Who is this clown?
• Zach Lanier
• Director of Research, Cylance
• Old net, web/app, mobile/embedded security research/pen test type
• Previously at Accuvant Labs and Duo Security
• Co-author, "Android Hacker's Handbook" (Wiley, April 2014)
Agenda
• Challenges Faced
• Some "Lessons"
• Field Innovations (?) in IoT Security
• Solutions "we" would like to see
• Case Studies / Predictions
• Q&A
About the Internet of Things
• "The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment." (Gartner IT Glossary)
• "Machine to machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type."
• IoT Growth Estimates
  • Gartner: 26 billion units by 2020
  • ABI Research: 30 billion units by 2020
Challenges: "Process"
• Verification of healthcare professionals' credentials
  • (i.e. "are you actually a doctor?")
• Rights / privileges (technical) should be predicated on these credentials, such as "STOP HEART COMMAND"
Challenges: "User Awareness/Behavior"
• Users may not know how to update device firmware or apps
  • If that's even a capability
• Disparity in management: web console v. mobile app v. physical "update" button
• Lack of feedback or notification for updates or errors
  • How does a user know their IoT or medical device was updated or, worse, compromised?
Example: Home Automation Gateway (architecture diagram)
• Components: "magical" cloud service/site, mobile app and web browser (HTTPS), "Gateway", and ZigBee-connected lights, pool pump and automated cat entertainment toy
• Weaknesses annotated on the diagram:
  • XSS, CSRF, auth bugs, etc.
  • Key extraction, replay, injection, etc.
  • Unfettered console access, no priv sep for services, same "support" creds on multiple devices
Electric Imp
• Easy build and deployment environment
• Provides cloud service for messaging, fleet management/tracking, etc.
• Simple-but-robust libraries
  • Comms, security, I/O, etc.
• Very tight (minimal, no superfluous functionality) firmware and execution environment
• Production hardware is near-if-not-completely impossible to instrument/debug (e.g. JTAG / ICE)
• Tied to Imp Cloud for (most) services
Particle
• Easy build and deployment environment
• Provides cloud service for messaging, fleet management/tracking, etc.
• Simple-but-robust libraries
  • Comms, security, I/O, etc.
• Tied to Particle Cloud for deployment and management
• Easy hardware debugging
  • i.e. dump firmware
Solutions We Would Like To See
• On-board crypto co-processors w/strong algorithms/ciphersuites
• Power consumption characterized for standard algorithms
  • e.g. 5mA/hr for RSA verification
• Innovations in communications to address lack of connectivity
• Ready-made frameworks for medical/healthcare security
  • Communications
  • Backend services
  • Auditing / Accounting
  • Access Control / AuthZ / AuthC
  • etc.
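Added example (not from the talk or any vendor framework) tying together the "Process" challenge and the access-control and auditing items above: a safety-critical command such as "STOP HEART" is only honoured when the caller presents a credential verified against the credentialing authority, and every decision is recorded. The HMAC-signed credential format, the key, and all role and command names are constructed for illustration.

```python
# Added example (not from the talk): gate a safety-critical command on a
# verified clinician credential and audit every decision. Constructed format:
# the credentialing authority HMAC-signs a role assertion (a real deployment
# would use the authority's PKI); all role/command names are hypothetical.
import hmac, hashlib, json

AUTHORITY_KEY = b"constructed-demo-key-not-for-production"  # constructed demo key

ROLE_PRIVILEGES = {  # hypothetical roles -> privileges they carry
    "nurse": {"clinical_staff"},
    "cardiologist": {"clinical_staff", "cardiologist"},
}
COMMAND_PRIVILEGE = {  # hypothetical commands -> privilege required
    "READ_VITALS": "clinical_staff",
    "ADJUST_PACING_RATE": "cardiologist",
    "STOP_HEART": "cardiologist",  # the talk's worst-case credential-gated command
}
AUDIT_LOG = []  # accounting: one record per decision, allowed or denied

def issue_credential(subject, role, expires_at):
    """Authority side: sign {sub, role, exp} (constructed credential format)."""
    payload = json.dumps({"sub": subject, "role": role, "exp": expires_at}, sort_keys=True)
    tag = hmac.new(AUTHORITY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def verify_credential(cred, now):
    """Device side: reject tampered, forged or expired assertions (None on failure)."""
    expected = hmac.new(AUTHORITY_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return None  # payload altered or not issued by the authority
    claims = json.loads(cred["payload"])
    return claims if claims["exp"] > now else None

def handle_command(command, cred, now):
    """Authorize `command` for the credential holder; True only if allowed."""
    claims = verify_credential(cred, now)
    required = COMMAND_PRIVILEGE.get(command)
    if claims is None:
        outcome = "DENIED: credential invalid or expired"
    elif required is None:
        outcome = "DENIED: unknown command"
    elif required not in ROLE_PRIVILEGES.get(claims["role"], set()):
        outcome = "DENIED: role %s lacks %s" % (claims["role"], required)
    else:
        outcome = "ALLOWED"
    AUDIT_LOG.append({"t": now, "cmd": command,
                      "sub": claims["sub"] if claims else None, "outcome": outcome})
    return outcome == "ALLOWED"
```

The point of routing denials through the same audit path as approvals is that a stolen or expired credential being replayed shows up in the device's own accounting record, not just as a silent rejection.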
Predictions
• Malware targeting IoT
  • Ransomware
    • Lock user out of device
    • Siphon data
  • Physical damage
    • e.g. overheat device
• Attacks against IoT as vector into enterprise/org
  • Mobile aside, how many connected/IoT devices are people bringing day-in-day-out?