NANOG 69: Security Track

Transcription

1 Embedded devices (aka IoT) as a community problem Moderator: Krassimir Tzvetanov

2 Disclaimer In order to foster an open discussion all of the presenters are going to share their personal opinion which may not be the one of their current employer This is not a Mirai talk

3 Agenda Ongoing issues with embedded devices - CPE, IoT, etc. Numbers of infected devices? Potential for new infections? Mutations? What are the security vendors doing to improve the situation? Do we see discrepancy in the response between different vendors? What are the service providers doing? What should be the government/regulator's involvement?

4 Vendors Ongoing issues with embedded devices - CPE, IoT, etc. Why do we keep on seeing the lack of best practices? Why do we keep on seeing poor vendor response or no response? What are the CPE/IoT vendors doing to improve the situation? Do we see discrepancy in the response between different vendors?

5 Service providers What are the service providers doing? Methods of mitigation of active attacks? Proactive approaches? Working with the vendors?

6 Regulators and government What should be the government/regulator's involvement? Can this be resolved through regulatory means? If yes, why? If not, why?

7 Presenters Tim April Ron Winward Paul Ebersman Allan Friedman Christian Dawson Jesse Sowell

8 Next presenter

9 Tim April Sr. Security Akamai tapril@people.ops-trust.net Researches and Responds to threats against Akamai and the Internet

10 The S in IoT is for Security. [1] 1: NANOG 69: Security Track

11 Nothing new BASHLITE (Gafgyt, Lizkebab, Torlus and LizardStresser) [1] Internet Census of 2012 [2] Linksys 2009 (CVE , default user/password) Many others

12 Next presenter

13 Ron Winward Security Evangelist, Radware ron.winward@radware.com

14 6.4 Billion Connected Things in 2016

15 IoT market penetration : internet-users/

16 FTC Takes D-Link to Court Jan 5, 2017 D-Link failed to take reasonable steps to secure its routers and IP cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. D-Link promoted security: Easy to secure & Advance network Security D-Link did not address well-known security flaws: Hard-coded credentials (guest/guest) Command injection software flaw Mishandling of private key to sign D-Link software Key left openly available on public website for 6 months D-Link mobile app leaves users login credentials unsecured in clear, readable text on the device

17 IoT Manufacturer Security Recommendations Need for a rearchitected, purpose-built embedded IoT software platform with: Robust and easy OTA (Over The Air) updates Require (at least allow) user to change default admin username & pass Disable unnecessary services by default (telnet, SSH, smb, FTP) Do not run webserver as root, run it chrooted Do not keep hidden backdoors they will be discovered! Avoid UPnP-IGD (Internet Gateway Device) Protocol Enforce strong password and use strong cryptographic hashes to store them Hardening of OS and all communications stacks (IP, Bluetooth) Create a vulnerability disclosure program, consider bug bounty program

18 Next presenter

19 Paul Ebersman DNS Comcast Paul_Ebersman@comcast.com

20 Challenges ISPs can t mandate Lowest price wins Simple over secure Lousy default configs and passwords Not auto-update

21 Issues with IoT devices Bugs (time-b.netgear.com anyone?) ID ing w/nat: Who s got the penny? Malware/infection Amplification attacks Can t ACL against yourself Can t upgrade or patch

22 What can ISPs do? BCP 38/84, DOCSIS SAV on Beat on vendors customer links/peering points Name and shame? Filter customer ports ala: Discounts for vetted gear? internet/list-of-blocked-ports/ Clean up DNS, SNMP, NTP, etc. reflectors 1 st Tier and customer education UUCP?

23 Next presenter

24 Allan Friedman National Telecommunications & Information Administration (Dept. of Commerce) Failed cryptographer, failed economist, failed professor, current technocrat. How can we use voluntary, industry-led practices to address botnets and network-based risks?

25 Building on Existing Work The vast majority of security work has been industry-led. Government can play some role: 2012 Industry Botnet Group, led by the White House NTIA s Multistakeholder work Government as the catalyst, bridging across sectors Vulnerability Research Disclosure IoT Patching Transparency Is there further work we can do to bring different parts of the ecosystem

26 Next presenter

27 Christian Dawson Executive Director, Internet Infrastructure Coalition (i2coalition) Former President of web hosting company ServInt, which operates three data centers How important is it to be part of the discussion of how governments set network cybersecurity requirements?

28 Today s Cybersecurity Standards have mostly been derived from partnership with industry. are based on voluntary adherence to policy frameworks, notably the NIST Cybersecurity Framework (NIST CSF). are based on existing standards, guidelines, and practices. require regular interaction with legislative officials to maintain, and to steer clear of disruptive alternatives.

29 Next presenter

30 Jesse Sowell Organization affiliations: Postdoctoral Cybersecurity Fellow, Stanford University Center for International Security and Cooperation Senior Advisor, M3AAWG Problem: Like Internet security, IoT security requires both technical and coordination (governance) mechanisms to effectively incent changes in the market for not only functional, but secure, devices Who can contribute to creating these incentives?

31 IoT Security and Governance Emerging state of IoT manufacturing high clockspeed industry + commodity components + low margin market failure for IoT security features Easy to blame IoT manufacturers, but responsibility is distributed collective action problem, notoriously difficult in any context who are the broader market participants? components, assembly, distribution, wholesale, resale, deployment Questions (for the panel and audience): Where along this value network can we incent better security features? Who in the broader market can create economic pressure on which points in the value network?

32 Open discussion 1. Approach a microphone 2. State your name 3. If you a representing an organization, please, announce its name as well

33 Thank you!