Security the IoT World!
Aug 19, 2015
Hello! I am Aaron Guzman
Pentester
Chapter Leader for OWASP, CSA, HTCIA
You can find me at: @scriptingxss
Agenda
The Basics: IoT?
The Concepts: Digging a little deeper
Supply Chain: Push out those ideas to market
The Realities: Numbers on the rise
The Issues: Pfft... what's security? But wait, my privacy
The Resolutions: Saving the world
The Basics: IoT
What Exactly is IoT?
“The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”
Source: http://www.gartner.com/it-glossary/internet-of-things/
Source: http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
The Concepts: IoT
Digging a little deeper
Hardware
IoT OS and Frameworks
Platform = The Cloud
Protocols for Communication
❏ Zigbee
❏ Wi-Fi
❏ NFC
❏ Z-Wave
❏ CoAP
❏ 6LoWPAN
❏ XMPP
❏ BLE
❏ SOAP
❏ REST
❏ MQTT
❏ Lutron
❏ RFID
❏ GSM
Hubs
4.9 Billion Connected Devices in 2015
Source: http://www.gartner.com/newsroom/id/2905717
PCB
❏ Pads
❏ Leads
❏ Traces
❏ Silkscreens
❏ Analog vs Digital
❏ Layers (4)
❏ Reflow
Source: https://learn.sparkfun.com/tutorials/electronics-assembly
Board Support Packages (BSP)
❏ VxWorks
❏ Marvell
❏ Broadcom
❏ Texas Instruments
❏ Intel
❏ AMD
❏ NXP
★ Create the device drivers
Original Design Manufacturer (ODM)
❏ Designs and manufactures a product
❏ Eventually rebranded by another firm for sale
❏ Allows the brand firm to produce (either as a supplement or solely) without having to engage in the organization or running of a factory
❏ Own cloud infrastructures for customers
❏ Provide SDKs
★ Many ODMs in China
★ A dime a dozen
http://en.wikipedia.org/wiki/Original_design_manufacturer
Cloud Service Providers
❏ Amazon
❏ Microsoft
❏ Google
❏ Thingsworx
❏ ODM Clouds
❏ Have their own SDKs
❏ Who knows where else?
Original Equipment Manufacturer (OEM)
❏ Manufacturers who resell another company's product under their own name and branding.
❏ Offers its own warranty, support and licensing of the product.
http://en.wikipedia.org/wiki/Original_design_manufacturer
IoT Supply Chain Process
BSP, ODM, OEM, CSP
★ Each likely to outsource development work and have multiple teams
Keep in Mind
❏ Hardware comes from everywhere
Primary Roles
❏ Sales
❏ PMs
❏ Engineers
Supply Chain Process (Cont)
Sales
★ Get the business
★ Outreach
★ Create relationships
PMs
★ Prioritizes
★ Objective based
★ Project specific to engineer team
Engineers
★ Write code
★ May not be a big team
★ Different workflows per dev team
★ Split up into features, i.e. UI team, UX team, backend, Android, iOS
Anyone Looking at Security??
Hardware Security (Exploitation)
Vectors
❏ UART
❏ JTAG
❏ EEPROM
❏ SPI
❏ SOIC
❏ I2C
Tools
❏ Shikra (UART, SPI, JTAG)
❏ Bus Pirate
❏ JTAGulator
❏ GoodFET
❏ flashrom
❏ EE Tools
❏ Chipquick
Source: my Linksys 1900ac :)
Embedded Security
Common
❏ TCP
❏ Toolchains (libs)
❏ UART
❏ JTAG
❏ Layer 7
❏ EEPROM
❏ Bluetooth
Less Common
❏ TCP
❏ Flash
❏ GSM
❏ GPS
❏ I2C
❏ Kernel (115 CVEs in 2014)
Source: http://lwn.net/talks/2015/kr-lca-2015.pdf
Wireless Security aka RF
❏ Zigbee (2.4GHz, 915MHz)
  ❏ KillerBee Framework
  ❏ Soon: Xipiter's “RFCat Zigbee”
  ❏ Atmel
❏ 802.11
  ❏ Hundreds of tools
❏ Z-Wave
  ❏ Z-Force
❏ Bluetooth LE
  ❏ nRF51822 - v1.0
❏ Proprietary bands
  ❏ TI CC1111
First time sniffing BLE traffic
Source: http://securityreactions.tumblr.com/
Android App Security
❏ WebView Security
  ❏ Privacy
  ❏ Client-side Inject
❏ AndroidManifest.xml
  ❏ Permissions
  ❏ Activities, Broadcast Receivers, Services
❏ Android APIs
❏ Memory Security
❏ addJavascriptInterface
❏ Secure Storage
❏ Transport Security
  ❏ SSL Pinning
iPhone App Security
❏ UIWebView Security
  ❏ Privacy
  ❏ Client-side Inject
❏ Data Protection
❏ Cloud API Security
❏ iOS SDK API
❏ Memory Security
  ❏ Injection Attacks
  ❏ Memory Corruption
❏ Transport Security
  ❏ SSL Pinning
❏ Blackbox Assessments
❏ Logging
❏ HomeKit
Web App / Operational Security
❏ Network Security
  ❏ ACLs
❏ Systems
  ❏ DB
  ❏ Web servers
  ❏ LBs
  ❏ Daemons
❏ Application Security
  ❏ Language
  ❏ Frameworks
  ❏ 3rd Party Libs
A lot of work!!!....
Desktop Apps
❏ Windows
❏ OSX
❏ Old School CD setup
❏ Data storage
❏ Data permissions
❏ Persistence
Source: http://securityreactions.tumblr.com/
Known Security Downfalls
Source: http://securityreactions.tumblr.com/
“Because computers go through so many hands before they're delivered to you, there's a serious concern that anyone could backdoor the computer without your knowledge.”
Source: Jonathan Brossard - http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/
What not to do
❏ UART pins exposed unauthenticated or using simple passwords
❏ Manufacturing debugging scripts
❏ Backdoors using secret user agents
❏ Private keys on devices (don't rely on obscurity)
❏ Default passwords
★ Ton of other backdoors, from software down to HDL code in the chipset
Secure It Already (Embedded)
❏ Restrict shell with tamper-resistant epoxy and silkscreen
❏ Very long passwords
❏ Update kernel and packages
❏ Harden OS by removing unused code
❏ Secure updates
❏ Secure C functions
❏ Verify and test code
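An added example (not from the talk) for the "Secure C functions" point: a device copies a Wi-Fi SSID from its configuration interface into a fixed-size field, first with an unbounded strcpy, then with a length-checked copy that rejects bad input instead of storing it. The struct, field sizes and sample SSIDs are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: the SSID field sits directly before the PSK. */
#define SSID_MAX 32

struct wifi_cfg {
    char ssid[SSID_MAX + 1];   /* 32 bytes plus terminator */
    char psk[64];              /* next in memory after ssid */
};

/* "Before": no length check. An over-long SSID runs past ssid into psk
 * and beyond. Kept only to show the defect; never call it in firmware. */
void set_ssid_unsafe(struct wifi_cfg *cfg, const char *ssid)
{
    strcpy(cfg->ssid, ssid);
}

/* "After": measure with a bounded scan, reject empty or over-long input,
 * and only then copy. cfg is left untouched on rejection so the caller
 * can report a bad request rather than persist a truncated value. */
bool set_ssid_safe(struct wifi_cfg *cfg, const char *ssid)
{
    size_t n = 0;
    while (n <= SSID_MAX && ssid[n] != '\0')
        n++;                            /* never reads past SSID_MAX + 1 */
    if (n == 0 || n > SSID_MAX)
        return false;
    memcpy(cfg->ssid, ssid, n);
    cfg->ssid[n] = '\0';
    return true;
}

/* Returns 1 if ssid was accepted and stored intact, 0 if rejected. */
int ssid_check(const char *ssid)
{
    struct wifi_cfg cfg;
    memset(&cfg, 0, sizeof cfg);
    if (!set_ssid_safe(&cfg, ssid))
        return 0;
    return strcmp(cfg.ssid, ssid) == 0 ? 1 : 0;
}

int main(void)
{
    /* 40 'A's: the unsafe path would overflow; the safe path rejects it. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("home-net accepted: %d\n", ssid_check("home-net"));
    printf("40-char SSID accepted: %d\n", ssid_check(too_long));
    return 0;
}
```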
Regulatory Impact
“Implement ‘security by design.’ Rather than grafting security on as an afterthought, build it into your products or services at the outset of your planning process.”
Source: https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf
FTC and EU Commission
❏ Privacy by Design
❏ Security by Design
❏ Categorization of IoT devices
❏ Biggest consumer protection
http://www.ftc.gov/news-events/press-releases/2013/04/ftc-seeks-input-privacy-and-security-implications-internet-things
Something is Missing
IoT Supply Chain: How can we make it more secure?
Fixing the IoT
❏ LIABILITY!
❏ Security service agreements with ODMs
❏ Legal repercussions
❏ Community projects
❏ Security awareness
❏ Security processes in the SDLC
❏ A common certification standard (Wi-Fi & Zigbee)
★ Realistic? ......... Maybe
Defense in Depth!!!
How to help