Who needs iot security?
2 likes361 views
The document discusses the Internet of Things (IoT) and the importance of IoT security, highlighting vulnerabilities in consumer devices such as an IoT camera. It presents a case study that exposes security flaws, demonstrating how attackers can easily exploit them to gain unauthorized access. The document emphasizes the necessity for improved security practices, certification, and proactive measures in IoT device development to prevent potential larger-scale cyber threats.
Who needs iot security?
- 1. 1 Restricted November 7, 2018 D&E event Marc Witteman Who needs IoT security?
- 2. 2 Restricted 1. What is IoT? 2. Is IoT security important? 3. Case study 4. What’s next? Outline
- 3. 3 Restricted • Traditional internet • connects people with machines • shares data that people create • IoT (Internet of Things) • connects machines to machines • shares data that machines create What’s new in internet? Public 3
- 4. 4 Restricted What is the Internet of Things? internal 4 Source: Vivante
- 6. 6 Restricted IoT example SoC (System on Chip ) Power management Communication
- 7. 7 Restricted Security is all about the chip 7 Memory Interfaces CPU Test logic Geometry LayoutSpeed Security features
- 8. 8 Restricted SOFTWARE COMPLEXITY IN AUTOMOTIVE Lines of Code
- 9. 9 Restricted 1. What is IoT? 2. Is IoT security important? 3. Case study 4. What’s next? Outline
- 10. 10 Restricted Is IoT security important? Remote car hijack Identity theft Medical device disturbance Premium content theft Smart lock bypass
- 12. 12 Restricted How does Information Security work? How to protect? • Cryptography • Access control What to protect? • Confidentiality • Integrity • Availability Primary targets For attackers
- 13. 13 Restricted Are IoT devices sensitive to attacks? • Fast growing market with new unexperienced entrants • Operate in an uncontrolled (hostile) environment • Pressure on time-to-market and cost
- 14. 14 Restricted How does an attacker get access? 14 Find the key or Break the lock Public
- 15. How do attackers work?
- 16. 16 Restricted 1. What is IoT? 2. Is IoT security important? 3. Case study 4. What’s next? Outline
- 17. 17 Restricted Case study: IoT camera • IoT camera bought from China • 17 euros • Many features • Wi-Fi connection • 2-way audio • HD image • Motors for rotating the camera • IR light for night imaging • Logs data to microSD card • Phone app for Android & iOS • …. What can go wrong?
- 18. 18 Restricted Let’s look inside… Let’s open the camera and identify interfaces
- 19. 19 Restricted Inspecting the PCB… Let’s open the camera and identify interfaces Google + a bit of RE: • Ingenic T10 SoC • Heart of the system • MediaTek MT7601 SoM • Wifi comms • DoSilicon FM25Q64A • Storage for OS (linux) • Atmel AT24C02 I2C flash • Storing camera model • MAC address • Transistor array • Powering the motors
- 20. 20 Restricted We found a way in…. • Most embedded systems still have a UART • Of course, this camera too UART TX UART RX
- 21. 21 Restricted This camera prints all sorts of debug information through serial port • Ports of the camera, configuration files… • Users of camera • And passwords • Wifi configuration • SSID + password Oops??!!
- 22. 22 RestrictedINTRODUCTION Demo video from internet: How to configure this camera
- 23. 23 Restricted This camera prints all sorts of debug information through serial port • Even the configuration of the SSID from youtube videos Oops??!!
- 24. 24 Restricted Can we also get access to the OS? Camera has a root password for Linux But all cameras have the same root password This thing has U-boot: can we still boot? • Stop u-boot procedure (hit any key), and print bootargs using printenv • Then append to the bootargs init=/bin/sh : $ setenv bootargs 'console=ttyS1,115200n8 mem=39M@0x0 ispmem=5M@0x2700000 rmem=20M@0x2c00000 init=/linuxrc rootfstype=squashfs rw root=/dev/mtdblock2 rw mtdparts=jz_sfc:256k(boot),2176k(kernel), 3584k(rootfs),2176k(system) init=/bin/sh' • $ boot And you boot without password
- 25. 25 Restricted Can we recover the password? Reverse engineering on several cameras show they all have same configuration Interesting files: • /etc/password root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh • /etc/shadow does not exist hash above is a MD5 hash collision fun Use any password cracking program to crack the salt$hash string (or google the string) ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0 = md5(“ybdHbPDn” + “hslwificam”) We have the root access password on all cameras
- 26. 26 Restricted Can we get access to other services? We have local root: let’s login and see what is the camera exposing to internet… Telnetd is running: default backdoor on all cameras But wait… there is a RTSP port in 10554 published by the camera… What happens if you try to access it directly? rstp://ip.of.the.cam:10554/tcp/av0_0 User: admin, no pass == access camera stream And in port 81: http / ONVIF interface (you can even move the camera) We can listen in to video broadcasted by all cameras of this type
- 27. 27 Restricted So, where are the cameras? Can we go global? Let’s search for http header strings in Shodan.io • Loads of cameras connected • Thousands of houses offer free spying…
- 29. 29 Restricted Attack recap Camera security fully bypassed & backdoor for free • These cameras are used typically as baby monitors: privacy violation • Linux system: can be used for illicit activities, e.g. bitcoin miners • IoT botnet Mirai almost brought down DNS in parts of the world Case 1: consequences HW attack: Serial port reveals root password Found telnet: users & config exposed Access remotely video stream & all config
- 30. 30 Restricted Lessons learned Takeaway 1: bad security practices + hardware attack == scalability • Use hardened OS, close ports, protect services • Need unique passwords • Run firewalls Takeaway 2: flawed IoT devices == stepping stone for bigger attacks • It’s not just about the device itself, the eco system is at risk Takeaway 3: proper security is not free • Independent review and testing really helps exposing weaknesses and improve security
- 31. 31 Restricted 1. What is IoT? 2. Is IoT security important? 3. Case study 4. What’s next? Outline
- 32. 32 Restricted When should we fix our bugs? • Cost of fixing goes rapidly up • Prevention is better than cure Source: NASA, IBM
- 33. 33 Restricted EU CYBERSECURITY ACT • European cybersecurity certification • Certificates valid in all EU countries • Certification will be voluntary, unless ... • Verify data confidentiality and integrity • Assurance levels: • Basic documentation review • Substantial functional security testing • High penetration testing
- 34. 34 Restricted How to make a secure product? • Training increases security awareness and brings security capabilities • Secure development is about secure process, design, and coding • Certification involves testing and provides assurance that the product is secure • Maintenance keeps an evolving product secure CertificationTraining MaintenanceSecure development Market introduction
- 35. 35 Restricted Riscure support for making secure products • Training & Coaching • Tools for code analysis & security penetration testing • Evaluation & Certification
- 36. 36 Restricted • IoT will be everywhere • Software is getting huge and hard to verify • Security no longer a nice-to-have • Certification needs secure development • Solutions exist to make better products Takeaways
- 37. 37 Restricted Riscure B.V. Frontier Building, Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 www.riscure.com Riscure North America 550 Kearny St., Suite 330 San Francisco, CA 94108 USA Phone: +1 650 646 99 79 inforequest@riscure.com Riscure China Room 2030-31, No. 989, Changle Road, Shanghai 200031 China Phone: +86 21 5117 5435 inforcn@riscure.com Challenge your security