Security for the Internet of Things (IoT)
John Yeoh, IoT Working Group
Cloud Security Alliance, 2015
Agenda
- Introduction
- IoT Security Challenges
- IoT Threat Discussion
- Working Group Activities
Welcome and Definitions
Let's look at how ITU-T Y.2060 defines the IoT:
- IoT: a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.
- Device: a piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage and data processing.
- Thing: an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks.
AWS's IoT Cloud service includes elements known as Thing Shadows, which are virtual representations of physical things. These thing shadows allow the enterprise to track the state of physical things even when network connectivity is disrupted.
The IoT enables the collection of data using sensors that can be deployed or embedded just about anywhere.
Source: ITU-T Y.2060
Many different examples of use cases for IoT implementations
Examples today:
- Healthcare: smart medical devices; smart exam rooms
- Retail: smart billboards, smart vending machines
- Consumer: wearables; smart home devices
- Manufacturing: connected robotics
- Automobiles: Digital Short Range Comms (DSRC) for v2v/v2i/v2x
- Construction: embedded sensors in concrete
  - The sensors measure the internal temperature and humidity
  - Allows scheduling optimization for concrete curing time
  - Sensors transmit using Bluetooth-LE at a range of 30 feet
  - Managers use smartphones to collect data from the site
Tomorrow:
- 3D-printed microfish that swim into your blood stream and identify toxins; deliver medicine (UCSD research) or report back on findings, coupled with the ability to harvest power from RF signals
Industry-specific Security Guidance
- SMART CITIES include next generation services that support connected living. Use cases include intelligent parking, pollution monitoring, efficient public transport (e.g., light priority), efficient lighting, etc.
- SMART Retail includes new services such as proximity advertising, smart fitting rooms/mirrors, intelligent vending machines, automated check-out, inventory management, etc.
- SMART Health includes tele-medicine/tele-surgery, implantable medical devices, smart bedsides, intelligent pill caps, remote and continuous monitoring, and many more capabilities that will enhance patient health.
Practical Guidance (Cheat Sheets)
- IoT IDM
- IoT Monitoring
Focused Research Reports
- Hardware Security Analysis
- Detection of rogue IoT Devices
IoT Security Challenges
New Challenges to IoT Security
Lack of mature IoT technologies and business processes
- Standards supporting the IoT have not yet been fully developed, leaving the market open to competing platforms, protocols, and interfaces.
- Lots of choices available: operating systems, messaging protocols, communication protocols, hardware options.
- This lack of standardization drives increased complexity, which can introduce vulnerabilities and provide attackers with a way to infiltrate the enterprise.
Limited guidance for lifecycle maintenance and management of IoT devices
- Guidance on the secure configuration of the limited-capability operating systems that underlie many IoT edge devices is limited or nonexistent.
- Performing firmware, software and patch updates for IoT devices will require a new approach, with consideration given to identifying update provisioning obligations and responsibilities throughout the supply chain.
- Keeping track of IoT devices and the software and firmware on each device is also an issue.
- The number of IoT devices alone makes managing them effectively a challenge.
New Challenges to IoT Security
The IoT introduces unique physical security concerns
- Many IoT edge devices will be deployed in exposed environments, allowing attackers to more easily acquire them for further lab analysis (e.g., retrieving sensitive material).
IoT privacy concerns are complex and not always readily evident
- Some privacy concerns are not readily identifiable and some concerns are not solvable by simply enforcing confidentiality protections, identity or location to transactions.
There is a lack of standards for authentication and authorization of IoT devices
- Many different options to choose from related to selection of authentication and authorization for various device-to-device communications.
- No clear solution yet for an enterprise-wide IoT authentication framework.
New Challenges to IoT Security
Auditing and logging standards are not defined for IoT components
- Obtaining near real-time situational awareness of the security posture of IoT devices will be difficult.
- Many devices will be single-purpose sensors that may not be capable of tracking all interactions with the device.
- Other devices may be limited in their ability to instantiate an RF connection for the purpose of sending audit logs, based on battery constraints.
- Another challenge is aggregating log data from many widespread IoT segments into a single event management system, and then actually being able to derive some intelligence from the activities within each of these segments.
- Rules must also be created based on an understanding of IoT attack patterns.
- Exploration is needed in the area of behavioral analysis of IoT systems to support anomaly detection.
IoT Startups Do Not Always Value Security
A survey of IoT-based startups by Priya Kuber from our CSA IoT WG found:
- Startups often don't consider information stored on a device as sensitive (any sensitive data is stored on a server)
- Users want to share information (sharing mentality)
- Startups rely heavily on the use of COTS services (supply chain issues?)
- Most startups are using AES, although most also consider encryption to be not important
- No security applied to the development environment
- No threat modeling of products
- No secure firmware updates
- Investors don't seem to care about security; much more focus on functionality
But:
- Most devices don't share a master key across devices; admin at server side
IoT Threat Discussion
There are new types of threats sprouting up: drones aid in reconnaissance activities
- Security researchers have developed a flying drone with a custom-made tracking tool capable of sniffing out data from the devices connected to the Internet, better known as the Internet-of-things. http://thehackernews.com/2015/08/hacking-internet-of-things-drone.html
- Can map devices communicating over ZigBee by capturing beacon requests
There are new types of threats sprouting up: vibrating IoT components
- 'Funtenna' uses sound waves, radio to hack internet of things. https://www.rt.com/usa/311689-funtenna-hacking-sound-waves/
- Malware is loaded to an IoT device
- Turns infected devices into transmitters to allow for covert channel instantiation
- By vibrating the physical prongs on general-purpose I/O circuits at a frequency of the attacker's choice
- Vibrations are then picked up over AM radio
New Devices Being Integrated into other Physical Platforms can Introduce Significant Risk
Hackers Cut a Corvette's Brakes Via a Common Car Gadget. http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
- Compromise of a 2-inch-square gadget that's designed to be plugged into cars' and trucks' dashboards and used by insurance firms and trucking fleets to monitor vehicles' location, speed and efficiency.
- By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car's CAN bus (the internal network that controls its physical driving components), turning on the Corvette's windshield wipers and even enabling or disabling its brakes.
Vulnerability Note VU#209512 issued, stating:
- These devices are plugged into a vehicle's on-board diagnostics port (OBD-II), usually located under the wheel.
- The device itself contains a GPS receiver, cellular chip, and on board microprocessors which communicates with the vehicle's CAN bus to gather info (speed, braking, etc.)
- The device then communicates via the cell network to the service provider to share data on the vehicle's operation.
- Impact: A remote, unauthenticated attacker may be able to execute arbitrary code on the device. In addition, a remote, unauthenticated attacker may be able to cause the vehicle damage or passengers injuries if the device is compromised.
There are New Attacks that are more of a Novelty but Show that Security is Often Ignored in Consumer IoT Developments
Hackers Can Seize Control of Electric Skateboards and Toss Riders. http://www.wired.com/2015/08/hackers-can-seize-control-of-electricskateboards-and-toss-riders-boosted-revo/
- The Faceplant exploit allows complete control over a digital skateboard, since neither encryption nor authentication is applied to the Bluetooth LE link that connects the board to the handheld remote
- Attacker can jam the link and then re-connect their laptop with the board in place of the remote
IoT Threat Discussion
- Control systems, vehicles, and even the human body can be accessed and manipulated, causing injury or worse, through unauthorized access to physical sensing, actuation and control systems (including vehicle, SCADA, implantable and non-implanted medical devices, manufacturing plants and other cyber-physical implementations of the IoT).
- Health care providers can improperly diagnose and treat patients based on modified health information or manipulated sensor data.
IoT Threat Discussion
- Loss of vehicle control can be caused by denial-of-service against internal bus communications.
- Safety-critical information such as warnings of a broken gas line can go unnoticed through DDoS of IoT sensor information.
- Critical infrastructure damage can occur through override of safety-critical features or power supply/temperature regulation.
- Malicious parties can steal identities and money based on leakage of sensitive information including Personal Health Information (PHI).
IoT Threat Discussion
- Unanticipated leakage of personal or sensitive information can occur by aggregating data from many different systems and sensors, or the merging of personal data that has been collected under differing consumer privacy preferences and expectations.
- Unauthorized tracking of people's locations can occur through usage pattern tracking based on asset usage time and duration.
- Unauthorized tracking of people's behaviors and activities can occur through examination of location-based sensing data that exposes patterns and allows analysis of activities, often collected without explicit notice to the individual.
IoT Threat Discussion
- Unlawful surveillance through persistent remote monitoring capabilities offered by small-scale IoT devices.
- Inappropriate profiles and categorizations of individuals can be created through examination of network and geographic tracking and IoT metadata.
- Manipulation of financial transactions through unauthorized POS and mPOS access.
- Monetary loss arising from the inability to provide service.
IoT Threat Discussion
- Vandalism, theft or destruction of IoT assets that are deployed in remote locations and lack physical security controls.
- Ability to gain unauthorized access to IoT edge devices to manipulate data by taking advantage of the challenges related to updating software and firmware of embedded devices (e.g., embedded in cars, houses, medical devices).
- Ability to gain unauthorized access to the enterprise network by compromising IoT edge devices and taking advantage of trust relationships.
IoT Threat Discussion
- Ability to create botnets by compromising large quantities of IoT edge devices.
- Ability to impersonate IoT devices by gaining access to keying material held in devices that rely upon software-based trust stores.
- Unknown fielding of compromised devices based on security issues within the IoT supply chain.
Activities
Define lifecycle controls for IoT devices
1. Plan: Consider the supporting infrastructure required for security management and monitoring. Identify appropriate interfaces to existing security equipment, updating network architectures to segment specific IoT enclaves.
2. Deploy: Secure configurations.
3. Manage: Management of the edge devices themselves, the software and firmware that is loaded onto those edge devices, licenses, and the application of routine patch updates to mitigate vulnerabilities in the devices.
4. Monitor & Detect: Planning for the capture of security-relevant data and establishment of rules for identifying events or combinations of events-of-interest should be conducted early on in the engineering lifecycle.
5. Remediate: Update incident response plans to incorporate new IoT systems and define the procedures for handling compromise events.
6. Dispose: Establish policies and procedures for the secure disposition of devices that have held sensitive information or key material that could provide access to sensitive information.
Define lifecycle controls for IoT devices (continued)
The planning process should focus on a series of topics with questions such as:
- Where will the device reside (corporate network, other)?
- What audit capability does the device have?
- What are the normal operating thresholds for the devices and what should trigger an alert (if outside of that threshold)?
- Document the roles and services of each device type.
- Establish an access control matrix for each device.
- Determine cipher suites required for protection of data and device functions.
- What are the privacy controls for data?
- What are the ramifications of electronic abuse on safety of stakeholders?
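
Several of the planning answers above (where the device resides, its normal operating thresholds, its access control matrix) can be recorded as a per-device-type profile and checked against incoming events. The following is an added example, not part of the original slides; the device type `concrete-sensor`, the zone names, the field names and every threshold value are assumptions made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceProfile:
    """Planning answers for one device type (all values here are assumptions)."""
    network_zone: str      # where the device resides
    thresholds: dict       # metric -> (low, high) normal operating range
    access_matrix: dict    # role -> set of permitted actions

# Constructed profile for the embedded concrete-curing sensor use case.
PROFILES = {"concrete-sensor": DeviceProfile(
    network_zone="iot-enclave-site",
    thresholds={"temp_c": (5.0, 70.0), "humidity_pct": (40.0, 100.0)},
    access_matrix={"site-manager": {"read"}, "maintainer": {"read", "update_firmware"}},
)}
INVENTORY = {"cs-001": "concrete-sensor"}   # constructed asset inventory: id -> type

def evaluate(event, inventory=INVENTORY, profiles=PROFILES):
    """Return alert strings for one event; an empty list means nothing to report."""
    dev_id = event["device_id"]
    if dev_id not in inventory:             # not inventoried: possible rogue device
        return [f"{dev_id}: unknown device"]
    profile, alerts = profiles[inventory[dev_id]], []
    if event["zone"] != profile.network_zone:
        alerts.append(f"{dev_id}: seen in unexpected zone {event['zone']}")
    if event["kind"] == "telemetry":
        for metric, value in event["readings"].items():
            bounds = profile.thresholds.get(metric)
            if bounds is None:
                alerts.append(f"{dev_id}: undocumented metric {metric}")
            elif not bounds[0] <= value <= bounds[1]:
                alerts.append(f"{dev_id}: {metric}={value} outside {bounds}")
    elif event["kind"] == "access":
        allowed = profile.access_matrix.get(event["role"], set())  # default deny
        if event["action"] not in allowed:
            alerts.append(f"{dev_id}: denied {event['role']} -> {event['action']}")
    return alerts

# Constructed events: normal reading, out-of-range reading, disallowed action, rogue device.
EVENTS = [
    {"device_id": "cs-001", "zone": "iot-enclave-site", "kind": "telemetry",
     "readings": {"temp_c": 31.5, "humidity_pct": 88.0}},
    {"device_id": "cs-001", "zone": "iot-enclave-site", "kind": "telemetry",
     "readings": {"temp_c": 95.0}},
    {"device_id": "cs-001", "zone": "iot-enclave-site", "kind": "access",
     "role": "site-manager", "action": "update_firmware"},
    {"device_id": "cs-777", "zone": "corporate-lan", "kind": "telemetry", "readings": {}},
]
if __name__ == "__main__":
    print(*map(evaluate, EVENTS), sep="\n")
```

Roles and metrics that the profile does not document are treated as alerts rather than silently accepted, so gaps in the planning answers surface as soon as the device is fielded.
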
What are we doing?
Initiatives
- Security Guidance for Early Adopters of IoT
- IAM
- Securing Devices
And collaborating with other organizations
- Securing Smart Cities
- FCC Technological Advisory Committee
- Global City Teams Challenge: establishing and testing smart cities
How to get involved? www.cloudsecurityalliance.org/groups/iot
IoT and the 20 Critical Security Controls / Cloud Controls Matrix
- Look for an update to the 20 Critical Security Controls that includes a mapping to IoT security guidance, coming this week
- Additional work on aligning the 20 Critical Controls with the IoT is also being conducted
- CSA is also working on mapping the Cloud Controls Matrix (CCM) to IoT Security Guidance
- To be released February 2016