communications.
      • Secure key storage needs hardware backing (secure element, TPM, or a TrustZone-style enclave).
      • Video/audio files (from #6).
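“Certificates expire”, “out of date CA bundles” (slide 14) and “devices not always connected to the internet” are all the same problem seen from the device side: a TLS check that depends on a fresh trust store and a correct clock. The added example below (written for this page, not the talk's code) pins a single vendor root instead of the OS bundle and evaluates validity against the device's own clock, then shows the two failure modes a practitioner hits in the field: a certificate that has expired while the device sat unpatched, and a device whose RTC has never been set and thinks it is 1970. The root CA, the leaf for the assumed hostname `updates.example` and the validity window are all generated in-process and belong to no real vendor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with signer; when parent is nil the certificate is self-signed.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildVendorPKI generates a throwaway vendor root CA and a server certificate
// for the assumed hostname "updates.example", valid from notBefore to notAfter.
// Keys are fresh on every run; nothing here belongs to a real vendor.
func BuildVendorPKI(notBefore, notAfter time.Time) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	root, err = mkCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Vendor Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notAfter.Add(10 * 365 * 24 * time.Hour), // root outlives its leaves
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "updates.example"},
		DNSNames:     []string{"updates.example"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, caKey)
	return root, leaf, err
}

// VerifyUpdateServer is the device-side check: trust only the vendor root pinned
// in firmware (not the OS CA bundle, which goes stale on a rarely updated device)
// and evaluate validity at the time the device believes it is.
func VerifyUpdateServer(leaf, pinnedRoot *x509.Certificate, deviceClock time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "updates.example",
		CurrentTime: deviceClock,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	start := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	end := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	root, leaf, err := BuildVendorPKI(start, end)
	if err != nil {
		panic(err)
	}
	fmt.Println("mid-validity:    ", VerifyUpdateServer(leaf, root, start.AddDate(0, 6, 0)))
	fmt.Println("after expiry:    ", VerifyUpdateServer(leaf, root, end.AddDate(0, 0, 1)))
	fmt.Println("unset RTC (1970):", VerifyUpdateServer(leaf, root, time.Unix(0, 0)))
}
```

The 1970 case is why a device needs a trusted time source (or a signed, monotonic time hint from the update server) before certificate validity checks mean anything; the expiry case is why a pinned root must be long-lived and rotatable through the signed update path itself, otherwise the day the leaf expires is the day the device can no longer fetch the fix (compare the Harmony Link outcome above).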
  18. 8. Lack of Device Management
      “Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”
      • Not so much an issue for home users.
      • Think large stores, factories, hospitals, orchards…
  19. 9. Insecure Default Settings
      “Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”
      • Most users don’t RTFM or reconfigure the device.
      • Devices with no UI can be hard to reconfigure.
      • “admin:admin” from #1.
  20. 10. Lack of Physical Hardening
      “Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.”
      • Requires physical access to the device.
      • If someone breaks into your house to hack your webcam you have bigger problems.
      • Evil maid attack.
      • Can be used to obtain hardcoded passwords or keys (see #1).
      • Should consumers have the right to their own hardware?
  21. Comparison of 2014 to 2018

      #    2014                                                  2018
      1    Insecure Web Interface                                Weak, Guessable or Hardcoded Passwords (was #2)
      2    Insufficient Authentication/Authorization             Insecure Network Services (was #3)
      3    Insecure Network Services                             Insecure Ecosystem Interfaces (was #1, #6, #7)
      4    Lack of Transport Encryption/Integrity Verification   Lack of Secure Update Mechanism (was #9)
      5    Privacy Concerns                                      Use of Insecure or Outdated Components (new)
      6    Insecure Cloud Interface                              Insufficient Privacy Protection (was #5)
      7    Insecure Mobile Interface                             Insecure Data Transfer and Storage (was #4)
      8    Insufficient Security Configurability                 Lack of Device Management (was #8)
      9    Insecure Software/Firmware                            Insecure Default Settings (new)
      10   Poor Physical Security                                Lack of Physical Hardening (same)
  22. iKettle (vendor marketing copy)
      • Remote boil from anywhere: use the Smarter app to control your iKettle from wherever you are.
      • Simple connection: the new generation brings revolutionary secure setup in seconds with BlinkUp™ technology.
      • More features. Less fuss: lets you Integrate, Replenish and Keep Warm for longer.
      • Select your setting: your favoured features ready with Home, Formula and Wake Up mode, allowing you to set alarms and notifications via the Smarter app.
  23. iKettle attack
      1. De-auth the kettle from its usual access point (aireplay-ng).
      2. Create a fake AP with the same SSID but no password.
      3. The kettle joins it.
      4. Connect to the telnet service and authenticate with the default PIN ‘000000’.
      5. Enter ‘AT-KEY’.
      6. The plaintext WPA PSK of the home network is disclosed.
  24. iKettle mitigation
      1. Deauthentication frame attack: #5 Use of Insecure or Outdated Components. Protected Management Frames (PMF, 802.11w) stop forged deauth frames; PMF is optional in WPA2 and mandatory in WPA3.
      2. SSID with no password: #3 Insecure Ecosystem Interfaces. Don’t join a network with a matching SSID but a lower security level than the one configured.
      3. Telnet: #2 Insecure Network Services.
      4. Default PIN of ‘000000’: #1 Weak, Guessable, or Hardcoded Passwords; #9 Insecure Default Settings.
      5. Plaintext WPA PSK disclosed: #6 Insufficient Privacy Protection; #7 Insecure Data Transfer and Storage.
  25. Summary
      • IoT is going to get worse before it gets better.
      • 8.4 billion devices out there.
      • Devices in development still to be released.
      • Developers are stupid.
  26. Developers need help!
      • Low-hanging fruit / dumb shit is easy: don’t leave telnet open; don’t hardcode passwords.
      • More complex problems don’t have solutions yet, e.g. certificate expiry.
      • Better tools, e.g. Bluetooth studio?
      • Continuous Integration (CI) / DevOps tools, e.g. MITM testing.
      • Training examples:
        • Damn Vulnerable ARM Router (DVAR): http://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html
        • exploit_me, a very vulnerable ARM application: https://github.com/bkerler/exploit_me
        • National Cybersecurity Center of Excellence (NCCoE) Mitigating IoT-Based DDoS Building Block
      • Blockchain?
  27. Economic costs
      • If devices you manufacture/sell get attacked there’s usually no direct cost to you; the cost lands on the victims of the attack.
      • Loss of sales?
      • FTC suing D-Link over insecure routers and webcams.
      • St Jude Medical had their stock shorted by Muddy Waters.
      • GDPR fines?