IOActive, Inc. Copyright ©2017. All Rights Reserved.
What incentive for Security in IoT?
Dr. Cédric LEVY-BENCHETON
@clevybencheton
ISACA Luxembourg Chapter
15 June 2017
Summary
• Introduction
• Vulnerabilities in Consumer and Industrial IoT
• Recommendations
What is IoT?
Defining IoT
• NIST SP 800-183 proposes 5 primitives for “Network of Things”
– Sensor, Aggregator (ex: sensor cluster), Communication Channel, External Utility (eUtility), Decision trigger
• ITU-T Y.2060 defines IoT as
“a global infrastructure for the information society, enabling advanced
services by interconnecting (physical and virtual) things based on
existing and evolving interoperable information and communication
technologies.”
There is currently no well-accepted definition of IoT
Why IoT-fy your product?
• Money money money £££ €€€ $$$ ¥¥¥
– Data collection and processing
– New business models: data reseller, targeted ads, etc.
– Competitors do IoT, hence we must do IoT
– Competitors don’t do IoT, let’s be the first one!
• Customers have their own interests (do they?)
– Connectivity is needed, mobility is important
– Statistics and remote control
– Convergence and interconnection with devices and services
– More functionalities than non-IoT product, reasonable price
– Non-connected version is not available
Security for IoT
¯\_(ツ)_/¯
This presentation will…
• Define IoT assets and their associated threats
• Analyse findings from multiple penetration tests
• Link with Safety and Privacy (including the GDPR)
• Discuss incentives
IoT at a glance
Figure: layers Software, Firmware/Bootloader, Hardware; components Device, Cloud, Mobile, connected over Networks
Multiple attack vectors, direct and indirect
Threats and assets
• Threats to the Internet of Things
– Compromised behaviour
– Privacy concerns
– Outdated software and libraries
– Safety concerns
– Communication on insecure networks
– Unavailability of networks
– Poor vendor support
– Manipulation of data
• Assets targeted
– IoT devices
– Mobile applications
– Sensors and actuators
– Privacy
– Cloud
– Network connectivity
“The S in IoT stands for Security”
Common vulnerabilities to the IoT
• Result of multiple penetration tests
– Holistic approach (device, mobile, network, cloud, etc.)
– Highlight the impact on safety and privacy
• Sectors in scope
Consumer IoT
• Automotive (vehicles out of scope)
• Medical
• Smart Home
Industrial IoT
• Energy (including Smart Grid)
• ICS/SCADA (including Robots)
Top 5 Vulnerability Types
Top 5 CIoT Vulnerability
1. Insecure/Lack of Encryption
2. Authentication Issues
3. Information Disclosure
4. Buffer Overflow
5. SDLC-related
Top 5 IIoT Vulnerability
1. Authentication Issues
2. Buffer Overflow
3. Insecure/Lack of Encryption
4. SDLC-related
5. Insecure Access Control
Slide annotations: Collection of user information; Security assumptions (segregated network)
Top 5 Assets Impacted (attack vectors)
Top 5 CIoT Assets
1. Network
2. Device | Firmware
3. Device | Software
4. Mobile and Web Apps
5. Bootloader
Top 5 IIoT Assets
1. Device | Software
2. Web Service
3. Network
4. Device | Administration Panel
5. Mobile and Web Apps
A discussion on results
• Traditional findings are not our main findings
– Weak default credentials, hardcoded credentials, backdoor, etc.
– Some findings but not the majority
• Looking for an explanation…
– Penetration Test requires a certain level of maturity
– Security testing:
• To assess the security of 3rd party products
• As a requirement (from clients, for compliance, etc.)
Still, we have security issues: security is not easy
Risk-level of vulnerabilities
• Understand possible consequences
– Risk-level = impact x likelihood
An attacker will look for critical and high-risk vulnerabilities
Risk level    | IIoT | CIoT   (chart labels in the order extracted)
Critical      | 26%  | 14%
High          | 11%  | 27%
Medium        | 35%  | 43%
Low           | 12%  | 10%
Informational | 16%  | 6%
Effort to fix vulnerabilities
Good news:
Most vulnerabilities require a low effort to fix
Effort to fix | CIoT | IIoT
High          | 9%   | 7%
Medium        | 26%  | 27%
Low           | 65%  | 66%
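As an added illustration of the two slides above (risk-level = impact x likelihood, and effort to fix), not code from the talk: the 1..5 scale, the bucket thresholds and the sample findings are assumptions constructed for this example, not IOActive's data.

```python
"""Risk-level = impact x likelihood, bucketed, then distribution and fix ordering.
Constructed example: scale, thresholds and findings are assumptions, not IOActive data."""
from collections import Counter

LEVELS = ("Informational", "Low", "Medium", "High", "Critical")
EFFORT_RANK = {"Low": 0, "Medium": 1, "High": 2}  # effort to fix, as on the slide

# Constructed sample findings mirroring the vulnerability types named in the deck.
FINDINGS = [
    {"title": "Hardcoded credentials in firmware", "impact": 5, "likelihood": 4, "effort": "Low"},
    {"title": "Telnet enabled with default password", "impact": 5, "likelihood": 5, "effort": "Low"},
    {"title": "Telemetry sent without encryption", "impact": 4, "likelihood": 3, "effort": "Medium"},
    {"title": "Buffer overflow in protocol parser", "impact": 5, "likelihood": 2, "effort": "High"},
    {"title": "Mobile app logs user e-mail address", "impact": 2, "likelihood": 3, "effort": "Low"},
    {"title": "Verbose version banner", "impact": 1, "likelihood": 2, "effort": "Low"},
]


def risk_level(impact: int, likelihood: int) -> str:
    """Bucket impact x likelihood (each scored 1..5) into a risk rating.
    The thresholds below are an assumption chosen for this example."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be in 1..5")
    score = impact * likelihood
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    if score >= 3:
        return "Low"
    return "Informational"


def distribution(findings) -> dict:
    """Share of findings per risk level as whole-number percentages (the pie charts)."""
    counts = Counter(risk_level(f["impact"], f["likelihood"]) for f in findings)
    return {lvl: round(100 * counts[lvl] / len(findings)) for lvl in LEVELS}


def fix_order(findings) -> list:
    """Defender's queue: highest risk first (what an attacker looks for),
    cheapest fix first within a level; sort is stable, so ties keep input order."""
    return sorted(
        findings,
        key=lambda f: (-LEVELS.index(risk_level(f["impact"], f["likelihood"])),
                       EFFORT_RANK[f["effort"]]),
    )
```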
So what are the incentives to invest?
• Corporate Strategy
• Regulation
• Safety
• Privacy
• Market differentiator
• Business interest
• Clients’ demand
Safety in IoT
• Safety: protect human lives from the machine
– Probabilistic approach to system failure
– Incidents are (mostly) accidental
• Security for Safety
– Protect safety functions against cyber threats
– Ensure that no threat can impact safety
A security issue impacting safety can kill people
Privacy in IoT
• Privacy: protect information that identifies a user
– Protection of the data collected, exchanged and processed
– A subset of confidentiality + a legal approach
– “Data is the new oil” - data theft on the rise (haveibeenpwned.com)
• Privacy becomes critical with the GDPR
– Beyond the traditional PII: Obligation of reporting leaks, huge fines!
– No defined standard nor framework (yet)
– Applicable starting May 2018
A security issue impacting privacy can kill business
Impact on Safety and Privacy
Consumer IoT
• Safety risk: 23% of all vulnerabilities
– Main issues in automotive and medical: device hijack, crash
– Not a concern by manufacturers (!)
• Privacy issue: 22% of all vulnerabilities
– Mostly user-related data (name, e-mail address)
– Insecure data handling
– Data protection policy not applied
Industrial IoT
• Safety risk: 11% of all vulnerabilities
– Most issues require direct access (device, LAN)
– Main issues when connected to the internet: default password, telnet enabled.
• Privacy issue: 28% of all vulnerabilities
– Not a priority
– Mostly not user-related data (asset tracking, credential leaks)
If you can’t protect it, don’t connect it
Recommendations
• Understand cyber threats
– Domain-specific and IoT-related
– Evaluate your current maturity level
• Define security requirements
– Minimum and advanced
– Security, safety, privacy
– Device, network, services
• Implement security requirements
– Training on Secure Coding Practices
– Code review and penetration testing
– Security support (i.e. patching)
• DO NOT DEVELOP YOUR OWN CRYPTO!
Security-by-design: introduce security concepts at the earliest stages of the lifecycle:
• Planning
• Design
• Early implementations
• Release
• Maintenance
• End of Life
Conclusions
• IoT security is NOT as bad as expected…
– When security is not a new domain
– Penetration testing is only one part of security
• IoT security requires a holistic approach
– e.g. a secure device does not protect from insecure apps
– Integrate non-system components (e.g. developers)
• IoT Security shall adapt
– To the maturity level, to the sector, to business objectives, etc.
– To regulation
What incentive for Security in IoT?
Thank you
Questions?