$home sweet $home devoxx 2015

@xme #Devoxx #IoT $HOME Sweet $HOME Xavier Mertens TrueSec

Upload: xavier-mertens

Post on 21-Jan-2018


TRANSCRIPT

@xme#Devoxx #IoT

$HOME Sweet $HOME

Xavier Mertens

TrueSec

$ cat ~/whoami.xml
<profile>
  <real_name>Xavier Mertens</real_name>
  <day_job>Freelance Security Consultant</day_job>
  <night_job>Hacker, Blogger</night_job>
  <![CDATA[
    www.truesec.be
    blog.rootshell.be
    isc.sans.edu
    www.brucon.org
  ]]>
</profile>

$ cat ~/.profile

• I like (your) data

• Playing “active defense”

• I prefer (black) t-shirts than ties

• I like to play with gadgets

$ cat /opt/disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

Agenda

• A revolution entered our homes

• “Internet of Terror”

• Issues & Mitigations

Do you remember?

2:291/715.9

39:120/201.9

company!bigfoot!vax!xavier

What is the difference between…

This…

And this…

Or this…

FAIL!

(Diagram: the trade-off between Security, Features and Ease of Use)

(Diagram: the same trade-off with Business added)

You said “Security”?

Source: http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Source: http://www.engadget.com/2011/08/04/researcher-hacks-wireless-insulin-pump-to-push-lethal-doses-giv

Source: http://archive.hack.lu/2015/2015-10-20-SEKOIA-Keynote%20Internet%20of%20Tchotchke-v1.0.pdf

Source: http://destinhaus.com/driverless-cars-the-car-hack-security-challenge/

Big Brother is watching you?

Tools & Languages

Popularity == Nice target

Source: cvedetails.com

Security goals

• To protect “data”

• To prevent unauthorised access

• To prevent unauthorised modification

• To prevent loss

Security is relative

• Directly related to your business and needs

• Security is measured at a time “T”

• Security level is directly related to the weakest point

• Security must be constantly reviewed and adapted

“Security is a process, not a product” - Bruce Schneier

Pivot!

“We are always a weakest point for someone else!”

(Diagram: You, Me, Partner, linked by trust relationships)

“Developers think of ways to make things”

“Security peeps think of ways to break things”

Infosec guys VS. developers

Infosec guys:

• Implement boring controls

• Make our daily job difficult

• Are paranoiac

• Don’t know the business

Infosec guys VS. developers

Developers:

• Just write lines of code

• Don’t have a clue about security

• Have short deadlines (“RTM”)

• Re-use pieces of code (and the associated bugs)

Source: Intel

Source: OpenDNS The 2015 Internet of Things in the Enterprise Report

(Diagram: IoT building blocks Sensors, Software, Connectivity and Big data, with their associated threats: Vulnerability, Exploit, MitM, Privacy abuse)

Top security threats

Source: Capgemini & Sogeti, “Security of the IoT Survey”, Nov 2014

Issue #1 - It’s a computer…

• Insecure Web Interface

• Insufficient Authentication/Authorization

• Insecure Network Services

• Lack of Transport Encryption

• Privacy Concerns

• Insecure Cloud Interface

• Insecure Mobile Interface

• Insufficient Security Configurability

• Insecure Software/Firmware

• Poor Physical Security

Source: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

Issue #2 - In the wild

• Working in our real life!

• Physical access == Pwn3d!

• Access personal data

• Access health data

• Access & control critical data (electricity, gas, water, cars)

Issue #3 - Limited resources

• Slow CPU

• Basic interface (who said “where is the GUI?”)

• Restricted RAM

• Restricted storage

• Restricted API calls

• Restricted features

• Battery usage

Issue #4 - Crypto

• Use good crypto (hashing is not crypto)

• Crypto requires resources (see #3)

• Self-made crypto == bad crypto
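As an added illustration of “hashing is not crypto” and “self-made crypto == bad crypto” (not code from the talk), a constructed smart-meter reading is protected first by a bare SHA-256 “checksum” and then by an HMAC under a per-device key; the meter data, the key and the function names are assumptions. Both use the same hash primitive, and the only thing that turns it into a real integrity control is the secret key.

```python
import hashlib
import hmac
import json
import os

# Constructed sample: a smart-meter reading sent by a device to its backend.
READING = {"meter_id": "meter-0001", "kwh": 1234.5, "ts": 1445875200}


def encode(reading: dict) -> bytes:
    """Canonical JSON so that sender and verifier hash identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


# --- The "self-made" scheme: an unkeyed SHA-256 appended as a checksum ---

def hash_tag(reading: dict) -> str:
    return hashlib.sha256(encode(reading)).hexdigest()


def hash_verify(reading: dict, tag: str) -> bool:
    # Anyone who can modify the message can also recompute this tag,
    # so it only detects accidental corruption, never deliberate tampering.
    return hmac.compare_digest(hash_tag(reading), tag)


# --- Proper integrity: HMAC-SHA256 under a per-device secret key ---

def hmac_tag(key: bytes, reading: dict) -> str:
    return hmac.new(key, encode(reading), hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, reading: dict, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(hmac_tag(key, reading), tag)


def tamper_demo(key: bytes) -> dict:
    """Alter the reading in transit and re-verify it under both schemes."""
    tampered = dict(READING, kwh=0.0)
    # The unkeyed tag is recomputable by whoever altered the message.
    hash_ok = hash_verify(tampered, hash_tag(tampered))
    # Without the device key, the original tag no longer matches the bytes.
    hmac_ok = hmac_verify(key, tampered, hmac_tag(key, READING))
    return {"unkeyed_hash_accepts_tamper": hash_ok, "hmac_accepts_tamper": hmac_ok}


if __name__ == "__main__":
    device_key = os.urandom(32)  # assumed: provisioned per device at manufacturing
    print(tamper_demo(device_key))
```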

Issue #5 - External resources

• Why reinvent the wheel?

• External resources are buggy / may contain backdoors

Issue #6 - Valuable data

• Why store so much data?

• Data classification

• Data privacy

Issue #7 - Back to the roots

• IoT will be deployed by old-school industries (ex: smart meters)

• Know their business

Tips to keep in mind

• IoT is here and is invading (and will keep invading) our homes & companies

• Think: “IoT” == “Computers” (same issues)

• Smart != Safe

• Tools exist… but assess them!

• Ask yourself: “Do I need it?”

• Apply critical security controls (1)

(1) http://www.sans.org/critical-security-controls

Tips to keep in mind

• Think “data privacy”. Do I need the data in the device? What if data are stolen?

• Implement security from the design (remember “SDLC”)

Questions?

@xme

[email protected]

https://www.truesec.be

https://blog.rootshell.be