Internet of Things and Embedded Software Security.

Transcription

1 Internet of Things and Embedded Software Security

2 About Us TELEGRID designs, develops and produces hardware tools that allow the Department of Defense to make use of Commercial-Off-The-Shelf (COTS) products and applications. TELEGRID is certified to ISO 9001:2008. TELEGRID is a WOSB founded in 1984.

3 Cybersecurity Attacks 2013 Target Cost $162mm Home Depot Cost $33m The annual global cost of cybercrime against consumers is $113bn - Symantec Anthem Health Insurance Affected 80mm People Office of Personnel Management Affected 22mm People

4 DoD is Doing Very Well The vast majority of companies are more exposed to cyberattacks than they have to be. To close the gaps in their security, CEOs can take a cue from the U.S. military. Once a vulnerable IT colossus, it is becoming an adroit operator of well-defended networks. Today the military can detect and remedy intrusions within hours, if not minutes. From September 2014 to June 2015 alone, it repelled more than 30 million known malicious attacks at the boundaries of its networks. Of the small number that did get through, fewer than 0.1% compromised systems in any way. Given the sophistication of the military s cyber adversaries, that record is a significant feat, Harvard Business Review, September 2015.

5 Internet of Things What is the Internet of Things (IoT)? IoT Market - Business Insider Intelligence 6.7bn IoT devices shipped in 2019 Double the size of the smartphone, PC, tablet, connected car, and the wearable market combined

6 IoT Attack Vectors

7 Embedded Systems - Security Issues Supply Chain Management Multitude of operating systems Software is old Linux Operating System 4 years old Samba File System 6 years old Binary code cannot be patched Real time systems Limits Intrusion Protection Systems Limited processing power and memory Limits Application Layer Firewalls Connected to the Internet

8 Embedded Systems Attacks mm DSL Routers hacked in Brazil for financial fraud by pointing to malicious DNS servers 2014 Proofpoint published a report of 750k malicious s sent from 100k consumer gadgets including routers, televisions and at least one refrigerator Industrial Control Systems Stuxnet, Havex, BE2, etc Jeep Grand Cherokee

9 Easy Security Solutions Change your password 2010 Study by 2 researchers at Columbia University found that of the discoverable embedded devices on the Network 540,000 had factory default root passwords 13% of the total Request the list of open source software You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program, GNU GPLv3

10 Hard Security Solutions Network scanning software Patches Plan for your patches Have system administrator take part in testing Have a system recovery plan Redundancy What would you do if it wasn t a patch? What if it was a zero day attack? Embedded Firewall Stateless vs Stateful - Based on system resources Proxy Devices

11 Harder Security Solutions FIPS Encryption TLS, SSH, SNMPv3 IPSEC PKI/ PKE with two factor authentication RADIUS/ LDAPS 802.1x Application - Kernel Separation Separation Kernel Physical Resource Separation Embedded Hypervisor Multiple OS Implementation

12 Hardest Security Solutions Intrusion Detection Systems Breakpoints are set at specific address in the kernel text where function pointers in the control flow can be checked for redirects Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems, Jason Reeves, Ashwin Ramaswamy, Michael Locasto, Sergey Bratus, and Sean Smith Control-flow intercepts are distributed randomly throughout the body of the host program to execute the Symbiote code and check results Defending Embedded Systems with Software Symbiotes, Ang Cui and Salvatore J. Stolfo, Department of Computer Science, Columbia University

13 Contact Details Website: POC: Eric Sharret Phone: