How to protect yourself against the IoT invasion? How to implement controls on your home network? Presentation done @ SANSFIRE Washington June 2016

1. $HOME Sweet $HOME
SANSFIRE 2016 - Xavier Mertens

2. $ cat ~/whoami.xml
<profile>
<real_name>Xavier Mertens</real_name>
<day_job>Freelance Security Guy</day_job>
<night_job>Hacker, Blogger</night_job>
<![CDATA[
www.truesec.be
blog.rootshell.be
isc.sans.edu
www.brucon.org
]]>
</profile>

3. $ cat ~/.profile
• I like (your) data
• Playing “Active Defense”
• I prefer t-shirts than ties
• Geek and gadgets over!

4. $ cat ~/disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”

5. $HOME Sweet $HOME

6. $HOME Sweet $HOME

7. Agenda
• A Revolution Entered Our Homes
• Internet of Nightmares
• Mitigations
• Conclusions

11. Fidonet:
2:291/715.9
Aminet:
39:120/201.9

12. BBS Fidonet UUCP IP (SLIP) “Broadband” Mobile
What’s next?

13. Today?
• More bandwidth at home that when I started
to work for ISP’s (1996)
• SLA @ home (Kids complaint when offline)

14. Today?

15. Today?

16. $DATA
• Family pictures
• Administrative docs (taxes, insurances,
invoices)
• Medias (MP3, movies, books)
• $YOU

17. Before:
Internet LAN
Firewall
Ingress Traffic

18. Today:
Internet LAN
Firewall
Egress Traffic

19. IoT Botnet

20. IoT Botnet
Source: https://www.emaze.com/@AIFFFTIO/IoT-Health-ppt

24. Google Too!
More info: https://developers.google.com/brillo/

25. Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions

26. Resistance is Futile!

27. Growing Attack Surface

29. “Smart”?
“having or showing a quick-witted intelligence”

30. TrueSec 30
Smart Devices? Really?

31. Smart-ization…
Adding a communication module to an object
doesn’t make it “smart”…

32. TrueSec 32

33. TrueSec 33

34. What is the difference
between…

39. Sensors Software Connectivity Bigdata
Vulnerability
Exploit
MitM PrivacyAbuse

40. OWASP
• Insecure Web Interface
• Insufficient Authentication/
Authorization
• Insecure Network Services
• Lack of Transport Encryption
• Privacy Concerns
• Insecure Cloud Interface
• Insecure Mobile Interface
• Insufficient Security Configurability
• Insecure Software/Firmware
• Poor Physical Security

41. Developers…

43. We already fail to patch regular computers…
… what about IoT devices?

44. TrueSec 44
SecurityFeatures
Ease of Use

45. TrueSec
Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions
45

47. <warning>
This section focuses on devices connected
to your IP home network
</warning>

48. Rule #0
• Think twice:“Do you really need this
device?”
• Agreed… very difficult for the most of us!

49. • What is the MAC address of the device?
• What are the network requirement?
(DNS, NTP, SNMP, Syslog)
• What are the open ports required? To
which IP address(es)?
• Can the device be upgraded?
• Are firmwares signed?
• Can we backup/restore the config?
Rule #1

50. Rule #2
• Assign a fixed DHCP lease to known
devices
host myflattv {
hardware ethernet aa:bb:cc:dd:ee:ff;
fixed-address 192.168.1.100;
option routers 192.168.1.1;
default-lease-time 3600;
}

51. Rule #3
• Implement an egress filter
• Any:Any to Any:Any, Drop & Log
• Allow only required traffic (see rule #1)

52. Rule #4
• Segmentation

53. Rule #5
• Use a local resolvers (DNS queries) and log

54. Rule #6
• Disable unsafe protocols like SSDP/UPnP
• Risk of DDoS (amplification attack)

55. Rule #7
• Capture the traffic from unknown devices
(http://blog.rootshell.be/2015/03/17/the-
lack-of-network-documentation/)

56. Rule #8
• Be offensive!
• Know your enemy

57. Hardware

58. Hardware

59. TrueSec
Topology
59
Ethernet Switch
Router
Server
Device1 Device2
Firewall

60. Software Shopping

61. Commercial $olution$
PA200, Sophos UTM Home Edition,
<insert your preferred $VENDOR>

62. TrueSec
Virtualize!
62
KVM (“Kernel-basedVirtual Machine”),VirtualBox,
ESX, XenServer, …

63. Security Onion
Security Onion is a Linux distro for intrusion
detection, network security monitoring, and log
management. Core components are: Snort,
Suricata, Bro, OSSEC, Sguil,
Squert, Snorby, ELSA, Xplico, NetworkMiner, and
many other security tools.

64. Security Onion

65. Security Onion

66. Security Onion

67. pfSense
The pfSense project is a free network
firewall distribution, based on the FreeBSD
operating system with a custom kernel and
including third party free software packages for
additional functionality.
pfSense software, with the help of the package
system, is able to provide the same functionality
or more of common commercial firewalls

68. pfSense

69. Keep an Eye on ARP
• arpwatch is a nice tool to track new/
changing MAC addresses
Apr 17 11:36:03 shiva arpwatch: new station 10.90.14.85 34:a3:95:c5:d2:e5 eth0

70. Keep an Eye on ARP

71. Next Level…
Detecting Suspicious Devices On-The-Fly!
(https://isc.sans.edu/forums/diary/Guest+diary+Detecting
+Suspicious+Devices+OnTheFly/18993)

72. Next Level…
• Inspect HTTP(S) traffic for suspicious data,
vulnerabilities (who said “hacking”?)
• MitM, ettercap, sslstrip, BurpSuite

73. Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions

74. 5 Tips to Keep in Mind
• IoT is there and will(is) invade(ing) our
homes
• Think “IoT” == “Computers” (same issues)
• Smart != Safe
• Tools exists to control them
• Ask yourself:“Do I need it?”

75. Thank you!
@xme
xavier@rootshell.be
xmertens@isc.sans.edu