Briefing given to the FBI in July 2017 regarding Cybersecurity threats.

1. IoT Security
Frank H. Siepmann,CISM,CISSP, ISSAP, NSA-IAM, NSA-IEM

2. What Is the Internet ofThings (IoT)?
ITU’s Definition:
“Internet of things (IoT): A global
infrastructure for the information
society, enabling advanced
services by interconnecting
(physical and virtual) things based
on existing and evolving
interoperable information and
communication technologies”
Source: International Telecom Union Rec. ITU-T Y.2060 (06/2012)

3. Categories of IoT Devices
 Network IoT device (I): Devices that only exist to ensure
Internet connectivity. Examples are Home routers, Home
Automation Hubs, etc.
 IoT only devices (II): Devices that have been created because of
the Internet connectivity. Examples would be: Amazon’s Echo
and Google Home
 Legacy IoT enabled devices (III): Devices that have been
around for years or decades that are modified to allow for
Internet connectivity. Examples: Internet enabled Fridge,
ConnectedThermostats, etc.

4. Common IoTTechnologyVendors
 Major Software Platforms
 AndroidThings – Google
 Windows 10 IoT – Microsoft
 Home Kit – Apple
 AWS IoT platform – Amazon
 Bosch IoT Suite – Bosch
 Device Connection Platform – Ericsson
 IoT Foundation Device Cloud – IBM
 IoT Analytics Platform – CISCO
 Etc.
 Hardware Platforms
 Atmel Microcontroller
 Texas Instruments
 ARM
 Qualcomm IoT
 Intel IoT
 SamsungArtik IoT
 LANTronix
 SierraWireless
 Etc.

5. Ecosystems where IoT is being used
 Home
 Internet connectivity (e.g. Router)
 TV,TIVO,VoIP, Home cameras,
 Home automation (e.g. Locks)
 Amazon Echo, Google Home, etc.
 Car
 Entertainment Center, Hotspot,
Maintenance, Remote control
 Industry
 Smart Sensors
 Programable Logic Controllers (PLC)

6. Why are IoT DevicesVulnerable?
 Cost
 Manufacturing cost < 60 Cents (Source: Goldman Sachs)
 Full-blown Linux running on single board computer for $5 (Raspberry Zero)
 Processing Power
 Many IoT devices are very limited in Resources (Single Core, RAM < 500 MB)
 History
 Traditionally Security has not been an issue in the various ecosystems
 User Negligence
 Vendor supplied password not changed
 Insecure protocols (e.g.WEP) not turned off
 ProprietaryTechnology
 Not leveraging proven frameworks
 Segmentation/Trust
 Relying on “traditional” trust models
 Inability to Update
 No Update mechanism available to address a new security flaw
Raspberry Pi Zero: $5

7. IoT Attack Surface
 Internet
 Flaws in Internet facing Services
 Security Flaws in Implementation
 Wireless
 Use of InsecureWireless Protocol
 Security through Proprietary Protocol
 Security by “Distance”
 Physical
 Device is not physically secured
Software Defined Radio (SDR) receives signals 950 – 2150 MHZ all
for < $25

8. Shodan – IoT Search Engine
Shodan
• Search Engine for Internet
Connected Devices
• Shows which devices are
connected to the Internet,
where they are located and
who is using them
• Within minutes a list of
vulnerable devices on the
Internet can be compiled

9. Wigle.net –Wireless Search Engine
Wigle.net
• Consolidates location and
information of wireless
networks world-wide to a
central database
• Site is crowdsourced with
people war-driving and
uploading their data
• Database can be queried by
applications via an API

10. Physical Security of IoT devices
Ring – Doorbell
• Doorbell that usesWiFi to
connect to Ring’s service,
recording video and allowing
for Intercom
• WiFi password is stored on
the device
• Device is programmed via a
USB connector
• No physical securing of
device, besides some screws

11. IoT “Special” Attack
Vibration Speaker
• Vibration Speakers (VS) get
connected to surfaces that
are used to emit sound
• Connecting theVS to the
outside of a door with glass
allows to control devices like
Amazon’s Alexa or Google’s
Home
• The possibilities are endless

12. Examples of IoT Attacks
Webcams used for DDoS
• Webcams with a security vulnerability
were used to launch one of the largest
DDoS attacks against Dyn, a DNS
service provider.
• Leveraging an amplification attack the
sheer number of devices was the
reason why the DDoS was initially
successful.
Home Router attacks
• Wireless Home Routers of various
vendors have been targeted by
malware. Redirecting DNS calls.
• One malware actually tries to secure the
router by identifying other infections
and trying to remove those.
SAMSUNG Fridge
• Samsung offers fridges that allow for
your Google Calendar to be displayed.
At least one model was vulnerable to a
man –in-the-middle-attack, not
checking the SSL certificate presented
by Google (or in this case an attacker).
OnStar used to control car
• OnStar, used in GM vehicles, allowed for
an attacker to eavesdrop on
communication.With that they were
able to unlock the car and start it.
• Jeep had to recall 1.4m vehicles due to
hackers being able to hijack most of the
car’s electronic functions.

13. Devil’s Ivy –
Vulnerability in gSoap Library used in IoT
 gSoap is a framework used by many IoT companies to implement the Open NetworkVideo
Interface Forum (ONVIF) protocol, used by e.g. Security cameras
 Small company behind gSOAP, known as Genivia, says that at least 34 companies use the code
in their IoT products (mainly physical security products)
 Genivia provided updated code that fixed the security vulnerability on 6/21/2017 all within 24h
of notification according to Genivia’s website.
 Genivia uses static code analysis! However, the flaw was two levels down.
 Many vendors struggling to get code out to the devices since updating the devices is in some
cases not possible, or users do not know about the flaw or are not skilled to perform an update
With a built-in update mechanism that acts independent from a user, the devices could
be updated as soon as a new firmware is available.
24h for new code, not bad!

14. Countermeasures
 Leverage Existing Frameworks
 Some IoT vendors have the tendency to “re-invent” the wheel e.g. Samsung fridge. This creates a
“uniqueness” that can result in vulnerabilities used but not publicly addressed.
 Other people with much better cyber security skills can do the work in fixing vulnerabilities for the IoT
company.
 Segmentation/Trust Relationships
 IoT devices that have Internet connectivity should not be part of a ecosystem that traditionally trusts each
other just by being a member.
 Additional mechanisms are needed to establish trust with a IoT device that has Internet connectivity e.g.
signing of messages end-to-end.
 Do not rely on Users for Security
 Studies have shown over and over that users are the weak link. One study showed that many IoT users do not
change the vendor set password.Vendors will need to “force” users to be secure.
 Built-In Update mechanisms
 Security “is a journey” an old saying but still true.What is secure today, might be vulnerable tomorrow.

15. EconomicTimes 08/13/17 –
“Over 50 Billion IoT Connected Devices By 2020”
What does this mean for Cybersecurity and Privacy?
 Increased complexity when implementing security controls and defining
regulations.
 Market will expand horizontally and vertically, creating even tighter pricing with
security being one cost factor to shave off.
 The large number of IoT devices by itself will face the same risks as cloud. If it fails,
it will fail really big.
 Regulations and laws will require adjustments.Already one case with Amazon’s
Echo and voice recording Amazon keeps.
 Users will need to learn with IoT being in their homes that someone is watching
and hearing them all the time – maybe not in real-time.

16. QUESTIONS ?

17. Contact Information
Frank H. Siepmann
CISM, CISSP, ISSAP, NSA-IAM, NSA-IEM
Email: Frank.Siepmann@1SSA.NET
Phone: +1-571-982-9907

18. APPENDIX

19. Sources
 ESET survey - https://cdn5-
prodint.esetstatic.com/Imported_from_GWS2_0/US/resources/press/ESET_ConnectedLiv
es-DataSummary.pdf
 The EconomicTimes – http://economictimes.indiatimes.com/tech/internet/50-billion-iot-
connected-devices-by-2020-report/articleshow/59580306.cms
 WIRED - https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-
acceleration-hacks/
 The Register - https://www.theregister.co.uk/2015/08/24/smart_fridge_security_fubar/
 Forbes - https://www.forbes.com/sites/thomasbrewster/2015/10/01/vigilante-malware-
makes-you-safer/#4b31988b1fd5
 WIRED - https://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/
 Devil’s Ivy - https://www.wired.com/story/devils-ivy-iot-vulnerability/
 VS Attack - https://www.youtube.com/channel/UCi-qfzbdNLFoJCUq8jRF3xw