Things Gone Wild: When Your Devices Behave Badly
DESCRIPTION
How long can we continue to place trust in the everyday devices we rely on? In an age of growing connectedness for everything from manufacturing robots to toothbrushes, the Internet of Things has the potential to morph from a helpful productivity enhancer into a cover for malicious infiltration of your home and office. Learn how makers can build secure "things" and the security controls operators can implement. We'll present a simple model for assessing threats to the IoT ecosystem relevant to your industry and products. Security practitioners will learn how to be effective early adopters, without being victims of "things". View the full on-demand webcast: https://www2.gotomeeting.com/register/481316034
TRANSCRIPT
© 2012 IBM Corporation
IBM Security Systems
© 2014 IBM Corporation
Things Gone Wild:
When Your Devices Behave Badly
“Things” hacker
This is the “maker” corner of my office
A man is stuck in traffic on his way to work.
His mind wanders: did I leave the fridge open?
He pulls his smart phone out.
The man taps an app on his smart phone labeled “Home Automation”.
Everything is fine at home.
The man rolls his eyes and grins at his own obsessive concern.
But in reality, someone has hacked his home area network.
The refrigerator is spewing ice cubes…
The dishwasher is overflowing…
The toaster is aflame while the ZoomBot bumps the counter, sending the toaster toward the curtains.
IBM X-Force is the foundation for advanced security and threat research across the IBM Security Framework.
IBM X-Force® Research and Development
Expert analysis and data sharing on the global threat landscape
• Vulnerability Protection
• IP Reputation
• Anti-Spam
• Malware Analysis
• Web Application Control
• URL / Web Filtering
• Zero-day Research
The IBM X-Force Mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
Coverage
• 20,000+ devices under contract
• 15B+ events managed per day
• 133 monitored countries (MSS)
• 1,000+ security related patents
• 100M+ customers protected from fraudulent transactions
Depth
• 25B analyzed web pages & images
• 12M spam & phishing attacks daily
• 86K documented vulnerabilities
• 860K malicious IP addresses
• Millions of unique malware samples
IBM X-Force monitors and analyzes the changing threat landscape.
The Internet of Things (IoT): a revolution is occurring just like Cloud, Mobile, Social & Analytics
The Internet of Things will represent 30 billion connected “things” by 2020, growing from 9.9 billion in 2013.
These connected "things" are largely driven by intelligent systems, all collecting and transmitting data.
Source: IDC, “Worldwide and Regional Internet of Things 2014-2020 Forecast Update by Technology Split”
Smart Homes
Smart Energy / Smart Meters (AMI)
Side Channel Security Information
Monitor usage and determine:
• When the fridge runs its defrost cycle
• When the coffee maker kicks on
• When you run your electric razor
• What you’re watching on TV
To some extent, this can be done now.
Smart meters give much more granular information.
Source: http://www.h-online.com/security/news/item/Smart-meters-reveal-TV-viewing-habits-1346385.html
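Added example (not from the original slides): a Python sketch of why reading granularity matters for this side channel. The appliance wattages, run times and base load are constructed for illustration. Per-second readings expose each appliance's switch-on step, while 15-minute averages of the same hour do not.

```python
# Added illustration; appliance wattages and run times are constructed, not measured.
SIGNATURES = {"coffee maker": 1000, "electric razor": 15, "defrost heater": 450}
RUNS = [("coffee maker", 600, 900), ("electric razor", 1800, 1860),
        ("defrost heater", 2400, 3000)]  # (name, start second, end second)
BASE_WATTS = 150


def build_profile(seconds=3600):
    """Constructed one-hour household load, one reading per second."""
    profile = [BASE_WATTS] * seconds
    for name, start, end in RUNS:
        for t in range(start, end):
            profile[t] += SIGNATURES[name]
    return profile


def downsample(profile, window):
    """Average consecutive readings, as a meter reporting every `window` seconds."""
    return [sum(profile[i:i + window]) / window
            for i in range(0, len(profile), window)]


def step_changes(readings, min_watts=5):
    """Return (index, delta) for each jump between consecutive readings."""
    return [(i, readings[i] - readings[i - 1])
            for i in range(1, len(readings))
            if abs(readings[i] - readings[i - 1]) >= min_watts]


def identify(readings, tolerance=0.05):
    """Name appliances whose wattage matches a switch-on step within tolerance."""
    found = set()
    for _, delta in step_changes(readings):
        for name, watts in SIGNATURES.items():
            if delta > 0 and abs(delta - watts) <= tolerance * watts:
                found.add(name)
    return found


if __name__ == "__main__":
    profile = build_profile()
    print("1 s readings :", sorted(identify(profile)))
    print("15 min means :", sorted(identify(downsample(profile, 900))))
```

Reporting coarser intervals, or aggregating before data leaves the meter, is the data-minimization control this comparison motivates.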
Smart Meter Event Monitoring
Reverse Rotation Detected
Inversion tamper
Removal Tamper
Power Outage / Restoration
Remote Disconnect / Reconnect Failure / Success
RF Transceiver Reset
New device joined HAN
Configuration Changed
Firmware Change Complete
Replay Attack
Industrial Control / SCADA Systems
Most SCADA systems are to IoT what flip phones are to mobile.
Smart Cities / Smart Buildings
• Traffic / transport
• Utilities / energy
• Telecommunications
• Public safety
• HVAC systems
• Occupancy
• Elevators/escalators
Smarter Prisons?
Wearables
Medical Devices
Biohacking
How are you going to control this type of BYOD?
The instrumented vehicle; automobile threat surface
Engine Control Unit
Transmission Control Unit
Airbag Control Unit
Anti-lock Braking System
Tire Pressure Monitor
Vehicle to Vehicle Communications
Instrument Cluster / Telematics
Keyless Entry / Anti-theft
OBD-II
Car Multimedia
Dynamic Stability Control
The IBM model for the Internet of Things
At IBM, we’ve created a model of the IoT that’s useful for understanding the security threats at various data flow and control transition points.
Home automation systems are driving comfort and security enhancements.
Includes technologies like:
• Smart appliances
• Lighting and sound systems
• Televisions
• Thermostats
• Smoke detectors and alarm systems
• Garage doors and door locks
Connected via:
• Local home network, which is often wireless, and then connected to the Internet via a service provider
• Security systems may also have a secondary connection using a mobile network
Available from:
• Service providers or utilities providing home automation services
• Hobbyists can build their solutions, bypassing the cloud layer, opting instead to connect to their home area network directly from a mobile device or computer.
Connected vehicles can enhance both safety and control for drivers.
Includes technologies like:
• Emergency assistance
• Remote telemetry reporting, such as speed, location and engine temp
• Remote start
• Remote cabin climate control
Connected via:
• The local network is a controller area network (CAN), to which the electronic control units (ECUs) for brakes, engine, power windows and other components connect.
• Global network is a mobile carrier
• Cloud service is often the auto manufacturer’s network, to which the car identifies itself and is authenticated with an app on a mobile device.
Available from:
• Automobile manufacturers
Industrial control and SCADA systems vary wildly by industry, age, and use.
Includes technologies like:
• HVAC systems
• Access control systems
• Energy consumption
• Infrastructure processes like water treatment, oil and gas pipelines, and electrical power transmission and distribution systems
Connected via:
• Older SCADA systems can be controlled over a dial-up line by an operator console segmented from the rest of the network, with no Internet connectivity or ability to control the system from outside the factory network.
• Newer industrial control systems are built on a general-purpose OS, designed to connect to an IP network.
Available from:
• Legacy designs embedded in factories
• Industrial control service providers
Smart meters are driving the convergence of operational technology and traditional IT networks.
Includes technologies like:
• Electric, natural gas, or water meters
• Alternative fuels like solar energy and wind power
• Locally sourced microgrids, which generate, distribute, and regulate the flow of electricity to consumers in a small geographic area
Connected via:
• Connection from meter to energy provider’s cloud using communication methods like cell and pager networks, satellite, licensed radio, combination licensed and unlicensed radio, or power line communication
• Analyzed telemetry is provided to billing systems and available to customers through a web portal or mobile app
Available from:
• Electric utilities
• Municipalities
Implantable medical devices are improving levels of patient care.
Includes technologies like:
• Pacemakers and cardioverter defibrillators
• Cochlear implants
• Insulin pumps
• Camera capsules
• Neuromonitoring systems
Connected via:
• Current connectivity is provided over radio frequency to specialized control devices and is limited in range
• There is pressure to widen connectivity so patients would have access to their data over patient portals, with the entire ecosystem of healthcare providers and insurers accessing a unified view of patient care information
Available from:
• Medical device manufacturers
The Internet of Things brings a range of threats and attack vectors.
Threat vectors
• Web application vulnerabilities
• Exploits
• Man in the middle
• Password attacks
• Information gathering / data leakage / eavesdropping
• Rogue clients
Backdoor access to a building maintenance program was used to access floor plans for a business.
Using a CD playing MP3 files in a car’s audio system, researchers were able to access all the ECUs in the vehicle, and disable brake functions while the car was travelling at 40 mph.
Network-connected lighting was compromised to access local Wi-Fi network passwords.
Each layer in the Internet of Things is susceptible to a variety of attack vectors.
A. Password attacks
B. Web application vulnerabilities
C. Rogue clients / malicious firmware
D. Man in the middle attacks
E. Information gathering / data leakage / eavesdropping
F. Command injection and data corruption
[Diagram: attack vectors A to F mapped onto the IoT layers: Things, Local network, Global network, Cloud service, Controlling device]
IoT exposes varying threat surfaces, and requires security specific to each category of device.
Hardware manufacturers need strategies specific to each category of device:
A secure operating system with trusted firmware guarantees
A unique identifier
Strong authentication and access control
Data privacy protection
Strong application security
IBM recommends manufacturers adhere to a set of best practices to address the security challenges of the IoT.
Follow the Open Web Application Security Project (OWASP) IoT Top 10 practices.
Build a secure design and development practice
Perform regular penetration testing on products
Follow industry guidance, such as the IBM Automotive Security Point of View.
Connect with IBM X-Force Research & Development
Find more on SecurityIntelligence.com
IBM X-Force Threat Intelligence Reports and Research: http://www.ibm.com/security/xforce/
Twitter: @ibmsecurity and @ibmxforce
IBM X-Force Security Insights Blog
www.SecurityIntelligence.com/topics/x-force
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.