
IOT Security - OWASP Suffolk Chapter Meeting 22 June 2021

OWASP Suffolk Chapter Meeting 22 June 2021

These are the edited notes from the Zoom chat of the talk on: 

'IoT Security - Importance, threats, best practice' by Ilya Kudryavtsev. Most of the headings shown here relate to things that Ilya mentioned in his talk...

Trivia. 

The talk was by Ilya Kudryavtsev, which made some people think of the TV series 'The Man from U.N.C.L.E.'.

The English actor in that series ended up working in the US (NCIS) and the American ended up working in the UK (Hustle).

https://en.wikipedia.org/wiki/Illya_Kuryakin

https://en.wikipedia.org/wiki/Napoleon_Solo

Aside: 

So where do ransomware payments actually go?

https://www.bleepingcomputer.com/news/security/mysterious-ransomware-payment-traced-to-a-sensual-massage-site/

Zettabytes: 

https://en.wikipedia.org/wiki/Byte#Multiple-byte_units

Modbus: 

https://en.wikipedia.org/wiki/Modbus

Databases of IOT devices:

https://defpass.com/

https://information.rapid7.com/iotseeker.html

https://nakedsecurity.sophos.com/2018/03/22/the-password-to-your-iot-device-is-just-a-google-search-away/

Alexa:

https://www.the-ambient.com/features/weird-ways-echo-can-be-hacked-how-to-stop-it-231

https://voicebot.ai/2020/08/13/amazon-patched-an-alexa-hacking-vulnerability-discovered-by-cybersecurity-researchers-in-june/

https://www.toptal.com/arduino/esp8266-arduino-tutorial-alexa-hack

https://aws.amazon.com/

Spot, the Robot Dog from Boston Dynamics:

https://www.bostondynamics.com/

https://www.bostondynamics.com/spot

https://en.wikipedia.org/wiki/Spot_(franchise)

Trivia: Dave said: I'm reminded of the episode of the IT Crowd where the bomb disposal robot breaks down and they ask what OS it is running.

https://hackaday.com/tag/spot/

https://news.ycombinator.com/item?id=25671452

https://www.engineering.com/story/boston-dynamics-makes-its-industrial-service-dog-smarter-and-takes-it-off-leash

Specs: https://www.bostondynamics.com/spot

API: https://dev.bostondynamics.com/

NEWS: https://techcrunch.com/2021/06/21/hyundai-completes-deal-for-controlling-interest-in-boston-dynamics/

So the Boston Dynamics Spot is now the Hyundai Spot?

Power Grid Problems:

https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack

https://en.wikipedia.org/wiki/BlackEnergy

https://en.wikipedia.org/wiki/List_of_major_power_outages

https://github.com/AvivShabtay/BlackEnergyDriver

https://en.wikipedia.org/wiki/SCADA

Circuit breakers: 

https://en.wikipedia.org/wiki/Circuit_breaker

https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack

https://thehackernews.com/2018/04/iot-hacking-thermometer.html

One member commented: Our village lost power for 1-second today. It happens occasionally. You know it's happened because house alarms are triggered and security lights come on. Everything in the house with a digital clock is flashing 00:00. Only the laptops remain unscathed. Annoying if you have a games console on as it needs to run through an integrity check. This was 1-second. Rural life.

Zero-Trust (as opposed to Zero-Proof)

https://en.wikipedia.org/wiki/Tamperproofing
https://en.wikipedia.org/wiki/Zero_trust_security_model
https://en.wikipedia.org/wiki/Passwordless_authentication
https://www.gov.uk/government/collections/secure-by-design

Whilst Ilya was talking about Microsoft Azure and IOT...

https://azure.microsoft.com/en-gb/overview/iot/

https://www.techrepublic.com/article/microsoft-well-give-you-100000-if-you-can-hack-our-azure-sphere-iot-platform/

https://www.bitdefender.com/box/blog/iot-news/microsoft-pays-374000-bounties-hackers-find-azure-sphere-iot-vulnerabilities/

https://docs.microsoft.com/en-us/learn/certifications/azure-iot-developer-specialty/

https://www.cloudcredential.org/certifications/internet-of-things/

Questions:

Q. What is right way to start learning more about IoT Security?

https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10

The internet is a great place to start: YouTube, Google, loads of content out there. You can then narrow your focus once you get an overall idea of how it all fits together and which area you are interested in. Some people like to play with devices in a safe lab environment (not connected to the internet). Some people like to take things apart, figure out how they work, and make them work a different way.

https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

Q:- Outdated IoT devices are going to be a bigger threat considering the growth of technology, what approaches can be considered to keep devices relevantly free from vulnerability?

https://www.intertrust.com/blog/owasps-top-10-iot-vulnerabilities-and-what-you-can-do/

A member commented: Yep. There are many scanners out there just looking for old/unpatched IoT devices

https://www.shodan.io/ (Used to be free. Now paywalled...)

https://alternativeto.net/software/shodan/?license=free

A member commented: Annoyingly these crawlers are adding to the bandwidth drain

Q:- Scanners look for vulnerabilities, but how can patches be updated in secured manner?

A member commented:  "If" there are patches...

A member commented: There can be a patch if the firmware is home-grown.

A member commented:  Depends on the device, who is using it, and the security policy (if there is one). For your own IoT device it's down to you to mitigate the risks and keep your device patched

Q: - (Whilst Ilya was showing how the Sun could be used to power encryption cracking...) So what do you do whilst the entire energy output of the sun is diverted? Isn’t the Earth going to get cold?

(I think this was a rhetorical question...)

Q:- Who here has IoT devices?

Several members commented: Me

One member commented:  I have none.

Q&A:- Do you think correct network segmentation can help mitigate some of these risks?

A member commented: The difficulty is ‘correct’ segmentation…

A member commented: How many firewalls are set up correctly?

A member commented:  Good question though

https://en.wikipedia.org/wiki/Network_segmentation

A member commented: Better IoT design would mitigate a lot of the risks…

Q:- Where should people look for good design patterns for IoT? Peer reviewed patterns and open-source are (imo) a much better bet than proprietary ecosystem, or worse, vendor locked-in solutions.

You can sign up to the ioXt Alliance: https://www.ioxtalliance.org/

https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

https://www.checkmarx.com/wp-content/uploads/2015/07/OWASP_TOP_10_IoT_Explained.pdf

https://www.checkmarx.com/tag/internet-of-things/

https://www.checkmarx.com/tag/vulnerable-iot-objects/

https://www.checkmarx.com/in-the-news/iot-will-ever-secure-application-code/

Q:- Great lists of what can go wrong but I'm thinking more about secure recipes, a bit like the AWS builder's library but for IOT?

A member commented:   Security is constantly evolving. When someone invents some new security feature/protocol/device someone else quickly breaks it.

A member commented:  IOT is the Wild West. But there are very few Sheriffs!

A member commented:   Like Cyber Security, IoT is still evolving

---

Missed the Talk?

The YouTube recording of the Talk...

---

There were lots of thanks to Ilya for the talk.
