1.
Jeff Katz, VP Technology, KIWI.KI GmbH @kraln
PRIVACY AND
SECURITY IN THE IOT

2.
"What would your feelings be, seriously, if your
cat or your dog began to talk to you, and to
dispute with you in human accents? You would be
overwhelmed with horror. I am sure of it. And if
the roses in your garden sang a weird song, you
would go mad. And suppose the stones in the
road began to swell and grow before your eyes,
and if the pebble that you noticed at night had
shot out stony blossoms in the morning?"
Arthur Machen, 1890
2

3.
Talk Outline Approximate Length: 50 minutes
Language: English
• Audience
• Short Bio
• Definitions
• Common IoT Architectures
• Security Topic
• Privacy Topic
• Conclusion

4.
Audience
Architects and Developers of the IoT
You• ’re building a connected device
You• ’re designing a system for connected devices
You• ’re evaluating technologies or platforms for your connected devices
You• ’re buying connected devices
Security Researchers
You• ’re interested in evaluating the security of IoT devices and networks

5.
About Me
• Background in Hardware, Firmware
• 2005: Bypassed Copy Protection in
Nintendo DS
• 2011: Openbeacon Social
• 2012: VP Technology of KIWI
• Let’s develop an access control system
that considers user’s privacy!
• Let’s develop an access control system
that isn’t trivial to hack

6.
Definitions
Security
Freedom from risk or danger, doubt or fear, measures adopted to prevent crime,
espionage, sabotage, a state of being protected
Privacy
Of or belonging to one person or group, not the wider population or public… the
state of being away from other people’s sight or interest
Internet of Things
Connecting everything in order to provide amazing user experiences, security and
privacy be damned

7.
Three Common Architectures
Internet
Device
Gateway
Internet
Device
Phone
Device

8.
Internet Connected Devices
• Device is connected directly to the internet, via WiFi or 3G
• Less powerful devices have weak microcontrollers, embedded
IP stacks
• More powerful devices run embedded Linux
• Typically consumer devices
• Typically connect to cloud services for configuration and
management
Internet
Device

9.
WSN Connected Devices
Device connects through Wireless Sensor Network to Gateway•
device, which has internet connection
Gateway device similar profile to• “Internet Connected Devices”
Networking stacks provided by embedded controllers•
• B2C, B2B, and B2G devices
Typically managed by cloud services•
Gateway
Internet
Device

10.
BTLE “Connected” Devices
Device and Phone speak over BTLE•
Phone has Native App•
Phone acts as internet connection, when needed•
No Networking Stack•
Typically consumer devices•
Usually no Internet required•
Phone
Device

11.
Side note: Medical Devices
• Fu, Jack, Halperin, et al.
• Not “Traditional” IoT, yet…

12.
On Security
• Consider your adversary
• Government?
• Well-funded smart people? (University)
• Dedicated Hacker?
• Script kiddie?
• Defense in depth
• Plan for failure
• Shortcuts hurt in the long term

13.
SimpliSafe
Burglar / Fire Alarm System•
Unencrypted Radio Transmission (• 433 MHz)
No• nonces, handshakes, anything…
Five months after vendor notification, no•
response
Februrary• 2016 Advisory Posted
OTP Microcontroller•

14.
LiFX
Lightbulbs connected via• WiFi and 802.15.4
6LoWPAN Mesh Network
Unprotected firmware read out from•
microcontroller
AES (Symmetric) Crypto, Key stored in firmware•
Same Key on all devices•
WiFi• password sent via WSN

15.
“Smart Lock”
• Damien Cauquil @virtualabs spoke at CCCamp, despite bad
behavior vendor not disclosed
• BTLE Connected door lock, sold in EU and US
• Auth required in app only, protocol unsecured
• Can read out logs without authentication
• Can replay door unlocking
• Can drain battery without credentials

16.
Samsung SmartThings
• Hub & App Ecosystem
• Flawed Oauth Implementation
• Subject to clickjacking and other web security flaws
• Privilege Escalation
• More on Samsung in a bit…

17.
ZigBee / ZigBee Pro
Wireless protocol used in many• IoT Devices
2004• -2007, slightly older standard
Simplicity + Low Cost = Low Security•
Locks, Thermostats, HVAC,• IIoT
Classic ZigBee uses CCMP, known plaintext issues•
OTA Key Delivery• —in plaintext
All devices share Key•
No replay protection•

18.
Optionally Secure
Поспеши́шь--люде́й насмеши́шь – haste makes waste

19.
Attack Surfaces in the IoT
• Hardware / Physical Attack
• Firmware / Physical Attack
• Wireless Communications
• Network Implementations
• Services running on Devices
• Insider Threats
• Mobile
• Cloud
Threat
Complexity
Scale

20.
Common failings
Failure to protect against basics•
Replay attacks, unprotected secrets, bad or non• -existent crypto
Failure to include secure firmware update mechanism•
Failure to authenticate communications•
Failure to protect confidentiality of private communications•
Failure to protect secrets in firmware•
Failure to consider attack surface of wireless devices•

21.
Tools
• Signal Monitoring
• Injection
• Imaging
• SDR - $400
• Ubertooth - $120
• ARM Debugger - $70
• Logic Analyzer - $150
Great presentation at RSA by Joe Grand:
https://www.rsaconference.com/events/us15/agenda/sessions/1619/tools-of-the-
hardware-hacking-trade

22.
On Privacy
• "You have zero privacy anyway. Get over
it.”
Scott McNealy, Sun Microsystems
• "We know where you are. We know where
you've been. We can more or less know
what you're thinking about;"
Eric Schmidt, Google/Alphabet
• “No one likes to see a government folder
with his name on it.”
Stephen King

23.
Security affecting Privacy
• Even “Responsible” companies that collect data often fail to secure it
• Against data breach
• Against government intervention
• Against accidental disclosure
• The most responsible thing to do with data is not to collect it!

24.
Over-collection
Smart Meter - “I need to measure the power consumption in order to charge
an accurate bill”
Also measures: Correlation between power usage and time of day•
Knows when you are home•
Knows what show you are watching on TV•
Smart Thermostat – “I need to know the temperature to regulate your
apartment”
Also measures: Humidity, Motion, Light, Weather•
Knows when you take a shower•
Knows where in your home you are•

25.
Samsung TV Agreement
"Please be aware that if your spoken words include
personal or other sensitive information, that information
will be among the data captured and transmitted to a
third party through your use of Voice Recognition.“
"Samsung takes consumer privacy very seriously. In all
of our Smart TVs we employ industry-standard security
safeguards and practices, including data encryption, to
secure consumers' personal information and prevent
unauthorized collection or use."

26.
Amazon Echo
• Streamed to the cloud
• Processed in the cloud
• Saved in the cloud

27.
Ethics

28.
Ubiquity, Then
Sign up for service, Ignore T&C•
Use service, your data is gathered•
Relationship between you and service is clear, even if• usage is not
Tracked everywhere you use service•
Regulated•

29.
Ubiquity, Now
• Walk down the street

30.
False Dichotomy
• Do we really have to choose?

31.
In Numbers
Cisco Says, By 2019:
• nearly 3.9 billion global Internet users (>51% world’s population)
• 24 billion networked devices and connections globally
• Worth $19 trillion
• 10.5 billion M2M Connections
• The connected home, including smart appliances, home security and
network devices such as printers will make up 50% of M2M Connections

32.
What kind of world are we building?

33.
Jeff Katz, VP Technology, KIWI.KI GmbH @kraln
PRIVACY AND SECURITY
IN THE IOT