Io t slides_iotvillage

Security the IoT World!

Hello!I am Aaron Guzman PentesterChapter Leader for OWASP CSA HTCIAYou can find me at:@scriptingxss

Agenda

The BasicsIoT?

The conceptsDigging a little deeper

Supply ChainPush out those ideas to market

The realitiesNumbers on the rise

The issuesPfft...whats security? But wait, my privacy

The ResolutionsSaving the world

The BasicsIoT

What Exactly is IoT?

“The Internet of Things (IoT) is

the network of physical objects that contain embedded

technology to communicate and sense or interact with their internal states or the external

environment..Source: http://www.gartner.com/it-glossary/internet-of-things/

Source http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

The ConceptsIoT

Digging a little deeper

Hardware

IoT OS and Frameworks

Platform = The Cloud

Protocols for Communication

❏ Zigbee❏ Wi-Fi❏ NFC❏ Z-Wave❏ CoAP❏ 6LoPAN❏ XMPP❏ BLe❏ SOAP❏ REST❏ MQTT❏ Lutron❏ RFID❏ GSM

Hubs

4.9 BillionConnected Devices in 2015

Source:http://www.gartner.com/newsroom/id/2905717

PadsLeadsTracesSilkscreensAnalog vs DigitalLayers (4)Reflow

PCB

source: https://learn.sparkfun.com/tutorials/electronics-assembly

❏ VxWorks❏ Marvell❏ Broadcom❏ Texas Instruments❏ Intel❏ AMD❏ NXP★ Create the device

drivers

Board Support Packages (BSP)

Original Design Manufacturer (ODM)

❏ designs and manufactures a product❏ eventually rebranded by another firm for sale❏ allow the brand firm to produce (either as a

supplement or solely) without having to engage in the organization or running of a factory.

❏ own cloud infrastructures for customers❏ Provide SDKs

★ Many ODMs in China★ A dime a dozen

http://en.wikipedia.org/wiki/Original_design_manufacturer

Cloud Service Providers

❏ Amazon❏ Microsoft❏ Google❏ Thingsworx❏ ODM Clouds❏ Have their own SDKs❏ Who knows where else?

http://en.wikipedia.org/wiki/Original_design_manufacturer

Original Equipment Manufacturer (OEM)

❏ Manufacturers who resell another company's product under their own name and branding.

❏ Offers its own warranty, support and licensing of the product.

http://en.wikipedia.org/wiki/Original_design_manufacturer

IoT Supply Chain Process

BSP ODM OEM

★ Each likely to outsource development work and have multiple teams

CSP

Keep in Mind

Hardware comes from everywhere

PMs

Primary Roles

Sales Engineers

Supply Chain Process (Cont)

Sales★ Get the

business★ Outreach★ Create

relationships

PM’s★ Prioritizes ★ Objective

Based★ Project

specific to engineer team

Engineers★ Write Code★ May not be a

big team★ Different

workflows per dev team

★ Split up into features. I.E UI team, UX team, backend, Android, iOS

Anyone Looking at Security??

Vectors❏ UART❏ JTAG❏ EEPROM❏ SPI❏ SOIC ❏ I2C

Tools❏ Shikra (UART SPI JTAG)❏ Bus Pirate❏ JTagulator❏ GoodFET❏ flashrom❏ EE Tools ❏ Chipquick

Hardware Security (Exploitation)

Source:my linksys 1900ac :)

Common❏ TCP❏ ToolChains (Libs)❏ UART❏ JTAG❏ Layer 7❏ EEPROM❏ Bluetooth

Less Common❏ TCP❏ Flash❏ GSM❏ GPS❏ I2C❏ Kernel (115 CVEs 2014)

Embedded Security

Source:http://lwn.net/talks/2015/kr-lca-2015.pdf

Wireless Security aka RF❏ Zigbee (2.4GHZ 915MHZ)

❏ Killerbee Framework

❏ Soon Xipiter’s “RFCat Zigbee”

❏ Atmel❏ 802.11

❏ Hundreds of tools❏ Z-Wave

❏ Z-force❏ Bluetooth LE

❏ nRF51822 - v1.0❏ Proprietary bands

❏ TI C1111

First time sniffing BLE traffic

source:http://securityreactions.tumblr.com/

Android App Security❏ Webview Security

❏ Privacy❏ Client-side Inject

❏ AndroidManifest.xml❏ Permissions

❏ Activities, Broadcast Receivers, Services

❏ Android APIs❏ Memory Security❏ addJavascriptInterface

❏ Secure Storage❏ Transport Security

❏ SSL Pinning

iPhone App Security❏ UIWebView Security

❏ Privacy❏ Client-side Inject

❏ Data Protection❏ Cloud API security❏ iOS SDK API

❏ Memory Security❏ Injection Attacks❏ Memory Corruption❏ Transport Security

❏ SSL Pinning❏ Blackbox

Assessments❏ Logging❏ Homekit

❏ Network Security❏ ACLs

❏ Systems ❏ DB❏ Web servers❏ LBs❏ Daemons

❏ Application Security❏ Language ❏ Frameworks❏ 3rd Party Libs

Web App / Operational Security

A lot of work!!!....

❏ Windows

❏ OSX

❏ Old School CD setup

❏ Data storage

❏ Data permissions

❏ Persistence

Desktop Apps

source:http://securityreactions.tumblr.com/

source:http://securityreactions.tumblr.com/

Known Security

Downfalls

source:http://securityreactions.tumblr.com/

“Because computers go through so many hands before they’re

delivered to you, there’s a serious concern that anyone could backdoor the computer

without your knowledgeSource: Jonathan Brossard-http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/

What not to do

❏ UART pins exposed unauthenticated or using simple passwords

❏ Manufacturing Debugging Scripts❏ Backdoors using secret user agents❏ Private Keys on devices (Dont rely on

obscurity)❏ Default Passwords★ Ton of other backdoors from software

down to HDL code in the chipset

Secure It Already (Embedded)

❏ Restrict Shell with tamper resistant epoxy and silk screen

❏ Very long passwds❏ Update Kernel and

Packages❏ Harden OS by

removing unused code

❏ Secure updates❏ Secure C Functions❏ Verify and test

code

Regulatory Impact

“Implement “security by

design.” Rather than grafting security on as an afterthought, build it into your products or services at the outset of your

planning processSource:https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf

FTC and EU Commission

❏ Privacy By Design❏ Security By Design❏ Categorization of IoT devices❏ Biggest Consumer Protection

http://www.ftc.gov/news-events/press-releases/2013/04/ftc-seeks-input-privacy-and-security-implications-internet-things

Something is Missing

IoT Supply ChainHow can we make it more secure?

Fixing The IoT

❏ LIABILITY!❏ Security service agreements with ODMs❏ Legal repercussions❏ Community Projects❏ Security Awareness❏ Security Processes into SDLC❏ A common certification standard (Wi-FI &

Zigbee)

★ Realistic? ……… Maybe

Defense in Depth!!!

How to help

Thanks!

Any questions?

You can find me at:@scriptingxss

[email protected]