Internet of Things


Risks of Connected Cars

- Computerized engine management systems
- Real-time suspension controllers
- Navigation systems
- Rear seat entertainment
- Automated parking systems
- Voice activated apps
- Digital dashboards
- Telematics

Promote Transparency

- Conduct end-to-end risk assessments that account for both internal and third party vendor risks, where possible.
- Consider creating a publicly disclosed mechanism for using vulnerability reports. Bug Bounty programs, crowd sourcing
- Consider developing and employing a software bill of materials that can be used as a means of building shared trust among vendors and manufacturers.

What is meant by Promote security updates & vulnerability Management

- Consider ways in which to secure the device over network connections or through automated means. Ideally, patches would be applied automatically and leverage cryptographic integrity and authenticity protections to more quickly address vulnerabilities.
- Consider coordinating software updates among third-party vendors to address vulnerabilities and security improvements to ensure consumer devices have the complete set of current protections.
- Develop automated mechanisms for addressing vulnerabilities.
- Develop a policy regarding the coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities.
- Develop an end-of-life strategy for IoT products. Not all IoT devices will be indefinitely patchable and updateable. Developers should consider product sunset issues ahead of time.

What is meant by Incorporate Security at the Design Phase

- Enable security by default through unique, hard to crack default user names and passwords.
- Build the device using the most recent operating system that is technically viable and economically feasible. Many IoT devices use Linux operating systems, but may not use the most up-to-date operating system.
- Use hardware that incorporates security features to strengthen the protection and integrity of the device. For example, use computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.
- Design with system and operational disruption in mind. Understanding what consequences could flow from the failure of a device will enable developers, manufacturers, and service providers to make more informed risk-based security decisions. Where feasible, developers should build IoT devices to fail safely and securely, so that the failure does not lead to greater systemic disruption.

Risks of Connected Homes

- Home automation systems (Nest)
- Amazon Echo (example of Alexa ordering things from TV)
- Amazon Echo data request to be used in murder case
- Turn on lights, heat, pre-heat the stove
- Smart alarm systems (In fact, some alarm systems can be easily hacked into via browser and easily-guessable passwords. This can give hackers access to doors, alarms, CCTV controls from theoretically anywhere in the world)

Principles for Securing the Internet of Things

- Incorporate Security at the Design Phase
- Advance Security Updates & Vulnerability Management
- Build on Proven Security Practices
- Prioritize Security Measures According to Potential Impact
- Promote Transparency across IoT
- Connect Carefully & Deliberately

What is meant by prioritizing by potential impact

- Know a device's intended use and environment, where possible.
- Perform a "red-teaming" exercise, where developers actively try to bypass the security measures needed at the application, network, data, or physical layers.
- Identify and authenticate the devices connected to the network, especially for industrial consumers and business networks.

What is meant by Build on Recognized Security Practices

- Start with basic software security and cybersecurity practices and apply them to the IoT ecosystem in flexible, adaptive, and innovative ways.
- Practice defense in depth. Developers and manufacturers should employ a holistic approach to security that includes layered defenses against cybersecurity threats.
- Participate in information sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public and private partners.

Connect Carefully & Deliberately

- Advise IoT consumers on the intended purpose of any network connections. Direct internet connections may not be needed to operate critical functions of an IoT device, particularly in the industrial setting. Information about the nature and purpose of connections can inform consumer decisions.
- Make intentional connections. There are instances when it is in the consumer's interest not to connect directly to the Internet, but instead to a local network that can aggregate and evaluate any critical information. Industrial Control Systems have standards, for example.
- Build in controls to allow manufacturers, service providers, and consumers to disable network connections or specific ports when needed or desired to enable selective connectivity. Depending on the purpose of the IoT device, providing the consumers with guidance and control over the end implementation can be a sound practice.

Question #2: Who is responsible for IoT security?

As it stands right now there hasn't been much incentive to secure IoT devices. This is a relatively new area, and speed to market often takes precedence over security. Security features are harder to sell than product features, and IoT devices are created by different vendors so there is no universal standard. Even if consumers wanted to assess the relative security of IoT devices there are no established ratings or measures. As a comparison, everyday consumer goods are subjected to rigorous testing by manufacturers and testing labs, but a similar approach is not taken to assess the security of IoT devices. For example, the devices used in the DYN attack were compromised using default credentials which demonstrates a complete lack of attention to security. So to answer the question, it's currently a bit ambiguous where the responsibility for IoT security lies. You have one company design a device, another supply component software, another operate the network in which the device is embedded, and then you have the user that deploys the device. Given that complexity, IoT security should start at the beginning with product manufacturers during the design phase. Although that's not to say end users of IoT devices should use them recklessly without concern for privacy or the risks they pose. If consumers demanded devices that were secure then manufacturers would ultimately provide more secure devices.

Question #1: Risk Reward Trade Off - Where are we now?

Before jumping into the risk/reward trade-off of IoT devices I think it would be helpful to give a little context in terms of where we currently are regarding the adoption of IoT, and what the expected growth is. As we'll talk about today you'll hear a common theme that IoT devices are inherently insecure, assuming the recent attacks haven't made that clear enough. Given the large numbers of devices connected today, and estimates for the next several years, it becomes clear that there is a real need to address IoT in a more structured and thought out manner.

So, first things first... Where are we today, and where are we headed?

- In 2015 it was estimated that there were 4.8B IoT devices (about 2.8B of those being consumer devices).
- That was in 2015. The number is surely higher today, and projected to grow quite rapidly over the next several years. There are varying estimates from the likes of Intel & Cisco that peg the number of connected devices between 20 to 50 billion devices connected by 2020.
- Now couple that with the fact that just 20% of IoT applications are tested for vulnerabilities - according to a Ponemon study - and we have major outages like the Dyn attack.

Discuss what a Smart Kiosk is

Each such terminal is either a Windows-based or an Android-based device. The main difference in comparison to ordinary devices is the special kiosk-mode software that runs on public terminals and serves as the user interface. This software provides easy access to specific features of the terminal whilst at the same time restricting access to other features of the device's operating system, including launching a web browser and then virtual keyboard. Accessing these functions provides an attacker with numerous opportunities to compromise the system, as if he was in front of a PC. The research showed that almost any digital public kiosk contains one or multiple security weaknesses which allow an attacker to access hidden features of the OS.

List some targets for a large scale IoT breach

- Fleet Management in transportation
- Security & surveillance applications
- Inventory & Warehouse Management
- Industrial management in primary manufacturing

Question #2: What can consumers do?

For IoT users the advice from the Department of Homeland Security is to Connect Carefully & Deliberately. That means to only connect devices to the internet when necessary. So either don't connect at all, or when a connection is required check if an internal network can serve the purpose without connecting to the internet. Aside from being careful about choosing when to connect an IoT device, for individual consumers there are new products coming to market that aim to protect IoT devices attached to an individual's home network, which could include several computers, tablets, smartphones, thermostat, smart TV, and other miscellaneous appliances.

Question #1: Risk Reward Trade off - What are the Risks

However these benefits don't come without risk. We know IoT devices are insecure, but what are the risks?

The 2016 Kaspersky report summed it up by saying insecure IoT devices can result in:

- The data can be compromised
- They can be attacked
- And they can be used in an attack

Starting with privacy concerns, IoT data can be compromised from insecure devices. This can lead to financial costs, reputational costs and even product recalls if you are an IoT manufacturer. In addition to the financial and reputational costs, attacks on certain IoT devices could cause actual physical harm...

- For example, an IoT furnace control fails during cold weather in an unoccupied home leading to frozen pipes and water damage;
- An attack on an IoT gas range causes fire and property damage;
- Drone navigation systems fail causing personal injuries from a misdirected device.
- Also IoT can potentially be a gateway to new forms of ransomware which I think we'll discuss later.

An additional aspect, further to just the data within or collected by the IoT device being compromised: the devices can be attacked to gain leverage to a company's network. All a hacker needs to do is get into one tiny node on a system and they can gain access to the entire system. So, this would be a case where the introduction of insecure IoT devices to a network could potentially be adding a number of weak links to the overall security of a network.

In summary, what do we know? There are a lot of IoT devices out there, there will be a lot more. They aren't always secure; however, they have the potential to dramatically improve our lives, but don't come without risk.

Question #2: What can manufacturers do?

In November 2016 the Department of Homeland Security published a document titled the Strategic Principles for Securing the Internet of Things, and even suggested that the government could sue manufacturers for failing to "build security into the design phase". So what are some key principles for securing IoT devices?

First and foremost, make security part of the design process. It should not be an afterthought. What does that mean?

- Strong security controls should be something the consumer has to deliberately disable rather than deliberately enable.
- Use the most recent operating system. Many IoT devices use Linux operating systems but not the most up to date. Using the most up to date ensures known vulnerabilities will have been mitigated.
- Use hardware that incorporates security features. For example, use computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.
- Also, where feasible, developers should build IoT devices to fail safely and securely, so that the failure does not lead to greater systemic disruption.

Other best practices include:

- Building on existing cyber security protocols such as NIST
- Require users to create their own unique login upon first use.
- Enabling devices to automatically update when necessary.
- Conducting penetration tests to identify and secure vulnerabilities.
- Using the right pairing controls, so that users can ensure that their devices are only connected to the networks that they specify, and not a neighbor's or hacker's choice.
- Testing new software for known vulnerabilities and exploits.
- Encrypting any and all data that is being transmitted to and from the device.

Who is the DHS report aimed at

IoT developers to factor in security when a device, sensor, service, or any component of the IoT is being designed and developed; IoT manufacturers to improve security for both consumer devices and vendor managed devices; Service providers, that implement services through IoT devices, to consider the security of the functions offered by those IoT devices, as well as the underlying security of the infrastructure enabling these services; and Industrial and business-level consumers (including the federal government and critical infrastructure owners and operators) to serve as leaders in engaging manufacturers and service providers on the security of IoT devices.

How have vehicles been hacked

Researchers who have hacked their way into computers that control dashboard displays, lighting systems or air bags have found their way to ones running transmission systems, engine cylinders and, in the most advanced cars, steering controls. Nearly all of these systems speak a common digital language, a computer protocol created in the 1980s when only motorists and their mechanics had access to critical vehicle controls.

Question #1: Risk Reward Trade off - What are the Benefits

So, even though we know IoT devices are insecure, there is still rapid growth in their adoption. That being the case there must be some benefits. So what are those benefits?

- Starting off we can think of some of the most obvious examples to list... my FitBit motivates me to reach fitness goals, my connected thermostat - if I had one - allows me to control the temperature in my home and save money, and so on.
- But in addition to those consumer related IoT devices there are applications that go beyond comfort and efficiency and provide safety. IoT technology has the potential to reduce the number of auto accidents and injuries, it has the ability to warn workers in manufacturing facilities when there are unsafe conditions. They can capture critical patient data that can in an emergency. So aside from the luxury of comfort and convenience there is a real benefit that could ultimately save human lives.
- Lastly, from the commercial aspect IoT devices have the ability to track data we weren't able to capture before. This can lead to better decision making and delivery of products and services that meet the needs of consumers.

Describe IoT's role in the evolution of Ransomware (i.e. locking doors, controlling heating systems, etc...for extortion payments)

When we talk about ransomware we typically think of malware that encrypts a person's files, and then charges the victim a ransom to access their own data. Now introduce that concept to IoT devices and consider the many applications that they are used in. Hackers now have the ability to do more than just make data inaccessible. Here are a few examples of how this has played out so far...

There was the example of the hotel in the Swiss Alps where guests were locked out of their rooms unless the hotel agreed to pay a ransom. From what I read this was a relatively inexpensive ransom at 2 bitcoins and the hotel ultimately paid. Although it wasn't expensive, this is a scary concept as it could potentially make its way to vehicles, locking individuals out of their cars. Another hypothetical example would be taking control of a heating system within your home, and charging a ransom to restore it.

Another real life example is the San Francisco transit system, which was a victim of ransomware on their ticket machines in November of last year. The demand was for a $73,000 ransom roughly, however the transit system did not pay the ransom and allowed free ridership while the systems were down. This is an area to definitely keep an eye on since we know ransomware is prevalent as is the usage of IoT devices.

Risks of Connected Medical Devices

- Patient privacy issues
- Battery exhaustion
- Device Malfunction
- Death threats and extortion
- Remote assassination scenario

Risks of Connected Kiosks

- Ticket terminals in movie theatres
- Bike rental terminals
- Service kiosks in government organizations
- Booking and information terminals at airports
- Passenger infotainment terminals in city taxis

