2017 March ISACA Security Challenges with the Internet of Things - Eric Vanderburg

© 2017 JURINNOV, LLC All Rights Reserved. Security Challenges with the Internet of Things ISACA MARCH 2017 ERIC VANDERBURG DIRECTOR, CYBERSECURITY JURINNOV, A TCDI COMPANY

Upload: eric-vanderburg

Post on 22-Jan-2018


Page 1: 2017 March ISACA Security Challenges with the Internet of Things - Eric Vanderburg

© 2017 JURINNOV, LLC All Rights Reserved.

Security Challenges with the Internet of Things

ISACA MARCH 2017

ERIC VANDERBURG

DIRECTOR, CYBERSECURITY

JURINNOV, A TCDI COMPANY

Topics

• Overview

• Uses

• Challenges

• Strategies

IoT security statistics

• 93% of IoT early adopters are concerned about IoT security - Global IoT Report 2017 from IoT Works

• 6.4 billion IoT devices in use today and 5.5 million added per day - Gartner

• 85% of enterprises intend to deploy IoT devices, but only 10% feel confident in the security of those devices - AT&T Cybersecurity Insights Report

Uses of IoT

IoT will be everywhere in the future, and it is already where you don’t want it

Where is IoT

• Camera systems

• Cars

• Car apps with minimal security

• Many vulnerabilities identified

• Unencrypted credentials

• Lack of integrity checks

• Outdated communication protocols

• Few actually exploited

Where is IoT?

• Factories

• Programmable Logic Controllers (PLC) for robotic systems

• Industrial control systems

• Smart meters

• Smart homes

• Animals and humans

IoT Toys

Toys are connected to the Internet/cloud to:

◦ Learn

◦ Exchange data with friends

◦ Obtain software updates

◦ Allow for online customization

◦ Obtain data on surroundings

Targeted to get data on users

Used for surveillance

Good information for thieves

IoT Challenges

• DDoS

• Ransomware

• Surveillance

• Backdoors

• Data breaches

• Botnets

IoT and DDoS

Protecting people, places, and assets

October 21, 2016

Internet hosting provider OVH was faced with a 1Tbps DDoS attack

Botnet was entirely comprised of CCTV cameras

Home routers and IP cameras turned into a botnet.

Botnet was used to launch DDoS attacks against the Dyn DNS system targeting sites such as Twitter, Spotify, Amazon, Reddit, Yelp, Netflix, and The New York Times.

September 22, 2016

September 13, 2016

Krebs on Security was hit by a 665Gbps DDoS attack

The site was protected by Akamai, a company that specializes in protecting sites from attacks

DDoS statistics

• About 75% of global organizations have been victims of a DDoS attack - Neustar

• 3,700 DDoS attacks occur every day - CSO

• Malicious code for DDoS botnets has been found in up to 600,000 IoT devices - PC World

Effects of a DDoS attack

• Entire shutdown of a small country’s internet capability

• Temporary outage of backbone DNS servers

• Specific attacks can easily take down a single site

Defense strategies

• Vulnerability scanning

• Quarantining until remediation

• Review vendor vulnerabilities, firmware release notes, and history. Do they have a track record of resolving vulnerabilities in a timely manner?

Defense strategies

• Change default credentials

• Use strong passwords

• Update firmware regularly

• Turn off unused features

IoT and Ransomware

Protecting your credentials and identity

IoT and Ransomware

• TV

• Phone

• Refrigerator

• Locks

• Smart home devices (lightbulbs, plugs, etc.)

• Automated cars

IoT ransomware news

• A hotel in Austria had its system compromised, which locked guests out of their rooms until a ransom was paid.

Easy Ransomware Targets

• Many devices use an Android or Linux variant.

• Software updates are infrequent or nonexistent.

• Many users do not change default credentials

• If credentials are present they are usually simple

Stats

• Hundreds of new ransomware variants just this year (over 400% increase since 2015)

Variants named on the slide: KeRanger, PayCrypt, JobCryptor, HiBuddy, HydraCrypt, Vipasana, Umbrecrypt, LOCKY, CryptoJocker, Nanolocker, LeChiffre, Magic, Ginx, 73v3n, Mamba, HDDCryptor, SAMSAM, Powerware, Petya, Jigsaw, Cerber, Radamant, Rokku

Ransoms

• Ransoms range from 0.5 – 5 bitcoins

Bitcoin valued at 767 USD or 719 EUR as of December, 2016

Ransoms for organizations are far more

Highest value targets

• Banks

• Hospitals

• Universities

• Government Agencies

IoT and Surveillance

Protecting your credentials and identity

Surveillance

• Android devices such as Android TVs or cars are vulnerable.

• Not updated as often nor as easily

• The TV can be off, but the camera and mic are still functioning

Surveillance

• CIA tools

• Weeping Angel – monitors conversations from TVs

• Malware injected into Huawei, ZTE and Mercury routers

• The tools developed are not shipped with the devices but must be installed by physical media

• The tools do not have the capability to install themselves remotely

Mark Zuckerberg is concerned

What about you?

January 2017

CIA hacking tool documentation leaked on WikiLeaks

The FDA announced that cardiac monitoring devices have vulnerabilities that allow them to be hacked.

March 2017

Connected AI

• Siri, Alexa, Cortana, etc.

• All requests sent to an AI are recorded

• These recordings may potentially be kept indefinitely

• It can record every word heard even if the AI is not in use at the time

Many IP cameras are easily accessible

Default credentials

No password

No firewall

Pierre Derks and restreaming reality

IoT Backdoors

Is IoT the network’s weakest link?

Notable backdoors

• 80 models of Sony cameras allow backdoor access for complete control of the device

• Nearly all DblTek VoIP devices have root backdoor access

• Some Samsung, LG, Asus, and Lenovo devices might be sold with a Trojan or ransomware preinstalled

Devices potentially with backdoors preinstalled

• Galaxy Note 2

• LG G4

• Galaxy S7

• Galaxy S4

• Galaxy Note 4

• Galaxy Note 5

• Xiaomi Mi 4i

• Galaxy A5

• ZTE x500

• Galaxy Note 3

• Galaxy Note Edge

• Galaxy Tab S2

• Galaxy Tab 2

• Oppo N3

• Vivo X6 plus

• Nexus 5

• Nexus 5X

• Asus Zenfone2

• Lenovo S90

• Oppo R7 plus

• Xiaomi Redmi

• Lenovo A850

Recent backdoor firmware found November 2016

AFFECTED DEVICES

• ZTE

• Huawei

• Blu

• AdUps firmware (on 700 million devices)

WHAT IT DOES

• Sniffs SMS messages and call logs

• Gathers contact information

• Records GPS location data

• Sends data discreetly to China

• Remotely executes malicious code with root privileges

IoT Data Breaches

Data exfiltration from IoT devices

December 2, 2015

CloudPets exposed 2.2 million voice recordings and account info of the 800,000 kids

Data of 6.4 million children breached from Vtech devices.

February 22, 2017

March 13, 2017

US Teledildonics collected sensitive information from IoT adult toys.

Privacy infringement lawsuit settled with claimants.

Predictions

• Forrester predicts more than 500,000 IoT devices will be compromised in 2017

• As adoption increases, so will attacks

What to do

• IoT security needs to be part of the design, not some tacked-on afterthought

• Each part of a device must be examined for potential vulnerabilities

• Have backup systems in place in case an attacker gains access to the device.

IoT Botnets

Mirai

• Botnet program responsible for largest breach in history

• Source code is freely available online

• Only takes about 30 minutes to set up

Botnet Overview

• Bot

  • Program that performs automated tasks

  • Remote controlled

  • AKA: zombie or drone

• Botnet – collection of bots remotely controlled and working together to perform tasks

• Bot herder – bot master

Threat defined – What is done with botnets?

• DDoS

• Spam

• Distribute copyrighted material

  • Torrents

• Data mining

• Hacking

• Spread itself

Life Cycle

Exploit

◦ Malicious code

◦ Unpatched vulnerabilities

◦ Trojan

◦ Password guessing

Rally - Reporting in

◦ Log into designated IRC channel and PM master

◦ Make connection to HTTP server

◦ Post data to FTP or HTTP form

[Life cycle diagram: Exploit, Rally, Preserve, Inventory, Await instructions, Update, Execute, Report, Clean up]

Life Cycle

• Preserve

• Rootkit

• Encrypt

• Polymorph

• Kill security services, firewall or debugging processes

Life Cycle

• Inventory

  • Determine capabilities such as RAM, HDD, processor, bandwidth, and pre-installed tools

• Await instructions from C&C server

• Update

  • Download payload/exploit

  • Update C&C lists

Life Cycle

Execute commands

◦ DDoS

◦ Spam

◦ Harvest emails

◦ Keylog

◦ Screen capture

◦ Webcam stream

◦ Steal data

Report back to C&C server

Clean up - Erase evidence

IoT Security Strategies

Securing IoT, one device at a time

IoT Security Features

• Secure booting

  • Verify software/firmware integrity with digital signatures at startup

  • Start up security processes before networking processes

• Access control

  • Least privilege

• Authentication

  • Require authentication to network before communicating

  • Secure storage of credentials

IoT Secure Development

• Security needs to be “by design” when developing IoT solutions

• Account not only for normal people who put convenience first but also for attackers

• Assume the system will fail and build in countermeasures

IoT Implementation Security

• Segmentation

• Firewall and IPS

• Vulnerability scanning

• Patch management

• Turn it off if you don’t need it

• Know where the data is stored such as in the cloud and how it is secured.
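An added example, not part of the original presentation: one way segmentation and firewall logging can surface the "rally" step of the botnet life cycle (a device reporting in over IRC, HTTP or FTP) and feed the quarantine-until-remediation strategy. The IoT subnet, the allow-list, the flow record format and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed policy (not from the slides): the IoT VLAN and the only
# destinations its devices are expected to reach.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = [
    (ipaddress.ip_network("10.0.5.10/32"), "udp", 123),    # internal NTP
    (ipaddress.ip_network("10.0.5.20/32"), "tcp", 8883),   # internal MQTT broker
    (ipaddress.ip_network("203.0.113.0/28"), "tcp", 443),  # vendor update service
]
# Rally channels named on the life cycle slide: IRC, FTP and HTTP.
RALLY_PORTS = {6667: "IRC", 21: "FTP", 80: "HTTP"}

# Constructed sample flow records: "src dst proto dport bytes_out"
SAMPLE_FLOWS = """\
10.20.0.11 10.0.5.10 udp 123 76
10.20.0.11 203.0.113.5 tcp 443 5120
10.20.0.23 198.51.100.7 tcp 6667 412
10.20.0.23 198.51.100.7 tcp 21 88211
10.20.0.40 192.0.2.99 tcp 80 9300
10.0.9.9 198.51.100.7 tcp 6667 50
not a flow line
"""

def is_allowed(dst, proto, port):
    return any(dst in net and proto == p and port == n for net, p, n in ALLOWED)

def audit_flows(text):
    """Return {device_ip: [finding, ...]} for IoT-segment flows outside policy."""
    findings = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
            proto, port, sent = parts[2].lower(), int(parts[3]), int(parts[4])
        except (ValueError, IndexError):
            continue  # skip malformed records
        if src not in IOT_SEGMENT or is_allowed(dst, proto, port):
            continue
        label = RALLY_PORTS.get(port) if proto == "tcp" else None
        findings[str(src)].append(
            f"{label or 'unlisted destination'} to {dst}:{port}/{proto} ({sent} bytes out)")
    return dict(findings)

def quarantine_list(findings):
    """Devices to isolate until remediated, most findings first."""
    return sorted(findings, key=lambda ip: (-len(findings[ip]), ip))
```

Flows from hosts outside the IoT segment are ignored here because this policy only describes what the segmented devices may do; a default-deny egress rule on the segment would block the same flows this audit reports.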

For more information

216-664-1100

www.jurinnov.com

Twitter: @jurinnov and @evanderburg

1375 Euclid Avenue, Suite 400

Cleveland, Ohio 44115