2017 March ISACA Security Challenges with the Internet of Things - Eric Vanderburg

© 2017 JURINNOV, LLC All Rights Reserved.
Security Challenges with
the Internet of Things
ISACA MARCH 2017
ERIC VANDERBURG
DIRECTOR, CYBERSECURITY
JURINNOV, A TCDI COMPANY

Topics
• Overview
• Uses
• Challenges
• Strategies

IoT security statistics
• 93% of IoT early adopters are concerned about IoT security
-Global IoT Report 2017 from IoT Works
• 6.4 billion IoT devices in use today and 5.5 million added per day
- Gartner
• 85% of enterprises intend to deploy IoT devices, but only 10% feel
confident in the security of those devices
– AT&T Cybersecurity Insights Report

Uses of IoT
IoT will be everywhere in the future and it is already where you don’t want it

Where is IoT
6
• Camera systems
• Cars
• Car apps with minimal security
• Many vulnerabilities identified
• Unencrypted credentials
• Lack of integrity checks
• Outdated communication protocols
• Few actually exploited

Where is IoT?
• Factories
• Programmable Logic Controllers (PLC) for robotic systems
• Industrial control systems
• Smart meters
• Smart homes
• Animals and humans

IoT Toys
Toys are connected to the
Internet/cloud to:
◦Learn
◦Exchange data with friends
◦Obtain software updates
◦Allow for online
customization
◦Obtain data on surroundings
Targeted to get data on
users
Used for surveillance
Good information for
thieves

IoT Challenges
• DDoS
• Ransomware
• Surveillance
• Backdoors
• Data breaches
• Botnets

IoT and DDoS
Protecting people, places, and assets

October 21, 2016
Internet hosting provider OVH was
faced with a 1Tbps DDoS attack
Botnet was entirely comprised of
CCTV cameras
Home routers and IP
cameras turned into a
botnet.
Botnet was used to launch
DDoS attacks against the
Dyn DNS system targeting
sites such as Twitter, Spotify,
Amazon, Reddit, Yelp, Netflix,
and The New York Times.
September 22, 2016 September 13, 2016
Krebs on Security was hit by a
665Gbps DDoS attack
The site was protected by Akamai,
a company that specializes in
protecting sites from attacks

DDoS statistics
• About 75% of global organizations have been victims of a DDoS
Attack
-Neustar
• 3,700 DDoS attacks occur every day
-CSO
• Malicious code for DDoS botnets has been found in up to 600,000
IoT devices
–PC World

Effects of a DDoS attack
• Entire shutdown of a small countries internet capability
• Temporary outage of backbone DNS servers
• Specific attacks can easily take down a single site

Defense strategies
• Vulnerability scanning
• Quarantining until remediation
• Review vendor vulnerabilities, firmware release notes,
and history. Do they have a track record of resolving
vulnerabilities in a timely manner?

Defense strategies
• Change default credentials
• Use strong passwords
• Update firmware regularly
• Turn off unused features

IoT and Ransomware
Protecting your credentials and identity

IoT and
Ransomware
• TV
• Phone
• Refrigerator
•Locks
• Smart home devices
(lightbulbs, plugs, etc.)
• Automated cars

IoT ransomware news
• A hotel in Austria had it’s system compromised that
locked guests out of their rooms until ransom was paid.

Easy Ransomware Targets
• Many devices use android or Linux variant.
• Software updates are infrequent or nonexistent.
• Many users do not change default credentials
• If credentials are present they are usually simple

• Hundreds of new ransomware variants just this year this
year
(over 400% increase since 2015)
Stats
KeRanger
PayCrypt
JobCryptor
HiBuddy
HydraCryptVipasana
Umbrecrypt
LOCKY
CryptoJocker
Nanolocker
LeChiffre
Magic
Ginx
73v3n
Mamba
HDDCryptor
SAMSAM
Powerware
Peyta
Jigsaw
Cerber
Radamant Rokku

Ransoms
• Ransoms range from 0.5 – 5
bitcoins
Bitcoin valued at 767 USD or 719 EUR as of
December, 2016
Ransoms for organizations are far
more

Highest value targets
• Banks
• Hospitals
• Universities
• Government Agencies

IoT and Surveillance
Protecting your credentials and identity

Surveillance
• Android devices such as Android TVs or cars are
vulnerable.
• Not updated as often nor as easily
• The TV can be off, but the camera and mic are still
functioning

Surveillance
• CIA tools
•Weeping angel – monitors conversations from TVs
•Malware injected into Huawei, ZTE and Mercury routers
• The tools developed are not shipped with the devices but
must be installed by physical media
• The tools do not have the capability to install themselves
remotely

Mark Zuckerberg is concerned
What about you?

January 2017
CIA hacking tool
documentation
leaked on wikileaks
The FDA
announced that
cardiac
monitoring
devices have
vulnerabilities
that allow them
to be hacked.
March 2017

Connected AI
• Siri, Alexa, Cortana, etc.
• All requests sent to an AI are recorded
• These recordings may potentially be kept indefinably
• It can record every word heard even if the AI is not in use
at the time

Many IP
cameras are
easily
accessible
Default credentials
No password
No firewall
Pierre Derks and
restreaming reality

IoT Backdoors
Is IoT the network’s weakest link?

Notable backdoors
• 80 models of Sony cameras allow backdoor access for complete
control of the device
• Nearly all DblTek VoIP devices have root backdoor access
• Some Samsung, LG, Asus, and Lenovo devices might be sold with a
Trojan or ransomware preinstalled

Devices potentially with backdoors preinstalled
• Galaxy Note 2
• LG G4
• Galaxy S7
• Galaxy S4
• Galaxy Note 4
• Galaxy Note 5
• Xiaomi Mi 4i
• Galaxy A5
• ZTE x500
• Galaxy Note 3
• Galaxy Note
Edge
• Galaxy Tab S2
• Galaxy Tab 2
• Oppo N3
• Vivo X6 plus
• Nexus 5
• Nexus 5X
• Asus Zenfone
2
• LenovoS90
• OppoR7 plus
• Xiaomi Redmi
• Lenovo A850

Recent backdoor firmware found November 2016
AFFECTED DEVICES
•ZTE
• Huawei
• Blu
• AdUps firmware (on 700 million
devices)
WHAT IT DOES
• Sniffs SMS messages and call
logs
• Gathers contact information
• Records GPS location data
• Sends data discreetly to China
• Remotely execute malicious
code with root privileges.

IoT Data Breaches
Data exfiltration from IoT devices

December 2, 2015
CloudPets exposed 2.2
million voice recordings
and account info of the
800,000 kids
Data of 6.4
million children
breached from
Vtech devices.
February 22, 2017 March 13, 2017
US Teledildonics
collected sensitive
information on
information from IoT
adult toys.
Privacy infringement
lawsuit settled with
claimants.

Predictions
• Forrester predicts more than 500,000 IoT devices will be
compromised in 2017
• As adoption increases, so will attacks

What to do
• IoT Security needs to be part of the design, not some
tacked on afterthought
• Each part of a device must be examined for potential
vulnerabilities
• Have backup systems in place in case an attacker gains
access to the device.

IoT Botnets

Mirai
• Botnet program responsible for largest breach in history
• Source code is freely available online
• Only takes about 30 minutes to set up

Botnet Overview
• Bot
• Program that performs automated tasks
• Remote controlled
• AKA: zombie or drone
• Botnet – collection of bots remotely controlled and working
together to perform tasks
• Bot herder – bot master

Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
• Torrents
• Data mining
• Hacking
• Spread itself
41

Life Cycle
Exploit
◦Malicious code
◦Unpatched vulnerabilities
◦Trojan
◦Password guessing
Rally - Reporting in
◦Log into designated IRC
channel and PM master
◦Make connection to http
server
◦Post data to FTP or http
form
42
Exploit Rally Preserve Inventory
Await
instructions
Update Execute Report
Clean
up

Life Cycle
• Preserve
• Rootkit
• Encrypt
• Polymorph
• Kill security services, firewall or debugging processes
43
Await
instructions
Clean
up

Life Cycle
• Inventory
• determine capabilities such as RAM, HDD, Processor, Bandwidth,
and pre-installed tools
• Await instructions from C&C server
• Update
• Download payload/exploit
• Update C&C lists
44
Await
instructions
Clean
up

Life Cycle
Execute commands
◦ DDoS
◦ Spam
◦ Harvest emails
◦ Keylog
◦ Screen capture
◦ Webcam stream
◦ Steal data
Report back to C&C server
Clean up - Erase evidence
45
Await
instructions
Clean
up

IoT Security Strategies
Securing IoT, one device at a time

IoT Security Features
• Secure booting
• Verify software/firmware integrity with digital signatures at
startup
• Start up security processes before networking processes
• Access control
• Least privilege
• Authentication
• Require authentication to network before communicating
• Secure storage of credentials

IoT Secure Development
• Security needs to be “by design” when developing IoT
solutions
• Account not only for normal people who put convenience
first but also for attackers
• Assume the system will fail and build in countermeasures

IoT Implementation Security
• Segmentation
• Firewall and IPS
• Vulnerability scanning
• Patch management
• Turn it off if you don’t need it
• Know where the data is stored such as in the cloud and
how it is secured.

For more information
216-664-1100
www.jurinnov.com
eav@jurinnov.com
Twitter: @jurinnov and @evanderburg
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115

2017 March ISACA Security Challenges with the Internet of Things - Eric Vanderburg

More Related Content

What's hot (20)

Viewers also liked (15)

Similar to 2017 March ISACA Security Challenges with the Internet of Things - Eric Vanderburg (20)

More from Eric Vanderburg (20)

Recently uploaded (20)

2017 March ISACA Security Challenges with the Internet of Things - Eric Vanderburg

Editor's Notes