SlideShare a Scribd company logo

HKG18-219 - Threat Modeling for IoT

Linaro, profile picture
Linaro

The document discusses threat modeling for Internet of Things (IoT) security, highlighting the discovery of vulnerabilities in IoT devices, including examples like the Mirai botnet and Jeep hacking. It contrasts two threat modeling approaches: one focusing on system architecture and the other on policy and capability, emphasizing the importance of validating sensor data and secure software updates. The document concludes that threat models should be dynamic and guide development priorities as new application areas emerge.

Technology
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
HKG18-219: Threat Modeling for IoT David Brown
IoT Security ● 2016 DEF Con, found 47 new vulnerabilities in 23 IoT devices ● Mirai Botnet https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai- botnet targeted DDoS attack, cameras, DVRs, etc ● TRENDnet Webcam: http://www.technewsworld.com/story/78891.html, vulnerable camera could be viewed externally
IoT Security (cont.) ● Jeep: https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493/ over cell network took control of a Jeep. ○ WiFi password wasn’t very random, guess space in the dozens ○ Chained through vulnerability in multimedia computer ○ CAN bus isolation failed with vulnerability in an MCU that could be “upgraded” without authentication ○ Total control over vehicle, including brakes and steering
Threat Modeling ● “Threat Modeling: Designing for Security”, by Adam Shostack ○ What are you building? ○ What can go wrong? ○ What should you do about those things that can go wrong? ○ Did you do a decent job of analysis?
Threat Modeling (cont.) ● Nickolai Zeldovich, https://youtu.be/GqmQg-cszw4: MIT 6.858 Computer Systems Security, Fall 2014, Introduction, Threat Models ○ Policy: What is the desired behavior (what is and isn’t allowed)? ○ Threat Model: What is the attacker capable of? ○ Mechanism: What do we do about it?
Threat Modeling (cont.) ● Two approaches ● Shostack focuses on architecture of system ● Zeldovich focuses on policy and capability ● I found Zeldovich’s approach easier to organize and follow
The example app ● Important to focus on a specific application, ● Can also focus on a specific part, such as a protocol (but be careful, see Jeep example, parts interact)
HKG18-219 - Threat Modeling for IoT
High-level example ● Policy: The data collection host should be able to determine that a given sensor device is valid, and only accept data from valid sensors ● Threat: ○ Attacker can generate arbitrary network packets ○ Attacker cannot brute-force modern crypto algorithms ○ Attacker cannot read from the device’s internal flash ● Mechanism: ○ Enforce DTLS with PSK ciphersuite ● Thoughts: ○ How do we get the secret onto the device ○ Take LWM2M: network secret negotiates device secret ○ (secrets are important, see HKG18-407)
High-level example ● Policy: The data collection host should be able to determine that a given sensor device is valid, and only accept data from valid sensors ● Threat: ○ Attacker can generate arbitrary network packets ○ Attacker cannot brute-force modern crypto algorithms ○ Attacker can read from the device’s internal flash ● Attacker can spoof device (violating policy) ● Not obvious, though: ○ Buffer overflow in a protocol allows read of arbitrary memory ○ SWD/JTAG: forget fuses, or reverse fuses ○ Flash protected from read, but CRC reads and can be watched
Policy Interaction ● Two policies: ○ Policy: The data collection host should be able to determine that a given sensor device is valid, and only accept data from valid sensors ○ Policy: When sensor data is available, it should be sent to the data collection host in a timely manner ● Not only prevent attacks, but prevent denial of service: ○ Jam network ○ Bogus packets cause device to be rejected
Lower-level example ● Concerning software update: ○ The device should accept upgrades from a valid upgrade host and run these new versions ○ The device should only accept upgrades from a valid upgrade host ● Threat: ○ The attacker can spoof network traffic from upgrade host ○ The attacker can reply old data ○ The attacker cannot break RSA ● Mechanism: ○ Digitally sign images with RSA ○ Have increase-only version numbers
Lower-level example ● Concerning software update: ○ The device should accept upgrades from a valid upgrade host and run these new versions ○ The device should only accept upgrades from a valid upgrade host ● Threat: ○ The attacker can spoof network traffic from upgrade host ○ The attacker can reply old data ○ The attacker cannot break RSA ● Attack: ○ The attacker spoofs upgrade host ○ Sends invalid upgrades, with bad signatures ○ Device drains battery, or wears out flash repeatedly rejecting the upgrade ● This one is hard
Conclusions ● Model document will be dynamic ● Use model to drive development priorities ○ e.g. storing secrets ● Will grow as we move to new application areas
Thank You #HKG18 HKG18 keynotes and videos on: connect.linaro.org For further information: www.linaro.org

More Related Content

PDF
HKG18-113- Secure Data Path work with i.MX8M
Linaro
 
PPTX
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 
PDF
Wirelessconnect
Firman Indrianto
 
PPT
Meletis Belsis - IMS Security
Meletis Belsis MPhil/MRes/BSc
 
PDF
Resilient IoT Security: The end of flat security models
Milosch Meriac
 
PDF
z/OS Authorized Code Scanner
Luigi Perrone
 
PPT
Trusted computing introduction and technical overview
Sajid Marwat
 
PPT
Fortinet FortiOS 5 Presentation
NCS Computech Ltd.
 
HKG18-113- Secure Data Path work with i.MX8M
Linaro
 
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 
Wirelessconnect
Firman Indrianto
 
Meletis Belsis - IMS Security
Meletis Belsis MPhil/MRes/BSc
 
Resilient IoT Security: The end of flat security models
Milosch Meriac
 
z/OS Authorized Code Scanner
Luigi Perrone
 
Trusted computing introduction and technical overview
Sajid Marwat
 
Fortinet FortiOS 5 Presentation
NCS Computech Ltd.
 

What's hot (20)

PPTX
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Dan Griffin
 
PPTX
Fortinet
ABEP123
 
PDF
High end security for low-end microcontrollers
Milosch Meriac
 
PPTX
Trusted platform module copy
Rishi Kumar
 
PDF
MikroTik User Guide
seolangit4
 
PDF
Security Gateway CP R70
dzihiro
 
PDF
Property-Based TPM Virtualization
Marcel Winandy
 
PDF
Trusted Computing Base
Vasily Sartakov
 
PDF
Kernel Mode Threats and Practical Defenses
Priyanka Aash
 
PPTX
Security for io t apr 29th mentor embedded hangout
mentoresd
 
PDF
LAS16-100K1: Welcome Keynote
Linaro
 
PPTX
Fortinet sandboxing
Nick Straughan
 
PDF
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
The Linux Foundation
 
PPTX
LAS16-300K2: Geoff Thorpe - IoT Zephyr
Shovan Sargunam
 
PDF
CSF18 - BitLocker Deep Dive - Sami Laiho
NCCOMMS
 
PPTX
Trusted Platform Module (TPM)
k33a
 
PDF
Shape your remote connection to your GCE instance
DevOps Indonesia
 
PDF
Fortigate fortiwifi-80f-series
Julian Ernesto Martinez Oliva
 
PPT
UTM Basic Rev 1.2 (Modified)
NCS Computech Ltd.
 
PPTX
OwnYIT CSAT + SIEM
NCS Computech Ltd.
 
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Dan Griffin
 
Fortinet
ABEP123
 
High end security for low-end microcontrollers
Milosch Meriac
 
Trusted platform module copy
Rishi Kumar
 
MikroTik User Guide
seolangit4
 
Security Gateway CP R70
dzihiro
 
Property-Based TPM Virtualization
Marcel Winandy
 
Trusted Computing Base
Vasily Sartakov
 
Kernel Mode Threats and Practical Defenses
Priyanka Aash
 
Security for io t apr 29th mentor embedded hangout
mentoresd
 
LAS16-100K1: Welcome Keynote
Linaro
 
Fortinet sandboxing
Nick Straughan
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
The Linux Foundation
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
Shovan Sargunam
 
CSF18 - BitLocker Deep Dive - Sami Laiho
NCCOMMS
 
Trusted Platform Module (TPM)
k33a
 
Shape your remote connection to your GCE instance
DevOps Indonesia
 
Fortigate fortiwifi-80f-series
Julian Ernesto Martinez Oliva
 
UTM Basic Rev 1.2 (Modified)
NCS Computech Ltd.
 
OwnYIT CSAT + SIEM
NCS Computech Ltd.
 
Ad

Similar to HKG18-219 - Threat Modeling for IoT (20)

PPTX
Internet of things security "Hardware Security"
Ahmed Mohamed Mahmoud
 
PDF
Homeland of Things Framework BSides Augusta 2017
Daniel West
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
PDF
Cybersecurity Issues in Emerging Technologies 1st Edition Leandros Maglaras (...
fisberngodoo
 
PDF
IoT Hardware Teardown, Security Testing & Control Design
Priyanka Aash
 
PPTX
Security in IoT
gr9293
 
PDF
Hack one iot device, break them all!
Justin Black
 
PPTX
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
Rapid7
 
PPTX
Information Technology Strategy by Group 3
ipm03sivaadithyas
 
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
tjane3
 
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
lmelaine
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
DOC
Wireless networks security
elango30
 
PPTX
Securing Internet of Things
Rishabh Sharma
 
PDF
Track 5 session 4 - st dev con 2016 - life cycle management for web
ST_World
 
PDF
A condition-based distributed approach for secured privacy preservation of no...
International Journal of Reconfigurable and Embedded Systems
 
PDF
Information Security Technology for IPv6-based IoT (Internet-of-Things)
IJAEMSJORNAL
 
PDF
Security in the Internet of Things
BHAVANA KONERU
 
PPTX
IoT Security Risks and Challenges
OWASP Delhi
 
PPTX
Introduction to IoT Security
CAS
 
Internet of things security "Hardware Security"
Ahmed Mohamed Mahmoud
 
Homeland of Things Framework BSides Augusta 2017
Daniel West
 
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
Cybersecurity Issues in Emerging Technologies 1st Edition Leandros Maglaras (...
fisberngodoo
 
IoT Hardware Teardown, Security Testing & Control Design
Priyanka Aash
 
Security in IoT
gr9293
 
Hack one iot device, break them all!
Justin Black
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
Rapid7
 
Information Technology Strategy by Group 3
ipm03sivaadithyas
 
Final Research Project - Securing IoT Devices What are the Challe.docx
tjane3
 
Final Research Project - Securing IoT Devices What are the Challe.docx
lmelaine
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
Wireless networks security
elango30
 
Securing Internet of Things
Rishabh Sharma
 
Track 5 session 4 - st dev con 2016 - life cycle management for web
ST_World
 
A condition-based distributed approach for secured privacy preservation of no...
International Journal of Reconfigurable and Embedded Systems
 
Information Security Technology for IPv6-based IoT (Internet-of-Things)
IJAEMSJORNAL
 
Security in the Internet of Things
BHAVANA KONERU
 
IoT Security Risks and Challenges
OWASP Delhi
 
Introduction to IoT Security
CAS
 
Ad

More from Linaro (20)

PDF
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
Linaro
 
PDF
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
Linaro
 
PDF
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
Linaro
 
PDF
Bud17 113: distribution ci using qemu and open qa
Linaro
 
PDF
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
Linaro
 
PDF
HPC network stack on ARM - Linaro HPC Workshop 2018
Linaro
 
PDF
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
Linaro
 
PDF
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
Linaro
 
PDF
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
Linaro
 
PDF
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
Linaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
PDF
HKG18-100K1 - George Grey: Opening Keynote
Linaro
 
PDF
HKG18-318 - OpenAMP Workshop
Linaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
PDF
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
Linaro
 
PDF
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
Linaro
 
PDF
HKG18-TR08 - Upstreaming SVE in QEMU
Linaro
 
PPTX
HKG18-120 - Devicetree Schema Documentation and Validation
Linaro
 
PDF
HKG18-500K1 - Keynote: Dileep Bhandarkar - Emerging Computing Trends in the D...
Linaro
 
PDF
HKG18-317 - Arm Server Ready Program
Linaro
 
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
Linaro
 
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
Linaro
 
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
Linaro
 
Bud17 113: distribution ci using qemu and open qa
Linaro
 
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
Linaro
 
HPC network stack on ARM - Linaro HPC Workshop 2018
Linaro
 
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
Linaro
 
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
Linaro
 
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
Linaro
 
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
Linaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
HKG18-100K1 - George Grey: Opening Keynote
Linaro
 
HKG18-318 - OpenAMP Workshop
Linaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
Linaro
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
Linaro
 
HKG18-TR08 - Upstreaming SVE in QEMU
Linaro
 
HKG18-120 - Devicetree Schema Documentation and Validation
Linaro
 
HKG18-500K1 - Keynote: Dileep Bhandarkar - Emerging Computing Trends in the D...
Linaro
 
HKG18-317 - Arm Server Ready Program
Linaro
 

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 

HKG18-219 - Threat Modeling for IoT

  • 1. HKG18-219: Threat Modeling for IoT David Brown
  • 2. IoT Security ● 2016 DEF Con, found 47 new vulnerabilities in 23 IoT devices ● Mirai Botnet https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai- botnet targeted DDoS attack, cameras, DVRs, etc ● TRENDnet Webcam: http://www.technewsworld.com/story/78891.html, vulnerable camera could be viewed externally
  • 3. IoT Security (cont.) ● Jeep: https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493/ over cell network took control of a Jeep. ○ WiFi password wasn’t very random, guess space in the dozens ○ Chained through vulnerability in multimedia computer ○ CAN bus isolation failed with vulnerability in an MCU that could be “upgraded” without authentication ○ Total control over vehicle, including brakes and steering
  • 4. Threat Modeling ● “Threat Modeling: Designing for Security”, by Adam Shostack ○ What are you building? ○ What can go wrong? ○ What should you do about those things that can go wrong? ○ Did you do a decent job of analysis?
  • 5. Threat Modeling (cont.) ● Nickolai Zeldovich, https://youtu.be/GqmQg-cszw4: MIT 6.858 Computer Systems Security, Fall 2014, Introduction, Threat Models ○ Policy: What is the desired behavior (what is and isn’t allowed)? ○ Threat Model: What is the attacker capable of? ○ Mechanism: What do we do about it?
  • 6. Threat Modeling (cont.) ● Two approaches ● Shostack focuses on architecture of system ● Zeldovich focuses on policy and capability ● I found Zeldovich’s approach easier to organize and follow
  • 7. The example app ● Important to focus on a specific application, ● Can also focus on a specific part, such as a protocol (but be careful, see Jeep example, parts interact)
  • 9. High-level example ● Policy: The data collection host should be able to determine that a given sensor device is valid, and only accept data from valid sensors ● Threat: ○ Attacker can generate arbitrary network packets ○ Attacker cannot brute-force modern crypto algorithms ○ Attacker cannot read from the device’s internal flash ● Mechanism: ○ Enforce DTLS with PSK ciphersuite ● Thoughts: ○ How do we get the secret onto the device ○ Take LWM2M: network secret negotiates device secret ○ (secrets are important, see HKG18-407)
  • 10. High-level example ● Policy: The data collection host should be able to determine that a given sensor device is valid, and only accept data from valid sensors ● Threat: ○ Attacker can generate arbitrary network packets ○ Attacker cannot brute-force modern crypto algorithms ○ Attacker can read from the device’s internal flash ● Attacker can spoof device (violating policy) ● Not obvious, though: ○ Buffer overflow in a protocol allows read of arbitrary memory ○ SWD/JTAG: forget fuses, or reverse fuses ○ Flash protected from read, but CRC reads and can be watched
  • 11. Policy Interaction ● Two policies: ○ Policy: The data collection host should be able to determine that a given sensor device is valid, and only accept data from valid sensors ○ Policy: When sensor data is available, it should be sent to the data collection host in a timely manner ● Not only prevent attacks, but prevent denial of service: ○ Jam network ○ Bogus packets cause device to be rejected
  • 12. Lower-level example ● Concerning software update: ○ The device should accept upgrades from a valid upgrade host and run these new versions ○ The device should only accept upgrades from a valid upgrade host ● Threat: ○ The attacker can spoof network traffic from upgrade host ○ The attacker can reply old data ○ The attacker cannot break RSA ● Mechanism: ○ Digitally sign images with RSA ○ Have increase-only version numbers
  • 13. Lower-level example ● Concerning software update: ○ The device should accept upgrades from a valid upgrade host and run these new versions ○ The device should only accept upgrades from a valid upgrade host ● Threat: ○ The attacker can spoof network traffic from upgrade host ○ The attacker can reply old data ○ The attacker cannot break RSA ● Attack: ○ The attacker spoofs upgrade host ○ Sends invalid upgrades, with bad signatures ○ Device drains battery, or wears out flash repeatedly rejecting the upgrade ● This one is hard
  • 14. Conclusions ● Model document will be dynamic ● Use model to drive development priorities ○ e.g. storing secrets ● Will grow as we move to new application areas
  • 15. Thank You #HKG18 HKG18 keynotes and videos on: connect.linaro.org For further information: www.linaro.org