Brian Knopf
brian@brksecurity.com
@doyouqa

• Director of Application Security, Belkin International (owners of Linksys)
• Member, UPnP Task Force
• Previously Principal Test Architect, Office of the CTO at Rapid7
• 20+ years of experience in IT, QA, Development and Security
• Programming, disassembling and reverse engineering since age 5

• What is IoT?
• Why is IoT Important?
• Components of IoT
• IoT Attacks
• How Do I Protect My Environment?
• Future of IoT
• Conclusion
Source: Wikipedia.org http://en.wikipedia.org/wiki/IOT
Source: Gartner http://www.gartner.com/newsroom/id/2636073

• Originated at the Auto-ID Center at MIT
• Started with RFID, Electronic Product Code tags to connect devices
• Self-configuring was the key
• Evolved into connected advanced wireless devices
• No single IoT protocol currently
Source: Gartner http://www.gartner.com/newsroom/id/2636073

• Hundreds of manufacturers creating devices
• Everyday devices now connected and communicating valuable data
• Makes environments smarter
• Improves power conservation
• Provides sense of security
• Connects M2M and M2B
Pain Management 1970’s Pain Management 2010’s
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

• Turn your electronics on/off, monitor them from anywhere
• Create rules, schedules, and receive notifications
• Get insight into home energy or water usage
• Compatible with iOS and Android
Source: http://www.belkin.com

• GPS tracking device for pets
• Track how much exercise they get
• Receive notifications when they leave a user-configured zone
• Uses Google Maps for setup
• Mobile and web apps for tracking and notifications
• Same technology used to track company vehicles
• Now cheaper and more accessible to the average person
Source: http://www.pettracker.com/

• 3-factor authentication (Nymi, smart phone, cardiac rhythm)
• Integration with Windows, Mac OS, Android, and iOS
• Uses Bluetooth Low Energy
• Motion detection for gesture recognition
• Looking at integration with cars to unlock and start them
• Potential to replace identification or PIN for financial transactions
• Is this more secure than a password?
Source: http://www.getnymi.com
Protocols
• ZigBee
• Z-Wave
• 6LoWPAN
• NFC
• RFID
• Bluetooth
• Bluetooth Low Energy
• INSTEON
• Lutron
• MQTT
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

• IEEE 802.15.4
• 2.4 GHz frequency worldwide (16 channels)
• Regional 915 MHz (Americas) & 868 MHz (Europe)
• Powered and battery-operated devices
• Multiple star topology and inter-personal area network (PAN) communication
• AES-128 security
• 2010 – 40% market share
• 2016 – 55% market share

[Figure: ZigBee Mesh Network diagram showing one ZC linked to several ZRs, each serving a set of ZEDs]
• ZigBee Coordinator (ZC)
  • Only one
  • Trust Center
  • Network information
• ZigBee Router (ZR)
  • Plug-in, not battery powered
  • Passes data from ZED to ZC
  • MitM Heaven
• ZigBee End Device (ZED)
  • Talks to ZC or ZR
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

• Hardware, software, protocol solutions
• Allow innovation and automation
• Software connects APIs between services
• Hardware to speak to everything
• Protocol to bridge physical layer
Sources: http://www.ifttt.com, http://www.ninjablocks.com, http://www.revolv.com,

• Access to personal information
• Can be used to protect physical location
• Share some technology with traditional networked devices
• Updates are mostly manual, if available at all
• Some endpoint devices are not updateable at all (ZigBee, Z-Wave)
• Consumers rarely think about patching
• Consumers are dependent on manufacturer updates
• Many built on SDKs from chip vendors and manufacturers with no security expertise
• Use 3rd-party libraries as black boxes

• Consumer – Loosely connected devices that may or may not have rules integrating them
• Enterprise – Technologies like Closed Loop Lifecycle Management (CL2M) enable businesses to see how their products are being used, track maintenance status, and share information securely
• Enterprise users are charging, synching, and connecting IoT devices to corporate assets
• The dividing line will disappear
Sources: http://www.vizualiiz.com, http://professional.medtronic.com, http://www.nike.com, http://www.progressive.com, http://retailnext.net, http://www.skylanders.com, https://onlycoin.com
• Banking
• Insurance
• Retail
• Health & Fitness
• Medical
• Entertainment
• Asset Management
Sources: http://www.getnymi.com,http://www.yubico.com, http://myidkey.com/
Do these improve security or make people feel safer?

• Some IoT devices rely on Wi-Fi credentials only
• Hard-to-use products fail
• Account requirements should depend on the class of product
• Take measures to counter ease of use & improve security
• Perception vs. Reality
• P2P vs. Server Relay
• Which is safer?

• IoT protocols open parallel wireless networks
• Strong encryption + bad implementation = 0 benefit
• Increase in attack surface
• More devices to patch and maintain
• Cannot backport fixes
• Dependent on vendor updates
• Where do IT teams draw the responsibility line?

• Impact of IoT on BYOD
• What is allowed on systems?
• What is allowed in the network?
• What glue services make sense for your company?
• Is it worth the risk?
• How can you stop them?
• Are you watching outbound?
Source: http://www.veracode.com

• 3rd-party libraries getting attacked
• Developers select based on features and popularity
• Rarely audit code or understand them
• Poorly architected, bad code, and not well reviewed
• Critical Vulns
  • UPnP (libupnp, miniupnp)
  • GnuTLS
  • OpenSSL
  • GoToFail (Apple SSL)
  • OpenSSH
  • LibYAML

• Researcher: Nitesh Dhanjani
• User browses to website containing Java exploit code
• Laptop on network compromised with malware
• Infected laptop turns lights off
• Attack pauses when bridge is unplugged
• Attack resumes when bridge is plugged back in
Exploit Source: Nitesh Dhanjani http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html

• Researcher: HD Moore
• Cameras were searchable on the Internet
• Scanned 3% of the Internet
• Found 250,000 devices running services, 5,000 vulnerable
• Some vendors had disabled auto-answer by default
• Able to capture passwords and documents
• Audio outside rooms was captured
Exploit Source: HD Moore, R7 http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=0

• Researcher: Daniel Crowley
• No authentication on web console
• Unconfirmed authentication bypass
• Firmware can be modified from attacks
• Server-side request forgery enables devices to bypass the firewall and be used as a proxy
Exploit Source: Daniel Crowley of Trustwave SpiderLabs https://www.youtube.com/watch?v=PSRPE49lGYw

• Used UPnP buffer overflow to exploit WeMo
• Able to turn the device on and off rapidly
• We had a patch available before the researcher notified us of the issue
• Valid UPnP requests still work within the network
Exploit Source: Daniel Buentello using UPnP vulnerability discovered by HD Moore http://hackaday.com/2013/01/31/turning-the-belkin-wemo-into-a-deathtrap/
 2010 study by Tufin Technologies,
supported by UK's Association of Chief
Police Officers
 "...23% of "uni" students have hacked into
IT systems.
 32% thought hacking was "cool.“
 28% considered it to be easy.
The hackers offered a variety of motivations for their behavior: curiosity,
fun, while "an entrepreneurial 15% revealed that they hacked to make
money.“
Source: Fast Company http://www.fastcompany.com/1690541/it-security-firm-fear-students, image from Infosec Reactions - http://securityreactions.tumblr.com/

• Researcher: Joshua Wright
• Presented at ToorCon 11 – 2009
• Framework for ZigBee exploitation
• Presentation and source are easy to find
• Hardware is cheap and easy to get
• Wireshark has a built-in tool for cracking ZigBee Network (NWK) encryption
Exploit Source: Joshua Wright http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf

• Open source, affordable Bluetooth development platform
• Class 1 Bluetooth device
• Bluetooth & BTLE injection & monitoring
• 802.11 FHSS monitoring and injection
• Basic spectrum monitoring
• Works with Kismet sniffer
• Commercial Bluetooth equipment starts at $10,000
• Cost: $115
Source: https://greatscottgadgets.com/ubertoothone/, http://www.kismetwireless.net

• 10 MHz to 6 GHz operating frequency
• Half-duplex transceiver
• Compatible with GNU Radio and Software Defined Radio (SDR)
• Software-configurable RX and TX gain, baseband filter
• Open source hardware
• Lots of applications already written to decode wireless using this
• Cost: $330
Source: https://greatscottgadgets.com/hackrf/, http://www.sharebrained.com/2014/05/28/portapack-h1-imminent/

• Universal bus interface
• Talks to most chips via PC serial terminal
• Comes with debugger software and BIOS/flash programmers
• Cost: $30
• Supports
  • 1-Wire
  • I2C
  • SPI
  • JTAG
  • Asynchronous serial
  • MIDI
  • PC keyboard
  • HD44780 LCD
  • & more
Source: http://dangerousprototypes.com/docs/Bus_Pirate

• Texas Instruments CC1110
• 2x SmartRF boards
• 1 Debugger
• Documentation
• Software for sniffing & controlling hardware
• Flash programmer
• Cost: $76
• Paired with Z-Force exploit framework from researchers
Source: Behrang Fouladi & Sahand Ghanoun, SensePost http://research.sensepost.com/conferences/2013/bh_zwave, http://research.sensepost.com/tools/embedded/zforce
Offensive Security Defensive Security

• New technologies, limited standards, competing protocols, and more attack surface may scare you…
• GO BACK TO BASICS
  • Secure By Design
  • Secure By Default
  • Secure In Deployment
  • Defense In Depth

Secure by Design
• Secure architecture and code
• Threat analysis
• Vulnerability reduction
Secure by Default
• Attack surface area reduced
• Unused features turned off by default
• Minimum privileges used
Secure in Deployment
• Protection: detection, defense, recovery, and management
• Process: how-to guides, architecture guides
• People: training
Source: Josh Abraham (Jabra)

• Defense In Depth is critical
• Separate classes of systems, devices, and users
• What do IoT devices need access to?
• Limit password reuse
• Password management
• Multi-factor authentication
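The deck asks what IoT devices actually need access to, tells you to separate device classes from corporate systems, and asks whether you are watching outbound traffic. The following Python script is an added example (not from the deck, Belkin, or any of the projects cited) of turning those three questions into a check that can run over flow logs: each device class gets an explicit egress allowlist, any IoT address not in the inventory is flagged, and any IoT-to-corporate flow is flagged regardless of policy. The subnets, device inventory, vendor destinations (documentation ranges used as placeholders) and the flow lines are all constructed for the example.

```python
"""Egress audit for a segmented IoT network.

Added example, not from the slides: each class of IoT device gets an
explicit allowlist of what it needs to reach; anything else it talks to,
and any IoT-to-corporate traffic, is flagged.  Subnets, device classes,
vendor destinations and flow records are constructed for this example.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed network layout: IoT devices on their own VLAN, corporate
# assets on a separate segment (the "separate classes" recommendation).
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed device inventory: IoT address -> device class.
INVENTORY = {
    "10.20.0.11": "smart-plug",
    "10.20.0.12": "smart-plug",
    "10.20.0.30": "ip-camera",
}

# Constructed per-class egress policy: (destination network, port, proto).
# The public ranges are documentation placeholders standing in for a
# vendor's relay/update service, not real vendor endpoints.
POLICY = {
    "smart-plug": [("203.0.113.0/24", 443, "tcp"),   # vendor relay (placeholder)
                   ("10.20.0.1/32", 53, "udp")],     # local resolver
    "ip-camera":  [("198.51.100.0/24", 443, "tcp"),  # vendor cloud (placeholder)
                   ("10.20.0.1/32", 53, "udp"),      # local resolver
                   ("10.20.0.1/32", 123, "udp")],    # local NTP
}

def _compile(policy):
    """Turn the string networks in POLICY into ip_network objects once."""
    return {cls: [(ipaddress.ip_network(n), p, pr) for n, p, pr in rules]
            for cls, rules in policy.items()}

_RULES = _compile(POLICY)

def classify_flow(flow):
    """Return None for a permitted flow, otherwise a short reason string."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IOT_NET:
        return None                      # only IoT egress is judged here
    cls = INVENTORY.get(flow.src)
    if cls is None:
        return "unknown IoT device"      # not in inventory: rogue or unmanaged
    if dst in CORP_NET:
        return "IoT device reaching corporate segment"
    for net, port, proto in _RULES[cls]:
        if dst in net and flow.dport == port and flow.proto == proto:
            return None
    return f"{cls} egress outside policy"

def parse_flow_line(line):
    """Parse a constructed 'src dst dport proto' flow-log line."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)

def audit(lines):
    """Run every flow line through the policy and return the findings."""
    findings = []
    for line in lines:
        flow = parse_flow_line(line)
        reason = classify_flow(flow)
        if reason:
            findings.append((flow.src, flow.dst, flow.dport, reason))
    return findings

# Constructed sample flow log, one flow per line.
SAMPLE_FLOWS = [
    "10.20.0.11 203.0.113.7 443 tcp",    # plug -> vendor relay: allowed
    "10.20.0.11 10.20.0.1 53 udp",       # plug -> resolver: allowed
    "10.20.0.12 10.10.4.25 445 tcp",     # plug -> corporate file share: flagged
    "10.20.0.30 192.0.2.9 6667 tcp",     # camera -> unexpected host/port: flagged
    "10.20.0.99 203.0.113.7 443 tcp",    # address not in inventory: flagged
    "10.10.4.25 203.0.113.7 443 tcp",    # corporate host: not judged here
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("FLAG %s -> %s:%d  %s" % finding)
```

The policy is deliberately per class rather than per device: the slides' point is that a smart plug and a camera need different things, and writing the allowlist down is what makes "what does this device need access to?" answerable. The corporate-segment rule runs before the allowlist on purpose, so a mistake in a class policy can never grant an IoT device access to corporate assets.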

• Industry collaboration to improve security of embedded OS and protocols is critical
• Groups like BuildItSecure.ly trying to improve collaboration between vendors and security researchers
• Improvements to standards like ZigBee HA 1.3
• UPnP+ certification requiring Device Protection
• Secure Elements / TPM for firmware protection

• Does deploying biometric sensors to employees put a company at risk if the data is compromised?
• What compliance issues arise based on the data being collected and whether companies have access to it?
Source: http://www.computerworld.com/s/article/9247137/Pros_and_Cons_of_Using_Fitness_Trackers_for_Employee_Wellness?taxonomyId=220

• IoT brings awareness, automation, & security to enterprise environments
• Rapid growth of IoT devices and vendors without security focus
• Insecure devices expanding network attack surface
• Plan your IoT implementation based on use cases
• Select devices to fit use cases rather than individual issues
• Threat model, plan, remediate, mitigate
• The protection line has moved, adjust your goals

• Thank you for attending
• Contact brian@brksecurity.com for additional information on IoT & Security
• Thanks to Amanda Honea, Dianne Asis, & my family for their support
• Thanks to Terry Gold for the invitation and in-depth biometrics discussions
• Questions?

IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014