Securing IoT in the Enterprise
Daniel Miessler, IOActive
May 2017
About
- Infosec for around 18 years
- Mostly technical testing and enterprise consulting
- Net / app / web / mobile / IoT
- Director of Advisory Services for IOActive
- I do a weekly show on infosec, technology, humans
- Reading, writing, table tennis
- Wrote a book: The Real Internet of Things
- @danielmiessler

Discuss
- A functional definition of IoT
- The IoT Attack Surface
- Securing IoT in the Enterprise
- IoT and Ransomware

What is IoT
- Lots of definitions out there.
- Some are based on connectivity.
- Some require embedded.
- OXFORD(ish): An extension of the Internet where everyday objects have network connectivity, allowing them to send and receive data.
Attack Surface

What do?
IoT Security != Device Security (what they think it is)
OWASP IoT Security
Project areas:
- Attack surfaces
- Vulnerabilities
- Medical Devices
- Firmware Analysis
- IoT Event Logging
- ICS / SCADA

Attack surface areas:
- Ecosystem (general)
- Device Memory
- Device Physical Interfaces
- Device Web Interface
- Device Firmware
- Device Network Services
- Administrative Interface
- Local Data Storage
- Cloud Web Interface
- Third-party Backend APIs
- Update Mechanism
- Mobile Application
- Vendor Backend APIs
- Ecosystem Communication
- Network Traffic
- Privacy
- Sensors
IoT Attack Surfaces
Firmware analysis: https://github.com/craigz28/firmwalker
Network Focus (what they think it is)

Network Focus (what it actually is)

Getting Packet Visibility (diagram): LAN -> TAP -> Firewall -> Internet. The tap feeds a PCAP, which is then searched for sensitive strings (grep -i Wombat27!).

Get a Tap
Caparser
- Capture all internal traffic from an internal ecosystem
- Exercise the product fully
- Break the .pcap into its component parts using tshark
- Extract any sensitive content from the .pcap
- Associate the sensitive content with where it's being sent
https://github.com/danielmiessler/caparser
tshark(s)
List the destination hosts of every IP conversation in the capture (the pipes between the stages were lost in the slide export):
tshark -r diphone.pcap -q -z conv,ip | awk '{print $3}' | grep "^[0-9]" | sort | uniq | awk '{print $1}'
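The Caparser workflow and the tshark conversation listing above, worked as an added Python example (not Caparser's or the deck's own code): it parses constructed `tshark -z conv,ip` output, scans constructed payloads for secrets such as the slide's Wombat27! string, and reports which destinations lie outside the assumed lab subnet 192.168.1.0/24.

```python
"""Tie secrets seen in captured traffic to the hosts they were sent to.
Added example of the Caparser-style workflow on the slides, not Caparser's
own code: it parses the conversation table from `tshark -q -z conv,ip` (the
step the slide's awk/grep pipeline performs) and scans reassembled payloads
for sensitive strings. All data is constructed (test/private IP ranges)."""
import ipaddress
import re
# Constructed excerpt of `tshark -r capture.pcap -q -z conv,ip` output.
CONV_TABLE = """\
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
192.168.1.50         <-> 203.0.113.10               40   5200      35   3100      75   8300
192.168.1.50         <-> 192.168.1.1                 4    400       4    300       8    700
================================================================================
"""
# Constructed reassembled payloads per conversation, keyed by (src, dst).
PAYLOADS = {
    ("192.168.1.50", "203.0.113.10"):
        "POST /api/login HTTP/1.1\r\nHost: vendor.example\r\n\r\n"
        "user=admin&password=Wombat27!",
    ("192.168.1.50", "192.168.1.1"): "GET /status HTTP/1.1\r\nHost: gw\r\n\r\n",
}
# The lab ecosystem's own subnet (assumed); any other destination is off-net.
LAN = ipaddress.ip_network("192.168.1.0/24")
# Content that should never leave a device in the clear.
SENSITIVE = {
    "password": re.compile(r"(?:password|passwd|pwd)=([^&\s]+)", re.I),
    "basic-auth": re.compile(r"Authorization:\s*Basic\s+(\S+)", re.I),
}

def parse_conversations(table):
    """Return (src, dst) pairs. Only rows starting with a digit are data rows,
    which is exactly what the slide's grep "^[0-9]" keeps."""
    rows = (line.split() for line in table.splitlines() if line[:1].isdigit())
    return [(f[0], f[2]) for f in rows]

def find_leaks(table, payloads):
    """Map each sensitive value to its destination and flag off-net hosts."""
    findings = []
    for src, dst in parse_conversations(table):
        text = payloads.get((src, dst), "")
        off_net = ipaddress.ip_address(dst) not in LAN
        for kind, rx in SENSITIVE.items():
            findings += [{"kind": kind, "value": m.group(1), "src": src,
                          "dst": dst, "off_net": off_net}
                         for m in rx.finditer(text)]
    return findings
```

In a real assessment the payloads come from the pcap itself (tshark's follow/export features); the point is the final association of each secret with the host it was sent to.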
Caparser Output

Enterprise IoT
Enterprise IoT (attack surface)
The biggest threat to enterprises from IoT is not any specific technology, but blindness to the attack surface.
- Device
- Sensors
- Administration
- Firmware
- Network
- Mobile
- Cloud
- Backend APIs
- Third-party integrations
Enterprise IoT (understand)
Above all else, you have to understand the components and structure of the system you're deploying into your company.
- How many devices?
- What types of sensors?
- What network are they on?
- How are they administered?
- What ports are open on these systems?
- How is authentication and authorization performed?
Enterprise IoT (assess)
This means doing an IoT deployment risk assessment before implementing any solution.
- What data is being captured?
- Via what sensors?
- Where is it being sent?
- How is it being stored?
- Who has access to it?
- How will it be updated if a flaw is found?
- What can those systems access if they're compromised?
- How bad would it be if this system was unavailable?
- What would we do if that happened?
Enterprise IoT (data)
Increasingly, we're going to have to start thinking about what sensors can perceive, how that data can be leaked, and the implications thereof.
- Installed systems
- Wearables
- Are they recording video?
- Are they recording audio?
- How easy is it to share that content outside?
- What could happen if that content went public?
> New sensor project that connects to electrical sockets and tells you what's happening inside your house.
Enterprise IoT (ransomware)
The way to think about ransomware is this: if it's important to you, they're coming for it.
- Infrastructure
- Data
- Connectivity
- Devices
- Systems
- IoT
Enterprise IoT (three trends)
1. We depend on everyday things (lights, cars, factories, cameras, logistics) to do business.
2. You gain business efficiency when those things are network enabled (IoT).
3. Attackers now have a new way to harm your business.
Takeaways
1. IoT is about everyday objects becoming interactive.
2. The IoT attack surface is vastly underestimated.
3. Before you deploy IoT internally, you need a risk assessment on that specific ecosystem.
4. Consider what's being captured, via what methods, and how it's being stored and accessed.
5. Be prepared for that system to be compromised or unavailable.
6. Expect ransomware attacks, because IoT means putting our critical dependencies on the network.
Thanks & Contact
Daniel Miessler, IOActive
daniel.miessler@ioactive.com
@danielmiessler
danielmiessler.com/podcast