IoTNext 2016 - SafeNation Track
TRANSCRIPT
1
Las Vegas comes to Bengaluru!
IoTNext 2016 - SafeNation Track
• Arvind Tiwary
• Ravi Mishra
• Vishwas Lakkundi
• Devesh Bhatt
2
Task Force on IoT Security
IoT Forum & CISO platform join hands to create IoT Security Task force
Readying up the Nation for #IoTSecurity
The task force is chartered to develop threat models and controls, and to assist players in new techno-legal-commercial arrangements to improve IoT security.
Fresh thinking around Security for IOT
3
The Indus Entrepreneurs (TiE) Network
15,000+ members globally
58 chapters spread across the globe
18 countries
2,500+ charter members globally
1999: Bangalore chapter started
750+ members in Bangalore
1,000+ startups at TiE Bangalore
75+ events per year in Bangalore
1992: TiE Silicon Valley started
125+ mentors/charter members in Bangalore
4
TiE IoT Forum Activities: 12 Billion Indian IoT Market
Events in 2014 and 2015:
▪ June 5: Open House (attended by 125+ participants)
▪ June 26: Communication (connectivity workshop attended by over 25 participants)
▪ Aug 6: Bluetooth (technical deep-dive session attended by over 35 participants)
▪ Aug 22: Surveillance workshop with B.PAC for schools (attended by over 25 participants)
▪ Sep 11: MOU with IESA; press coverage in leading online and print media
▪ Sep 11: Smart Water, Power & Internet: Public Utilities for the City of the Future (TiE IESA Bangalore, attended by 280+ participants)
▪ Sep 18: IoT in Retail (attended by 65+ participants)
▪ Nov 13: Crowdfunding Your IoT Product (attended by 75+ participants)
▪ Nov 19: MEMS technical deep-dive session (attended by 30+ participants)
▪ Nov 20: Smart Devices: Leveraging Consumerization and Open Innovation for the Future (TiE IESA Hyderabad, 65+ participants)
▪ Feb 20: IoT-based Smart Grid: Core of Sustainable Living (TiE IESA Delhi, 50+ participants)
▪ Feb 26: Contiki IoT workshop: Middleware for IoT (RBCCPS Bangalore, 40 participants)
▪ March 10: Workshop: Demystifying IoT (TiE IESA Pune, 50 participants)
▪ March 10: Smart Vehicles: The IoT Future (TiE IESA Pune, 50 participants)
▪ May 9: IoT Innovation Showcase by 16 startups (150+ participants)
▪ June 25: Smart Agriculture and Smart Healthcare (TiE IESA with pan-India colleges and universities, 175+ participants)
▪ Sep 25: IoT Security, an IEEE partner event (75+ participants)
▪ Dec 4-5: IEEE Bangalore: Leveraging Use Cases to Validate IoT Opportunities (partner event, 200+ participants)
▪ Dec 9-10: IoT Next 2015 (700+ participants, 60 speakers, 20 startups)
Overall: 20+ events, 2000 attendees, 280+ startups
5
About CISO Platform
Industry's 1st dedicated collaboration platform for CISOs and senior IT security leaders, with the vision to:
• Help CISOs make the right IT security decisions using our decision tools, content and peer collaboration
• Build a community-based knowledge repository in the form of structured research and reference documents
Current research areas include:
• IoT Security
• Cyber Crisis Management
• Cyber Security Index
• Top N Threats & Controls Mapping
• Enterprise Security Architecture
• Using AI for Security Decisions
6
FRIDAY OCTOBER 21, 2016
DO YOU REMEMBER THIS DATE??
7
LARGEST DDOS ATTACK AGAINST DYN
8
Why Did Dyn Fail?
▪ A large network of compromised devices was used to flood Dyn's servers with traffic
▪ In particular, servers used as part of Dyn's enterprise offerings were targeted
▪ Dyn wasn't able to handle the additional traffic, and its servers either stopped responding or responses were substantially delayed
9
Who Did it and Why?
10
How can we minimize the risk?
▪ Use multiple DNS providers, so that if one experiences problems the others serve as backup
▪ This requires additional tools and setup to make sure zone data is kept synchronized across the different providers
▪ We can maintain some DNS servers in house to provide limited service to internal users, and as a last resort if we are not targeted ourselves but suffer collateral damage
▪ Adjust our DNS configuration to allow longer caching of our records (increase the "Time to Live")
11
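As an added example (not from the deck), a small Python audit of the two configuration points above: whether a zone's NS set spans more than one provider, and whether record TTLs are long enough for resolvers to keep serving cached answers during a provider outage. The record tuples and provider names are constructed sample data; grouping nameservers by the registrable domain of their hostname is an assumption used to approximate "provider".

```python
from collections import defaultdict

# Constructed sample zone data in the shape (name, type, ttl, value),
# as a resolver query would return it. Two NS providers, two low-TTL hosts.
SAMPLE_RECORDS = [
    ("example.test.", "NS", 3600, "ns1.dnsprovider-a.test."),
    ("example.test.", "NS", 3600, "ns2.dnsprovider-a.test."),
    ("example.test.", "NS", 3600, "ns1.dnsprovider-b.test."),
    ("www.example.test.", "A", 60, "192.0.2.10"),
    ("api.example.test.", "A", 300, "192.0.2.11"),
]


def provider_of(ns_host):
    """Approximate the provider by the last two labels of the nameserver host (assumption)."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_dns_resilience(records, min_providers=2, min_ttl=3600):
    """Report how many distinct NS providers serve the zone and which records
    have TTLs too short for cached answers to outlive a provider outage."""
    providers = defaultdict(list)
    low_ttl = []
    for name, rtype, ttl, value in records:
        if rtype == "NS":
            providers[provider_of(value)].append(value)
        elif ttl < min_ttl:
            low_ttl.append((name, ttl))

    findings = []
    if len(providers) < min_providers:
        findings.append(f"only {len(providers)} DNS provider(s); need >= {min_providers}")
    for name, ttl in low_ttl:
        findings.append(f"{name} TTL {ttl}s < {min_ttl}s; cached copies expire too fast")
    return {"providers": dict(providers), "findings": findings}


if __name__ == "__main__":
    for line in audit_dns_resilience(SAMPLE_RECORDS)["findings"]:
        print(line)
```

Longer TTLs also slow down legitimate record changes, so the threshold is a trade-off to set per zone rather than a fixed rule.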
IoT Architectural Layers
Layers: End Nodes | Hubs | Gateway | Platform | Applications | Touchpoints
▪ End Nodes: temperature sensor, vibration sensor, fitness tracker, electric meter, switch actuator
▪ Hubs / Gateway: router nodes, edge router, smartphone, LPWAN base stations
▪ Platform: open source or commercial; device management, access management, security
▪ Applications: end user, city managers, system admin, City One Operations Center
▪ Touchpoints: apps, SMS, social media, 3rd party
12
Components of an IoT Node
Hardware layers:
▪ Microcontroller
▪ RF transceiver
▪ External memory
▪ Sensors/actuators
▪ Power source/storage
▪ Energy harvesting
Software stack:
▪ Low-level device drivers
▪ Energy-aware RTOS (optional), protocols and middleware
▪ App interfaces for sensors, communication, processing, ...
13
Security of Nodes
▪Securing the end nodes (physical accessibility)
▪Securing the network links
▪Securing remote device management
▪Securing admin operations
▪OS security configurations
▪Patching and firmware updates
▪ Reverse engineering of just one node can lead to an insecure network!
14
Threat Model
15
Components of an IoT Gateway
▪ Microprocessor
▪ Applications
▪ Local storage/database
▪ Local/edge analytics
▪ Power source
▪ Local UI
▪ Protocol translators/proxies
▪ Cloud connectivity
▪ Security
16
Security of Gateways
▪Protocol Translation vs End-to-End Encryption
▪Secure On-boarding of Devices
▪Secure Boot
▪Firewalls
▪Intrusion Prevention System
▪Access Control Policy
▪Root of Trust and TPM
▪Security Updates
17
Threat Model
18
APPLICATION SECURITY
19
Types of Threats
▪ Threats against the network: spoofed packets, etc.
▪ Threats against the host: buffer overflows, illicit paths, etc.
▪ Threats against the application: SQL injection, XSS, input tampering, etc.
20
BHUSA and DEFCON Talk Trends
BlackHat
▪ Total talks: 117
▪ Top 5 domains:
▪ Malware: 22 talks
▪ Platform security (VM, OS, host, container): 21 talks
▪ Exploit development: 15 talks
▪ Android, iOS security: 13 talks
▪ Internet of Things: 13 talks
DEFCON
▪ Total talks: 100
▪ Top 5 domains:
▪ Internet of Things: 19 talks
▪ Network security: 13 talks
▪ Application security: 10 talks
▪ Critical infrastructure protection: 7 talks
▪ Penetration testing: 7 talks
21
Detailed Trends (chart comparing BlackHat and DEFCON talk counts by domain)
22
KEY ATTACKS OF 2016
23
TOP Talks
1. Building Trust and Enabling Innovation for Voice-Enabled IoT, by Lynn Terwoerds (BHUSA)
2. Let's Get Physical: Network Attacks Against Physical Security Systems (DEFCON)
3. A Lightbulb Worm?, by Colin O'Flynn (BHUSA)
4. Can You Trust Autonomous Vehicles?, by Jianhao Liu, Chen Yan, Wenyuan Xu (DEFCON)
5. Picking Bluetooth Low Energy Locks from a Quarter Mile Away, by Anthony Rose (DEFCON)
24
Picking BLE Locks from a Quarter Mile Away, by Anthony Rose
1. BLE (Bluetooth Low Energy) is designed for apps that don't need to exchange large amounts of data
✓ Operates in the 2.4 GHz band
✓ Used in car locks, bike locks, padlocks, door locks, gun cases, lockers, ATMs, Airbnb, etc.
✓ Short range (<100 m) and consumes very little energy
✓ Around 3 billion devices per year
2. Attack setup (as presented in the talk)
✓ Ubertooth One
✓ Bluetooth dongle
✓ High-gain antenna
✓ Raspberry Pi
25
1. Sniffing plaintext passwords
➢ War dialing: roaming around with an Ubertooth One looking for locks
➢ The high-gain antenna makes it easier to capture far-away signals
➢ The attacker sniffs the BLE traffic, takes the dump and extracts the user's password from it
➢ Using HCI and a Bluetooth dongle, the attacker sends the authentication request to the device and it opens
2. Replay attacks
➢ Devices like Ceomate, Elecycle, Vians and Lagute use encryption (AES-256)
➢ The attacker sniffs the complete packet as is, with the password in encrypted form, and can still replay it to get into the lock
Picking BLE Locks from a Quarter Mile Away, by Anthony Rose
26
3. Fuzzing devices (Okidokeys)
▪ This exploits the fail-safe mechanism in the devices
▪ The vendor initially claimed AES-256 plus custom-developed encryption (which is not a good idea)
▪ When the attacker sniffed the traffic, he noticed message packets containing some commands and a couple of random-looking keys that seemed very difficult to break
▪ The first part is an opcode and the second part is the actual key
▪ When the attacker changed the 3rd byte to 0, the device went into an error state, and since no error-state behaviour was defined, it just unlocked itself
▪ It turned out that their patented crypto was the culprit: they were XORing the previous keys to derive the new keys
Picking BLE Locks from a Quarter Mile Away, by Anthony Rose
27
4. Decompiling APKs
▪ This was done with the Danalock door lock
▪ Download the APK → dex to jar → analyse
▪ Reveals the encryption method and hardcoded passwords
▪ XOR(password, "thisisthesecret") and store it in the table
5. Device spoofing
▪ This was done with BitLock, a padlock for bikes
▪ This is possible where user authentication happens on a web server and nothing is stored on the device
▪ The attacker impersonates the lock and steals the sensitive encrypted nonce from the user
Picking BLE Locks from a Quarter Mile Away, by Anthony Rose
28
CONTROLS
✓ Encryption (AES-256)
✓ Random nonce
✓ Strong passwords, multi-factor authentication
✓ No hardcoded passwords
31
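As an added example (not code from the talk or from any lock vendor), a toy model of how lock firmware can apply the controls listed above against the flaws in the BLE lock slides: a per-device secret provisioned at on-boarding instead of a key hardcoded in the app, a random single-use nonce so a sniffed reply cannot be replayed, an HMAC so the secret itself never goes over the air, and fail-closed handling of malformed packets instead of an undefined error state that opens the lock. The opcode/tag wire format, the `BleLock` and `client_unlock` names and the 16-byte nonce length are assumptions of this example.

```python
import hmac
import hashlib
import secrets


class BleLock:
    """Toy lock firmware model (constructed example). Assumed wire format for a
    command packet: opcode (1 byte) || HMAC-SHA256 tag over nonce||opcode (32 bytes)."""
    OP_UNLOCK = 0x01

    def __init__(self, device_secret: bytes):
        self.secret = device_secret   # provisioned per device; not a string baked into the APK
        self.nonce = None
        self.unlocked = False

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)   # fresh random nonce for every attempt
        return self.nonce

    def handle(self, packet: bytes) -> str:
        # Anything unexpected is rejected and the lock stays closed: no "error -> open" path.
        if self.nonce is None or len(packet) != 33:
            return "rejected"
        opcode, tag = packet[0], packet[1:]
        nonce, self.nonce = self.nonce, None   # nonce is single use, consumed even on failure
        if opcode != self.OP_UNLOCK:
            return "rejected"
        expected = hmac.new(self.secret, nonce + bytes([opcode]), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected"
        self.unlocked = True
        return "unlocked"


def client_unlock(secret: bytes, nonce: bytes) -> bytes:
    """Legitimate app side: answers the challenge without ever transmitting the secret."""
    op = bytes([BleLock.OP_UNLOCK])
    return op + hmac.new(secret, nonce + op, hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)                      # per-device secret, constructed at random here
    lock = BleLock(key)
    genuine = lock.handle(client_unlock(key, lock.challenge()))
    captured = client_unlock(key, lock.challenge())    # a valid reply an eavesdropper could record
    lock.challenge()                                   # next attempt gets a new nonce, so the old reply is stale
    replayed = lock.handle(captured)
    lock.challenge()
    malformed = lock.handle(bytes([0x00]) + bytes(32))   # unknown opcode: stays locked
    return genuine, replayed, malformed
```

The model covers the replay, sniffing and fail-open flaws described in the talk; it does not address physical tampering or protection of the secret at rest on the device.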
Fresh Thinking around Security for IoT
32
Fresh Thinking: Is the Emperor Naked?
33
Urban City: Does every house need to be a Fort Knox?
▪The Wild West
▪The Frontier Town
▪The City
▪The Mega Polis
▪The Township
Rights of Self Defence and Delegated Policing in Cyberspace?
The Cyber Rights
34
Going Forward..
▪Technical Roadmap
▪ Community Engagement
▪ Deep practitioners
▪ Architectural
www.IoTForIndia.org
35
REFERENCES
❖ https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
❖ https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
❖ https://www.blackhat.com/us-16/briefings.html
❖ https://www.defcon.org/html/defcon-24/dc-24-index.html
❖ https://isc.sans.edu/presentations/dyndnsattack.pptx
❖ https://www.mdsec.co.uk/2016/10/building-an-iot-botnet-bsides-manchester-2016/
Special thanks to:
❖ Lynn Terwoerds for "Building Trust and Enabling Innovation for Voice-Enabled IoT"
❖ Ricky Lawshae for "Let's Get Physical: Network Attacks Against Physical Security Systems"
❖ Eyal and Colin O'Flynn for "A Lightbulb Worm?"
❖ Jianhao Liu, Chen Yan, Wenyuan Xu for "Can You Trust Autonomous Vehicles?"
❖ Anthony Rose and Ben Ramsey for "Picking Bluetooth Low Energy Locks from a Quarter Mile Away"
36
Thank You