The Internet of Things. Steven M. Bellovin November 24,

Similar documents
Keys and Passwords. Steven M. Bellovin October 17,

Data Analytics for IoT: Applications to Security and Privacy. Nick Feamster Princeton University

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Restech. User Security AVOIDING LOSS GAINING CONFIDENCE IN THE FACE OF TODAY S THREATS

ANDROID PRIVACY & SECURITY GUIDE ANDROID DEVICE SETTINGS

System Structure. Steven M. Bellovin December 14,

IT-Security Challenges in the Internet of Things. Christian Graffer Product Manager Endian

Internet of Things Toolkit for Small and Medium Businesses

Home Automation: Survivor Privacy Risks & Strategies

Linux in the connected car platform

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Introduction. Read on and learn some facts about backup and recovery that could protect your small business.

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came

NRENs and IoT Security: Challenges and Opportunities. Karen O Donoghue TICAL 2018 Cartagena 4 September 2018

Top 10 Considerations for Securing Private Clouds

Cyber Security Basics. Presented by Darrel Karbginsky

IT SECURITY FOR LIBRARIES PART 1: SECURING YOUR LIBRARY BRIAN PICHMAN EVOLVE PROJECT

AoT: Authentication and Access Control for the Entire IoT Device Life-Cycle

BEST PRACTICES FOR PERSONAL Security

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Smart speakers (like the Amazon Echo shown here), appliances, and equipment connect to the Internet, allowing you to access information using voice

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

HikCentral V1.3 for Windows Hardening Guide

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Train employees to avoid inadvertent cyber security breaches

5 IT security hot topics How safe are you?

PRACTICING SAFE COMPUTING AT HOME

Bark: Default-Off Networking and Access Control for the IoT. James Hong, Amit Levy, Laurynas Riliskis, Philip Levis Stanford University

Protecting the Home Front

A Guide to Closing All Potential VDI Security Gaps

Password Managers: Devil s in the Details

UNLOCKED DOORS RESEARCH SHOWS PRINTERS ARE BEING LEFT VULNERABLE TO CYBER ATTACKS

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

What someone said about junk hacking

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

UNCLASSIFIED//FOR OFFICIAL USE ONLY INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM

Simple and Powerful Security for PCI DSS

How to Improve Your. Cyber Health. Cybersecurity Ten Best Practices For a Healthy Network

HikCentral V.1.1.x for Windows Hardening Guide

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

ClearPath OS 2200 System LAN Security Overview. White paper

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Protecting Smart Buildings

Omar Alrawi. Security Evaluation of Home-based IoT Deployments

PCI Compliance Updates

12. Mobile Devices and the Internet of Things. Blase Ur, May 3 rd, 2017 CMSC / 33210

802-Not-11. The Forgotten Wireless Device Threats. CONfidence 2010 RenderLab.net, Churchofwifi.org, NMRC.org

Meeting 39. Guest Speaker Dr. Williams CEH Networking

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

App Instructions. Quick Start Guide. works with the Google Assistant

Methodology USA UK AUSTRALIA CANADA JAPAN N=1,008 MOE=+/-3% N=1,044 MOE=+/- 3% N=1,028 MOE=+/- 3% N=1,025 MOE=+/- 3% N=1,005 MOE=+/- 3%

Authentication Methods

CSI: VIDEO SURVEILLANCE CONVERTING THE JUGGERNAUT

White Paper The IoT Threat Landscape and Top Smart Home Vulnerabilities in 2018

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

RouterCheck Installation and Usage

Vitheia IoT Services

Securing CS-MARS C H A P T E R

2 User Guide. Contents

Wireless LAN Security (RM12/2002)

Lessons Learned from 4,000 Security Assessments. Sadik Al-Abdulla Security Practice Director, CDW

BUYING DECISION CRITERIA WHEN DEVELOPING IOT SENSORS

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

ANATOMY OF AN ATTACK!

Computer Network Vulnerabilities

PCI Compliance. What is it? Who uses it? Why is it important?

Any conversation about virtualization for small- and medium-sized businesses (SMBs) usually starts around

Application Firewalls

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

How Secured2 Uses Beyond Encryption Security to Protect Your Data

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

Integrated Access Management Solutions. Access Televentures

SECURITY TESTING. Towards a safer web world

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Analyzing Systems. Steven M. Bellovin November 26,

Physical Tamper Resistance

ASERCOM cyber-security guideline for connected HVAC/R equipment

Legal Issues Surrounding the Internet of Things and Other Emerging Technology

Outline Key Management CS 239 Computer Security February 9, 2004

Communication Models in Internet of Things: A Survey

Resilient IoT Security: The end of flat security models

Security Automation Best Practices

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

John Coggeshall Copyright 2006, Zend Technologies Inc.

BOARD DIRECTOR CONCERNS ABOUT CYBER AND TECHNOLOGY RISK

Security Specification

2013 ISACA IT Risk/Reward Barometer Mexico Consumer Results. October

Managing EUC Threats. 3 Simple Ways To Improve Endpoint SECURITY

Securing the Connected Car. Eystein Stenberg CTO Mender.io

Best Practices in Securing a Multicloud World

Copyright

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Security Awareness & Best Practices Best Practices for Maintaining Data Security in Your Business Environment

Penetration testing a building automation system

Security Audit What Why

Transcription:

The Internet of Things Steven M. Bellovin November 24, 2014 1

What is the Internet of Things? Non-computing devices...... with CPUs... and connectivity (Without connectivity, it s a simple embedded system) Examples: thermostats, fitness sensors, home appliances, TVs, cars, light switches, toys, medical devices (including implanted ones), etc. Steven M. Bellovin November 24, 2014 2

Embedded Systems Dedicated CPU for particular purpose Used since the late 1970s A CPU and some one-time programming is cheaper than random logic Used when modestly complex decisions are needed Steven M. Bellovin November 24, 2014 3

Security Issues Embedded and IoT systems run programs Such programs can be (and frequently are) buggy Buggy code is often insecure code But does the attacker have access? Steven M. Bellovin November 24, 2014 4

Back to Our Threat Model What is the attacker s access? Break into your house? Send you malicious TV programs? Plant a malicious radio transmitter near your device? Hack into your device via the Internet? Hack into some cloud server? Different devices have different risks I m not worried about someone breaking into my house to attack my coffee maker (though there have been reports of malware-infected e-cigarettes) Steven M. Bellovin November 24, 2014 5

Attacks Default passwords Fake firmware Ordinary hacking Data-driven attacks Steven M. Bellovin November 24, 2014 6

Why is This Different? Many people never change (or don t know of) the password Most people don t think about the security of, say, their TV There s no antivirus software for IoT computers Much IoT software is never patched Steven M. Bellovin November 24, 2014 7

The Patch Problem People don t know about installing patches Some devices aren t easy to patch you need an administrative interface to tell it to find and install the patch Old models software versions aren t patched The lifespan of most gadgets is longer than the software support lifetime from the manufacturer There are always new models (I bought a new printer 6 months ago. There s now a replacement model that s 25% cheaper.) Steven M. Bellovin November 24, 2014 8

Famous Holes VoIP phones (hacked here at CU) HP printers (hacked here at CU) Routers with (deliberate?) back doors Baby monitor cameras Car tire pressure monitors Many more and the Internet of Things is just getting started... Steven M. Bellovin November 24, 2014 9

IoT Architecture Note: this is a plausible but imaginary architecture Most of these pieces exist, but may not be connected as I envision Things talk to Hubs Hubs talk to Vendor Servers Managers talk to Things via Hubs Steven M. Bellovin November 24, 2014 10

Router House 1 Many Things don t talk to the Internet directly Hub Wrong interface, e.g., Bluetooth instead of WiFi Hub Hubs Hub... Don t support full TCP/IP stacks (though they could) Thing Thing Thing Thing Thing Don t implement security, user interface, etc. Steven M. Bellovin November 24, 2014 11

Thing Internet Home IoT Phone Local managers (which may be apps on a phone or computer) talk to hubs Thing Hubs talk to devices via Router private protocols House 1 Router House n Hub Hubs talk to vendor Hub servers Hub... Manager Hub Hub Hub Things may talk to each other via hubs, but probably use the vendor servers Thing Thing Thing Thing Thing Vendor servers may talk to each other Thing Thing Thing Thing Thing Steven M. Bellovin November 24, 2014 12

Why Have Vendor Servers? Many devices cannot be called directly (e.g., Nest thermostats), because of limited battery power: they re not always online NATs prevent direct inward calls from outside of the house Devices may not have enough CPU power for some tasks (e.g., voice recognition on Amazon Echo) Vendors like the service model it forces users to keep coming back Vendors like to gather data (with all that implies for privacy) Steven M. Bellovin November 24, 2014 13

(Privacy and the IoT) Some of the data captured is scary, e.g., on a Samsung smart TV Logs when, where, how long you use your TV Facial recognition camera (data nominally stays local) Voice command: Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party Hackers can retrieve all of that data from the TV (Source: http://www.brennancenter.org/analysis/ im-terrified-my-new-tv-why-im-scared-turn-thing) Steven M. Bellovin November 24, 2014 14

The Full Architecture Vendor Server Vendor Server Vendor Server Thing Internet Phone Thing Router House 1 Router House n Hub Hub Hub... Manager Hub Hub Hub Thing Thing Thing Thing Thing Thing Thing Thing Thing Thing Steven M. Bellovin November 24, 2014 15

Any Component Can Be Attacked Things Hubs Servers Links? Steven M. Bellovin November 24, 2014 16

Link Security It s relatively easy to encrypt links It s probably not that important, if people have secure home WiFi networks But primary exposure from a compromised link is the devices at either end, including sending corrupted firmware Also: is there authentication data, such as passwords? Steven M. Bellovin November 24, 2014 17

Ownership Who can control a Thing? Obviously, only the owner should be allowed to How does the Thing know who the owner is? What if the Thing is sold? What if the house is sold? Remember that Things have little or no user interface Solution is Thing-dependent, but will frequently rely on a physical reset everything request Steven M. Bellovin November 24, 2014 18

Authentication Do not use passwords for Thing-to-Hub or Hub-to-Server authentication How do Things connected to different Hubs and different Servers authenticate each other? More precisely, how do they establish that they have the same owner? Complex cryptographic protocols may be necessary Steven M. Bellovin November 24, 2014 19

Corrupted Things Consequences are Thing-dependent Obvious risk: private data collected by the Thing Possible risk: physical devices controlled by the Thing (this is a cyber-physical system) Possible risk: the human reaction to corrupted data Can attack Hubs, and possibly Servers via the Hubs Steven M. Bellovin November 24, 2014 20

Corrupted Hubs Can attack Things or Servers Can attack other Hubs, Manager, or other home computers (The computers are already at considerable risk... ) Can change access control rules Steven M. Bellovin November 24, 2014 21

Access Control Users may have complex access control rules Who can change the thermostat? Within what limits? What about read access? (The Supreme Court has worried that at what hour each night the lady of the house takes her daily sauna and bath is private information.) Note: we know that setting access control rules properly is very hard Steven M. Bellovin November 24, 2014 22

Corrupted Servers Biggest risk: corrupted firmware but can be digitally signed Can send evil commands to Things Private data can be stolen from them Authentication data can be stolen Steven M. Bellovin November 24, 2014 23

Defenses Request filters Cryptography Authorization Intrusion detection Steven M. Bellovin November 24, 2014 24

Request Filters Things should incorporate sanity filters Example: Nest thermostats reject preposterous settings and will always activate if temperatures go outside certain ranges But it isn t always possible to detect bad commands Steven M. Bellovin November 24, 2014 25

Cryptography All messages should be cryptographically authenticated Encrypt messages to the extent possible but don t cripple the IDS Avoid passwords but Servers probably have to accept passwords, to allow direct logins from web browsers Steven M. Bellovin November 24, 2014 26

Authorization Don t do authorization on the Servers they re more exposed to attack Authorization is intimately tied to ownership must be possible to buy and sell Things Steven M. Bellovin November 24, 2014 27

Intrusion Detection There are many avenues for attack, and many components Use intrusion detection to detect ongoing attacks or other compromised components Example: alert the owner (via the Manager) if a sanity filter is used It might be a real, physical failure, e.g., the furnace has failed, so the house is too cold, or it might be an attack but either way, the owner needs to know Steven M. Bellovin November 24, 2014 28

How Are We Doing? The industry isn t doing a very good job Elementary cryptography isn t being used, or isn t being used properly Too much software is never updated Insufficient attention to threat model Steven M. Bellovin November 24, 2014 29

Security Analysis: Internet Thermostats I recently decided to investigate Internet thermostats Control and monitor my house temperature remotely Are there security risks? Steven M. Bellovin November 24, 2014 30

One Popular Brand Some thermostats have built-in web servers Simplest mode: direct connection to thermostat Alternate mode: thermostat and user connect to company s web site; company can generate alert emails Note: no hub for this brand Steven M. Bellovin November 24, 2014 31

What s at Risk? Turning off someone s heat in the middle of winter? Turning on the heat in the summer? Run heat and air conditioning simultaneously? Steven M. Bellovin November 24, 2014 32

Local Management Steven M. Bellovin November 24, 2014 33

Local Problems No https people can eavesdrop Uses Basic Authentication : The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user s password over the physical network.... Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used (without enhancements) to protect sensitive or valuable information. No read-only mode Steven M. Bellovin November 24, 2014 34

Remote Management Steven M. Bellovin November 24, 2014 35

Remote Problems Https but only to the server Unencrytped traffic from the server to the thermostats (The words security and encyption are not mentioned in the API manual... ) Passwords are sent in the clear across the Internet Passwords are stored in bulk on the server Steven M. Bellovin November 24, 2014 36

Privacy Issues Energy consumption patterns Al Gore s thermostat setting? Japanese office thermostat settings? Vacation schedules (burglary risk?) Steven M. Bellovin November 24, 2014 37

Defenses Can t touch thermostat software Add layering access controls on top of built-in controls Use crypto tunnels Filter setting change requests Steven M. Bellovin November 24, 2014 38

Last-Ditch Defenses Add a low-limit heat switch in parallel Add a high-limit heat switch in series These are hardware devices, not software Protect against bugs What if they fail? Independent failure modes; protect against each other Steven M. Bellovin November 24, 2014 39

How to Analyze This? Hard to know all the threats Approach: see what is made available, and ask who might want it Reason by analogy and effect Check the gold standard (Au): Authentication, Authorization, Audit Steven M. Bellovin November 24, 2014 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback