Iot Security, Internet of Things
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Más Contenido Relacionado
Presentaciones para usted (20)
Similares a Security Testing for IoT Systems (20)
Más de Security Innovation (20)
Más reciente (20)
Security Testing for IoT Systems
- 1. Risk-Based Testing for IoT Systems Ed Adams 11 June 2019
- 2. About Me • CEO by day; engineer by trade (and heart) • Mechanical Engineer, Software Engineer • Research Fellow, Ponemon Institute • Privacy by Design Ambassador, Canada • In younger days, built non-lethal weapons systems for US Federal Government
- 3. Agenda Security Risks of IoT Devices • Risk-based Testing Essentials • IoT Device Considerations • Securing Our Digital Future
- 4. So many connected “things”…
- 5. Good Ol’ Days: Devices Were Just Devices • Ran on a little code; made to serve a specific purpose • Cash payments • Real-time changes; no “wait for compile” and see • Had to be physically at the device to access/change • Sharing data meant print, verbal, film, CD, etc.
- 6. Today’s Devices are Still Devices but... • Run on LOTS of code; made to serve single/multiple purposes • Make changes from anywhere via cellular or Wi-Fi connection • Sharing data is instantaneous and digital
- 7. The Mirai Botnet (aka Dyn Attack) A not so oldie but goodie • Domain Name System (DNS) service disrupted • Affected nearly 1/3 of all Internet users in US and Europe • No access to (short list): • Amazon.com • Comcast • DirecTV • GitHub • Netflix • Twitter • PayPal • Starbucks • Verizon • Visa • Walgreens • Xbox Live • PlayStation Network • iHeart Radio • BBC • NY Times • GrubHub • Slack Millions of IoT Devices (printers, IP cameras, baby monitors) infected with Mirai malware and used to flood Dyn with traffic (DDoS)
- 8. More Recent IoT Trouble Consumer & Medical Devices • 465,000 vulnerable pacemakers from St. Jude • Implantable cardiac devices have vulnerabilities • Unauthorized remote access • Deplete battery, change pacing, or deliver shocks • Owlet WiFi Baby Heart Monitor • Alerts parents when babies have heart troubles • Connectivity element makes them exploitable • TRENDnet SecurView Webcam • Faulty software anyone who obtained a camera’s IP address could look through it and listen as well • Transmitted user login credentials in clear, readable text • Mobile app stored login information in clear, readable text Best intentions exploited via careless manufacture configuration
- 9. Governments & Customers Getting Involved • FTC vs D-Link: The legal risks of IoT insecurity • Lawsuit against D-Link • Claims company put thousands of customers at risk • Unauthorized access to its IP cameras and routers • Customers vs John Deere: The business risks of IoT • US farmers dispute rights to repair their tractors • Contain embedded software (it’s an IoT device) • Company issued a new license agreement • Prohibits software modification on its tractors • Ensure all repairs are done by John Deere contractors
- 10. Skimmers • Evolved from mag stripe readers Bluetooth and cellular transmitters • devices keep getting smaller • embedded inside pumps and PoS devices • Future skimmers • Embedded devices that don't steal credit card data but rather attack your networks directly.
- 11. Agenda • Security Risks of IoT Devices Risk-based Testing Essentials • Weak Links, Soft Spots, Blind Spots • Securing Our Digital Future
- 12. Convenience-Risk Trade Offs • Building in security takes time initially; equates to money • Time to market pressures often trump this investment • Security can equate to safety in consumer IoT devices • Ease of setup and operation • Consumers want devices to “just work” • Quick setup and minimal configuration required • Often means little to no authentication or default (same for all devices) • When vulnerabilities discovered, patching is the answer • But IoT patching can be difficult, impossible, and illegal Consumers demand easy and convenient features, until they backfire
- 13. Today’s IoT Deployment in Practice • How is testing IoT different from our other platforms, e.g., web, mobile cloud? The answer is it’s not very different. • Most IoT devices are connected to many of the following: • Mobile App • APIs • Cloud Infrastructure • Web App • KEYPOINT: IoT is not a magical technology, but a mash up of many different technologies – and at its core, it’s just almost all software Sources: “International Journal of Web Portals” Ahmedi, Sejdiu, et al; Geoff Vaughan Security Innovation, Inc.
- 14. Top 4 IoT Security Weak Points • Insufficient Security Awareness • Humans #1 weak point: building, deploying, using • Weak Physical Security • Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access • Infrequent Updates • Firmware, device apps, admin apps/interfaces • Expensive and/or remote IoT devices long lifespan (difficult to update) • Weak Data Protection • Data at rest/transit uses weak encryption techniques • Lack of dedicated security chips and modules to store sensitive data.
- 15. 3 Must-have IoT Security Considerations • “Shift left” • Think security earlier and more often in system design • Account for resources that will be able to provide security updates • Could be vendor, e.g., maintenance agreement, and/or internal staff, e.g., patching • KEYPOINT: Every component needs to be tested as part of the ecosystem • Not just individual IoT device testing Sources: “Dr. Dobbs” Larry Smith; Geoff Vaughan Security Innovation, Inc.
- 16. Start with “Simple” Questions • How is the IoT deployed in our organization today, and who owns it or its respective components? • IoT inventory and business activity/role • Don’t expect the word “IoT” to show up in project docs • Do we know what data is collected, stored and analyzed? Have we assessed the legal, security and privacy implications? • Governance policies cover data captured at thousands of sensors? • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Driven by Key Threats & Attack Surface
- 17. Start by Assessing IoT Risk/Liability IoT Connection Chain Ownership Threats Device hardware/firmware Vendor X Known vulnerabilities with Vendor products Patching process for Vendor X products Mobile application Vendor Y Secure SDLC activities for Vendor Y Web application Us Our own Secure SDLC activities/process Information/Data management Us Storage and transport of data Where is it encrypted? Channels of transmission Telco X Security guarantees/SLA with Telco X User authentication/roles Us Enumerate each role and authorized activity Authentication for each role
- 18. US FTC IoT Security Best Practices* • Build security into devices at the outset, rather than as an afterthought • Train employees about the importance of security • Ensure security is managed at an appropriate level in the organization • Ensure outside service providers are capable of maintaining reasonable security, and provide oversight of providers • Consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk • Keep unauthorized users from accessing device data, or personal info • Monitor connected devices; provide security patches for known risks * https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
- 19. Agenda • Security Risks of IoT Devices • Risk-based Testing Essentials IoT Device Considerations • Securing Our Digital Future
- 20. Testing IoT Devices • ~8-10 very technology specific areas to consider • Component Identification and Classification • Static Firmware Analysis • Dynamic Debugging • Peripheral Hacking • Protocols and Data Sniffing • WIFI • BLE • SDR • Cellular • USB • Hardware Hacks • JTAG • UART • SPI • Obtain from vendor website • Web search: support and community forums • Reverse the mobile application • Sniffing the OTA update mechanism • Dumping it from the device Tools such as Binwalk, IDA Pro, Radare2 can be usefulSimilar to other network-based testing • What services are running? • What communication protocols are being used? • What ports are open? • What version is running? Known vulnerability? Sources: Attify, Security Innovation
- 21. Agenda • How Connected Are We? • Nothing Ever Goes Wrong… Right? • IoT Device Considerations Securing Our Digital Future
- 22. Top 5 IoT Security Tips TIPS Secure the Device OS and Firmware Ensure Sufficient Data Protection Secure the Physical Device Secure the Communication Channel Enforce Authentication and Authorization
- 23. Secure the Device OS and Firmware Security Controls Ensure updates are over a secure channel, signed and verified Ensure bootloader firmware is secure and has not been tampered with Ensure installed bootloader is verified at every stage of boot sequence Ensure device makes use of full disk encryption Disable unnecessary services running on the device Protect against fuzzing and buffer overflow attacks Ensure that binaries are compiled and signed for security
- 24. Ensure Sufficient Data Protection Security Controls Encrypt data at rest using strong and known encryption techniques Ensure device uses dedicated security chips and modules to store sensitive data Avoid usage of hard-coded credentials or cryptographic key Do not collect data not essential for device functionality Avoid usage of weak, broken, or risky cryptographic algorithms Log all secure data access and alter events Ensure authentication and authorization to all PII
- 25. Secure the Physical Device Security Controls Ensure data storage is not directly accessible Test debug interfaces (JTAG, UART, etc.) and USB ports for unintended device or data access Ensure tamper protection/resistance techniques are in use Limit the admin functionalities present on the device
- 26. Secure the Communication Channel Security Controls Secure the Wi-Fi interface via secure configurations (encryption, password, etc.) and drivers Ensure protection against Denial-of-Service (DoS) and fuzzing attacks Secure the exposed services and keys during device enrollment Audit the file, printer and device sharing mechanism in place regularly Secure the Bluetooth interface via secure configurations (discovery modes, PIN, etc.) and drivers Verify that secure Bluetooth modes are in use Ensure sensitive data is not sent over unencrypted bus lines
- 27. Enforce Authentication and Authorization Security Controls Ensure role-based access control is currently in place Mandate the use of multi-factor authentication for privileged accounts Ensure that a strong password management policy is in place
- 28. Summary of Tips for Securing IoT Systems • Know your technology vendor’s track record • Update your evaluation process, if necessary • Invest in security training for all in-house systems staff • From “Don’t Click on Sh*t” toTechnical/Configuration for IT/Ops teams • Perform proactive penetration testing • Obtain right to do so from 3rd-parties • Adopt a "defense-in-depth" strategy • e.g.,WAF between IoT devices and cloud admin app? • Eliminate all hardcoded default passwords and backdoors IoT Security Toolkit: https://tinyurl.com/y4zxw577
- 29. Engage with Security Professionals •Have a chat with us •Bug Bounty Programs •Non-hostile relationship with “researchers” •Vulnerability Disclosure Program •Direct Relationship • Use as independent 3rd-party • Share info about good/bad ones
- 30. Questions? @AppSec eadams@securityinnovation.com Want a whitepaper? ….and/or Tip Sheet?
