The growth of the Internet of Things (IoT) in our daily life creates immense opportunities and benefits for our society. However, IoT security has not kept up with the same rapid pace of innovation and development. This situation creates substantial security flaws and puts our privacy at risk. This talk will present the new challenges we are facing with the new revolution of IoT, including concrete demonstrations. In addition, we will present possible solutions for dealing with those challenges. Finally, we will do some fun coding with a proof of concept (POC) of one of these solutions.
15. The Rugged Manifesto
I recognize that my code will be used in
ways I cannot anticipate, in ways it was
not designed, and for longer than it was
ever intended.
I recognize that my code will be attacked
by talented and persistent adversaries
who threaten our physical, economic and
national security.
I am rugged, not because it is easy, but
because it is necessary and I am up for the
challenge.
Hello everyone. My name is Guy Rombaut. I am from Israel (accent). And I am here today because I love technology; I breathe it in my daily life. It's driven my career.
Or, simply put, I'm a tech geek. And if you are wondering: I am geekier than I look.
Today I am going to talk about security in the IoT generation.
I will start with some background on IoT.
I will also review the current security flaws and the challenges we are facing, and we will do a related technical exercise.
And I will finish by discussing the possible solutions and the future of security regarding IoT.
I will leave time for questions at the end, but you are definitely welcome to stop me and ask anything if something is not clear.
I'll start with a few questions.
How many of you have Facebook? How many of you use YouTube?
Who sent a message via WhatsApp in the last 15 minutes, or even now while I am talking?
I can see a lot of hands raised.
People are downloading, uploading and sharing videos, photos and posts.
Every minute:
Facebook users share nearly 3 million pieces of content.
Twitter users tweet nearly 300,000 times.
YouTube users upload 80 hours of new videos.
And that’s only from 2014.
It's clear that the Internet of People is a successful revolution.
However, now is the time for the Internet of Things.
Basically, "things" can communicate with each other.
A lighting system can dim and adjust the lights in your living room for a nice atmosphere; sensors collect data and control other devices, to enrich our lives and make them even easier.
** If you think about it, not so long ago such things existed only in our dreams or in movies.
The growth of Internet of Things (IoT) in our daily life creates immense opportunities and benefits for our society.
** Today, when you get into your car, you see a booting system. Everything has software. Your phone can recognize that you are in the car using Bluetooth and set driving mode. Apps like Waze or Google Maps will give you live traffic updates. And most amazingly, we are already living in the times of self-driving cars.
Car companies are finally realising that what they sell is just a big computer you sit in.
So far it sounds fantastic.
However, it raises an important question: what happens with all this data, and what about security?
This is basically our focus for this talk today.
Before we start talking about security, I would like to show you a small cartoon called "Google, NSA and the self-driving car".
It starts with some random guy who's buying a new Google self-driving car.
Then it goes to the NSA, who just heard about it,
and decides to create a small accident. Just because.
Anyone recognize this?
One sunny day, a Tesla car hits the side of a truck while the car’s autopilot mode was engaged. The car failed to see the white truck against the bright sky and ploughed into it.
Now this has nothing to do with security, you think. Maybe not directly.
But self-driving cars use sensors: ultrasound, radar and so on. Those sensors can be jammed, spoofed or simply muted.
So think about a scenario where you use your autopilot system, and someone actually hacks into your system, takes over your ability to control the car, causes an accident and basically... you die.
It sounds dramatic. However, this is not an imaginary scenario. There are researchers who have already hacked into cars: they were able to activate the airbags while driving, from a remote computer, and even disable the brakes.
How many people have a smart TV?
Just in the last few months there was a security breach in Samsung TVs.
It was used by intelligence organizations like the CIA.
https://www.forbes.com/sites/thomasbrewster/2017/03/07/cia-wikileaks-samsung-smart-tv-hack-security/#144debef4bcd
Capturing audio, storing passwords, uploading them to remote servers, monitoring what you watch.
** The interesting part is that it is like a Pandora's box. The ability to hack is available to almost anyone: exploits are documented and listed, forums describe DIY step by step, etc.
** You don't even have to be a hacker. You can just look for the default username and password in the manufacturer's documentation and you're in. There are bots scanning ports and trying to brute-force access.
** New crimes: ransom, or releasing photos. If you heard about the cyber attacks in recent days (hospitals in the UK got infected, big companies in the US, etc.), that's only the beginning.
** Basically, "things" that you use for your security, for example to keep out thieves, are actually opening back doors for other types of criminals.
And the main reason for that is:
** ** Companies are irresponsible. They build insecure software.
And therefore:
** Estimates are that over 500,000 IoT devices will be compromised this year. And it is just growing.
Now, we all came for some techy stuff. I would like to show you how bad the situation is by running our own experiment.
** EXPERIMENT OF WEBCAM – SCAN FOR DEVICES AND PORTS , HACK TO WEBCAM – BRUTE FORCE, EXPLOITS ETC **
Identify:
inurl:"ViewerFrame?Mode=”
IP camera:
http://www.insecam.org/cn/bycity/Amsterdam/
https://www.hackread.com/website-streams-from-private-security-cameras/
Find devices in the network using nmap:
nmap -T4 -A -v 10.46.104.0/24
1. Manufacturer
2. Brute force
3. Exploit
In the camera:
Show code: JavaScript getPwd, etc.
So in conclusion: as IoT grows so quickly, its security is not keeping up with the same rapid pace.
And you know what they say…
** Now, I don't tell you to smash your devices, but in many cases we don't think about this stuff. So just being aware is already a good start.
But what else can we do about it?
For the developers who are participating today, I want to say: it starts with you being responsible.
It is part of the ethics of being a software engineer.
** And REMEMBER: you are responsible for telling your manager/your company that this is an important concern.
As engineers, we should emphasise security from day one. Or in other words: secure by design.
You have to know your "enemy": script kiddies, other developers, viruses or malware, and others.
And then ask yourself: if I were evil, how would I abuse this feature?
Establish secure defaults: features disabled by default (e.g. if you build routers, remote management).
Separation of duties: an admin can turn features on or off, but it doesn't make sense that he is also able to buy products.
Limit the scope (e.g. only the internal network).
All the attacks in those examples could have been avoided by securing by design.
There are a lot of patterns that can be used. You can google for them.
Consider CIA: Confidentiality – only allow access to data for which the user is permitted
Integrity – ensure data is not tampered or altered by unauthorized users
Availability – ensure systems and data are available to authorized users when they need it
Considering each pillar will assist in producing a robust security control.
Another important point is about designing your authentication. When it comes to IoT, how do you actually claim ownership of a device?
How do I ensure that only I can configure or control the camera, sensor, router, etc.? How can I make it private?
The default username and password are rarely changed by the user; forget about it. Remember the grandparents I showed you: they don't even know how to.
So how can it be done? There are two important factors for validation: something you KNOW and something you HAVE.
For example, it can be a unique physical QR code printed on the box,
or a mechanism that allows a new device to be claimed only for a short period of time (e.g. in Bluetooth: discoverable mode).
There are lots of patterns, like two-factor authentication. Read more about it if you are still not familiar with it.
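A sketch of the claim-window idea above (a per-unit secret on the box as "something you have", plus a short window opened by a physical button press), as an added example that is not code from the talk or from any vendor; the names Device, press_button, claim, proof_for and provision_secret are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical claim flow for this talk, not any vendor's protocol:
# "something you have" = a per-unit secret printed as a QR code on the box,
# "short period" = a claim window opened only by a physical button press.
CLAIM_WINDOW_SECONDS = 60
MAX_BAD_PROOFS = 3

def provision_secret() -> bytes:
    """Factory step: each unit gets its own random secret (no shared default)."""
    return secrets.token_bytes(16)

def proof_for(claim_secret: bytes, owner_key: str) -> str:
    """What the owner's app computes after scanning the QR code."""
    return hmac.new(claim_secret, owner_key.encode(), hashlib.sha256).hexdigest()

class Device:
    def __init__(self, claim_secret: bytes, clock=time.time):
        self._claim_secret = claim_secret
        self._clock = clock                 # injectable for testing
        self._window_opened_at = None
        self.owner_key = None               # set once; later claims are refused
        self.bad_proofs = 0

    def press_button(self) -> None:
        """Physical presence opens the claim window, only while unowned."""
        if self.owner_key is None:
            self._window_opened_at = self._clock()
            self.bad_proofs = 0

    def _window_open(self) -> bool:
        return (self._window_opened_at is not None
                and self._clock() - self._window_opened_at <= CLAIM_WINDOW_SECONDS)

    def claim(self, owner_key: str, proof: str) -> bool:
        """Bind ownership if the window is open and the proof matches."""
        if self.owner_key is not None or not self._window_open():
            return False
        if not hmac.compare_digest(proof_for(self._claim_secret, owner_key), proof):
            self.bad_proofs += 1
            if self.bad_proofs >= MAX_BAD_PROOFS:   # shut the window on guessing
                self._window_opened_at = None
            return False
        self.owner_key = owner_key
        self._window_opened_at = None
        return True
```

Without the button press nothing can be claimed, without the box secret the proof fails, and once claimed the device refuses further claims until a factory reset.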
And the last point I would like to discuss is what I call "the security of the smart home".
This is more like adding a layer of security on top of the IoT devices.
Most IoT devices are connected to a centralized point. It can be a hub, or even just a Wi-Fi router.
If we can add a security layer at that level, it can be a game changer.
Smart firewalls, link scanning against phishing, antivirus, etc. are not new, but the idea is to apply them at a different layer.
In the past I worked for AVG/Avast, and I can tell you that we were actually working on such solutions. If you are interested you can google for "Chime Wifi". It is available on the market in the States. And there are also other companies who develop similar solutions.
But those are only the basics.
Think big.
We can use artificial intelligence to monitor the bandwidth and stop possible attacks: for instance, identify the source, inspect the packets for possible exploits.
Monitor the behaviours: is it a bot or a real human?
And it's just the beginning. The market has so much more potential than you can imagine.
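One simple form of the behaviour monitoring described above, done at the hub or router level, as an added example that is not code from the talk or from any product: learn what ports and hosts each device normally talks to, then flag a device that starts using ports it never used or fans out to many unfamiliar hosts. The flow records, device names and addresses are constructed; learn_baseline and detect are hypothetical names.

```python
from collections import defaultdict

# Constructed flow records as a hub or Wi-Fi router would see them:
# (device, dst_ip, dst_port). Device names and addresses are made up.
BASELINE = [                                   # quiet learning period
    ("cam-1", "203.0.113.10", 443), ("cam-1", "203.0.113.10", 443),
    ("cam-1", "203.0.113.11", 443), ("bulb-1", "198.51.100.5", 8883),
    ("bulb-1", "198.51.100.5", 8883),
]
LIVE = [                                       # later traffic to judge
    ("cam-1", "203.0.113.10", 443),
    ("cam-1", "192.0.2.1", 23), ("cam-1", "192.0.2.2", 23), ("cam-1", "192.0.2.3", 23),
    ("cam-1", "192.0.2.4", 23), ("cam-1", "192.0.2.5", 23), ("cam-1", "192.0.2.6", 23),
    ("bulb-1", "198.51.100.5", 8883),
]

def learn_baseline(flows):
    """Per device: the destination ports and hosts seen during the learning period."""
    profile = defaultdict(lambda: {"ports": set(), "hosts": set()})
    for dev, ip, port in flows:
        profile[dev]["ports"].add(port)
        profile[dev]["hosts"].add(ip)
    return dict(profile)

def detect(profile, flows, fanout_limit=5):
    """Flag devices using never-seen ports or fanning out to many unfamiliar hosts."""
    new_ports = defaultdict(set)
    new_hosts = defaultdict(set)
    alerts = []
    for dev, ip, port in flows:
        base = profile.get(dev)
        if base is None:                       # a device the hub never profiled
            if (dev, "unknown device") not in alerts:
                alerts.append((dev, "unknown device"))
            continue
        if port not in base["ports"]:
            new_ports[dev].add(port)
        if ip not in base["hosts"]:
            new_hosts[dev].add(ip)
    for dev in sorted(set(new_ports) | set(new_hosts)):
        if new_ports[dev]:
            alerts.append((dev, f"new ports {sorted(new_ports[dev])}"))
        if len(new_hosts[dev]) >= fanout_limit:
            alerts.append((dev, f"fan-out to {len(new_hosts[dev])} new hosts"))
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE), LIVE):
        print(alert)
```

A camera that normally only streams to its cloud service on 443 and suddenly opens telnet connections to six new hosts is exactly the kind of change a hub-level layer can see even when the device itself has no protection.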
So in conclusion:
IoT creates huge opportunities and benefits for our lives. However, we must make its security better.
It starts by changing the prioritization in the development process, creating new standards and innovating new security solutions, which, as you can see, is a huge market that is just growing every day.
And before I finish, it's your turn to ask questions.
I hope I could teach you something new today. And if you take even one thing from this talk and implement it, I can sleep better.
Thank you.
….
If you look for my github, stackoverflow, askubuntu etc you can find