A Survey of IoT Security & Mitigation Tactics


A Survey of IoT Security & Mitigation Tactics
Jonathan Wiley & Matthew Burke
Secure Software Design, CYSE 411, Dr. Kun Sun

Main Topics Of Discussion
What is IoT?
Vulnerabilities
Threats (Malware/Attacked in the Wild)
Mitigation
Test IoT off the Shelf

What is IoT?
Internet of Things or IoT deals with the advent of new devices with embedded chips that have computational power along with network capabilities.
WiFi - [insert object]
Network Adapter + Object
What is the IoT? In the minds of the business and IT executives surveyed, the IoT is associated with “ever-greater levels of connectivity; more intelligence built into devices, objects, and systems; and a strong data and applied learning orientation.” These views “sync-up well with the macro trends of more powerful and pervasive computing and storage, the further blurring of the physical and the virtual and the harnessing of big data for real-world functional activities.”
“whatever, put a chip in it.”

Popular IoT Devices
Thermostats; Refrigerators; Watch; Doorlock; Doorbell; Home Alarm Systems; Baby Monitors

Impact of IoT Devices

Economic Expansion According to CompTIA (Information Technology Industry and Association figures

Benefit and Expectation of IoT Devices

Reason for IoT Expansion
Cost savings from operational efficiencies
New/better streams of data to improve decision-making
Staff productivity gains
Better visibility/monitoring of assets throughout the organization
New/better customer experiences

Organizational View of IoT Security

Vulnerabilities!
To show a wide variety of vulnerabilities in the IoT sector, we are going to showcase them from the OWASP IoT Top 10 Vulns 2014. It is a good testing checklist for anyone looking to get into penetration testing.

Vulnerabilities: Insecure Web Interface (1)
Vulnerable web interface/portal for the device. Basic web attacks usually come into play here. If you understand web vulnerabilities you can usually successfully exploit the device.
Exploitability: Weak Credentials; Capture Plain-text Credentials; Account Enumeration; SQLi or XSS

Vulnerabilities: Insufficient Authentication/Authorization (2)
Failures come from allowing simple passwords or having no password complexity policy, credentials being sent in the clear, or missing role-based security.
Exploitability: Weak passwords; Lack of 2FA; Insecure password recovery; Poorly protected credentials

Vulnerabilities: Insecure Network Services (3)
Failures arise from misconfiguration, not reviewing open ports, and ports exposed by UPnP.
Exploitability: Buffer Overflow; Exploitable UDP Services; DoS; Vulnerable Services

Vulnerabilities: Lack of Transport Encryption (4)
Failures come from not encrypting network traffic, either over the internet or within the internal network. Make sure encryption is properly configured, and do not roll your own encryption.
Exploitability: Unencrypted Services via LAN; Misconfigured SSL/TLS

Vulnerabilities: Privacy Concerns (5)
Failures come from not properly encrypting private data at rest or in transit, and from not properly identifying and protecting private data on the device. Collect only the data that is necessary for the device to perform its function.
Exploitability: Collection of Unnecessary PII; Unencrypted PII

Vulnerabilities: Insecure Cloud Interface (6)
The cloud service that the device subscribes to has inherent flaws in execution, such as not encrypting network traffic, weak passwords, or allowing account enumeration.
Exploitability: No Account Lockout; Credentials Exposed in Network Traffic

Vulnerabilities: Insecure Mobile Interface (7)
More centered on local mobile devices, but it falls along the same lines as most interface security holes.
Exploitability: Account Enumeration; No Account Lockout; Credentials Sent in the Clear

Vulnerabilities: Insufficient Security Configurability (8)
Mirrors what it means in the normal IT security realm from an asset management standpoint: the inability to set up security configurations to manage the device. No role-based security, password complexity settings, or logging.
Exploitability: Lack of Granular Permission Model; No Security Monitoring; No Security Logging; Lack of Password Security Options

Vulnerabilities: Insecure Software/Firmware (9)
One of the big security concerns in the IoT realm is the inability to provide software patches to vulnerable devices. If a device is not patchable it will be cracked. Having access to the firmware can lead to flash-and-redeploy or reverse engineering.
Exploitability: No Update Functionality; Firmware Contains Sensitive Information

Vulnerabilities: Poor Physical Security (10)
Failures arise from the device being easy to disassemble, which gives access to unencrypted storage on the device or to ports on the device that can easily flash the firmware.
Exploitability: Open USB Ports w/ Access to Software; Removal of Storage Media

Threats
Threats in the IoT space are not that unique aside from a couple of aspects. A lot of these vulnerabilities stem from issues that have already been combated in some way in the IT security sector. The threats in this space involve objects that in the past did not have networking capabilities.
What are the threats? “Smart” [insert object]; Cameras; Malware (next)

Threats (Malware)
Two different malware threats to go over today: Mirai & BrickerBot.
Mirai Exploit Flow: Scan/Enumerate -> Default Creds -> Drop Payload -> Added to Botnet
BrickerBot Exploit Flow: Scan/Enumerate -> Default Creds -> Drop Payload -> Call Customer Support
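Both flows share the same first two stages, which is where a defender can see them in management-login logs: one source trying factory accounts across many devices in a short time. The detector below is an added example, not part of the presentation; the log format, account names, window and threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ts> telnetd[<device>]: login user=<u> src=<ip> result=<ok|fail>"
LINE = re.compile(r"(?P<ts>\S+) telnetd\[(?P<dev>[\w-]+)\]: login user=(?P<user>\S+) "
                  r"src=(?P<src>\S+) result=(?P<res>ok|fail)")
DEFAULT_USERS = {"root", "admin"}   # assumed factory account names
WINDOW = timedelta(seconds=60)      # assumed sweep window
MIN_DEVICES = 3                     # assumed threshold: distinct devices per source

# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2017-04-20T10:00:01Z telnetd[cam-01]: login user=root src=203.0.113.7 result=fail
2017-04-20T10:00:03Z telnetd[plug-02]: login user=admin src=203.0.113.7 result=fail
2017-04-20T10:00:04Z telnetd[plug-02]: login user=alice src=192.0.2.5 result=ok
2017-04-20T10:00:06Z telnetd[dvr-03]: login user=root src=203.0.113.7 result=ok
2017-04-20T10:05:00Z telnetd[cam-01]: login user=admin src=198.51.100.20 result=fail
2017-04-20T10:05:02Z telnetd[cam-01]: login user=admin src=198.51.100.20 result=fail
"""

def find_default_cred_sweeps(log_text):
    """Return {src: {"devices": [...], "accepted_on": [...]}} for sweeping sources."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["user"] in DEFAULT_USERS:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["dev"], m["res"]))
    events.sort()
    recent = defaultdict(deque)   # src -> (ts, dev) pairs still inside WINDOW
    swept = defaultdict(set)      # src -> devices seen once the threshold is met
    accepted = defaultdict(set)   # src -> devices where a default account logged in
    for ts, src, dev, res in events:
        if res == "ok":
            accepted[src].add(dev)
        win = recent[src]
        win.append((ts, dev))
        while ts - win[0][0] > WINDOW:
            win.popleft()
        devices = {d for _, d in win}
        if len(devices) >= MIN_DEVICES:
            swept[src] |= devices
    return {src: {"devices": sorted(devs), "accepted_on": sorted(accepted[src])}
            for src, devs in swept.items()}

if __name__ == "__main__":
    for src, hit in find_default_cred_sweeps(SAMPLE_LOG).items():
        print(src, hit)
```

A non-empty `accepted_on` list is the urgent case: a device still accepts a factory account and should be isolated and re-provisioned.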

Mitigation
Biggest areas in my opinion you can focus on to make the IoT space more secure:
Do not allow default management credentials.
Encrypt messages over the internet/LAN.
Asset management.
Use established IoT platforms (Android Things/AWS IoT).
Encrypt data.

In Practice
The Quest for the Vulnerable IoT Device
Because it's fun to break things

Target Acquired

What’s it do?
It's a light switch with a WiFi card, specifically an ESP8266 (I think).
Network packets sent by UDP.
Not encrypted :(
I’m not cool enough yet to do firmware extracts/flashing with custom firmware.
Let's start sniffing.

Deconstructed

Bummer.
Connected to EcoPlug network -> started sniffing.
Connected with phone, sent configs.
Jackpot.

Who ya gonna call.
I could probably find a lot more vulnerabilities, but that seems pretty big. I’ll stop there cause I'm tired.
Which ones did it hit on our list of vulns?
Insecure Cloud/Web Interface; Lack of Transport Encryption; Insecure Software/Firmware; Poor Physical Security (pushing it)
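The "Lack of Transport Encryption" finding can be turned into a repeatable acceptance test: provision the device on a lab network with canary credentials, capture its UDP payloads, and check whether the canaries are recoverable without a key. This is an added example, not code from the presentation; the payload formats and canary values are constructed, since the slides do not give the device's message format.

```python
import base64
import hashlib

def readable_forms(secret: bytes) -> dict:
    """Encodings that hide a secret from the eye but need no key to reverse."""
    return {"raw": secret,
            "hex": secret.hex().encode(),
            "base64": base64.b64encode(secret).rstrip(b"=")}

def printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 for b in data) / len(data) if data else 0.0

def audit_datagram(payload: bytes, canaries: dict) -> dict:
    """Classify one captured UDP payload from your own test network."""
    leaks = []
    for name, secret in canaries.items():
        for form, needle in readable_forms(secret).items():
            # Hex digits may be upper-case on the wire, so compare case-insensitively.
            haystack = payload.lower() if form == "hex" else payload
            if needle in haystack:
                leaks.append(f"{name}:{form}")
    ratio = printable_ratio(payload)
    if leaks:
        verdict = "cleartext-secret"
    elif ratio >= 0.9:
        verdict = "likely-plaintext"      # heuristic only: readable, no canary found
    else:
        verdict = "no-plaintext-indicators"
    return {"verdict": verdict, "leaks": sorted(leaks), "printable": round(ratio, 2)}

# Canary values provisioned on a lab network purely for this test (constructed).
CANARIES = {"wifi_ssid": b"lab-canary-ssid", "wifi_pass": b"lab-canary-pass-4821"}

# Constructed payloads; the real device's message format is not given in the slides.
SAMPLES = {
    "config": b'{"cmd":"set_wifi","ssid":"lab-canary-ssid","pass":"lab-canary-pass-4821"}',
    "hexed": b"PASS=" + CANARIES["wifi_pass"].hex().upper().encode(),
    "status": b"state=on;uptime=3600",
    # Stand-in for ciphertext: hash output, used so the sample is deterministic.
    "opaque": hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest(),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, audit_datagram(payload, CANARIES))
```

A "no-plaintext-indicators" verdict only means the payload is not readable text; it does not prove that sound encryption is in use.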

Why do we care? Because devs don't and they cause holes in our networks. It was just a WiFi light switch this time, but these devices are moving into every aspect of our lives. Next time it could be your temperature control, refrigerator, energy meter, etc. Understanding how networks work and the vulnerabilities helps us assist in the design process by adding security early. Hope this helped a bit.

References
http://worth1000.s3.amazonaws.com/submissions/757500/757822_dbc0_1024x2000.jpg
https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
https://www.forbes.com/sites/gilpress/2016/09/02/internet-of-things-by-the-numbers-what-new-surveys-found/#2f3034b016a0
http://ieeexplore.ieee.org/document/7004894/?part=1
https://www.spiceworks.com/marketing/reports/iot-trends/
https://www.postscapes.com/internet-of-things-market-size/
https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016/#266141ea292d
https://www.fool.com/investing/general/2016/01/18/internet-of-things-in-2016-6-stats-everyone-should.aspx
https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/