high tech, high threat · connectivity. internet connectivity is either contained in the item...

@petermorin123 @petermorin123 High Tech, High Threat Next Generation Cyber Challenges


Post on 13-Aug-2020


TRANSCRIPT

Page 1: High Tech, High Threat · Connectivity. Internet connectivity is either contained in the item itself, or a connected hub, smartphone, or base station. Expressing. Enables interactivity

@petermorin123@petermorin123

High Tech, High Threat

Next Generation Cyber Challenges


Peter Morin, CISSP

Director, Cyber Security Consulting

KPMG LLP

• Specialize in security of critical infrastructure, incident response, threat hunting, etc.

• Worked in the past for various military and government agencies

• CISSP, CISA, CRISC, CGEIT, GCFA


Disney Trip

• This is my 12yr old daughter, Charlotte.

• She is a coder and all-around techno-lover.

• We recently went on our yearly trip to Disney World

• Charlotte is always looking at something technology related to see or learn from.


Disney Trip

• She found this scavenger hunt at Epcot called “Agent P’s World Showcase Adventure”

• Based on Disney’s Phineas and Ferb cartoon.

• It allows you to use your smart device to interact with sensors that are a part of various puzzles

* And yes, that is a GoPro on her head!


• Interactive displays, cameras, gesture recognition software and proximity and position sensors that interface with the user’s smart device

• These sensors affect the interactive experience or game elements of the attraction

• Disney has spent over $1 billion


• Preventive Burglar Light

• Intrusion Detection by sound

• Indoor Climate Monitoring

• Energy Saving Mode lights off

Anyware Smart Adaptor light socket - $75


What makes this IoT?

• Connectivity: Internet connectivity is either contained in the item itself, or a connected hub, smartphone, or base station.

• Expressing: Enables interactivity with people and the physical world - means to create products that interact intelligently with the real world

• Sensing: Track and measure activity in the world

• Localization: The need for position based applications

• User Interface: Users need a way to view and understand the data captured by IoT.

• Small form factor: Allows for deployments where space is at a premium

• Energy Efficiency: Need to be able to operate for a year or more unattended using a conservative amount of energy or be able to wake up only periodically to relay data.

• Embedded Processors: Devices contain some computing power if only to be able to parse incoming data and transmit it.

Source: Digital temperature sensor


Sensors for everything!!

Source: National Control Devices / BLE demo SensorActivity

Pressure Sensors and Barometers

Temperature and Humidity Sensors

Proximity Sensors

Hall-Effect Sensors

Accelerometers

Gesture Sensors

Gas Sensing

Energy Monitoring

Gyroscopes

Moisture Sensors

Vibration Sensors

Color/Light Sensors

Compass

Magnetometers

Position Sensors

Average consumer cost for a sensor (incl. board, etc.) - $55-70USD


Average Sensor Cost

Source: Statista 2018

$0.44USD - Why???

• An increasing number of IoT sensor technology vendors are entering the marketplace

• IoT sensor components are constantly being optimized

• Modern IoT sensors are out-of-the-box technology


IoT In The US

• 3,000 Companies

• $125B In Funding

• $613B In Valuation

• 342,000 Employees


IoT - By the Numbers…

• 2018 – 7 billion devices worldwide

• 2020 – 20 billion devices

• Almost surpassed the world’s population of 7.53 billion [1]

• 7.19 billion mobile devices [2]

• 1.2 billion cars on earth

Source: [1] World Bank, [2] Ericsson Mobility Report June 2018


IoT to Surpass non-IoT by 2022

Source: 2018 Ericsson Mobility Report


IoT Remains Vulnerable

• IoT Village at DEF CON 26: 55+ vulnerabilities

• 0-days - Buffer Overflow, Command Injection, Local Privilege Escalation

• Badge reader and door lock controller, smart scale, smart lock, wearables, light bulbs, smart irrigation systems and Amazon’s Alexa


IoT Risk Report

• Forescout looked at 7 common IoT devices

– IP-connected security systems

– IP-connected infrastructure

– Smart video conferencing

– Connected printers

– VoIP phones

– Smart refrigerators

– Smart lightbulbs

Source: https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf


Key Findings

• 7 devices hacked in 3 minutes - but can take weeks to remediate

• Once infected, hackers can plant backdoors to launch automated botnet DDoS attacks

• Jamming or spoofing to hack smart security systems - control motion sensors, locks and cameras


Key Findings

• Exploited config settings to evade authentication on VoIP phones allow for snooping and recording of calls

• Hacked connected HVAC to force critical rooms (i.e. server rooms) to overheat critical infrastructure


Mirai’s distant cousin… IoTroop

• DDoS attacks against financial institutions

• DNS amplification attack with traffic volumes peaking at 30Gb/s.

• Routers, wireless IP cameras by TP-Link, Linksys, Synology, etc.

• Toolkit can be updated as new vulnerabilities are identified

• CVE-2017-8225, a known authentication bypass vulnerability affecting the wireless IP cameras.


Worldwide IoT Security Spending Forecast

Year:      2016  2017  2018  2019  2020  2021
Spending:  912M  1.1B  1.5B  1.9B  2.5B  3.1B

Securing IoT

Source: Gartner (March 2018) - https://www.gartner.com/newsroom/id/3869181

Through 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritization and implementation of security best practices and tools in IoT initiative planning.


Where do IoT Vendors See Themselves?


Consumer IoT Devices


Smart Home User Awareness

• 5/10 smart TV users haven’t updated the software apps on their devices in over a month, changed the default password or updated the firmware

• 6/10 have not updated their router firmware – ever.

• 1/10 use one password for all their devices

• 6/10 have different passwords for each device

• 7/10 changed the password +3 months ago

Source: Bitdefender Survey


Internet of Toys…

• Security is a primary concern with connected toys—especially since kids are involved.

• Barbie can listen to a child and hold a conversation thanks to its connection to a Wi-Fi network – a hacked doll could be turned into a spying device

• Sales of smart-connected toys will reach $8.4 billion by 2020

Source: Juniper Research


Wearables

Worldwide shipments of wearable devices believed to have reached 122 million in 2018 with 6.2% growth from 2017.

Source: IDC Forecast


Smart Home

• Wi-Fi connected Trane ComfortLink XL850 thermostats

• Weak auth mechanism and hardcoded credentials

• Uses custom protocol and predictable port number to administer remote access to all device functions


openHAB


openHAB – over 1000 supported things!


Insulin Pumps

• Johnson and Johnson OneTouch Ping Insulin Pump

• 114,000 patients affected

• Spoof communications between the remote control and the pump

• Deliver unauthorized insulin injections


ICSA-15-174-01

ICS-CERT Statement, re: Hospira Symbiq Infusion System:

“Internet-enabled smart IV pump that's in fairly widespread use contains remote exploits that would allow attackers to take control of the device.”

Disconnect the affected product from the network.


ICSA-15-174-01

Hospira’s very alarming response:

“Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET. Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.”
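One way to act on the "monitor and log" part of that guidance, as an added example that is not part of the original slides or the advisory: record every attempt to reach a pump on the three named ports and raise an alert when a port that should be closed is touched or when 8443 is reached from an unexpected host. The pump addresses, the allowed management host and the firewall log lines are constructed for illustration.

```python
import re
from collections import Counter

# Ports named in the vendor guidance quoted above.
CLOSED_PORTS = {20, 23}      # to be closed: any traffic here is unexpected
RESTRICTED_PORTS = {8443}    # assumption: left open only for management hosts

# Assumptions for this example (not from the advisory): pump addresses and
# the single host allowed to reach port 8443.
PUMP_ADDRESSES = {"10.20.30.41", "10.20.30.42"}
ALLOWED_MGMT_SOURCES = {"10.20.1.10"}

# Constructed sample lines in the Linux netfilter LOG style.
SAMPLE_LOG = """\
Aug 13 09:01:02 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.1.10 DST=10.20.30.41 PROTO=TCP SPT=51000 DPT=8443
Aug 13 09:02:10 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.7.77 DST=10.20.30.41 PROTO=TCP SPT=40112 DPT=23
Aug 13 09:02:11 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.7.77 DST=10.20.30.41 PROTO=TCP SPT=40113 DPT=23
Aug 13 09:03:45 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.1.10 DST=10.20.30.42 PROTO=TCP SPT=51044 DPT=20
Aug 13 09:05:00 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.9.5 DST=10.20.30.42 PROTO=TCP SPT=33001 DPT=8443
Aug 13 09:05:30 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.9.5 DST=10.20.30.99 PROTO=TCP SPT=33002 DPT=23
Aug 13 09:06:00 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.9.5 DST=10.20.30.41 PROTO=TCP SPT=33003 DPT=443
Aug 13 09:06:30 fw kernel: truncated entry SRC=10.20.9.5 DST=10.20.30.41
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line is incomplete."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return fields["SRC"], fields["DST"], fields["PROTO"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None


def watch(log_text):
    """Return (events, alerts) for traffic to pumps on the watched ports.

    events: every (src, dst, dport) attempt, kept for the audit trail.
    alerts: {(src, dst, dport): count} for attempts that break the policy.
    """
    events, alerts = [], Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "TCP" or dst not in PUMP_ADDRESSES:
            continue
        if dport not in CLOSED_PORTS | RESTRICTED_PORTS:
            continue
        events.append((src, dst, dport))
        # Closed ports alert for everyone; 8443 alerts unless allow-listed.
        if dport in CLOSED_PORTS or src not in ALLOWED_MGMT_SOURCES:
            alerts[(src, dst, dport)] += 1
    return events, dict(alerts)


if __name__ == "__main__":
    logged, raised = watch(SAMPLE_LOG)
    print(len(logged), "attempts logged")
    for key, count in sorted(raised.items()):
        print("ALERT", key, "x", count)
```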


Diqee Killer IoT Robot Vacuum

• Wi-Fi capabilities, a webcam with night vision, and smartphone-controlled

• CVE-2018-10987, CVE-2018-10988

• Obtain super-user rights on the vacuum remotely, view video and images, and physically move the vacuum

• Default username and password admin:888888


Industrial IoT


Win32/Industroyer

• Malware framework used against Ukraine’s power grid on December 17, 2016

• Cut a fifth of Kiev, the capital, off power for one hour (300K)

• Open closed breakers in an infinite loop, causing the substation to de-energize

• Biggest threat to power grids since Stuxnet


Traffic Issues?

• Research by Cesar Cerrudo from IOActive

• $100 device will cause traffic problems on the roads of most major US cities

• Hacked Sensys Networks VDS240 wireless vehicle detection systems

• 40 U.S. cities, including San Francisco, Los Angeles, New York City, Washington, DC.


Traffic Issues?

• Signal sensor (induction) loops

• Detect vehicles passing or arriving at a certain point, for instance approaching a traffic light

• Feed information wirelessly about traffic flow

• Fool control systems into thinking the road is clear or not

• This caused traffic signals to respond accordingly


Traffic Issues?

• Wireless sensor – magnetometer that is installed in a small hole

• Access point – processes, stores and relays sensor data

• All communication is performed without encryption

• AP does not authenticate sensors – just trusts all wireless data
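What the missing check could look like, as an added example that is not from the slides and is not the vendor's protocol: each sensor shares a key with the access point, every reading carries a truncated HMAC-SHA256 tag, and a per-sensor counter rejects replayed readings. The frame layout, sensor IDs and keys are hypothetical, and the sketch covers authentication only, not the missing encryption.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout: sensor_id (2 bytes), counter (4 bytes),
# vehicle_present (1 byte), followed by a 16-byte truncated HMAC tag.
HEADER = struct.Struct(">HIB")
TAG_LEN = 16


def build_frame(key, sensor_id, counter, vehicle_present):
    """Sensor side: serialize one reading and append its authentication tag."""
    body = HEADER.pack(sensor_id, counter, int(vehicle_present))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AccessPoint:
    """Accepts a reading only if its tag verifies and its counter is fresh."""

    def __init__(self, sensor_keys):
        self.sensor_keys = dict(sensor_keys)   # sensor_id -> shared key
        self.last_counter = {}                 # sensor_id -> highest counter seen

    def accept(self, frame):
        """Return (ok, reason, vehicle_present or None)."""
        if len(frame) != HEADER.size + TAG_LEN:
            return False, "malformed", None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        sensor_id, counter, present = HEADER.unpack(body)
        key = self.sensor_keys.get(sensor_id)
        if key is None:
            return False, "unknown sensor", None
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False, "bad tag", None
        if counter <= self.last_counter.get(sensor_id, -1):
            return False, "replayed", None
        self.last_counter[sensor_id] = counter
        return True, "ok", bool(present)


def demo():
    """Feed constructed frames to the access point; return each verdict."""
    key = bytes(range(32))                       # constructed demo key
    ap = AccessPoint({0x0101: key})
    genuine = build_frame(key, 0x0101, 1, True)
    forged = build_frame(b"\x00" * 32, 0x0101, 2, True)   # sender lacks the key
    tampered = bytearray(build_frame(key, 0x0101, 3, False))
    tampered[HEADER.size - 1] ^= 1               # "vehicle present" flipped in transit
    frames = [
        genuine,
        forged,
        bytes(tampered),
        genuine,                                 # same frame sent a second time
        build_frame(key, 0x0202, 1, True),       # sensor the AP was never paired with
        build_frame(key, 0x0101, 4, False),
    ]
    return [ap.accept(frame)[1] for frame in frames]


if __name__ == "__main__":
    print(demo())
```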


Traffic Issues?

• Vendor claims that SNP radio transmissions never carry commands and that there is no opportunity to embed malicious instructions

• Caveat that the attacker had to be close to the sensor – used a drone


DDoS Killing us…

• BrickerBot

– When the malware connects to a device using its default username and password -- often easily found on the internet -- the malware corrupts the device's storage, leading to a permanent denial-of-service (PDoS) state, also known as "bricking."

– Can require replacement or re-installation of the device


Internet-Exposed Protocols


Looking to the Future


Lack of Standards

• IoT is a virtual ‘Wild West’ with few rules

• Little regulatory oversight

• Masses of pioneers competing to strike their fortune

• One of the single most important hurdles going forward - improve interoperability of IoT solutions and help define the minimum security standards


Lack of Standards

• That is not to say that there isn’t movement in standards building

• “Thread” networking protocol

– Google’s Nest, Samsung, ARM Holdings, Freescale Semiconductors, and Silicon Labs

– Aim at standardizing IoT network communications

• Intel, Cisco, AT&T, GE and IBM are working together to build standards for industrial IoT use.


Lack of Standards

• AllSeen Alliance (merged with Open Connectivity Foundation)

– Cisco, Qualcomm, Microsoft, LG and HTC

– Working to create an interoperable peer connectivity and communications framework.

– IoTivity open source project

– AllJoyn open source IoT framework


Risk-Based Approach

• Assess risk by identifying threats, vulnerabilities, and consequences

• Always determine what your mitigation plan is going to be based on a risk assessment

• Make this an ongoing process!

• Evaluate whether that device needs to be connected and whether it is secure enough for your environment.


Threat Modeling

• These threats to organizations can be somewhat unique

• Allows you to identify the assets you are trying to protect and from what actor

• Determines the consequences of inaction

• Ensures your plans are cost effective


Know Your Tech

• Configuration management database (CMDB) of the smart devices on your network

• Where are you using the $50 sensor??

• Which IoT devices do you use and what is the relationship between them?

• Know their weaknesses

• Which type of communication do they operate on (Wi-Fi, BT, NFC, ZigBee, etc.)?

• Keep software up to date (i.e. patching)


Some other Steps

• IoT in the enterprise

– Don’t allow IoT to connect to your network unless you need to (personal devices out of the workplace)

– Create a separate, firewalled, monitored IoT network

– Turn off what you don’t need via firewall

– Make sure you have the latest firmware

– Avoid products that can’t be updated

– Ensure these devices are part of your patch strategy


Some other Steps

• IoT in the enterprise

– Be wary about cloud connected devices

– Regularly assess devices

– Ensure that people can’t physically access these IoT devices to avoid local password resets, etc.

– Enable encryption whenever possible


Establish Strong Partnerships

• Local law enforcement

• Vendors

• Fusion centers

• US-CERT / ICS-CERT

• MS-ISAC

• Universities

• Public/Private Partnerships

• FIRST

• Online Trust Alliance

• Share and coordinate with others


Questions? Comments?

Peter Morin

[email protected]

@petermorin123

http://www.petermorin.com