COUNTERING CYBERSECURITY RISK in today’s IoT world

Brad Nicholas, Anajali Gurnani, Brett Heliker


THE RIGHT SECURITY FRAMEWORK

We cannot solve our problems with the same thinking we used when we created them.

—Albert Einstein

Security controls are shifting away from the traditional perimeter

Adoption of cloud platforms and security as a service will continue

Where and how data is stored is key to evaluating risks

ACCELERATING PROGRAM MATURITY STARTS WITH A COMMON LANGUAGE FOR THE PRODUCTS AND SERVICES A COMPANY CAN BUY

ASSESS RISKS IN A STRUCTURED WAY AND DEVELOP A ROADMAP

Assets: DEVICES, APPS, NETWORK, DATA, PEOPLE

Functions (NIST Framework): IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

Pre-compromise / Post-compromise

A CULTURE OF SECURITY FACILITATES RESPONSIBLE BUSINESS

German steel mill suffers “massive damages” after hackers accessed a blast furnace that workers could not properly shut down

1. Recipient of targeted email is tricked into downloading malware to their computer

2. Attackers make their way from corporate network into production networks to access systems controlling plant equipment

3. Blast furnace cannot be properly shut down, causing massive damage

MAKE SECURITY A SHARED RESPONSIBILITY

COMMUNICATE Spearhead security as a product. Make it bold and important internally.

INNOVATE Be strategic about security architecture and standardization.

ACCELERATE Leverage agile practices to iterate and improve controls implementation.

INTEGRATE Move security testing as close to the developer as possible.

THE NEW IOT VULNERABILITIES

a few examples

IOT ADDS THE “PHYSICAL WEB”

IoT is about the physical web of everything around you

A whole slew of smart connected products + services are coming

Multiple networks, all interacting with you or on your behalf

MORE COMPLEXITY

NEW ATTACK SURFACES

COMPOUND EFFECTS

SMART PRODUCTS NEED BROADER, NON-TRADITIONAL EXPERTISE

• Krebs & Cisco: IoT Reality: Smart Devices, Dumb Defaults
“Consider whether you can realistically care for and feed the security needs of yet another IoT thing that is: chewing holes in your network defenses; gnawing open new critical security weaknesses; bred by a vendor that seldom and belatedly patches; tough to wrangle down and patch”
http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/

• NW World: 500K WeMo users could be hacked; CERT issues advisory
“when CERT tried to contact Belkin, Belkin chose not to respond at all”
http://www.networkworld.com/article/2226371/microsoft-subnet/500-000-belkin-wemo-users-could-be-hacked--cert-issues-advisory.html

• IBM: Smart Building Security Risks
“Connected building systems fly under the Cybersecurity radar, creating a Shadow IoT”
http://www.techrepublic.com/article/ibm-x-force-finds-multiple-iot-security-risks-in-smart-buildings/

WE HAVE A LONG WAY TO GO

• Hidden, hardcoded credentials and passwords

• Credentials stored as static text within files

• Insecure default configurations

• Insufficient network segmentation enabling attacks from within

• Weak support and nonexistent updates, exacerbated by economics

• Some/all of the above present in combination

Source: IBM smart building infographic

THE CHRYSLER JEEP HACK

Lessons to be Learned

WITH MUCH THANKS TO: Charlie Miller & Chris Valasek

White-hat Superheroes

thecavalry.org

“Modern [vehicles] are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.”

MICRO-CONTROLLERS, EMBEDDED SOFTWARE AND NETWORKING EVERYWHERE

Federally mandated “OBD” vehicle diagnostics since 1996

Dozens of networked control systems and millions of lines of code

“Black boxes” silently record vehicle dynamics

“OnStar” telematics since 1996

Fleet management, and usage based insurance are now widespread

Remote access adds MAJOR security implications, mandating disciplined design

Graphic: Quora

CONNECTED VEHICLES A MASSIVE OPPORTUNITY

An executive order from the White House in March 2015 called for federal agencies with fleets of more than 20 vehicles to use telematics systems whenever possible to improve vehicle efficiencies

E.O. section 3(g)(iii):

Collecting and utilizing as a fleet efficiency management tool, as soon as practicable but not later than two years after the date of this order, agency fleet operational data through deployment of vehicle telematics at a vehicle asset level for all new passenger and light duty vehicle acquisitions and for medium duty vehicles where appropriate

https://www.whitehouse.gov/sites/default/files/docs/eo_13693_implementing_instructions_june_10_2015.pdf

VULNERABILITIES *

* circa first half 2015

How hackable is your car?

Most Hackable: Jeep Cherokee, Escalade, Infiniti Q50, 2010 Prius

The Q50’s radio & adaptive controls (adaptive cruise control and adaptive steering) were directly connected to engine and braking systems.

Older cars are least hackable. Not a confidence-inspiring trend.

http://illmatics.com/remote%20attack%20surfaces.pdf

RollJam ($32)

Hacks keyless entry systems, alarm systems and garage door openers

Proven on Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen, and Chrysler vehicles; Cobra and Viper alarm systems; and Genie and Liftmaster garage door openers.

http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/

OwnStar

Any OnStar-equipped GM car could be located, unlocked and started via the phone app

The app uses SSL encryption, but Kamkar says it doesn’t properly check the certificate

http://arstechnica.com/security/2015/07/ownstar-researcher-hijacks-remote-access-to-onstar/

Progressive ‘Snapshot’

“The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.”

http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/

TomTom OBDII dongle

Used to reduce insurance rates for customers.

Hacked by UCSD by sending SMS messages to control the CAN bus and thereby the brakes, steering, etc. Confirmed in Corvette, Prius, Escape.

http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/

DEALERS AND MECHANICS

• Infections of equipment used by mechanics and dealerships to update car software and run vehicle diagnostics.

• An infected vehicle can spread an infection to a dealership’s testing equipment, which in turn would spread the malware to every vehicle the dealership services.

THE INDUSTRY HAS TO DO BETTER. WE CAN ALL HELP.

DON’T HIDE BEHIND THE DMCA

• Auto Alliance and General Motors actively make legal threats against anyone who tinkers with the code in their own vehicles, and actively fight proposed auto exemptions in the Digital Millennium Copyright Act.

• “The proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations” - GM
http://copyright.gov/1201/2015/comments-032715/class%2021/General_Motors_Class21_1201_2014.pdf

• “a vehicle owner does not own a copy of the relevant computer programs in the vehicle.” - GM

• John Deere argues that “bypassing of cars’ protection mechanisms could allow drivers to listen to pirated music, audio books or films, adding that this might encourage others to partake in the enjoyment of illegal material.”

IAMTHECAVALRY.ORG

5 STAR AUTOMOTIVE SAFETY PROGRAM

1. Safety by Design via standards compliance and secure software development lifecycle

2. Third Party Collaboration between the automotive industry and security researchers

3. Evidence Capture: tamper evident, forensically-sound logging and evidence capture

4. Security Updates in a prompt and agile manner (not a mailed USB drive)

5. Segmentation and Isolation: internet-connected infotainment systems shouldn’t be able to talk to brakes or transmission.

https://www.iamthecavalry.org/domains/automotive/5star/

A FEW ATTACK VECTORS

• Bluetooth, WiFi, keyless entry

• Cellular gateways (e.g., modems, Femtocells)

• OnStar or OnStar-like cellular radio

• Insecure OS configuration, update media, interprocess comms

• Static, clear text/hex strings in executable files

• Android app on the driver’s phone synched to the car’s network

• Malicious audio file burned onto a CD in the car’s stereo.

• Radio-readable tire pressure monitoring systems

BLAH BLAH BLAH

WHAT DOES IT ALL MEAN?

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

BUT IT WASN’T DESIGNED THAT WAY!

HOW DID THEY DO THAT?

A CASCADE OF VULNERABILITIES

• You can reach a cell network from the Internet

• You can port scan the car from the cell network!

• The car is listening to the cell network in an unprotected manner

• The head unit (radio/nav) runs an OS that isn’t configured properly

• The head unit’s application software is not secured properly

• The head unit is connected to both vehicle CAN networks (infotainment and powertrain)

• Head unit nav upgrade software delivery includes flashing tools and lots of commented script files

• The CAN interface firmware in the head unit isn’t code signed

http://illmatics.com/Remote%20Car%20Hacking.pdf

http://www.computerworld.com/article/2952186/mobile-security/chrysler-recalls-14m-vehicles-after-jeep-hack.html

SO HOW DID CHRYSLER HELP CUSTOMERS FIX THEIR VEHICLES?

• Plug in a USB flash drive you receive in the mail, then update the firmware in the head unit

or

• Go to a dealer and they’ll take care of it

• No remote software updates

DOES THAT SEEM RIGHT TO YOU?

ATTACK MITIGATION - BEST PRACTICES

• Hardware based cryptography that supports attestation, authentication and encryption services

• Secure boot and code signing

• Restricted processes

• Multi-stage communications

• Secure software updates