IoT Security
Narudom Roongsiriwong, CISSP
November 8, 2017
WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Embedded System since 2002
● Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP)
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter
● Committee Member of Thailand Banking Sector CERT (TB-CERT)
● Consulting Team Member for National e-Payment project
● Contact: narudom@owasp.org
My Journey to IoT Security
Microcontroller and Assembly Language
● 1986 Studied Electrical Engineering, Chulalongkorn University
● 1987 Worked Part-Time, Controllers Using Zilog Z80
● 1989 Was Apprenticed at Intronics, Using Intel 8048
● 1989 Designed Heat Exchanger Controller as a Senior Project, Using Intel 8031 (My Favorite 8051)
Network Security
● 1995 Started Working at Information and Telecommunication Services (ITS) as Business Development
● Was Assigned to Market a Firewall, “Eagle Raptor”
● Started My Life in Information Security
Embedded System and C/C++
● 2002 Started a Company, Structure and Composites, Embedded System Design for Bridge and Building Structure Monitoring
● 2004 First WiFi IP Based Bridge Structure Monitoring System
● 2004 Became a Special Instructor in Embedded System Design at Faculty of Engineering, Thammasat University
● 2006 My Company Went Broke
● 2007 Joined Incotec Automation (Thailand)
● 2009 Joined Chanwanich, Project Implementation on Smart Card, PLC and Information Security
Information Security Fundamental
What is Security?
● “The quality or state of being secure—to be free from danger”
● A successful organization should have multiple layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
What is Information Security?
● The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
● Necessary tools: policy, awareness, training, education, technology
Security Concepts
● Core: Confidentiality, Integrity, Availability; Authentication, Authorization, Accountability
● Design: Need to Know, Least Privilege, Separation of Duties, Defense in Depth, Fail Safe / Fail Secure, Economy of Mechanisms, Complete Mediation, Open Design, Least Common Mechanisms, Psychological Acceptability, Weakest Link, Leveraging Existing Components
Confidentiality-Integrity-Availability (CIA)
● Confidentiality: To ensure protection against unauthorized access to or use of confidential information
● Integrity: To ensure the accuracy and completeness of information to protect business processes
● Availability: To ensure that information and vital services are accessible for use when required
Security vs. Usability
Security vs. Safety (General Usage)
● Security is concerned with malicious humans that actively search for and exploit weaknesses in a system.
● Safety is protection against mishaps that are unintended (such as accidents).
Why Secure IoT Ecosystems
Problems of IoT Security
● The initial design was for a private communication network; it then moved to IP networks and later onto the Internet
● Firmware updates are hard or nearly impossible after installation
● Devices started with basic security; when security flaws were found, more complex security requirements were bolted on later
● Low-security devices from the early designs are still out there and are used in a compatible fall-back mode
Flaw in Design
https://thehackernews.com/2017/08/car-safety-hacking.html
Flaw in Library
https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of-iot-devices/126913/
Rise of Threats Targeting IoT Devices
https://securelist.com/honeypots-and-the-internet-of-things/78751/
Types of IoT Classified by Communication
● Client Type
– Most implementations
– e.g. payment terminal, IP camera (calls back to a server), smart cars
● Server Type
– e.g. IP camera (built-in web interface)
● Peer-to-Peer or Mesh
Typical IoT Infrastructure
[Diagram] Components: Control Server, IoT Device, Configuration App, Remote Control App. The IoT Device calls back to the Control Server over the private or public Internet and waits for commands; the Remote Control App reaches the Control Server over the public Internet for remote control; the Configuration App configures the device or updates its firmware.
Typical Attack: Fake Control Server
[Diagram] Same infrastructure, with a Fake Control Server receiving the device's callback in place of the genuine Control Server.
Typical Attack: Attack on Device Open Ports
[Diagram] Same infrastructure; the attack is directed at ports left open on the IoT Device.
Typical Attack: Attack on Server Open Ports
[Diagram] Same infrastructure; the attack is directed at ports left open on the Control Server.
Typical Attack: Steal Credential
[Diagram] Same infrastructure, showing theft of the credentials used for remote control.
Typical Attack: Inject Bad Configuration or Firmware
[Diagram] Same infrastructure, with two injection points marked: "Inject Bad Configuration or Firmware" toward the IoT Device and "Inject Bad Configuration" toward the Control Server.
Typical Attack: Sniff Data on Private Network
[Diagram] Same infrastructure; traffic on the private network between the IoT Device and the Control Server is sniffed.
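The "callback and wait for commands" step in the diagrams above is where a fake control server, a stolen credential or an injected command does its damage. The following is an added example (not from the slides) of a device authenticating its control server before it accepts any command: it assumes a per-device shared key provisioned at manufacture and uses HMAC as a simplified stand-in for certificate-based mutual TLS; the message fields and the `ControlServer`/`Device` classes are constructed for this illustration.

```python
import hmac
import hashlib
import os

# Per-device secret provisioned at manufacture (constructed value for this example;
# a real deployment would use per-device certificates and mutually authenticated TLS).
DEVICE_ID = "cam-0001"
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _tag(key: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over length-prefixed parts, so b'ab'+b'c' and b'a'+b'bc' differ."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.hexdigest()


class ControlServer:
    """The genuine server holds the device keys; a fake server has none (or wrong ones)."""
    def __init__(self, keys: dict):
        self.keys = keys  # device_id -> shared key

    def answer_hello(self, hello: dict) -> dict:
        key = self.keys.get(hello["device_id"])
        if key is None:
            return {"error": "unknown device"}
        # Prove possession of the key by authenticating the device's fresh nonce.
        proof = _tag(key, b"server-auth", hello["device_id"].encode(), bytes.fromhex(hello["nonce"]))
        return {"proof": proof}

    def command(self, device_id: str, seq: int, cmd: str) -> dict:
        key = self.keys[device_id]
        return {"seq": seq, "cmd": cmd, "mac": _tag(key, b"cmd", seq.to_bytes(8, "big"), cmd.encode())}


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key
        self.server_ok = False
        self.last_seq = 0  # monotonic counter; a real device persists it across reboots
        self.nonce = b""

    def hello(self) -> dict:
        self.nonce = os.urandom(16)  # fresh per callback, so an old proof cannot be replayed
        return {"device_id": self.device_id, "nonce": self.nonce.hex()}

    def check_server(self, reply: dict) -> bool:
        expected = _tag(self.key, b"server-auth", self.device_id.encode(), self.nonce)
        self.server_ok = hmac.compare_digest(expected, reply.get("proof", ""))
        return self.server_ok

    def accept_command(self, msg: dict) -> bool:
        if not self.server_ok or msg["seq"] <= self.last_seq:
            return False  # unauthenticated server, or replayed/out-of-order command
        expected = _tag(self.key, b"cmd", msg["seq"].to_bytes(8, "big"), msg["cmd"].encode())
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # tampered command or a server without the right key
        self.last_seq = msg["seq"]
        return True


def callback(device: Device, server: ControlServer) -> bool:
    """The 'callback and wait for commands' step: authenticate the server before listening."""
    return device.check_server(server.answer_hello(device.hello()))
```

A fake control server that does not hold the device key fails the nonce check, so the device never enters the command-accepting state; a captured command cannot be replayed because the sequence number must increase.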
Other Attack Surface Areas → See OWASP
● Ecosystem
● Device Memory
● Device Physical Interfaces
● Device Web Interface
● Device Firmware
● Device Network Services
● Administrative Interface
● Local Data Storage
● Cloud Web Interface
● Third-party Backend APIs
● Update Mechanism
● Mobile Application
● Vendor Backend APIs
● Ecosystem Communication
● Network Traffic
● Authentication/Authorization
● Privacy
● Hardware (Sensors)
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP Top 10 IoT Vulnerabilities 2014
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption/Integrity Verification
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
Secure IoT Devices That We Use
Mirai Malware
● Malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks
● Primarily targets online consumer devices such as IP cameras and home routers using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware
● First found in August 2016
● Used in DDoS attacks
– 20 September 2016: attack on the Krebs on Security site, which reached 620 Gbit/s, and a 1 Tbit/s attack on French web host OVH
– 21 October 2016: multiple major DDoS attacks on the DNS services of DNS service provider Dyn
– November 2016: attacks on Liberia's Internet infrastructure
● The source code for Mirai has been published in hacker forums as open-source
What Can We Learn from Mirai Attacks?
● Do not keep the default password on any default username
● If possible, do not allow access to the configuration interface from the Internet side
● If the IoT devices are used only within the organization, do not expose them to the public Internet
● If they must be reachable from the Internet, open only the necessary ports and use non-default ports where possible
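Added example, not from the slides: detection logic for the trace that default-credential spraying of the kind Mirai performs leaves in a device's login log, i.e. one source cycling through many usernames in seconds and then getting in. The syslog-style lines, hostname and addresses are constructed for this example; it assumes the device logs each login attempt with its result, source address and username.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from an IoT device's telnet/SSH login service.
SAMPLE_LOG = """\
Nov  8 15:41:18 cam01 login[312]: FAILED LOGIN from 203.0.113.5 user=root
Nov  8 15:41:19 cam01 login[312]: FAILED LOGIN from 203.0.113.5 user=admin
Nov  8 15:41:20 cam01 login[312]: FAILED LOGIN from 203.0.113.5 user=support
Nov  8 15:41:21 cam01 login[312]: FAILED LOGIN from 203.0.113.5 user=service
Nov  8 15:41:22 cam01 login[312]: FAILED LOGIN from 203.0.113.5 user=user
Nov  8 15:41:23 cam01 login[312]: LOGIN OK from 203.0.113.5 user=admin
Nov  8 15:50:01 cam01 login[340]: FAILED LOGIN from 192.0.2.10 user=operator
Nov  8 15:50:30 cam01 login[340]: LOGIN OK from 192.0.2.10 user=operator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"(?P<result>FAILED LOGIN|LOGIN OK) from (?P<src>[\d.]+) user=(?P<user>\S+)$")


def parse(log: str) -> list:
    """Return (timestamp, source, username, succeeded) tuples; syslog has no year, so 2017 is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("2017 " + m["ts"], "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"] == "LOGIN OK"))
    return events


def find_credential_spraying(events: list, window_s: int = 60, min_users: int = 4) -> dict:
    """Flag sources that tried at least min_users distinct usernames within window_s seconds,
    and record whether any attempt in that window succeeded (a default credential still set)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for t0, _, _ in attempts:
            in_window = [a for a in attempts if t0 <= a[0] <= t0 + timedelta(seconds=window_s)]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                alerts[src] = {"distinct_users": len(users),
                               "succeeded": any(ok for _, _, ok in in_window)}
                break
    return alerts
```

An alert whose `succeeded` flag is set is the actionable case: the device still accepted one of the sprayed usernames, so its credentials must be changed and the login service taken off the public Internet, as the lessons above recommend.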