IoTNEXT 2016 - SafeNation Track


Transcript of IoTNEXT 2016 - SafeNation Track

Page 1: IoTNEXT 2016 - SafeNation Track

Las Vegas comes to Bengaluru!

IoTNext 2016 - SafeNation Track

• Arvind Tiwary

• Ravi Mishra

• Vishwas Lakkundi

• Devesh Bhatt

Page 2: IoTNEXT 2016 - SafeNation Track

Task Force on IoT Security

IoT Forum & CISO platform join hands to create IoT Security Task force

Readying up the Nation for #IoTSecurity

The task force is chartered to develop threat models and controls, and to assist players in new techno-legal-commercial arrangements that improve IoT security

Fresh Thinking around Security for IoT

Page 3: IoTNEXT 2016 - SafeNation Track

The Indus Entrepreneurs (TiE) Network

• 15,000+ members globally

• 58 chapters spread across the globe

• 18 countries

• 2,500+ charter members globally

• 1999: Bangalore chapter started

• 750+ members in Bangalore

• 1,000+ startups at TiE Bangalore

• 75+ events per year in Bangalore

• 1992: TiE Silicon Valley started

• 125+ mentors/CMs in Bangalore

Page 4: IoTNEXT 2016 - SafeNation Track

TiE IoT Forum Activities: 12 Billion Indian IoT Market

▪ June 5: Open House (attended by 125+ participants)

▪ June 26: Communication (connectivity workshop attended by over 25 participants)

▪ Aug 6: Bluetooth (technical deep dive session attended by over 35 participants)

▪ Aug 22: Surveillance workshop with B.PAC for schools (attended by over 25 participants)

▪ Sep 11: MOU with IESA; press coverage in leading online and print media

▪ Sep 11: Smart Water, Power & Internet: Public Utilities for the City of the Future (TiE IESA Bangalore, attended by 280+ participants)

▪ Sep 18: IoT in Retail (attended by 65+ participants)

▪ Nov 13: Crowdfunding Your IoT Product (attended by 75+ participants)

▪ Nov 19: MEMS technical deep dive session (attended by 30+ participants)

▪ Nov 20: Smart Devices: Leveraging Consumerization and Open Innovation for the Future (TiE IESA Hyderabad, 65+ participants)

▪ Feb 20: IoT-based Smart Grid: Core of Sustainable Living (TiE IESA Delhi, 50+ participants)

▪ Feb 26: Contiki IoT workshop: Middleware for IoT (RBCCPS Bangalore, 40 participants)

▪ March 10: Workshop Demystifying IoT (TiE IESA Pune, 50 participants)

▪ March 10: Smart Vehicles: The IoT Future (TiE IESA Pune, 50 participants)

▪ May 9: IoT Innovation Showcase by 16 startups (150+ participants)

▪ June 25: Smart Agriculture and Smart Healthcare (TiE IESA with pan-India colleges and universities, 175+ participants)

▪ Sep 25: IoT Security, an IEEE partner event (75+ participants)

▪ Dec 4-5: IEEE Bangalore: Leveraging Use Cases to Validate IoT Opportunities (partner event, 200+ participants)

▪ Dec 9-10: IoT Next 2015 (700+ participants, 60 speakers, 20 startups)

Period covered: 2014 to 2015

Overall: 20+ events, 2000 attendees, 280+ startups

Page 5: IoTNEXT 2016 - SafeNation Track

About CISO Platform

Industry's 1st dedicated collaboration platform for CISOs and senior IT security leaders, with the vision to:

• Help CISOs make the right IT security decisions using our decision tools, content and peer collaboration

• Build a community-based knowledge repository in the form of structured research and reference documents

Current research areas include:

• IoT Security • Cyber Crisis Management • Cyber Security Index • Top N Threats & Controls Mapping

• Enterprise Security Architecture • Using AI for Security Decisions

Page 6: IoTNEXT 2016 - SafeNation Track

FRIDAY OCTOBER 21, 2016

DO YOU REMEMBER THIS DATE??

Page 7: IoTNEXT 2016 - SafeNation Track

LARGEST DDOS ATTACK AGAINST DYN

Page 8: IoTNEXT 2016 - SafeNation Track

Why Did Dyn Fail?

▪ A large network of compromised devices was used to flood Dyn's servers with traffic

▪ In particular, servers used as part of Dyn's enterprise offerings were targeted

▪ Dyn wasn't able to handle the additional traffic, and its servers either stopped responding or responses were substantially delayed.

Page 9: IoTNEXT 2016 - SafeNation Track

Who Did it and Why?

Page 10: IoTNEXT 2016 - SafeNation Track

How can we minimize the risk?

▪ Use multiple DNS providers. This way, if one experiences problems, the others serve as backup

▪ This requires additional tooling and setup to keep our zone data synchronized across the different providers

▪ We can maintain some DNS servers in house to provide limited service to internal users, and as a last resort if we are not targeted ourselves but experience issues due to collateral damage

▪ Adjust our DNS configuration to allow caching of our records (increase the "Time to Live")
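The first and last of these points can be checked mechanically. The Python below is an added example, not code from the slide deck or any of the presenters: it parses a small constructed, BIND-style zone snippet, groups the NS records by provider (the registrable domain of each name-server host stands in for "provider", an assumption), and flags a zone served by a single provider or records whose TTL falls below an assumed one-hour minimum.

```python
"""Added example: check a zone for DNS-provider diversity and caching TTLs.

Assumptions (not from the slide deck): the zone is given as BIND-style lines
"name TTL class type rdata", the provider of a name server is approximated by
the last two labels of its host name, and one hour is the minimum TTL we want
resolvers to cache our records for.
"""
from collections import defaultdict

# Constructed sample zone; names and addresses are placeholders.
SAMPLE_ZONE = """\
; constructed zone for example purposes
example.test.      300   IN  NS  ns1.provider-a.test.
example.test.      300   IN  NS  ns2.provider-a.test.
example.test.      300   IN  NS  ns1.provider-b.test.
example.test.      60    IN  A   192.0.2.10
www.example.test.  60    IN  A   192.0.2.10
api.example.test.  3600  IN  A   192.0.2.20
"""

MIN_TTL_SECONDS = 3600  # assumed threshold: keep records cached for an hour


def parse_zone(text):
    """Return (name, ttl, type, rdata) tuples; comments and short lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        name, ttl, _cls, rtype = parts[0], int(parts[1]), parts[2], parts[3]
        records.append((name, ttl, rtype.upper(), " ".join(parts[4:])))
    return records


def provider_of(ns_host):
    """Approximate the operator of a name server by its registrable domain."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess(records, min_ttl=MIN_TTL_SECONDS):
    """Group NS records by provider and list findings a defender should act on."""
    providers = defaultdict(list)
    findings = []
    for name, ttl, rtype, rdata in records:
        if rtype == "NS":
            providers[provider_of(rdata)].append(rdata)
        elif rtype in ("A", "AAAA", "CNAME") and ttl < min_ttl:
            findings.append("%s TTL %ds is below %ds" % (name, ttl, min_ttl))
    if len(providers) < 2:
        findings.insert(0, "single DNS provider: %s" % ", ".join(sorted(providers)))
    return {"providers": dict(providers), "findings": findings}


if __name__ == "__main__":
    for finding in assess(parse_zone(SAMPLE_ZONE))["findings"]:
        print(finding)
```

Raising TTLs has a cost the slide does not mention: a long TTL also delays planned address changes and any failover that relies on changing a record, so it should accompany the multi-provider setup rather than replace it.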

Page 11: IoTNEXT 2016 - SafeNation Track

IoT Architectural Layers

Layers (left to right): End Nodes, Hubs, Gateway, Platform, Applications, Touchpoints

Examples shown on the slide: Temp Sensor, Vibration Sensor, Fitness tracker, Electric Meter, Switch Actuator; Router Nodes, EdgeRouter, Smartphone, LPWAN Basestations; Opensource, Commercial, Device Management, Access Management, Security; End user, City Managers, System Admin, City One, Operations Center; Apps, SMS, Email, Social Media, 3rd Party

Page 12: IoTNEXT 2016 - SafeNation Track

Components of an IoT Node

Hardware Layers: Microcontroller, RF Transceiver, External Memory, Sensors/Actuators, Power Source/Storage, Energy Harvesting

Software layers above the hardware:

▪ Low-level Device Drivers

▪ Energy-aware RTOS (optional), Protocols and Middleware

▪ App Interfaces for Sensors, Communication, Processing, ...

Page 13: IoTNEXT 2016 - SafeNation Track

Security of Nodes

▪ Securing the end nodes (physical accessibility)

▪ Securing the network links

▪ Securing remote device management

▪ Securing admin operations

▪ OS security configurations

▪ Patching and firmware updates

▪ Reverse engineering of just one node can lead to an insecure network!
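The last bullet is the reason fleet-wide shared secrets are dangerous: if every node carries the same credential, extracting it from one unit authenticates an attacker to the whole network. The Python below is an added example, not code from the slide deck or the IoT Forum, showing the mitigation: the provisioning service derives a unique key for each node from a master secret it never ships, so a key recovered from one node is useless for impersonating another and can be revoked on its own. The master secret, the device identifiers and the use of HMAC-SHA256 as derivation function and message authentication code are all assumptions of the example; the same pattern is what secure on-boarding of devices at a gateway relies on.

```python
"""Added example: per-device key derivation so that one reverse-engineered
node does not expose the rest of the fleet.

Assumptions (not from the slide deck): HMAC-SHA256 serves both as key
derivation function and as message authentication code; the master secret
below is a constructed placeholder that in practice lives only in the
provisioning service (ideally in an HSM), never on a node.
"""
import hashlib
import hmac

MASTER_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
REVOKED = set()  # device ids whose keys have been withdrawn after compromise


def derive_device_key(master, device_id, purpose=b"auth"):
    """key_i = HMAC(master, purpose || 0x00 || device_id): unique per device and
    not invertible back to the master secret from any single key."""
    return hmac.new(master, purpose + b"\x00" + device_id, hashlib.sha256).digest()


def provision(master, device_id):
    """What the factory / on-boarding step installs on one node."""
    return {"id": device_id, "auth_key": derive_device_key(master, device_id)}


def sign_report(node, payload):
    """Node side: authenticate a sensor report with the node's own key."""
    return hmac.new(node["auth_key"], node["id"] + b"\x00" + payload,
                    hashlib.sha256).digest()


def verify_report(master, device_id, payload, tag):
    """Platform side: re-derive the claimed device's key and check the tag."""
    if device_id in REVOKED:
        return False
    expected = hmac.new(derive_device_key(master, device_id),
                        device_id + b"\x00" + payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Constructed scenario: node A's key leaks; node B stays safe."""
    node_a = provision(MASTER_SECRET, b"node-A")
    node_b = provision(MASTER_SECRET, b"node-B")
    reading = b"temp=21.5"

    legit_b = verify_report(MASTER_SECRET, b"node-B", reading,
                            sign_report(node_b, reading))
    # Someone holding node A's extracted key tries to report as node B.
    forged = {"id": b"node-B", "auth_key": node_a["auth_key"]}
    forged_b = verify_report(MASTER_SECRET, b"node-B", reading,
                             sign_report(forged, reading))
    # Once A's compromise is detected, only A is revoked; B keeps working.
    REVOKED.add(b"node-A")
    a_after_revoke = verify_report(MASTER_SECRET, b"node-A", reading,
                                   sign_report(node_a, reading))
    REVOKED.discard(b"node-A")
    return {"legit_b": legit_b, "forged_b": forged_b,
            "a_after_revoke": a_after_revoke}


if __name__ == "__main__":
    print(demo())
```

With a single shared fleet key the forged report in demo() would verify; with per-device derivation the platform can also rotate or revoke one node without touching the others, which is what makes "patching and firmware updates" after a compromise a bounded job.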

Page 14: IoTNEXT 2016 - SafeNation Track

Threat Model

Page 15: IoTNEXT 2016 - SafeNation Track

Components of an IoT Gateway

Microprocessor, Applications, Local Storage/Database, Local/Edge Analytics, Power Source, Local UI, Protocol Translators/Proxies, Cloud Connectivity, Security

Page 16: IoTNEXT 2016 - SafeNation Track

Security of Gateways

▪ Protocol Translation vs End-to-End Encryption

▪ Secure On-boarding of Devices

▪ Secure Boot

▪ Firewalls

▪ Intrusion Prevention System

▪ Access Control Policy

▪ Root of Trust and TPM

▪ Security Updates
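Secure boot and a root of trust appear in the list without detail. The Python below is an added example, not code from the slide deck or any gateway product, modelling the chain as a hash chain: an immutable anchor (standing in for a hash burned into ROM or OTP fuses at manufacture) vouches for the bootloader image, and the bootloader image carries the expected hash of the one application it may start; a stage whose measurement does not match halts the boot instead of handing over control. Real systems anchor a public key and verify signatures so images can be updated without re-burning the anchor; that difference, the image contents and the framing are assumptions of the example.

```python
"""Added example: a simplified secure-boot chain for an IoT gateway.

Assumptions (not from the slide deck): the root of trust is a SHA-256 hash of
the bootloader kept in immutable storage; the bootloader image embeds the
hash of the single application image it may launch; the images are
constructed byte strings standing in for real binaries.
"""
import hashlib
import hmac

APP_HASH_MARKER = b"|APP_SHA256="


def sha256(data):
    return hashlib.sha256(data).digest()


def build_bootloader(code, app_image):
    """Factory step: append the application's expected hash to the bootloader."""
    return code + APP_HASH_MARKER + sha256(app_image).hex().encode()


def rom_stage(anchor, bootloader_image):
    """Immutable first stage: measure the bootloader against the burned-in anchor."""
    return hmac.compare_digest(anchor, sha256(bootloader_image))


def bootloader_stage(bootloader_image, app_image):
    """Second stage: launch only the application whose hash the bootloader carries."""
    marker_at = bootloader_image.rfind(APP_HASH_MARKER)
    if marker_at < 0:
        return False
    expected_hex = bootloader_image[marker_at + len(APP_HASH_MARKER):]
    try:
        expected = bytes.fromhex(expected_hex.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return False
    return hmac.compare_digest(expected, sha256(app_image))


def boot(anchor, bootloader_image, app_image):
    """Run the chain; every failure halts before the next stage gets control."""
    if not rom_stage(anchor, bootloader_image):
        return "halted: bootloader measurement mismatch"
    if not bootloader_stage(bootloader_image, app_image):
        return "halted: application measurement mismatch"
    return "booted"


# Constructed images and the anchor that manufacturing would burn in.
BOOTLOADER_CODE = b"gateway bootloader v1"
APP_IMAGE = b"gateway app v1: mqtt proxy, firewall, cloud connector"
BOOTLOADER_IMAGE = build_bootloader(BOOTLOADER_CODE, APP_IMAGE)
ROM_ANCHOR = sha256(BOOTLOADER_IMAGE)


def demo():
    """Genuine chain boots; a modified application or bootloader halts."""
    return {
        "genuine": boot(ROM_ANCHOR, BOOTLOADER_IMAGE, APP_IMAGE),
        "tampered_app": boot(ROM_ANCHOR, BOOTLOADER_IMAGE,
                             APP_IMAGE.replace(b"firewall", b"no-firewall")),
        "tampered_bootloader": boot(
            ROM_ANCHOR, build_bootloader(b"unsigned loader build", APP_IMAGE),
            APP_IMAGE),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The halt outcomes are also where a TPM-style root of trust adds value: recording each stage's measurement before handing over lets the platform attest later which images actually ran, rather than trusting the gateway's own report.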

Page 17: IoTNEXT 2016 - SafeNation Track

Threat Model

Page 18: IoTNEXT 2016 - SafeNation Track

APPLICATION SECURITY

Page 19: IoTNEXT 2016 - SafeNation Track

Types of Threats

▪ Network: threats against the network (spoofed packets, etc.)

▪ Host: threats against the host (buffer overflows, illicit paths, etc.)

▪ Application: threats against the application (SQL injection, XSS, input tampering, etc.)

Page 20: IoTNEXT 2016 - SafeNation Track

BHUSA and DEFCON Talk Trends

BlackHat

▪ Total talks: 117

▪ Top 5 domains:

▪ Malware - 22 talks

▪ Platform security: VM, OS, Host, Container - 21 talks

▪ Exploit development - 15 talks

▪ Android, iOS security - 13 talks

▪ Internet of Things - 13 talks

DEFCON

▪ Total talks: 100

▪ Top 5 domains:

▪ Internet of Things - 19 talks

▪ Network security - 13 talks

▪ Application security - 10 talks

▪ Critical infrastructure protection - 7 talks

▪ Penetration testing - 7 talks

Page 21: IoTNEXT 2016 - SafeNation Track

Detailed Trends (chart: BlackHat vs DEFCON)

Page 22: IoTNEXT 2016 - SafeNation Track

KEY ATTACKS OF 2016

Page 23: IoTNEXT 2016 - SafeNation Track

TOP Talks

1. Building Trust and Enabling Innovation for Voice Enabled IoT by Lynn Terwoerds (BHUSA)

2. Let's Get Physical: Network Attacks Against Physical Security Systems (DEFCON)

3. A Lightbulb Worm? by Colin O'Flynn (BHUSA)

4. Can You Trust Autonomous Vehicles? by Jianhao Liu, Chen Yan, Wenyuan Xu (DEFCON)

5. Picking Bluetooth Low Energy Locks from a Quarter Mile Away by Anthony Rose (DEFCON)

Page 24: IoTNEXT 2016 - SafeNation Track

Picking BLE Locks from a Quarter Mile Away by Anthony Rose

1. BLE is Bluetooth Low Energy, designed for apps that don't need to exchange large amounts of data

✓ Operates on the 2.4 GHz frequency

✓ Used in car locks, bike locks, padlocks, door locks, gun cases, lockers, ATMs, Airbnb, etc.

✓ Short range (<100 m) and consumes very little energy

✓ Total of 3 billion devices per year

2. Attack set-up

✓ Ubertooth One

✓ Bluetooth dongle

✓ High beam antenna

✓ Raspberry Pi

Page 25: IoTNEXT 2016 - SafeNation Track

1. Sniffing - plain text passwords

➢ War dialing by roaming around using the Ubertooth One

➢ The high beam antenna makes it easier to capture far-away signals.

➢ The attacker sniffs the BLE traffic, gets the dump and takes out the user password

➢ Uses HCI and the Bluetooth dongle to send the authentication request to the device, and it opens up

2. Replay attacks

➢ Devices like Ceomate, Elecycle, Vians and Lagute use encryption (AES-256)

➢ Sniffing the complete packet as-is, with the password in encrypted form, is still enough to break into the lock

Picking BLE Locks from a Quarter Mile Away by Anthony Rose

Page 26: IoTNEXT 2016 - SafeNation Track

3. Fuzzing devices (Okidokey)

▪ This exploits the fail-safe mechanism in the devices

▪ The vendor initially claimed AES-256 plus custom-developed encryption (which is not a good idea)

▪ When the attacker sniffed the traffic, he noticed message packets carrying some commands and a couple of random-looking keys which looked very difficult to break

▪ The first part is an opcode and the second part is the actual key

▪ The attacker changed the 3rd byte to 0; the device went into an error state, and since no error state was defined, it simply unlocked itself

▪ It turned out that their patented crypto was the culprit: the previous keys were XORed to obtain the new keys.

Picking BLE Locks from a Quarter Mile Away by Anthony Rose

Page 27: IoTNEXT 2016 - SafeNation Track

4. Decompiling APKs

▪ This was done with the Danalock door lock.

▪ Download the APK ---> dex to jar ---> analyse

▪ Reveals the encryption method and hardcoded passwords

▪ XOR(password, thisishtesecret) and store it in the table

5. Device spoofing

▪ This was done with Bitlock, which is a padlock for bikes

▪ This is possible where user authentication happens on a web server and nothing is stored on the device

▪ The attacker here impersonates the lock and steals the sensitive encrypted nonce from the user.

Picking BLE Locks from a Quarter Mile Away by Anthony Rose

Page 28: IoTNEXT 2016 - SafeNation Track

Picking BLE Locks from a Quarter Mile Away by Anthony Rose

Page 29: IoTNEXT 2016 - SafeNation Track

Picking BLE Locks from a Quarter Mile Away by Anthony Rose

Page 30: IoTNEXT 2016 - SafeNation Track

CONTROLS

✓ Encryption (AES-256)

✓ Random nonce

✓ Strong passwords, multi-factor authentication

✓ No hard-coded passwords
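Two of the failures summarised on the preceding slides, the replayed packet and the device that unlocked when it hit an undefined error state, are what the random nonce and fail-closed handling in this list prevent. The Python below is an added example, not code from the talk or from any lock vendor: a model of a lock that issues a fresh random challenge, accepts a command only if it carries a valid MAC over the opcode and that challenge, consumes each challenge once, and rejects anything malformed while staying locked. HMAC-SHA256 (rather than the AES-256 named on the slide), the 49-byte framing and a per-lock key provisioned at pairing time instead of a password hard-coded in the app are assumptions of the example.

```python
"""Added example: lock-side controls against replay and malformed commands.

Assumptions (not from the talk): each lock holds its own key installed at
pairing time (nothing hard-coded in the app); a command is framed as
opcode (1 byte) || nonce (16 bytes) || HMAC-SHA256 tag (32 bytes); the lock
issues the nonce itself, so a captured frame cannot be replayed.
"""
import hashlib
import hmac
import os

OP_UNLOCK = 0x01
OP_LOCK = 0x02
FRAME_LEN = 1 + 16 + 32


def mac(key, opcode, nonce):
    return hmac.new(key, bytes([opcode]) + nonce, hashlib.sha256).digest()


class Lock:
    def __init__(self, key):
        self.key = key
        self.pending = None   # challenge issued but not yet consumed
        self.used = set()     # challenges that already authorised a command
        self.is_open = False

    def challenge(self):
        """Issue a fresh random nonce for the next command."""
        self.pending = os.urandom(16)
        return self.pending

    def command(self, frame):
        """Fail closed: every rejection leaves the bolt exactly where it was."""
        if len(frame) != FRAME_LEN:
            return "rejected: malformed frame"
        opcode, nonce, tag = frame[0], frame[1:17], frame[17:]
        if opcode not in (OP_UNLOCK, OP_LOCK):
            return "rejected: unknown opcode"
        if self.pending is None or nonce != self.pending or nonce in self.used:
            return "rejected: stale or unknown nonce"
        if not hmac.compare_digest(mac(self.key, opcode, nonce), tag):
            return "rejected: bad tag"
        self.used.add(nonce)
        self.pending = None
        self.is_open = opcode == OP_UNLOCK
        return "unlocked" if self.is_open else "locked"


def app_frame(key, opcode, nonce):
    """Phone side: answer the lock's challenge with an authenticated command."""
    return bytes([opcode]) + nonce + mac(key, opcode, nonce)


def demo():
    """Constructed walk-through of the controls against the failure modes."""
    key = os.urandom(32)  # per-lock key, provisioned at pairing time
    lock = Lock(key)
    outcomes = {}

    frame = app_frame(key, OP_UNLOCK, lock.challenge())
    outcomes["legit"] = lock.command(frame)
    lock.command(app_frame(key, OP_LOCK, lock.challenge()))

    # Replay: the captured unlock frame is sent again after a new challenge.
    lock.challenge()
    outcomes["replay"] = lock.command(frame)

    # Corrupted input: one tag byte flipped. The lock reports an error and
    # stays closed instead of treating the undefined state as "open".
    nonce = lock.challenge()
    good = app_frame(key, OP_UNLOCK, nonce)
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])
    outcomes["corrupted"] = lock.command(corrupted)
    outcomes["truncated"] = lock.command(good[:10])
    outcomes["still_closed"] = not lock.is_open
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Because the lock generates the nonce and forgets it once used, a recorded frame is worthless even though it is a valid ciphertext-plus-tag, which is the property the replayed AES-256 packets on the earlier slide lacked; a production device would bound the used-nonce set with a counter or sliding window rather than an unbounded set.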

Page 31: IoTNEXT 2016 - SafeNation Track

Fresh Thinking around Security for IoT

Page 32: IoTNEXT 2016 - SafeNation Track

Fresh Thinking: Is the Emperor Naked?

Page 33: IoTNEXT 2016 - SafeNation Track

Urban City: Does every house need to be a Fort Knox?

▪ The Wild West

▪ The Frontier Town

▪ The City

▪ The Megapolis

▪ The Township

Rights of Self Defence and Delegated Policing in Cyberspace?

The Cyber Rights

Page 34: IoTNEXT 2016 - SafeNation Track

Going Forward..

▪ Technical Roadmap

▪ Community Engagement

▪ Deep practitioners

▪ Architectural

www.IoTForIndia.org

Page 35: IoTNEXT 2016 - SafeNation Track

REFERENCES

❖ https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

❖ https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

❖ https://www.blackhat.com/us-16/briefings.html

❖ https://www.defcon.org/html/defcon-24/dc-24-index.html

❖ https://isc.sans.edu/presentations/dyndnsattack.pptx

❖ https://www.mdsec.co.uk/2016/10/building-an-iot-botnet-bsides-manchester-2016/

Special thanks to:

❖ Lynn Terwoerds for "Building Trust and Enabling Innovation for Voice Enabled IoT"

❖ Ricky Lawshae for "Let's Get Physical: Network Attacks Against Physical Security Systems"

❖ Eyal and Colin O'Flynn for "A Lightbulb Worm?"

❖ Jianhao Liu, Chen Yan, Wenyuan Xu for "Can You Trust Autonomous Vehicles?"

❖ Anthony Rose and Ben Ramsey for "Picking Bluetooth Low Energy Locks from a Quarter Mile Away"

Page 36: IoTNEXT 2016 - SafeNation Track

Thank You