IoT Device Security. CHAPTER 5. Presented by :.
Acknowledgements. OWASP: Open Web Application Security Project; ISACA: Information Systems Audit and Control Association; EC-Council.
What Are IoT Devices?
An IoT device is an electronic device that is connected to the Internet. The basic properties that qualify a device as an "IoT" device are:
- It is a physical device or object
- It contains controller(s), sensor(s), and/or actuator(s)
- It connects to the Internet
Examples: Amazon Alexa, Samsung Smart TV, Google Home, Nest security camera.
"Perfect Storm" for IoT Devices.
- Higher availability of Internet access
- Connection cost: decreasing
- More devices with Wi-Fi capabilities and sensors
- Technology cost: decreasing
Trend in IoT Devices.
- The number of IoT devices has surpassed the number of humans on the planet
- Industries: personal/consumer, healthcare, automotive, manufacturing, etc.
Home IoT Devices (figure): smart home components such as security cameras, thermostat, lighting, TV/speakers, locks, appliances, and irrigation.
IoT Communication (diagram): IoT devices -> gateway -> Internet.
Application.
Sector | Types of Devices | Locations
Smart Grid / Energy | Generators, turbines, windmills, batteries, fuel cells | Oil rigs, derricks, pipelines, solar panels, wind turbines, electrical grids
Smart Transportation | Vehicles, lights, ships, planes, tolls, parking meters | Air, rail, marine, consumer vehicles, commercial vehicles, navigation
Retail | POS systems, cash registers, vending machines, tags | Cinemas, shopping malls, cafes, restaurants, supermarkets, distribution centers, bars
Healthcare | MRI, implants, CGM (continuous glucose monitors), pacemakers | Hospitals, ER, clinics, doctor's offices, labs
Consumer/Home | Digital cameras, e-readers, dishwashers, refrigerators, game consoles | Wiring, network access, fire safety, HVAC/climate, lighting, entertainment
OWASP – Top 10 IoT Risks and Vulnerabilities (2018 list).
1. Weak, Guessable, or Hardcoded Passwords: use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software.
2. Insecure Network Services: unneeded or insecure network services running on the device itself, especially those exposed to the Internet, that compromise the confidentiality, integrity, or availability (CIA) of information or allow unauthorized remote control.
3. Insecure Ecosystem Interfaces: insecure web, backend API, cloud, or mobile interfaces outside the device that allow compromise of the device or its related components; typical causes are missing authentication/authorization, weak encryption, and missing input/output filtering.
4. Lack of Secure Update Mechanism: no way to securely update the device. Examples: no firmware signature validation on the device, no secure delivery (plaintext transmission), no anti-rollback mechanism, no notification of security changes made by an update.
5. Use of Insecure or Outdated Components: deprecated or insecure software components/libraries that could allow the device to be compromised, including insecure customization of OS platforms and third-party software or hardware from a compromised supply chain.
6. Insufficient Privacy Protection: a user's personal information stored on the device or in the ecosystem is used insecurely, improperly, or without permission.
7. Insecure Data Transfer and Storage: lack of encryption or access control for sensitive data anywhere in the ecosystem, at rest, in transit, or during processing.
8. Lack of Device Management: no security support for devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
9. Insecure Default Settings: devices or systems shipped with insecure defaults, or that prevent operators from modifying configurations to make the system more secure.
10. Lack of Physical Hardening: missing physical hardening measures, allowing an attacker with physical access to extract sensitive information useful for later remote attacks or to take local control of the device.
IoT Attack Surfaces.
- Ecosystem access control: implicit trust between components, enrollment security, lost-access (recovery) procedures
- Device memory: cleartext usernames, cleartext passwords, third-party credentials
- Device physical interfaces: user CLI, admin CLI, privilege escalation
- Device web interface: SQL injection, XSS, weak passwords
- Device firmware: hardcoded credentials, sensitive information disclosure, embedded encryption keys
IoT Attack Surfaces (Cont.).
- Device network services: denial of service, buffer overflow, poorly implemented encryption
- Administrative interface: SQL injection, missing account lockout, missing two-factor authentication
- Local data storage: unencrypted data, data encrypted with keys that can be recovered from the device, lack of data integrity checks
- Cloud web interface: SQL injection, weak passwords, username enumeration
- Third-party backend APIs: unencrypted PII sent, device information leaked, location leaked
IoT Attack Surfaces (Cont.).
- Update mechanism: updates sent without encryption, updates not signed, missing update mechanism
- Mobile application: implicitly trusted by the device or cloud, insecure data storage, insecure password recovery mechanism
- Vendor backend APIs: inherent trust of the cloud or mobile application, weak access controls, weak authentication
- Ecosystem communication: health checks, ecosystem commands, pushing updates
- Network traffic: LAN, LAN to Internet, short range (Bluetooth, Zigbee, etc.)
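The "device firmware" and "device memory" rows above (hardcoded credentials, cleartext passwords, embedded keys) are the first thing a tester checks once a firmware image or memory dump is in hand. The following Go program is an added example written for this page, not code from OWASP or from any vendor: it scans a raw image for PEM private keys, /etc/shadow-style password hashes, credential assignments in config files, Wi-Fi PSKs, and unlabelled high-entropy tokens. The patterns, the 4.0 bits/char entropy threshold, and the sample image are all constructed assumptions; a real audit would use a fuller pattern set.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"regexp"
)

// Finding records one suspicious artifact located in a firmware image.
type Finding struct {
	Kind   string // which pattern matched
	Offset int    // byte offset of the match inside the image
	Text   string // matched text, truncated for display
}

// secretPatterns is an illustrative (assumed) set of indicators, applied to raw bytes
// so that secrets inside squashfs blobs, config partitions, or memory dumps are found
// without extracting a filesystem first.
var secretPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"pem-private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	{"shadow-hash", regexp.MustCompile(`(?m)^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:\s]+:`)},
	{"credential-assignment", regexp.MustCompile(`(?i)(?:password|passwd|pwd|api[_-]?key|secret)\s*[=:]\s*["']?([^\s"',;]{4,})`)},
	{"wifi-psk", regexp.MustCompile(`(?i)\bpsk\s*=\s*["']?([^\s"']{8,})`)},
}

// tokenRe picks out long base64/hex-like runs that may be API tokens or raw keys.
var tokenRe = regexp.MustCompile(`[A-Za-z0-9+/=]{32,}`)

// shannonEntropy returns bits per character; random tokens score well above prose.
func shannonEntropy(s string) float64 {
	freq := map[rune]int{}
	for _, r := range s {
		freq[r]++
	}
	n := float64(len(s))
	h := 0.0
	for _, c := range freq {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

func truncate(s string) string {
	if len(s) > 48 {
		return s[:48] + "..."
	}
	return s
}

// ScanFirmware applies every pattern to the image and then flags high-entropy tokens.
func ScanFirmware(img []byte) []Finding {
	var out []Finding
	for _, p := range secretPatterns {
		for _, loc := range p.re.FindAllIndex(img, -1) {
			out = append(out, Finding{p.kind, loc[0], truncate(string(img[loc[0]:loc[1]]))})
		}
	}
	for _, loc := range tokenRe.FindAllIndex(img, -1) {
		tok := string(img[loc[0]:loc[1]])
		if shannonEntropy(tok) >= 4.0 { // assumed threshold
			out = append(out, Finding{"high-entropy-token", loc[0], truncate(tok)})
		}
	}
	return out
}

// CountByKind summarises findings for a report.
func CountByKind(fs []Finding) map[string]int {
	c := map[string]int{}
	for _, f := range fs {
		c[f.Kind]++
	}
	return c
}

// sampleImage is a constructed stand-in for a dumped flash image: binary noise around
// a shadow entry, a Wi-Fi config, a private key header, and an unlabelled cloud token.
func sampleImage() []byte {
	var b bytes.Buffer
	b.WriteString("\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00/bin/busybox\x00")
	b.WriteString("\nroot:$1$saltsalt$hashhashhash:17000:0:99999:7:::\n")
	b.WriteString("\x00\x00[wifi]\nssid=\"HomeNet\"\npsk=\"HomeNet2016\"\nwifi_password=SuperSecret123\n")
	b.WriteString("\x00-----BEGIN RSA PRIVATE KEY-----\n...\n")
	b.WriteString("\x00cloud_token\x00k3Jf9sLp2QzXv7Bn4Tg8Hc1Wy6Rm0Dq5Ae2Ufo3\x00")
	return b.Bytes()
}

func main() {
	for _, f := range ScanFirmware(sampleImage()) {
		fmt.Printf("%-22s @0x%06x  %s\n", f.Kind, f.Offset, f.Text)
	}
}
```

Run it against a real image after dumping the flash (or extracting the root filesystem with a tool such as binwalk) and treat every hit as a finding to confirm by hand: the shadow hash should go to a cracker, and any private key or token found this way is, by definition, shared with every unit that runs the same firmware.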
Example: IoT Attack Scenario (diagram): an IoT device talking to its legitimate server versus a fake server impersonating it.
Defensive Security Measures – IoT.
- Insecure web interface: disallow weak user passwords; provide an account lockout mechanism; test the interface for SQL injection, XSS, and CSRF vulnerabilities
- Insufficient authentication/authorization: require strong passwords for authentication; implement two-factor authentication; force password expiration after a set period
- Insecure network services: ensure all devices operate with the minimum set of ports active; ensure devices do not expose ports or services to the Internet via UPnP; review the required network services for vulnerabilities
- Lack of transport encryption: ensure traffic is encrypted between all system components; ensure TLS implementations are current and configured properly (no SSL or early TLS versions, and certificate validation enabled so a fake server cannot impersonate the real one)
- Privacy concerns: collect only the minimum PII needed from consumers; analyze only non-sensitive data; have a data retention policy in place
Defensive Security Measures – IoT (Cont.).
- Insecure cloud interface: review all cloud interfaces for vulnerabilities; ensure any cloud-based web interface disallows weak passwords; ensure all cloud interfaces use transport encryption
- Insecure mobile interface: ensure the mobile application disallows weak passwords; ensure it has an account lockout mechanism; implement two-factor authentication for mobile applications
- Insufficient security configurability: make password security options available (e.g. allowing 20-character passwords or enabling two-factor authentication); make encryption options available (e.g. enabling AES-256); make secure logging available for security events
- Insecure software/firmware: ensure all system devices have update capability and can be updated quickly when vulnerabilities are discovered; ensure update files are signed and verified on the device before installation, with a version check that rejects rollback to older firmware (risk 4 above); encrypt update files and transmit them over an encrypted channel
- Poor physical security: produce the device with the minimum number of external physical ports (e.g. USB); ensure the firmware or operating system cannot be accessed through unintended methods such as an unnecessary USB port; make the product tamper resistant
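Risk 4 (lack of secure update mechanism), the "update mechanism" attack surface (unsigned or unencrypted updates), and the insecure software/firmware measures above all describe the same control: the device must verify a vendor signature over the update and refuse older versions before it flashes anything. The Go program below is an added example for this page, not the update code of any real product: the vendor signs a small manifest (version plus SHA-256 of the image) with an Ed25519 key in the build pipeline, and the device checks the signature against its pinned public key, enforces the monotonic version, and then checks the image hash. The manifest layout, the Ed25519 choice, and the sample images are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs. The image itself is bound to the
// manifest through its SHA-256, so the signature covers the whole update.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // Ed25519 signature over manifestBytes(Version, ImageHash)
}

// manifestBytes is the canonical byte encoding that is signed and verified.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignManifest is the vendor-side step: it runs in the build pipeline with the
// private key and never on the device.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

// Device holds the only state the verifier needs: the vendor public key pinned at
// manufacture (ideally in ROM/OTP) and the version currently installed.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than installed (rollback rejected)")
	ErrImageHash    = errors.New("image hash does not match the signed manifest")
)

// VerifyUpdate checks, in order: signature, anti-rollback, image integrity.
// Nothing about an unsigned manifest is trusted, not even its version number.
func (d *Device) VerifyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	return nil
}

// ApplyUpdate verifies and, on success, advances the installed version. A real
// device would write the image to the inactive slot first and keep the version
// counter in tamper-resistant storage so it cannot be reset.
func (d *Device) ApplyUpdate(m Manifest, image []byte) error {
	if err := d.VerifyUpdate(m, image); err != nil {
		return err
	}
	d.InstalledVersion = m.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed for the demo)
	dev := &Device{VendorPub: pub, InstalledVersion: 3}
	img := []byte("firmware v4 image bytes (constructed)")

	fmt.Println("valid v4:   ", dev.ApplyUpdate(SignManifest(priv, 4, img), img))
	fmt.Println("rollback v2:", dev.VerifyUpdate(SignManifest(priv, 2, img), img))
	fmt.Println("tampered:   ", dev.VerifyUpdate(SignManifest(priv, 5, img), []byte("tampered")))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:  ", dev.VerifyUpdate(SignManifest(attackerPriv, 5, img), img))
}
```

Encrypting the image (the measure listed above) protects the vendor's intellectual property and hides the contents from a network observer, but it does not authenticate the update: only the signature and the pinned public key stop a fake server from pushing arbitrary firmware, and only the version check stops it from replaying an old, vulnerable build that the vendor really did sign.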
Case: Dyn Botnet DDoS Attack.
- DDoS attack in October 2016 against the DNS provider Dyn
- The attack was staged and launched from IoT devices infected with the Mirai malware
- Mirai was designed for two main purposes: find and infect IoT devices to grow the botnet, and participate in DDoS attacks on commands received from remote command-and-control (C&C) infrastructure
- Mirai operates in three stages: infect the device, protect itself, launch the attack
Case: Dyn Botnet DDoS Attack (Cont.).
Stage 1: Infect the device
- Scans the Internet for devices with an open Telnet service (TCP 23, and 2323 at a lower rate); later variants added other services, such as TR-064/CWMP on TCP 7547 (the Deutsche Telekom incident), and the target ports are configurable
- Once connected, tries a built-in dictionary of factory-default username/password pairs to log in
- After logging in, installs the bot and uses the newly infected device to scan for more IoT devices
Case: Dyn Botnet DDoS Attack (Cont.).
Stage 2: Protect itself
- Kills other processes on the infected device that listen on SSH, Telnet, and HTTP, so the owner cannot regain remote access while it is infected (this also locks out competing bots)
- Note: Mirai lives only in memory, so rebooting the device removes it; but if the default credentials are unchanged and Telnet is still reachable, the device is typically reinfected within minutes
Stage 3: Launch attack
- The infected device launches whichever attack type the C&C orders: HTTP floods, SYN floods, and other DDoS attacks
- Note: Mirai's scanner contained a hard-coded list of U.S. networks to avoid, including the U.S. Postal Service and the Department of Defense
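Stage 1 leaves a signature that a defender can see from the network side long before the device joins an attack: one internal host suddenly opening connections to many distinct addresses on the Telnet and CWMP ports. The Go program below is an added detection example written for this page, not part of Mirai's source or of any vendor's product: it parses a constructed connection log (one line per outbound SYN) and flags any source that reaches a threshold of distinct destination hosts on ports 23, 2323, or 7547 within a sliding time window. The log format, the threshold (10 hosts in 60 seconds), and the sample addresses are assumptions; adapt the parser to your firewall or flow logs.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Conn is one parsed outbound connection attempt from the log.
type Conn struct {
	At   time.Time
	Src  string
	Dst  string // destination host only; the port is kept separately
	Port int
}

// scannedPorts are the Telnet/CWMP ports Mirai and its variants probe.
var scannedPorts = map[int]bool{23: true, 2323: true, 7547: true}

// ParseConnLog parses lines of the assumed form
//   2016-10-21T12:00:01Z 192.0.2.10 -> 198.51.100.1:23
func ParseConnLog(log string) ([]Conn, error) {
	var out []Conn
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 || f[2] != "->" {
			return nil, fmt.Errorf("bad line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", line, err)
		}
		host, portStr, err := net.SplitHostPort(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad destination in %q: %v", line, err)
		}
		port, err := strconv.Atoi(portStr)
		if err != nil {
			return nil, fmt.Errorf("bad port in %q: %v", line, err)
		}
		out = append(out, Conn{At: at, Src: f[1], Dst: host, Port: port})
	}
	return out, sc.Err()
}

// DetectScanners returns the sources that touched at least minTargets distinct
// hosts on the scanned ports inside any window of the given length.
func DetectScanners(conns []Conn, window time.Duration, minTargets int) []string {
	bySrc := map[string][]Conn{}
	for _, c := range conns {
		if scannedPorts[c.Port] {
			bySrc[c.Src] = append(bySrc[c.Src], c)
		}
	}
	var flagged []string
	for src, evs := range bySrc {
		sort.Slice(evs, func(a, b int) bool { return evs[a].At.Before(evs[b].At) })
		inWindow := map[string]int{} // dst host -> hits inside the current window
		i := 0
		for j := range evs {
			inWindow[evs[j].Dst]++
			for evs[j].At.Sub(evs[i].At) > window { // slide the window's left edge
				inWindow[evs[i].Dst]--
				if inWindow[evs[i].Dst] == 0 {
					delete(inWindow, evs[i].Dst)
				}
				i++
			}
			if len(inWindow) >= minTargets {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// sampleLog is constructed: one infected camera sweeping 12 hosts in 12 seconds,
// an admin workstation using SSH to a single jump host, and a device that
// touches three Telnet hosts over an hour (below the threshold).
func sampleLog() string {
	var sb strings.Builder
	base := time.Date(2016, 10, 21, 12, 0, 0, 0, time.UTC)
	for i := 0; i < 12; i++ {
		port := 23
		if i%4 == 3 {
			port = 2323 // Mirai mixes in 2323 at a lower rate
		}
		fmt.Fprintf(&sb, "%s 192.0.2.10 -> 198.51.100.%d:%d\n", base.Add(time.Duration(i)*time.Second).Format(time.RFC3339), i+1, port)
	}
	for i := 0; i < 5; i++ {
		fmt.Fprintf(&sb, "%s 192.0.2.20 -> 203.0.113.5:22\n", base.Add(time.Duration(i)*time.Minute).Format(time.RFC3339))
	}
	for i := 0; i < 3; i++ {
		fmt.Fprintf(&sb, "%s 192.0.2.30 -> 198.51.100.%d:23\n", base.Add(time.Duration(i)*20*time.Minute).Format(time.RFC3339), 50+i)
	}
	return sb.String()
}

func main() {
	conns, err := ParseConnLog(sampleLog())
	if err != nil {
		panic(err)
	}
	fmt.Println("likely Mirai-style scanners:", DetectScanners(conns, time.Minute, 10))
}
```

A flagged device is worth isolating immediately rather than just rebooting: as noted under Stage 2, a reboot clears Mirai from memory, but the device will be found and reinfected unless the default credentials are changed and the Telnet port is blocked at the gateway.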
Case: Dyn Botnet DDoS Attack (Cont.).
Mirai major event timeline (figure; source: https://elie.net/mirai). Legend: major attacks, new exploits, other events.
- 08/01/2016: Mirai surfaces
- 09/18/2016: OVH attacks
- 09/21/2016: attack
- Mirai source code released
- 10/21/2016: Dyn attacks
- 10/31/2016: Liberia Lonestar attack begins
- 11/26/2016: Deutsche Telekom CWMP exploit
- 07/18/2017: Mirai author (remaining label not legible in the figure)