The Internet of Things: We've Got to Chat


Published on February 28, 2014

Author: markstanislav

Source: slideshare.net

Description

Similar to the explosive growth of cloud computing, the "Internet of Things" (IoT) has reached a tipping point where a serious look at the nexus of convenience versus security needs to take place. The cost, size, and complexity of chipsets that allow for Internet-enabled devices have all dramatically shrunk, making the barrier to entry into the IoT market negligible. With Kickstarter and Indiegogo helping to enable entrepreneurs to have their ideas come to market quicker than ever, the IoT expansion is happening faster than most consumers (or security professionals) realize.

This presentation will examine some of the recent failures of IoT security, engineering challenges facing entrepreneurs, and a look at the IoT security researcher quandary. Details will be given about a new effort to help all parties involved proceed with the IoT in a safer, more successful manner. Whether you're a security researcher, software engineer, or product designer, this presentation will represent the thoughtful look at the state of IoT security we desperately need.

The Internet Of Things
 We’ve Got To Chat

Introduction
Mark Stanislav, Security Evangelist
Zach Lanier, Sr. Security Researcher

The Internet of Things

About The Internet Of Things
“The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”, Gartner IT Glossary [1]
“Machine to machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type.”, Wikipedia [2]
IoT Growth Estimates
* Gartner: 26 billion units by 2020 [3]
* ABI Research: 30 billion units by 2020 [4]
1. http://www.gartner.com/it-glossary/internet-of-things/
2. http://en.wikipedia.org/wiki/Internet_of_Things
3. http://www.gartner.com/newsroom/id/2636073
4. https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne

There’s A Shift Underway You Should Know About
• The IoT growth that we’re all expecting won’t just be from large vendors like Belkin, TRENDnet, Cisco, and Ericsson
• Postscapes [1] and Wolfram Alpha [2] list a few hundred IoT-related companies, most of which you’ve likely never heard of
• Crowd-funding web sites are going to produce many of the newest IoT devices we all want to use
• Entrepreneurs likely have no experience with information security, nor the budget to afford help
• They also won’t know what a “security researcher” is or why you’re contacting them…
1. http://postscapes.com/companies/
2. http://devices.wolfram.com

The Internet of Things “Line of Insanity”™
Devices shown: IP Camera, Door Bell, Door Lock, Egg Tray
Scale: Sane, Reasonable, Questionable, Insane

Cheap Hardware, Unlimited Possibilities
• Electric Imp ($25)
• Gumstix ($169)
• Intel Quark ($?)
• Arduino ($75)
• Raspberry Pi ($35)

Plenty Of Choices, How Do You Determine Security?
• Philips ($60)
• INSTEON ($30)
• LimitlessLED ($23)
Vendors could each use different hardware, software, APIs, third-party service providers, and patching mechanisms

The Government Is Watching
• June 3rd, 2013: Software & Information Industry Association asks FTC to be careful with IoT [1]
• November 21st, 2013: Internet of Things - Privacy and Security in a Connected World Workshop [2]
• January 8th, 2014: FTC Commissioner Maureen Ohlhausen sits on panel at CES about IoT [3]
• February 7th, 2014: FTC approves final order settling charges against TRENDnet, Inc. [4]
• February 18th, 2014: US CERT works with IOActive to resolve Belkin WeMo vulnerabilities [5]
1. https://www.siia.net/blog/index.php/2013/06/siia-to-ftc-internet-of-things-requires-technology-neutral-policies-and-flexible-privacy-framework/
2. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world
3. http://www.adweek.com/news/technology/will-washington-move-quickly-regulate-internet-things-154863
4. http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
5. http://www.kb.cert.org/vuls/id/656302

A Case Study in IoT Failure - IZON

IoT Ecosystem

CrowdFunding & IoT
Canary, Pinoccio, Twine, Piper, Knut, Tessel, KoolThings, Wunderbar

Challenges Faced

What’s Better Than One Vulnerable Device? Interconnected Vulnerable Devices!
• If-This-Then-That (IFTTT) supports over 80 platforms, services, and devices
• Allows for event-based actions across disparate technologies
  • If the CO2 in this room is unsafe, change my lightbulb to be red to warn me
• This behavior will become a consumer expectation rather than merely a “nice to have”

Challenges
• Hardware security
• Software security
• Comms/Network security
• Platform security
• User awareness & behavior
• Vulnerability handling & disclosure awareness

Challenges: Hardware Security
• Many devices use generic SoCs/boards
  • Quick development, few security features
  • i.e. “HW hacking made easy” - serial consoles, FW dumping/JTAGs, etc.
• HW-based trusted execution and HSMs are practically nil
• Prevalence/distribution of same components, firmware, etc. means one bug could affect many products
• Little expertise required to design, build, and ship an “IoT Product”

Challenges: Hardware Security (Cont’d…)
Least common denominator: UART headers + Logic analyzer + Bus Pirate = Console!

Challenges: Software Security
• Development environments don’t necessarily make security controls/options “clear”
• Selected platform may drive/restrict language choices
  • “Me write Python/Ruby/Node/… pretty one day” (or worse, C)
• History repeating…?
% grep -Er "\s(mem|str)cpy\(" .
 …
 ./apps/http-post-auth/http-post-auth.c: strcpy(s->message, "status=");
 ./apps/http-post-auth/http-post-auth.c: strcpy(&s->message[7], msg);
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/ping6/ping6.c: memcpy(command, (void *)"ping6", 5);
 ./apps/rest-coap/coap-common.c: memcpy(
 ./apps/rest-coap/coap-common.c: memcpy((char*)&buffer[index], option->value, option->len);
 ./apps/rest-coap/coap-common.c: memcpy(&buffer[index], packet->payload, packet->payload_len);
 ./apps/rest-coap/coap-server.c: memcpy(option->value, value, len);
 ./apps/rest-common/buffer.c: memcpy(buffer, data, len);
 ./apps/rest-common/buffer.c: strcpy(buffer, text);
 ./apps/rest-common/rest-util.c: memcpy(p + 4 - size, buf, size);
 ./apps/rest-common/rest-util.c: memcpy(buf, ((char*)(&data)) + 4 - size, size);
 ./apps/rest-common/rest.c: memcpy(temp_etag, etag, size);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, value);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, buffer);
 ./apps/rest-http/http-server.c: memcpy(buffer + index, response->payload, response->payload_len);
Quick grep for potentially dangerous functions in someone’s Contiki project
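As an added illustration (not code from the slides or from the Contiki project), here are bounded C replacements for two of the patterns the grep flags: the strcpy pair from http-post-auth.c and a memcpy driven by a packet-supplied length. The struct, the buffer size and the function names are assumptions, since the slide shows only the call sites and not the buffers behind them.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

#define MSG_MAX 32            /* assumed size; the real struct is not on the slide */

struct post_state {           /* hypothetical stand-in for the state behind `s` */
    char message[MSG_MAX];
};

/* Bounded form of: strcpy(s->message, "status="); strcpy(&s->message[7], msg);
 * Returns 0 on success, -1 if the result would not fit (no silent truncation). */
int set_status(struct post_state *s, const char *msg)
{
    int n = snprintf(s->message, sizeof s->message, "status=%s", msg);
    if (n < 0 || (size_t)n >= sizeof s->message) {
        s->message[0] = '\0';          /* fail closed: leave no partial message */
        return -1;
    }
    return 0;
}

/* Bounded form of: memcpy(&buffer[index], payload, payload_len);
 * The length comes from the packet, so it is checked against the space left.
 * Returns the new index, or -1 if the payload does not fit. */
long append_payload(uint8_t *buffer, size_t cap, size_t index,
                    const uint8_t *payload, size_t payload_len)
{
    /* compare against cap - index so that index + payload_len cannot wrap */
    if (index > cap || payload_len > cap - index)
        return -1;
    memcpy(&buffer[index], payload, payload_len);
    return (long)(index + payload_len);
}

int main(void)
{
    struct post_state s;
    uint8_t buf[8];
    const uint8_t data[6] = {1, 2, 3, 4, 5, 6};   /* constructed sample payload */

    printf("%d %s\n", set_status(&s, "ok"), s.message);
    printf("%d\n", set_status(&s, "a-status-string-longer-than-the-buffer"));
    printf("%ld\n", append_payload(buf, sizeof buf, 0, data, sizeof data));
    printf("%ld\n", append_payload(buf, sizeof buf, 6, data, sizeof data));
    return 0;
}
```

Both helpers reject oversized input instead of truncating, so the caller has to decide what an over-long status or payload means rather than sending a silently shortened message.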

Challenges: Software Security (Cont’d…)
• Selected platform often locks dev/vendor into given OS choice
  • Proprietary OSes (such as ElectricImp) - don’t peek inside the black box!
  • Linux, Contiki, QNX, et al. (all with their own issues)
• Little consideration given to least privilege, mitigations, hardening, etc.
• Third-party dependencies
  • Inherited bugs/attack surface
[Image captions: “Bro, do you even PIE?” “Bro, do you even randomize?”]
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.

Challenges: Software Security (Cont’d…)
• iOS/Android/other mobile apps with their own security issues
  • See also “OWASP Mobile Top 10 Risks”
• Developer naïveté: “HOW COULD/WHY WOULD YOU DO THIS? IT WASN’T SHOWN IN THE MOBILE APP USER INTERFACE!”
“Relayr says that developers can have their first Internet of Things App up and running in less than 10 minutes”

Challenges: Comms/Network Security
• WiFi goofiness (“device as AP”, no WPA, exploitable behavior, etc.)
• Plaintext protocols or poor crypto at transport layer
  • …or lack of cert pinning where SSL/TLS actually used
• Unprotected FW updates/downloads
• Otherwise seemingly unnecessary services listening
  • Telnet, SSH, FTP, you name it…
• Shared accounts/auth material for “support” or updates
• Use of technologies such as ZigBee and cellular introduces additional security considerations

Example: Sparqee Cell "Cellular made easy"

Wat? TRUST US WITH CREDENTIALS TO YOUR CLEARTEXT PROTOCOL SERVERS

Example: GoPro WiFi Remote
• Remote acts as access point, camera acts as mobile station
• Remote/AP does not use any security - totally open
• Camera scans for HERO-RC-XXXXXX (where XX... are the last three octets of the BSSID/MAC of the remote)
• Prefers known BSSID, but can be configured to “pair” with new remote
[Diagram: WiFi RC and GoPro Camera. The camera scans for "HERO-RC-XXXXXX" and finds HERO-RC-123456; the conversation runs over 8484/udp with messages labelled OO, se, lc, lc + bitmap and sh. A second HERO-RC-123456 is labelled Fake AP/Evil twin.]

Example: “Home Automation Gateway”
Linux-based gateway talks RESTful HTTP to “cloud”-based service, receives commands (schedules, metering data, etc.), relays commands to smart plugs/meters via ZigBee
[Diagram: a mobile app and a web browser reach a "magical cloud service/site" over HTTPS; the "Gateway" talks HTTPS to that service and ZigBee to lights, a pool pump and an automated cat entertainment toy.]
Weaknesses annotated on the diagram:
• Key extraction, replay, injection, etc.
• XSS, CSRF, auth bugs, etc.
• Unfettered console access, no priv sep for services, same "support" creds on multiple devices

Challenges: Platform Security*
• Everything that uses an HTTP GET/POST has become an “API” to the average developer
  • Authentication? Signed requests? Unlikely.
• Input manipulation is a less obvious concern when developers do mobile and embedded
  • Yup… OWASP {Mobile,Web} Top 10
• Leveraging third-party service providers introduces exponential complexities and further increases potential attack surface
• Quick & Dirty cloud infrastructure yields poor accessibility and potentially confidentiality
* for our purposes “Platform” also includes supporting infrastructure, services, frameworks, etc.

Real-World IoT Failures
• TRENDnet, January 2012 [1]: Various IP camera products would allow anyone with a generic URL to access the camera’s live feed without requiring authentication
• Belkin, July 2012 [2]: The WeMo Switch allowed UPnP actions (e.g. power cycle) to be performed without requiring authentication
• Philips, August 2013 [3]: The Hue Lighting System utilized the MD5 hash of the MAC address of an authorized system as a “secret token” to control the platform
1. http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html
2. http://www.issackelly.com/blog/2012/07/30/wemo-hacking/
3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html

Real-World IoT Failures, cont’d
• IZON, October 2013 [1]: Video clips of “alerts” were saved in an AWS S3 bucket unencrypted, with no access control preventing someone from viewing the file
• [Redacted], December 2013 [2]: API call to purchase in-app credits for service was done without purchase verification and via clear-text HTTP calls
• Belkin, February 2014 [3]: The WeMo Home Automation API allowed XML injection (XXE), potentially revealing filesystem contents
1. https://speakerdeck.com/mstanislav/eyes-on-izon-surveilling-ip-camera-security
2. [Redacted] =)
3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html

User Awareness & Behavior
• Users may not know (let alone care) how to update device firmware or apps
  • Disparity in management: web console v. mobile app v. physical “update” button
  • Also they just want to use the !@#$ thing now!
• Lack of feedback or notification for updates or errors
  • How does a user know their IoT device was updated or, worse, compromised?

Vulnerability Handling & Disclosure Awareness
• Small vendors (and some big ones) fail to get it, or just simply don’t know
  • “But, why would anyone want to hack this device? And why would they want to tell us or talk about it publicly?”
• Few-to-no resources for small vendors to handle this
• Nascency of “IoT” means some researchers may not know either
  • And we’d like for them to stay out of jail

A New Initiative

Announcing BuildItSecure.ly
Our Mission
• Provide resources, guidance, community for small IoT developers/builders to make informed security decisions
• Incentivize vulnerability research and reporting for these devices
Our Goal
Help secure the “Internet of Things”
This ISN’T…
• “saving the world”
• something that’s happening tomorrow

BuildItSecure.ly Phase 1 - Build Out
Gather Advisors & Contributors; Collect/build and share resources; Establish relationships w/vendors, funding sites
• Establish a core team of advisors and content contributors
• Curate secure development documents and disclosure guidelines
• Build new diagrams, flow charts, info graphics to transfer knowledge
• Form relationships with crowd-funding sites, IoT-centric hardware vendors/platform providers, and other relevant organizations

BuildItSecure.ly Phase 2 - Rewards/Incentives
• Build a reporting and reward/incentive program
  • Partnering with Bugcrowd on this
• Rewards could include:
  • Recognition
  • Monetary reward
  • Device reward
  • Schwag!

Conclusion

Conclusion
• Very few green fields in infosec to impact early on
• IoT at this level is still malleable
• Much work to be done, but we can leverage lessons learned in the past
• BuildItSecure.ly could help keep IoT from spinning any further out of control
• Plus, it’ll be fun!

Thanks! Questions?
Mark Stanislav, mstanislav@duosecurity.com, @markstanislav
Zach Lanier, zach@duosecurity.com, @quine
http://BuildItSecure.ly/ @BuildItSecurely

 greeted = sendGreetz(terp, bNull, cji, jono, dugsong, donb,
 cesar, sa7ori, bkelly, jcran, mortman, banshee, jack_daniel,
 m0nk_dot, natron, zek, blueroses, procto, alexhutton,
 int0x80, k8em0, treyford, hypatia, mthrailkill, G13, wendy);

 if(!greeted)
     goto fail;
