1
Las Vegas comes to Bengaluru!
IoTNext 2016 - SafeNation Track
• Arvind Tiwary
• Ravi Mishra
• Vishwas Lakkundi
• Devesh Bhatt
2
Task Force on IoT Security
IoT Forum & CISO platform join hands to
create IoT Security Task force
Readying up the Nation for #IoTSecurity
The task force is chartered to develop threat models,
controls and assist players in new techno-legal-commercial
arrangements to improve IoT Security
Fresh thinking around Security for
IOT
3
The Indus Entrepreneurs (TiE) Network
15,000+
Members globally
58
Chapters spread across the
globe
18
Across Countries
2,500+
Charter Members Globally
1999
Started the Bangalore Chapter
750+
Members in Bangalore
1,000+
Startups at TiE Bangalore
75+
events per year in Bangalore
1992
TiE Silicon Valley was started
125+
Mentors/CMs in Bangalore
4
TiE IoT Forum Activities : 12 Billion Indian IoT Market
▪ June 5 Open House (attended by 125+ participants)
▪ June 26 Communication (Connectivity workshop attended by over 25 participants)
▪ Aug 6 Bluetooth (Technical deep dive session attended by over 35 participants)
▪ Aug 22 Surveillance Workshop with B.PAC for schools (attended by over 25 participants)
▪ Sep 11 MOU with IESA, Press coverage in leading online and print media
▪ Sep 11 Smart Water-Power & Internet Public utilities for the city of Future (TiE IESA Bangalore, attended by 280+ participants)
▪ Sep 18 IoT in Retail (attended by 65+ participants)
▪ Nov 13 Crowdfunding Your IoT Product (attended by 75+ participants)
▪ Nov 19 MEMS Technical deep dive session (attended by 30+ participants)
▪ Nov 20 Smart Devices: Leveraging Consumerization and Open Innovation for the Future (TiE IESA Hyderabad, 65+ participants)
▪ Feb 20 IoT based Smart Grid Core of Sustainable Living (TiE IESA Delhi, 50+ participants)
▪ Feb 26 Contiki IoT workshop: Middleware for IoT (RBCCPS Bangalore, 40 participants)
▪ March 10 Workshop Demystifying IoT (TiE IESA Pune, 50 participants)
▪ March 10 Smart Vehicles The IoT Future (TiE IESA Pune, 50 participants)
▪ May 9 IoT Innovation Showcase by 16 Startups (150+ participants)
▪ June 25 Smart Agriculture and Smart Healthcare (TiE IESA with pan India Colleges and Universities), 175+ participants
▪ Sep 25 IoT Security, an IEEE partner event (IEEE partner, 75+)
▪ Dec 4 – 5 IEEE Bangalore: Leveraging Use cases to Validate IoT Opportunities (partner event, 200+)
▪ Dec 9 - 10 IoT Next 2015 (700+ participants, 60 Speakers, 20 Startups)
2014 2015
20 + events, 2000 Attendees , 280+ Startups
5
About CISO Platform
• IoT Security • Cyber Crisis Management
• Cyber Security Index • Top N Threats & Controls
Mapping
• Enterprise Security Architecture • Using AI for Security Decisions
Current Research Areas Include
• Help CISOs make right IT Security decisions using our
Decision Tools, Content and Peer Collaboration
• Build community based knowledge repository in form of
structured research and reference documents
Industry’s 1st Dedicated Collaboration Platform for
CISOs and Senior IT Security Leaders with the vision to:
6
FRIDAY OCTOBER 21, 2016
DO YOU REMEMBER THIS DATE??
7
LARGEST DDOS ATTACK AGAINST DYN
8
Why Did Dyn Fail
▪ A large network of compromised devices was
used to flood Dyn’s servers with traffic
▪ In particular servers used as part of Dyn’s
enterprise offerings were targeted
▪ Dyn wasn’t able to handle the additional traffic,
and its servers either stopped responding or
responses were substantially delayed.
9
Who Did it and Why?
10
How can we minimize the risk?
▪ Use multiple DNS providers. This way, if one experiences problems,
we can use the others as backup
▪ This requires additional tools and setup to make sure information is
synchronized across different providers
▪ We can maintain some DNS servers in house to provide limited
service to internal users and as a last resort if we are not targeted,
but experience issues due to collateral damage
▪ Adjust our DNS configuration to allow for caching of our records
(increase “Time to Live”)
11
IoT Architectural Layers
Layers: End Nodes | Hubs | Gateway | Platform | Applications | Touchpoints
Diagram labels: Temp Sensor, Vibration Sensor, Fitness tracker, Electric Meter, Switch, Actuator, Router Nodes, Edge Router, Smartphone, LPWAN Basestations, Opensource, Commercial, Device Management, Access Management, Security, End user, City Managers, System Admin, City One Operations Center, Apps, SMS, Email, Social Media, 3rd Party
12
Components of an IoT Node
Microcontroller
RF Transceiver
External Memory
Sensors/Actuators
Power Source/Storage
Energy Harvesting
Hardware Layers
Low-level Device Drivers
Energy-aware RTOS (optional), Protocols and Middleware
App Interfaces for Sensors, Communication, Processing..
13
Security of Nodes
▪ Securing the end nodes (physical accessibility)
▪ Securing the network links
▪ Securing remote device management
▪ Securing admin operations
▪ OS security configurations
▪ Patching and firmware updates
▪ Reverse engineering of just one node can lead to insecure n/w!
14
Threat Model
15
Components of an IoT Gateway
Microprocessor
Applications
Local Storage/Database
Local/Edge Analytics
Power Source
Local UI
Protocol
Translators/Proxies
Cloud Connectivity
Security
16
Security of Gateways
▪ Protocol Translation vs End-to-End Encryption
▪ Secure On-boarding of Devices
▪ Secure Boot
▪ Firewalls
▪ Intrusion Prevention System
▪ Access Control Policy
▪ Root of Trust and TPM
▪ Security Updates
17
Threat Model
18
APPLICATION SECURITY
19
Types of Threats
▪ Network - Threats against the network: Spoofed packets, etc.
▪ Host - Threats against the host: Buffer overflows, illicit paths, etc.
▪ Application - Threats against the application: SQL injection, XSS, input tampering, etc.
20
BlackHat
▪ Total talks – 117
▪ Top 5 domains
▪ Malware - 22 talks
▪ Platform security: VM, OS, Host, Container - 21 talks
▪ Exploit development - 15 talks
▪ Android, iOS security - 13 talks
▪ Internet of Things - 13 talks
DEFCON
▪ Total talks – 100
▪ Top 5 domains
▪ Internet of Things - 19 talks
▪ Network security - 13 talks
▪ Application security - 10 talks
▪ Critical infrastructure protection - 7 talks
▪ Penetration testing - 7 talks
BHUSA and DEFCON Talk Trends
21
Detailed Trends
BlackHat DEFCON
22
KEY ATTACKS OF 2016
23
1. Building trust and enabling innovation for voice enable IOT by Lynn Terwoerds (BHUSA)
2. Let's Get Physical Network Attacks Against Physical Security Systems (DEFCON)
3. A Lightbulb Worm? by Colin O'Flynn (BHUSA)
4. Can You Trust Autonomous Vehicles? by Jianhao Liu, Chen Yan, Wenyuan Xu (DEFCON)
5. Picking Bluetooth Low Energy Locks from a Quarter Mile Away by Anthony Rose (DEFCON)
TOP Talks
24
1. BLE is Bluetooth Low Energy, designed for apps that don't need to exchange large amounts of data
✓ Operates on the 2.4 GHz frequency
✓ Used in car locks, bike locks, padlocks, door locks, gun cases, lockers, ATMs, Airbnb etc.
✓ Short range (<100 m) and consumes very little energy
✓ Total 3 billion devices per year
2. Attack setup
✓ Ubertooth One
✓ Bluetooth dongle
✓ High beam antenna
✓ Raspberry Pi
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
25
1. Sniffing - Plain text passwords
➢ War dialing by roaming around using an Ubertooth One
➢ The high beam antenna makes it easier to capture far away signals.
➢ The attacker sniffs the BLE traffic, gets the dump and takes out the user password
➢ Uses HCI and a Bluetooth dongle to send the authentication requests to the devices, and the lock opens up
2. Replay attacks
➢ Devices like ceomate, Elecycle, vians and lagute use encryption (256 AES)
➢ The attacker sniffs the complete packet as it is, with the password in encrypted form, and can still break into the lock
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
26
3. Fuzzing devices (okidokey)
▪ This exploits the fail-safe mechanism in the devices
▪ They initially claimed that they had AES 256 plus custom-developed encryption (which is not a good idea)
▪ When the attacker sniffed the traffic, he noticed message packets containing some commands and a couple of random keys which looked very difficult to break
▪ The first part is an op code and the second part is the actual key
▪ The attacker changed the 3rd byte to 0; the device went into an error state and, since there was no error state defined, it just unlocked itself
▪ It came out that their patented crypto was the culprit, wherein they were using the previous keys to do XOR to get the new keys.
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
27
4. Decompiling APKs
▪ This was done with the danalock doorlock.
▪ Download APK → dex to jar → Analyse
▪ Reveals the encryption method and hardcoded passwords
▪ XOR (password, thisishtesecret) and store it in the table
5. Device spoofing
▪ This was done with bitlock, which is a padlock for bikes
▪ This is possible where the user authentication happens on a web server and there is nothing stored on the device
▪ The attacker here impersonates the lock and actually steals the sensitive encrypted nonce from the user.
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
28
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
29
Picking BLE Locks from a Quarter Mile Away by Anthony Rose
30
✓ encryption (256 AES)
✓ random nonce
✓ strong passwords, multi factor authentication
✓ no hard coded passwords
CONTROLS
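Added example (not from the slides or from any lock vendor): a lock-side unlock check that applies the "random nonce" control against the replay case and fails closed on malformed frames, the opposite of the undefined error state described on the fuzzing slide. The frame layout, opcode value and class names are hypothetical, and HMAC-SHA256 from the Python standard library stands in for the AES-based authentication a real product would use.

```python
import hashlib
import hmac
import secrets

OP_UNLOCK = 0x01   # hypothetical opcode for this sketch
TAG_LEN = 32       # HMAC-SHA256 output size in bytes


def build_unlock(key: bytes, nonce: bytes) -> bytes:
    """Phone side: bind the opcode to the lock's fresh nonce."""
    tag = hmac.new(key, bytes([OP_UNLOCK]) + nonce, hashlib.sha256).digest()
    return bytes([OP_UNLOCK]) + tag


class Lock:
    def __init__(self, key: bytes):
        self._key = key      # per-device key set at pairing, not hard coded in the app
        self._nonce = None   # nonce of the outstanding challenge, if any
        self.locked = True

    def challenge(self) -> bytes:
        """Issue a fresh random nonce for the next unlock attempt."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, frame: bytes) -> bool:
        """Return True only for a valid unlock; every other path stays locked."""
        nonce, self._nonce = self._nonce, None   # a nonce is usable once
        if nonce is None or len(frame) != 1 + TAG_LEN or frame[0] != OP_UNLOCK:
            return False                         # malformed frame: fail closed
        expected = hmac.new(self._key, frame[:1] + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(frame[1:], expected):
            return False                         # wrong key, stale nonce or tampering
        self.locked = False
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)                # constructed sample key
    lock = Lock(key)
    results = {}

    captured = build_unlock(key, lock.challenge())
    results["legitimate"] = lock.handle(captured)

    lock.locked = True                           # owner locks again
    lock.challenge()                             # new attempt, new nonce
    results["replayed"] = lock.handle(captured)  # sniffed frame no longer matches

    tampered = bytearray(build_unlock(key, lock.challenge()))
    tampered[2] ^= 0xFF                          # corrupt the 3rd byte
    results["tampered"] = lock.handle(bytes(tampered))

    lock.challenge()
    results["truncated"] = lock.handle(captured[:5])
    results["no_challenge"] = lock.handle(captured)
    results["still_locked"] = lock.locked
    return results


if __name__ == "__main__":
    print(demo())
```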
31
Fresh thinking around Security for IOT
Fresh Thinking around Security for IoT
32
Fresh Thinking: Is the Emperor Naked?
33
Urban City: Does every house need to be a Fort Knox?
▪ The Wild West
▪ The Frontier Town
▪ The City
▪ The Mega Polis
▪ The Township
Rights of Self Defence and Delegated Policing in
Cyberspace?
The Cyber Rights
34
Going Forward..
▪ Technical Roadmap
▪ Community Engagement
▪ Deep practitioners
▪ Architectural
www.IoTForIndia.org
35
❖ https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
❖ https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
❖ https://www.blackhat.com/us-16/briefings.html
❖ https://www.defcon.org/html/defcon-24/dc-24-index.html
❖ https://isc.sans.edu/presentations/dyndnsattack.pptx
❖ https://www.mdsec.co.uk/2016/10/building-an-iot-botnet-bsides-manchester-2016/
Special thanks to:
❖ Lynn Terwoerds for “Building trust and enabling innovation for voice enable IOT”
❖ Ricky Lawshae for “Let's Get Physical Network Attacks Against Physical Security Systems”
❖ Eyal and Colin O'Flynn for “A Lightbulb Worm”
❖ Jianhao Liu, Chen Yan, Wenyuan Xu for “Can You Trust Autonomous Vehicles?”
❖ Anthony Rose and Ben Ramsey for “Picking Bluetooth Low Energy Locks from a Quarter Mile Away”
REFERENCES
36
Thank You
