Page 1: RSAC2015-OWASP-IoT-Miessler.pdf

Securing the Internet of Things: Mapping Attack Surface Areas Using the OWASP IoT Top 10

Session ID: ASD-T10
#RSAC

Daniel Miessler
Security Research, HP Fortify on Demand
@danielmiessler

Page 2: RSAC2015-OWASP-IoT-Miessler.pdf

- HP Fortify on Demand
- Security Research & Development
- Penetration Testing
- OWASP Project Leader (IoT, Mobile)

Page 3: RSAC2015-OWASP-IoT-Miessler.pdf

The Plan

- Let’s Talk About Naming
- A Vision of the Future (Universal Daemonization)
- Why IoT is Currently Broken
- Examples From Research
- The OWASP IoT Project
- Applying What We’ve Learned
- One more thing…

Page 4: RSAC2015-OWASP-IoT-Miessler.pdf

What does it mean?

Page 5: RSAC2015-OWASP-IoT-Miessler.pdf

What does it mean?

- [ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.
- [ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.

Page 6: RSAC2015-OWASP-IoT-Miessler.pdf

Better Names

- Universal Daemonization
- Universal Object Interaction
- Programmable Object Interfaces (POIs)
- Transfurigated Phase Inversion

Page 7: RSAC2015-OWASP-IoT-Miessler.pdf

The Real Internet of Things

Page 8: RSAC2015-OWASP-IoT-Miessler.pdf

The Real Internet of Things

Page 9: RSAC2015-OWASP-IoT-Miessler.pdf

Universal Daemonization

Page 10: RSAC2015-OWASP-IoT-Miessler.pdf

The Current IoT Security Problem

Page 11: RSAC2015-OWASP-IoT-Miessler.pdf

The Current IoT Security Problem

- Network: services, encryption, firewall, input…

Page 12: RSAC2015-OWASP-IoT-Miessler.pdf

The Current IoT Security Problem

- Network
- Application: authN, authZ, input validation, etc.

Page 13: RSAC2015-OWASP-IoT-Miessler.pdf

The Current IoT Security Problem

- Network
- Application
- Mobile: insecure APIs, lack of encryption, etc.

Page 14: RSAC2015-OWASP-IoT-Miessler.pdf

The Current IoT Security Problem

- Network
- Application
- Mobile
- Cloud: yadda yadda, auth, session, access

Page 15: RSAC2015-OWASP-IoT-Miessler.pdf

IoT Security is the Worst-of-All-Worlds

net + app + mobile + cloud = IoT

- Network: services, encryption, firewall, input…
- Application: authN, authZ, input validation, etc.
- Mobile: insecure APIs, lack of encryption, etc.
- Cloud: yadda yadda, auth, session, access

Page 16: RSAC2015-OWASP-IoT-Miessler.pdf

The Current IoT Security Problem

network + application + mobile + cloud = IoT

1 + 1 = 5

Page 17: RSAC2015-OWASP-IoT-Miessler.pdf

IoT Security Fail Examples

Page 18: RSAC2015-OWASP-IoT-Miessler.pdf

IoT Security Fail Examples (Authentication)

- 10/10 security systems accept ‘123456’
- Account enumeration
- Lack of account lockout
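The three authentication failures above (a trivial password accepted, account enumeration, no lockout) are usually fixed in the same login path. The following is an added example, not code from the talk or from the OWASP IoT project: it rejects denylisted and short passwords at registration, returns one error text and burns the same hashing work whether the user exists, is locked or typed the wrong password, and locks the account after repeated failures. The four-entry denylist, the 12-character minimum, the five-attempt/15-minute lockout and the 20,000 PBKDF2 iterations are assumptions chosen for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Constructed denylist around the password the research found accepted by 10/10 security systems.
var weakPasswords = map[string]bool{"123456": true, "password": true, "admin": true, "12345678": true}

const (
	pbkdfIterations = 20_000 // assumption, lowered for the demo; OWASP recommends 600,000 for PBKDF2-HMAC-SHA256
	maxFailures     = 5      // assumption
	lockoutWindow   = 15 * time.Minute
)

var now = time.Now // clock, replaceable in tests so lockout expiry can be exercised
var ErrWeakPassword = errors.New("password is too short or on the denylist")
var ErrLogin = errors.New("invalid username or password") // same text for unknown user, wrong password and locked account

// pbkdf2SHA256 is PBKDF2 (RFC 8018) written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

type account struct {
	salt, verifier []byte
	failures       int
	lockedUntil    time.Time
}

// Store is an in-memory user store; lockout state lives with the account.
type Store struct{ users map[string]*account }

func NewStore() *Store { return &Store{users: map[string]*account{}} }

func (s *Store) Register(user, password string) error {
	if len(password) < 12 || weakPasswords[password] { // 12-character minimum is an assumption
		return ErrWeakPassword
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.users[user] = &account{salt: salt, verifier: pbkdf2SHA256([]byte(password), salt, pbkdfIterations, 32)}
	return nil
}

func (s *Store) Login(user, password string) error {
	acct, ok := s.users[user]
	if !ok {
		// Burn the same work as a real check so response time does not enumerate users either.
		pbkdf2SHA256([]byte(password), make([]byte, 16), pbkdfIterations, 32)
		return ErrLogin
	}
	if now().Before(acct.lockedUntil) {
		return ErrLogin // locked: skip the password check and do not reveal the lock
	}
	got := pbkdf2SHA256([]byte(password), acct.salt, pbkdfIterations, 32)
	if subtle.ConstantTimeCompare(got, acct.verifier) != 1 {
		if acct.failures++; acct.failures >= maxFailures {
			acct.lockedUntil, acct.failures = now().Add(lockoutWindow), 0
		}
		return ErrLogin
	}
	acct.failures = 0
	return nil
}

func main() {
	s := NewStore()
	fmt.Println("register 123456:", s.Register("alice", "123456"))
	fmt.Println("register strong:", s.Register("alice", "correct horse battery staple"))
	for i := 0; i < maxFailures; i++ {
		s.Login("alice", "wrong")
	}
	fmt.Println("right password while locked:", s.Login("alice", "correct horse battery staple"))
}
```

The single `ErrLogin` value is the enumeration fix: the only thing a remote caller can learn is that the attempt failed. Lockout keyed on the account is the simplest form; a device facing the open internet also wants per-source throttling, since a lockout alone lets an attacker deny service to legitimate users by guessing against their account.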

Page 19: RSAC2015-OWASP-IoT-Miessler.pdf

IoT Security Fail Examples (Update Systems)

- No signing of updates
- Download over FTP
- Server was world-writeable
- Server held ALL products
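All four update-system failures above come down to the device trusting whatever arrives from the server. What follows is an added example, not code from the talk or from the OWASP IoT project, of the device-side check that makes the download path irrelevant: the vendor signs a small manifest that binds a product name and a version number to the SHA-256 of the image, using an Ed25519 key whose public half is pinned on the device, and the device refuses to touch the image until the signature, product, anti-rollback and hash checks all pass. The product name `cam-2000`, the manifest layout and the image bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs. It binds a version number to the hash of the
// image, so neither can be swapped on a server the attacker can write to.
type Manifest struct {
	Product string `json:"product"`
	Version uint32 `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the image bytes
}

// SignedUpdate is the bundle the device fetches; the transport (FTP, plain HTTP,
// anything) is treated as hostile, so nothing here is trusted until verified.
type SignedUpdate struct {
	Manifest  []byte // JSON of Manifest, verified on exactly the bytes received
	Signature []byte // Ed25519 signature over Manifest by the vendor's offline key
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrImageHash    = errors.New("image hash does not match the signed manifest")
)

// Device holds the vendor public key pinned at manufacture and the running version.
type Device struct {
	Product   string
	VendorKey ed25519.PublicKey
	Version   uint32
}

// VerifyUpdate checks signature, product, anti-rollback and image hash, in that
// order, before any byte of the image is trusted. It returns the manifest on success.
func (d *Device) VerifyUpdate(u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(d.VendorKey, u.Manifest, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil { // parse only after the signature holds
		return nil, err
	}
	if m.Product != d.Product {
		return nil, ErrWrongProduct
	}
	if m.Version <= d.Version {
		return nil, ErrRollback
	}
	if sum := sha256.Sum256(u.Image); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrImageHash
	}
	return &m, nil
}

// GenerateVendorKey stands in for the vendor's offline signing key; the private half never goes near the update server.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildUpdate is the vendor build step: hash the image, sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	manifest, err := json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: manifest, Signature: ed25519.Sign(priv, manifest), Image: image}, nil
}

func main() {
	pub, priv := GenerateVendorKey()
	dev := &Device{Product: "cam-2000", VendorKey: pub, Version: 3} // constructed product and version
	image := []byte("constructed firmware image bytes")
	good, _ := BuildUpdate(priv, "cam-2000", 4, image)
	_, err := dev.VerifyUpdate(good)
	fmt.Println("genuine update:", err)
	// Attacker with write access to the update server swaps the image but cannot re-sign the manifest.
	tampered := good
	tampered.Image = []byte("backdoored image")
	_, err = dev.VerifyUpdate(tampered)
	fmt.Println("swapped image:", err)
	// An older, genuinely signed update replayed to bring back a fixed bug.
	old, _ := BuildUpdate(priv, "cam-2000", 2, image)
	_, err = dev.VerifyUpdate(old)
	fmt.Println("rollback:", err)
}
```

Two design points worth noting: the signature is checked over the manifest bytes exactly as received, before parsing, so there is no canonicalisation step an attacker can play with; and the product field is part of what is signed, which is what stops a valid update for one product on a shared server from being fed to another. Transport encryption is still worth having for privacy, but with this check in place a world-writeable FTP server can at worst deny an update, not plant one.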

Page 20: RSAC2015-OWASP-IoT-Miessler.pdf

IoT Security Fail Examples

- 10/10 security systems accept ‘123456’
- 10/10 security systems with no lockout
- 10/10 security systems with enumeration
- SSH listeners with root/“” access
- 6/10 web interfaces with XSS/SQLi
- 70% of devices not using encryption
- 8/10 collected personal information
- 9/10 had no two-factor options
- Unauthenticated video streaming
- Completely flawed software update systems

Page 21: RSAC2015-OWASP-IoT-Miessler.pdf

The Need for a Methodology

Page 22: RSAC2015-OWASP-IoT-Miessler.pdf

Mapping IoT Attack Surface Areas

Page 23: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I1 — Insecure Web Interface

Page 24: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I1 — Insecure Web Interface

Page 25: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I2 — Insecure Network Services

Page 26: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I3 — Lack of Transport Encryption

Page 27: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I5 — Privacy Concerns

Page 28: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I6 — Insecure Cloud Interface

Page 29: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I7 — Insecure Mobile Interface

Page 30: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I8 — Insufficient Security Configurability

Page 31: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I9 — Insecure Software/Firmware

Page 32: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT: I10 — Poor Physical Security

Page 38: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT Project Goals

1. Understand the main attack surface areas for any IoT device or ecosystem
2. As a tester, be able to hit the major issues for each surface area for the product you’re testing
3. As a manufacturer, be able to ensure that you’ve done your due diligence in security across the main surface areas
4. As a developer, be able to ensure that you’re avoiding the top security issues while building your particular component
5. As a consumer, ensure you’re using the technology safely

Page 39: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT Project Organization

Page 40: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT Project (Context-based Recommendations)

Page 41: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT Project (Consumer Recommendations)

Page 45: RSAC2015-OWASP-IoT-Miessler.pdf

OWASP IoT Project (FAQ)

1. If IoT is just a collection of other technologies, why not just use existing OWASP projects? (one place, multiple spaces)
2. Why call it a Top 10 List, which is traditionally a list of vulnerabilities? (tradition, approachability)
3. Why not have X category, or Y category, or you should move I7 to I2, etc.? (excellent, come help)

https://lists.owasp.org/mailman/listinfo/owasp_internet_of_things_top_ten_project

Page 52: RSAC2015-OWASP-IoT-Miessler.pdf

How to Apply This

Concept: The Internet of Things is not just about sensors and machines. It’s about people, and how they will continuously interact with their environments through their personal assistants and Universal Daemonization.
Application: Know the future before others do, and use that knowledge to inform better decisions.

Concept: IoT security is broken for three reasons: it’s a worst-of-all-worlds scenario, nobody is paid to secure IoT, and 1+1=5 when it comes to security and complexity.
Application: You can now identify the common causes of these mistakes, and look out for them in projects you consult on.

Concept: The OWASP IoT Top 10 Project maps IoT attack surface areas and gives contextual and prescriptive guidance on how to avoid vulnerabilities within each.
Application: You can now use the OWASP IoT Project as a tangible guide to securing the IoT systems you work with.

Page 53: RSAC2015-OWASP-IoT-Miessler.pdf

Other IoT Resources

- Build It Securely Project (connects SMBs with researchers): Mark Stanislav and Zach Lanier
- I am the Cavalry (focuses on automotive IoT security): Josh Corman
- IoT Firmware Testing Training: Paul Asadoorian (BlackHat)

Page 54: RSAC2015-OWASP-IoT-Miessler.pdf

Just One More Thing…

- OWASP IoT Top 10 Mini-poster
  - Card stock
  - Two-sided
  - Covers Top 10 Surface Areas
  - Available for download as well