This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. When hearing the buzzword “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. Industrial Control Systems (ICS) are not unique snowflakes anymore but use the same ubiquitous technology found in consumer IoT devices. This presentation summarizes our experiences at Senrio exploiting embedded systems and discusses the reasons why these insecure design patterns exist, including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting (including real vulnerabilities and how they work).
5. Senrio’s Unique Perspective
• Stephen A. Ridley, Founder and CEO
- Background in Defense & Intelligence as vulnerability researcher
- Senior Security Architect at McAfee
- Chief Information Security Officer at major financial services firm
- Co-authored Android Hacker’s Handbook
- Founder and Senior Researcher at Xipiter, providing services and training to Fortune 500 and government clients
Extensive Security and Embedded Device Expertise
Stephen Ridley co-authored the Android Hacker’s Handbook
Sold out trainings at Black Hat for the last five years; private trainings for government, military, and private industry clients
• In the last few years, spoken (and taught) about device security on every continent except Antarctica
• Keynoted major information security conferences.
6. Senrio’s Unique Perspective
• Have created and sold thousands of unique hardware-based security research tools: http://www.int3.cc
• Original research turned into industry’s leading training on mobile/device security:
- http://armexploitation.com
- Software Exploitation Via Hardware Exploitation
- http://Automation-Exploitation.com
• As a services company, served Fortune 500 brands in ICS, Medtech, Retail and embedded systems as well as government agencies
At the Forefront of Embedded Device Security Research
Developed custom tools; Shikra named one of the best embedded security research tools by Rapid 7
Senrio included in Gartner Market Guide on OT Security and rated “Transformer” by Current Analysis
“The market needs a comprehensive answer to the IoT dilemma but today there are few solutions to this challenge. Senrio offers a much-needed new approach,” Christina Richmond, Program Director, Security Services, IDC.
7. IoT Home Controller
• Summer Project for Interns: $200 each to purchase IoT devices online
• Smart smoke alarm, used ATM, webcam, smart home controller, smart thermostat, NAS, smart wall outlet, game console, point-of-sale system, Android tablet, etc.
• Vera Lite Home Controller by Mi Casa Verde
• Trivial to compromise: < 2 weeks by an intern
• Discovered vulnerabilities that would allow an attacker to retrieve the SSH private keys used to access the manufacturer’s backend by downloading the firmware from the manufacturer’s website
Mi Casa Verde VeraLite Home Controller, $99 on Amazon
As Safe as Leaving Your Key under the Doormat
8. Remote Power Management Unit
• Originally published by Christian Science Monitor on May 18: NetBooter NP-02B made by SynAccess Networks
• Senrio found hidden functionality that lets attackers reset passwords, revert to default settings and lock administrators out
• Exotic hardware and firmware no longer keeps manufacturers safe
• Sensitive placement leads to unforeseen consequences: ability to remotely turn off servers, signage or critical systems
• Inexpensive/low value device deployed in high-impact use cases
9. WiFi Camera
• Discovered and exploited a remote code execution vulnerability in the latest firmware of the D-Link DCS-930L Network Cloud Camera.
• The result of a stack overflow in a service that processes remote commands
• The vulnerable function copies data from an incoming string to a stack buffer, overwriting the return address of the function.
• This vulnerability can be exploited with a single command which contains custom assembly code and a string crafted to exercise the overflow.
• Affects more than one model: code reuse means vulnerability reuse
• More on our blog and articles via ThreatPost, Security Week, and Network World.
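The bug class behind the camera finding, shown as an added illustration (this is not D-Link’s code or Senrio’s exploit): the unbounded copy into a stack buffer next to the bounded form that would have prevented it. The function names and the 32-byte command buffer are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 32   /* hypothetical size of the command buffer */

/* The defect pattern: the incoming string's length is never checked, so a
 * command longer than CMD_BUF_LEN overruns `cmd` on the stack and, as the
 * slide describes, eventually the saved return address. Kept only to show
 * the "before"; never feed it untrusted input. */
int handle_command_unsafe(const char *input)
{
    char cmd[CMD_BUF_LEN];
    strcpy(cmd, input);                 /* unbounded copy */
    return (int)strlen(cmd);            /* bytes accepted */
}

/* The bounded form a reviewer would ask for: refuse anything that does not
 * fit, copy with an explicit length and guarantee NUL termination.
 * Returns the number of bytes accepted, or -1 when the command is rejected. */
int handle_command_safe(const char *input, size_t input_len)
{
    char cmd[CMD_BUF_LEN];
    if (input == NULL || input_len >= CMD_BUF_LEN)
        return -1;                      /* oversized: reject, do not overflow */
    memcpy(cmd, input, input_len);
    cmd[input_len] = '\0';
    return (int)input_len;
}

int main(void)
{
    char oversized[200];                /* constructed over-long "command" */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("short command: %d\n", handle_command_safe("reboot", 6));
    printf("over-long command: %d\n",
           handle_command_safe(oversized, strlen(oversized)));
    return 0;
}
```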
11. What is the “Internet Of Things?!”
A new breed of miniature computers that, in contrast to a PC or server, have a single-purpose operating system communicating with other devices and/or the Internet
= Networked Embedded Device
ICS is IoT!
Embedded devices have been around for decades
What’s new is the unprecedented connectivity & ubiquity
Consumer IoT: gimmicks, hype and hyperbole
Enterprise IoT: pragmatic business needs and financial rationale
New Wireless Tech & Cheap SoCs Drive Adoption
16. Moving from ASICs to SoCs
ASIC
• “Application Specific Integrated Circuit”
Custom Chips
• Developed specifically for a task
• Expensive!
• Based on “baked in logic”
• Simple “mask ROMs”
• No need for “firmware”.
• Generally use “read-only” solid state storage
SoCs (and FPGAs)
• “System On Chip”
General purpose Chips
• Require software (aka firmware) to make them specific to the business case.
• Generally use read/write solid state storage for firmware.
• Firmware is generally:
- Real-Time Operating System (RTOS)
- Embedded OS
- “bare metal code”
The root cause for why “ICS is IoT”!
17. SoCs require firmware!
Quick refresher on Solid State Storage…
ROM (Read Only Memory)
ROM begat PROM, and PROM, EPROM.
• PROM was a one-time Programmable ROM, which made testing firmware dramatically faster and easier
• PROM was susceptible to losing data over time or when exposed to UV light
• EPROM took advantage of this by putting a window over the die to allow erasing
18. SoCs require firmware!
Quick refresher on Solid State Storage…
…and, EPROM led to EEPROM
• Electronically Erasable PROMs could be erased without UV light
• However, the entire EEPROM must be erased before writing
• By combining several small EEPROMs on one chip in ‘banks’, Toshiba invented FLASH
• Now most devices use FLASH, which is where firmware is stored for IoT and ICS!
SoCs store their business logic in read/writeable FLASH as “firmware”
19. Most Popular SoCs are ARM!
• There is one in your cellphone!
• Set-top boxes
• ATMs and Payment systems
• PLCs and HMIs
• Raspberry Pis!
• everywhere!
(Pictured: PLC; Point Of Sale)
20. Most Popular SoCs are ARM!
• IoT and ICS use the same SoCs/hardware
• IoT and ICS use the same kinds of software/firmware
• IoT and ICS use the same communications protocols
• PLCs even use the same embedded webservers and FTP daemons!
(Pictured: ATmega, used in Arduinos!; STM32, used in IoT)
23. Attack Vectors
• Bad code can affect entire product line
• Firmware extracted via hardware
• Simple vulnerabilities in hardware/firmware can propagate all the way up to exploit desktops and HMI systems
Traditional Attack vector: Malware, code injection, shell script
New IoT Attack Vector: Compromised firmware, reconfiguration, misuse
25. SW/HW Uncanny Valley
Originally conceived of by Japanese roboticist Masahiro Mori in 1970 to explain the psychological reaction to anthropomorphic robots or other humanoid figures.
• General feeling of unease when leaving the comfort zone of one’s own domain
• Industry building a house of cards
• HCCEmbedded: third party vulnerability in firmware
26. Obscurity No More
• STUXNET changed the game for Industrial Control - spreads via USB sticks
• Cost of high capital bypassed by finding universal vulnerabilities in supply chain or weaponizing cheaper equipment
• Increased research focus on Industrial Control Systems:
- SCADA exploit modules within the Metasploit framework increased from 7 before Stuxnet to 57
- 0day vulnerabilities for sale: 22 modules exploiting 11 zero-day vulnerabilities.
• Shodan puts ICS devices at your fingertips:
- Traditional search engines like Google index the web content intended for user consumption
- Shodan indexes headers which are intended for machine-to-machine communication
- Finding targets for publicly available exploits is akin to searching Google for the nearest Kinko’s
Industrial Control IS a Target
27. Going Dark Not An Option
• Isolating or “air gapping” critical systems from the Internet is a fallacy in the 21st century
- Isolated networks can get infected intentionally (worms like Stuxnet)
- Insider threat
- Unintentional compromise by connecting an infected computer during service or maintenance of the system.
• Need for connectivity and greater insight is driving the smart grid effort
Dealing With the Realities of a Connected Future
28. Solving for a New Threat Model
Traditional Threat Model:
• Code injection
• Malware
• Device compromise
IoT Threat Model:
• Malicious reconfiguration (safety/reliability)
• Pivot to high value networks
• Reroute traffic, use data streams
• DDoS and botnets
Why Traditional Security does not Work for IoT:
• No homogeneity
• Size/weight constraints
• No user interaction
• Difficult to detect breach
• No on-device memory
• Signature-based systems not scalable
• Exploits not detected by traditional methods
• Inside-out does not work
• Air-gapping is not 100% secure
• Firewalls and IDS cause downtime and don’t alert on the right things
Leverage Unique IoT Behavior for Protection
Using IoT Characteristics for Protection:
• Predictable behavior
• Dedicated functionality
• IP connectivity
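An added example of what leveraging predictable behavior and dedicated functionality can look like on the wire (illustrative code, not Senrio’s product): a single-purpose device gets a short communication baseline, and any flow it originates outside that baseline is flagged as a candidate reconfiguration or pivot. The PLC profile, the addresses and the flow records are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* One observed connection, as a flow collector would report it. */
struct flow { const char *src; const char *dst; int dport; const char *proto; };
/* One allowed peer in a device profile. */
struct rule { const char *dst; int dport; const char *proto; };
/* Hypothetical PLC at 10.0.1.20: its dedicated function means it should only
 * speak Modbus/TCP to the HMI and NTP to one time server, so the profile is a
 * short allow list. Addresses are constructed for this example. */
static const struct rule plc_baseline[] = {
    { "10.0.1.10", 502, "tcp" },        /* HMI, Modbus/TCP */
    { "10.0.1.1",  123, "udp" },        /* NTP */
};
static int in_baseline(const struct flow *f)
{
    size_t n = sizeof plc_baseline / sizeof plc_baseline[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(f->dst, plc_baseline[i].dst) == 0 &&
            f->dport == plc_baseline[i].dport &&
            strcmp(f->proto, plc_baseline[i].proto) == 0)
            return 1;
    return 0;
}
/* Counts flows originating from `plc_ip` that fall outside the baseline; each
 * one is a candidate alert for reconfiguration or a pivot into another network. */
int count_anomalies(const struct flow *flows, size_t n, const char *plc_ip)
{
    int anomalies = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(flows[i].src, plc_ip) != 0)
            continue;                   /* only judge the profiled device */
        if (!in_baseline(&flows[i])) {
            printf("ALERT: %s -> %s:%d/%s is outside the PLC baseline\n",
                   flows[i].src, flows[i].dst, flows[i].dport, flows[i].proto);
            anomalies++;
        }
    }
    return anomalies;
}
/* Constructed sample: two expected flows, then the PLC reaching a file share. */
const struct flow sample_flows[] = {
    { "10.0.1.20", "10.0.1.10", 502, "tcp" },
    { "10.0.1.20", "10.0.1.1",  123, "udp" },
    { "10.0.1.20", "10.2.0.5",  445, "tcp" },
};
const size_t sample_flow_count = sizeof sample_flows / sizeof sample_flows[0];
```

Calling `count_anomalies(sample_flows, sample_flow_count, "10.0.1.20")` prints one alert for the SMB flow and returns 1; the two baseline flows are silent.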