IoT Developers Conference 2015
Security Unintended Consequences:
The Backdoor of Embedded Devices
IOTD-08
Security Decisions in IoT
Created by: Clay Melugin, Senior Partner
Wireless Strategy & Business Development for the Connected World
• Why Security is Important
  – Dark Forces
  – InSecure Consequences
  – Public Perception
  – Industry Liability
  – Value to Users
  – Value to the IoT EcoSystem
• Security Priorities
  – Regulatory
  – User Privacy
  – Data Security
  – Device Security
• Security Strategy & Technology
  – Security Ownership & Responsibility
  – The IoT Security Layers
  – Technologies Available
• Hackers
  – Why they Hack
  – How they Hack
    • Inside compromise.
    • Outside compromise.
    • Primary target → OS & User Interfaces
    • Secondary targets → Hardware & Network
  – Hacker Rewards
    • Fortune & Fame
    • Education
    • Challenge
  – Hacker Friends or Foes
Security:
The state of being free from danger or threat.
Cybersecurity:
The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve.
Cyberwarfare:
The use of computers to disrupt the activities of an enemy country, especially the deliberate attacking of communication systems and infrastructure.
Security critical system:
A system whose failure could enable, or increase the ability of others to harm us.
Fred Chang – Director
Darwin Deason Institute for Cyber Security, Southern Methodist University
Why Security is Important
Benefits
• Privacy
• Device Control
• Confidence
• Assets
Consequences
• Liability
• Investigations
• Reputation
• Customer Loss
Privacy
While the US is becoming aware of the need for a Privacy Policy to protect people from risk it is important to know that other countries have Privacy regulations in place.
Experts in the Security industry recommend Canadian Privacy Laws as a best practice.
http://en.wikipedia.org/wiki/Canadian_privacy_law
Data Breach vs. Hacked
Data Breach
Identity is exposed + (any 1 item)
• Social Security Number
• Medical Record
• Financial record
• Credit or Debit number
Hacked
When you no longer have exclusive access & control over your product. Whether you know it or not.
Invest in Security
Legal Obligations
✓ Regulatory
✓ Privacy
↓
Liability Costs
✓ Data Breach
✓ Damages
✓ Negligence
Price the Solution including Liability Cost
↓
Invest in Security to reduce Cost
Value the Database
(Range typically $40 - 176 / user)
Replacement Method
The cost to rebuild the database if it were totally lost.
Income Method
Discounted Cash Flow of revenue generated from database sales, licenses, royalties
Royalty Method
NPV of licensing an equivalent database at market pricing.
Fair Market Value
Market data on equivalent database sales.
OR
Price of Database if sold to a free buyer, by a free seller, of equal knowledge.
Value Liability & Damages
Data Breach
• # of Records
  $ Notifications
  $ Victim Compensation
  $ Regulatory Cost
• Remediation
  $ Investigation Process
  $ Security Repair/Replace
  $ Data Recovery ?
  $ Process updates
  $ Public Relations
  $ Marketing Offensive
Negligence
• Damages
  $ Lawsuit/Class Action
  $ Regulatory Investigation
  $ Regulatory Oversight
• Other
  • Company Devaluation
  • Device Recall/Retrofit
  • Design Updates
  • Staff Retention or Increase
  • New Product Delays
Data Breach - Cause
19% Probability of a Data Breach within 24 months
Data Breach by Industry
Source: “2014 Cost of Data Breach Study: United States” by IBM and Ponemon Institute
Data Breach - Impact
Source: “2014 Cost of Data Breach Study: United States” by IBM and Ponemon Institute
Data Breach – Cost by Industry
More Liability
Asset Damage:
– Database (Corruption, Deletion or Destruction)
– System-wide internal infection (aka Sony)
– Implanted Security Breaches
Consumer Actions:
– Lawsuits (individual, class action)
– Social Media
Government Actions:
– Government Investigation
– Mandated Oversight for 20 years
Dark Forces . . . exist
Dark Forces don’t always attack
Damages
Electrical Event
• 20 problems in 11-minutes
• 5 electric grids down
• 12 hour power outage
Impact
• 7 million people
• Traffic gridlocked
• Multiple car accidents
• 2 nuclear reactors forced to shut down
• 3.5 million gallons of sewage spilled
• Water safety – Boil water ordered
• Businesses closed – no systems
• Gas stations closed
• Cellular service down
• Public transportation stopped
• 41 airline flights cancelled
Damage
• No damage to Grid was found.
Critical Infrastructure - IoT Targets
(Electric, Gas, Water, Transportation)
Electrical - Hacking
Natural Gas - Hacking
(Done)
Water - Hacking
(Unknown)
Transportation - Hacking
25 Security Vulnerabilities per IoT Device on Market
Source: HP Internet of Things Research Study
IoT Devices Evaluated
• Door Locks
• IoT Hubs
• Thermostats
• Remote Power Outlets
• Sprinkler Controllers
• Bathroom Scales
• Garage Door Openers
• Home Alarms
• Webcams
• Smart TVs
OWASP - IoT Top 10 List
Open Web Application Security Project
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
Source: https://www.owasp.org/index.php/
When to Implement Security
• Concept
• Design
• Prototype Testing
• Field Testing
• Production Release Process
• Pilot Production
• Production
• Distribution
• Initialization & Set-up
• Operation & Monitoring
What to Secure
I/O Sensors
• Objects that connect to Device to provide info or to act under control of the device.
• Wired or Wireless
• Example
  • Temp Sensors
Device
• The main control element (the box) on location that collects the data and controls the action.
• Sensors and controls may be integrated inside.
Transport
• Local-Area
  • BT or BLE
  • Zigbee
  • WiFi
• Wide-Area
  • Cellular
  • Private Network
  • Satellite
• Hardwired
  • Ethernet
  • PLC
Network Infrastructure
• Access Control
• Authentication
• Authorization
• Provisioning
• Data Transport
Data Connection
• Internet
• VPN
• Point to Point
Host Systems
• Servers
• Corp Network
• Access Control
Recipient
• Humans
• Processes
• Automation
<----------- Encrypted data -------------->
Attack from the Bottom
https://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home.pdf
1. User credentials stored unencrypted
2. Firmware not encrypted
3. USB open port for any USB connection
4. Firmware upload from any computer
Attack @ Devices
I/O Sensors, Device, Transport
I/O Sensor Connection
Hack:
1. Substitute I/O item
2. Sniff protocol for keys
3. Change operation
Result: Modify device operation by changing Sensor data or Servo response.
Value: Varies widely based on critical nature of device.
Device Level
Hack:
1. Access ports
2. Download code base
3. Find User
   • Identity & Password
   • Encryption Key
   • Network protocols
4. Upload new code
Result: Steal Data, Take Control
Value: Varies widely based on critical nature of device.
Weather Sensor, Smart TV, Thermostat, Traffic Light
Device → Transport
Hack:
1. Transport Analyzer
2. Sniff Protocol
3. Find Keys & Data
4. OTA Updates
Result: Spoofing Database, OTA Control & SW updates.
Value: High
Other Attacks @ Devices
Design Phase
Hack:
1. Test Protocol in Code
2. Non-consumer ports labeled on PCB
3. Documentation Theft
4. Auto Boot Loader on Power-up
5. Open OS & Tools
6. No Encryption or Crypto Controller
7. No Security Reviews
8. Documentation
9. Espionage
Result: Design leaves openings for Hackers.
Value: Priceless
Distribution
Hack:
1. Unauthorized reprogramming
2. Retail Return Process
3. Online Resellers
4. Aftermarket “Refurbished”
Result: Compromised Devices
Value: High
Production
Hack:
1. Malware on Test or Device Programmer
2. Loose SW Quality & Configuration Control
3. Change operation
Result: Compromised Devices
Value: Priceless
Hyper-Attacks @ Secured Devices
Crypto Breaking
Methods:
• Data Bus Sniffing
• Die Probing
• Spike Glitching
• Power Analysis
• Optical EB Scanning
• Alpha Radiation
• EMA/DEMA
Goal: Get the Private Key
Time: Months → Years
Cost: $300K - $1 Million
Value: Depends on target
Chip Replacement
Methods:
• Memory chip exchange
• Processor exchange
Goal: Get a compromised Device into Network
Time: Hours
Cost: < $200
Value: High (only if successful)
Secure Hardware Hack Methods
Example: Spike Attack. Development: Months. Execution: Minutes. > 100 €
Example: Microprobing. Development: Months. Execution: Days. > 100.000 €
Example: Power Analysis. Development: Days. Execution: Hours. > 10.000 €
Manipulating, Observing, Semi-Invasive
Lessons from the PC Ecosystem
1. Networks have unavoidable risk
2. Traditional defenses revolve around
   • Access control
   • Monitoring traffic
3. Next level defense built on “root of trust”
   • Trusted Execution only valid with HARDWARE ROOT OF TRUST
Trusted Computing
1. The primary role of a TPM is to provide trust
   • Want to establish an expectation of behavior
   • Cryptography provides methods but is not the purpose of a TPM
2. Attestation is the foundation for trust. Attest before we:
   • release the memory encryption key
   • allow it on the corporate network
3. For network applications, we also want identity
   • Not just any trustworthy machine on the corporate network
   • Not just any trustworthy machine to make charges to an account
   • Specific Authorized and Uncompromised Machines.
4. TPM uses cryptographic means for attestation and identity
   • Never listen, follow or engage an element you do not trust.
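The attest-before-release flow from the Trusted Computing slide, as an added example that is not part of the original presentation: a verifier replays a boot measurement log into a PCR-style hash chain and releases the memory encryption key only to an enrolled device with a fresh, valid quote over a known-good PCR. Assumptions: all names, device IDs, keys and boot components are constructed, and HMAC stands in for the asymmetric quote signature a real TPM attestation key would produce.

```python
import hashlib, hmac, os

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts as 32 zero bytes

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def replay(event_log):
    """Fold an ordered list of boot components into one PCR value."""
    pcr = PCR_INIT
    for component in event_log:
        pcr = extend(pcr, component)
    return pcr

def make_quote(device_key, device_id, pcr, nonce):
    """Device side. HMAC is a stand-in (assumption) for the TPM quote signature."""
    msg = device_id.encode() + pcr + nonce
    return hmac.new(device_key, msg, hashlib.sha256).digest()

# Constructed sample data: enrolled devices and the known-good boot chain.
ENROLLED = {"thermostat-0001": b"constructed-per-device-key"}
GOLDEN_PCR = replay([b"bootloader v1", b"kernel v1", b"app v1"])
MEMORY_KEY = b"constructed-memory-encryption-key"

def release_key(device_id, pcr, nonce, expected_nonce, signature):
    """Verifier side: return the key only to a specific, authorized,
    uncompromised machine; otherwise return None."""
    key = ENROLLED.get(device_id)
    if key is None:                                       # identity: not enrolled
        return None
    if not hmac.compare_digest(nonce, expected_nonce):    # freshness: replayed quote
        return None
    expected_sig = make_quote(key, device_id, pcr, nonce)
    if not hmac.compare_digest(signature, expected_sig):  # quote not from this device
        return None
    if not hmac.compare_digest(pcr, GOLDEN_PCR):          # boot chain was modified
        return None
    return MEMORY_KEY

def demo():
    """Return (result for clean boot, result for boot with a modified app)."""
    nonce = os.urandom(16)
    good = replay([b"bootloader v1", b"kernel v1", b"app v1"])
    bad = replay([b"bootloader v1", b"kernel v1", b"app v1 + implant"])
    key = ENROLLED["thermostat-0001"]
    ok = release_key("thermostat-0001", good, nonce, nonce,
                     make_quote(key, "thermostat-0001", good, nonce))
    tampered = release_key("thermostat-0001", bad, nonce, nonce,
                           make_quote(key, "thermostat-0001", bad, nonce))
    return ok, tampered
```

The device with the modified application still produces a valid signature, but its PCR no longer matches the golden value, so the key is withheld.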
Requirements for Hardware Security
New requirements for the hardware
✓ Few Restrictions for Software Developers
✓ Strong Hardware Security
✓ Easy-to-Use Security Features
✓ Autonomous Security
✓ Self-Checking Hardware
✓ Robust Design
✓ Security Simulation
Crypto Controllers
(Trusted Friends)
http://www.infineon.com/cms/en/applications/chip-card-security/embedded-security/
http://www.atmel.com/products/security-ics/
http://www.nxp.com/secure-connections/cyber-security.html
In an increasingly mobile and connected digital world data security, data integrity and data availability are the prerequisites for sustainable consumer confidence and successful business models, especially in the context of an increasing number of attacks
Attacks from the Top
Apps & Web