2. What Is the Internet ofThings (IoT)?
ITU’s Definition:
“Internet of things (IoT): A global
infrastructure for the information
society, enabling advanced
services by interconnecting
(physical and virtual) things based
on existing and evolving
interoperable information and
communication technologies”
Source: International Telecom Union Rec. ITU-T Y.2060 (06/2012)
3. Categories of IoT Devices
Network IoT device (I): Devices that only exist to ensure
Internet connectivity. Examples are Home routers, Home
Automation Hubs, etc.
IoT only devices (II): Devices that have been created because of
the Internet connectivity. Examples would be: Amazon’s Echo
and Google Home
Legacy IoT enabled devices (III): Devices that have been
around for years or decades that are modified to allow for
Internet connectivity. Examples: Internet enabled Fridge,
ConnectedThermostats, etc.
4. Common IoTTechnologyVendors
Major Software Platforms
AndroidThings – Google
Windows 10 IoT – Microsoft
Home Kit – Apple
AWS IoT platform – Amazon
Bosch IoT Suite – Bosch
Device Connection Platform – Ericsson
IoT Foundation Device Cloud – IBM
IoT Analytics Platform – CISCO
Etc.
Hardware Platforms
Atmel Microcontroller
Texas Instruments
ARM
Qualcomm IoT
Intel IoT
SamsungArtik IoT
LANTronix
SierraWireless
Etc.
5. Ecosystems where IoT is being used
Home
Internet connectivity (e.g. Router)
TV,TIVO,VoIP, Home cameras,
Home automation (e.g. Locks)
Amazon Echo, Google Home, etc.
Car
Entertainment Center, Hotspot,
Maintenance, Remote control
Industry
Smart Sensors
Programable Logic Controllers (PLC)
6. Why are IoT DevicesVulnerable?
Cost
Manufacturing cost < 60 Cents (Source: Goldman Sachs)
Full-blown Linux running on single board computer for $5 (Raspberry Zero)
Processing Power
Many IoT devices are very limited in Resources (Single Core, RAM < 500 MB)
History
Traditionally Security has not been an issue in the various ecosystems
User Negligence
Vendor supplied password not changed
Insecure protocols (e.g.WEP) not turned off
ProprietaryTechnology
Not leveraging proven frameworks
Segmentation/Trust
Relying on “traditional” trust models
Inability to Update
No Update mechanism available to address a new security flaw
Raspberry Pi Zero: $5
7. IoT Attack Surface
Internet
Flaws in Internet facing Services
Security Flaws in Implementation
Wireless
Use of InsecureWireless Protocol
Security through Proprietary Protocol
Security by “Distance”
Physical
Device is not physically secured
Software Defined Radio (SDR) receives signals 950 – 2150 MHZ all
for < $25
8. Shodan – IoT Search Engine
Shodan
• Search Engine for Internet
Connected Devices
• Shows which devices are
connected to the Internet,
where they are located and
who is using them
• Within minutes a list of
vulnerable devices on the
Internet can be compiled
9. Wigle.net –Wireless Search Engine
Wigle.net
• Consolidates location and
information of wireless
networks world-wide to a
central database
• Site is crowdsourced with
people war-driving and
uploading their data
• Database can be queried by
applications via an API
10. Physical Security of IoT devices
Ring – Doorbell
• Doorbell that usesWiFi to
connect to Ring’s service,
recording video and allowing
for Intercom
• WiFi password is stored on
the device
• Device is programmed via a
USB connector
• No physical securing of
device, besides some screws
11. IoT “Special” Attack
Vibration Speaker
• Vibration Speakers (VS) get
connected to surfaces that
are used to emit sound
• Connecting theVS to the
outside of a door with glass
allows to control devices like
Amazon’s Alexa or Google’s
Home
• The possibilities are endless
12. Examples of IoT Attacks
Webcams used for DDoS
• Webcams with a security vulnerability
were used to launch one of the largest
DDoS attacks against Dyn, a DNS
service provider.
• Leveraging an amplification attack the
sheer number of devices was the
reason why the DDoS was initially
successful.
Home Router attacks
• Wireless Home Routers of various
vendors have been targeted by
malware. Redirecting DNS calls.
• One malware actually tries to secure the
router by identifying other infections
and trying to remove those.
SAMSUNG Fridge
• Samsung offers fridges that allow for
your Google Calendar to be displayed.
At least one model was vulnerable to a
man –in-the-middle-attack, not
checking the SSL certificate presented
by Google (or in this case an attacker).
OnStar used to control car
• OnStar, used in GM vehicles, allowed for
an attacker to eavesdrop on
communication.With that they were
able to unlock the car and start it.
• Jeep had to recall 1.4m vehicles due to
hackers being able to hijack most of the
car’s electronic functions.
13. Devil’s Ivy –
Vulnerability in gSoap Library used in IoT
gSoap is a framework used by many IoT companies to implement the Open NetworkVideo
Interface Forum (ONVIF) protocol, used by e.g. Security cameras
Small company behind gSOAP, known as Genivia, says that at least 34 companies use the code
in their IoT products (mainly physical security products)
Genivia provided updated code that fixed the security vulnerability on 6/21/2017 all within 24h
of notification according to Genivia’s website.
Genivia uses static code analysis! However, the flaw was two levels down.
Many vendors struggling to get code out to the devices since updating the devices is in some
cases not possible, or users do not know about the flaw or are not skilled to perform an update
With a built-in update mechanism that acts independent from a user, the devices could
be updated as soon as a new firmware is available.
24h for new code, not bad!
14. Countermeasures
Leverage Existing Frameworks
Some IoT vendors have the tendency to “re-invent” the wheel e.g. Samsung fridge. This creates a
“uniqueness” that can result in vulnerabilities used but not publicly addressed.
Other people with much better cyber security skills can do the work in fixing vulnerabilities for the IoT
company.
Segmentation/Trust Relationships
IoT devices that have Internet connectivity should not be part of a ecosystem that traditionally trusts each
other just by being a member.
Additional mechanisms are needed to establish trust with a IoT device that has Internet connectivity e.g.
signing of messages end-to-end.
Do not rely on Users for Security
Studies have shown over and over that users are the weak link. One study showed that many IoT users do not
change the vendor set password.Vendors will need to “force” users to be secure.
Built-In Update mechanisms
Security “is a journey” an old saying but still true.What is secure today, might be vulnerable tomorrow.
15. EconomicTimes 08/13/17 –
“Over 50 Billion IoT Connected Devices By 2020”
What does this mean for Cybersecurity and Privacy?
Increased complexity when implementing security controls and defining
regulations.
Market will expand horizontally and vertically, creating even tighter pricing with
security being one cost factor to shave off.
The large number of IoT devices by itself will face the same risks as cloud. If it fails,
it will fail really big.
Regulations and laws will require adjustments.Already one case with Amazon’s
Echo and voice recording Amazon keeps.
Users will need to learn with IoT being in their homes that someone is watching
and hearing them all the time – maybe not in real-time.