
Putting the S for Security into IoT


Presented at ChCon 2024:
https://2024.chcon.nz/

There are any number of talks about security tools for web development but very few for IoT. In my new job we're using GitHub (Dependabot, Secrets Manager, CodeQL), SonarQube, Mend, Nessus and others. I will go through how we use these and how useful they are, particularly because we're using Yocto, which isn't directly supported by some of these.

Tom Isaacson

November 23, 2024


Transcript

  1. Putting the S for Security into IoT
     Tom Isaacson @parsley72
     “The S in IoT stands for security.”
  2. My Insecure Career
     • Degree in Software Engineering
     • 5 years making broadcast TV equipment
     • 3 years contracting in Germany doing dashboard software
     • 5 years at Navman writing GPS in-car navigation
     • 3 years at NextWindow doing production SW for touchscreens
     • 7 years at Navico doing marine electronics
     • 4 years at Teknique making cameras
     • Started a new job in January
  3. Tools
     Static analysis:
     • GHAS CodeQL + Secret scanning
     • SonarQube
     • Snyk
     Dependency management:
     • Snyk
     • GHAS Dependabot
     • Mend
     • OWASP Dependency Check
     Device scanning:
     • Nessus
  4. Vulnerable Projects
     • https://github.com/praetorian-inc/DVRF
       ◦ Damn Vulnerable Router Firmware (DVRF) v0.3
     • https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html
       ◦ DVAR is an emulated Linux based ARM router running a vulnerable web server that you can sharpen your ARM stack overflow skills with.
     • https://github.com/OWASP/IoTGoat
       ◦ The IoTGoat Project is a deliberately insecure firmware based on OpenWrt and maintained by OWASP as a platform to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
     • https://github.com/Vulcainreo/DVID
       ◦ Damn Vulnerable IoT Device - The first open source vulnerable designed IoT device.
  5. praetorian-inc/DVRF
     Damn Vulnerable Router Firmware (DVRF) v0.3
     Archived repo - last commit was in 2016
     So old the source code is a .tar file
     No build
  6. Vulcainreo/DVID: git clone
     $ git clone https://github.com/Vulcainreo/DVID.git
     Cloning into 'DVID'...
     remote: Enumerating objects: 2570, done.
     remote: Counting objects: 100% (625/625), done.
     remote: Compressing objects: 100% (396/396), done.
     remote: Total 2570 (delta 188), reused 618 (delta 183), pack-reused 1945 (from 1)
     Receiving objects: 100% (2570/2570), 14.74 MiB | 2.52 MiB/s, done.
     Resolving deltas: 100% (373/373), done.
     Downloading ino/arduino-1.8.16.tar.xz (130 MB)
     Error downloading object: ino/arduino-1.8.16.tar.xz (54af929): Smudge error: Error downloading ino/arduino-1.8.16.tar.xz (54af92925db18ea3d660410ab750822f0059471a3245f610dffeb40727a7f69a): batch response: This repository is over its data quota. Account responsible for LFS bandwidth should purchase more data packs to restore access.
     Errors logged to '/home/tom/Documents/GitHub-personal/DVID/.git/lfs/logs/20241020T130939.208390503.log'.
     Use `git lfs logs last` to view the log.
     error: external filter 'git-lfs filter-process' failed
     fatal: ino/arduino-1.8.16.tar.xz: smudge filter lfs failed
     warning: Clone succeeded, but checkout failed.
     You can inspect what was checked out with 'git status'
     and retry with 'git restore --source=HEAD :/'
  7. OWASP/IoTGoat
     The IoTGoat Project is a deliberately insecure firmware based on OpenWrt and maintained by OWASP as a platform to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
     https://github.com/OWASP/IoTGoat/wiki
     No build
  8. CodeQL
     Part of GitHub Advanced Security (GHAS), also includes Dependabot
     “CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts.”
  9. Implementing CodeQL
     CodeQL adds huge amounts of build time/effort
     Example: OWASP/IoTGoat
     • Using a Linux machine with 16 CPU / 64 GB RAM / 600 GB storage
     • Standard IoTGoat build: 1hr 4mins
     • CodeQL IoTGoat build: Cancelled after 6 hrs
  10. CodeQL on Yocto
     Similar problem with lengthy builds.
     Solution:
     1. Build entire project.
     2. Clean app build.
     3. Turn on CodeQL.
     4. Rebuild app.
  11. GHAS Secret scanning
     Part of GitHub Advanced Security (GHAS)
     “GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.”
  12. SonarQube
     “Detect Bugs & Vulnerabilities - Measure the reliability, security, & maintainability of all the languages in your project. Thousands of automated Static Code Analysis rules protecting your code on multiple fronts.”
     • Cloud
     • On-prem server
     • IDE plugin (free)
  13. SonarQube builds
     Even with Yocto we can just run it over the entire build with no significant difference.
  14. CodeQL on IoTGoat
     2024-11-16T00:33:28.6638681Z 00:33:28.663 INFO EXECUTION FAILURE
     2024-11-16T00:33:28.6645047Z 00:33:28.664 INFO Total time: 39:02.471s
     2024-11-16T00:33:28.6656774Z 00:33:28.664 ERROR Error during SonarScanner CLI execution
     2024-11-16T00:33:28.6657374Z java.lang.OutOfMemoryError: Java heap space
     2024-11-16T00:33:28.6659630Z at org.sonar.duplications.index.PackedMemoryCloneIndex.ensureCapacity(PackedMemoryCloneIndex.java:286)
     2024-11-16T00:33:28.6661536Z at org.sonar.duplications.index.PackedMemoryCloneIndex.insert(PackedMemoryCloneIndex.java:251)
     2024-11-16T00:33:28.6662552Z at org.sonar.scanner.cpd.index.SonarCpdBlockIndex.insert(SonarCpdBlockIndex.java:73)
     2024-11-16T00:33:28.6663466Z at org.sonar.scanner.sensor.DefaultSensorStorage.store(DefaultSensorStorage.java:383)
     2024-11-16T00:33:28.6664333Z at org.sonar.api.batch.sensor.cpd.internal.DefaultCpdTokens.doSave(DefaultCpdTokens.java:130)
     2024-11-16T00:33:28.6665187Z at org.sonar.api.batch.sensor.internal.DefaultStorable.save(DefaultStorable.java:45)
     2024-11-16T00:33:28.6666191Z at com.sonar.cpp.plugin.LexicalAnalyzer.cpd(LexicalAnalyzer.java:89)
     2024-11-16T00:33:28.6666843Z at com.sonar.cpp.plugin.LexicalAnalyzer.analyze(LexicalAnalyzer.java:67)
     2024-11-16T00:33:28.6667501Z at com.sonar.cpp.plugin.LexicalAnalyzer.analyze(LexicalAnalyzer.java:54)
     2024-11-16T00:33:28.6668145Z at com.sonar.cpp.plugin.CFamilySensor.process(CFamilySensor.java:388)
     2024-11-16T00:33:28.6668791Z at com.sonar.cpp.plugin.CFamilySensor.execute(CFamilySensor.java:215)
     2024-11-16T00:33:28.6669553Z at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
     2024-11-16T00:33:28.6670409Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)
     2024-11-16T00:33:28.6671237Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:64)
     2024-11-16T00:33:28.6672381Z at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:82)
     2024-11-16T00:33:28.6673432Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
     2024-11-16T00:33:28.6674375Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
     2024-11-16T00:33:28.6675259Z at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:403)
     2024-11-16T00:33:28.6676210Z at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:399)
     2024-11-16T00:33:28.6677210Z at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:368)
     2024-11-16T00:33:28.6678185Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
     2024-11-16T00:33:28.6679105Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
     2024-11-16T00:33:28.6680012Z at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:137)
     2024-11-16T00:33:28.6680956Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
     2024-11-16T00:33:28.6681879Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
     2024-11-16T00:33:28.6682605Z at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
     2024-11-16T00:33:28.6683168Z at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
     2024-11-16T00:33:28.6683959Z at org.sonarsource.scanner.lib.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:41)
     2024-11-16T00:33:28.6684866Z at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     2024-11-16T00:33:28.6685632Z at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     2024-11-16T00:33:28.6686407Z at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  15. Snyk
     “Open Source Developer Security - Stay protected with integrated IDE checks, native Git scanning, CI/CD & production checks.”
     • Originally a dependency manager
     • Added static code analysis
     • Apparently some AI crap in there now
  16. Dependabot
     Part of GitHub Advanced Security (GHAS), same as CodeQL.
     “Dependabot alerts notify you when your code relies on a package that has security vulnerabilities and even generates pull requests to update the vulnerable dependencies.”
     Doesn’t support Yocto
  17. Mend
     “Mend (formerly WhiteSource) is a tool that helps manage open-source software security and compliance, including dependencies.”
     Doesn’t support Yocto (keeps saying they will but it’s been several years…)
  18. OWASP Dependency Check
     “OWASP Dependency-Check is a free tool that helps identify and report on vulnerabilities in third-party libraries and dependencies used by software applications.”
     Doesn’t support Yocto.
     Does support SPDX and CycloneDX, which Yocto can export.
  19. Nessus
     “Nessus is a platform developed by Tenable that scans for security vulnerabilities in devices, applications, operating systems, cloud services and other network resources.”
     To scan a device:
     1. Create a scan for everything.
     2. Set the IP address of your device.
     3. Give it an SSH account and password/certificate.
  20. Nessus: IP Forwarding Enabled
     Description
     The remote host has IP forwarding enabled. An attacker can exploit this to route packets through the host and potentially bypass some firewalls / routers / NAC filtering. Unless the remote host is a router, it is recommended that you disable IP forwarding.
     Solution
     On Linux, you can disable IP forwarding by doing:
     echo 0 > /proc/sys/net/ipv4/ip_forward
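The finding above is easy to re-check on the device itself, and the one-line `echo` fix does not survive a reboot. The following added example (not from the talk or from Nessus) audits the IPv4 knob the finding names plus its IPv6 twin under a configurable root, honours the "unless the remote host is a router" exception, and renders a sysctl.d fragment that persists the fix; the fixture tree it builds is constructed test data, and the IPv6 knob path is assumed from the standard Linux sysctl layout.

```python
"""Audit for the Nessus "IP Forwarding Enabled" finding (added example).

Reads net.ipv4.ip_forward (the knob the finding refers to) and the IPv6
equivalent net.ipv6.conf.all.forwarding under a configurable root, so the
check runs against /proc/sys on a device or against a constructed fixture.
"""
import tempfile
from pathlib import Path

# sysctl key -> path relative to /proc/sys (assumed standard Linux layout)
FORWARDING_KNOBS = {
    "net.ipv4.ip_forward": "net/ipv4/ip_forward",
    "net.ipv6.conf.all.forwarding": "net/ipv6/conf/all/forwarding",
}


def read_knob(root, rel_path):
    """Return the knob's value as a string, or None if the kernel lacks it."""
    path = Path(root) / rel_path
    return path.read_text().strip() if path.exists() else None


def audit_forwarding(root="/proc/sys", is_router=False):
    """Map each knob to its value and whether it counts as a finding.

    A value of "1" is only a finding when the device is not meant to route,
    which is the same exception the Nessus description makes for routers.
    """
    findings = {}
    for key, rel_path in FORWARDING_KNOBS.items():
        value = read_knob(root, rel_path)
        findings[key] = {"value": value, "finding": value == "1" and not is_router}
    return findings


def sysctl_fragment(findings):
    """Render /etc/sysctl.d lines that turn off every knob that was flagged."""
    return "".join(f"{key} = 0\n" for key, f in findings.items() if f["finding"])


def build_fixture(ipv4="1", ipv6=None):
    """Create a constructed /proc/sys-like tree (test data, not a real device)."""
    root = Path(tempfile.mkdtemp(prefix="sysctl-fixture-"))
    (root / "net/ipv4").mkdir(parents=True)
    (root / "net/ipv4/ip_forward").write_text(ipv4 + "\n")
    if ipv6 is not None:  # omit to mimic a kernel built without IPv6
        (root / "net/ipv6/conf/all").mkdir(parents=True)
        (root / "net/ipv6/conf/all/forwarding").write_text(ipv6 + "\n")
    return root


if __name__ == "__main__":
    demo = audit_forwarding(build_fixture(ipv4="1", ipv6="0"))
    print(demo)
    print(sysctl_fragment(demo), end="")
```

Run it with no arguments against a real device by calling `audit_forwarding()` with the default root.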
  21. Nessus: Network Time Protocol (NTP) Mode 6 Scanner
     Description
     The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.
     Solution
     Restrict NTP mode 6 queries.
     Ref https://www.ibm.com/support/pages/ibm-aix-disable-ntp-mode-6-and-7-queries
  22. Nessus: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
     Description
     The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.
     Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions.
     Solution
     Contact the vendor for an update with the strict key exchange countermeasures or disable the affected algorithms.
     See Also https://terrapin-attack.com/
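The plugin text above spells out its decision rule, which is useful when triaging the finding on a device whose sshd cannot be updated. The following added example (not from the talk or from Nessus) applies that rule to the algorithm name-lists a server advertises in its KEXINIT and lists what to drop if no update is available; the name-lists in the demo are constructed, and the strict-kex marker name is OpenSSH's server-side `kex-strict-s-v00@openssh.com`.

```python
"""Triage helper for the Terrapin finding, CVE-2023-48795 (added example).

Mirrors the Nessus rule: exposed if the server offers ChaCha20-Poly1305, or
a CBC cipher together with an Encrypt-then-MAC MAC, and does not offer the
strict key exchange countermeasure. Like the plugin, it ignores versions.
"""

STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict-kex marker
CHACHA = "chacha20-poly1305@openssh.com"


def parse_namelist(namelist):
    """Split an SSH name-list ("a,b,c") into entries, dropping blanks."""
    return [n.strip() for n in namelist.split(",") if n.strip()]


def terrapin_exposure(kex, ciphers, macs):
    """Return why (and whether) a server with these lists is exposed."""
    chacha = CHACHA in ciphers
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    strict = STRICT_KEX_SERVER in kex
    affected_algos = chacha or (bool(cbc) and bool(etm))
    vulnerable = affected_algos and not strict
    # If no update with strict kex is available, drop ChaCha20-Poly1305 and the
    # CBC ciphers; removing CBC also kills the CBC+EtM combination, so the EtM
    # MACs can stay for the remaining (CTR/GCM) ciphers.
    remove = ([CHACHA] if chacha else []) + cbc if vulnerable else []
    return {
        "chacha20_poly1305": chacha,
        "cbc_with_etm": bool(cbc) and bool(etm),
        "strict_kex": strict,
        "vulnerable": vulnerable,
        "remove": remove,
    }


if __name__ == "__main__":
    # Constructed name-lists for an older embedded sshd (not data from a real device).
    report = terrapin_exposure(
        parse_namelist("curve25519-sha256,diffie-hellman-group14-sha256"),
        parse_namelist("chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc"),
        parse_namelist("hmac-sha2-256-etm@openssh.com,hmac-sha2-256"),
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```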
  23. Conclusions
     Static analysis:
     • GHAS CodeQL + Secret scanning: Pretty basic.
     • SonarQube: Best but fiddly to set up.
     • Snyk: Very easy to set up, pretty basic.
     Dependency management:
     • Snyk: Doesn’t work with Yocto.
     • GHAS Dependabot: Doesn’t work with Yocto, no logging.
     • Mend: Also does licences. Doesn’t work with Yocto.
     • OWASP Dependency Manager: TBC
     Device scanning:
     • Nessus: Good but pricing model doesn’t fit.
       ◦ Nessus Essentials is free?