Networked Home Appliances and Vulnerabilities.  by Yukihisa Horibe

100 %
0 %
Information about Networked Home Appliances and Vulnerabilities.  by Yukihisa Horibe
Technology

Published on March 12, 2014

Author: codeblue_jp

Source: slideshare.net

Description

A decade has passed since the introduction of network enabled home appliances into the market. Every year these appliances advance in functionality and inter device integrations, such as the integration with cell phones/smart phones , service servers/ cloud services and more. This has lead to a significant increase in the information and value that the network enabled house hold appliances handle. Under such circumstances a vulnerability in the house hold appliance could be leveraged to gain access to other devices and information. In this presentation I will present whether such risks can be actualised and the changes of functionality and vulnerabilities in network enabled house hold appliances,looking at those changes from a user's and developer'sperspective.

Yukihisa Horibe

Panasonic Corporation Analysis Cente
Panasonic PSIRT member.
Over 10 years of experience in vulnerability research and risk analysis regarding networked household appliances and embedded systems.

Networked Home Appliances and Vulnerabilities. Panasonic Corporation Analysis Center Yukihisa Horibe

Profile 堀部 千壽(Yukihisa Horibe) 2 Panasonic Corporation Analysis Center Panasonic-PSIRT Member Focusing on improving security for networked home appliances Vulnerability assessment of house hold appliances and embedded systems Vulnerability assessment of home service servers Table top analysis of networks including house hold appliances. Over 10 years of experience in security evaluation related work

Agenda 3 Changes in the feature of connected CE products The risks to connect Performance and trends in the Vulnerability Assessment for connected CE products Security functions required for CE products in the time of IoT Closing

Agenda 4 Changes in the feature of connected CE products The risks to connect Performance and trends in the Vulnerability Assessment for connected CE products Security functions required for CE products in the time of IoT Closing

Evolving Home Appliances. 5  Remote Control  Media Server HDD Recorder  Image Upload  Wifi Data Transfer Digital Camera/Video Cam  CDDB Audio System  Browser  Media Player  Smartphone like apps  Browser  Media Player  Smartphone like apps Digital TVDigital TV  Browser  Media Player  Smartphone like apps Digital TV Door Chimes  Notification  Communications  Measurements data transfer Scales Device Integration Smartphone Integration Cloud Integration  Monitoring  Power Control  On Demand Control HEMS  Monitorin  Remote Control Air Conditioner

Historical Overview of Function and Data Information of Networked Home Appliances(~2005:Growth Period) 6 Internet(Household) Cellphones Digital TV Recorders Cooking Appliances 201220102008200620042002 ADSL mova 3G Browser Remote operations Status Notifications

Historical Overview of Function and Data Information of Networked Home Appliances(~2005:Growth Period) 7 Internet (Household) Cellphones Digital TV Recorders Cooking Appliances 201220102008200620042002 ADSL mova 3G Browsers Remote Operation Status Notifications ID/Password Recording Information email address Status Info on operations Access History Most of the functions are contained within each appliance and the information they handle is limited.

Historical Overview of Function and Data Information of Networked Home Appliances(2005~2010:Evolution Phase) 8 Internet(Household) Cellphone Digital TV Recorder Audio System/Music Digital Camera/Camcorders Cooking Appliances Home Related 201220102008200620042002 ADSL FTTH(Optical Fiber) mova 3G Browser Remote Operations CDDB Appliance Integration (DLNA) VOD Status notifications Security: Status Monitoring Door Chime:Visitor Notification HEMS Image Upload

Historical Overview of Function and Data Information of Networked Home Appliances(2005~2010:Evolution Phase) 9 Internet (Household) Cellphones Digital TV Recorder Audio Systems/Music Digital Camera/Camcorder Cooking Appliance Home Related 201220102008200620042002 ADSL FTTH(Fiber Optic) mova 3G ブラウザ 宅外操作 CDDB Device Integration (DLNA) VOD 状態通知 Security Status Monitoring Door Chime Visitor Notifications HEMS Image upload CD Ownership List Payment Info Viewing History “at home” info Operational Info of each appliance Image Information Blog/UL Service Account Visitor Info email Address Content Ownership Info Device Ownership Info Operational Info of each device Power usage info With the increase in server/inter-device integration the importance of information also grew

Historical Overview of Function and Data Information of Networked Home Appliances(2010~:Mature Phase) 10 Internet(Household) Cellphone DigitalTV Recorder Audio System/Music Digital Camera/Cammcorder Health Care Appliances Cooking Appliances Home Related 201220102008200620042002 ADSL FTTH(Fiber Optic) mova 3G smartphone Browser Remote Operations CDDB Device Integration (DLNA) VOD Status Notifications Security Status Monitoring Door Chimes Visitor Notification applications HEMS Smartphone Integration AC Remote Operations Image Upload

Historical Overview of Function and Data Information of Networked Home Appliances(2010~:Mature Phase) 11 Internet(Household) Cellphone Digital TV Recorder Audio System/Music Digital Camera/Cammcorder Health Care Appliances Cooking Appliances Home related 201220102008200620042002 ADSL FTTH(Fiber Optic) mova 3G Smart Phones Browser Remote Operation CDDB 機器連携 (DLNA) VOD Status Notification Security Status Monitoring ドアホン 来客通知 Apps HEMS Smartphone Integration AC Remote Operation Image Upload Payment Info Purchase History Address/Name Blog/SNS Account Physical Info Service Account Operation Info Service Account

Historical Overview of Function and Data Information of Networked Home Appliances(2010~:Mature Phase) 12 Internet(Household) Cellphones Digital TV Recorder Audio System/Music Digital Camera/Camcorder Health Care Appliances Cooking Appliance Home Related 201220102008200620042002 ADSL FTTH(光回線) GSM(cHTML) 広帯域CDMA(HTML/Java) Smartphone ブラウザ 宅外操作 CDDB 機器連携 (DLNA) VOD 状態通知 Security Operational Info ドアホン 来客通知 Apps HEMS スマホ 連携 エアコン 遠隔操作 画像アップロード Cloud Integration allows the information linkage to include everything including smartphones. ID/Passworr Recording history Email Address Device Operation Info Access History CD Ownership List Payment Info Viewing History Vacancy Info Operational Info of each device Image Info Blog/UL Service account info Visitor Info Email address Content Ownership Device Ownership Operational Info of each device. Power Usage Info Payment Info Purchase History 住所氏名 ブログ/SNSアカウント Physical Information Service Account Operation Info Service Account Cloud Integration Address Book Video/Image Account info

The Evolution of Networked Home Appliances Functionality and Information (Near Future) House hold(Audio Visual, Home , Cosmetic) PC, Game terminal,Information terminal Smartphone, Cellphones, Land lines Housing Equipment(Single Family,complexes) 13 Inside the home connecting

The Evolution of Networked Home Appliances Functionality and Information (Near Future) Home Appliances(Audio Visual,House hold,Cosmetic) PC,Game Terminal,Information Terminals Smartphone,Cellphones,Landlines Housing Equipment( Single Family, Complexes) Medical Devices (Individual , Institutional) Public Services(Municipal offices, schools) Public Transportations(Bus、Trains) Cars/Automotive equipment Infrastructure(Power、Gas、Water) Retail(Large scale, individual) 14 Is the era when household appliances , home and public,commercial services are all connected near? Everything is connected Inside the home connecting

Agenda 15 Changes in the feature of connected CE products The risks to connect Performance and trends in the Vulnerability Assessment for connected CE products Security functions required for CE products in the time of IoT Closing

Risks of Home Appliances Having Network Capabilities The possibility of unauthorized access via the network Many devices have global IPs assigned. Possibility of attacks leveraging vulnerabilities in home appliances. Attack by forcing a download of malware Targeted attacks leveraging XSS/CSRF 16 Using search engines you can find sites that hint they are home appliances. Fake Firmware or Contents

CVE-2008-3482 (2008) Network Camera made by Panasonic , Reflected XSS vulnerability Defect in escaping routine of the display on the error page Defcon17 (2009) CSRF vulnerability in household network camera by Panasonic Many vulnerabilities were disclosed for household routers and other embedded web systems. Reported vulnerabilities on CE category: Panasonic case 17 http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000037.html http://www.blackhat.com/presentations/bh-usa-09/BOJINOV/BHUSA09-Bojinov-EmbeddedMgmt-PAPER.pdf

Reported vulnerabilities on CE category: example of other case 18 Year Product Outline Manufacturer 2004 Video recorder Accessible without authentication (springboard) Japan 2008 NAS CSRF (remote data deletion) Japan 2010 Digital camera Arbitrary code execution from SD card Japan 2011 MFP Authentication bypass and more Japan & overseas 2012 Digital TV DoS Japan 2012 Many Devices Arbitrary code execution by UPnP vulnerability Japan & overseas 2013 Digital TV DoS & restart by malformed packets Japan & overseas 2013 Smart phone Intrusion of malware through power cable Japan & overseas 2013 Digital TV Authority seizure & remote control by illegal application Overseas 2013 Lighting system Force unable to turn on Overseas 2013 Home GW Vulnerability in authentication, CSRF and more (electric lock unlock by malicious third party) Overseas 2013 Toilet Hard-Coded Bluetooth PIN Vulnerability Japan With the advancement of function, the reports of vulnerability have been increasing after 2012

Agenda 19 Changes in the feature of connected CE products The risks to connect Performance and trends in the Vulnerability Assessment for connected CE products Security functions required for CE products in the time of IoT Closing

Vulnerability Eradication Efforts at Panasonic 20 Base Knowledge (Awareness/Education) Base foundation of knowledge regarding product security Two pillars supporting Product Security Minimize Risk Incident Response Minimize Risk Incident Response Product Security Improving security of products including house hold appliances is an important requirement for Panasonic Network Home Appliances, Embedded Systems, Services

Response based on product lifecycles. 21 ShippingProduct Lifecycle Contamination Prevention (Avoid building vulnerabilities into) Inspection/Removal (Detect vulnerability and remove) Maintain/Improve (Response after shipping) Response Table Top Risk Analysis (Vulnerability Analysis) Security Design ・Secure Coding ・Static Analysis ・Vulnerability analysis (Security Inspection) ・Incident response The need to respond throughout the product lifecycles Sale/ServiceTestImplementDesignPlan Disposal Minimize Risks Incident Response

Response based on product lifecycles. 22 ShippingProduct Lifecycle Contamination Prevention (Avoid building vulnerabilities into) Inspection/Removal (Detect vulnerability and remove) Maintain/Improve (Response after shipping) Response Table Top Risk Analysis (Vulnerability Analysis) Security Design ・Secure Coding ・Static Analysis ・Vulnerability analysis (Security Inspection) ・Incident response The need to respond throughout the product lifecycles Sale/ServiceTestImplementDesignPlan Disposal Minimize Risks Incident Response

Vulnerability Analysis for Panasonic House hold appliances and embedded systems 23 The number and details for the vulnerability are for vulnerabilities found “pre shipping” The detected vulnerabilities were patched prior to shipping These vulnerabilities do not exist in current products available in the general market. Actual results I will present

Vulnerability assessments for Panasonic house hold appliances and embedded systems 24

Vulnerability assessments for Panasonic house hold appliances and embedded systems 25

Trend of vulnerability : Rise period(2003-05) of Connected CE products 26

Trend of vulnerability : Early progressive period(2006-08)of Connected CE products 27

Trend of vulnerability : late progressive period(2009-10)of Connected CE products 28

Trend of vulnerability : Mature stage(2011-13)of Connected CE products 29

Agenda 30 Changes in the feature of connected CE products The risks to connect Performance and trends in the Vulnerability Assessment for connected CE products Security functions required for CE products in the time of IoT Closing

Historical Overview of Function and Data Information of Networked Home Appliances(2010~:Mature Phase) 31 Internet(Household) Cellphones Digital TV Recorder Audio System/Music Digital Camera/Camcorder Health Care Appliances Cooking Appliance Home Related 201220102008200620042002 ADSL FTTH(光回線) GSM(cHTML) 広帯域CDMA(HTML/Java) Smartphone ブラウザ 宅外操作 CDDB 機器連携 (DLNA) VOD 状態通知 Security Operational Info ドアホン 来客通知 Apps HEMS スマホ 連携 エアコン 遠隔操作 画像アップロード Cloud Integration allows the information linkage to include everything including smartphones. ID/Passworr Recording history Email Address Device Operation Info Access History CD Ownership List Payment Info Viewing History Vacancy Info Operational Info of each device Image Info Blog/UL Service account info Visitor Info Email address Content Ownership Device Ownership Operational Info of each device. Power Usage Info Payment Info Purchase History 住所氏名 ブログ/SNSアカウント Physical Information Service Account Operation Info Service Account Cloud Integration Address Book Video/Image Account info

The Evolution of Networked Home Appliances Functionality and Information (Near Future) Home Appliances(Audio Visual,House hold,Cosmetic) PC,Game Terminal,Information Terminals Smartphone,Cellphones,Landlines Housing Equipment( Single Family, Complexes) Medical Devices (Individual , Institutional) Public Services(Municipal offices, schools) Public Transportations(Bus、Trains) Cars/Automotive equipment Infrastructure(Power、Gas、Water) Retail(Large scale, individual) 32 Is the era when household appliances , home and public,commercial services are all connected near? Everything is connected Inside the home connecting

Future prediction Spread to the whole of human life Rapid increase of device Connect to the various industries 33

Spread to the whole of human life 34 Risk of Serious accident Higher reliability Fire due to incorrect control of CE product Invalidation of electric lock security Accident and runaway of automotive Connect to various device of various manufacturer We want to guarantee at least minimum level security Will you need the standard like Industry standard ? it is not the problem of one company Entire House, Linkage to automotive, home security and gas app… Information assets = life of customer The minimum level security ?

Spread to the whole of human life 35 The risk due to share of authentication information Adoption of SSO is also being investigated in CE products Influence of vulnerability will spread to other services that share authentication information it is not the problem of one provider or one vendor Constantly connected communications, share of authentication information Useful … Authentication provider CE Smart phone application Web service Automotive HEMS game CE Share of authentication information What must we do to make product secure ? SNS application

Rapid increase of device 36 Lighting, switch, sensor, electric socket, etc. Maintenance of various and huge amount of devices After vulnerability is reported, software must be updated Lighting, sensor, electric socket…update all ? How to update ? Service engineers ? Automatic update ? Disclaimer of firmware update Lifetime of CE product is long (over 10 years) Up to when ? The update method, the period to continue to care security ?

Connect to the various industries 37 Diversification of I/F, protocol ECHONET Lite, CAN, DLNA… Bluetooth, NFC, TransferJet, ZigBee, Z-Wave… Original communication protocol, 920MHz… Security verification technology must catch up Only knowledge of the IP network is not enough Knowledge other than the IP network is necessary Knowledge of Non-IT engineers will be needed Think tank beyond the type of industry? Diversification of I/F of the linkage to infrastructure, automotive and healthcare, security technology catch up The structure which takes in knowledge of various fields?

Agenda 38 Changes in the feature of connected CE products The risks to connect Performance and trends in the Vulnerability Assessment for connected CE products Security functions required for CE products in the time of IoT Closing

Closing 39 Several billion of IoT(Internet of Things) will be connected It is difficult to guarantee security by one company The approach beyond the industry/type of industry /position must be needed Unite for the IoT security ! Internet Store Social infrastructure Public Service Housing equipment Automotive in-car device Smart phone Information device PC Connected CE product

Contact 41 Analysis Center Panasonic Corporation http://www2.panasonic.co.jp/aec/ns/index.html Sorry, Japanese Only… Panasonic-PSIRT http://panasonic.co.jp/info/psirt/en/ product-security@gg.jp.panasonic.com

Add a comment

Related presentations

Related pages

CodeBlue01 : Networked Home Appliances and Vulnerabilities ...

Skip navigation Upload. Sign in
Read more

Home Appliances | LinkedIn

View 56855 Home Appliances ... Sales Home Appliances at Home Depot Past Sales Home Appliances at ... Appliances and Vulnerabilities. by Yukihisa Horibe.
Read more

CODE BLUE : International Security Conference in Tokyo ...

will come together for this unique international conference in Tokyo ... Yukihisa Horibe. ... The past decade has seen a proliferation of network ...
Read more

CodeBlue01 : The Current State of Automotive Security by ...

... The Current State of Automotive Security by Chris Valasek ... Networked Home Appliances and Vulnerabilities. by Yukihisa Horibe ...
Read more

Networked Home Appliances(IoT) and Vulnerabilities

Historical Overview of Networked Home Appliances (2005→10: Evolution Phase) Internet (Household) ... vulnerabilities in home appliances.
Read more

All Home Appliances | LinkedIn

All Home Appliances. Articles, experts, jobs, and more: get all the professional insights you need on LinkedIn. Sign up Get more personalized results when ...
Read more

Code Blue 2014 - Concise Courses Information Security ...

Code Blue 2014 According to the ... Thinking about network safety in a public health light: ... Yukihisa Horibe: Networked Home Appliances and Vulnerabilities:
Read more

CODE BLUE Archive : Free Download & Streaming : Internet ...

CODE BLUE Archive InfoCon. Skip to main content. Search the history of over 469 billion pages on the Internet. search Search the Wayback Machine. Featured ...
Read more