
Page 1: IoT: the emerging security challenge · 2020. 3. 25. · fixing in SDLC1 1Jones, C.; Software Quality Metrics: Three Harmful Metrics and Two Helpful Metrics, Project Performance International,

IoT: the emerging security challenge

Considerations for a secure API environment

Razvan Tudor

Chapter Lead IT Security @ ING Software Development Centre

#IoTDS

Page 2:

IoT in numbers

#IoTDS

Out of the ~15 bn devices connected in 2015, almost one third (5 bn) are devices from commercial, industrial and consumer environments.

By 2020 the forecast is that this number will reach 20 bn out of 30/50 bn devices, while IoT spending will rise to 1 bn.

Recent history has shown that devices are not immune to the cyber threat landscape.

Page 3:

IoT security: is it worth it?

#IoTDS

Not really, it does not make sense. It will take some time before we see cyber attacks involving IoT.

Not feasible. IoT devices cannot be made secure.

IoT should receive the same treatment as traditional IT security.

What is IoT Security?

Page 4:

Cybercrime in the media

#IoTDS

Page 5:

Can traditional security work for IoT?

#IoTDS

Information (IT) security as well as IoT security is all about people, technologies and processes, BUT IoT security brings new challenges.

IoT ecosystems consist of large numbers of devices, usually fit for purpose, with an enormous variety of types of data and information flows.

It is expected that the traditional IT security and new IoT security worlds will merge.

Page 6:

Architecture Components

#IoTDS

[Architecture diagram] Layers: Network, Device, Platform. Cross-cutting: Encryption, PKI, Analytics, Authentication, API. Business Platform / Proposition: API, Apps, Building Blocks, Infrastructure, Engineering.

Page 7:

From API technology…

#IoTDS

An application programming interface (API) is a set of subroutines, protocols, and tools for building application software.

• Web APIs are the most consumed APIs, with JSON, microservices and RESTful services representing the top technologies used

• It is estimated that more than a quarter of internet traffic comes from API calls

Page 8:

…to attack categories

#IoTDS

Denial of Service
• Dyn & others
• Application or network
• Act as intermediary (botnet)

Application Vulnerabilities
• Injection (command, queries, file, code)
• Buffer overflow
• XSS, CSRF
• JSON hijacking

Privileges
• Privilege escalation
• Unprotected keys and passwords
• Account takeover

Functionality
• Firmware corruption
• Brute forcing
• Various abuse scenarios (credential)

Page 9:

#IoTDS

One solution: Secure - SDLC

Page 10:

Where are you likely to find more code?

#IoTDS

• Linux kernel
• Modern car
• Windows operating system
• Android

Page 11:

Why? Software Complexity

#IoTDS

Irrespective of the exact figures, the complexity of IoT embedded software is increasing, leading to a high demand for software security testing on top of traditional security controls.


Page 12:

S-SDLC recommended touch points

#IoTDS

Developers Training
• Classroom
• Gameplay
• Security Satellites

SAST (Static Application Security Testing)
• Integrated IDE checkers
• Can identify coding bugs but not design flaws
• False negatives
• Calibration of tool/results

DAST (Dynamic Application Security Testing)
• Does not compensate for pen testing
• Lots of calibration effort
• Good secure design + SAST + pen testing might save DAST effort

Pen Testing
• Keep a balance between effort and results
• Grey box recommended
• Rotating testers

Secure Design (Threat Modelling)

Page 13:

Solving the issues is easy most of the time

#IoTDS

The cost of fixing a bug in production is 4 times the cost of fixing it in the SDLC¹

¹ Jones, C.; Software Quality Metrics: Three Harmful Metrics and Two Helpful Metrics, Project Performance International, 6 June 2012

Page 14:

#IoTDS

Lessons learned from the field

• Various injection vulnerabilities are all about input sanitization

• Large scale API consumption requires good API management practices

• Checks and validations are crucial but slow down performance

• Insecure coding leads to direct object reference issues

• Sometimes it is all about headers

• Brute forcing must be prevented by design

• CSRF (incl. JSON hijacking) is very common

Page 15:

#IoTDS

Potential solutions

Input & Output
• Type, range, valid chars, length, frequency
• Encoding, whitelisting

API Management
• Use API versioning
• Response codes and error handling

Checks & Validation
• Every call (re)validates (previous) values
• Only on GET can some validations be skipped
• Results stored only server-side
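The input and output rules above, as an added example that is not part of the slides: a whitelisting validator for a hypothetical device-telemetry payload (the field names, patterns and limits are assumptions made for this example) that checks type, range, allowed characters and length, rejects unknown fields, and encodes anything echoed back into an HTML context. Because the function is stateless it re-validates every call; frequency is a rate-limiting concern and is not covered here.

```python
import html
import re

# Constructed allowlist schema for a hypothetical IoT device-telemetry API.
# Field names, patterns and limits are assumptions for this example, not from the slides.
SCHEMA = {
    "device_id": {"type": str, "pattern": re.compile(r"[A-Za-z0-9-]{8,32}")},
    "temperature": {"type": (int, float), "min": -50.0, "max": 150.0},
    "label": {"type": str, "max_len": 64, "pattern": re.compile(r"[\w .-]*")},
}
REQUIRED = ("device_id", "temperature")


def validate(payload: dict) -> list:
    """Return a list of validation errors; an empty list means the payload is accepted.

    Every check is an allowlist: unknown fields, wrong types, out-of-range numbers,
    over-long strings and characters outside the permitted set are all rejected.
    """
    errors = []
    for key in payload:
        if key not in SCHEMA:
            errors.append(f"{key}: unexpected field")
    for key in REQUIRED:
        if key not in payload:
            errors.append(f"{key}: missing")
    for key, rule in SCHEMA.items():
        if key not in payload:
            continue
        value = payload[key]
        # bool is a subclass of int in Python, so True would pass a numeric check without this.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{key}: wrong type {type(value).__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{key}: longer than {rule['max_len']} characters")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{key}: characters outside the allowlist")
        # NaN fails this comparison too, so it is rejected as out of range.
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            errors.append(f"{key}: out of range [{rule['min']}, {rule['max']}]")
    return errors


def encode_for_html(text: str) -> str:
    """Output encoding for values echoed into an HTML context (e.g. a device dashboard)."""
    return html.escape(text, quote=True)
```

Validation and encoding are kept separate on purpose: the validator decides what is stored, the encoder is applied at the output boundary for the context the value ends up in, so a value that is safe for a JSON body is still encoded before it reaches HTML.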

Page 16:

#IoTDS

Potential solutions cont’d

Direct referencing
• Confidential information avoided in the URL or query string
• API hosted in a different (URL) path

Headers
• Set correct security headers
• Validate CSRF header

Bruteforcing
• Banning requests based on IP address
• Limit number of requests per period

CSRF/JSON Hijacking
• Validate content type header
• Return objects, not arrays
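The headers, brute-forcing and CSRF/JSON-hijacking items above, as an added example that is not part of the slides: a request filter for a hypothetical JSON API (the request model, session store, header set and limits are assumptions made for this example) that bans an IP after too many requests in a window, rejects state-changing requests whose Content-Type is not application/json or whose X-CSRF-Token header does not match the token held server-side for the session, sets security headers on every response, and wraps top-level arrays in an object so no response is ever a bare JSON array.

```python
import hmac
import json
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal request model, constructed for this example."""
    ip: str
    method: str
    headers: dict = field(default_factory=dict)
    session_id: str = ""


# Constructed server-side session store: session id -> CSRF token issued for it.
SESSIONS = {"sess-1": "tok-7f3a"}

# Headers set on every API response (assumed set; tune the CSP to the deployment).
SECURITY_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}


class RateLimiter:
    """Sliding window per IP: more than `limit` requests in `window` seconds bans the IP for `ban` seconds."""

    def __init__(self, limit=5, window=60.0, ban=300.0):
        self.limit, self.window, self.ban = limit, window, ban
        self.hits = defaultdict(deque)   # ip -> timestamps inside the current window
        self.banned = {}                 # ip -> time at which the ban expires

    def allow(self, ip: str, now: float) -> bool:
        until = self.banned.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.banned[ip]
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.banned[ip] = now + self.ban
            q.clear()
            return False
        q.append(now)
        return True


def check_csrf(req: Request):
    """Return None if the request passes, otherwise the reason it is rejected."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return None
    # A cross-site HTML form can only send urlencoded, multipart or text/plain bodies;
    # insisting on application/json for state-changing calls blocks that vector.
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "unsupported content type"
    # Custom header bound to the session: a forged cross-origin request cannot add it.
    expected = SESSIONS.get(req.session_id)
    supplied = req.headers.get("X-CSRF-Token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "invalid CSRF token"
    return None


def json_response(status: int, data):
    """Serialise `data` with the security headers; a top-level array is wrapped in an
    object so the body is never a bare JSON array (the classic JSON-hijacking target)."""
    if isinstance(data, list):
        data = {"items": data}
    return status, dict(SECURITY_HEADERS), json.dumps(data)


def handle(req: Request, limiter: RateLimiter, now: float, data):
    """Filter order: rate limit first (cheapest, and applies to banned IPs regardless
    of method), then CSRF checks for state-changing calls, then the real response."""
    if not limiter.allow(req.ip, now):
        return json_response(429, {"error": "too many requests"})
    problem = check_csrf(req)
    if problem:
        return json_response(403, {"error": problem})
    return json_response(200, data)
```

The limiter counts attempts per source IP, which is what the slide proposes; behind a shared NAT or a proxy that does not pass the client address this bans whole populations, so in practice the key is combined with the account or device identity being targeted. The Content-Type check only helps when the CORS policy does not grant arbitrary origins permission to send application/json.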

Page 17:

#IoTDS

Future of IoT Security (API)

Page 18:

#IoTDS

Future of IoT Security (API)

• Most likely traditional IT (Business) technology will merge with Consumer (IoT) technology

• The merge will be facilitated by the proliferation of API consumption, which will represent one of the biggest security challenges

• Large API numbers and the data volumes around APIs will require a focus on secure development/secure components rather than on the entire security ecosystem

• Regulation will step in

• Security organizations will probably need to change/adapt

Page 19:

Q&A

#IoTDS