Fun with IoT

Fun with IoT

Fun with IoT

Fun with IoT

Fun with IoT

[...]
require 'net/telnet'

coffee_machine_ip = '10.10.42.42'
password = '1234'
password_prompt = 'Password: '
delay_before_brew = 17
delay = 24

sleep delay_before_brew
con = Net::Telnet.new('Host' => coffee_machine_ip)
con.cmd('String' => password, 'Match' => /#{password_prompt}/)
con.cmd('sys brew')
sleep delay
con.cmd('sys pour')
con.close

Fun with IoT

(Not) Fun with IoT

(Not) Fun with IoT

(Not) Fun with IoT

(Not) Fun with IoT

(Not) Fun with IoT

What Drives the Modern Day Attacks?

What Drives the Modern Day Attacks?

IoT Ransomware

"Devices from pacemakers to cars could be rendered useless by ransomware infections"

IoT Ransomwear

IoT Ransomware

"Attackers held an Austrian hotel network for ransom, demanding $1,800 in bitcoin to unlock the network."

"Romantik Seehotel Jägerwirt did indeed fall victim to ransomware that affected its electronic key system--by preventing the hotel from generating new key cards."

It's about the IoT Ecosystem!

Customize My Pal Violet to say out your child's name!

IoT Data Breach

"A cyber attack on digital toymaker VTech Holdings exposed the data of 6.4 million children, the company said on Tuesday, in what experts called the largest known hack targeting youngsters."

Press release: Data Breach on VTech Learning Lodge

IoT DDoS

"Mirai-infected devices [...] mostly CCTV cameras [...] Other victimized devices included DVRs and routers."

"Using a hit-and-run tactic, the attack peaked at 280 Gbps and 130 Mpps, both indicating a very powerful botnet."

Mirai Is Still Active

Go play with a Mirai honeypot!

IoT Surveillance

"with access to Samsung Smart TVs, allowing a television’s built-in voice control microphone to be remotely enabled while keeping the appearance that the TV itself was switched off, called “Fake-Off mode.” Although the display would be switched off, and LED indicator lights would be suppressed, the hardware inside the television would continue to operate, unbeknownst to the owner."

"In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials."

Avoid Problems Repeatedly Seen in IoT Devices

• Use SSL for connections to the IoT device or the cloud
• Provide mutual authentication between the client and the server
• Enforce and use strong passwords
• Support 2FA for IoT cloud interfaces
• Protect against account harvesting, and implement account lockout
• Proper vulnerability management, and actively patch vulnerabilities found or reported
• Provide signed or encrypted firmware updates

Insecurity in the Internet of Things

Review the OWASP Internet of Things Top Ten Project

• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Fireware
• I10 Poor Physical Security

Internet of Things Top Ten

Review the OWASP Internet of Things Top Ten Project

• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Fireware
• I10 Poor Physical Security

Internet of Things Top Ten

3 demos

Questions to ask 🤔

What's the insecurity?

Why should we care?

What's the fix?

People 🕵🏻👩🏾‍🔧👨🏻‍💻👩🏼‍🏭

security researcher

home owner

engineer / product manager

Demo A

I3 Insecure Network Services

Choose WiFi ISSS614 🔊

Go to URL lamp.local on 📱 💻 🖥

Demo A: What's the insecurity?

• insecure open WiFi

Demo A: Why should we care?

• cannot rely on device owner's network

Demo A: What's the fix?

• Use WPA2 encrypted WiFi
• Change router's default password
• Use devices on a separate home network

Demo B

I1 Insecure Web Interface

Choose WiFi ISSS614 🔊

Go to URL lamp.local on 📱 💻 🖥

Access oven and sniff packets

Demo B

I4 Lack of Transport Encryption

Choose WiFi ISSS614 🔊

Go to URL lamp.local on 📱 💻 🖥

Access oven and sniff packets

Demo B: What's the insecurity?

• username and password are send over clear text

Demo B: Why should we care?

• private data being sniffed

Demo B: Why should we care?

• decryption key + handshake capture = possible snooping

Demo B: What's the fix?

• use TLS / HTTPS

Demo C

I2 Insufficient Authentication/Authorization

Go to URL https://lamp.local on 📱 💻 🖥

Access oven and scan for devices

Demo C: What's the insecurity?

• default username and password
• full control of the device

#!/bin/bash

while true; do
  echo 0 > /sys/class/gpio/gpio18/value
  sleep 5
done
				

Demo C: Why should we care?

• physical infrastructure compromised

Demo C: What's the fix?

• force users to change default login
• have a mechanism to remotely update

Developing IoT products

• work with security researchers from day 1
• build a mechanism to remotely update firmware
• never rely on the security of device's network
• interoperability is challenging
• unique default password for every device
• use state of the art encryption
• design to limit the scope of damage