A Shared and Collaborative Responsibility

Presentation transcript:

A Shared and Collaborative Responsibility
19 June 2018
OTA & IoT: A Shared and Collaborative Responsibility
Kevin Meynell, Manager, Technical & Operational Engagement, meynell@isoc.org

The number of IoT devices connected to the Internet will be more than 2.5x the global population by 2020 (Gartner)

As more and more devices are connected, privacy and security risks increase. And most consumers don’t even know it.

What type of risks? Unlocking doors, turning on cameras, shutting down critical systems and theft of personal property. Large IoT-based attacks have crippled global access to high-profile Internet services for several hours. People’s safety might even be at risk.

Real Threats & Incidents
Threats Blocked Per Home, Per Day (Source: Symantec):
- Malware Blocked: ~8.3/day
- Phishing Blocked: ~1.2/day
- Botnets Blocked: ~5.4/day
- Scams Blocked: ~0.4/day
- Spam Blocked: ~1/day
- PUP Blocked

Real Threats & Incidents
The Internet Society 2/16/2019
- TRENDnet Webcam (2010): cameras transmitted login credentials in the clear, and stored them on mobile apps unencrypted. Anyone who obtained the IP address could log in and view the stream.
- Mirai botnet (2016): huge DDoS attack launched against Dyn using IoT devices. Primarily targeted Linux-based peripherals and IoT devices, using default logins to infect with malware. Affected major services across the Internet, including Netflix, Amazon, PayPal, Twitter, etc.
- Jeep SUV (2016): researchers were able to use a cellular network and firmware vulnerability to hijack the CAN bus. Could make it speed up, slow down, and move the power steering servos.
- Cardiac devices (2017), https://tnc18.geant.org/core/presentation/184: vulnerability in the transmitter that reads device data and remotely shares it. Could administer incorrect pacing and shocks.

Only 2 weeks ago – VPNFilter!
- Targets certain routers & NAS devices with known exploits and/or those using default credentials
- Spying on traffic, overwriting firmware to render it non-functional, and looking for SCADA industrial control systems
- Persistent: devices need to be factory reset to remove the malware, which is itself disruptive

Industry is not adequately addressing fundamental security, privacy and life-safety issues. Many manufacturers are new to the networking and Internet arena, and lack experience. There are STRONG competitive pressures for speed to market and cost reduction. Security and privacy cost money, require specialized skills, and slow down the development process. The proliferation of devices, and corresponding interactions with other devices, increase the “surface” available for cyberattack. Poorly secured devices affect the security of the Internet and other devices globally, not just locally.

IoT Challenges (in my house)
- Cable modem, router, switch
- 2 x WiFi access points
- 2 Apple Macs, 2 PCs
- iPhones (4), iPads (6), Android tablet, Android phone
- 1 x Synology RAID server (multimedia, backup and security)
- 1 x network printer
- Smart televisions (3), multimedia systems (2), gaming controller (1)
- Home security devices – security cameras (2), burglar alarm, smoke and fire sensors
- Home automation – lighting controls (2), would like to add temperature control
- At least 30 devices in use, plus a few redundant ones

What is going on?
I’m a reasonably astute technical user;
- I bought devices that support SSL/TLS management, IPv6, configurable security, and encrypted data transmission + storage; and,
- I have (some) idea how to do network monitoring.
BUT
- I’m time poor, not at home much, and can’t monitor everything;
- I’ve little/no idea who these devices are communicating with, and who is communicating with them;
- I’ve little/no idea what data is being collected, and where it’s going;
- Many devices have stopped being supported (usually 1-2 years);
- Some of the ‘secure’ aspects have been deprecated (e.g. TLSv1).

The challenges we face

A connected world offers the promise of convenience, efficiency and insight, but creates a platform for shared risk. Many of today’s IoT devices are rushed to market with little consideration for basic security and privacy protections.

New devices, new vulnerabilities
The attributes of many IoT devices present new and unique security challenges compared to traditional computing systems.
- Device cost/size/functionality
- Volume of identical devices (homogeneity)
- Long service life (often extending far beyond supported lifetime)
- No or limited upgradability or patching
- Physical security vulnerabilities
- Access
- Limited user interfaces (UI)
- Limited visibility into, or control over, internal workings
- Embedded devices
- Unintended uses
- BYOIoT

Key Challenge: IoT Ecosystem
Apps and Platforms / Cloud & Web Services / Devices & Sensors
Three Dimensions:
- Combination of devices, apps, platforms & services
- Data flows, touch points & disclosures
- Lack of defined standards
Impacts on Sustainability Issues:
- Lifecycle supportability
- Data retention / ownership

Who is responsible? Developers and users of IoT devices and systems have a collective obligation to ensure they do not expose others and the Internet itself to potential harm. We need a collective approach, addressing security challenges on all fronts.

Two views of IoT Security
Inward Security: focus on potential harms to the health, safety, and privacy of device users and their property stemming from compromised IoT devices and systems.
Outward Security: focus on potential harms that compromised devices and systems can inflict on the Internet and other users.
Example of outward risk: a home appliance may continue to function well as far as the direct user is concerned, and s/he may be unaware that it is part of a botnet participating in a DDoS attack.
Toaster example:
- Someone may use it against you, and remotely decide to burn your hands or even your house (inward security issue)
- Your toaster works OK but is being used for a major DDoS attack (outward)
At ISOC, our focus is on the impact that IoT security and privacy has on the Internet and other users.

The myth of low cost devices
- Often claimed that it’s not economical for vendors to maintain low-cost devices
- My PCs and router were cheaper than my smart televisions and cameras
- Windows (7 and above) has regular updates
- My router has periodic firmware and operating system updates
- Smart televisions got a couple of updates and nothing after 1 year
- Cameras had regular updates for 2 years – then nothing since
- So presumably it’s possible to provide ongoing support with sufficient critical mass. How do we encourage/mandate that?

Something must be done!

We want manufacturers and suppliers of consumer IoT devices and services to adopt security and privacy guidelines to protect the Internet and consumers from cyber threats.

Online Trust Alliance – https://otalliance.org/iot/
- Founded as an industry trade organisation in 2007
- 65 members (e.g. DigiCert, Symantec, Verisign, Microsoft, Twitter, Coles)
- Internet Society and OTA merged in April 2017, with OTA members becoming ISOC members
Objectives and Activities:
- Promote best practices in protection of user security, privacy and identity, including data stewardship
- Develop meaningful self-regulation
- Consensus-driven process with input from industry and policy-makers
- Multi-stakeholder working group – 100 plus participants
- Face-to-face meetings / public call for comments / ongoing refinement / working group focus

Unique from other IoT-related frameworks. Many others focus just on security or interoperability or privacy, and few take into account the lifecycle issues associated with these offerings, such as how to hand over a smart home or what to do when software upgrades are no longer available for a long-lived device such as a garage door opener. This includes devices/sensors, mobile apps and backend services. Most frameworks focus on just the devices, but a system is only as strong as its weakest link.

What are we doing?
There are ~40 different IoT industry bodies! BUT…
- OTA decided to take a broad multi-stakeholder approach to assess IoT risks, and address security, privacy and life-cycle sustainability in IoT products and services
- OTA’s IoT Trustworthy Working Group (ITWG) was established in January 2015, chartered with development of an IoT Trust Framework
- Consultation with more than 100 device manufacturers, major retailers, security and privacy experts, consumer testing and advocacy organisations, and governments
- Published IoT Security & Privacy Trust Framework in March 2016, updated several times, latest version (v2.5) released June 2017

OTA IoT Security & Privacy Trust Framework – https://otalliance.org/iot/
40 principles in 4 key areas to secure IoT devices and their data:
- Security – ensure devices use cryptographic protocols by default, only open physical and virtual ports and services that are required, regular monitoring of security settings, verifiable patches
- User Access & Credentials – strong authentication, storing of credentials, and anti-brute forcing measures
- Privacy, Disclosure & Transparency – what data is being transferred, only collecting data with affirmative user support, disclose end-of-life security and patch support
- Notifications – sending authenticated messages to users
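As an added illustration of the "User Access & Credentials" area (example code written for this page, not OTA's framework text or any vendor's firmware), here is a minimal login handler for a device's management interface that stores only salted PBKDF2 hashes, compares them in constant time, and applies exponential lockout against brute forcing. The class name, constants and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Added example (not OTA's or any vendor's code): credential handling for an
# IoT device's management login. Names and constants below are assumptions.
PBKDF2_ITERATIONS = 100_000
MAX_FREE_ATTEMPTS = 3        # failures allowed before lockout starts
MAX_LOCKOUT_SECONDS = 3600   # cap on the exponential backoff


class CredentialStore:
    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, derived key)
        self._failures = {}  # username -> (failure count, locked_until)
        self._clock = clock  # injectable so lockout timing can be tested

    def set_password(self, username, password):
        # Store only a salted PBKDF2 hash, never the password itself
        # (contrast the TRENDnet case above, where credentials sat unencrypted).
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, key)
        self._failures.pop(username, None)

    def lockout_remaining(self, username):
        # Seconds until this account accepts attempts again (0.0 if not locked).
        _, locked_until = self._failures.get(username, (0, 0.0))
        return max(0.0, locked_until - self._clock())

    def authenticate(self, username, password):
        if self.lockout_remaining(username) > 0:
            return False  # locked out: reject without evaluating the password
        record = self._users.get(username)
        if record is None:
            # Unknown account: run the KDF anyway so response time does not reveal valid usernames.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            ok = False
        else:
            salt, stored = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
            ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
        if ok:
            self._failures.pop(username, None)
            return True
        self._record_failure(username)
        return False

    def _record_failure(self, username):
        count, _ = self._failures.get(username, (0, 0.0))
        count += 1
        # After the free attempts, lock for 2, 4, 8, ... seconds, capped at MAX_LOCKOUT_SECONDS.
        delay = min(2.0 ** (count - MAX_FREE_ATTEMPTS), MAX_LOCKOUT_SECONDS) if count > MAX_FREE_ATTEMPTS else 0.0
        self._failures[username] = (count, self._clock() + delay)
```

A real device would persist the salted hashes and failure counters across reboots and would log lockouts so that a monitoring system can see a credential-guessing attempt in progress.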

Okay, but so what?
- Other IoT frameworks exist (e.g. OWASP, IoTSF), but tend to focus on specific areas like interoperability and security
- OTA is arguably the only holistic IoT framework (security, privacy and lifecycle), although it has overlaps with many of the others
- More than 100 stakeholders from industry, government and consumer advocates contributed to the Framework
- Several leading manufacturers agreed to support it, and several retailers are planning to use the OTA framework as a filter for carrying products
- Working with consumer testing and review organisations – initially producing rankings, then certification programmes (e.g. Consumers International)
- Framework is conformant with NTIA IoT Multistakeholder recommendations

IoT Trust by Design
- Work with manufacturers and suppliers to adopt and implement the OTA IoT Trust Framework
- Mobilize consumers to drive demand for security and privacy capabilities as a market differentiator
- Encourage policy and regulations to push for better security and privacy features in IoT
Consumers: we want to raise awareness of the privacy and security risks and encourage consumers to voice their concerns
Policymakers and Regulators: we want policymakers to create a policy environment that favors strong security and privacy features in IoT products and services

- Connect us with manufacturers and suppliers providing IoT products and services to adopt the OTA IoT Trust Framework
- Help us spread the word about the privacy and security risks of consumer IoT products and services
- Encourage policymakers to support better security and privacy features in IoT offerings
- Promote OTA recommendations to policymakers, as captured in the IoT Security for Policymakers paper
- Suggest key events and partners to broaden awareness of IoT security and privacy
- Recommend civil society and other partners to help us extend our reach