IOActive, Inc. Copyright ©2016. All Rights Reserved.
Cesar Cerrudo
@cesarcer
CTO, IOActive Labs
Hacker proof: building secure software
By 2020: 200 billion connected things
Source: IDC, CISCO, INTEL
Everything is being “connected”
We are becoming more and more and more digital
I’m worried about our future
Source: CVE Details Top 50 Vendors By Total Number Of "Distinct" Vulnerabilities in 2015
Security from day one
The later you add security, the more difficult and expensive it becomes
Input validation
Don’t trust any input
Encrypt
“Everyone” fails at crypto
Secure by default
Enable the minimum needed functionality, and make it secure
Reduce information leakage
Every bit of information your system provides is useful for attackers
Avoid security through obscurity
Your software will be reverse engineered
Secure the supply chain
The security of your product = the sum of the security of all its components
Education is key
Educate yourself, your team, your company
Future Things Inc.
500,000 smart toilets sold worldwide
Something can go wrong…
The moral of the story…
Don’t wait until people’s private parts are scalded to make your software more secure
Thanks

Hacker Proof: Building Secure Software

Editor's Notes

  1. Some say that by 2020, there will be 200 billion connected things. If we take a small connected thing and line up 200 billion of them, that’s enough to wrap around the earth several hundred times.
  2. These multi-billions of connected things mean that everything is being connected: cars, planes, homes, cities, even animals like cows are being connected.
  3. We are putting software everywhere. This is changing the way we live, the way we behave and interact with things around us.
  4. We depend more and more on technology as it deeply integrates into our lives. But this technology dependence makes us very vulnerable if technology fails. Think about what happens when you are on the road and your smartphone runs out of battery or you lose it. It’s like the end of the world, because you lost access to your email, your calendar, your contacts, your apps, and without all that you can’t do anything. In moments like that, you realize that you can’t live without technology. Because of this increasing technology dependence, it’s very important that the technology is always available, protected and secure.
  5. I’m here today because I’m really worried about our future and I want to talk about the serious cyber security problems affecting technology. I have been a professional hacker for more than 15 years. I find cyber security problems in technology in order to make it more secure. After doing this for many years, I’m really worried and also extremely frustrated, because I keep seeing the same cyber security problems over and over again and we are not getting better. And while we depend more and more on technology, the technology is more and more insecure.
  6. Maybe you don’t know it, but most technology is vulnerable and can be hacked; we see examples of this every day:
     - Cars have been hacked.
     - I hacked traffic systems.
     - A popular US smart home alarm system was hacked.
     - Implantable medical devices like pacemakers were hacked; people could be killed.
     - Plane systems were hacked too. Imagine the impact of this.
     - We have had critical infrastructure hacked too, like a power grid and a dam.
     - Mobile banking apps were also found vulnerable and easy to hack.
     - Smart city technology is vulnerable to hacking too.
     These are just a few examples; the list could be endless.
  16. Every year thousands of cyber security problems are identified in different technologies from well-known technology vendors. Some of the vendors in this chart are the best at cyber security, but they still have lots of security problems. Guess how the vendors that are worst at cyber security are doing? You probably guessed right: they are doing really badly. If we don’t want to be the worst at cyber security, what can we do? Building secure software is not simple, but there are some basic recommendations we can follow.
  17. Cyber security must be present from day one, from the very beginning when you start designing your products, and continue being present and integrated during the product life cycle, at all stages. The later you add cyber security, the more difficult and expensive it becomes, because once you have your product already designed and architected, you have already built on top of that and it’s not easy to change the architecture of a finished product. It’s as if you built a bridge, and after you finish and it’s being used you realize that the foundation is weak. You will probably face a big mess trying to fix that, not to mention that the bridge can’t be used until you fix it. The later you think about security, the more problems you will get. You have to integrate security within your whole development process from day one.
  18. Your software must not trust any input. You must assume all input is evil input. The best way is to use a whitelist approach, accepting only valid and known input and rejecting the rest. Sometimes you might think that the input would come from a trusted source, but software is very dynamic and often changes; what comes from a trusted source today can come from an untrusted one tomorrow, and that’s when things go wrong. For instance, when you open up an API for public use, it won’t be just you using the API anymore, it could be anyone, and you can’t trust everyone.
  19. Over time, everyone has failed at encryption, and by “everyone” I mean almost every big and not-so-big software vendor. That’s because it’s very difficult to implement encryption properly and at the same time make it easy to use. You must always be careful when implementing encryption, making sure it’s properly audited by experts. Also, make sure you don’t invent your own “encryption.” It’s a common mistake to think that nobody will know it because you invented it, or that it will be difficult to break. It’s a big mistake; software can be reverse engineered and easily decoded. Most communications can be easily intercepted, so you must encrypt communications by default or at least allow encryption. Another important use for encryption is encrypting and digitally signing software updates, because if you don’t encrypt and sign them, someone can easily reverse engineer and modify the updates, and your software could end up using an untrusted and modified update with malicious code. You have to protect against this by checking that updates have not been modified and that they are delivered over a secure communication channel.
  20. It’s a good practice to deploy software with almost all functionality disabled by default, and let the user enable what they really need. In this way you reduce the attack surface (the areas that could be hacked) and provide more security to users by making sure the most common functionality has strong security by default. It’s a common mistake to deploy software with a lot of functionality enabled by default, because this increases the attack surface by giving attackers more possibilities to hack the system.
  21. Every bit of information your system provides is useful to attackers. Usually software will give away some information without authenticating users; anyone can interact with the system and get some information back. This could be useful for users, for instance by showing the software version, release date, etc. But this is also very useful for attackers, since the more information they can get from a system the easier it is to attack it. By reducing the amount of information that is provided without authentication, you make attackers’ work more difficult. Everything you can do to make attackers’ work more difficult ends up increasing security.
  22. Many companies wrongly think a protocol is safe from hackers because it’s custom made or not based on a standard. That’s a dangerous and common assumption, usually made by people not familiar with hacking. It doesn’t matter that your protocol is unknown: it can be reverse engineered by capturing the traffic and disassembling the software that speaks it, and then attacked. Also, developers sometimes hide things inside software, such as passwords, usernames, and keys. That’s a big mistake too; hardcoded secrets can be pulled out of a binary with nothing more than a string dump, and a secret shared by every unit sold is a secret that only has to be found once. Always assume your software will be reverse engineered and don’t hide anything inside. Anything you hide will probably be found.
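To make the “anything you hide will be found” point concrete, here is an added example (written for this page, not taken from the talk) of the first thing an attacker does with a firmware dump: extract the printable strings, as the strings(1) utility does, and flag anything that looks like a credential or a random key. The firmware blob is constructed inline for the example, and the credential pattern and entropy threshold are assumptions; a real hunt continues with a disassembler, but a string dump alone is often enough.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// constructedFirmware stands in for a binary image dumped from a device. It is constructed
// for this example (not any real product's firmware): a fake header, some filler bytes, and
// the kind of strings developers leave behind when they assume nobody will look inside.
var constructedFirmware = []byte(
	"\x7fELF\x02\x01\x01\x00" +
		"initializing heater\x00" +
		"admin\x00ADMIN_PASSWORD=sup3rS3cret!\x00" +
		"\x90\x90\xcc\x00ok\x00" +
		"api_key=b7f3c9a1d2e4f6081a2b3c4d5e6f7081\x00" +
		"\xde\xad\xbe\xef")

// ExtractStrings does what strings(1) does: it returns every run of at least minLen
// printable ASCII bytes (0x20..0x7e).
func ExtractStrings(blob []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range blob {
		if b >= 0x20 && b <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(blob[start:i]))
		}
		start = -1
	}
	if start >= 0 && len(blob)-start >= minLen {
		out = append(out, string(blob[start:]))
	}
	return out
}

// ShannonEntropy in bits per byte. Random-looking keys and tokens score high (a 32-char
// hex key scores close to 4); ordinary log messages score well below 3.5.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	var counts [256]int
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / float64(len(s))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// credentialPattern matches "name=value" or "name: value" where the name suggests a secret.
// The list of names is an assumption for the example; real scanners carry hundreds.
var credentialPattern = regexp.MustCompile(`(?i)(pass(word)?|pwd|secret|api[_-]?key|token|private[_-]?key)\s*[=:]\s*(\S+)`)

// FindSecrets returns the strings an attacker would zero in on: anything labelled like a
// credential, plus any high-entropy string long enough to be a key.
func FindSecrets(blob []byte) []string {
	var found []string
	for _, s := range ExtractStrings(blob, 4) {
		if credentialPattern.MatchString(s) || (len(s) >= 16 && ShannonEntropy(s) > 3.5) {
			found = append(found, s)
		}
	}
	return found
}

func main() {
	for _, s := range FindSecrets(constructedFirmware) {
		fmt.Println("possible hardcoded secret:", s)
	}
}
```

Run this against your own release build before an attacker does; if a password or key shows up, the fix is not to obfuscate the string but to move the secret out of the binary (per-device credentials provisioned at manufacture or on first boot).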
  23. On top of this, products are built in a complex scenario with many different legacy technologies, many layers, and a long supply chain. Many companies don’t produce all the components of a product; they have many third-party providers. It only takes one insecure component for the whole product to become insecure: the security of the product is the sum of the security of all of its components, and a single weak one drags the total down. You need to know every component you ship (including the libraries inside your providers’ firmware), make sure each one is secure and kept up to date, and verify that what you integrate is really what your provider built.
  24. Invest in cyber security education for everyone at your company. Engineers, developers, decision makers – everyone should learn about cyber security depending on their needs. Developers need to learn how to develop software securely, software architects need to learn how to architect products securely, decision makers should learn that cyber security is important, and so on. You need to learn how to build products securely.
  25. To get a good picture of how cyber security problems could affect companies, let’s do an educational exercise; please follow along with me. Do we have software engineers here? Please raise your hands. Thanks, there you are. I bet there are many here. Let’s suppose we all work at this fictitious company called Future Things. Our company is doing great; we have many IoT products. One of our best and most successful products is a smart toilet. Our smart toilet is great, it’s the market leader, and we are all really happy with it. Let’s see a very short video about our product. Play video (approx. 1 min)
  26. As you can see, our smart toilet is really cool: it heats the seat, it has lights, and it plays music... I wonder what it would be like to hear music from inside or below the toilet. I guess it could be inspiring sometimes, who knows; no more reading on the toilet, just listen to music and enjoy your moment there. It also has a remote control where you can set the water pressure and temperature of the integrated bidet to comfortably clean your private parts while you listen to music. You can also flush the toilet from there, play music, etc. It’s great; it’s a really cool remote control that can control all functions of our toilet. We have sold 500,000 toilets worldwide and they keep selling. It’s the most popular smart toilet and its popularity keeps growing every day; people even publish selfies while using it. People can’t live without it. Our product is great, it’s a worldwide success, everything is going perfectly, but...
  28. Something can always go wrong when we build insecure products. As with many other companies, it seems our company Future Things didn’t build the smart toilet system in a secure way, and it has some cyber security vulnerabilities that open the system to possible cyber attacks. After seeing the video and some of the functionality, can anyone identify a possible cyber security threat? Yes/No? If you were a hacker you would identify many. Using a hacker mindset, I can identify an interesting possible cyber security threat. When you have worked for many years doing offensive cyber security, you get used to putting yourself in developers’ minds and identifying what they could have done wrong: their possible mistakes. Let’s see: the remote control uses infrared or radio frequency to communicate with the smart toilet. Since it’s not a very common communication mechanism for smart things, the developers probably assumed they didn’t have to worry about security, or they didn’t think about security at all, because who would try to hack the remote control? And who would know how the communication protocol works if it’s custom made? So there is probably no security protection in the communication protocol: no encryption, no authentication, which means an attacker, after learning the protocol, could send any command over infrared or radio frequency to the smart toilet without any problem. Another possible security mistake by the developers could be a lack of input validation in the smart toilet software for the commands it gets from the remote control. Since the software was made by the same developers, they probably thought: why validate the commands if only our remote control will be sending them? It’s a trusted source, so why worry? Knowing these problems, let’s use our evil hacker mind to build a cyber attack.
Since we have a communication protocol that is not protected (not encrypted, no authentication, etc.), as attackers we just need to reverse engineer it in order to learn the protocol and commands. It takes time, but once we have done that, we can create our own remote control using some cheap electronics and some easy programming; nowadays programming radio or infrared transceivers is pretty easy. Since there is no validation of the commands processed by the smart toilet software, our attack device can send commands that set the bidet water pressure and temperature higher than the maximum allowed by the official remote control. Because there is no validation in the smart toilet software, as attackers we can send any values we want and they will be accepted and processed. Usually the hardware limit is higher than the software-enforced limit. For instance, if the remote control only allows water temperatures up to 40 degrees Celsius, we can bypass that limitation since we aren’t using the remote control, and set the water temperature to 80 degrees, and do the same with the pressure. Once we set the bidet water pressure and temperature extremely high, we can turn the bidet on, and if someone is using the smart toilet, we can scald his private parts (show picture). If we know that our neighbor has this smart toilet, we can hack it and scald his private parts. Or we can play around our neighborhood with our attack device, trying it at many homes. If the remote control is infrared, we could even create a mobile app for smartphones with infrared functionality and distribute it as an enhancement for the smart toilet; I’m sure someone would bite. Remember, I said we are using our evil hacking mind. This may sound funny and like an extreme example, but it could be 100% real; it’s just an example of what could happen to any of the companies you currently work at if your software is not secure.
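The attack above depends on two missing controls, and both are cheap to add. The following Go code is an added example written for this page (Future Things is fictitious, so this is neither its code nor the speaker’s): a command handler that trusts the remote and applies any value it is given, beside a hardened one that authenticates each frame with HMAC-SHA256 under a per-device key, rejects replayed frames with a counter, and range-checks temperature and pressure on the device regardless of what the remote sends. The frame layout, command codes, limits and pairing key are all assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed command set for the example (not a real product's protocol).
const (
	CmdSetWaterTemp     byte = 0x01 // value: degrees Celsius
	CmdSetWaterPressure byte = 0x02 // value: percent of hardware maximum
	CmdBidetOn          byte = 0x03
)

// Safety limits the official remote enforces. The hardware can go higher, which is
// exactly why the device itself must enforce them too.
const (
	MaxSafeTempC    = 40
	MaxSafePressure = 60
)

type Toilet struct {
	TempC    int
	Pressure int
	BidetOn  bool
}

// InsecureHandle mirrors the flaw in the story: frame = cmd(1) | value(2), no
// authentication, and the device applies whatever value it is given.
func (t *Toilet) InsecureHandle(frame []byte) error {
	if len(frame) < 3 {
		return errors.New("short frame")
	}
	cmd, val := frame[0], int(binary.BigEndian.Uint16(frame[1:3]))
	switch cmd {
	case CmdSetWaterTemp:
		t.TempC = val // no bounds check: 80 C is accepted
	case CmdSetWaterPressure:
		t.Pressure = val
	case CmdBidetOn:
		t.BidetOn = true
	}
	return nil
}

// SecureToilet holds a per-device key, assumed to be established when the remote is
// paired, and the last counter seen, so captured frames cannot be replayed.
type SecureToilet struct {
	Toilet
	key         []byte
	lastCounter uint32
}

const tagLen = sha256.Size

func NewSecureToilet(pairedKey []byte) *SecureToilet {
	return &SecureToilet{key: pairedKey}
}

// BuildFrame is the paired remote's side: counter(4) | cmd(1) | value(2) | HMAC tag(32).
func BuildFrame(key []byte, counter uint32, cmd byte, value uint16) []byte {
	f := make([]byte, 7, 7+tagLen)
	binary.BigEndian.PutUint32(f[0:4], counter)
	f[4] = cmd
	binary.BigEndian.PutUint16(f[5:7], value)
	mac := hmac.New(sha256.New, key)
	mac.Write(f)
	return mac.Sum(f)
}

// SecureHandle authenticates, checks freshness, then validates the value on the device.
func (s *SecureToilet) SecureHandle(frame []byte) error {
	if len(frame) != 7+tagLen {
		return errors.New("malformed frame")
	}
	body, tag := frame[:7], frame[7:]
	mac := hmac.New(sha256.New, s.key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return errors.New("authentication failed: frame not from paired remote")
	}
	counter := binary.BigEndian.Uint32(body[0:4])
	if counter <= s.lastCounter {
		return errors.New("replayed frame rejected")
	}
	cmd, val := body[4], int(binary.BigEndian.Uint16(body[5:7]))
	switch cmd {
	case CmdSetWaterTemp:
		if val > MaxSafeTempC {
			return fmt.Errorf("temperature %d C exceeds safe limit %d C", val, MaxSafeTempC)
		}
		s.TempC = val
	case CmdSetWaterPressure:
		if val > MaxSafePressure {
			return fmt.Errorf("pressure %d%% exceeds safe limit %d%%", val, MaxSafePressure)
		}
		s.Pressure = val
	case CmdBidetOn:
		s.BidetOn = true
	default:
		return fmt.Errorf("unknown command 0x%02x", cmd)
	}
	s.lastCounter = counter // advance only after the command is fully accepted
	return nil
}

func main() {
	// The attack frame from the story: set water temperature to 80 C.
	var naive Toilet
	naive.InsecureHandle([]byte{CmdSetWaterTemp, 0x00, 80})
	fmt.Println("insecure device temperature:", naive.TempC)

	key := []byte("constructed per-device pairing key") // assumption for the example
	dev := NewSecureToilet(key)
	fmt.Println("forged frame:", dev.SecureHandle(make([]byte, 7+tagLen)))
	fmt.Println("80 C from real remote:", dev.SecureHandle(BuildFrame(key, 1, CmdSetWaterTemp, 80)))
	ok := BuildFrame(key, 2, CmdSetWaterTemp, 38)
	fmt.Println("38 C:", dev.SecureHandle(ok), "temperature now", dev.TempC)
	fmt.Println("same frame again:", dev.SecureHandle(ok))
}
```

The range check matters even with authentication in place: the device, not the remote, has to own the safety limit, because a modified remote, a stolen key or a bug in the official app can all produce a correctly authenticated frame carrying 80 degrees. Adding encryption on top would also hide the commands from eavesdroppers, but it is the authentication and the validation that stop the scalding.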
  29. If you don’t want to end up with these problems, then learn from the example: don’t wait until people’s private parts are scalded to make your software more secure. We should take cyber security seriously and start doing something about it right now. I have no problem with having no job because technology has become very secure, so please make me jobless.