2. Securing IoT in the Enterprise
Daniel Miessler, IOActive
May 2017
3. About
- Infosec for around 18 years
- Mostly technical testing and enterprise consulting
- Net / app / web / mobile / IoT
- Director of Advisory Services for IOActive
- I do a weekly show on infosec, technology, humans
- Reading, writing, table tennis
- Wrote a book: “The Real Internet of Things”
- @danielmiessler
4. Discuss
- A functional definition of IoT
- The IoT Attack Surface
- Securing IoT in the Enterprise
- IoT and Ransomware
5. What is IoT
- Lots of definitions out there.
- Some are based on connectivity.
- Some require “embedded”.
- “OXFORD(ish): An extension of the Internet where everyday objects have network connectivity, allowing them to send and receive data.”
29. Caparser
https://github.com/danielmiessler/Caparser
• *Capture all internal traffic from an internal ecosystem
• *Exercise the product fully
• Break the .pcap into its component parts using tshark
• Extract any sensitive content from the .pcap.
• Associate the sensitive content with where it’s being sent
34. Enterprise IoT (attack surface)
• The biggest threat to enterprises from IoT is not any specific technology, but blindness to the attack surface.
‣ Device
‣ Sensors
‣ Administration
‣ Firmware
‣ Network
‣ Mobile
‣ Cloud
‣ Backend APIs
‣ Third-party integrations
35. Enterprise IoT (understand)
• Above all else, you have to understand the components and structure of the system you’re deploying into your company.
‣ How many devices?
‣ What types of sensors?
‣ What network are they on?
‣ How are they administered?
‣ What ports are open on these systems?
‣ How is authentication and authorization performed?
36. Enterprise IoT (assess)
• This means doing an IoT deployment risk assessment before implementing any solution.
‣ What data is being captured?
‣ Via what sensors?
‣ Where is it being sent?
‣ How is it being stored?
‣ Who has access to it?
‣ How will it be updated if a flaw is found?
‣ What can those systems access if they’re compromised?
‣ How bad would it be if this system was unavailable?
‣ What would we do if that happened?
37. Enterprise IoT (data)
• Increasingly, we’re going to have to start thinking about what sensors can perceive, how that data can be leaked, and the implications thereof.
‣ Installed systems
‣ Wearables
‣ Are they recording video?
‣ Are they recording audio?
‣ How easy is it to share that content outside?
‣ What could happen if that content went public?
> New sensor project that connects to electrical sockets and tells you what’s happening inside your house.
38. Enterprise IoT (ransomware)
• The way to think about ransomware is this: if it’s important to you, they’re coming for it.
‣ Infrastructure
‣ Data
‣ Connectivity
‣ Devices
‣ Systems
‣ IoT
41. Enterprise IoT (three trends)
1. We depend on everyday things (lights, cars, factories, cameras, logistics) to do business
2. You gain business efficiency when those things are network enabled (IoT)
3. Attackers now have a new way to harm your business.
48. Takeaways
1. IoT is about everyday objects becoming interactive.
2. The IoT attack surface is vastly underestimated.
3. Before you deploy IoT internally, you need a risk assessment on that specific ecosystem.
4. Consider what’s being captured, via what methods, and how it’s being stored and accessed.
5. Be prepared for that system to be compromised or unavailable.
6. Expect ransomware attacks, because IoT means putting our critical dependencies on the network.
Ok, thanks for having me today.
We’re going to talk about IoT Security and how it affects the enterprise.
So I wanted to break my comments today into four main areas.
A definition of IoT, the IoT Attack Surface, Securing IoT in the Enterprise, and Ransomware
Let’s start with defining IoT.
So with that out of the way, let’s talk about the attack surface that IoT presents.
The central question I had when I got into this was,
“How do I conceptualize an approach to hacking a given IoT thing, regardless of what it is?”
People think they have this device.
But it really has a web interface on it.
Oh, and a mobile app.
Oh, and the mobile app works from the internet, so there’s cloud functionality as well.
So after doing a bunch of research on products I created the OWASP Internet of Things project back in like 2010 or so.
So it has a number of sub-projects, each of which lives on its own tab and has its own project leader.
The one I want to focus on is the Attack Surfaces.
So here’s the complete list of them, and let’s look very lightning fast at a few of them.
So that was a few of the attack surfaces, but let’s return back to the network.
This is what most people assume they have.
But this is what the traffic really looks like.
I want to see as many conversations as possible, and know what’s in them, so I built a lab that allowed me to see as many parts of the conversation as possible.
I then exercise the app in every way possible, touching every component. Web app, mobile, internet, etc. And what I do is put a HONEY TOKEN into my interactions. Something like Wombat27!
And here’s a tap you can use for this, by the way, if you don’t do it through a virtual network.
So what I did was wrote a tool that automates a lot of this, called Caparser.
What it does is: (slide)
A lot of the magic is in this tshark syntax, which finds every IP.
I then use tcpdump to break every conversation out individually into its own pcap.
Then I grep for sensitive content in each connection!
So let’s talk about how all this pertains to the enterprise.
You can’t defend what you don’t understand.
New system that plugs sensors into wall outlets and can infer through AI/ML what’s happening in the office.
Maybe you have a system that reads serial numbers.
Maybe you have cameras that do OCR.
Maybe it’s a heating and lighting system.
If you lose money if it’s down, then there’s a good chance you’ll pay for it to be up. Expect ransomware for it.
Remember the definition of IoT: Everyday objects put on the network.
As a business, we depend on everyday things.
You make more money when you can control these things using computers.
And attackers can now use these two facts to make billions.
This is the simplest way to understand IoT security as it pertains to business.
So here’s a quick encapsulation of what we talked about.
At the highest most important level, IoT means taking things that used to be analog and making them digital.
Most people vastly underestimate how easy it is to attack IoT systems.
You need to assess any IoT system you’re considering putting in your environment across multiple dimensions.
We also need to be thinking about the sensor capabilities of these IoT systems, and how the data they collect will be accessed and used.
We absolutely must be prepared for these essentials to become unavailable or insecure.
How do we respond?
We can’t wait until it happens to figure that out.
And finally, expect ransom-based attacks to increase as the dependence on IoT increases.
The more valuable IoT systems become, the more dependent we’ll be on them, and the more valuable they’ll become to attackers.
So that’s what I wanted to talk about today.
I hope you got some value from it, feel free to reach out if you’d like to chat about anything, and I’m happy to take any questions.