Solar Decathlon Cysec Presentation I Laura Cerrito, Maunil Sanghavi, Alexis Moore, Daniel Delaney, Assaf Kipnis, Justin Frech

Upload: assaf-kipnis

Post on 12-Jul-2015


Page 1: Security presentation - Solar Decathlon

Solar Decathlon Cysec Presentation I

Laura Cerrito, Maunil Sanghavi, Alexis Moore, Daniel Delaney, Assaf Kipnis, Justin Frech

Page 2

Project Goals

● Construct a zero-energy-balance, self-sustaining house
● Give the house "smart" features
● Compete successfully in the DOE Solar Decathlon
● Make the house a viable, marketable product
  ○ Competition model
  ○ Home model

Page 3

Security Goals

● Promote security within all aspects of the project (beyond CS scope)
● Increase marketability
● Provide security mitigation for CIA/P (confidentiality, integrity, availability, privacy) concerns
● Promote security through flexibility throughout the house's lifecycle
● Provide fallback and disaster recovery plans for both competition and home models

Page 4

Learning

The house will receive data from environmental sensors and use that information to make decisions on:
● Energy conservation
  ○ Turn appliances on/off
  ○ Window shade control
● Maximizing resident comfort
  ○ Climate control

Page 5

Learning/Smart Features

Learning:
● Weather patterns (built-in weather station)
● Time of day / outside light (sensors)
● Room capacity (sensors)
● Power usage (appliances)

Smart:
● Centralized appliance control (mobile app)
● Built-in wireless network

Page 6

High Level Security Concerns

● Confidentiality
  ○ Aggregation of user data
  ○ Mobile app usage (user profiles)
● Integrity
  ○ Sensor/appliance data flow into sensor module
    ■ Wired
    ■ Wireless
  ○ Wireless network dependability
  ○ Weather data authentication
  ○ Appliance communication

Page 7

High Level Security Concerns (cont.)

● Availability
  ○ Weather station data
  ○ Sensor data
  ○ Sensor module
  ○ Appliance data
  ○ Mobile application
  ○ Wireless network
  ○ Communication with service providers (power, internet, etc.)

Page 8

High Level Security Concerns (cont.)

● Privacy
  ○ Power consumption aggregation (smart meter)
  ○ Resident movements and habits
  ○ Personal information on network

Page 9

CS Team Goals

Create software and infrastructure for learning features and control:
● Web server (Windows Server 2008)
● Database (MongoDB)
● Learning algorithm
● Alternate website (the main site is done by VisTech)
● Mobile application (Android)

Page 10

CS Team Level Security Concerns

● Confidentiality
  ○ Aggregation of usage data (power, appliances, etc.)
  ○ Centralized billing information
  ○ Centralized payment information
● Integrity
  ○ Flow of data from sensor module to web server
  ○ Flow of data into and within the DB
  ○ Communication with mobile application and website
  ○ Historical data (weather)

Page 11

CS Team Level Security Concerns (cont.)

● Availability
  ○ Server data
  ○ DB data
  ○ WiFi communications
  ○ User profiles
  ○ Physical machine (server/DB)
● Privacy
  ○ Personal information (user profiles)
  ○ Stored learned information (learning algorithm output)
  ○ Historical information

Page 12

Usage and Threat Scenarios

● Decathlon model
  ○ No outside attackers
  ○ No privacy concerns
  ○ Focus on integrity and availability
  ○ Disaster recovery as a high value
  ○ Marketability: creates a shift in focus towards future use (home model)

Page 13

Usage and Threat Scenarios (cont.)

● Home model
  ○ Outside attackers
  ○ Privacy as a high value target
  ○ Flexibility of interchangeable parts
    ■ Hardware
    ■ Software
    ■ Appliances
    ■ Sensors

Page 14

Attacker Models

● Honest but curious
  ○ Users with low access levels
  ○ Users of a potential outside mobile application
    ■ Judges (competition model)
● Malicious
  ○ Identity thieves
  ○ Disgruntled employees (utility companies)
  ○ Recreational hackers
  ○ DoS networks
  ○ Burglars (gather information from smart features)

Page 15

Solar Decathlon Cysec Presentation II

Laura Cerrito, Maunil Sanghavi, Alexis Moore, Daniel Delaney, Assaf Kipnis, Justin Frech

Page 16

Asset Identification (Back End)

● Operating system
  ○ Windows Server 2008 R2
● Web server
  ○ Windows Server 2008 R2
● Database
  ○ MongoDB
● Wireless router
  ○ NetGear N750
● Programming languages
  ○ Java and PHP

Page 17

Identified Vulnerabilities

● NoSQL injection (DB)
● Script injection attacks (DB)
● No encryption of data files (DB)
● No encryption in transit or at rest (DB)
● No auditing ability (DB)
● Passwords and usernames stored as MD5 hashes by default (DB)
● Privilege escalation (OS)
● Directory traversal attack (OS)
● XSS (server)

Page 18

Mitigation

● Explicitly encrypt sensitive info in the DB
● Must "hide" traffic behind an HTTP proxy for in-transit encryption (server)
● Define permissions on the HTTP proxy
● All user input must be sanitized
● Change MD5 hash to SHA256
● Create a detached audit table
● Access control lists
● Disallow users from uploading any documents
● Disallow any user input on the app or site

Page 19

Asset Identification (Front End)

● Additional server (disconnected from the Internet) (in discussion)
  ○ Jurors
● Programming languages
  ○ HTML5
  ○ JSON (mobile app)
  ○ Java (Android)

Page 20

Identified Vulnerabilities

● NoSQL injections
● JavaScript injections
● Session hijacking
● Fuzzing attacks
● Certificate spoofing

Page 21

Mitigations

● Input sanitization
● Access control lists
● Encrypt server communications
  ○ Incoming
  ○ Outgoing
● Preemptive fuzzing
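As an added illustration of the NoSQL injection item on both vulnerability slides (pages 17 and 20) and the input sanitization mitigation on pages 18 and 21, not code from the project: a per-resident usage lookup against a constructed stand-in for the MongoDB collection, built once straight from the decoded JSON request body and once with the value validated first. Function names, field names and the sample data are assumptions.

```python
"""Added example (not the project's code): MongoDB-style operator injection in a
usage-data lookup, beside the sanitized builder that refuses it. The collection
and matcher are constructed stand-ins so this runs without a database; only the
$ne and $in operators are modelled, which is enough to show the problem."""

# Constructed sample data: per-resident power usage, the kind of aggregated
# usage data the privacy slides list as sensitive.
USAGE = [
    {"user": "resident1", "kwh_today": 12.4},
    {"user": "resident2", "kwh_today": 9.1},
    {"user": "juror1", "kwh_today": 0.0},
]

def _field_matches(value, cond):
    """Mimic MongoDB: a dict in the filter is an operator object, not a value."""
    if isinstance(cond, dict):
        return all(
            (op == "$ne" and value != arg) or (op == "$in" and value in arg)
            for op, arg in cond.items()
        )
    return value == cond

def find(collection, query):
    """Return every document whose fields all satisfy the query filter."""
    return [d for d in collection
            if all(_field_matches(d.get(k), c) for k, c in query.items())]

def naive_usage_filter(body):
    """Vulnerable: the JSON-decoded value goes into the query unchanged, so a
    body of {"user": {"$ne": ""}} turns a one-user lookup into a dump of all."""
    return {"user": body["user"]}

def hardened_usage_filter(body):
    """Sanitized: accept only a short alphanumeric string for the username.
    Objects, lists and numbers are rejected before they can reach the DB."""
    user = body.get("user")
    if not isinstance(user, str) or not user.isalnum() or len(user) > 32:
        raise ValueError("username must be a short alphanumeric string")
    return {"user": user}

def hardened_rejects(body):
    """True if the sanitized builder refuses this request body."""
    try:
        hardened_usage_filter(body)
    except ValueError:
        return True
    return False
```

The same type check belongs on every field a client can supply, not just the username; a filter assembled from untrusted JSON is injectable anywhere a dict is accepted in place of a scalar.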

Page 22

Identification of chokepoints

● Central module (EE control)
  ○ All house communications
● Sensor module (EE control)
  ○ All sensor communications
● CS module (server)
● Mobile application

Page 23

Mitigation

● Discuss replacement modules with the EEs
  ○ Fallback to a wired connection to the server module (XBee)
● Secondary server
  ○ Competition model: outside the house
  ○ Home model: seamless replacement
● Secondary mobile app
  ○ Competition model: replacement tablet/web app
  ○ Home model: web app fallback

Page 24

User Groups

● Competition model
  ○ Superuser
    ■ All rights
  ○ Juror
    ■ View limited data (high-level power usage)
    ■ Limited usability (turn lights on/off)
● Home model
  ○ Superuser
    ■ All rights
  ○ Visitor
    ■ Malleable access rights

Page 25

Solar Decathlon Cysec Presentation III

Laura Cerrito, Maunil Sanghavi, Alexis Moore, Daniel Delaney, Assaf Kipnis, Justin Frech

Page 26

Threat Profile

● Spoofing
  ○ Man-in-the-middle attacks
  ○ Cross-site request forgery
● Tampering
  ○ Session hijacking
  ○ Virtual defacement
  ○ Cross-site scripting (XSS)
● Repudiation
  ○ Modification attacks
  ○ Certificate spoofing/expiration

Page 27

Threat Profile (cont.)

● Information disclosure
  ○ Resident/user data exposure
● DoS
  ○ SYN spoofing
  ○ Floods (ICMP, UDP, SYN)
  ○ Reflection/amplification attacks
● 0-day attacks
  ○ Previously unknown attack vectors

Page 28

Security Strategy: 4-Layer Defense in Depth

1. Perimeter defense
  ○ Firewall (traffic filtering)
  ○ Proxy servers
  ○ DoS attacks
2. OS and application security
  ○ Physical access
  ○ Patching
  ○ Service packs

Page 29

Security Strategy: 4-Layer Defense in Depth (cont.)

3. Host protection
  ○ Attacks from within the network
  ○ HIDS (host-based IDS)
  ○ Internal firewalls
  ○ Anti-virus software
  ○ Access policy
4. Data/information protection
  ○ Data encryption
    ■ In transit
    ■ At rest

Page 30

Security Architecture Model

● Detection
  ○ Identify intrusion
  ○ Follow intrusion path
  ○ IDS (intrusion detection system)
● Prevention
  ○ Prevent unauthorized access
  ○ Prevent and control changes
  ○ IPS
● Monitoring
  ○ Security policy and assessments
● Management
  ○ Allow flexibility of the above for future changes

Page 31

Test Plan

Viewpoints:
● Black box (external)
  ○ External testing
  ○ Reconnaissance (social engineering)
  ○ Enumeration (nmap)
  ○ Abuse of web protocols
● White box (internal)
  ○ Internal testing (attack from within the network)
  ○ Privilege escalation
  ○ Configuration changes

Page 32

Test Plan (cont.)

Techniques:
● Review (documents, procedures, logs)
● Target identification (network discovery, port scan, vulnerability scan, wireless scan)
● Target vulnerability validation (password cracking, penetration testing)
● Fuzzing
● Buffer overflow

Page 33

Questions?