This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. When hearing the buzzword “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. Industrial Control Systems (ICS) are not unique snowflakes anymore but use the same ubiquitous technology found in consumer IoT devices. This presentation summarizes our experiences at Senrio exploiting embedded systems and discusses the reasons why these insecure design patterns exist, including business drivers and technology factors. We share stories and anecdotes based on 10 years of research, training and consulting (including real vulnerabilities and how they work).

Published in: Devices & Hardware
The Insecurity of Industrial Things

  1. “The Insecurity of Industrial Things”, ICS Cyber Security Conference, © 2016 Senrio Inc
  2. The Insecurity of Industrial Things
     Stephen A. Ridley (CTO, Senrio Inc), Jamison Utter (VP, Senrio Inc)
     http://senr.io, Twitter: @xipitersec
  3. We hate to break it to you… “…but OT is IT, and ICS is ‘IoT’”
  4. Before we explain this: it helps if we give you our background…
  5. Senrio’s Unique Perspective
     • Stephen A. Ridley, Founder and CEO
       - Background in Defense & Intelligence as a vulnerability researcher
       - Senior Security Architect at McAfee
       - Chief Information Security Officer at a major financial services firm
       - Co-authored the Android Hacker’s Handbook
       - Founder and Senior Researcher at Xipiter, providing services and training to Fortune 500 and government clients
     • Extensive security and embedded device expertise: sold-out trainings at Black Hat for the last five years; private trainings for government, military and private industry clients
     • In the last few years, spoken (and taught) about device security on every continent except Antarctica
     • Keynoted major information security conferences
  6. Senrio’s Unique Perspective
     • Have created and sold thousands of unique hardware-based security research tools: http://www.int3.cc
     • Original research turned into the industry’s leading training on mobile/device security:
       - http://armexploitation.com
       - Software Exploitation Via Hardware Exploitation
       - http://Automation-Exploitation.com
     • As a services company, served Fortune 500 brands in ICS, Medtech, Retail and embedded systems as well as government agencies
     • At the forefront of embedded device security research: developed custom tools; the Shikra was named one of the best embedded security research tools by Rapid7
     • Senrio included in the Gartner Market Guide on OT Security and rated “Transformer” by Current Analysis
     • “The market needs a comprehensive answer to the IoT dilemma but today there are few solutions to this challenge. Senrio offers a much-needed new approach,” Christina Richmond, Program Director, Security Services, IDC.
  7. IoT Home Controller
     • Summer project for interns: $200 each to purchase IoT devices online
     • Smart smoke alarm, used ATM, webcam, smart home controller, smart thermostat, NAS, smart wall outlet, game console, point-of-sale system, Android tablet, etc.
     • Vera Lite Home Controller by Mi Casa Verde ($99 on Amazon)
     • Trivial to compromise: less than 2 weeks for an intern
     • Discovered vulnerabilities that would allow an attacker to retrieve the SSH private keys used to access the manufacturer’s backend, simply by downloading the firmware from the manufacturer’s website
     • As safe as leaving your key under the doormat
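The VeraLite finding hinges on a vendor shipping its backend SSH private keys inside a publicly downloadable firmware image, where anyone who unpacks the image can read them. As an added example (not Senrio’s code and not any vendor’s), the C program below scans a raw firmware blob for PEM private-key headers while skipping certificates and public keys. The image bytes are constructed inline for the demo; the struct, function and macro names are assumptions.

```c
/* Added example (not Senrio's or any vendor's code): find PEM private-key
 * blocks inside a raw firmware image, the kind of secret the VeraLite
 * slide describes being recoverable from a vendor's firmware download.
 * Build: cc -std=c99 -Wall keyscan.c && ./a.out   (file name assumed) */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_FINDINGS 8
#define KIND_LEN     32

struct finding {
    size_t offset;          /* byte offset of "-----BEGIN " in the image */
    char   kind[KIND_LEN];  /* e.g. "RSA PRIVATE KEY" */
};

/* Firmware images contain NUL bytes, so strstr()/strlen() are useless;
 * this is a small portable memmem() replacement. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t haylen,
                                       const char *needle, size_t nlen)
{
    if (nlen == 0 || haylen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= haylen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Record every "-----BEGIN <KIND>-----" header whose KIND ends in
 * "PRIVATE KEY" (RSA, EC, OPENSSH, DSA, or the unlabelled PKCS#8 form).
 * Certificates and public keys are skipped. Returns the number recorded. */
size_t scan_for_private_keys(const unsigned char *img, size_t len,
                             struct finding *out, size_t max)
{
    static const char begin[] = "-----BEGIN ";
    const size_t blen = sizeof begin - 1;
    const unsigned char *p = img, *end = img + len;
    size_t n = 0;

    while (n < max) {
        const unsigned char *hit = find_bytes(p, (size_t)(end - p), begin, blen);
        if (!hit) break;
        const unsigned char *kind = hit + blen;
        size_t klen = 0;
        /* KIND is upper-case words separated by spaces, e.g. "EC PRIVATE KEY" */
        while (kind + klen < end && klen < KIND_LEN - 1 &&
               (isupper(kind[klen]) || kind[klen] == ' '))
            klen++;
        if (klen >= 11 && kind + klen + 5 <= end &&
            memcmp(kind + klen, "-----", 5) == 0 &&
            memcmp(kind + klen - 11, "PRIVATE KEY", 11) == 0) {
            out[n].offset = (size_t)(hit - img);
            memcpy(out[n].kind, kind, klen);
            out[n].kind[klen] = '\0';
            n++;
        }
        p = hit + 1;   /* keep scanning past this header */
    }
    return n;
}

/* Constructed image fragment for the demo: binary padding, a public
 * certificate (must NOT be reported) and two embedded private keys. */
static const unsigned char demo_image[] =
    "\x7f" "ELF" "\x00\x00\x00\x00" "squashfs-ish padding" "\x00\x00"
    "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    "\x00\x00\x00"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n"
    "\x00"
    "-----BEGIN OPENSSH PRIVATE KEY-----\nb3Blbn...\n-----END OPENSSH PRIVATE KEY-----\n";

static struct finding demo_findings[MAX_FINDINGS];

/* Scan the demo image; returns the number of private keys found. */
size_t demo_scan(void)
{
    return scan_for_private_keys(demo_image, sizeof demo_image - 1,
                                 demo_findings, MAX_FINDINGS);
}
const char *demo_kind(size_t i)   { return demo_findings[i].kind; }
size_t      demo_offset(size_t i) { return demo_findings[i].offset; }

int main(void)
{
    size_t n = demo_scan();
    for (size_t i = 0; i < n; i++)
        printf("private key at offset 0x%zx: %s\n", demo_offset(i), demo_kind(i));
    return 0;
}
```

On a real image you would read the file into memory (or mmap it) and pass it to scan_for_private_keys; the offsets let you carve the key with dd and try it against the vendor host. Encrypted or obfuscated firmware will not yield to this scan, which is exactly why it matters that many vendors ship plain images.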
  8. Remote Power Management Unit
     • Originally published by the Christian Science Monitor on May 18: NetBooter NP-02B made by SynAccess Networks
     • Senrio found hidden functionality that lets attackers reset passwords, revert to default settings and lock administrators out
     • Exotic hardware and firmware no longer keep manufacturers safe
     • Sensitive placement leads to unforeseen consequences: the ability to remotely turn off servers, signage or critical systems
     • Inexpensive/low-value device deployed in high-impact use cases
  9. WiFi Camera
     • Discovered and exploited a remote code execution vulnerability in the latest firmware of the D-Link DCS-930L Network Cloud Camera
     • The result of a stack overflow in a service that processes remote commands
     • The vulnerable function copies data from an incoming string into a stack buffer without checking its length, overwriting the saved return address of the function
     • The vulnerability can be exploited with a single command containing custom assembly code and a string crafted to trigger the overflow
     • Affects more than one model: code reuse means vulnerability reuse
     • More on our blog and in articles via ThreatPost, SecurityWeek and Network World
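The DCS-930L slide describes the classic embedded bug class: a command-processing service copies an attacker-supplied string into a fixed-size stack buffer with no length check, so a long argument runs past the buffer into the saved return address. The C below is an added illustration of that pattern and its fix, not the camera’s firmware and not Senrio’s exploit; the command name SET_NAME, the 64-byte buffer and the function names are assumptions for the demo.

```c
/* Added example (not the DCS-930L firmware or Senrio's exploit): the bug
 * class behind the camera RCE above, as a minimal command handler. The
 * vulnerable version copies the argument into a fixed stack buffer
 * with strcpy(); the hardened version measures first and refuses input
 * that does not fit. Command name, buffer size and function names are
 * assumptions for the demo. */
#include <stdio.h>
#include <string.h>

#define ARG_MAX 64

/* VULNERABLE: the copy is bounded by the attacker's string, not by the
 * buffer. With the usual downward-growing stack the saved return
 * address sits a few words above `arg`, so an argument longer than
 * ARG_MAX overwrites it and the function returns into attacker data.
 * Kept only to show the pattern; never feed it untrusted input. */
int handle_command_vulnerable(const char *line)
{
    char arg[ARG_MAX];
    const char *sp = strchr(line, ' ');
    if (!sp || strncmp(line, "SET_NAME", 8) != 0)
        return -1;                  /* unknown command */
    strcpy(arg, sp + 1);            /* <-- no length check */
    return (int)strlen(arg);        /* pretend: apply the new name */
}

/* HARDENED: check the length against the buffer before any copy, then
 * copy exactly that many bytes and terminate explicitly. Rejecting
 * oversize input (rather than silently truncating) also makes the
 * attack attempt visible to whatever logs the error. */
int handle_command_hardened(const char *line)
{
    char arg[ARG_MAX];
    const char *sp = strchr(line, ' ');
    if (!sp || strncmp(line, "SET_NAME", 8) != 0)
        return -1;                  /* unknown command */
    size_t n = strlen(sp + 1);
    if (n >= sizeof arg)
        return -2;                  /* too long to fit with the NUL */
    memcpy(arg, sp + 1, n);
    arg[n] = '\0';
    return (int)n;
}

/* Builds the kind of oversize argument an attacker would send (200 bytes
 * of 'A', standing in for the crafted string plus shellcode) and returns
 * the hardened handler's verdict, so the rejection path can be exercised
 * without ever running the unsafe copy. */
int hardened_rejects_overflow(void)
{
    char line[9 + 200 + 1];
    memcpy(line, "SET_NAME ", 9);
    memset(line + 9, 'A', 200);
    line[9 + 200] = '\0';
    return handle_command_hardened(line);
}

int main(void)
{
    printf("hardened, short arg: %d\n", handle_command_hardened("SET_NAME cam01"));
    printf("hardened, 200-byte arg: %d\n", hardened_rejects_overflow());
    return 0;
}
```

Two things are worth noting for firmware review. First, the fix is the length check, not a swap of strcpy for strncpy: strncpy without explicit termination leaves a different bug. Second, because the same command parser is shared across models (the slide’s “code reuse means vulnerability reuse”), a grep for strcpy/sprintf into stack buffers in the extracted firmware is a cheap way to find every affected product at once.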
  10. We hate to break it to you… ICS is IoT!
  11. What is the “Internet Of Things?!”
     • A new breed of miniature computers that, in contrast to a PC or server, have a single-purpose operating system communicating with other devices and/or the Internet = networked embedded device
     • ICS is IoT! Embedded devices have been around for decades; what’s new is the unprecedented connectivity & ubiquity
     • Consumer IoT: gimmicks, hype and hyperbole
     • Enterprise IoT: pragmatic business needs and financial rationale
     • New wireless tech & cheap SoCs drive adoption
  12. Cheaper Connectivity! Legacy systems (Programmable Logic Controllers, PLCs) get connected to IP-based/Ethernet networks
  13. Connected Manufacturing Floor: communication via Ethernet everywhere!
  14. Traffic Control in the Cloud: seriously, everything has an RJ45 jack now
  15. Industry choosing SoCs over ASICs: the root cause for why “ICS is IoT”!
     • ASIC: $$$
     • SoC: $
  16. Moving from ASICs to SoCs (the root cause for why “ICS is IoT”!)
     ASIC, “Application Specific Integrated Circuit”: custom chips
     • Developed specifically for a task
     • Expensive!
     • Based on “baked-in logic”
     • Simple “mask ROMs”
     • No need for “firmware”
     • Generally use “read-only” solid state storage
     SoCs (and FPGAs), “System On Chip”: general purpose chips
     • Require software (aka firmware) to make them specific to the business case
     • Generally use read/write solid state storage for firmware
     • Firmware is generally: a Real-Time Operating System (RTOS), an embedded OS, or “bare metal code”
  17. SoCs require firmware! Quick refresher on solid state storage…
     ROM (Read Only Memory) begat PROM, and PROM begat EPROM.
     • PROM was a one-time Programmable ROM, which made testing firmware dramatically faster and easier
     • EPROM replaced PROM’s one-shot fuses with floating-gate cells whose stored charge drains when exposed to UV light; a quartz window over the die lets the part be erased and reprogrammed
  18. SoCs require firmware! Quick refresher on solid state storage…
     …and EPROM led to EEPROM
     • Electrically Erasable PROMs could be erased without UV light
     • EEPROM erases cell by cell, which costs extra transistors per cell and limits density
     • By grouping cells into blocks (‘banks’) that are erased together, Toshiba invented FLASH, which is far denser and cheaper
     • Now most devices use FLASH, and that is where firmware is stored for IoT and ICS!
     • SoCs store their business logic in read/writeable FLASH as “firmware”
  19. Most Popular SoCs are ARM!
     • There is one in your cellphone!
     • Set-top boxes
     • ATMs and payment systems
     • PLCs and HMIs
     • Point of sale
     • Raspberry Pis!
     • Everywhere!
  20. Most Popular SoCs are ARM!
     • ATmega (an 8-bit AVR microcontroller, not ARM) used in Arduinos; STM32 (ARM Cortex-M) used in IoT
     • IoT and ICS use the same SoCs/hardware
     • IoT and ICS use the same kinds of software/firmware
     • IoT and ICS use the same communications protocols
     • PLCs even use the same embedded webservers and FTP daemons!
  21. So ICS devices and IoT use the same tech!
  22. So now, “software guys” can trivially hack hardware!
  23. Attack Vectors
     • Bad code can affect an entire product line
     • Firmware extracted via hardware
     • Simple vulnerabilities in hardware/firmware can propagate all the way up to exploit desktops and HMI systems
     Traditional attack vector: malware, code injection, shell script
     New IoT attack vector: compromised firmware, reconfiguration, misuse
  24. Primitive Thinking for Evolutionary Issues
     • Firewalls, border controls, air gaps vs. boundless networking
     • Anti-virus, signature detection vs. cognitive security
     • Passing the problem, prevention vs. detection and response, owning our own security
  25. SW/HW Uncanny Valley
     Originally conceived by Japanese roboticist Masahiro Mori in 1970 to explain the psychological reaction to anthropomorphic robots or other humanoid figures.
     • General feeling of unease when leaving the comfort zone of one’s own domain
     • Industry building a house of cards
     • HCC Embedded: third-party vulnerability in firmware
  26. Obscurity No More: Industrial Control IS a Target
     • STUXNET changed the game for industrial control; it spreads via USB sticks
     • The high capital cost of attacking ICS is bypassed by finding universal vulnerabilities in the supply chain or by weaponizing cheaper equipment
     • Increased research focus on Industrial Control Systems:
       - SCADA exploit modules within the Metasploit framework increased from 7 before Stuxnet to 57
       - 0day vulnerabilities for sale: 22 modules exploiting 11 zero-day vulnerabilities
     • Shodan puts ICS devices at your fingertips:
       - Traditional search engines like Google index web content intended for user consumption
       - Shodan indexes service headers intended for machine-to-machine communication
       - Finding targets for a publicly available exploit is akin to searching Google for the nearest Kinko’s
  27. Going Dark Not An Option: Dealing With the Realities of a Connected Future
     • Isolating or “air gapping” critical systems from the Internet is a fallacy in the 21st century
       - Isolated networks can get infected intentionally (worms like Stuxnet)
       - Insider threat
       - Unintentional compromise by connecting an infected computer during service or maintenance of the system
     • The need for connectivity and greater insight is driving the smart grid effort
  28. Solving for a New Threat Model
     Traditional threat model:
     • Code injection
     • Malware
     • Device compromise
     IoT threat model:
     • Malicious reconfiguration (safety/reliability)
     • Pivot to high-value networks
     • Reroute traffic, use data streams
     • DDoS and botnets
     Why traditional security does not work for IoT:
     • No homogeneity
     • Size/weight constraints
     • No user interaction
     • Difficult to detect a breach
     • No on-device memory
     • Signature-based systems not scalable
     • Exploits not detected by traditional methods
     • Inside-out does not work
     • Air-gapping is not 100% secure
     • Firewalls and IDS cause downtime and don’t alert on the right things
     Leverage unique IoT behavior for protection (using IoT characteristics for protection):
     • Predictable behavior
     • Dedicated functionality
     • IP connectivity
  29. ICS is IoT, IT is OT, and all of these are the “Digital Society”
     Stephen A. Ridley (CTO, Senrio Inc), Jamison Utter (VP, Senrio Inc)
     http://senr.io, Twitter: @xipitersec