IOActive, Inc. Copyright ©2017. All Rights Reserved. What incentive for Security in IoT? Dr. Cédric LEVY-BENCHETON @clevybencheton ISACA Luxembourg Chapter 15 June 2017

Page 1: What incentive for Security in IoT? - · PDF file• IoT security requires a holistic approach – e.g. a secure device does not protect from insecure apps – Integrate non-system

What incentive for Security in IoT?

Dr. Cédric LEVY-BENCHETON

@clevybencheton

ISACA Luxembourg Chapter

15 June 2017

Page 2

Summary

• Introduction

• Vulnerabilities in Consumer and Industrial IoT

• Recommendations

Page 3

What is IoT?

Page 4

Defining IoT

• NIST SP 800-183 proposes 5 primitives for a “Network of Things”: Sensor, Aggregator (e.g. a sensor cluster), Communication Channel, External Utility (eUtility), Decision trigger

• ITU-T Y.2060 defines IoT as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”

There is currently no well-accepted definition of IoT

Page 5

Why IoT-fy your product?

• Money money money £££ €€€ $$$ ¥¥¥

– Data collection and processing

– New business models: data reseller, targeted ads, etc.

– Competitors do IoT, hence we must do IoT

– Competitors don’t do IoT, let’s be the first one!

• Customers have their own interests (do they?)

– Connectivity is needed, mobility is important

– Statistics and remote control

– Convergence and interconnection with devices and services

– More functionality than the non-IoT product, at a reasonable price

– Non-connected version is not available

Page 6

Security for IoT

¯\_(ツ)_/¯

Page 7

This presentation will…

• Define IoT assets and their associated threats

• Analyse findings from multiple penetration tests

• Link with Safety and Privacy (including the GDPR)

• Discuss incentives

Page 8

IoT at a glance

[Diagram nodes: Device (Software, Hardware, Firmware, Bootloader), Networks, Cloud, Mobile]

Multiple attack vectors, direct and indirect

Page 9

Threats and assets

• Threats to the Internet of Things

– Compromised behaviour

– Privacy concerns

– Safety concerns

– Outdated software and libraries

– Communication on insecure networks

– Unavailability of networks

– Poor vendor support

– Manipulation of data

• Assets targeted

– IoT devices

– Mobile applications

– Sensors and actuators

– Cloud

– Network connectivity

– Privacy

Page 10

“The S in IoT stands for Security”

Page 11

Common vulnerabilities to the IoT

• Result of multiple penetration tests

– Holistic approach (device, mobile, network, cloud, etc.)

– Highlight the impact on safety and privacy

• Sectors in scope

Consumer IoT

• Automotive (vehicles out of scope)

• Medical

• Smart Home

Industrial IoT

• Energy (including Smart Grid)

• ICS/SCADA (including Robots)

Page 12

Top 5 Vulnerability Types

Top 5 CIoT Vulnerabilities

1. Insecure/Lack of Encryption

2. Authentication Issues

3. Information Disclosure

4. Buffer Overflow

5. SDLC-related

Top 5 IIoT Vulnerabilities

1. Authentication Issues

2. Buffer Overflow

3. Insecure/Lack of Encryption

4. SDLC-related

5. Insecure Access Control

Slide callouts: “Collection of user information”; “Security assumptions (segregated network)”

Page 13

Top 5 Assets Impacted (attack vectors)

Top 5 CIoT Assets

1. Network

2. Device | Firmware

3. Device | Software

4. Mobile and Web Apps

5. Bootloader

Top 5 IIoT Assets

1. Device | Software

2. Web Service

3. Network

4. Device | Administration Panel

5. Mobile and Web Apps

Page 14

A discussion on results

• Traditional findings are not our main findings

– Weak default credentials, hardcoded credentials, backdoor, etc.

– Some findings but not the majority

• Looking for an explanation…

– Penetration Test requires a certain level of maturity

– Security testing:

• To assess the security of 3rd party products

• As a requirement (from clients, for compliance, etc.)

Still, we have security issues: security is not easy

Page 15

Risk-level of vulnerabilities

• Understand possible consequences

– Risk-level = impact x likelihood

An attacker will look for critical and high-risk vulnerabilities

Two pie charts, labelled IIoT and CIoT (the extraction does not preserve which label belongs to which chart):

Risk level      First chart   Second chart
Critical        26%           14%
High            11%           27%
Medium          35%           43%
Low             12%           10%
Informational   16%           6%

Page 16

Effort to fix vulnerabilities

Good news: most vulnerabilities require a low effort to fix

Two charts, labelled CIoT and IIoT (the extraction does not preserve which label belongs to which chart):

Fix effort   First chart   Second chart
High         9%            7%
Medium       26%           27%
Low          65%           66%
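The two slides above give a risk model (Risk-level = impact x likelihood) and a fix-effort rating. The following added example (not from the deck, not IOActive's methodology) applies both to a constructed set of findings drawn from the vulnerability types named in the deck; the 1-5 scales, the bucketing thresholds, the Finding class and the sample findings are all assumptions for illustration.

```python
# Added example (not from the slides): triage pentest findings with the deck's
# risk model, Risk-level = impact x likelihood, then rank them by fix effort.
from collections import Counter
from dataclasses import dataclass

# Assumed 1-5 ordinal scales; the thresholds are illustrative, not IOActive's.
LEVELS = ((20, "Critical"), (12, "High"), (6, "Medium"), (3, "Low"), (0, "Informational"))

@dataclass(frozen=True)
class Finding:
    title: str
    sector: str      # "CIoT" or "IIoT"
    impact: int      # 1..5
    likelihood: int  # 1..5
    effort: str      # fix effort: "Low", "Medium" or "High"

def risk_level(impact, likelihood):
    """Map impact x likelihood onto the deck's five risk levels."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be in 1..5")
    score = impact * likelihood
    return next(name for floor, name in LEVELS if score >= floor)

def distribution(findings, sector):
    """Percentage of a sector's findings per risk level (the pie charts)."""
    subset = [f for f in findings if f.sector == sector]
    counts = Counter(risk_level(f.impact, f.likelihood) for f in subset)
    return {lvl: round(100 * counts[lvl] / len(subset)) for _, lvl in LEVELS}

def quick_wins(findings):
    """Critical/High findings that are Low effort to fix: do these first."""
    return [f.title for f in findings
            if risk_level(f.impact, f.likelihood) in ("Critical", "High")
            and f.effort == "Low"]

# Constructed sample findings, named after vulnerability types in the deck.
SAMPLE = [
    Finding("Cleartext telemetry to cloud (no TLS)", "CIoT", 4, 5, "Low"),
    Finding("Mobile app accepts any server certificate", "CIoT", 4, 4, "Low"),
    Finding("Stack buffer overflow in firmware parser", "CIoT", 5, 2, "Medium"),
    Finding("Device serial number printed in debug log", "CIoT", 1, 3, "Low"),
    Finding("Telnet enabled with default password on PLC", "IIoT", 5, 5, "Low"),
    Finding("Admin panel session never expires", "IIoT", 3, 3, "Low"),
    Finding("Outdated OpenSSL in gateway image", "IIoT", 3, 2, "High"),
]

if __name__ == "__main__":
    print({s: distribution(SAMPLE, s) for s in ("CIoT", "IIoT")})
    print("Quick wins:", quick_wins(SAMPLE))
```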

Page 17

So what are the incentives to invest?

[Diagram of incentives: Corporate Strategy, Regulation, Safety, Privacy, Market differentiator, Business interest, Clients’ demand]

Page 18

Safety in IoT

• Safety: protect human lives from the machine

– Probabilistic approach to system failure

– Incidents are (mostly) accidental

• Security for Safety

– Protect safety functions against cyber threats

– Ensure that no threat can impact safety

A security issue impacting safety can kill people

Page 19

Privacy in IoT

• Privacy: protect information that identifies a user

– Protection of the data collected, exchanged and processed

– A subset of confidentiality + a legal approach

– “Data is the new oil” - data theft on the rise (haveibeenpwned.com)

• Privacy becomes critical with the GDPR

– Beyond the traditional PII: Obligation of reporting leaks, huge fines!

– No defined standard nor framework (yet)

– Applicable starting May 2018

A security issue impacting privacy can kill business

Page 20

Impact on Safety and Privacy

Consumer IoT

• Safety risk: 23% of all vulnerabilities

– Main issues in automotive and medical: device hijack, crash

– Not a concern by manufacturers (!)

• Privacy issue: 22% of all vulnerabilities

– Mostly user-related data (name, e-mail address)

– Insecure data handling

Data protection policy not applied

Industrial IoT

• Safety risk: 11% of all vulnerabilities

– Most issues require direct access (device, LAN)

– Main issues when connected to the internet: default password, telnet enabled

• Privacy issue: 28% of all vulnerabilities

– Not a priority

– Mostly not user-related data (asset tracking, credential leaks)

If you can’t protect it, don’t connect it

Page 21

Recommendations

• Understand cyber threats

– Domain-specific and IoT-related

– Evaluate your current maturity level

• Define security requirements

– Minimum and advanced

– Security, safety, privacy

– Device, network, services

• Implement security requirements

– Training on Secure Coding Practices

– Code review and penetration testing

– Security support (i.e. patching)

• DO NOT DEVELOP YOUR OWN CRYPTO!

Security-by-design: introduce security concepts at the earliest stages of the lifecycle:

• Planning

• Design

• Early implementations

• Release

• Maintenance

• End of Life

Page 22

Conclusions

• IoT security is NOT as bad as expected…

– When security is not a new domain

– Penetration testing is only one part of security

• IoT security requires a holistic approach

– e.g. a secure device does not protect from insecure apps

– Integrate non-system components (e.g. developers)

• IoT Security shall adapt

– To the maturity level, to the sector, to business objectives, etc.

– To regulation

Page 23

What incentive for Security in IoT?

Thank you

Questions?