2. Director of Application Security, Belkin International (owners of Linksys)
Member, UPnP Task Force
Previously Principal Test Architect, Office of the CTO at Rapid7
20+ years of experience in IT, QA, Development and Security
Programming, disassembling and reverse engineering since age 5
3. What is IoT?
Why is IoT Important?
Components of IoT
IoT Attacks
How Do I Protect My Environment?
Future of IoT
Conclusion
6. Originated at the Auto-ID center at MIT
Started with RFID, Electronic Product Code tags to connect devices
Self-configuring was the key
Evolved into connected advanced wireless devices
No single IoT protocol currently
8. Hundreds of manufacturers creating devices
Everyday devices now connected and communicating valuable data
Makes environments smarter
Improves power conservation
Provides sense of security
Connects M2M and M2B
11. • Turn your electronics on/off, monitor them from anywhere
• Create rules, schedules, and receive notifications
• Get insight into home energy or water usage
• Compatible with iOS and Android
Source: http://www.belkin.com
12. • GPS tracking device for pets
• Track how much exercise they get
• Receive notifications when they leave user configured zone
• Uses Google Maps for setup
• Mobile and web apps for tracking and notifications
• Same technology used to track company vehicles
• Now cheaper and more accessible to average person
Source: http://www.pettracker.com/
13. • 3-factor authentication (Nymi, smart phone, cardiac rhythm)
• Integration with Windows, Mac OS, Android, and iOS
• Uses Bluetooth Low Energy
• Motion detection for gesture recognition
• Looking at integration with cars to unlock and start them
• Potential to replace identification or PIN for financial transactions
• Is this more secure than a password?
Source: http://www.getnymi.com
14. Protocols
• ZigBee
• Z-Wave
• 6LoWPAN
• NFC
• RFID
• Bluetooth
• Bluetooth Low Energy
• INSTEON
• Lutron
• MQTT
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
15. IEEE 802.15.4
2.4 GHz frequency worldwide (16 channels)
Regional 915 MHz (Americas) & 868 MHz (Europe)
Powered and battery operated devices
Multiple star topology and inter-personal area network (PAN) communication
AES-128 security
2010 – 40% Market Share
2016 – 55% Market Share
ZigBee Mesh Network (diagram: one ZC at the centre, several ZRs, and ZEDs attached to the ZC or to a ZR)
ZigBee Coordinator - ZC
ZigBee Router - ZR
ZigBee End Device - ZED
• ZigBee Coordinator - ZC
• Only one
• Trust Center
• Network information
• ZigBee Router - ZR
• Plug-in not battery powered
• Passes data from ZED to ZC
• MitM Heaven
• ZigBee End Device - ZED
• Talks to ZC or ZR
18. Hardware, software, protocol solutions
Allow innovation and automation
Software connects APIs between services
Hardware to speak to everything
Protocol to bridge physical layer
Sources: http://www.ifttt.com, http://www.ninjablocks.com, http://www.revolv.com
19. Access to personal information
Can be used to protect physical location
Share some technology with traditional networked devices
Updates are mostly manual if available
Some endpoint devices are not updateable at all (ZigBee, Z-Wave)
Consumers rarely think about patching
Consumers are dependent on manufacture updates
Many built on SDKs from chip vendors and manufactures with no security expertise
Use 3rd Party libraries as black boxes
20. Consumer - Loosely connected devices that may or may not have rules integrating them
Enterprise – Technologies like Closed Loop Lifecycle Management (CL2M) enable businesses to see how their products are being used, track maintenance status, and share information securely
Enterprise users are charging, synching, and connecting IoT devices to corporate assets
The dividing line will disappear
21. Sources: http://www.vizualiiz.com, http://professional.medtronic.com, http://www.nike.com, http://www.progressive.com, http://retailnext.net, http://www.skylanders.com, https://onlycoin.com
Banking
Insurance
Retail
Health & Fitness
Medical
Entertainment
Asset Management
23. Some IoT devices rely on Wi-Fi credentials only
Hard to use products fail
Accounts should depend on class of products
Take measures to counter ease of use & improve security
Perception vs Reality
P2P vs Server Relay
Which is safer?
25. IoT protocols open parallel wireless networks
Strong encryption + bad implementation = 0 benefit
Increase in attack surface
More devices to patch and maintain
Cannot backport fixes
Dependent on vendor updates
Where do IT teams draw the responsibility line?
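The "strong encryption + bad implementation = 0 benefit" point, and the AES-128 security noted on the IEEE 802.15.4 slide, come down to details such as the frame counter that 802.15.4 carries in every secured frame: a receiver that never checks it will happily accept a captured frame played back later, however strong the cipher. The following is an added example, not code from the deck, Belkin, or any ZigBee stack. It constructs frames with a 16-bit source address, a 32-bit frame counter and a message integrity code (a truncated HMAC-SHA256 stands in for the AES-CCM* MIC, since the replay check does not depend on the cipher), and compares a receiver that enforces a monotonically increasing counter per source with one that only checks the MIC. The key, addresses and payloads are constructed placeholders.

```python
import hashlib
import hmac
import struct

MIC_LEN = 4        # 802.15.4 MICs are 4, 8 or 16 bytes; the shortest is used here
HEADER_LEN = 6     # 16-bit source address + 32-bit frame counter, little-endian


def build_frame(key: bytes, src: int, counter: int, payload: bytes) -> bytes:
    """Assemble a constructed secured frame: header, payload, MIC over both.
    A truncated HMAC-SHA256 stands in for the AES-CCM* MIC (assumption)."""
    header = struct.pack("<HI", src, counter)
    mic = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


class Receiver:
    """Frame receiver. enforce_counter=False models the 'bad implementation'
    that verifies the MIC but ignores the frame counter entirely."""

    def __init__(self, key: bytes, enforce_counter: bool = True):
        self.key = key
        self.enforce_counter = enforce_counter
        self.last_counter = {}   # source address -> highest counter accepted

    def accept(self, frame: bytes):
        """Return (status, payload); status is 'ok', 'bad_mic', 'replay' or 'malformed'."""
        if len(frame) < HEADER_LEN + MIC_LEN:
            return ("malformed", b"")
        header = frame[:HEADER_LEN]
        body = frame[HEADER_LEN:-MIC_LEN]
        mic = frame[-MIC_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return ("bad_mic", b"")          # tampered or wrong key
        src, counter = struct.unpack("<HI", header)
        highest = self.last_counter.get(src, -1)
        if self.enforce_counter and counter <= highest:
            return ("replay", b"")           # seen this counter (or an older one) already
        self.last_counter[src] = max(counter, highest)
        return ("ok", body)


def demo():
    """Run both receivers over a constructed sequence and return what each did."""
    key = b"constructed-network-key-placeholder"   # not a real network key
    strict = Receiver(key)
    naive = Receiver(key, enforce_counter=False)
    # Three legitimate frames from one constructed device address, counters 0..2
    frames = [build_frame(key, 0x1234, n, b"lamp:on" if n % 2 else b"lamp:off")
              for n in range(3)]
    results = {"strict": [], "naive": []}
    for frame in frames + [frames[1]]:          # last item is frame 1 played back unchanged
        results["strict"].append(strict.accept(frame)[0])
        results["naive"].append(naive.accept(frame)[0])
    tampered = bytearray(frames[2])
    tampered[HEADER_LEN + 1] ^= 0x01            # flip one payload bit
    results["tampered"] = strict.accept(bytes(tampered))[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The strict receiver reports `replay` for the fourth frame while the naive one reports `ok` four times; both reject the tampered frame on the MIC. In a real stack the counter state must also survive device reboot or be re-established through a key change, or the protection is lost again.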
26. Impact of IoT on BYOD
What is allowed on systems?
What is allowed in the network?
What glue services make sense for your company?
Is it worth the risk?
How can you stop them?
Are you watching outbound?
28. 3rd party libraries getting attacked
Developers select based on features and popularity
Rarely audit code or understand them
Poorly architected, bad code, and not well reviewed
Critical Vulns
UPnP (libupnp, miniupnp)
GnuTLS
OpenSSL
GoToFail (Apple SSL)
OpenSSH
LibYAML
30. • Researcher: Nitesh Dhanjani
• User browses to website containing Java exploit code
• Laptop on network compromised with malware
• Infected laptop turns lights off
• Attack pauses when bridge is unplugged
• Attack resumes when bridge is plugged back in
Exploit Source: Nitesh Dhanjani http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
31. • Researcher: HD Moore
• Cameras were searchable on Internet
• Scanned 3% of Internet
• Found 250,000 devices running services, 5000 vulnerable
• Some vendors had disabled auto answer by default
• Able to capture passwords and documents
• Audio outside rooms was captured
Exploit Source: HD Moore, R7 http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=0
32. • Researcher: Daniel Crowley
• No authentication on web console
• Unconfirmed authentication bypass
• Firmware can be modified from attacks
• Server-side request forgery enables devices to bypass firewall and be used as a proxy
Exploit Source: Daniel Crowley of Trustwave SpiderLabs https://www.youtube.com/watch?v=PSRPE49lGYw
33. • Used UPnP buffer overflow to exploit WeMo
• Able to turn on and off the device rapidly
• We had a patch available before the researcher notified us of the issue
• Valid UPnP requests still work within the network
Exploit Source: Daniel Buentello using UPnP vulnerability discovered by HD Moore http://hackaday.com/2013/01/31/turning-the-belkin-wemo-into-a-deathtrap/
35. 2010 study by Tufin Technologies, supported by UK's Association of Chief Police Officers
"...23% of "uni" students have hacked into IT systems.
32% thought hacking was "cool."
28% considered it to be easy.
The hackers offered a variety of motivations for their behavior: curiosity, fun, while "an entrepreneurial 15% revealed that they hacked to make money."
Source: Fast Company http://www.fastcompany.com/1690541/it-security-firm-fear-students, image from Infosec Reactions - http://securityreactions.tumblr.com/
36. Exploit Source: Joshua Wright http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
• Researcher: Joshua Wright
• Presented at ToorCon 11 - 2009
• Framework for ZigBee exploitation
• Presentation and source are easy to find
• Hardware is cheap and easy to get
• Wireshark has built in tool for cracking ZigBee Network (NWK) encryption
38. Source: https://greatscottgadgets.com/ubertoothone/, http://www.kismetwireless.net
• Open source affordable Bluetooth development platform
• Class 1 Bluetooth device
• Bluetooth & BTLE injection & monitoring
• 802.11 FHSS monitoring and injection
• Basic spectrum monitoring
• Works with Kismet sniffer
• Commercial Bluetooth equipment starts at $10,000
• Cost: $115
39. 10 MHz to 6 GHz operating frequency
Half-duplex transceiver
Compatible with GNU Radio and Software Defined Radio (SDR)
Software-configurable RX and TX gain and baseband filter
Open source hardware
Lots of applications already written to decode wireless using this
Cost: $330
Source: https://greatscottgadgets.com/hackrf/, http://www.sharebrained.com/2014/05/28/portapack-h1-imminent/
40. Universal bus interface
Talks to most chips via PC serial terminal
Comes with debugger software and BIOS/flash programmers
Cost: $30
Source: http://dangerousprototypes.com/docs/Bus_Pirate
• Supports
• 1-Wire
• I2C
• SPI
• JTAG
• Asynchronous serial
• MIDI
• PC keyboard
• HD44780 LCD
• & more
44. New technologies, limited standards, competing protocols, and more attack surface may scare you…
GO BACK TO BASICS
• Secure By Design
• Secure By Default
• Secure In Deployment
• Defense In Depth
45. Secure by Design
• Secure architecture and code
• Threat analysis
• Vulnerability reduction
Secure by Default
• Attack surface area reduced
• Unused features turned off by default
• Minimum privileges used
Secure in Deployment
• Protection: Detection, defense, recovery, and management
• Process: How-to guides, architecture guides
• People: Training
Source: Josh Abraham (Jabra)
46. Defense In Depth is critical
Separate classes of systems, devices, and users
What do IoT devices need access to?
Limit password reuse
Password Management
Multi-factor authentication
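Two of the deck's questions, "What do IoT devices need access to?" on this slide and "Are you watching outbound?" on the BYOD slide, have the same practical answer: write down the few destinations each class of device legitimately needs and compare the traffic you actually see against that list. The following is an added example, not code from the deck or from Belkin, that does this over constructed flow-log lines. The device inventory, the per-class policy, the IoT addresses (10.20.0.0/24) and the "vendor cloud" ranges (drawn from the documentation-only 203.0.113.0/24 and 198.51.100.0/24 blocks) are all assumptions made up for the example.

```python
import ipaddress

# Constructed inventory: IoT host address -> device class (assumed addresses)
INVENTORY = {
    "10.20.0.11": "camera",
    "10.20.0.12": "thermostat",
    "10.20.0.13": "lightbridge",
}

# Constructed per-class policy: the only destinations and ports a class needs.
# The cloud ranges are placeholders, not any real vendor's addresses.
POLICY = {
    "camera":      {"allow": ["10.10.5.0/24"],   "ports": {443}},        # the NVR subnet only
    "thermostat":  {"allow": ["203.0.113.0/24"], "ports": {443, 8883}},  # vendor cloud: HTTPS + MQTT/TLS
    "lightbridge": {"allow": ["203.0.113.0/24"], "ports": {443}},
}

# Constructed flow records: "src dst dport proto", one per line
FLOWS = """\
10.20.0.11 10.10.5.20 443 tcp
10.20.0.11 198.51.100.7 443 tcp
10.20.0.12 203.0.113.40 8883 tcp
10.20.0.13 10.10.1.15 445 tcp
10.20.0.13 203.0.113.41 443 tcp
10.20.0.12 203.0.113.40 23 tcp
"""


def evaluate(flows: str, inventory=INVENTORY, policy=POLICY):
    """Return a list of (src, dst, dport, reason) for flows that break the policy.
    Hosts not in the inventory are ignored; only tracked IoT devices are judged."""
    violations = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _proto = line.split()
        dport = int(dport)
        cls = inventory.get(src)
        if cls is None:
            continue
        rule = policy[cls]
        dst_ip = ipaddress.ip_address(dst)
        allowed_dst = any(dst_ip in ipaddress.ip_network(net) for net in rule["allow"])
        if not allowed_dst:
            # Device reaching something outside its declared needs: the
            # "watching outbound" case (lateral movement or an unexpected cloud)
            violations.append((src, dst, dport, f"{cls}: destination not in allow list"))
        elif dport not in rule["ports"]:
            # Right destination, wrong service (e.g. telnet where only TLS is expected)
            violations.append((src, dst, dport, f"{cls}: port not permitted"))
    return violations


def summarize(flows: str):
    """Count violations per source device, for a quick 'which device is noisy' view."""
    counts = {}
    for src, _dst, _dport, _reason in evaluate(flows):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst, dport, reason in evaluate(FLOWS):
        print(f"{src} -> {dst}:{dport}  {reason}")
    print(summarize(FLOWS))
```

The same allow lists are what you would turn into firewall or VLAN ACLs between the IoT segment and the rest of the network; running the check against flow logs first shows which devices would break when the rules are enforced and which are already talking where they should not.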
47. Industry collaboration to improve security of embedded OS and protocols is critical
Groups like BuildItSecure.ly trying to improve collaboration between vendors and security researchers
Improvements to standards like ZigBee HA 1.3
UPnP+ certification requiring Device Protection
Secure Elements / TPM for firmware protection
48. • Does deploying biometric sensors to employees put a company at risk if the data is compromised?
• What compliance issues arise based on the data being collected and whether companies have access to it?
Source: http://www.computerworld.com/s/article/9247137/Pros_and_Cons_of_Using_Fitness_Trackers_for_Employee_Wellness?taxonomyId=220
49. IoT brings awareness, automation, & security to enterprise environments
Rapid growth of IoT devices and vendors without security focus
Insecure devices expanding network attack surface
Plan your IoT implementation based on use cases
Select devices to fit use cases rather than individual issues
Threat Model, plan, remediate, mitigate
The protection line has moved, adjust your goals
50. Thank you for attending
Contact brian@brksecurity.com for additional information on IoT & Security
Thanks to Amanda Honea, Dianne Asis, & my family for their support
Thanks to Terry Gold for the invitation and in-depth biometrics discussions
Questions?