Lightning talk slides from the June 2015 CloudCamp "unconference" focused on "The Internet of Things (IoT)"
"The Internet of (Insecure) Things" - Chandler Howell, Engineering Manager at Nexum @chandlerhowell
About CloudCamp: the event features short lightning talks, an "unpanel" with audience participation and questions, and small breakout clusters around beers and pizza. Hosted by Cohesive Networks at TechNexus.
CloudCamp Chicago lightning talk "The Internet of (Insecure) Things" - Chandler Howell
1. "The Internet of (Insecure) Things"
Chandler Howell, Engineering Manager at Nexum
Tweet: @chandlerhowell
#cloudcamp
@CloudCamp_CHI
3. The Internet of (Insecure) Things
1. Smart is the New Dumb
2. When Worlds Collide
3. Failure Modes
4. A Parade of Horrors
5. So What Should I do Now?
5. Smart is the New Dumb
Smart, but Vulnerable
Security is not a priority of IoT (yet)
Focus is on
Time to market
Features & Functionality
Focus is NOT on
Security
Maintainability
Longevity
7. When Worlds Collide
Lifecycles are mismatched
Technology lifecycles are very short
Devices go EOL in 3-5 years or less
Consumer lifecycles are longer
Refrigerators, coffee makers, etc. can last 10 years
Industrial Equipment may outlive you
Heavy Equipment can have service lives >50 years
10. Failure Modes
Get Broken
Damage or destroy the device or attached devices
For example…
Plant Control Systems
People with Pacemakers
11. Failure Modes
Get Leveraged
Compromised device is used as a vector for other badness
For Example…
Unlock a Smart Home
Join a botnet
Provide a beachhead for APT
12. Failure Modes
Get Exploited
The device can be used to spy on people, either directly or indirectly
Yes, even more examples…
Smart TVs
Data & MetaData Collection
13. A PARADE OF HORRORS
It’s spelled “IoT” but it’s pronounced “Fail”
15. A Parade of Horrors
Consumer Goods
Refrigerators
Smart Fridges found in a botnet (2014)
25% of devices in that large botnet were IoT
Televisions & Electronics
Samsung “Smart TV” Spying
Numerous XSS, local exploits
Light Bulbs
LIFX “Smart” bulbs: authentication flaws
Leaked the credentials of the attached Wi-Fi network
16. A Parade of Horrors
Medical Devices
Surgical and anesthesia devices
Ventilators
Drug infusion pumps
Pacemakers
External defibrillators
Patient monitors
Laboratory and analysis equipment
Pretty much every type of failure you can imagine
17. A Parade of Horrors
Cars
Black Boxes
Data stolen or altered
Remote Lock/Unlock and starters
Key fobs and alarm protocols broken
OnStar
Hacked & Abused by Law Enforcement
Braking & steering controls
Integration with the entertainment/dash system allowed access and compromise
18. A Parade of Horrors
Airplanes
Drones
Definitely
In-Flight Entertainment
Definitely
Passenger Flight Control
Maybe
19. A Parade of Horrors
Infrastructure
Traffic Lights
Plaintext wireless
Weak/No Authentication
Industrial Control Systems
2008: Turkish Gas Pipeline Destroyed
2010: Iranian Gas Centrifuges (Stuxnet)
2014: Steel Mill’s Blast Furnace ($17mm in damage)
Utility Meters
Weak Authentication
Inaccurate readings == Fraud
Tampered or otherwise
22. So what should I do?
Realize these are not new problems
Insecure computers are nothing new
Think in terms of Failure Modes
Use these to understand your threats
Expect Novel attack types
Inference Attacks
Side-Channel Attacks
23. So what should I do?
Architect for Insecure Things
Assume devices are insecure by default
If not today, they will be some day
Leverage Security Tools & Processes
Defense-in-Depth
Threat Modeling
Incident Response
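What "architect for insecure things" looks like in practice for the "Get Leveraged" failure mode (a device that joins a botnet or becomes a beachhead): put the devices on their own segment, decide up front the few external endpoints each one legitimately needs, and treat every other connection as a finding. The script below is an added example, not material from the talk or from Nexum. The IoT VLAN, the internal address space, the device addresses, the vendor hostnames and the flow-log lines are all constructed for illustration; a real deployment would feed it firewall or NetFlow records.

```python
"""Egress monitoring for an IoT segment whose devices are assumed insecure.

Three findings are raised per device:
  lateral           - the device reached into the rest of the internal network
  unexpected_egress - the device talked to an external endpoint outside its allowlist
  fanout            - the device contacted many distinct external peers (scanning,
                      spam or C2 behaviour typical of a botnet member)
All addresses, names and log lines here are constructed for this example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical inventory: the only external names each device legitimately needs.
ALLOWED_EGRESS = {
    "10.20.0.11": {"fridge-cloud.example.net"},   # hypothetical smart fridge
    "10.20.0.12": {"tv-updates.example.com"},      # hypothetical smart TV
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal address space
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # assumed IoT VLAN
FANOUT_THRESHOLD = 20   # distinct external peers per device before we alert


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_name: str   # resolved destination name, or "-" when none
    dport: int


# Constructed flow records: "src dst dst_name dport". The last block simulates the
# TV opening SMTP connections to 25 different hosts, as a spam bot would.
SAMPLE_FLOWS = """
10.20.0.11 203.0.113.10 fridge-cloud.example.net 443
10.20.0.11 10.10.5.7 - 445
10.20.0.11 203.0.113.66 - 6667
10.20.0.12 198.51.100.5 tv-updates.example.com 443
10.10.5.7 203.0.113.10 fridge-cloud.example.net 443
""" + "".join(f"10.20.0.12 192.0.2.{i} - 25\n" for i in range(1, 26))


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, name, port = line.split()
        flows.append(Flow(src, dst, name, int(port)))
    return flows


def analyze(flows):
    """Return deduplicated (device, kind, detail) findings for IoT-segment sources."""
    findings, seen = [], set()
    peers = defaultdict(set)   # device -> distinct external destinations

    def add(finding):
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)

    for fl in flows:
        src, dst = ipaddress.ip_address(fl.src), ipaddress.ip_address(fl.dst)
        if src not in IOT_SEGMENT:
            continue            # only the IoT VLAN is watched here
        if dst in INTERNAL:
            # An IoT device has no business reaching the rest of the network.
            add((fl.src, "lateral", f"{fl.dst}:{fl.dport}"))
            continue
        peers[fl.src].add(fl.dst)
        if fl.dst_name not in ALLOWED_EGRESS.get(fl.src, set()):
            label = fl.dst_name if fl.dst_name != "-" else fl.dst
            add((fl.src, "unexpected_egress", f"{label}:{fl.dport}"))

    for device, external in peers.items():
        if len(external) >= FANOUT_THRESHOLD:
            add((device, "fanout", f"{len(external)} distinct external peers"))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick triage view."""
    counts = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    results = analyze(parse_flows(SAMPLE_FLOWS))
    for device, kind, detail in results:
        print(f"{device}\t{kind}\t{detail}")
    print(count_by_kind(results))
```

The allowlist is the defense-in-depth piece: it is enforced at the segment boundary regardless of how broken the device firmware is, and it keeps working after the vendor stops shipping patches. The findings are the incident-response piece: a device that shows up under `lateral` or `fanout` is the one to pull off the network first.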
24. So what should I do?
Assess whether the Smart is worth the Risk
Don’t forget how to live without IoT
Think of it in Business Continuity Planning (BCP) or Disaster Recovery (DR) terms
Smart Devices are just another system to fail
25. Get Dumb Again
Like Power Over Ethernet (PoE) light bulbs…
THANK YOU!
Well, that was fun.