COUNTERING CYBERSECURITY RISK
in today’s IoT world
Brad Nicholas
Anajali Gurnani
Brett Heliker
THE RIGHT SECURITY FRAMEWORK
We cannot solve our problems with the same
thinking we used when we created them.
—Albert Einstein
Security controls
are shifting away
from the traditional
perimeter
Adoption of cloud
platforms and security
as a service will
continue
Where and how
data is stored is
key to evaluating
risks
ACCELERATING PROGRAM MATURITY
STARTS WITH A COMMON LANGUAGE
FOR THE PRODUCTS AND SERVICES A
COMPANY CAN BUY
ASSESS RISKS IN A STRUCTURED WAY
AND DEVELOP A ROADMAP
DEVICES
APPS
NETWORK
DATA
PEOPLE
IDENTIFY PROTECT DETECT RESPOND RECOVER
(NIST FRAMEWORK)
Pre-compromise
Post-compromise
A CULTURE OF SECURITY FACILITATES
RESPONSIBLE BUSINESS
German steel mill suffers “massive damages” after hackers accessed a blast furnace that workers could not properly shut down
• Recipient of targeted email is tricked into downloading malware to their computer
• Attackers make their way from corporate network into production networks to access systems controlling plant equipment
MAKE SECURITY A SHARED
RESPONSIBILITY
COMMUNICATE Spearhead security as a product.
Make it bold and important internally.
INNOVATE Be strategic about security
architecture and standardization.
ACCELERATE
Leverage agile practices to iterate and
improve controls implementation.
INTEGRATE Move security testing as close to the
developer as possible.
THE NEW
IOT VULNERABILITIES
a few examples
IOT ADDS THE “PHYSICAL WEB”
IoT is about the physical web of
everything around you
A whole slew of smart connected
products + services are coming
Multiple networks, all interacting
with you or on your behalf
MORE COMPLEXITY
NEW ATTACK SURFACES
COMPOUND EFFECTS
SMART PRODUCTS NEED BROADER,
NON-TRADITIONAL EXPERTISE
• Krebs & Cisco: IoT Reality: Smart Devices, Dumb Defaults
“Consider whether you can realistically care for and feed the security needs of yet another IoT thing that is:
-chewing holes in your network defenses;
-gnawing open new critical security weaknesses;
-bred by a vendor that seldom and belatedly patches;
-tough to wrangle down and patch”
• NW World: 500K WeMo users could be hacked; CERT issues advisory
“when CERT tried to contact Belkin, Belkin chose not to respond at all”
• IBM: Smart Building Security Risks
“Connected building systems fly under the Cybersecurity radar, creating a Shadow IoT”
http://www.networkworld.com/article/2226371/microsoft-subnet/500-000-belkin-wemo-users-could-be-hacked--cert-issues-advisory.html
http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/
http://www.techrepublic.com/article/ibm-x-force-finds-multiple-iot-security-risks-in-smart-buildings/
WE HAVE A LONG WAY TO GO
• Hidden, hardcoded
credentials and passwords
• Credentials stored as static
text within files
• Insecure default
configurations
• Insufficient network
segmentation enabling
attacks from within
• Weak support and
nonexistent updates,
exacerbated by economics
• Some/all of the above
present in combination
IBM smart building infographic
THE CHRYSLER JEEP HACK
Lessons to be Learned
WITH MUCH THANKS TO:
Charlie Miller & Chris Valasek
White-hat Superheroes
thecavalry.org
“Modern [vehicles] are computers
on wheels and are increasingly
connected and controlled by
software.
Dependence on technology in
vehicles has grown faster than
effective means to secure it.”
MICRO-CONTROLLERS, EMBEDDED SOFTWARE AND
NETWORKING EVERYWHERE
Federally mandated “OBD” vehicle
diagnostics since 1996
Dozens of networked control
systems and millions of lines of code
“Black boxes” silently record vehicle
dynamics
“OnStar” telematics since 1996
Fleet management, and usage based
insurance are now widespread
Remote access adds MAJOR
security implications, mandating
disciplined design
Graphic: Quora
CONNECTED VEHICLES
A MASSIVE OPPORTUNITY
An executive order from the White House in March 2015 called for
federal agencies with fleets of more than 20 vehicles to use
telematics systems whenever possible to improve vehicle efficiencies
E.O. section 3(g)(iii):
Collecting and utilizing as a fleet efficiency management tool, as soon
as practicable but not later than two years after the date of this order,
agency fleet operational data through deployment of vehicle
telematics at a vehicle asset level for all new passenger and light duty
vehicle acquisitions and for medium duty vehicles where appropriate
https://www.whitehouse.gov/sites/default/files/docs/eo_13693_implementing_instructions_june_10_2015.pdf
VULNERABILITIES *
* circa first half 2015
How hackable
is your car?
Most Hackable: Jeep Cherokee,
Escalade, Infiniti Q50, 2010 Prius
The Q50’s radio & adaptive controls
(adaptive cruise control and adaptive
steering) were directly connected to
engine and braking systems.
Older cars are least hackable.
Not a confidence-inspiring trend.
http://illmatics.com/remote%20attack%20surfaces.pdf
RollJam
$32
Hacks keyless entry systems,
alarm systems and garage
door openers
Proven on Nissan, Cadillac, Ford,
Toyota, Lotus, Volkswagen, and
Chrysler vehicles; Cobra and
Viper alarm systems; and Genie
and Liftmaster garage door
openers.
http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/
OwnStar
Any OnStar-equipped GM car
could be located, unlocked
and started via the phone app.
The app uses SSL encryption, but
Kamkar says it doesn’t
properly check the certificate
http://arstechnica.com/security/2015/07/ownstar-researcher-hijacks-remote-access-to-onstar/
Progressive
‘Snapshot’
“The firmware running on the
dongle is minimal and insecure.
It does no validation or signing of
firmware updates, no secure boot, no
cellular authentication, no secure
communications or encryption, no data
execution prevention or attack
mitigation technologies… basically it
uses no security technologies
whatsoever.”
http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/
TomTom
OBDII dongle
Used to reduce insurance
rates for customers.
Hacked by UCSD by
sending SMS messages to
control the CAN bus to
control brakes, steering,
etc. Confirmed in Corvette,
Prius, Escape.
http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
DEALERS AND MECHANICS
• Infections of equipment used by
mechanics and dealerships to
update car software and run
vehicle diagnostics.
• An infected vehicle can spread
an infection to a dealership’s
testing equipment, which in turn
would spread the malware to
every vehicle the dealership
services.
THE INDUSTRY HAS TO DO BETTER.
WE CAN ALL HELP.
DON’T HIDE BEHIND THE DMCA
• Auto Alliance and General Motors actively make legal threats against anyone who
tinkers with the code in their own vehicles, and actively fight proposed auto
exemptions in the Digital Millennium Copyright Act.
• “The proposed exemption could introduce safety and security issues as well as
facilitate violation of various laws designed specifically to regulate the modern car,
including emissions, fuel economy, and vehicle safety regulations” - GM
http://copyright.gov/1201/2015/comments-032715/class%2021/General_Motors_Class21_1201_2014.pdf
• “a vehicle owner does not own a copy of the relevant computer programs in the
vehicle.” - GM
• John Deere argues that “bypassing of cars’ protection mechanisms could allow
drivers to listen to pirated music, audio books or films, adding that this might
encourage others to partake in the enjoyment of illegal material.”
IAMTHECAVALRY.ORG
5 STAR AUTOMOTIVE SAFETY PROGRAM
1. Safety by Design via standards compliance and secure software
development lifecycle
2. Third Party Collaboration between the automotive industry and
security researchers
3. Evidence Capture: tamper evident, forensically-sound logging
and evidence capture
4. Security Updates in a prompt and agile manner (not a mailed
USB drive)
5. Segmentation and Isolation: internet-connected infotainment
systems shouldn’t be able to talk to brakes or transmission.
https://www.iamthecavalry.org/domains/automotive/5star/
A FEW ATTACK VECTORS
• Bluetooth, WiFi, keyless entry
• Cellular gateways (e.g., modems, Femtocells)
• OnStar or OnStar-like cellular radio
• Insecure OS configuration, update media, interprocess comms
• Static, clear text/hex strings in executable files
• Android app on the driver’s phone synched to the car’s network
• Malicious audio file burned onto a CD in the car’s stereo.
• Radio-readable tire pressure monitoring systems
BLAH BLAH BLAH
WHAT DOES IT ALL MEAN?
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
BUT IT WASN’T DESIGNED THAT WAY!
HOW DID THEY DO THAT?
A CASCADE OF VULNERABILITIES
• You can reach a cell network from the Internet
• You can port scan the car from the cell network!
• The car is listening to the cell network in an unprotected
manner
• The head unit (radio/nav) runs an OS that isn’t configured
properly
• The head unit’s application software is not secured properly
• The head unit is connected to both vehicle CAN networks
(infotainment and powertrain)
• Head unit nav upgrade software delivery includes flashing
tools and lots of commented script files
• The CAN interface firmware in the head unit isn’t code signed
http://illmatics.com/Remote%20Car%20Hacking.pdf
http://www.computerworld.com/article/2952186/mobile-security/chrysler-recalls-14m-vehicles-after-jeep-hack.html
SO HOW DID CHRYSLER HELP CUSTOMERS
FIX THEIR VEHICLES?
• Plug in a USB flash drive you receive in the mail,
then update the firmware in the head unit
or
• Go to a dealer and they’ll take care of it
• No remote software updates
DOES THAT SEEM RIGHT TO YOU?
ATTACK MITIGATION - BEST PRACTICES
• Hardware based cryptography that supports
attestation, authentication and encryption
services
• Secure boot and code signing
• Restricted processes
• Multi-stage communications
• Secure software updates
