Follow the Money, Follow the Crime

Upload: ibm-security

Post on 08-Aug-2015

TRANSCRIPT

Page 1: Follow the Money, Follow the Crime

© 2012 IBM Corporation

IBM Security Systems

© 2014 IBM Corporation

Things Gone Wild: When Your Devices Behave Badly

Page 2: Follow the Money, Follow the Crime

“Things” hacker

Page 3: Follow the Money, Follow the Crime

This is the “maker” corner of my office

Page 4: Follow the Money, Follow the Crime

A man is stuck in traffic on his way to work.

Page 5: Follow the Money, Follow the Crime

His mind wanders: Did I leave the fridge open?

Page 6: Follow the Money, Follow the Crime

He pulls his smart phone out.

Page 7: Follow the Money, Follow the Crime

The man taps an app on his smart phone labeled “Home Automation”

Page 8: Follow the Money, Follow the Crime

The man taps an app on his smart phone labeled “Home Automation”

Page 9: Follow the Money, Follow the Crime

The man taps an app on his smart phone labeled “Home Automation”

Page 10: Follow the Money, Follow the Crime

Everything is fine at home. The man rolls his eyes and grins at his own obsessive concern.

Page 11: Follow the Money, Follow the Crime

But in reality, someone has hacked his home area network. The refrigerator is spewing ice cubes…

Page 12: Follow the Money, Follow the Crime

The dishwasher is overflowing…

Page 13: Follow the Money, Follow the Crime

The toaster is aflame while the ZoomBot bumps the counter, sending the toaster toward the curtains.

Page 14: Follow the Money, Follow the Crime

IBM X-Force is the foundation for advanced security and threat research across the IBM Security Framework.

Page 15: Follow the Money, Follow the Crime

IBM X-Force® Research and Development

Expert analysis and data sharing on the global threat landscape

• Vulnerability Protection
• IP Reputation
• Anti-Spam
• Malware Analysis
• Web Application Control
• URL / Web Filtering
• Zero-day Research

The IBM X-Force Mission

• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter

Page 16: Follow the Money, Follow the Crime

Coverage

20,000+ devices under contract

15B+ events managed per day

133 monitored countries (MSS)

1,000+ security related patents

100M+ customers protected from fraudulent transactions

Depth

25B analyzed web pages & images

12M spam & phishing attacks daily

86K documented vulnerabilities

860K malicious IP addresses

Millions of unique malware samples

IBM X-Force monitors and analyzes the changing threat landscape.

Page 17: Follow the Money, Follow the Crime

The Internet of Things (IoT): a revolution is occurring just like Cloud, Mobile, Social & Analytics

The Internet of Things will represent 30 billion connected “things” by 2020, growing from 9.9 billion in 2013 [1].

These connected "things" are largely driven by intelligent systems, all collecting and transmitting data.

[1] Source: IDC, “Worldwide and Regional Internet of Things 2014-2020 Forecast Update by Technology Split”

Page 18: Follow the Money, Follow the Crime

Smart Homes

Page 19: Follow the Money, Follow the Crime

Smart Energy / Smart Meters (AMI)

Page 20: Follow the Money, Follow the Crime

Side Channel Security Information

Monitor usage and determine:

When the fridge runs its defrost cycle

When the coffee maker kicks on

When you run your electric razor

What you’re watching on TV

To some extent, this can be done now

Smart meters give much more granular information

Source: http://www.h-online.com/security/news/item/Smart-meters-reveal-TV-viewing-habits-1346385.html

Page 21: Follow the Money, Follow the Crime

Smart Meter Event Monitoring

Reverse Rotation Detected

Inversion tamper

Removal Tamper

Power Outage / Restoration

Remote Disconnect / Reconnect Failure / Success

RF Transceiver Reset

New device joined HAN

Configuration Changed

Firmware Change Complete

Replay Attack

Page 22: Follow the Money, Follow the Crime

Industrial Control / SCADA Systems

Most SCADA systems are to IoT what flip phones are to mobile

Page 23: Follow the Money, Follow the Crime

Smart Cities / Smart Buildings

Traffic / transport

Utilities / energy

Telecommunications

Public safety

HVAC systems

Occupancy

Elevators/escalators

Page 24: Follow the Money, Follow the Crime

Smarter Prisons?

Page 25: Follow the Money, Follow the Crime

Wearables

Page 26: Follow the Money, Follow the Crime

Medical Devices

Page 27: Follow the Money, Follow the Crime

Biohacking

How are you going to control this type of BYOD?

Page 28: Follow the Money, Follow the Crime

The instrumented vehicle; automobile threat surface

Engine Control Unit

Transmission Control Unit

Airbag Control Unit

Anti-lock Braking System

Tire Pressure Monitor

Vehicle to Vehicle Communications

Instrument Cluster / Telematics

Keyless Entry / Anti-theft

OBD-II

Car Multimedia

Dynamic Stability Control

Page 29: Follow the Money, Follow the Crime

Page 30: Follow the Money, Follow the Crime

The IBM model for the Internet of Things

At IBM, we’ve created a model of the IoT that’s useful for understanding the security threats at various data flow and control transition points.

Page 31: Follow the Money, Follow the Crime

Home automation systems are driving comfort and security enhancements.

Includes technologies like:

• Smart appliances
• Lighting and sound systems
• Televisions
• Thermostats
• Smoke detectors and alarm systems
• Garage doors and door locks

Connected via:

• Local home network, which is often wireless, and then connected to the Internet via a service provider
• Security systems may also have a secondary connection using a mobile network

Available from:

• Service providers or utilities providing home automation services
• Hobbyists can build their solutions, bypassing the cloud layer, opting instead to connect to their home area network directly from a mobile device or computer.

Page 32: Follow the Money, Follow the Crime

Connected vehicles can enhance both safety and control for drivers.

Includes technologies like:

• Emergency assistance
• Remote telemetry reporting, such as speed, location and engine temp
• Remote start
• Remote cabin climate control

Connected via:

• The local network is a controller area network (CAN), to which the electronic control units (ECUs) for brakes, engine, power windows and other components connect.
• Global network is a mobile carrier
• Cloud service is often the auto manufacturer’s network, to which the car identifies itself and is authenticated with an app on a mobile device.

Available from:

• Automobile manufacturers

Page 33: Follow the Money, Follow the Crime

Industrial control and SCADA systems vary wildly by industry, age, and use.

Includes technologies like:

• HVAC systems
• Access control systems
• Energy consumption
• Infrastructure processes like water treatment, oil and gas pipelines, and electrical power transmission and distribution systems

Connected via:

• Older SCADA systems can be controlled over a dial-up line by an operator console segmented from the rest of the network, with no Internet connectivity or ability to control the system from outside the factory network.
• Newer industrial control systems are built on a general-purpose OS, designed to connect to an IP network.

Available from:

• Legacy designs embedded in factories
• Industrial control service providers

Page 34: Follow the Money, Follow the Crime

Smart meters are driving the convergence of operational technology and traditional IT networks.

Includes technologies like:

• Electric, natural gas, or water meters
• Alternative fuels like solar energy and wind power
• Locally sourced microgrids, which generate, distribute, and regulate the flow of electricity to consumers in a small geographic area

Connected via:

• Connection from meter to energy provider’s cloud using communication methods like cell and pager networks, satellite, licensed radio, combination licensed and unlicensed radio, or power line communication
• Analyzed telemetry is provided to billing systems and available to customers through a web portal or mobile app

Available from:

• Electric utilities
• Municipalities

Page 35: Follow the Money, Follow the Crime

Implantable medical devices are improving levels of patient care.

Includes technologies like:

• Pacemakers and cardioverter defibrillators
• Cochlear implants
• Insulin pumps
• Camera capsules
• Neuromonitoring systems

Connected via:

• Current connectivity provided over radio frequency to specialized control devices and is limited in range
• There is pressure to widen connectivity so patients would have access to their data over patient portals, with the entire ecosystem of healthcare providers and insurers accessing a unified view of patient care information

Available from:

• Medical device manufacturers

Page 36: Follow the Money, Follow the Crime

The Internet of Things brings a range of threats and attack vectors.

Threat vectors

• Web application vulnerabilities

• Exploits

• Man in the middle

• Password attacks

• Information gathering / data leakage / eavesdropping

• Rogue clients

Backdoor access to a building maintenance program was used to access floor plans for a business.

Using a CD playing MP3 files in a car’s audio system, researchers were able to access all the ECUs in the vehicle, and disable brake functions while the car was travelling at 40 mph.

Network-connected lighting was compromised to access local Wi-Fi network passwords.

Page 37: Follow the Money, Follow the Crime

Each layer in the Internet of Things is susceptible to a variety of attack vectors.

A. Password attacks

B. Web application vulnerabilities

C. Rogue clients / malicious firmware

D. Man in the middle attacks

E. Information gathering / data leakage / eavesdropping

F. Command injection and data corruption

[Figure: attack vectors A to F mapped onto the layers of the IoT model: Things, Local network, Global network, Cloud service, Controlling device]

Page 38: Follow the Money, Follow the Crime

IoT exposes varying threat surfaces, and requires security specific to each category of device.

Hardware manufacturers need strategies specific to each category of device:

A secure operating system with trusted firmware guarantees

A unique identifier

Strong authentication and access control

Data privacy protection

Strong application security

Page 39: Follow the Money, Follow the Crime

IBM recommends manufacturers adhere to a set of best practices to address the security challenges of the IoT.

Follow the Open Web Application Security Project (OWASP) IoT Top 10 practices.

Build a secure design and development practice

Perform regular penetration testing on products

Follow industry guidance, such as the IBM Automotive Security Point of View.

Page 40: Follow the Money, Follow the Crime

Page 41: Follow the Money, Follow the Crime

Connect with IBM X-Force Research & Development

Find more on SecurityIntelligence.com

IBM X-Force Threat Intelligence Reports and Research: http://www.ibm.com/security/xforce/

Twitter: @ibmsecurity and @ibmxforce

IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force

Page 42: Follow the Money, Follow the Crime

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
