POČÍTAČOVÁ OBRANA A ÚTOK - POU JIŘÍ ZNOJ

Transcription

1 Fakulta elektrotechniky a informatiky Vysoká škola báňská - Technická univerzita Ostrava IoT security POČÍTAČOVÁ OBRANA A ÚTOK - POU JIŘÍ ZNOJ

2 Internet a vast computer network linking smaller computer networks worldwide. The Internet includes commercial, educational, governmental, and other networks, all of which use the same set of communications protocols. dictionary.com Tim Berners-Lee, a British scientist at CERN, invented the World Wide Web (WWW) in 1989

3 Internet World Internet Users and 2018 Population Stats World Regions Population ( 2018 Est.) Population % of World Internet Users 31 Dec 2017 Penetration Rate (% Pop.) Growth Internet Users % Africa 1,287,914, % 453,329, % 9,941 % 10.9 % Asia 4,207,588, % 2,023,630, % 1,670 % 48.7 % Europe 827,650, % 704,833, % 570 % 17.0 % Latin America / Caribbean 652,047, % 437,001, % 2,318 % 10.5 % Middle East 254,438, % 164,037, % 4,893 % 3.9 % North America 363,844, % 345,660, % 219 % 8.3 % Oceania / Australia 41,273, % 28,439, % 273 % 0.7 % WORLD TOTAL 7,634,758, % 4,156,932, % 1,052 % % Czech Republic 10,555,130 9,323, %

4 Internet The Indexed Web contains at least 4.51 billion pages (Saturday, 07 April, 2018). The size of the internet is predicted to be 1yb [yottabyte] or 1,000,000,000,000,000 gb (1 quadrillion gigabytes).

5 Things from Internet of Things (IoT) A thing, in the context of the Internet of things (IoT), is an entity or physical object that has a unique identifier, an embedded system and the ability to transfer data over a network. - internetofthingsagenda.techtarget.com Transform chair into a smart chair unique identity ability to communicate senses (Sight, Hearing, Taste, Touch, Smell) machines, vehicles could be controled from enywhere in the world person with a heart monitor implant farm animal with a biochip transponder automobile that has built-in sensors to alert the driver when tire pressure is low any other natural or man-made object that can be assigned an IP address and provided with the ability to transfer data over a network.

6 IoT (Internet of Things) a network of everyday devices, appliances, and other objects equipped with computer chips and sensors that can collect and transmit data through the Internet. dictionary.com Internet (Million of Web Services) + Things (Billions of sensors, motors, displays, toys, cars, robots, ) system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. Kevin Ashton first mentioned the Internet of Things in 1999

7 IoT - Examples

8 IoT - prediction World people population billion Washington Post and Consumer Reports 2017 Holiday Tech Gift Guide where at least 12 out of 17 gifts were IoT devices.

9 IoT - prediction

10 IoT - prediction

11 IoT - prediction

12 IoT - prediction Avast: With IoT growth predicted to more than triple by 2025 to over 75 billion connected things Gartner: typical home could contain more than 500 smart devices by 2022 Dutch Government Invest in security of Internet of Things

13 IoT IPv6 adoption is just a matter of time scalability (number of adresses) Solving the NAT barrier Multi-Stakeholder Support (end devices can have multiple addresses)

14 IoT - technologies Wi-Fi low-energy Bluetooth NFC RFID NFC is a subset of RFID technology NFC tags are short range (up to 4 inches / 10cm), RFID tags can be scanned from a greater distance of up to 300 feet (100 meters) NFC is capable of two-way or P2P communication You can scan multiple RFID tags at once, but only one NFC tag at a time

15 IoT - technologies ZigBee Z-Wave 6LoWPAN

16 IoT - used technologies LPWAN Technologies (low-power wide-area networks) LoRa SigFox 7% of all identified IoT projects make use of the new and upcoming LPWA connectivity technology

17 IoT - used technologies

18 IoT - used technologies

19 IoT Security Market Also, the global IoT market is expected to grow from $655.8 billion to $1.7 trillion in 2020

20 IoT Cybersecurity Risk 600 percent increase in overall IoT attacks in 2017 Cybersecurity Risk = threat vulnerability consequence threat location, motivation (financial, political, competition) vulnerability user names consist of an employee s first and last name, no 2fa, password consequence - loss of sensitive data, physical damage, company name

21 IoT Security on four different levels

22 IoT Security on four different levels developing secure end-to-end IoT solutions requires approach that involves multiple levels and fuses together important security features across four layers even if your smart hub is secure, never forget that the devil is in the details: a tiny thing such as a light bulb could serve as an entry-point for hackers Always change the default password Don t share serial numbers, IP addresses and other info

23 IoT Security on Device Layer the physical thing or product (HW and SW) Software verification and authentication today largely rely on the public key infrastructure (PKI) encryption and certificate scheme. With a private key, the vendor signs his data or his executable file. Effective and secure connectivity must be powered by a smart device able to handle security, encryption, authentication, timestamps, caching, proxies, firewalls, connection loss, etc.

24 IoT Security on Device Layer

25 chip security IoT Security on Device Layer Trusted Platform Module (TPM), a hardware-based root of trust secure booting to ensure only verified software will run on the device physical security protection against attackers with physical access to the device

26 stores RSA encryption keys specific to the host system for hardware authentication IoT Security on Device Layer - TPM Hardware security modules (HSM) are tamper-resistant devices that can securely generate, store and use pairs of keys. A subset of hardware security modules is the Trusted Platform Module (TPM) EK RSA key pair, not accessible by SW SRK created when user or admin takes ownership of the system generated from password and EK AIK protects device agains unauthorized fw and sw modification

27 IoT Security on Device Layer Even the security chip on a credit card, a very low-resource device (as little as 4,000 bytes of storage, for example), has some built-in hardware security and cryptography Another thing that Internet of Things devices do, is that some of them ask for more permissions than they need to. Each extra permission in an IoT device adds another vulnerability layer which can be exploited. The fewer permissions, the more secure your device is.

28 IoT Security on Device Layer - TPM Do equipment vendors provide rootkit malware protection? Is the device vulnerable during installation? Are devices regularly tested for malicious rootkits? Does the IoT architecture enable remote testing of firmware? Can regular service procedures of automation devices introduce vulnerabilities? Can we detect rootkit malware problems?

29 IoT Security on Communications Layer

30 IoT Security on Communications Layer sensitive data are trasmitted / recieved over physical layer (WiFi, or Ethernet) networking layer (IPv6, Modbus or OPC-UA) application layer (MQTT, CoAP or web-sockets) unsecure communication channels can be susceptible to man-in-the-middle attacks or similar.

31 IoT Security on Communications Layer Data-centric security solutions data is safely encrypted while in transit (and at rest) except users (person, device, system, or app) who have encryption key Firewalls and intrusion prevention systems examine traffic flows to detect unwanted intrusions and prevent malicious activities on the communication layer it is usually a bad idea to allow a connection from the Internet to the device software on the device acts as a server, that only communicates with the cloud and does not allow anyone to connect With correct labeling, each message can be handled according to the appropriate security policy different access controlls to different types of messages

32 IoT Security on Communications Layer Can we patch devices remotely? Does IoT architecture limit the damage of unauthorised intrusions? Can third party testing play a role? How should I protect against edge vulnerabilities? Are there unintended linkages across segments of a large IoT system? When should data be stored on the device or the cloud? Which data elements need encryption and to what level? What types of firewalls are used in the IoT cloud? Does the business have the correct culture to address IoT security risks?

33 IoT Security on Cloud Layer

34 IoT Security on Cloud Layer Cloud is software backend of the IoT solution where are data from devices received, analysed and interpreted to generate informations and perform actions Cloud providers are expected to deliver secure and efficient cloud services by default

35 IoT Security on Cloud Layer Sensitive information stored in the cloud (i.e., data at rest) must be encrypted Verify the integrity of other cloud platforms or third party applications that are trying to communicate with your cloud services Digital certificates can play a key role for identification and authentication people usually use password, in some cases 2FA (password + 1-time password generator) devices use certificates, can encrypt channel device cloud

36 IoT Security on Management Layer

37 IoT Security on Management Layer ensuring security from manugacture, through installation to liquidation except security by design, in a life cycle, there is need for policy enforcement regular auditing vendor control

38 IoT Security on Management Layer activity monitoring track, log, detect suspicious activity regular security patches secure remote control send commands to a device is a very powerful, sensitive feature need for update software, resetting device, new config, new functionality, Bugs in software -- even old and well-used code -- are discovered on a regular basis, but many IoT devices lack the capability to be patched, which means they are permanently at risk The key to secure updates and remote control is to ensure that a device does not allow incoming connections (Communication Layer), yet has a bi-directional connection, is correctly secured (Device Layer), uses a message switch as the communications channel (Management Layer) and is correctly implemented

39 IoT Security on Management Layer Can maintenance processes introduce new vulnerabilities? Are access and privilege levels correct for an IoT implementation? Are updates in software or firmware digitally signed or authenticated?

40 IoT top 10 issues 1 Insecure Web Interface 2 Insufficient Authentication/Authorization (default password 1234, admin, ) 3 Insecure Network Services (Telnet, FTP) 4 Lack of Transport Encryption 5 Privacy Concerns 6 Insecure Cloud Interface 7 Insecure Mobile Interface (wireless access points) 8 Insufficient Security Configurability (password policy, data encryption, different levels of access) 9 Insecure Software/Firmware (update encryption) 10 Poor Physical Security

41 IoT Types of IoT attackers

42 IoT Internet of Things botnet

43 2016 IoT botnet Mirai more than half a million smart home devices (such as DVRs, CCTV cameras, routers and printers) were used to conduct a series of large-scale DDoS attacks. (In 2014 a large botnet would have devices) The botnet, using primarily compromised webcams, flooded popular websites with up to 1.2 Tbps in the largest distributed denial of service attack ever recorded ( ) Cisco: average DDoS attack size is increasing steadily and approaching 1.2 Gbps and globally the number of DDoS attacks greater than 1 Gbps grew 172% in 2016 and will increase 2.5-times to 3.1 million by 2021 for example Twitter, Spotify, and Airbnb wasn t accessible

44 IoT botnet Mirai IP addresses of Mirai-infected devices were spotted in 164 countries Vietnam: 12.8% of Mirai botnet IPs

45 IoT botnet Mirai Name Password Name Password Name Password root xc3511 admin smcadmin root jvbzd root vizxv admin 1111 root anko root admin root root zlxx. admin admin root password root 7ujMko0vizxv root root 1234 root 7ujMko0admin root xmhdipc root klv123 root system root default Administrator admin root ikwb root juantech service service root dreambox root supervisor supervisor root user root guest guest root realtek support support guest root 0 root (none) guest admin admin password admin1 password admin 1234 root root administrator 1234 admin root admin user user admin admin (none) ubnt ubnt admin 7ujMko0admin root pass root klv1234 admin 1234 admin admin1234 root Zte521 admin pass root 1111 root hi3518 admin meinsm tech tech mother f***er [censored]

46 IoT botnet Mirai botnet picture video Stop using default/generic passwords. Disable all remote (WAN) access to your devices. scan the following ports to verify if your device has opened following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443) you can use this tool

47 IoT botnet Mirai

48 IoT DDoS 2016 Dyn cyberattack attack on web-domain provider Dyn It's unclear whether Mirai is the only botnet being used in the incident.

49 IoT botnet Mirai The source code for Mirai has been published in several hacker forums as opensource. Since the source code was published to the public, the techniques have been adapted in other malware projects. In 2017 a new version of the famous Mirai botnet appeared, to mine cryptocurrencies.

50 IoT botnets in April 2017 Hajime botnet compromised more than 300,000 devices - its purpose remains unknown according to an article published in April 2017, more than 1,000 IP camera models by 354 different vendors had a dangerous vulnerability in the built-in web server. in October 2017 was discovered botnet Reaper - there may be up to two million vulnerable devices. It could become cyberweapon in 2018 we can expect not only IP cameras, but other devices too will envolve into zombie IoT networks

51 IoT entry point to penetrate networks Compromised IoT devices used as an entry point to penetrate the IT and OT network perimeter. IoT devices can be used to penetrate a well-protected network There is evidence that video surveillance systems, as well as other IoT systems, have already been used in targeted attacks

52 IoT Attacks via shared technologies Attacks via shared technologies technologies: ARM CPU architecture Linux OS MQTT (Message Queuing Telemetry Transport) - publish-subscribe-based messaging protocol

53 IoT app device s user interface social engineering dictionary or brute force (nearly 60% of users reuse the same password) encryption storing more info than needs Buffer overflows This happens when a device tries to store too much data into a temporary storage space

54 IoT Vulnerability exploitation Every software has its vulnerabilities Code injection, Cross Site Scripting,

55 IoT Malware attacks

56 IoT Malware attacks - ransomware IOT ransomware ransomware attacks can be very lucrative for cybercriminals we can expect targeting IoT systems, such as smart building components, elements of smart city or public transit infrastructure in many ways todays attacks are similar to early attacks on IT (relativly unsophisticated)

57 IoT new way to traditional crime Penetration of Internet of Things technologies into the sphere of traditional crime Data from IP cameras, smart home, smart city devices can be used to plan and coordinate traditional (non-cyber) crimes Hacking into the sensors controlling the temperature in a power station could trick the operators into making a catastrophic decision; taking control of a driverless car could also end in disaster

58 IoT Smart home

59 IoT Spying In October 2017 internet connected smartwatches for children have been found to contain security vulnerabilities which allow hackers access to track wearer's location eavesdrop on conversations even communicate with the child user. Share is not okay Hackers and scammers Repeatly being targeted by companies It is creepy to be monitored all the time Secondary motives when collecting data Sharing data is okay Free services offered in return for your data Improvement of social and commercial interactions

60 IoT Preparing for the future Windows 95 support until in 2001 Windows 2000 support until in 2010 Windows XP support until in 2014 Windows Vista support until 2017 Windows 7 support until 2020 Windows 8 support until 2023 Windows 10 support until 2025

61

62 IoT Preparing for the future Microsoft ended Skype support for older Windows Phone

63 IoT Preparing for the future Samsung never bothered updating the fridge After two years, that fridge was apparently out of date and no longer supported

64 Solution: IoT Preparing for the future My parents have a fridge 20 years If this fridge would be smart, it will not receive security update Who would provide update for a product that old? Could you buy something (the same model) the same as 20 years ago?

65 IoT Spying - Smart TV Smart TV can track what you watch listen to conversations watching you what can you do to prevent spying disable smart interactivity feature use Apple TV, Amazon Fire Tv, ChromeCast, Nvidia Shield TV, Roku instead - they're designed by people with a clue about security disconnect it from your local network, don t set your Wi-Fi password don t buy smart TV

66 IoT apocalyptic scenarios Smart locker doesn t unlock, smart heating is not working, smart alarm goes crazy, TV shows video of you from yesterday, your smart car is gone Your smart home was hacked, or your unlocked smart phone was stolen Addiction to technologies can t exist without internet, electricity Vendors, advertisements Metadata, government power in wrong hands

67 IoT World Economic Forum report The World Economic Forum recently commissioned a report to create a set of guidelines, designed for board-level use, that address the challenges and risks of cyber security in emerging markets based on hyper-connected technologies

68 IoT Open Web Application Security Project (OWASP) The IoT Attack Surface Areas Project Vulnerabilities mware_analysis

69 IoT hopeful IoT security bill minimum security requirements for federal procurements of connected devices The legislation requires vendor commitments: That their IoT devices are patchable. That the devices don t contain known vulnerabilities. That the devices rely on standard protocols. That the devices don t contain hard-coded passwords.

70 IoT hopeful IoT security bill EU lawmakers want create rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy. Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure

71 IoT attacks examples In 2015, a UK based telecom and internet provider Talk Talk were subject to several cyber security breaches where customers data was exposed as it was stored unencrypted in the cloud The firm has announced that millions of people have had their credit card and bank details stolen In 2015, a hacker was able to raise the dosage limit on medication delivered to patients through a Hospira drug infusion pump The Uber data breach which took place in October 2016 and exposed the data of 57 million customers and drivers Uber said that it had paid hackers $100,000 to destroy data