© 2018 Irdeto. All Rights Reserved. – www.irdeto.com
15:15 The Spread of Cyberthreats: How Hackers Are Connecting with Smart Buildings – David Jones, Irdeto
The Spread of Cyberthreats: How Hackers are Connecting with Smart Buildings
David W. Jones
November 2018
§ DISCLAIMER: The trends and technologies included in this presentation may:
§ Cause distrust in your IoT devices and applications.
§ Become a factor in your IoT Smart Building strategic planning.
§ Be a catalyst for budgetary review & additional cybersecurity spend from your board.
Top 5 Non-Consumer IoT Projects 2018*
§ IoT Security Spending*
  ✓ Device Auth/Identity – 16.2%
  ✓ Activity Monitoring – 13%
*source: IoT Analytics, Jan 2018 [excludes consultancy], based on 1,600 global publicly announced projects

 #  Category                                           Total (%)  Americas (%)  Europe (%)  APAC (%)
 1  Smart City                                             23          34            45         18
 2  Connected Industry                                     17          45            31         20
 3  Connected Building                                     12          53            33         13
 4  Connected Car                                          11          54            30         12
 5  Smart Energy                                           10          42            35         19
    Others (incl. Health, Agri, Retail, Supply Chain)      27           -             -          -
Global Market Forecast: 2016 - 2022
§ Smart lighting, switches and controllers leading growth.
§ Growth in thermo and contact/occupancy sensors.
Q: How is the software on these devices architected, tested, and maintained?
Q: What is the undeniable business benefit to automation – justifying potential cyber risk?
[Chart: Building Automation Systems Wireless Field Equipment Shipments (in Millions) by Device Type, Global Market Forecast: 2016 - 2022. Source: ABI Research 2018]
Smart Building Benefits
§ Smart Location Management
  ✓ Conference Rooms
  ✓ Parking
  ✓ Maintenance
  ✓ Collaboration
  ✓ Usage/flow/timing
§ Data Analytics
§ Efficiency
  ✓ Solar
  ✓ Thermal Energy
  ✓ Lighting
§ Physical Security/Access
§ Change Management
[Diagram: IoT platform architecture. Connected Facility (Edge Processing; four SDK blocks) linked over Secure Communication to Cloud Infrastructure (Storage, Visualization, Analytics, Device Management, Monitoring and Actions) and on to Applications.]
IoT Platforms – Strengths & Gaps
§ Large IoT platform providers use similar architectures and offer similar capabilities
§ Platform features/attributes are often intentionally left open or undefined for purpose of scale and reach
Strengths:
  ✓ Standard certificate authority functionality
  ✓ Tools for securing cloud infrastructure
  ✓ Secure comms based on TLS
  ✓ PKI-based credentials for apps & devices
Gaps:
  § In-foundry & in-factory provisioning
  § Security of the IoT (edge) devices themselves
  § On-premises / non-cloud use cases
  § Limited support for non-PKI security
  § Vertical-specific device lifecycle management
Business Threats from Unsecured Platforms/Software
BRAND DAMAGE: “NY Times reported that my products were the source of the Internet outage across Europe!”
IP LEAKAGE: “Our algorithm is our bread & butter! The company’s future depends on it!”
COMPROMISED SAFETY: “Our Safety systems ensure our products don’t harm people!”
IDENTITY THEFT: “How do I know that the device I am connected to is really my device?”
NEXT GEN RANSOMWARE: “All our PCs are secure from Ransomware… But what about the 10 times that in connected devices?”
Problem: All Software is Vulnerable
§ Hacking is a business - Hackers profit by scaling their modified versions of software & stealing secrets
§ Today’s IoT devices are prime targets for Botnets, Ransomware 2.0, and other malware
§ Tech advances are empowering an increasingly capable and tech-savvy hacker
§ Open source and hacker collaboration make for “easy learning”
§ Result: Unsecured software is as readable as a book
Hacks Damage Brand, Intellectual Property, Safety and Cost $$$$
Mirai Botnet (2016 ->)
§ An early glimpse of IoT vulnerabilities.
§ DDoS – Distributed Denial of Service.
§ Searched internet for open Telnet ports, tried 61 default passwords to gain access*.
§ Impacted 300k devices – grew beyond scope of intended purpose to 164 countries*.
§ Hacker openly posted the code online for others to use/modify/deploy.
§ Those responsible pleaded guilty in 2017 to serve 5-10 years in prison**.
§ A new version in May 2018 (Hide & Seek) adds new exploits to the Mirai Botnet code***.
*source: https://www.csoonline.com/article/3258748/
**source: https://www.engadget.com/2017/12/13/mirai-botnet-creators-guilty-plea/?guccounter=1
***source: https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/
Consider the Balance of the Different Businesses
[Diagram: a balance weighing Security Spend against Hacker Profit]
Thought Process?
Developer: Do I have any code vulnerabilities in the lock tumbler?
Security Architect: I need to have a strong lock on the front door, steel frame, locking windows and alarm system on all ground floor openings – and restricted network access
Hacker: Test vulnerabilities on target remotely, weaponize with success, identify next target, and repeat
What do Hackers Look For?
Your Data:
§ Intellectual Property
§ Personal Information
The Path to Your Data:
§ Break the crypto
§ Look for patterns
§ Put the Two Together
§ Leverage ($$)
Hacker’s View | No Protection
STRAIGHT PATH – CLEAR VISIBILITY
Reverse Engineering
Remember, Code is Readable
REVERSE ENGINEERING TO FIND DECRYPTED DATA
An Attacker has the Advantage
§ Most people don’t think maliciously.
§ You release your product. Attacker may not. Forensics of a hack can be difficult.
§ Hacking is magic to most people.
§ Some Hacking Groups are very well-funded.
Anatomy of an Attack
ATTACK SURFACE
§ The Device (the most focus)
§ Smartphone app (everyone has one)
§ Communications
§ The things the device connects to
§ Cloud (via the Internet)
PHASES OF AN ATTACK
§ Investigation
§ Leverage a weakness
§ Modify and repeat
§ Create an attack
§ Scale the attack ($$$$)
“My Data is Safe Because it’s Encrypted…”
But the Attack is Different on Exposed Endpoints
§ “Yes, brute forcing encryption is not feasible if proper key entropy is used.”
§ With endpoint access, attackers wait for you to decrypt the data, then take it.
§ So, the attacker’s goal is to gain privileged access to an endpoint.
Security Use Cases – the Intersection of Value and Responsibility
Use Case – Services Revenue Protection: Technician Apps
What is it?
§ Smart Buildings driving services growth
§ App enables lower service operation costs
§ Supports both query and provisioning
Business Risk
§ Mobile devices contain potential hacker openings
§ Pirated App can be used to “steal” services revenue
Threat Case
§ Apps querying data can be used to gain building system knowledge
§ Hacking / breach PR would impact brand
§ IP or critical data sold to a competing service business
§ Sensitive data can be sold to competitors
§ Apps capable of changing parameters pose risk to safety
§ Service disruption – Production downtime / brand impact
§ Ransomware the building
§ Safety system compromised – Terrorist activity
§ Illegal access to buildings for criminal activity
Our SPIDER Model
▪ Software Protection
▪ Integrity
▪ Diversity
▪ Entanglement
▪ Renewability
Data Transformation
Data and Source Code: No Protection
• Program deals with data, i.e. encryption keys, VM keys etc.
• Reverse engineer or attacker wants to look for meaningful values in data as program executes.
• Possible use of debugger to steal the data values as program executes.
Data Transformation Protection - Applied
Data and Source Code: With Protection
• Transform data into an alternate encoding both at rest and in execution.
• Data transformation is possible while data is being used.
• Possibility of adding two encoded values together without having to decode them first.
• Creates a more complicated data dependency graph that semantic modeling tools for data are unable to interpret.
Function Inlining Protection - Applied
Source Code: With Protection
• Hide the function call. We clone the function being called and transform each clone differently.
• Embed the called functions into the program.
• Apply inlining protection and hide any external function call.
• Apply control flow flattening to the inlined function.
Combined Software Protection
[Figure: Source Code, No Protection]
Combined Software Protection - Applied
[Figure: Source Code, With Protection]
Ongoing Security Strategy = Defense in Depth
[Matrix of technology against six properties: Prevent Analysis (Static, Dynamic), Prevent Tampering (Static, Dynamic), Foil Automated Attacks, Renew and Diversify. Only the number of checkmarks per row survives in this transcript, not which columns they fall in.]
§ Data Flow Transforms – ✓ in 6 of 6 columns
§ Control Flow Transforms – ✓ in 5 of 6 columns
§ White-box Crypto – ✓ in 4 of 6 columns
§ Secure Store – ✓ in 6 of 6 columns
§ Integrity Verification – ✓ in 4 of 6 columns
§ Anti-Debug – ✓ in 4 of 6 columns
§ Code Encryption – ✓ in 5 of 6 columns
Software Protection
▪ Consists of many techniques and technologies.
▪ Considering the prior slide, the following techniques may be most applicable in a security strategy.
Hacker’s View | Advanced Protection
Security Design Review
1. Finds and fixes issues at architecture and design stages to avoid costly re-engineering during coding, validation, and release
2. Provides thorough reporting that includes detailed attack trees and attack vectors outlining severity, potential, probability, controllability …
3. Includes multi-dimensional ratings for financial, operational, privacy, and safety risk assessments
4. Offers actionable suggestions for mitigations and recommendations for additional security requirements
CONSIDER SECURITY FROM PRODUCT INCEPTION AND FACTOR IN UPDATEABILITY
REGULARLY RENEW YOUR SECURITY
CONSIDER THE FULL ATTACK SURFACE
THINK HOLISTICALLY, THINK EASE OF ATTACK, THINK MULTI-LAYERED DEFENSE
ASK YOUR VENDORS/SUPPLIERS HARD QUESTIONS
SECURING DIGITAL ASSETS FOR 20 YEARS
50 MILLION TRANSACTIONS PROTECTED PER DAY
70 MILLION PERSONALIZED SEMICONDUCTOR CHIPS PROVISIONED VIA IRDETO’S KEYS & CREDENTIALS SOLUTION
+5 BILLION DEVICES & APPLICATIONS SECURED
MORE THAN 191 MILLION CRYPTOGRAPHIC KEYS GENERATED AND UNDER MANAGEMENT
THANK YOU!
David W. Jones, Sr. Director Global Business Development
m: +31 612 112 737
e: [email protected]
Irdeto – Please visit: www.irdeto.com