2. What Is the Internet of Things (IoT)?
ITU's Definition:
"Internet of things (IoT): A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies"
Source: International Telecom Union Rec. ITU-T Y.2060 (06/2012)
3. Categories of IoT Devices
• Network IoT device (I): Devices that only exist to ensure Internet connectivity. Examples are home routers, home automation hubs, etc.
• IoT only devices (II): Devices that have been created because of the Internet connectivity. Examples would be: Amazon's Echo and Google Home
• Legacy IoT enabled devices (III): Devices that have been around for years or decades that are modified to allow for Internet connectivity. Examples: Internet enabled fridge, connected thermostats, etc.
4. Common IoT Technology Vendors
• Major Software Platforms
  • Android Things - Google
  • Windows 10 IoT - Microsoft
  • Home Kit - Apple
  • AWS IoT platform - Amazon
  • Bosch IoT Suite - Bosch
  • Device Connection Platform - Ericsson
  • IoT Foundation Device Cloud - IBM
  • IoT Analytics Platform - Cisco
  • Etc.
• Hardware Platforms
  • Atmel Microcontroller
  • Texas Instruments
  • ARM
  • Qualcomm IoT
  • Intel IoT
  • Samsung Artik IoT
  • Lantronix
  • Sierra Wireless
  • Etc.
5. Ecosystems where IoT is being used
• Home
  • Internet connectivity (e.g. router)
  • TV, TiVo, VoIP, home cameras
  • Home automation (e.g. locks)
  • Amazon Echo, Google Home, etc.
• Car
  • Entertainment center, hotspot, maintenance, remote control
• Industry
  • Smart sensors
  • Programmable Logic Controllers (PLC)
6. Why are IoT Devices Vulnerable?
• Cost
  • Manufacturing cost < 60 cents (Source: Goldman Sachs)
  • Full-blown Linux running on a single board computer for $5 (Raspberry Zero)
• Processing Power
  • Many IoT devices are very limited in resources (single core, RAM < 500 MB)
• History
  • Traditionally, security has not been an issue in the various ecosystems
• User Negligence
  • Vendor supplied password not changed
  • Insecure protocols (e.g. WEP) not turned off
• Proprietary Technology
  • Not leveraging proven frameworks
• Segmentation/Trust
  • Relying on "traditional" trust models
• Inability to Update
  • No update mechanism available to address a new security flaw
Raspberry Pi Zero: $5
7. IoT Attack Surface
• Internet
  • Flaws in Internet facing services
  • Security flaws in implementation
• Wireless
  • Use of insecure wireless protocol
  • Security through proprietary protocol
  • Security by "distance"
• Physical
  • Device is not physically secured
Software Defined Radio (SDR) receives signals 950-2150 MHz, all for < $25
8. Shodan - IoT Search Engine
Shodan
• Search engine for Internet connected devices
• Shows which devices are connected to the Internet, where they are located and who is using them
• Within minutes a list of vulnerable devices on the Internet can be compiled
9. Wigle.net - Wireless Search Engine
Wigle.net
• Consolidates location and information of wireless networks world-wide to a central database
• Site is crowdsourced with people war-driving and uploading their data
• Database can be queried by applications via an API
10. Physical Security of IoT devices
Ring - Doorbell
• Doorbell that uses WiFi to connect to Ring's service, recording video and allowing for intercom
• WiFi password is stored on the device
• Device is programmed via a USB connector
• No physical securing of device, besides some screws
11. IoT "Special" Attack
Vibration Speaker
• Vibration Speakers (VS) get connected to surfaces that are used to emit sound
• Connecting the VS to the outside of a door with glass makes it possible to control devices like Amazon's Alexa or Google's Home
• The possibilities are endless
12. Examples of IoT Attacks
Webcams used for DDoS
• Webcams with a security vulnerability were used to launch one of the largest DDoS attacks against Dyn, a DNS service provider.
• Leveraging an amplification attack, the sheer number of devices was the reason why the DDoS was initially successful.
Home Router attacks
• Wireless home routers of various vendors have been targeted by malware that redirects DNS calls.
• One malware actually tries to secure the router by identifying other infections and trying to remove those.
Samsung Fridge
• Samsung offers fridges that allow for your Google Calendar to be displayed. At least one model was vulnerable to a man-in-the-middle attack, not checking the SSL certificate presented by Google (or in this case an attacker).
OnStar used to control car
• OnStar, used in GM vehicles, allowed for an attacker to eavesdrop on communication. With that they were able to unlock the car and start it.
• Jeep had to recall 1.4m vehicles due to hackers being able to hijack most of the car's electronic functions.
13. Devil's Ivy -
Vulnerability in gSOAP Library used in IoT
• gSOAP is a framework used by many IoT companies to implement the Open Network Video Interface Forum (ONVIF) protocol, used by e.g. security cameras
• The small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products (mainly physical security products)
• Genivia provided updated code that fixed the security vulnerability on 6/21/2017, all within 24h of notification according to Genivia's website.
• Genivia uses static code analysis! However, the flaw was two levels down.
• Many vendors are struggling to get code out to the devices since updating the devices is in some cases not possible, or users do not know about the flaw or are not skilled enough to perform an update
With a built-in update mechanism that acts independently from the user, the devices could be updated as soon as a new firmware is available.
24h for new code, not bad!
14. Countermeasures
• Leverage Existing Frameworks
  • Some IoT vendors have the tendency to "re-invent" the wheel, e.g. Samsung fridge. This creates a "uniqueness" that can result in vulnerabilities used but not publicly addressed.
  • Other people with much better cyber security skills can do the work in fixing vulnerabilities for the IoT company.
• Segmentation/Trust Relationships
  • IoT devices that have Internet connectivity should not be part of an ecosystem that traditionally trusts each other just by being a member.
  • Additional mechanisms are needed to establish trust with an IoT device that has Internet connectivity, e.g. signing of messages end-to-end.
• Do not rely on Users for Security
  • Studies have shown over and over that users are the weak link. One study showed that many IoT users do not change the vendor set password. Vendors will need to "force" users to be secure.
• Built-In Update mechanisms
  • Security "is a journey" is an old saying but still true. What is secure today might be vulnerable tomorrow.
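One way to realize the "signing of messages end-to-end" countermeasure, so that a receiver trusts each message rather than network membership. This is an added example, not part of the original slides: it uses an HMAC-SHA256 tag over a shared per-device key in place of a public-key signature to stay within the Python standard library, and the device name, key and envelope layout are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real device would hold a unique provisioned secret.
DEVICE_KEYS = {"thermostat-01": b"constructed-demo-key-not-for-production"}


def sign_message(device_id: str, counter: int, payload: dict, key: bytes) -> dict:
    """Device side: wrap the payload in an envelope carrying an HMAC-SHA256 tag."""
    body = json.dumps(
        {"device": device_id, "counter": counter, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """Receiver side: every message must prove its origin and freshness."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def verify(self, envelope: dict):
        """Return the payload if the message is authentic and fresh, else None."""
        try:
            body = envelope["body"]
            if not isinstance(body, str):
                return None
            fields = json.loads(body)
            device, counter = fields["device"], fields["counter"]
            key = self.keys[device]
        except (KeyError, TypeError, ValueError):
            return None  # malformed envelope or unknown device
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        tag = str(envelope.get("tag", ""))
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None  # body was altered or the sender lacks the key
        if not isinstance(counter, int) or counter <= self.last_counter.get(device, -1):
            return None  # replayed or out-of-order message
        self.last_counter[device] = counter
        return fields["payload"]
```

The counter check is what stops a captured, validly tagged message from being re-sent later; the tag alone only proves origin and integrity.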
15. Economic Times 08/13/17 -
"Over 50 Billion IoT Connected Devices By 2020"
What does this mean for Cybersecurity and Privacy?
• Increased complexity when implementing security controls and defining regulations.
• Market will expand horizontally and vertically, creating even tighter pricing with security being one cost factor to shave off.
• The large number of IoT devices by itself will face the same risks as cloud. If it fails, it will fail really big.
• Regulations and laws will require adjustments. Already one case with Amazon's Echo and voice recording Amazon keeps.
• Users will need to learn with IoT being in their homes that someone is watching and hearing them all the time - maybe not in real-time.