Embedded System Security: Learning from Banking and Payment Industry
-
Upload
narudom-roongsiriwong-cissp -
Category
Technology
-
view
999 -
download
0
Transcript of Embedded System Security: Learning from Banking and Payment Industry
![Page 1: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/1.jpg)
Embedded System SecurityEmbedded System SecurityLearning from Banking and Payment IndustryLearning from Banking and Payment Industry
Narudom Roongsiriwong, CISSPNarudom Roongsiriwong, CISSPJuly 19, 2017July 19, 2017
![Page 2: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/2.jpg)
WhoAmI● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian– http://narudomr.blogspot.com
● Information Security since 1995● Embedded System since 2002● Head of IT Security and Solution Architecture,
Kiatnakin Bank PLC (KKP)● Consultant for OWASP Thailand Chapter● Committee Member of Cloud Security Alliance (CSA), Thailand
Chapter● Committee Member of Thailand Banking Sector CERT (TB-CERT)● Consulting Team Member for National e-Payment project ● Contact: [email protected]
![Page 3: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/3.jpg)
Information Security Fundamental
![Page 4: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/4.jpg)
What is Security? “The quality or state of being secure—to be free
from danger” A successful organization should have multiple
layers of security in place: Physical security Personal security Operations security Communications security Network security Information security
![Page 5: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/5.jpg)
What is Information Security? The protection of information and its critical
elements, including systems and hardware that use, store, and transmit that information
Necessary tools: policy, awareness, training, education, technology
![Page 6: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/6.jpg)
Security Concepts
Security Concepts
Core
Design
Confidentiality Integrity Availibility
Authentication Authorization Accountability
Need to Know Least Privilege Separation of Duties
Defense in Depth Fail Safe / Fail Secure
Economy of Mechanisms
Complete Mediation
Open Design Least Common Mechanisms
Psychological Acceptability Weakest Link Leveraging Existing
Components
![Page 7: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/7.jpg)
Confidentiality-Integrity-Availability (CIA)
To ensure that information and vital services are accessible for use
when required
To ensure the accuracy and completeness of information to protect business processes
To ensure protection against
unauthorized access to or use of
confidential information
![Page 8: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/8.jpg)
Security vs. Usability
Security
Usability
![Page 9: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/9.jpg)
Learning from Payment Industry
![Page 10: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/10.jpg)
Why Learn IoT Security from Payment IndustryIoT systems face the same problems as card payment system faced before● Initial design was for private point to point network
then moved to IP network and later on the Internet● Started with basic security then found the security
flaws and attached more complex security requirements later
● Low security devices from early design are still out there and used in compatible fall-back mode
![Page 11: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/11.jpg)
Payment Ecosystem
Four-Party Model
![Page 12: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/12.jpg)
Simplified Authorization Flow for Card Payment1. The customer make a payment. Enter cardholder data into the merchant’s
payment system (POS, e-commerce website).2. The Merchant sends card data to an acquirer/payment processor who will
route data to through the payments system for processing. For e-commerce, a payment gateway may redirect website to the acquirer.
3. The acquirer/processor sends the data to Payment brand4. Payment brand forwards the data to the issuer. The issuer verifies and
make approval. . For e-commerce, a payment gateway may redirect website to the issuer (ex. Verified by VISA).
![Page 13: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/13.jpg)
Simplified Authorization Flow for Card Payment5. If the issuer agrees to fund the purchase, it will generate an
authorization number and routes back to the card brand.6. Payment brand forwards the authorization code back to the
acquirer/processor.7. The acquirer/processor sends the authorization code back to
the merchant.8. The merchant concludes the sale with the customer.
![Page 14: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/14.jpg)
Smart Payment Cards
![Page 15: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/15.jpg)
Architecture● ISO/IEC 7810 standard size
(normally ID-1) card that has embedded integrated circuit with microprocessor
● Provide– Personal identification– Authentication– Data storage– Application processing
● Design– Contact smart card
(ISO/IEC 7816)– Contactless smart card
(ISO/IEC 14443)– Hybrid
C1–VCC
C2–RST
C3–CLK
C4–
C5–GND
C6–VPP
C7–I/O
C8–
![Page 16: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/16.jpg)
Structure and Packaging
Active Chip Side
Chip Adhesive
Chip
Metal Contacts
Card BodyEncapsulation
SubstrateBond Wire
Hotmelt
![Page 17: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/17.jpg)
CPUCPU
RAMRAM
Test LogicTest Logic
ROMROM
EEPROMEEPROMSerial I/OInterfaceSerial I/OInterface
Security Logic
Security Logic
bus
Inside Smart Card● CPU:
– Microprocessor– Cryptographic co-
processors– Random number generator
● Security Logic: Detecting abnormal condition (e.g. low voltage)
● Serial I/O Interface: Contact to the outside world
● Test Logic: Self-test procedure
![Page 18: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/18.jpg)
CPUCPU
RAMRAM
Test LogicTest Logic
ROMROM
EEPROMEEPROMSerial I/OInterfaceSerial I/OInterface
Security Logic
Security Logic
bus
Inside Smart Card● ROM:
– Card operating system– Self-test procedures– Typically 16 KB
● RAM:– ‘scratch pad’ of the processor– typically 512 bytes
● EEPROM:– Cryptographic keys– Pin code– Biometric template– Balance– Application code– Typically 8 kb
![Page 19: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/19.jpg)
Basic Security FeatureHardware● Closed package● Memory encapsulation● Fuses● Security logic (sensors)● Cryptographic co-
processors and random generator
Software● Decoupling applications
and operating system● Application separation
(Java card)● Restricted file access● Life cycle control● Various cryptographic
algorithms and protocols
![Page 20: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/20.jpg)
Card OSThe two primary types of smart card operating systems are● Fixed File Structure
– Files and permissions are set in advance by the issuer– Seldom used for payment cards
● Dynamic Application– Enables developers to build, test, and deploy different on
card applications securely– Updates and security are able to be downloaded and
dynamically changed– MULTOS and JavaCard are the two main OS standards
![Page 21: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/21.jpg)
JavaCard vs MULTOSJavaCard● A standard, flexible tool
box● A known language and
an easy tool for applet developers in cards
● Requires the addition of Global Platform (or similar) to manage the card and its applets
MULTOS● A turn key system● Comes as a complete
package for cards issuers, with its certification authority, language, tools and personalization process
● Global platform is possible
Global Platform – Card application management and issuance in the card as well as in the back-end
![Page 22: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/22.jpg)
Payment Terminal
![Page 23: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/23.jpg)
What Is A Payment Terminal?● Also known as a point of sale terminal, credit card
terminal, EFTPOS terminal, Electronics Data Capture (EDC)
● A device which interfaces with payment cards to make electronic funds transfers
![Page 24: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/24.jpg)
Payment Terminal Reference Design
Source: Maxim Integrated
![Page 25: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/25.jpg)
Payment Terminal Use Case
![Page 26: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/26.jpg)
Terminal Line Encryption (TLE)
POS Terminal
Acquirer/Processor Network
Credit Card Network
Encrypted
EncryptedEncrypted Plain
Private
PSTN
GPRS/3G
DMZ
TLE
![Page 27: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/27.jpg)
EMVIC Card Specifications for Payment Systems
![Page 28: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/28.jpg)
EMV● A technical standard for smart payment cards and
for payment terminals and automated teller machines (ATM)
● The initiative for EMV was taken by Europay, MasterCard and Visa in the 1990s (now managed by EMVCo)
● Support both ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (MasterCard Contactless, PayWave, ExpressPay).
![Page 29: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/29.jpg)
EMV Specification● Current version is 4.3● Consist of four books
– Book 1 - Application Independent ICC to Terminal Interface Requirements
– Book 2 - Security and Key Management– Book 3 - Application Specification– Book 4 - Cardholder, Attendant, and Acquirer Interface
Requirements
![Page 30: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/30.jpg)
EMV Basics● Highly configurable tool-kit for payment protocols,
offering a choice between:– 3 Card Authentication Methods: SDA, DDA, and CDA;– 5 Cardholder Verification Methods: none, signature, online
PIN, offline unencrypted PIN, and offline encrypted PIN;– 2 types of transactions: on- and off-line transactions.
● Many of these options are parameterized● 3DES is the major symmetric key algorithm with
128-bit key length (effective 112 bits), AES-128 is optional (since July 2010)
![Page 31: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/31.jpg)
Key Infrastructure● Every card has a unique symmetric key MKAC that it
shares with the issuer, derived from the issuer’s master key MKI
● Using MKAC a session key SKAC can be computed, based on the Application Transaction Counter (ATC) on the card which is increased on every interaction and included as a nonce in security-critical steps protocol steps to prevent replays.
● The issuer has a public-private key pair (PI , SI), and the terminal knows this public key PI.
● Cards that support asymmetric crypto also have a public-private key pair (PIC , SIC) and an associated certificate, signed by the issuer
![Page 32: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/32.jpg)
Key Infrastructure: Authenticity of Data● All EMV cards can provide MACs (Message
Authentication Codes) on messages, using the symmetric keys they share with the issuer.– The issuer can check these MACs to verify authenticity of
the messages, but the terminal cannot.– These MACs are included in the Application Cryptograms
(ACs) that the card provides as evidence that it has take some steps in a transaction.
● Cards that support asymmetric crypto can also digitally sign messages.– Not only the issuer can then check the authenticity of these
messages, but also the terminal.
![Page 33: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/33.jpg)
An EMV Protocol Session1. Initialization: selection of the application on the
smart card and reading of some data;2. Card authentication, by means of SDA, DDA, or CDA;
(optionally)3. Cardholder verification, by means of PIN or
signature; (optionally)4. The actual transaction.5. Issuer-to-card script processing, which allows
issuers to update cards in the field. (optionally)
![Page 34: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/34.jpg)
Initialization● Application selection process (card scheme and
product) between the card and the terminal● Initiate application processing
– The terminal sends the get processing options command to the card with any data elements requested by the card during application selection
– The card responses with Application Interchange Profile (AIP) and Application File Locator (AFL)
● The terminal obtains application data indicate by AFL● The terminal checks card restrictions
– Application version number– Application usage control (This shows whether the card is only
for domestic use, etc.)– Application effective/expiration dates checking
![Page 35: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/35.jpg)
Card Authentication Mechanism (CAM)The AIP tells the terminal which methods the cards supports, and the terminal should then choose the ‘highest’ method that both the card and itself support.● SDA (Static Data Authentication):
– The card provides some digitally signed data (including e.g. the card number and expiry date) to the terminal to authenticate itself.
– However, this does not rule out cloning
● DDA (Dynamic Data Authentication):– DDA cards can do asymmetric crypto and have a public/private key pair, and a
signature of the public key to prove its authenticity via a challenge-response mechanism.
– Even though the terminal can authenticate the card but cannot verify that the subsequent transaction is actually carried out by that card.
● CDA (Combined Data Authentication):– CDA repairs this deficiency of DDA. With CDA the card digitally signs all important
transaction data, not only authenticating the card, but also authenticating the transaction.
![Page 36: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/36.jpg)
1.Get the CA public key from ATM / POS storage2.Use the CA public key to verify the Issuer RSA key in Issuer Certificate3.Use the Issuer RSA key to decrypt the SDA Signature and verify that what was signed is
identical to the read card data
SDA (Static Data Authentication)
![Page 37: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/37.jpg)
DDA/CDA
1.Get the CA public key from ATM / POS storage2.Use the CA public key to verify the Issuer RSA key in Issuer Certificate3.Use the Issuer public key to verify the Card public key in Card Certificate4.Use the Card public key to verify the Signature
![Page 38: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/38.jpg)
Cardholder Verification● The card provides the terminal with its list of
Cardholder Verification Method (CVM) Rules, by a PIN, a handwritten signature, or it can simply not be done.
● If cardholder verification is done by means of a PIN, there are three options:– Online PIN, in which case the bank checks the PIN– Offline plaintext PIN, in which case the chip checks the PIN,
and the PIN is transmitted to the chip in the clear– Offline encrypted PIN, in which case the chip checks the
PIN, and the PIN is encrypted (with public key) before it is sent to the card.
![Page 39: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/39.jpg)
Offline Enciphered PIN Verification
![Page 40: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/40.jpg)
EMV Card Transaction Processing
ARQC – Authorization Request CryptogramARPC – Authorization Response Cryptogram
![Page 41: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/41.jpg)
Known attacks and weaknesses of EMV● Mag-stripe cloning using chip information● Reliance of symmetric keys for authenticity
– Not provide true non-repudiation– The terminal can not check the authenticity of cryptograms
● Cloning SDA cards● Faking offline transactions with DDA cards● Faking offline PIN verification● Rollback to unencrypted PIN● Bad random-number generators
![Page 42: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/42.jpg)
Lesson Learned from Card Payment Ecosystem● Security is not only about technology but also process
and risk management (especially on risk appetite)● In multiple party environment, the maximum security
depends on the weakest implementation of the corresponding parties
● All core security concepts are fully implement– Confidentiality: encryption on data transmission– Integrity: message authentication code, certificates– Availability: offline processing– Authentication: card authentication, cardholder verification– Authorization: card issuer authorization– Accountability: message authentication code, transaction log
at payment terminal and issuer
![Page 43: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/43.jpg)
Secure IoT Devices That We Design
![Page 44: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/44.jpg)
Types of IoT Classified by Communication● Client Type
– Most of implementation– e.g. payment terminal, IP Camera (call back to server),
Smart Cars
● Server Type– e.g. IP Camera (built-in web interface)
● Peer-to-Peer or Mesh
![Page 45: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/45.jpg)
Typical IoT Infrastructure
Control Server
IoT Device
Private or PublicInternet
PublicInternet
Configuration App
Callback and wait for commands Remote control
RemoteControl App
Configure or Update Firmware
Configure
![Page 46: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/46.jpg)
Typical Attack: Fake Control Server
Control Server
IoT Device
Private or PublicInternet
PublicInternet
Callback and wait for commandsRemote control
RemoteControl AppFake Control Server
![Page 47: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/47.jpg)
Typical Attack: Attack on Device Open Ports
Control Server
IoT Device
Private or PublicInternet
PublicInternet
Callback and wait for commands Remote control
RemoteControl App
![Page 48: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/48.jpg)
Typical Attack: Attack on Server Open Ports
Control Server
IoT Device
Private or PublicInternet
PublicInternet
Callback and wait for commands Remote control
RemoteControl App
Attack
![Page 49: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/49.jpg)
Typical Attack: Steal Credential
Control Server
IoT Device
Private or PublicInternet
PublicInternet
Callback and wait for commands Remote control
RemoteControl App
![Page 50: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/50.jpg)
Typical Attack:Inject Bad Configuration or Firmware
Control Server
IoT Device
Private or PublicInternet
PublicInternet
Callback and wait for commands Remote control
RemoteControl App
Inject Bad Configuration or Firmware
Inject Bad Configuration
![Page 51: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/51.jpg)
Typical Attack: Sniff Data on Private Network
IoT Device
PrivateInternet
PublicInternet
Callback and wait for commands Remote control
RemoteControl App
Control Server
![Page 52: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/52.jpg)
OWASP Top 10 IoT Vulnerabilities 2014I1 Insecure Web InterfaceI2 Insufficient Authentication/AuthorizationI3 Insecure Network ServicesI4 Lack of Transport Encryption/Integrity VerificationI5 Privacy ConcernsI6 Insecure Cloud InterfaceI7 Insecure Mobile InterfaceI8 Insufficient Security ConfigurabilityI9 Insecure Software/FirmwareI10 Poor Physical Security
![Page 53: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/53.jpg)
![Page 54: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/54.jpg)
![Page 55: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/55.jpg)
![Page 56: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/56.jpg)
![Page 57: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/57.jpg)
![Page 58: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/58.jpg)
![Page 59: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/59.jpg)
![Page 60: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/60.jpg)
![Page 61: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/61.jpg)
![Page 62: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/62.jpg)
![Page 63: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/63.jpg)
Secure IoT Devices That We Use
![Page 64: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/64.jpg)
Mirai Malware● Malware that turns networked devices running Linux into Malware that turns networked devices running Linux into
remotely controlled "bots" that can be used as part of a remotely controlled "bots" that can be used as part of a botnet in large-scale network attacksbotnet in large-scale network attacks
● Primarily targets online consumer devices such as IP cameras Primarily targets online consumer devices such as IP cameras and home routers using a table of more than 60 common and home routers using a table of more than 60 common factory default usernames and passwords, and logs into them factory default usernames and passwords, and logs into them to infect them with the Mirai malwareto infect them with the Mirai malware
● First found in August 2016First found in August 2016● Use in DDoS attacksUse in DDoS attacks
– 20 September 2016 on the Krebs on Security site which reached 620 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s and 1 Tbit/s attack on French web host OVHGbit/s and 1 Tbit/s attack on French web host OVH
– 21 October 2016 multiple major DDoS attacks in DNS services of DNS 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dynservice provider Dyn
– November 2016 attacks on Liberia's Internet infrastructureNovember 2016 attacks on Liberia's Internet infrastructure
● The source code for Mirai has been published in hacker forums The source code for Mirai has been published in hacker forums as open-sourceas open-source
![Page 65: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/65.jpg)
What Can We Learn from Mirai Attacks?● Do not use default passwords for all default
usernames● If possible, do not allow configuration interface
from Internet side● If the IoT devices are used only in the organization,
do not expose to the public Internet● If there is a need to use from the Internet, open
only necessary ports and use non-default ports where possible
![Page 66: Embedded System Security: Learning from Banking and Payment Industry](https://reader033.fdocuments.in/reader033/viewer/2022042707/5a648bbe7f8b9a2c568b5871/html5/thumbnails/66.jpg)