SECURING THE INTERNET OF THINGS Christopher Frenz


THE NEED FOR IOT SECURITY???

MIRAI BOTNET AND DDOS

ATTACK ON DYN

• 1.2 Tbps DDoS attack from 100K malicious endpoints

• Brought down Twitter, Netflix, Reddit, CNN, PayPal, and others

• 145K domains affected

• Dyn lost 14.5 domains as customers

Image – downdetector.com

LOCALIZED TARGETS

IOT IN HEALTHCARE

PRIVACY ISSUES AS WELL

MIRAI

• What makes these attacks so scary is not the level of sophistication of the malware itself, but actually its lack of sophistication in how it gains control of IoT devices.

• The source code of Mirai is available:
  • https://github.com/jgamblin/Mirai-Source-Code

• Mirai and the related Bashlite malware make use of default usernames and passwords

SCANNER.C

• The Mirai source code file scanner.c lists 62 default user name and password combinations

• Sophos estimates that this simple list of passwords is enough to compromise hundreds of thousands of IoT devices

User Name       Password        User Name       Password        User Name       Password
root            xc3511          admin           1111            root            zlxx.
root            vizxv           root            666666          root            7ujMko0vizxv
root            admin           root            password        root            7ujMko0admin
admin           admin           root            1234            root            system
root            888888          root            klv123          root            ikwb
root            xmhdipc         Administrator   admin           root            dreambox
root            default         service         service         root            user
root            juantech        supervisor      supervisor      root            realtek
root            123456          guest           guest           root            0
root            54321           guest           12345           admin           1111111
support         support         guest           12345           admin           1234
root            (none)          admin1          password        admin           12345
admin           password        administrator   1234            admin           54321
root            root            666666          666666          admin           123456
root            12345           888888          888888          admin           7ujMko0admin
user            user            ubnt            ubnt            admin           1234
admin           (none)          root            klv1234         admin           pass
root            pass            root            Zte521          admin           meinsm
admin           admin1234       root            hi3518          tech            tech
root            1111            root            jvbzd           mother          fucker
admin           smcadmin        root            anko

OWASP IOT TOP 10

Vulnerability Rank   Vulnerability Name
1                    Insecure Web Interface
2                    Insufficient Authentication/Authorization
3                    Insecure Network Services
4                    Lack of Transport Encryption/Integrity Verification
5                    Privacy Concerns
6                    Insecure Cloud Interface
7                    Insecure Mobile Interface
8                    Insufficient Security Configurability
9                    Insecure Software/Firmware
10                   Poor Physical Security

IOT CRUSHER

WHERE IS ALL MY DATA?

• Organizations should have a map of where all of their data assets are and where their data flows to

• This effort needs to involve more than just IT. A surprising amount of sensitive data may not be under the control of IT (HR, Finance, etc.)

• Finance sending data to an external vendor for revenue cycle management or collections

• Paper-based records such as a morgue logbook may still have PII

• Shadow IT, BYOD, etc.

• This map should include data collected and distributed by IoT devices like security cameras, medical devices, etc.

INTERNAL FIREWALLS, NETWORK SEGMENTATION, INTERNAL IDS

• Traffic to and from IoT devices should be isolated as much as possible from the rest of your network – VLANs, ACLs, etc.

• In healthcare it is becoming common to place a firewall in front of network enabled medical equipment to restrict traffic flows

• IDS and threat detection is not just a good idea at the perimeter – it should be used to examine internal traffic as well

ZERO TRUST

• With increasing virtualization of servers and desktops, security at the virtual machine level should not be ignored

• Software Defined Networking and security products like NSX and Hyper-V network virtualization make approaching zero trust networks more feasible

TOP 10 IOT SECURITY CONTROLS FOR IOT DEVELOPERS

• No default passwords or hardcoded passwords post initial setup
• Account lockouts after 3-5 failed logins
• Password complexity filters
• No unsecured connections
• No administrative access on internet-facing interfaces
• Network-level access controls
• Update mechanisms
• Encryption at rest
• Differing account access levels
• Privacy by Design principles

http://www.codeguru.com/IoT/understanding-iot-security-for-iot-developers.html
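
The first three controls on this slide (no default passwords after initial setup, lockout after 3-5 failed logins, password complexity filters) sketched as a firmware-side login gate in C. This is an added example, not code from the talk or the linked article; the account struct, the function names, the 5-attempt / 300-second lockout and the complexity thresholds are all assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <time.h>

#define MAX_FAILURES 5    /* slide: lock out after 3-5 failed logins */
#define LOCKOUT_SECS 300  /* assumed lockout window */

typedef enum { AUTH_OK, AUTH_DENIED, AUTH_LOCKED, AUTH_SETUP_REQUIRED } auth_result;

typedef struct {
    char   password[64];     /* plaintext keeps the sketch short; store a salted hash in practice */
    bool   factory_default;  /* true until the owner completes initial setup */
    int    failures;
    time_t locked_until;
} account;

/* Complexity filter (thresholds assumed): 10-63 chars with lower, upper and digit. */
bool password_acceptable(const char *pw) {
    bool lo = false, up = false, dg = false;
    size_t n = strlen(pw);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        lo = lo || islower(c); up = up || isupper(c); dg = dg || isdigit(c);
    }
    return n >= 10 && n < 64 && lo && up && dg;
}

/* Initial setup: replace the factory password; reject weak values and reuse of the default. */
bool complete_setup(account *a, const char *new_pw) {
    if (!password_acceptable(new_pw) || strcmp(new_pw, a->password) == 0) return false;
    strcpy(a->password, new_pw);  /* length already bounded by password_acceptable */
    a->factory_default = false;
    a->failures = 0;
    return true;
}

/* Login gate: factory credentials never open a session; repeated failures lock the account. */
auth_result login(account *a, const char *pw, time_t now) {
    if (a->factory_default) return AUTH_SETUP_REQUIRED;
    if (now < a->locked_until) return AUTH_LOCKED;
    if (strcmp(pw, a->password) == 0) { a->failures = 0; return AUTH_OK; }
    if (++a->failures >= MAX_FAILURES) {
        a->locked_until = now + LOCKOUT_SECS;
        a->failures = 0;
        return AUTH_LOCKED;
    }
    return AUTH_DENIED;
}
```

A device built this way never accepts its factory password over the network, so a scanner working from a fixed default list gets AUTH_SETUP_REQUIRED or AUTH_LOCKED rather than a session.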

HOW DO WE GET MANUFACTURERS TO CARE

• Consumers need to put economic pressure on manufacturers to produce secure devices

• Customers need to vote with their wallet and not purchase products that cannot be properly secured

• The average consumer does not know enough about security to make good decisions as to which products are secure and which are not

IOT NUTRITION LABEL

Makes it easy for non-savvy consumers to compare the security of IoT devices

If enough industry backing can be gained that the use of such labelling becomes commonplace, vendors will strive to eliminate red Xs from their label

ENOUGH MOMENTUM?

QUESTIONS

• https://www.linkedin.com/in/christopherfrenz/