This Time, It’s Personal: Why Security and the IoT Is Different
This Time It’s Personal: Why Security and the IoT is Different
Justin Grammens, Lab 651
Fear of the Internet of Things
What We’ll Cover
• About Me
• What is the Internet of Things
• What’s the big deal?
• Example security exploits
• Anti-Patterns that should be guarded against
• Emerging security techniques
About Me
• Software Engineer for 20+ years
• Serial Entrepreneur
• Cofounder of Lab 651 & IoT Fuse
• Adjunct Professor at University of Saint Thomas teaching IoT
• Publisher of IoT Weekly News
• Excited for the next wave of connected things!
What is the Internet of Things?
Formal: The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to connect and exchange data.
Practical: The physical world becoming one big information system. We are moving from Internet of Computers (IoC) to IoT. It should actually be called “Things on the Internet”.
IoC vs IoT…What’s the Big Deal?
1. Massive Changes in Scale
2. Impact on the Physical World
Security Needs to Be Addressed at Each Level
Security of IoT vs IoC
• IoT has both information attacks and physical tampering
• Nearly all use wireless communications
• “Denial of sleep” attacks to kill battery
• Devices are expected to run with low power
• Operating systems may not support sophisticated security approaches
• Often not easily updatable and no screen / user interface
• It’s not the massive attacks but the smaller-scale ones that are more worrisome
IoT vs IoC – Personal Data
• Estimated that the average household generates ~2TB of data a year, by 2020 expected to be 10TB of personal data.
• Researchers found that Vizio & Samsung TVs send data to 3rd parties and have known vulnerabilities that allow listening in on your home or on what you watch
• FitBit can tell whether you are really active when you say you are
• Police used a woman’s Fitbit to discount a story of assault
• Tesla using data logs to disprove claims by automotive reviewers
• Things are becoming personal…
Hacking Devices
“Broken Hearts” episode, Homeland, 2012
Yeah, but is this actually possible?
Source: https://www.theverge.com/2017/8/30/16230048/fda-abbott-pacemakers-firmware-update-cybersecurity-hack
Find Open Devices
Open Camera
This is new, but is it?
Mirai Botnet
• Malware infecting IP cameras, routers & DVR players
• Infected more than 600,000 devices
• Started by 3 college students
• Some countries in Africa were taken offline
• Could have affected more than 185 million devices *
* Source: http://www.newsweek.com/mirai-botnet-brought-down-internet-was-minecraft-stunt-747806
Owlet Baby Monitor
• Monitor your baby’s heartrate & oxygen level
• Base station creates a completely open WiFi network
• Anyone in range could
  • Send data to another network/server
  • Disable alerts
• Nest camera had similar exploit
Jeep Hack
• In 2015 security researchers hacked a Jeep to take control of the vehicle
• Used the cellular network and the vehicle’s Controller Area Network (CAN) bus
• Chrysler recalled 1.4 million vehicles to fix this issue
Anti-Patterns
• Doing too much
  • Just because you can run a full Linux OS, should you?
  • Consider your end user – do they need root access?
  • Input validation and buffer overflows need to be checked
• Bugs
  • Integer overflows
  • Race conditions
  • Memory corruption
Anti-Patterns
• Weak encryption
• Service Passwords
  • No authentication
  • Default credentials that are easily discoverable
  • Permanent credentials (for support), never changeable
  • Failure to allow for revocation of a credential or privilege
  • Failure to allow for delegation of privilege to another legitimate party (forces workarounds)
• Unclear instructions, or defaults that put the device online rather than requiring opt-in
Anti-Patterns
• No Authentication
  • The CAN bus is how communication happens within an automobile. It was never designed for connections over the internet.
• Default Credentials
  • EURECOM found 100,000 internet-facing IoT devices with default passwords
• Permanent Credentials
  • ComfortLink thermostats had root passwords set that could not be changed. Finally fixed after 2 years
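As an added illustration (not from the talk, and not any product’s code), here is a small Go credential store that does the opposite of the three anti-patterns above: the factory default can only be used to set a new password, support logins expire instead of being permanent, and any credential can be revoked. The “admin” account name and the simplified password hashing are assumptions.

```go
package main
import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)
// Constructed example (not from any product): a credential store that avoids the
// anti-patterns above. Unsalted SHA-256 is for brevity; use a salted, memory-hard KDF.
type Account struct {
	hash       [32]byte
	MustChange bool      // factory default: usable only to set a new password
	Expires    time.Time // zero = no expiry; support logins always get one
	Revoked    bool
}
type Device map[string]*Account
var ErrDenied, ErrMustChange = errors.New("access denied"), errors.New("change the default password first")
// NewDevice ships with one factory account that must be reset on first use.
func NewDevice(defaultPw string) Device {
	return Device{"admin": {hash: sha256.Sum256([]byte(defaultPw)), MustChange: true}}
}
// AddSupportAccount issues a time-limited login instead of a permanent backdoor.
func (d Device) AddSupportAccount(user, pw string, ttl time.Duration, now time.Time) {
	d[user] = &Account{hash: sha256.Sum256([]byte(pw)), Expires: now.Add(ttl)}
}
// Revoke disables a known credential immediately, without waiting for expiry.
func (d Device) Revoke(user string) { d[user].Revoked = true }
// check verifies password, revocation and expiry; MustChange is left to callers.
func (d Device) check(user, pw string, now time.Time) (*Account, error) {
	a, h := d[user], sha256.Sum256([]byte(pw))
	if a == nil || a.Revoked || (!a.Expires.IsZero() && now.After(a.Expires)) || subtle.ConstantTimeCompare(a.hash[:], h[:]) != 1 {
		return nil, ErrDenied
	}
	return a, nil
}
// Login refuses ordinary access while the factory default is still in place.
func (d Device) Login(user, pw string, now time.Time) error {
	if a, err := d.check(user, pw, now); err != nil || !a.MustChange {
		return err
	}
	return ErrMustChange
}
// ChangePassword is the only operation a default credential may perform.
func (d Device) ChangePassword(user, oldPw, newPw string, now time.Time) error {
	a, err := d.check(user, oldPw, now)
	if err == nil {
		a.hash, a.MustChange = sha256.Sum256([]byte(newPw)), false
	}
	return err
}
```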
Online Trust Alliance – IoT Rules
• Default passwords must be prompted to be reset or changed on first use
• All users must adhere to SSL best practices using industry standards
• All device sites and cloud services must use HTTPS encryption
• Manufacturers must conduct penetration testing of devices, applications and services
• Manufacturers must have remediation plans when vulnerabilities are found
• All updates, patches and revisions must be signed and verified
• Manufacturers must provide a mechanism for the transfer of ownership
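The “signed and verified” rule, as an added example in Go’s standard library (not code from the Online Trust Alliance or any manufacturer): the device holds only the vendor’s Ed25519 public key, checks the signature over a small manifest, checks the firmware image against the hash in that manifest, and refuses to roll back to an older version. The manifest layout is an assumption made for the example.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Constructed example, not any vendor's updater. The manifest is a fixed layout:
// 8-byte big-endian version || 32-byte SHA-256 of the image (layout is an assumption).
const manifestLen = 8 + sha256.Size
type Update struct {
	Manifest  []byte // version || image hash
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // firmware bytes
}
var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image does not match signed hash")
	ErrRollback     = errors.New("update is not newer than the installed version")
)
// Sign is the manufacturer side: the private key stays in the build system.
func Sign(priv ed25519.PrivateKey, version uint64, image []byte) Update {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint64(m, version)
	h := sha256.Sum256(image)
	copy(m[8:], h[:])
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m), Image: image}
}
// Verify is the device side; only the vendor public key is provisioned on the device.
// It returns the version to install, or an error naming which check failed.
func Verify(pub ed25519.PublicKey, installed uint64, u Update) (uint64, error) {
	if len(u.Manifest) != manifestLen || !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return 0, ErrBadSignature // unsigned, edited, or signed by someone else
	}
	if h := sha256.Sum256(u.Image); !bytes.Equal(h[:], u.Manifest[8:]) {
		return 0, ErrHashMismatch // image swapped after signing
	}
	if v := binary.BigEndian.Uint64(u.Manifest); v > installed {
		return v, nil
	}
	return 0, ErrRollback // older (possibly vulnerable) firmware replayed
}
```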
Emerging IoT Security Techniques
• TPM (Trusted Platform Module) – Cryptographic keys burned into the device as it is produced
• Two factor (or more) authentication
  • Location-based verification
  • Using a paired device (smartwatch) as access control
• Only send the data that you need and nothing more
Emerging IoT Security Techniques
• Where possible, say no to big data backends
  • Forbes reports more than 112 million records spilled in 2015
  • More than a petabyte (10^15 bytes) of data accidentally exposed online
• New York Times reported that $50 million was stolen from over 100,000 people using the “Get Transcripts” service from the IRS
• Instead, use concepts from Distributed Computing Systems
  • Store data close to the person
• Provide time based access and deletion
Data Type | Best Location for Data | Consequences If Data Is Lost, or the Network Is Compromised or Disrupted
Sensitive/personal data | On a personal device such as a phone, laptop, backup hard drive, or home computer | Loss of employment; public humiliation; bullying or social isolation, which could potentially lead to suicide
Medical data | On a local device that can be shared with medical professionals on a timed clock | Blackmailing; loss of employment
Business data (e.g., LinkedIn profile) | On publicly accessible servers (shared) | N/A (this data was created with the intention of sharing it)
Home automation system | On a local network within the home without access to a larger network | Loss of access to or control of lights, thermostats, or other home systems
Credit: Calm Technology, Amber Case
Summary
• The world of connected devices ( IoT ) is still an emerging field
• Data available will become increasingly personal and unfiltered
• As with prior technology changes:
  • The IoT (and mistakes) will happen whether we like it or not
  • Apply many of the same security practices from the IoC
• Leverage distributed computing and best practices for data storage
• Always provide mechanisms for updates
Thank You
Justin Grammens
Links:
http://lab651.com
http://iotfuse.com
http://iotweeklynews.com