Embed Size (px)
Citation preview
Connected World and Security Risks IOTBY KAUSHIK DASHTTP: / /TWITTER.COM/THEKAUSHIK
8th Sep 2015
Do you want the red pill or the blue pill? You take the blue pill—the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill—you stay in Wonderland, and I show you how deep the rabbit hole goes. Click next when you are ready.
Quick Summary : IOT Verticals
HEALTH CARE / LIFE SCIENCE• Patient Care• Remote Diagnostics• Bio Wearable • Food Sensors• Equipment Monitoring• Elderly Monitoring
SMART HOME / CONSUMER • Wearable• Smart thermostat• Pet feeding• Smoke alarm• Washer• Refrigerators• Home Security
INFRASTRUCTURE• HVAC• Smart city• Waste management• Smart building• Temperature control• Electric Vehicle
TRANSPORT / URBAN MOBILITY• Traffic routing• Telematics• Smart Parking• Public Transport
INDUSTRIAL SYSTEM / SENSORS• Speed, Temperature• Flow, Motor• Heat, Cool, Valve• Pressure, Light, Position• Fan, Laser, Robot Arm
In todays connected world security issues can be found on various IOT devices. Below is a list of various IOT verticals. Each vertices can have its own set of security issues.
Lets talk aboutJUST CHOOSING ANY RANDOM IOT DEVICE
BABY MONITOR VULNERABILITIESHOME SECURITY
Why this topic? Reason behind choosing Baby Monitoring - Home Security as topic:
1. Most recent IOT related security issue. Last reported on 2nd Sep 2015
2. Many of the vulnerabilities still exists and has not been patched. Makes an interesting case study.
3. Baby monitors fulfill an intensely personal use case for IoT. They are usually placed near infants and toddlers, are intended to bring peace of mind to new parents, and are marketed as safety devices
4. Modern baby monitoring solutions will have additional features like pulse check, audio, intruder alarm etc. Hackers gaining access to such features can give personal trauma to the end user.
5. As Engadget mentions, “Industrial spies could also take advantage of the devices' flaws to steal secrets or keep an eye on high-profile execs who use their phones or computers to connect to their kids' internet baby monitors. ”
6. Similar issues can be found on various other monitoring devices.
7. With millions of IOT devices connected to internet and easy to hack it may be easy for a hacker to gain access to millions of them and use their processing power to launch powerful DDoS attack.
Consumer Devices referred hereDevice Model Vendor
iBaby M6 iBaby Labs, Inc.
iBaby M3S iBaby Labs, Inc
Philips In.Sight B120/37 Philips Electronics N.V
Summer Baby Zoom WiFi Monitor & Internet Viewing System
Summer Infant
Lens Peek-a-View Lens Laboratories(f)
Gynoii Gynoii, Inc.
TRENDnet WiFi Baby Cam TV-IP743SIC TRENDnet
Nature of IOT device manufactureImportant information to consider Brands manufacturing IOT devices tends to use components from 3rd party suppliers. The suppliers runs extremely large operations and produces millions of components every year. Due to the nature of such time-lagged supply, individual components may have months to years old software before being assembled into final product, hence producing vulnerable IOT devices.
Security Vulnerabilities 1/2Known vulnerabilities but ships with new devices
Vulnerability Description SolutionClear text used for Local API
Devices built with commodity components and software often fail to use modern cryptographic standards for LAN/local communications.
Simple use of common encrypted protocols, such as HTTPS and SSH can solve these problems
Clear text used for Cloud API
Devices uses web API to connect to cloud server and often misses out on adopting encryption across the board in order to ensure privacy and authenticity.
All APIs should follow authentication protocols and should follow across the board. Often some specific urls gets missed out of the authentication and hackers can find them out. Using web standards like Oauth 2.0 for APIs can eliminate such issues.
Unencrypted Storage
Devices stores the recorded video on local storage. Without encryption anyone can manage to access the drive and read data from it.
Hardware or software based drive encryption mechanisms will solve these problems.Example: The Trusted Computing Group Opal drive provides industry accepted standardization for self-encrypting drives
Security Vulnerabilities 2/2Known vulnerabilities but ships with new devices
Vulnerability Description SolutionRemote Shell Access IOT devices often ship with default or un -
configured portable OS, ideally a Linux system or a POSIX kernel along with utilities like BusyBox which will have access to Shell. A Shell access is an easy door for hackers.
Often the production system will never need a Shell access. Shell access should be disabled/removed from these products.
Backdoor Accounts Manufacturers often include default accounts, service accounts or guest accounts which may be impossible to disable. Often they uses an easy to guess password or same password across multiple devices. Sometime even though the the password are unique the algorithm used to generate these passwords are easy to guess
Disable any guest/unnecessery accounts for publicly available products.Make sure when the end user logs in for first time during setup he/she is forced to change the password with enforcement of complex/unguessable password.
UART Access Universal Asynchronous Receiver/ Transmitter (UART) often bypass normal authentication via serial cable connection. Such connections are usually helpful for diagnostic but hackers can easily gain access to them.
IOT devices with UART or similar access should be tamper-evident. Example: Opening a CPU cover for certain desktops raises an alarm unless that’s disabled from BIOS using BIOS password. Similar alarm mechanism can be added.
Security Vulnerabilities 1/3New vulnerabilities discovered recently dated: 2nd Sep 2015
Vulnerability Description SolutionPublic information leak Ibabycloud.com has vulnerability where any authenticated user have
access to other authenticated users video recording using direct URL.Access camera's details, including video-recording filenames: [URL REMOVED FOR THE SECURITY REASON]Access a camera's video recording: [URL REMOVED FOR THE SECURITY REASON]
This is a typical case of Direct Object Reference. Providing access to media over authentication mechanism like Oauth would solve these issues. More on DOR here https://goo.gl/iowmF2
Backdoor Credentials Devices like iBaby M3S have UART access and can be accessed using very generic credential.via Telnet or UARTUsername: adminPassword: adminSome of the devices have access to both local web server and OS. Local Web ServerReachable via http://{device_ip}/cgi-bin/{script_path}Username: userPassword: [REMOVED FOR THE SECURITY REASON]
Firmware upgrade is needed to disable local admin login and web login.
Security Vulnerabilities 2/3New vulnerabilities discovered recently dated: 2nd Sep 2015
Vulnerability Description SolutionCross Site Scripting Probably one of the most common
vulnerability.In Weaved cloud web service, as an authenticated user we can find multiple pages have a mixture of reflective and stored XSS in them.Example:[URL REMOVED FOR THE SECURITY REASON]With this access, a valid streaming session could be generated and eavesdropped upon by an attacker
Rather than having a URL based GET method a proper API implementation should be used with authentication.
Security Vulnerabilities 3/3New vulnerabilities discovered recently dated: 2nd Sep 2015
Vulnerability Description SolutionAuthentication Bypass Webservice of MySnapCam has option to
manage camera functionalities over web. HTTP Get request can be used to add a new user to a camera without any valid session by the camera administrator. When a user is created by a hacker the email validation is also sent to the hacker for verification and can be approved by the hacker.
Add an arbitrary user to any camera: [URL REMOVED FOR THE SECURITY REASON]
Customer can have the device running only on local network unless the issue can be patched.
Conclusion 1. Keeping device firmware up to date is very important for all IOT devices. At the same time
manufacturers should have easy way to provide firmware updates using OTA along with force auto update for major security issues.
2. Since the processing power of most IOT device is limited an end to end encryption will be hard to achieve as it needs more processing power. Manufacturers should follow industrial standards and good practices while building these products.
3. Availability of IOT devices over web should be restricted to VPN. This adds additional steps to regular workflow but is a secure way.
Interesting concepts about future IOTAPPENDIX AND FUN
In the future, the whole house will issue fire hazard warnings. Illustration: Dan Woodger
Welcome to pocket picking 2.0 Illustration: Dan Woodger
THANK YOU KEEP SAFE
