Welcome to The Internet of (Insecure) Things
Who am I? Who is Nexum?
I’m Chandler Howell, Director of Engineering at Nexum
[email protected]
@chandlerhowell on Twitter
Nexum is a Network & Security Reseller & Consultancy
Headquartered in Chicago
Presence East of the Mississippi River
http://nexuminc.com
The Internet of (Insecure) Things
1. The Internet of What?
2. Smart is the New Dumb
3. When Worlds Collide
4. Failure Modes
5. A Parade of Horrors
6. So What Now?
THE INTERNET OF WHAT?
A few definitions might be handy
The Internet of What?
“The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” – Gartner
“Spime is a neologism for a futuristic object…that can be tracked through space and time throughout its lifetime” – Wikipedia/Bruce Sterling
The Internet of What?
IoT is massive and getting massiver
[Chart: number of IoT devices (billions), 2014 to 2020; Residential (78%), Commercial (22%)]
Sources: Gartner; Praetorian Security (@praetorianlabs)
SMART IS THE NEW DUMB
Ironic, really
Smart is the New Dumb
Smart, but Vulnerable
Security is not a priority of IoT (yet)
Focus is on: Cost, Time to market, Features & Functionality
Focus is NOT on: Security, Maintainability, Longevity
WHEN WORLDS COLLIDE
Is your Internet in my Thing or my Thing in your Internet?
When Worlds Collide
Lifecycles are mismatched
Technology lifecycles are short (18-48 months)
Consumer lifecycles are longer (12-15 years)
Industrial Equipment is supposed to outlive you
When Worlds Collide
IT is not IoT
Scale
Network Connectivity
Inventory
Logging & Monitoring
Incident Response
When Worlds Collide
Compliance: What IoT data needs a Privacy Policy? What about Data Retention policies? What about standards in general?
Insurance: Do you have the right coverage? Are you sure?
Lawsuits: Software Liability is coming through IoT
FAILURE MODES
How can I fail thee? Let me count the ways…
Failure Modes
1. Get Broken: Damage or destroy the device or attached devices
2. Get Leveraged: Use the device as a vector for Other Badness
3. Get Exploited: Use the device to spy on or steal from the target
A PARADE OF HORRORS
It’s spelled “IoT” but it’s pronounced “Fail”
A Parade of Horrors
Welcome to the Future
A Parade of Horrors
Numerous, Recurring Poor Security Decisions
Weak/No Crypto
Weak/No transport security
Insecure/Default Authentication
Root-only devices
Security-by-Obscurity
Insecure/unsigned images
Fail-Open designs
Credential Leaks
Key & Credential Replay
Insecure User Interfaces (XSS, CSRF)
Cloud Insecurity
Privacy Violations
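Two items on this list, unsigned images and fail-open designs, usually appear together in firmware update paths. The following is an added example (not from this talk or from Nexum) of what a fail-closed image check looks like next to the fail-open anti-pattern. The Image container, key names and "constructed firmware" payloads are assumptions for illustration; the signing uses Go's standard crypto/ed25519 over a SHA-256 digest of the payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a hypothetical firmware container (an assumption, not a real vendor
// format): the raw payload plus a detached Ed25519 signature over SHA-256(payload).
type Image struct {
	Payload   []byte
	Signature []byte
}

// ErrReject is returned for every verification failure. The caller gets one
// answer, "do not flash", and nothing that would let it continue on a lesser path.
var ErrReject = errors.New("firmware image rejected: missing or invalid signature")

// SignImage runs on the vendor's build system, which alone holds the private key.
func SignImage(priv ed25519.PrivateKey, payload []byte) Image {
	digest := sha256.Sum256(payload)
	return Image{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyImage is the fail-closed check a device should run before flashing:
// a malformed key, a missing or malformed signature, or a digest mismatch all
// reject the image. Only a signature that verifies returns nil.
func VerifyImage(pub ed25519.PublicKey, img Image) error {
	if len(pub) != ed25519.PublicKeySize || len(img.Signature) != ed25519.SignatureSize {
		return ErrReject
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(pub, digest[:], img.Signature) {
		return ErrReject
	}
	return nil
}

// FailOpenVerify is the anti-pattern named on the slide, kept here only for
// contrast: an image with no signature at all is waved through "for
// compatibility with older builds", so the signing scheme protects nothing.
func FailOpenVerify(pub ed25519.PublicKey, img Image) error {
	if len(img.Signature) == 0 {
		return nil
	}
	return VerifyImage(pub, img)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	if err != nil {
		panic(err)
	}
	good := SignImage(priv, []byte("constructed firmware v1.2"))
	tampered := Image{Payload: []byte("constructed firmware v1.2 (modified)"), Signature: good.Signature}
	unsigned := Image{Payload: good.Payload}

	fmt.Println("signed image, fail-closed:  ", VerifyImage(pub, good))        // <nil>
	fmt.Println("tampered image, fail-closed:", VerifyImage(pub, tampered))    // rejected
	fmt.Println("unsigned image, fail-closed:", VerifyImage(pub, unsigned))    // rejected
	fmt.Println("unsigned image, fail-open:  ", FailOpenVerify(pub, unsigned)) // <nil>: the bug
}
```

The point of the contrast is that the fail-open variant is not "slightly weaker": an updater that accepts any unsigned image makes the signature optional, so every other control in the list (crypto strength, transport security) is bypassed by simply omitting it.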
A Parade of Horrors
Consumer Goods
Refrigerators
Light Bulbs
Televisions & Electronics
Smart Watches
Home Automation
A Parade of Horrors
Medical Devices
Surgical and anesthesia devices
Ventilators
Drug infusion pumps
Pacemakers
External defibrillators
Patient monitors
Laboratory and analysis equipment
Pretty much every type of failure you can imagine
A Parade of Horrors
Cars
Miller & Valasek Jeep Hacking
Samy’s OwnStar > ON*Star
Samy’s RollCode just re-hacked car keyless entry
Black Boxes & Telematics
Volkswagen hacked themselves
A Parade of Horrors
Airplanes
Drones: Definitely (Iranian Gov't, Samy's SkyJack)
In-Flight Entertainment (IFE): Definitely (Ruben Santamarta)
Telemetry, Internet uplinks & SATCOM: Probably (Ruben Santamarta)
A Parade of Horrors
Infrastructure
NFC & Prox Cards
Traffic Lights
Industrial Control Systems
Utility Meters
SO WHAT NOW?
Can I have a hint?
Fortunately, not this.
So what now?
Don’t Panic
Think in terms of Failure Modes
Realize these are not new problems
Expect Novel attacks
So what now?
Ashley Madison + Smart TVs =
So what now?
Know your Key Controls
Preventative: Onboarding & Inventory
Detective: Monitoring
Reactive: Incident Response
Ensure proper Risk Ownership
Have a robust Exceptions Process
So what now?
Assess whether the Smart is worth the Risk
Align Trust & Risk Boundaries
Architect for Insecure Things
Assume devices are insecure by default; if not today, they will be some day
Avoid proprietary standards & protocols (where possible)
Don't forget how to operate without IoT
So what now?
Leverage Existing Security Tools & Processes
Defense-in-Depth
Threat Modeling
Incident Response
Implement Compensating Controls
So what can I do?
Support/Leverage Emerging IoT Security Groups and Standards, e.g. Online Trust Alliance
Hold the line on security standards for IoT: they are not special!
Include the cost of IoT security in their TCO
Thank You for your time!
Fun Fact: John Bender invented Power-Over-Ethernet (PoE) light bulbs
Well, that was fun.
I try to behave,
but sometimes these things happen...