
How To Shield An IoT Product From The OWASP IoT Top 10

BSides Luxembourg · 2019 · 35:27 · Published 2019-11
Category: Technical
Topic: OWASP
Style: Talk
About this talk
The "S" in IoT stands for security. I have read this line so many times on blogs and on Twitter that I think it is time to do something about it. But how do we make an IoT product secure? Or how do we design a secure product from the start? The answer to the last question is easy, but doing it for an existing product is a big challenge. It probably cannot be done in one release, but you have to start somewhere. This talk will walk you through IoT, its components, some principles for designing a secure product, the OWASP IoT Top 10 and how to address them, setting up security requirements and controls, and, last but not least, analyzing two popular IoT use cases: a GPS tracker and a smart-city irrigation system. These should lay a fertile ground for further discussion.
Transcript [en]

I think so. Okay, like I said: how to shield an IoT product from the OWASP Top 10. About me: basically, probably like most of you here, I'm a hacker who kind of breaks things. I actually normally do the breaker side, not the builder, but I do both. I do trainings, and in my free time I like to do a lot of karate and slacklining when I'm not sitting in front of a computer. If you want to reach me: Twitter, LinkedIn, you can find me, it's easy. Okay, about my company: I've been working as a freelancer for a long time, and a couple of years ago I decided, okay, let's try to get a bit bigger, and founded a small company, and we do basically IoT security as the main thing. Since this is a non-commercial event, if there are students among you: we're having a class, an IoT security bootcamp, in Cologne, and we're giving up two spaces for students. So if anybody knows a student that wants to participate and come to learn for free, please give them the information, we'd love to have them.

All right, so what I'm gonna talk about: basically we're gonna start with a little bit of an introduction to make sure we're all on the same page about IoT, the architectures and the simple stuff. Then we're going to move into IoT security, so what's the current status, attack surfaces, maybe some design principles. After that we're gonna jump into the OWASP IoT Top 10 and a little bit about the project, the list that came out, how you can use it and how you can test for it. And if we have time (I timed it last night, it should work), if we have time we can go interactively through some use cases together, more of a discussion.

Okay, so IoT. Hands up who knows about IoT and does stuff, home automation and stuff like that? And if you do security for IoT? All right, three people, okay, good. All right, so I don't have to tell you: IoT is basically the Internet of Things, that's what it stands for, and it is a collection of interconnected objects. And I think what's different, you know, we already had that on the Internet, we have everything connected, distributed; what makes it different is that we have interactions with the physical world. So you normally have sensors and actors that are actually doing stuff and picking up information from the real world, so they're transforming analog data into digital data and actioning stuff. Normally you use it for automation, monitoring, data collection.

Now in IoT, you know, we're IT people, we tend to put things into categories and put things in boxes so we know what they are and label them. IoT is not different; there are different labels and stuff, mostly because of the use cases and the technology that's involved. So there's a whole bunch of them. The three I see the most is consumer IoT, which is basically anything that you use as the end user, so thermostats, smartwatches, smart plugs, maybe your TV, kettle, egg tray, you know, the works. I tend to put automotive into a separate category because it's just different technologies and there are a lot more safety rules in place for that. And then another big box would be industrial IoT; for example there's been a big boom on smart cities, so smart parking lots and irrigation systems for the cities and controlling traffic. You can maybe put your ICS or industrial control systems, the SCADA, or maybe your smart grids and stuff like that into that category.

So IoT, it's not the question of when it's getting big, it's already getting there. It doesn't matter where you get your data from and how many devices people say you have; the important thing is that it's going up, the amount of devices being connected is going up, it has a hockey stick curve, right? So the exact number of billions and where you get it is not the important thing; the important thing is to know it's here and it's growing, it's gonna be a bigger part of our lives every day and everything's getting connected, even stuff that shouldn't. So for example I ran into an Alexa-enabled connected toilet seat. Not necessarily something you really need; there's a use case for that, but most people really don't need it. If you're bored some day at work or something like that, take a look at this Twitter account, Internet of Shit; they find a whole bunch of stuff that's connected that maybe shouldn't be.

Okay, so we know about IoT. So IoT is actually pretty complex, and the reason for that is that you always have different layers and different things working into it. The first layer we'll talk about: you normally have your devices, your sensors or your things, and these have a hardware component and then they have software running on them. The software that's running on these devices is normally called firmware; it's normally a stripped-down operating system, it's down to the bones, but yeah, it's firmware nonetheless. Next thing you have is communication protocols, so how these things connect to the rest of the world and how they talk between each other. In some cases you have something like a gateway; a typical example of your gateway would be the Philips Hue, right? Yes, it has something that bridges between the networking world and the wireless communication protocols or the wired communication protocols you have on your sensors and your actors. After that you have somewhere where you collect all your data, that everything goes into, and you typically have a visualization application and action layer on top of that.

Another way to look at it, a little more of the same but shuffled differently: you have your device hardware with systems on chips or MCUs, sensors, actors; you have your firmware; connectivity; and you normally have some sort of mobile application, because everybody wants an app to control everything. You have a web application, because you have to enroll your users and be able to track them and bill them for stuff, and most of the stuff actually works because you have APIs and backends pumping the blood of the system. So since you have that big stack, we have to deal with all the complexity, the interactions and all the weaknesses of each of these layers independently if you want to make IoT secure. So you have to look at them all together and each layer separately to make sure that you have what you normally call defense in depth. And that brings us into the security of IoT. So, any questions so far before I keep on going? This is supposed to be interactive. All right.

Okay, so "the S in IoT stands for security". This is a running joke on the Internet; actually it's sad but true. It's not secure; lots of the devices are not being secured, and you can find lots of comments like this where all your devices are ransoming you to pay someone to get them to work. So a quick status of what we've seen over testing and working on these over the last couple of years is that most IoT devices are not secure. The main reason for that, it doesn't matter if it's consumer or enterprise, the main reason for that, especially on the consumer IoT side, is because they have a quick time to market, right? All the competition already has a device, we have to have one as well. So you have your connected barbecue, you have your power tools, everything has an app on it, and we need to do it as well, and it has to be cheap. So if anybody has worked in security: doing things quickly and cheap doesn't mean it's good for security. Normally security is neither cheap nor quick; it takes time to do stuff right. There's a whole bunch of marketplaces in IoT environments, there are just too many of them, and most of them are not secure. The main reason for that is that they don't define the security requirements. So if you don't set the bar nobody can try to meet it, even if the bar is low. Take for example the first version of PCI: it's not the best, but at least someone was setting something that you have to aim for. If you're not doing that you're not going anywhere.

And then most of the time the platform providers and the end users are the ones who end up paying for the security. So the platform providers, maybe you have a mobile carrier or something like that, they're actually paying for the audits, hopefully paying for the audits before they take a new device into their portfolio, and they're paying if the device gets hacked, they're paying with their reputation getting smacked on the yellow pages. And the end users suffer the attacks, right? Because if the device is not secure, it's a cheap device, you get hacked, it's your data, it's your smart home that doesn't work. So at the end you're actually paying for that the wrong way.

Okay, so like I said, consumer IoT: you've got cheap devices, quick time to market, and lots of devices being disposable, because after a year or so the Chinese guy who built that doesn't want to support it anymore, maybe they turn off the cloud or they go broke, and you end up with a paperweight. On the enterprise side of things, what we have is a whole bunch of people closing their eyes and saying "yeah, we work with proprietary protocols, nobody knows what we're doing, so we're safe", so security by obscurity, or "we're just using binary protocols, nobody can understand that". Yeah, right. Okay. Then if you go deeper into operational technologies you have a bigger problem: most of these systems were built a long time ago and they are built to be running for at least 15 to 20 years. They're not going to turn them off before that, because accounting-wise they have to write it off and that's how the accounting works; that's how those systems were built. So that's actually a big problem. Lots of them, they say "no, we don't need to secure it because we're not sending personal information over the wires, over the air, it's just sensor data, what could happen with that", or "we're using network technology X and that means it's secure", but they didn't check; most of them forget even to turn on the encryption or the security options they have on that protocol. And of course the typical excuse: "everything happens behind our firewalls so we're secure, we don't have to worry about anything". And actually in the OT world IoT is turning into a shadow infrastructure, like the same thing happened with the cloud services at the beginning with AWS, because people want the data they have and want to be able to monitor their systems, and if they go through the normal way they're not gonna be able to get anything done, because these guys don't know the technology and say "no, no, this is too dangerous". So lots of companies are actually buying small solutions, kind of SIM card connected, maybe a Raspberry Pi connected, and collecting data off their infrastructures, and they're not telling IT about it.

Okay, so what's really sad is that we're actually recycling bugs and errors from the past. So we're like back in the 90s; we should have learned about these things, but we still see a lot of clear-text protocols, people forget to turn on SSL and stuff like that. Mostly the excuse is that we don't have the power to do it, but most of the chips that you use already have encryption baked into hardware; it may not be the best encryption ever but it's better than plaintext. And they have problems with authentication and trust management, and of course no mature stacks.

Okay, so why don't we just build them secure by design? Yeah, we should have thought about that before, but this is actually the best option: if someone calls the security expert in when they're on the drawing board, it will actually save you a lot of time and money. There are studies out there; normally you will save between ten and twenty times as much money as when you have the product out in the field and you have to bolt security back onto it. And if you do that, of course remember the basic security principles: secure all your data, whether it's in motion or at rest; make sure you do secure defaults, if encryption is possible keep it on, stuff like that; make sure you use least privilege, so don't run everything on the device as root, for example, and only give the different roles the access they need for stuff to work; trust but verify, so a typical example of this would be SSL, right, if you're doing SSL with certificates please check that the certificate on the other side is actually what it should be and not just assume it's right; use secure components, so when you build stuff make sure that you can update these things and make sure the components you're using are being patched and actively maintained, don't just import a whole bunch of JavaScript libraries and let them sit there; allow upgrades and factory resets, so if someone takes your device and wants to sell it on eBay you want to make sure that his Wi-Fi password gets wiped off when he tries to sell it; of course make sure you have defense in depth; and define security requirements, so these things can actually work.

So we didn't do security by design, we're bolting it onto something that's already out the door. How do we do it? So this is actually what you normally get confronted with: the rabbit is already out of the hat, the product is being sold, or maybe, typical thing, you probably all know the feeling, the week before this goes into launch they call in the pentesting team and you get a report this big, and "oh no, now what's the risk, how would you manage it so it actually can get launched?" The real answer is you have to measure your risk. Probably you're not going to be able to convince your marketing department to delay the launch for six months to fix it, so you're gonna have to live with it, because there's actually no quick way to build security onto it. And being realistic, it will take you a couple of releases; hopefully you have agile software releases and you can update it so you can fix the stuff on the run. So since there's no easy solution for it, how do we actually do it? Well, there are a couple of ways: one thing you can do is a risk-based approach, or you can do a full-blown analysis; if you're doing a good analysis it will also take you some time, so no quick solutions. So if you're doing your security assessment, the first thing you probably want to do, like always, is find the attack surface, do some threat modeling analysis and some risk assessment. If you don't know what threats you can use, this is where your OWASP Top 10 list comes into play; you can always get inspiration and see what attacks are out there and what you actually have to think about if you haven't done this before. Once you did that you can define what things you actually want to test, see if it holds water, do some security testing, some pentesting, and then fix the issues, and this is rinse and repeat for every release, because stuff will pop up along the way when you're fixing issues.

It's important to prioritize, because you're gonna have a big list of things you want to go through and you want to make sure that you cover the things you can fix quickly; maybe they're not the biggest ones but you get them off your table and they're done. And you want to look for things that give you the biggest impact, so the ones that actually carry the highest risk. And if you don't know how to decide, you can always go through the OWASP IoT Top 10 list, because they actually show you the 10 things that are most common and have the biggest impact. And once you do that, just do a little dance and be happy because you did something good on your day.

Okay, so to go a little bit deeper on how you do these things: the first thing you want to do is talk about your attack surface. What I tend to do is split it down into four categories, basically based on the technology that's going in there and then know-how, so what you need to know to be able to attack these things. You want to look at everything that's on the device itself, so all your hardware related things: what are your interfaces, can you exploit it, what information can you pull out of the device. Because it's not in your control; you sold it. So if it's enterprise IoT it's probably put on a mast, on a pole 10 meters high, but if it's consumer IoT it's probably on someone's wrist and they can do whatever they want with it at home. Firmware vulnerabilities: what can you reverse engineer out of it, if there's a backdoor or stuff like that. I put classical security, mobile, web, infrastructure, all into one typical bucket, because that's stuff that most of the security people know about. And then I put into another bucket everything that has to do with radio and wireless communications.

Okay, so once you figure out what the buckets are, then you start doing your threat analysis. The important thing to do for that is that you always look at the big picture, so don't just focus on one device, don't just focus on your use case; zoom out and make sure that in your threat analysis you take a look at everything that's in that ecosystem to make the things work, from the network to the DNS and everything in there. So the first thing you want to do is build the diagram, a high-level design of all the things, and then you zoom in as you go. So start with a bird's-eye view and then go down into the details and do a couple of iterations. You identify all your components, for example you have a device, a mobile app, cloud services, and then you take a look at how these interact with each other. Normally you have to look at the security details on each of these things and then look at all the trust boundaries, so what is happening between these different devices, and then pick your favorite methodology to do this; you can maybe use STRIDE or VAST. So you'll try to look and see what happens if someone impersonates the device: can you use the credentials he picks off the device to connect to the dashboard, to connect to whatnot. This will also take a while, but if you haven't done it before it will teach you a lot about your product. And try to involve the designers, the developers, the engineers and the architects who did this, because they know the product better than you, and you see it from the security point of view, so enable them to help you do this; they know the product a lot better than you and they know how it works.
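To make that procedure concrete, here is an added example (my own code, not from the talk or the speaker) of the zoom-out, list-the-components, mark-the-trust-boundaries, apply-STRIDE steps written as a few lines of Python. The GPS-tracker ecosystem, the flow attributes (`encrypted`, `authenticated`, `per_device_credential` and so on) and the STRIDE prompts are constructed for this illustration; they are assumptions, not a published methodology or the speaker's model.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not code from the talk: a minimal STRIDE pass over a
# hand-drawn data-flow diagram. Components live in trust zones; any flow
# between two zones is a trust boundary and is asked a few STRIDE questions.
# The attribute names and the sample model below are constructed.


@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # trust zone, e.g. "device", "user", "cloud"


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    protocol: str
    encrypted: bool              # confidentiality in transit
    integrity_protected: bool    # MAC, signature or TLS on the channel
    authenticated: bool          # the receiver verifies who is sending
    per_device_credential: bool  # each unit has its own identity, not a fleet-wide secret
    logged: bool                 # the receiver keeps an audit trail of the action


def crosses_trust_boundary(flow: Flow) -> bool:
    return flow.src.zone != flow.dst.zone


def stride_findings(flow: Flow) -> list[tuple[str, str]]:
    """STRIDE prompts for one flow. Flows inside a single zone are skipped;
    denial of service is left out because it needs capacity data the diagram
    does not carry."""
    if not crosses_trust_boundary(flow):
        return []
    findings = []
    if not flow.authenticated:
        findings.append(("Spoofing",
                         f"{flow.dst.name} cannot tell a genuine {flow.src.name} from an impersonator"))
    elif not flow.per_device_credential:
        # The talk's question: is a credential picked off one device good for the whole fleet?
        findings.append(("Elevation of privilege",
                         f"a credential extracted from one {flow.src.name} is valid for every unit"))
    if not flow.integrity_protected:
        findings.append(("Tampering", f"{flow.protocol} traffic can be altered in transit"))
    if not flow.logged:
        findings.append(("Repudiation", f"{flow.dst.name} cannot prove what {flow.src.name} did"))
    if not flow.encrypted:
        findings.append(("Information disclosure", f"{flow.protocol} carries data in clear text"))
    return findings


def threat_model(flows: list[Flow]) -> dict[str, list[tuple[str, str]]]:
    """One entry per flow, keyed 'source -> destination'."""
    return {f"{f.src.name} -> {f.dst.name}": stride_findings(f) for f in flows}


def prioritize(model: dict[str, list[tuple[str, str]]]) -> list[str]:
    """Flows with the most open STRIDE categories first: a crude 'biggest impact' ordering."""
    return sorted(model, key=lambda key: -len(model[key]))


# Constructed GPS-tracker ecosystem: tracker, owner's phone, cloud API and dashboard.
TRACKER = Component("GPS tracker", "device")
PHONE_APP = Component("mobile app", "user")
CLOUD_API = Component("cloud API", "cloud")
DASHBOARD = Component("dashboard", "cloud")

FLOWS = [
    # Tracker reports position over TLS, but every unit shares one fleet credential.
    Flow(TRACKER, CLOUD_API, "MQTT over TLS", encrypted=True, integrity_protected=True,
         authenticated=True, per_device_credential=False, logged=True),
    # App talks to the API with a per-user account over HTTPS.
    Flow(PHONE_APP, CLOUD_API, "HTTPS", encrypted=True, integrity_protected=True,
         authenticated=True, per_device_credential=True, logged=True),
    # Internal call inside the cloud zone: no boundary crossed, nothing flagged here.
    Flow(CLOUD_API, DASHBOARD, "internal RPC", encrypted=False, integrity_protected=False,
         authenticated=False, per_device_credential=False, logged=False),
    # Local setup over Bluetooth with no pairing protection at all.
    Flow(TRACKER, PHONE_APP, "BLE", encrypted=False, integrity_protected=False,
         authenticated=False, per_device_credential=False, logged=False),
]

if __name__ == "__main__":
    model = threat_model(FLOWS)
    for key in prioritize(model):
        print(key)
        for category, note in model[key]:
            print(f"  [{category}] {note}")
```

Running it ranks the unprotected BLE setup path first, then the fleet-wide tracker credential; the two well-protected or in-zone flows come out empty. The point of the exercise is the zone attribute: a flow that never leaves a zone needs no STRIDE questions, so the diagram tells you where to spend the review time.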

So once you did this, you did your testing, you figured out stuff, how do you fix stuff? So it's really hard to find the priorities; you can always go for the quick wins. So hands up who remembers the Jeep attacks that Charlie Miller and Chris Valasek did? Okay, so not that many. So basically the Jeep had a vulnerability in their systems and they got remote control of a Jeep. So the Jeep was running on the highway, they did a video, look it up on YouTube, it's actually pretty fun. The reporter who did the reporting didn't know how they were gonna hack his Jeep; he knew they were gonna hack his Jeep, but he didn't know how. So he was just driving on the highway and then someone turned up the radio, put on the blinkers, and they actually turned off his car in the middle of the highway. So he was not really having fun in that moment. This comes into play because of the quick win: this thing was connected via GSM, and the biggest quick win that Jeep pulled off there is that they didn't ask for client isolation on that APN. That means anybody who had a SIM card on that network, using the same APN, could connect to any other car, so any other device that's connected in that network, and talk with it, and that's how they pulled off the attack. So the quick win was actually calling up the provider: "can you turn that off?" That's called client isolation; that means remote attacks don't work anymore because you can't access the network. So that's what quick wins can do for you, and they can be really easy: that was five minutes with the mobile provider on the phone and the problem was off the table, no recovery configuration, no rolling out new software, done. And then after you fix those things you can take a look at the highest impact, and that's where your OWASP IoT Top 10 comes in handy.

Okay, so the shortcut is to use the Top 10 list: you can just test for the things that are on this list, and review the list and maybe go to the engineers and ask them if they actually did things related to that list. Normally they will look up with big eyes and say "no, we didn't think about that", and you fix it quickly. This does not replace your regular security process, I'm not recommending you to do only this, but it will shorten your cycle and get you working, and then you can do the rest in the back.

Okay, so the OWASP IoT project is basically one of the OWASP projects focused on IoT. Last year, in December, actually December of last year, they came out with an updated list of all the things you should test, and you can see the list starts with weak, guessable or hard-coded passwords, insecure network services, and so on. So we'll go through the list one by one. Weak, guessable or hard-coded passwords: your typical backdoors. How you test for this: you can do brute-force attacks and dictionary attacks. If you're doing this on a device make sure to reduce the amount of threads and stuff you have, because if you hit a small device with a little CPU with your big laptop, Hydra with ten threads, you're gonna kill it; it can't handle that many requests. So normally you have to tune it down to maybe one thread and give it some time to breathe between all the password attempts. Then the other thing you can do is maybe pull out the firmware, search for strings, and if you know how to use IDA or Ghidra you can just try to reverse engineer it and see how it's doing stuff, but normally if you look for strings you'll find a lot of things.

remember that the strings tool olynyk's it only works it looks for things strings that are longer than four characters so someone has a password one two or three you won't find it with strings and of course you can just you know Google the defied a default password for that device so you know just look for it and you will probably find it and it will probably work inside your network services I think we all know about it you can just amend the middle attacks or port scans we'll Liberty scans and you will find services that are there that shouldn't be insecure network interfaces and basically is now we talked about that you had web interfaces api's mobile

interfaces maybe have an MQTT cue and these things are exposed to the internet and they're not secured so one of the things you can see a lot on for example with mqtt cues is that the device is allowed to change configuration of other devices so you can write on the cue where you do the configurations instead of just being able to read stuff so yeah make sure you do go into your normal all wast testing for all of these devices and don't reinvent the wheel lack of secure updating this actually can be pretty fun because you know lots of the devices did you give it a firmware in a say okay I'll install it so it will let you brick the device in

the best case or well that it will let you run your own private firm or on it there's actually in consumer 84 smart home stuff like this is actually a couple of manufacturers who are embracing this because they've noticed people want to buy the devices you know to run their own systems on it and they're selling and they're allowing you to do it and actually it's been there is they have doubled or tripled their sales because of that because you know there's a whole bunch of communities running writing their own frameworks for those devices so no they sell it out with their own crappy the firmware on top and you can put in you can build the

open-source projects and put into that so how you test for this and normally do it you just review the upgrade process see what's going on maybe sniff the traffic see if there's there's if there's actually some validation is the package sign or whatnot you can sniff it and yeah reverse-engineer it insecure and outdated components everybody has seen this if you ever done a pen test look like that you can or you know just open browser with a write plug-in it will tell you look this is running this old jQuery version that you know it's vulnerable stuff like that if you build the device or build a system make a bill of material so keep track of the libraries

you're using and all the different components are using then you can feed that into OS dependency check and it will give you a heads up if whatever component you're using is vulnerable and if you already have something have a big component out of the door there's a whole bunch of commercial commercial tools like black/dark check mark and the net and they're not that take that they dissect your product and give you the heads up insufficient privacy protections you know personal identifying information on device and all the ecosystems you can dump the you know the Wi-Fi password for example has to be stored somewhere nobody ends up in the EEPROM flash day so if you dump that

you'll probably find it you know you can they should encrypt it or you know office gate is somewhere to make it harder but it has to be stored somewhere and there's lots of stuff stored in the mobile apps as well we know about this insecure data transfer so make sure you have encryption at rest and in transit lack of device management this is more for the enterprise areas where you have to track how many which devices are out there which versions are running and you know how do you determine them and this will you fight probably find this out with a little bit of typical asking some questions and an audit in security defaults no typical hard-coded your

hardcore the passwords maybe you go through some hard eh export scans and whatnot and you know even though this is the most fun part it's number 10 which is lack of physical hardening because it normally affects just that device that you have in your hands and not the whole ecosystem but this is fun you know you can take the Versa part you look for you look for inter device interfaces so serial interfaces or jtech interfaces and then you connect you can use a nifty hardware like this for for example this is a bus pirate or you can actually there's some lots of stuff like JTAG a new that you can just run on a normal Arduino and be able to

connect to the devices okay to stun alright to sum it all down IOT is getting complex you have a really big attack surface because you have devices for more radio communications app web infrastructure network security it's important planet in advance try to put it into your designs if you're doing stuff like this don't reinvent the wheel there are security frameworks and requirement frameworks you can follow for example the LT security foundation has a pretty good one that's really broad it's not only technical it allows you to go through different things or you can use that the different OS lifts for each of of the areas make sure you test for that and yeah tests for it

tests for the different OS top ten list so if you it has a web component use the web one of a mobile user mobile one and remember not to recycle ball bugs and repeating the mistakes of the fact I'm the past and now I think we can go back into questions or a discussion I brought some use cases but I think will depend on on the time if we go through them we have ten minutes left for questions so but I don't know how many slice you have I can use that the use cases can be ten minutes I could be an hour so it doesn't matter so okay questions anyone comments even a second to bring they might you reference

the the jeep hack yeah right so I mean it was an interesting hack but in reality wasn't really I mean they it was bad security from the point of view of Jeep but yeah the problem didn't lie with Jeep itself the problem lie lies will lied and still lies with some tell co-op or is specifically American telco operators don't do Network isolation so like the g-pack you could have never really done in Europe because my network telco operators here in Europe do client isolation by default right so you wouldn't have been able to to get into that into that network anyway so my client is it's like there's two parts to this problem right there's the actual

device versus to divide the the infrastructure with the device depends on and sometimes we time to forget that part right we don't look at the whole chain of event the whole chain of things if we focus strictly on the I on the device security we're potentially missing something over here right on on the other side of the scale that's exactly what is taking about take a look up the whole ecosystem don't focus on the device make sure you take you you you know you see you see the whole ecosystem from 10,000 feet the bird view so you have all of your components in your view and don't forget something thank you hi thanks for the last

presentation I was very glad that you made the distinction between consumer and what I said in the serial i/o TV because they are very different but my question is for example as security people we love to on home automation for example and make fun of people who do stuff in automated way using IOT but it's a very valid use case and it can make life much easier for out of people especially for example all people or people with special needs so it's very important something that a lot of us can't even relate to or see like something that they could use in their parents home or in their own home as well so in this case what you need to

build the solution you can't really use the Wasco 10 in a sense because you don't really have time to sit and analyze the frameworks yourself or do all that process and in this Tyrael user might have all the resources and ammonia and everything to do this process what kind of is stuff like a normal consumer can do for example to make sure that the Google home or Alex or whatever does born in there grandparents house and doing some automated tasks does not bother security threat to their own like life or something like that by someone just hijacking and starting flipping the lights on and off all time okay so yeah thanks for the question so actually the

best thing you can do is make a conscious decision and, you know, invest your money in people who have a good track record, right? So if the device costs five euros off the internet including shipping from China, you know nobody took a look at security, right? It's just true, nobody took a look at that, they just packed and shipped it. So the only thing you can do is actually, you know... I know there's a project, I think it's Peter Bihr, he's working on a trust label project, so the idea is that the companies actually have to publish some sort of a self-assessment of the things they're doing

for the IoT devices. I hope that picks up. I think it's a project financed by the Mozilla Foundation, so I hope that picks up, because then, you know, if you're gonna buy something you can look up, oh, did they actually publish something or didn't they? So if they didn't, they either don't know or they don't care. So at the end your money talks, right? Try to invest in things that you think will be better, and at the end the end user can't do much more than that, because they don't have to know how to, you know, pick the device apart and do the security analysis. And actually, yeah, the point you made

about elderly people and smart homes, this is actually a good way to improve their quality of life, right? I think there was a talk the other day, I think it was Andy, and he has a system in place for his parents. For example, he has a whole bunch of sensors; for example, he has a sensor under the mat by the bed, so if his mom hasn't gotten up in the morning and pressed on that sensor by 10:00 in the morning, he knows she's sick. So he just gives her a simple call, hey mom, how are you doing, and she will tell him she's having the flu and stuff like

that. So it's not invasive, but it gives him a system to be able to support his mom, who doesn't want to go into a facility. And to quickly pick up on a point about the ecosystem being important, I think that's true, but it's also that there are a lot of weak links, right? So for example, even if the vulnerability for the Jeep was not exploitable in Europe, it's just an entry point into a part of the system that has no defense in depth. So they couldn't exploit it with some feature of the mobile network, but maybe it doesn't matter if you find something else to get into that, so Bluetooth or something, to take

over the head unit. So I think the problem is that a lot of these things depend on other things being secure, but they are not secure by themselves, right? So that's one of the biggest problems. There's actually, I saw a use case on automotive security, and they hacked the head unit using the radio, so the DAB radio hacked the system, and that was connected to the CAN bus, so they pushed the exploit through the digital radio. So yeah, it's not just the client isolation thing here. Another question? So it's gonna be the last question, then we will finish. This is more of a comment than a question. Yes, okay, but I think a lot of people don't, like, realize how

common this is in real life. I was talking to our key architect and he was telling me how he was driving his Volvo when the dashboard went from Swedish to Chinese all of a sudden, and then flipped back to Swedish, and I never got in the car with him again after that. But it's very common, and, you know, there are, like, systems everywhere. You can get very paranoid very quickly thinking about all the stuff that's really insecure around you. But I think this is a really good start, like having some common ground or some kind of shared understanding on how to move forward. So thank you for the nice presentation. Yeah, thank you. So thank you,

Pablo, and I guess we can go to the next talk. Thank you.