In a world where convenience is key, consumers are adopting every new connected device that hits the shelves - and doing so with the assumption that due diligence security has been considered. But recent IoT attacks suggest otherwise. As organizations migrate from a primarily offline to online business model, they are failing to consider IoT’s unique threats which traditional solutions are unable to secure. As a result, steps must be taken to ensure that the device, connections and infrastructure are hardened, especially software which runs IoT devices and is the source of ~90% of attacks. This webinar is ideal for risk, technology, and security professionals that want to understand why a hacker would want to attack their “harmless” IoT device and what the stealth risk to their organization and consumers is. Topics covered include: - IoT security – why it’s so different….and tough - The IoT ecosystem and attack surface - Managing liability - IoT risks to consumers and vendors - Auditing IoT software development

2. What We Do
Software runs the world.
We Reduce its Risk
• Expertise
• Commitment to Excellence
• Trusted Advisor
How we Do It

3. About Security Innovation
• Authority in Software Security
• 15+ years research on software vulnerabilities
• Security testing methodology adopted by SAP, McAfee,
Microsoft, Symantec, and others
• Microsoft MVPs, Privacy by Design Ambassadors, Apple
and Barracuda Hall of Famers, Ponemon Institute Fellows
• Authors of 18 books

4. About Me
• CEO by day; engineer by trade (and heart)
• Mechanical Engineer, Software Engineer
• Ponemon Institute Fellow
• Privacy by Design Ambassador, Canada
• In younger days, built non-lethal weapons
systems for Federal Government

5. Agenda
IoT security – why it’s so different….and tough
• The IoT ecosystem and attack surface
• Managing liability - IoT risks to consumers and vendors
• Auditing IoT development & deployment

6. The ”Good Old Days”
• Devices were just… devices
o Still ran on code; made to serve a specific purpose
o Real-time changes; no “wait for compile” and see
o Had to be physically at the device to access/change
o Sharing data meant print, verbal, film, CD, etc.

7. Today’s IoT Devices
• Devices are still devices, but…
o Run on LOTS of code; made to serve single/multiple purposes
o Real-time changes; no “wait for compile” and see
o Make changes from anywhere via cellular or wifi connection
o Sharing data is instantaneous and digital

8. Dyn DDoS Attack
A not so oldie, but a goodie
• Domain Name System (DNS) service disrupted
• Affected nearly 1/3 of all Internet users in US and Europe
• No access to (short list):
• Amazon.com
• Comcast
• DirecTV
• GitHub
• Netflix
• Twitter
• PayPal
• Starbucks
• Verizon
• Visa
• Walgreens
• Xbox Live
• PlayStation Network
• iHeart Radio
• BBC
• NY Times
• GrubHub
• Slack
Millions of IoT Devices (printers, IP cameras, baby monitors) infected
with Mirai malware and used to flood Dyn with traffic (DDoS)

9. Recent IoT Trouble
Consumer & Medical Devices
• 465,000 vulnerable pacemakers from St. Jude
• Implantable cardiac devices have vulnerabilities
• Unauthorized remote access
• Deplete battery, change pacing, or deliver shocks
• Owlet WiFi Baby Heart Monitor
• Alerts parents when babies have heart troubles
• Connectivity element makes them exploitable
Best intentions exploited via careless manufacture configuration

10. Government & Customers Getting Involved
• FTC vs D-Link: The legal risks of IoT insecurity
• Lawsuit against D-Link
• Claims company put thousands of customers at risk
• Unauthorized access to its IP cameras and routers
• Customers vs John Deere: The business risks of IoT
• US farmers dispute rights to repair their tractors
• Contain embedded software (it’s an IoT device)
• Company issued a new license agreement
• Prohibits software modification on its tractors
• Ensure all repairs are done by John Deere contractors

11. Convenience-Risk Trade Offs
• Building in security takes time initially; equates to money
• Time to market pressures often trump this investment
• Security can equate to safety in consumer IoT devices
• Ease of setup and operation
• Consumers want devices to “just work”
• Quick setup and minimal configuration required
• Often means little to no authentication or default (same for all devices)
• When vulnerabilities discovered, patching is the answer
• But IoT patching can be difficult, impossible, and illegal
Consumers demand easy and convenient features, until they backfire

12. Polling Question
• Do you have an active IoT system/program in use today with
>1,000 devices, sensors, machines, etc. exchanging data?

13. Agenda
• IoT security – why it’s so different….and tough
The IoT ecosystem and attack surface
• Managing liability - IoT risks to consumers and vendors
• Auditing IoT development & deployment

14. • Smart Software Applications
• Access to data for real-time assessment and action
• Distributed Computers
• Facilitate local aggregation and communicate with
centralized servers via public internet
• Embedded/IoT Devices
• Microchips, embedded applications, wireless enabled
• Sensors gather/analyze data better and faster
The Idea is Simple…

15. • Cloud applications and wireless networks accessible by others
• Distributed devices may be used for email, DDoS, and other applications
subjected to social engineering
• Devices may be accessible by unknown or unauthorized people
• Devices may have open connections
• Devices likely lack encryption
• Physical interfaces on the devices leak sensitive data
• Debug ports (JTAG, UART) lead to privileged access on the device
• Radio and network communication protocols (Cellular, WiFi, NFC,
Bluetooth, Zigbee, SDR, etc) can be exploited
• Weak Firmware security can lead to complete device compromise
But Loaded with Attack Vectors…

16. Reality Check: IoT Deployment is Complex

17. IoT vs. Web Application Stack

18. IoT Attack Surface Identification
Element Example
Device hardware Memory, physical interfaces, ports, sensors (light, imaging, location, etc.)
Device firmware Signed/unsigned, update verification, unencrypted files, other software
Mobile
application
Authentication, data in local storage, default passwords, transport encryption,
password security (2FA, TouchID), excessive collection of PII and user data
Web application Admin interface, default/weak passwords, XSS, SQLi, CSRF, brute-force
protection
Radio & network
communication
Cellular, WiFi, TCP/IP, NFC, Bluetooth, Zigbee, etc.
Network services Web services, vendor APIs, custom protocols, unnecessary services, etc.
Authentication/
Authorization
Default/weak credentials, user roles, password reset, session expiry

19. • Insufficient security training
• Humans #1 weak point: building, deploying, using
• Weak Physical Security
• Debug interfaces (JTAG, UART, etc.) and USB ports
allow unintended device or data access
• Infrequent updates
• Firmware, device apps, admin apps/interfaces
• Expensive and/or remote IoT devices long lifespan (difficult to update)
• Weak Data Protection
• Data at rest/transit uses weak encryption techniques
• Lack of dedicated security chips and modules to store
sensitive data.
Top 4 IoT Security Weak Points

20. Polling Question
• What type of testing IoT devices for security do you
practice?

21. Agenda
• IoT security – why it’s so different….and tough
• The IoT ecosystem and attack surface
Managing liability - IoT risks to consumers and vendors
• Auditing IoT development & deployment

22. • Privacy - PII leakage
• Mass surveillance
• Stalking
• Theft
• Data breaches
• Liability
• Reputation
• Botnets, e.g. Mirai, for mass hacking
Main IoT Risks

23. IoT Connection Chain Ownership Threats
Device hardware/firmware Vendor X Known vulnerabilities with Vendor products
Patching process for Vendor X products
Mobile application Vendor Y Secure SDLC activities for Vendor Y
Web application Us Our own Secure SDLC activities/process
Information/Data management Us Storage and transport of data
Where is it encrypted?
Channels of transmission Telco X Security guarantees/SLA with Telco X
User authentication/roles Us Enumerate each role and authorized activity
Authentication for each role
Assessing IoT Risk

24. Threat #12
Compromise
App Password
1.1
Access “in-use”
password
1.2
Guess password
1.3
Access
Password in DB
1.1.1
Sniff network
1.1.2
Phishing attack
1.2.1
Password is
weak
1.2.2
Brute force
attack
1.3.1
Password is in
cleartext
1.3.2
Compromise
database
1.3.2.1
SQL injection
attack
1.3.2.2
Access database
directly
1.3.2.2.1
Port open
1.3.2.2.2
Weak db account
password(s)
Use TLS to encrypt
OpenSSL 1.0.1f
Require strong Password
8+ char, upper, lower,
number, special char
Use Prepared Statements
.NET parameterized queries
OleDbCommand() with
bind variables
Restrict Port Access
Firewall configuration
Enumerate Defenses
For Each Threat

25. • Know your IoT technology vendor’s track record
o Update your evaluation process, if necessary
• Invest in IoT security training for all in-house systems staff
o Coding (if building or interfacing w/ device); Configuration for Ops team
• Perform proactive penetration testing
o Obtain right to do so from 3rd-parties
• Adopt a "defense-in-depth" strategy
o e.g., WAF between IoT devices and cloud admin app?
• Eliminate all hardcoded default passwords and backdoors
IoT Security tipsheet @ end of webcast
Tips for Securing IoT Systems

26. • Build security into devices at the outset, rather than as an
afterthought
• Train employees about the importance of security
• Ensure security is managed at an appropriate level in the organization
• Ensure outside service providers are capable of maintaining reasonable
security, and provide oversight of providers
• Consider a “defense-in-depth” strategy whereby multiple layers of
security may be used to defend against a particular risk
• Keep unauthorized users from accessing device data, or personal info
• Monitor connected devices; provide security patches for known risks
* https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
US FTC IoT Security Best Practices*

27. Polling Question
• Do you plan to purchase/deliver IoT-specific security
training for your team(s) in the next 12 months?

28. Agenda
• IoT security – why it’s so different….and tough
• The IoT ecosystem and attack surface
• Managing liability - IoT risks to consumers and vendors
Auditing IoT development and deployment

29. • All processes in the development of the technology must be controlled
• All protocols and services used must be monitored
• Each new capability is assessed for risk before going live
The following questions and tables
will start you on your way
High-level Objectives (can’t be met 100%)

30. • How is the IoT deployed in our organization today, and who owns it or its
respective components?
• IoT inventory and business activity/role
• Don’t expect the word “IoT” to show up in project docs
• Do we know what data is collected, stored and analyzed? Have we assessed the
legal, security and privacy implications?
• Governance policies cover data captured at thousands of sensors?
• Do we have contingency plans in place in case our IoT “things” are hijacked or
modified for unintended purposes?
Driven by Key Threats & Attack Surface
Start with “Simple” Questions

31. Query Objective
Is Device Built to “minimum
requirements”?
• Fewest features to obtain business objective
Is Device “tamper proof”? • Detect opening of cover or removing a part of the device
• Disable/Notify upon detection
How is critical data protected? • Encrypted storage
• Boot protection, e.g., Trusted Platform Module (TPM)
How are updates processed? • Secure delivery of firmware upgrades
• Physical access required to update device?
Auditing IoT Device Development

32. Query Objective
Secure SDLC practices for
connecting device to systems
• Follow prescriptive methodology, e.g., Microsoft SDL
• Document/mitigate vulnerabilities for open-source
How are boundaries secured? • Check all interfaces of components being integrated for security
flaws
• API security considered, e.g., input/output sanitation
• Protect against fuzzing and buffer overflow attacks
Authentication key protection • Each device requires device IDs and associated authentication
keys, e.g., generated by a cloud service/app
• Protection mechanism pre- and post-deployment.
Physical security considerations • IoT devices in unsecure locations, e.g., public or unsupervised
spaces
• Check debug interfaces (JTAG, UART, etc.) and USB ports for
unintended device or data access
Auditing IoT System Development/Deployment

33. Query Objective
Is Authentication/Authorization
done properly
• Deploy role-based access control
• Mandate the use of multi-factor authentication for privileged
accounts
• Ensure that a strong password management policy is in place
Is the communication channel
secure?
• Secure the Wi-Fi and Bluetooth interfaces by means of secure
configurations (encryption, password, etc.) and drivers
• Secure the exposed services and keys during device enrollment
• Ensure that sensitive data is not sent over unencrypted bus lines
• Test for side-channel leakage by means of power/timing analysis
and glitching attacks
• Configure TLS to conform with accepted encryption standards
Auditing IoT System Development/Deployment

34. Query Objective
System up-to-date? • OS and device drivers at latest versions
• Automatic update enabled
• All updates are signed and verified
• Bootloader verified at every stage of the boot sequence
Malicious activity protections • Antivirus and antimalware on each device (if disallowed by OS,
what’s the risk?)
Event logging • Reviewed frequently for security breach
• Use of human vs. automated/telemetry stream to cloud service
where it can be analyzed
Physical protection • Access controls
• Logging of physical access, such as USB port use
Cloud credential protection • Used for configuring and operating IoT deployment
• Change password frequently
• Refrain from using credentials on public machines
Auditing IoT/Infrastructure Operator

35. Summary
• Follow the data trail - it’s what hackers are looking for
• Big attack surface = lots of open doors = big problems
• Always treat IoT devices as insecure by default
• Understand who owns what activities (both internal and external)
throughout development and deployment

36. • Standards – Set goals and make it easy
Secure coding standards and policy development
Education – Enable me to make the right
decisions
Computer-based and simulation training for an
authentic environment
• Assessment – Show me the Gaps!
Software, Infrastructure and SDLC assessments
How We Help Clients

37. Questions?

38. IoT Developer Mobile Developer
Cloud Developer
• Fundamentals of Secure Mobile Development
• Creating Secure iOS Code in Swift
• Creating Secure Android Code in Java
• OWASP MOBILE SERIES
• Mobile Threats and Mitigations
• Defending Mobile Data with Cryptography
• Mobile App Authentication and Authorization
• Defending Mobile App Code
• Fundamentals of Secure Development
• Web Vulnerabilities – Threats & Mitigations
• Fundamentals of Secure Cloud Development
• Creating Secure Code - AWS Foundations
• Creating Secure Code - Azure Foundations
Infrastructure/Operations
• Securing Network Access
• Securing Operating System Access
• Securing Cloud Instances
• Essential Security Engineering Principles
• Essential Application Protection
• Essential Data Protection
• Application, Technical & Physical Access Controls
We build customized learning paths for the most contextual training
• Insecure IoT Web Interfaces
• Insecure IoT Authentication and Authorization
• Insecure IoT Network
• Insecure IoT Communications
• Insecure IoT Mobile Interface
• Insecure IoT Firmware
• IoT Embedded Systems Security
• Creating Secure C/C++ Code - IoT
Sample Role-Based eLearning Programs

39. Thank You!
@AppSec | eadams@securityinnovation.com
@SecInnovation
getsecure@securityinnovation.com