IoT Security: Cases and Methods
Leonardo De Moura Rocha Lima (@leomrlima), DetroitJUG
Copyright ©2016, @leomrlima

About me
Leonardo Lima
•Computer engineer, server & embedded SW developer
•From São Paulo, Brasil, now in Austin, TX
•CTO at
•Spec Lead – JSR363
•V2COM’s Representative at JCP Executive Committee
[www.linkedin.com/in/leomrlima]
What's the JCP and why should I care?
It's the way to make Java a healthy, multi-vendor environment
What happens there impacts your job
YOU can be part of the change you want for the platform
It's easy for YOU to join and start: just fill in a web form!
But… how do I join?
1. Go to jcp.org
2. Register to use the site (there's a button in the left-side menu)
3. Use the "Get Involved" section
4. Remember to vote in the EC election if you join by tomorrow!
In a study… (McAfee Labs Threats Predictions 2015)
Attacks on Internet of Things devices will increase rapidly due to hypergrowth in the number of connected objects, poor security hygiene, and the high value of data on IoT devices.
Cameras
“Every camera [out of 9 models] had one hidden account that a consumer
can’t change because it’s hard coded or not easily accessible. Whether
intended for admin or support, it gives an outsider backdoor access to
the camera.”
Barbies
”On the service side, ToyTalk’s server domain was susceptible to a known
SSL encryption flaw called POODLE, which could allow attackers to
steal communications and other data. A credentialing issue could also
let attackers probe for further vulnerabilities.”
Cars
As the two hackers remotely toyed with the
air-conditioning, radio, and windshield
wipers, I mentally congratulated myself on
my courage under pressure. That’s when
they cut the transmission.
Immediately my accelerator stopped working.
As I frantically pressed the pedal and
watched the RPMs climb, the Jeep lost half
its speed, then slowed to a crawl. This
occurred just as I reached a long overpass,
with no shoulder to offer an escape. The
experiment had ceased to be fun.
Electrical grid
He watched as [the mouse] navigated
purposefully toward buttons
controlling the circuit breakers at a
substation in the region and then
clicked on a box to open the breakers
and take the substation offline. A
dialogue window popped up on screen
asking to confirm the action, and the
operator stared dumbfounded as the
cursor glided to the box and clicked to
affirm. Somewhere in a region outside
the city he knew that thousands of
residents had just lost their lights and
heaters.
Zombie IoT army!
Massive DDoS attack against Dyn's DNS infrastructure on Friday, October 21, 2016; Dyn reported attack traffic from tens of millions of IP addresses.
The Mirai botnet behind it was built by exploiting exactly the weakness just described: factory-default passwords on devices exposed to the Internet.
The code for "recruiting" devices was released publicly in October 2016, so anyone can take a swing.
Zombie IoT army - the virus
Mirai's attack function enables it to launch HTTP floods and various network-layer (OSI layers 3-4) DDoS attacks.
For network-layer assaults it can launch GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Messaging Protocol) floods, DNS floods and UDP floods.
To spread, Mirai brute-forces Telnet logins with a dictionary attack: it tries a short hard-coded list of factory-default username/password pairs (the list shown on the slide is not reproduced here).
Another interesting thing about Mirai is its "territorial" nature: the malware carries several killer scripts meant to eradicate other worms and Trojans already on the device, and it blocks further remote connection attempts to the hijacked device so nobody else can take it over.
Zombie IoT army - the cure
1. Stop using default/generic passwords; give each device its own strong credential.
2. Disable all remote (WAN) access to your devices. To verify that your device is not open to remote access, scan it from outside for the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).
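A way to put both cures into practice from a developer's machine, as an added Java example (not code from the talk): step 1 is a provisioning-time check that rejects a credential pair if it appears in a dictionary of factory defaults, and step 2 opens a TCP connection with a short timeout to each management port named above and reports the ones that answer. The credential list is a constructed handful of pairs of the kind Mirai's dictionary carries, not the full list; the device addresses and the timeout are assumptions. Run the scan from an outside host against your network's public address to see what the WAN can reach.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Checks for the two "cures" above: no default credentials, no reachable management ports. Added example, not from the slides. */
public class MiraiHygieneCheck {

    // Constructed sample of factory-default pairs of the kind Mirai's dictionary carries (not the full list).
    static final String[][] DEFAULT_CREDENTIALS = {
        {"admin", "admin"}, {"root", "root"}, {"root", "12345"}, {"root", "xc3511"},
        {"root", "vizxv"}, {"admin", "password"}, {"user", "user"}, {"root", ""},
    };

    // The ports named on the slide: SSH, Telnet, HTTP, HTTPS.
    static final int[] MANAGEMENT_PORTS = {22, 23, 80, 443};

    static final int CONNECT_TIMEOUT_MS = 1500;   // assumption: long enough for a LAN or a nearby WAN hop

    /** Step 1: reject a credential pair before it is written to a device. */
    static boolean isDefaultCredential(String user, String password) {
        for (String[] pair : DEFAULT_CREDENTIALS) {
            if (pair[0].equalsIgnoreCase(user) && pair[1].equals(password)) {
                return true;
            }
        }
        return false;
    }

    /** Step 2 helper: true if a TCP handshake completes, i.e. something is listening and reachable. */
    static boolean isOpen(String host, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), CONNECT_TIMEOUT_MS);
            return true;
        } catch (IOException e) {
            return false;   // refused, filtered or timed out: not reachable from here
        }
    }

    /** Step 2: map each address to the management ports that accepted a connection. */
    static Map<String, List<Integer>> scan(String[] hosts, int[] ports) {
        Map<String, List<Integer>> exposed = new LinkedHashMap<>();
        for (String host : hosts) {
            List<Integer> open = new ArrayList<>();
            for (int port : ports) {
                if (isOpen(host, port)) {
                    open.add(port);
                }
            }
            exposed.put(host, open);
        }
        return exposed;
    }

    public static void main(String[] args) {
        // Credential check on constructed provisioning input.
        System.out.println("admin/admin default? " + isDefaultCredential("admin", "admin"));
        System.out.println("admin/Kq7!vr2Lp default? " + isDefaultCredential("admin", "Kq7!vr2Lp"));

        // Addresses are assumptions; pass your devices' addresses as arguments, or run this from an
        // outside host against your network's public address to see what the WAN can reach.
        String[] hosts = args.length > 0 ? args : new String[] {"127.0.0.1", "192.168.1.64"};
        for (Map.Entry<String, List<Integer>> e : scan(hosts, MANAGEMENT_PORTS).entrySet()) {
            String verdict = e.getValue().isEmpty()
                    ? "no management ports reachable"
                    : "EXPOSED on " + e.getValue() + " (disable remote access or firewall these)";
            System.out.println(e.getKey() + ": " + verdict);
        }
    }
}
```

A connect timeout is treated the same as a refusal: from the attacker's point of view a filtered port is as good as a closed one, and only a completed handshake counts as exposure.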
Security, Trust & Privacy
• Endpoint security
• Communication security between the endpoints
• Data distribution and secure storage
• Management and monitoring security of both the
endpoints and the communication mechanism
"Broad security"
• Trust – data is coming from known device
• Integrity – data was not tampered with since it
was sent from the device
• Uniqueness – data is not being ”reused”
• Privacy – data is not being used by unauthorized
parties
Security vs. Ease of Use vs. Cost
• These three variables can't all be maximized at the same time: push one or two to the maximum and the third will suffer
• Many of the attacks mentioned before happened because of the "wrong" maximization (ease of use and low cost at security's expense)
• Security has to be thought through from the beginning: bolting it on later costs more and delivers less security
Java Security Guidelines
Oracle's Secure Coding Guidelines for Java SE states the most effective approach to minimizing vulnerabilities: have obviously no flaws rather than no obvious flaws
The Java Coding Guidelines from CERT are also a good resource for learning how to program more securely
Oracle also has a page that covers many aspects of Java security, such as platform security, cryptography and secure communications
Java Cryptography Architecture
Provides pluggable cryptography: multiple providers can be installed side by side, each offering its own algorithms and capabilities
Supports standards like PKCS#11, TLS and many others
Standard provider implementations ship with every Java SE VM
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
JCA Related Libraries
Oracle's JVM already includes provider implementations that get you started with security
The Legion of the Bouncy Castle (https://www.bouncycastle.org/) adds many algorithms for JCA and related needs, such as X.509 certificates, OpenPGP and lightweight APIs for TLS and DTLS (RFC 4347)
Security hardware vendors also ship JCA providers, so you can move to a higher level of key protection with no change in application code
Example of software-only encryption
Public/private key infrastructure + symmetric shared secret, with every key generated and held by the application itself
Fragility: your keys are still "hackable", because they sit in non-protected memory!
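The scheme this slide sketches, carried through as an added Java example (not code from the talk): device and server each hold an EC key pair, agree on a symmetric key with ECDH, and the device protects a telemetry message with AES-GCM (integrity) plus an ECDSA signature (trust, in the "broad security" sense above). Key derivation is a plain SHA-256 of the ECDH output, a simplification of a proper KDF such as HKDF, and both key pairs are generated in memory for the demo; the telemetry line is constructed sample data. The last lines show the fragility the slide warns about: a software key hands its private bytes to any code, or memory dump, that asks.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Software-only device/server crypto with plain JCA. Added example, not from the slides. */
public class SoftwareOnlyCrypto {

    static KeyPair generateEcKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));   // P-256
        return kpg.generateKeyPair();
    }

    /** ECDH followed by SHA-256 as a simplified KDF; both sides end up with the same AES-256 key. */
    static SecretKey deriveSharedKey(PrivateKey mine, PublicKey theirs) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine);
        ka.doPhase(theirs, true);
        byte[] secret = ka.generateSecret();
        byte[] keyBytes = MessageDigest.getInstance("SHA-256").digest(secret);
        Arrays.fill(secret, (byte) 0);   // don't leave the raw ECDH output lying around
        return new SecretKeySpec(keyBytes, "AES");
    }

    /** AES-GCM with a fresh 12-byte nonce prepended to ciphertext||tag. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if the message was tampered with. */
    static byte[] decrypt(SecretKey key, byte[] message) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, message, 0, 12));
        return c.doFinal(message, 12, message.length - 12);
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair device = generateEcKeyPair();   // in a real deployment: provisioned, public key in a certificate
        KeyPair server = generateEcKeyPair();

        // Both ends derive the same session key; the key itself never crosses the wire.
        SecretKey deviceSide = deriveSharedKey(device.getPrivate(), server.getPublic());
        SecretKey serverSide = deriveSharedKey(server.getPrivate(), device.getPublic());

        // Constructed sample telemetry message.
        byte[] reading = "meter=4711;kwh=12.5;ts=1477000000".getBytes(StandardCharsets.UTF_8);
        byte[] wire = encrypt(deviceSide, reading);
        byte[] sig = sign(device.getPrivate(), wire);   // trust: proves which device sent it

        byte[] recovered = decrypt(serverSide, wire);   // integrity: the GCM tag rejects tampering
        System.out.println("signature ok: " + verify(device.getPublic(), wire, sig));
        System.out.println("plaintext:    " + new String(recovered, StandardCharsets.UTF_8));

        // The fragility: a software key exposes its private material to anyone holding the object.
        byte[] leaked = device.getPrivate().getEncoded();
        System.out.println("private key bytes readable from memory: " + (leaked != null && leaked.length > 0));
    }
}
```

The uniqueness property from the "broad security" slide is not covered here: the nonce stops GCM key/IV reuse, but replay of a whole message still needs a counter or timestamp that the server checks.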
Secure Element
Provides a safe place to execute sensitive code
and store hardware identity and private keys
Hardware protection to prevent tampering
Many form factors
Secure Element (continued)
// Java 8 example: the SunPKCS11 provider wraps the Secure Element's PKCS#11 module.
// PKCS11_CONFIG is the path of a SunPKCS11 config file (name, library, slot) for that module.
// On Java 9+ use Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG) instead of the constructor.
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

// Create a PKCS#11 cryptographic provider which uses the Secure Element
Provider myPKCS11Provider = new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG);
// Register the SE as a cryptographic provider first, so that Signature.getInstance(...)
// can later find it for keys that live on the SE
Security.addProvider(myPKCS11Provider);
// The PIN code protecting the Secure Element (a fixed "0000" here only to keep the slide short)
char[] myPIN = {'0', '0', '0', '0'};
// Create a KeyStore view of the Secure Element, unlocked with the PIN
KeyStore.PasswordProtection pinProtection = new KeyStore.PasswordProtection(myPIN);
KeyStore.Builder ksb = KeyStore.Builder.newInstance("PKCS11", myPKCS11Provider, pinProtection);
KeyStore ks = ksb.getKeyStore();
Secure Element (continued)
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;

// We sign with ECDSA; the provider registered above handles keys that live on the SE
Signature ecSign = Signature.getInstance("SHA256withECDSA");
// Retrieve the signature key from the keystore by its alias, unlocking it with the same PIN
PrivateKey privKey = (PrivateKey) ks.getKey("SignKey", myPIN);
// The key is an opaque handle: getEncoded() returns null for a non-extractable PKCS#11 key,
// so the private material never reaches JVM memory
byte[] message = "meter=4711;kwh=12.5".getBytes(StandardCharsets.UTF_8);   // constructed sample data
// And we sign! The signature is computed inside the Secure Element
ecSign.initSign(privKey);
ecSign.update(message);
byte[] signature = ecSign.sign();
Summary
• Security is an ever-increasing concern
• Security has to be thought through from the start of a project
• You can be as secure as you want: from software-only keys up to a hardware Secure Element, the level is your choice
• Java has a lot of infrastructure for secure IoT devices
Editor's Notes
Talk abstract: In developing for IoT, security is often not the highest priority: APIs exposed without care and devices deployed with default passwords become gateways to your network and your data. Many best practices can be used to thwart attacks on your devices, but they have to be thought through from the first architectural design. This session covers many recent IoT attacks, their consequences, and how they could have been prevented. It also explores the many security levels one device can have, from totally exposed to completely secured against physical tampering and identity theft.

Speaker notes:
- Where is the value?
- Security and privacy are great implications of connectivity
- There are many different aspects to consider: there's no winning it all!
- There are many different Java technologies, like JAAS, that are for the server side of IoT. I considered embedded-side development here.

Sources:
- McAfee Labs Threats Predictions 2015: http://www.mcafee.com/us/security-awareness/articles/mcafee-labs-threats-predictions-2015.aspx
- Wired, the year the Internet of Things got hacked: https://www.wired.com/2015/12/2015-the-year-the-internet-of-things-got-hacked/
- Fusion, Internet-connected baby monitors (cameras): http://fusion.net/story/192189/internet-connected-baby-monitors-trivial-to-hack/
- PCWorld, Hello Barbie: http://www.pcworld.com/article/3012220/security/internet-connected-hello-barbie-doll-can-be-hacked.html
- Wired, Jeep remote hack: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/#slide-2
- Wired, Ukraine power grid hack: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
- DDoS data: http://www.dailydot.com/layer8/ddos-mirai-iot-botnet-broken-internet/
- Mirai source code release: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
- Image: http://i.imgur.com/DIvzSFq.png
- Mirai malware analysis (Incapsula): https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
- Industrial Internet Security Framework: http://www.iiconsortium.org/IISF.htm
- Secure Coding Guidelines for Java SE: http://www.oracle.com/technetwork/java/seccodeguide-139067.html
- CERT Java Coding Guidelines: https://www.securecoding.cert.org/confluence/display/java/Java+Coding+Guidelines
- Oracle Java SE security: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
- JCA Reference Guide: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
- Java Card overview: http://www.oracle.com/technetwork/java/embedded/javacard/overview/index.html
- Java Card Forum: https://javacardforum.com/