TRANSCRIPT
@petermorin123
High Tech, High Threat: Next Generation Cyber Challenges
Peter Morin, CISSP
Director, Cyber Security Consulting
KPMG LLP
• Specialize in security of critical infrastructure, incident response, threat hunting, etc.
• Worked in the past for various military and government agencies
• CISSP, CISA, CRISC, CGEIT, GCFA
Disney Trip
• This is my 12yr old daughter, Charlotte.
• She is a coder and all-around techno-lover.
• We recently went on our yearly trip to Disney World.
• Charlotte is always looking at something technology related to see or learn from.
Disney Trip
• She found this scavenger hunt at Epcot called “Agent P’s World Showcase Adventure”
• Based on Disney’s Phineas and Ferb cartoon.
• It allows you to use your smart device to interact with sensors that are a part of various puzzles
* And yes, that is a GoPro on her head!
Disney Trip
• Interactive displays, cameras, gesture recognition software and proximity and position sensors that interface with the user’s smart device
• These sensors affect the interactive experience or game elements of the attraction
• Disney has spent over $1 billion
Anyware Smart Adaptor light socket - $75
Features: Preventive Burglar Light, Intrusion Detection by sound, Indoor Climate Monitoring, Energy Saving Mode (lights off)
What makes this IoT?
• Connectivity – Internet connectivity is either contained in the item itself, or in a connected hub, smartphone, or base station.
• Expressing – Enables interactivity with people and the physical world: a means to create products that interact intelligently with the real world.
• Sensing – Track and measure activity in the world.
• Localization – The need for position-based applications.
• User Interface – Users need a way to view and understand the data captured by IoT.
• Small form factor – Allows for deployments where space is at a premium.
• Energy Efficiency – Needs to be able to operate for a year or more unattended using a conservative amount of energy, or be able to wake up only periodically to relay data.
• Embedded Processors – Devices contain some computing power, if only to be able to parse incoming data and transmit it.
Source: Digital temperature sensor
Sensors for everything!!
Source: National Control Devices / BLE demo SensorActivity
Pressure Sensors and Barometers
Temperature and Humidity Sensors
Proximity Sensors
Hall-Effect Sensors
Accelerometers
Gesture Sensors
Gas Sensing
Energy Monitoring
Gyroscopes
Moisture Sensors
Vibration Sensors
Color/Light Sensors
Compass
Magnetometers
Position Sensors
Average consumer cost for a sensor (incl. board, etc.) - $55-70USD
Average Sensor Cost
Source: Statista 2018
$0.44USD - Why???
• An increasing number of IoT sensor technology vendors are entering the marketplace
• IoT sensor components are constantly being optimized
• Modern IoT sensors are out-of-the-box technology
IoT In The US
• 3,000 Companies
• $125B In Funding
• $613B In Valuation
• 342,000 Employees
IoT - By the Numbers…
• 2018 – 7 billion devices worldwide
• 2020 – 20 billion devices
• Almost surpassed the world's population of 7.53 billion [1]
• 7.19 billion mobile devices [2]
• 1.2 billion cars on earth
Source: [1] World Bank; [2] Ericsson Mobility Report, June 2018
IoT to Surpass non-IoT by 2022
Source: 2018 Ericsson Mobility Report
IoT Remains Vulnerable
IoT Village at DEF CON 26: 55+ 0-day vulnerabilities - buffer overflow, command injection, local privilege escalation
Affected devices: badge reader and door lock controller, smart scale, smart lock, wearables, light bulbs, smart irrigation systems and Amazon's Alexa
IoT Risk Report
• Forescout looked at 7 common IoT devices:
– IP-connected security systems
– IP-connected infrastructure
– Smart video conferencing
– Connected printers
– VoIP phones
– Smart refrigerators
– Smart lightbulbs
Source: https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf
Key Findings
• 7 devices hacked in 3 minutes - but can take weeks to remediate
• Once infected, hackers can plant backdoors to launch automated botnet DDoS attacks
• Jamming or spoofing to hack smart security systems - control motion sensors, locks and cameras
Key Findings
• Exploited config settings to evade authentication on VoIP phones allow for snooping and recording of calls
• Hacked connected HVAC to force critical rooms (e.g. server rooms) to overheat critical infrastructure
Mirai’s distant cousin… IoTroop
• DDoS attacks against financial institutions
• DNS amplification attack with traffic volumes peaking at 30Gb/s
• Routers and wireless IP cameras by TP-Link, Linksys, Synology, etc.
• Toolkit can be updated as new vulnerabilities are identified
• CVE-2017-8225, a known authentication bypass vulnerability affecting the wireless IP cameras
Worldwide IoT Security Spending Forecast
2016: $912M
2017: $1.1B
2018: $1.5B
2019: $1.9B
2020: $2.5B
2021: $3.1B
Securing IoT
Source: Gartner (March 2018) - https://www.gartner.com/newsroom/id/3869181
Through 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritization and implementation of security best practices and tools in IoT initiative planning.
Where do IoT Vendors See Themselves?
Consumer IoT Devices
Smart Home User Awareness
• 5/10 smart TV users haven't updated the software apps on their devices in over a month, changed the default password or updated the firmware
• 6/10 have not updated their router firmware – ever
• 1/10 use one password for all their devices
• 6/10 have different passwords for each device
• 7/10 changed the password more than 3 months ago
Source: Bitdefender Survey
Internet of Toys…
• Security is a primary concern with connected toys—especially since kids are involved.
• Barbie can listen to a child and hold a conversation thanks to its Wi-Fi connection – a hacked doll could be turned into a spying device
• Sales of smart-connected toys will reach $8.4 billion by 2020
Source: Juniper Research
Wearables
Worldwide shipments of wearable devices believed to have reached 122 million in 2018 with 6.2% growth from 2017.
Source: IDC Forecast
Smart Home
• Wi-Fi connected Trane ComfortLink XL850 thermostats
• Weak authentication mechanism and hardcoded credentials
• Uses custom protocol and predictable port number to administer remote access to all device functions
openHab
openHab – over 1000 supported things!
Insulin Pumps
• Johnson and Johnson OneTouch Ping Insulin Pump
• 114,000 patients affected
• Spoof communications between the remote control and the pump
• Deliver unauthorized insulin injections
ICSA-15-174-01
ICS-CERT Statement, re: Hospira Symbiq Infusion System:
"Internet-enabled smart IV pump that's in fairly widespread use contains remote exploits that would allow attackers to take control of the device."
Disconnect the affected product from the network.
ICSA-15-174-01: Hospira's very alarming response:
"Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET. Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira's technical support to change the default password used to access Port 8443 or close it."
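The "monitor and log" part of that response is the one piece a hospital network team can act on the same day. The following is an added example (not Hospira's, ICS-CERT's or the speaker's code) that scans constructed iptables-style firewall log lines for attempts to reach the watched ports on a placeholder pump address and counts them per source. The address 10.0.5.20, the log lines and the service labels are all constructed for the example. One caveat a practitioner should note: FTP's control channel is TCP/21, with TCP/20 used only for active-mode data, so the example watches both rather than only the port the vendor names.

```python
import re
from collections import Counter

# Placeholder address standing in for the affected infusion pump (constructed).
PUMP_ADDR = "10.0.5.20"

# Ports named in the vendor response. FTP's control channel is actually TCP/21;
# TCP/20 only carries active-mode data, so both are watched here.
WATCHED_PORTS = {20: "FTP data", 21: "FTP control", 23: "TELNET", 8443: "HTTPS admin"}

# Constructed iptables-style log lines; not captured from a real device.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.0.5.20 PROTO=TCP SPT=51000 DPT=23
Mar  3 10:01:13 fw kernel: IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.0.5.20 PROTO=TCP SPT=51001 DPT=8443
Mar  3 10:01:15 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.5.7 DST=10.0.5.20 PROTO=TCP SPT=40000 DPT=443
Mar  3 10:01:16 fw kernel: IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.0.5.21 PROTO=TCP SPT=51002 DPT=23
Mar  3 10:01:20 fw kernel: IN=eth1 OUT=eth2 SRC=192.0.2.77 DST=10.0.5.20 PROTO=TCP SPT=3333 DPT=21
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields we care about from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def find_watched_attempts(log_text, target=PUMP_ADDR, ports=WATCHED_PORTS):
    """List (source, port, service) for every attempt to reach a watched port on the target."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] == target and rec["dpt"] in ports:
            hits.append((rec["src"], rec["dpt"], ports[rec["dpt"]]))
    return hits


def attempts_by_source(hits):
    """Count watched-port attempts per source address, the figure an analyst would alert on."""
    return Counter(src for src, _, _ in hits)


if __name__ == "__main__":
    found = find_watched_attempts(SAMPLE_LOG)
    for src, port, svc in found:
        print(f"ALERT {src} -> {PUMP_ADDR}:{port} ({svc})")
    print(attempts_by_source(found))
```

Traffic to port 443 on the pump and telnet attempts against a neighbouring address are deliberately left out of the alert list, which is what makes the per-source count meaningful: a single source touching several watched ports on the pump is the pattern worth escalating.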
Diquee Killer IoT Robot Vacuum
• Wi-Fi capabilities, a webcam with night vision, and smartphone control
• CVE-2018-10987, CVE-2018-10988
• Obtain super-user rights on the vacuum remotely, view video and images, and physically move the vacuum
• Default username and password: admin:888888
Industrial IoT
Win32/Industroyer
• Malware framework used against Ukraine's power grid on December 17, 2016
• Cut power to a fifth of Kiev, the capital, for one hour (300K)
• Opened closed breakers in an infinite loop, causing the substation to de-energize
• Biggest threat to power grids since Stuxnet
Traffic Issues?
• Research by Cesar Cerrudo from IOActive
• A $100 device will cause traffic problems on the roads of most major US cities
• Hacked Sensys Networks VDS240 wireless vehicle detection systems
• 40 U.S. cities, including San Francisco, Los Angeles, New York City and Washington, DC
Traffic Issues?
• Signal sensor (induction) loops
• Detect vehicles passing or arriving at a certain point, for instance approaching a traffic light
• Feed information wirelessly about traffic flow
• Can fool control systems into thinking the road is clear or not
• This caused traffic signals to respond accordingly
Traffic Issues?
• Wireless sensor – a magnetometer that is installed in a small hole
• Access point – processes, stores and relays sensor data
• All communication is performed without encryption
• AP does not authenticate sensors – it just trusts all wireless data
Traffic Issues?
• Vendor claims that SNP radio transmissions never carry commands, so there is no opportunity to embed malicious instructions
• Caveat: the attacker had to be close to the sensor – a drone was used
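The two design gaps on the previous slides, no encryption and an access point that trusts whatever arrives over the air, are the ones a sensor vendor can close without changing the radio. As an added example (not the speaker's code and not the Sensys protocol), the following Python shows the minimum fix on the authentication side: each sensor tags its report with an HMAC under a key provisioned to the access point, and carries a sequence number so a captured report cannot simply be played back. The sensor identifiers, keys and JSON message layout are all constructed for the example; encryption of the report body is a separate step that is not shown here.

```python
import hashlib
import hmac
import json

# Constructed example keys: each sensor shares a secret with the access point.
# A real deployment would provision these at install time, not hard-code them.
SENSOR_KEYS = {
    "loop-17": b"constructed-key-for-loop-17",
    "loop-18": b"constructed-key-for-loop-18",
}


def _tag(key, body):
    """HMAC-SHA256 over the exact bytes that go on the air."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Sensor:
    """Vehicle-detection sensor that numbers and tags each report."""

    def __init__(self, sensor_id, key):
        self.sensor_id = sensor_id
        self.key = key
        self.seq = 0

    def report(self, occupied):
        self.seq += 1
        payload = {"id": self.sensor_id, "seq": self.seq, "occupied": occupied}
        body = json.dumps(payload, sort_keys=True).encode()
        return body, _tag(self.key, body)


class AccessPoint:
    """Access point that checks the tag and the sequence number before relaying data."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}
        self.accepted = []
        self.rejected = []  # (reason, payload) pairs, kept for monitoring

    def receive(self, body, tag):
        try:
            payload = json.loads(body)
        except ValueError:
            self.rejected.append(("malformed", None))
            return False
        key = self.keys.get(payload.get("id"))
        if key is None:
            self.rejected.append(("unknown sensor", payload))
            return False
        # compare_digest keeps the tag check constant-time
        if not hmac.compare_digest(_tag(key, body), tag):
            self.rejected.append(("bad tag", payload))
            return False
        if payload["seq"] <= self.last_seq.get(payload["id"], 0):
            self.rejected.append(("replay", payload))
            return False
        self.last_seq[payload["id"]] = payload["seq"]
        self.accepted.append(payload)
        return True


def demo():
    """Run one genuine report plus three test vectors the AP must refuse."""
    ap = AccessPoint(SENSOR_KEYS)
    s17 = Sensor("loop-17", SENSOR_KEYS["loop-17"])
    body, tag = s17.report(True)
    genuine = ap.receive(body, tag)                               # accepted
    tampered = ap.receive(body.replace(b"true", b"false"), tag)   # body changed, tag stale
    replayed = ap.receive(body, tag)                              # same report again
    unregistered = Sensor("loop-99", b"no-key-provisioned-for-this-id")
    unknown = ap.receive(*unregistered.report(False))             # id not in key table
    return {"genuine": genuine, "tampered": tampered, "replayed": replayed,
            "unknown": unknown, "reasons": [reason for reason, _ in ap.rejected]}


if __name__ == "__main__":
    print(demo())
```

The rejected list is as useful as the accepted one: an access point that logs "bad tag" and "replay" counts per sensor gives the traffic operations centre the detection signal that the unauthenticated design never could.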
DDoS Killing us…
• Brickerbot
– When the malware connects to a device with its default username and password -- often easily found on the internet -- it corrupts the device's storage, leading to a permanent denial-of-service (PDoS) state, also known as "bricking"
– Can require replacement or re-installation of the device
Internet-Exposed Protocols
Looking to the Future
Lack of Standards
• IoT is a virtual 'Wild West' with few rules
• Little regulatory oversight
• Masses of pioneers competing to strike their fortune
• One of the single most important hurdles going forward: improve interoperability of IoT solutions and help define the minimum security standards
Lack of Standards
• That is not to say that there isn't movement in standards building
• "Thread" networking protocol
– Google's Nest, Samsung, ARM Holdings, Freescale Semiconductors, and Silicon Labs
– Aims at standardizing IoT network communications
• Intel, Cisco, AT&T, GE and IBM are working together to build standards for industrial IoT use
Lack of Standards
• AllSeen Alliance (merged with Open Connectivity Foundation)
– Cisco, Qualcomm, Microsoft, LG and HTC
– Working to create an interoperable peer connectivity and communications framework
– IoTivity open source project
– AllJoyn open source IoT framework
Risk-Based Approach
• Assess risk by identifying threats, vulnerabilities, and consequences
• Always base your mitigation plan on a risk assessment
• Make this an ongoing process!
• Evaluate whether the device needs to be connected at all and whether it is secure enough for your environment
Threat Modeling
• Threats to organizations can be somewhat unique
• Allows you to identify the assets you are trying to protect and which actors you are protecting them from
• Determines the consequences of inaction
• Ensures your plans are cost effective
Know Your Tech
• Configuration management database (CMDB) of the smart devices on your network
• Where are you using the $50 sensor??
• Which IoT devices do you use and what is the relationship between them?
• Know their weaknesses
• Which type of communication do they operate on (Wi-Fi, BT, NFC, ZigBee, etc.)?
• Keep software up to date (i.e. patching)
Some other Steps
• IoT in the enterprise
– Don't allow IoT to connect to your network unless you need to (personal devices out of the workplace)
– Create a separate, firewalled, monitored IoT network
– Turn off what you don't need via firewall
– Make sure you have the latest firmware
– Avoid products that can't be updated
– Ensure these devices are part of your patch strategy
Some other Steps
• IoT in the enterprise
– Be wary about cloud connected devices
– Regularly assess devices
– Ensure that people can't physically access these IoT devices, to avoid local password resets, etc.
– Enable encryption whenever possible
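The "Know Your Tech" and "Some other Steps" slides describe a checklist that only works if it is run against an inventory rather than from memory. As an added example (not the speaker's or KPMG's tooling), the following Python turns that checklist into a triage pass over a constructed CMDB: each device record carries the attributes the slides ask about (comms type, network segment, whether it is still needed, whether it can be updated, firmware age, default credentials, cloud connectivity, exposed services) and the assessment returns the policy findings per device, worst first. The 180-day firmware threshold, the list of unneeded services and the "iot" segment name are assumed policy values, not figures from the talk; the three sample devices are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values (not from the talk): firmware older than this is "not latest".
MAX_FIRMWARE_AGE_DAYS = 180
# Services a monitored IoT segment rarely needs exposed (assumed list).
UNNEEDED_SERVICES = {"telnet", "ftp", "upnp"}
IOT_SEGMENT = "iot"  # assumed name of the separate, firewalled IoT network


@dataclass
class Device:
    name: str
    comms: str                 # Wi-Fi, BT, NFC, ZigBee ...
    segment: str               # network the device actually sits on
    needed: bool               # does anyone still need it connected?
    updatable: bool
    firmware_date: date
    default_creds_changed: bool
    cloud_connected: bool
    open_services: tuple


def assess(device, today):
    """Return the policy findings for one device, in the order the slides list them."""
    findings = []
    if not device.needed:
        findings.append("not needed: remove from the network")
    if device.segment != IOT_SEGMENT:
        findings.append("not on the separate, firewalled IoT network")
    if not device.updatable:
        findings.append("cannot be updated: avoid or replace")
    elif (today - device.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware older than {MAX_FIRMWARE_AGE_DAYS} days")
    if not device.default_creds_changed:
        findings.append("default credentials unchanged")
    if device.cloud_connected:
        findings.append("cloud connected: review what it sends out")
    for svc in sorted(UNNEEDED_SERVICES & set(device.open_services)):
        findings.append(f"unneeded service exposed: {svc}")
    return findings


def triage(devices, today):
    """Map each device name to its findings."""
    return {d.name: assess(d, today) for d in devices}


def prioritize(report):
    """Device names ordered by number of findings, worst first (ties broken by name)."""
    return sorted(report, key=lambda n: (-len(report[n]), n))


# Constructed sample CMDB rows; none describe a real network.
SAMPLE_CMDB = [
    Device("lobby-thermostat", "Wi-Fi", "iot", True, True, date(2018, 12, 1), True, False, ("https",)),
    Device("boardroom-camera", "Wi-Fi", "corp", True, True, date(2018, 6, 1), False, True, ("telnet", "rtsp")),
    Device("kitchen-fridge", "Wi-Fi", "iot", False, False, date(2017, 1, 1), True, True, ("upnp",)),
]


def sample_report():
    """Triage the constructed CMDB as of a fixed date so results are reproducible."""
    return triage(SAMPLE_CMDB, date(2019, 3, 1))


if __name__ == "__main__":
    report = sample_report()
    for name in prioritize(report):
        print(name, report[name] or ["ok"])
```

The point of the fixed assessment date and the explicit thresholds is that the pass can be re-run on every CMDB refresh, which is what "make this an ongoing process" amounts to in practice; a device that gains a finding between two runs is the change worth a ticket.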
Establish Strong Partnerships
• Local law enforcement
• Vendors
• Fusion centers
• US-CERT / ICS-CERT
• MS-ISAC
• Universities
• Public/Private Partnerships
• FIRST
• Online Trust Alliance
• Share and coordinate with others
Questions? Comments?
Peter Morin
[email protected]
@petermorin123
http://www.petermorin.com