OWASP Suffolk Chapter Meeting 22 June 2021
These are the edited notes from the Zoom chat of the talk on:
'IoT Security - Importance, threats, best practice' by Ilya Kudryavtsev. Most of the headings shown here relate to things that Ilya mentioned in his talk.
Trivia.
The talk was by Ilya Kudryavtsev, which made some people think of the TV series 'The Man from U.N.C.L.E.'.
The English actor in that series ended up working in the US (NCIS) and the American ended up working in the UK (Hustle).
https://en.wikipedia.org/wiki/Illya_Kuryakin
https://en.wikipedia.org/wiki/Napoleon_Solo
Aside:
So where do ransomware payments actually go?
https://www.bleepingcomputer.com/news/security/mysterious-ransomware-payment-traced-to-a-sensual-massage-site/
Zettabytes:
https://en.wikipedia.org/wiki/Byte#Multiple-byte_units
Modbus:
https://en.wikipedia.org/wiki/Modbus
Databases of IoT devices:
https://defpass.com/
https://information.rapid7.com/iotseeker.html
https://nakedsecurity.sophos.com/2018/03/22/the-password-to-your-iot-device-is-just-a-google-search-away/
Alexa:
https://www.the-ambient.com/features/weird-ways-echo-can-be-hacked-how-to-stop-it-231
https://voicebot.ai/2020/08/13/amazon-patched-an-alexa-hacking-vulnerability-discovered-by-cybersecurity-researchers-in-june/
https://www.toptal.com/arduino/esp8266-arduino-tutorial-alexa-hack
https://aws.amazon.com/
Spot, the Robot Dog from Boston Dynamics:
https://www.bostondynamics.com/
https://www.bostondynamics.com/spot
https://en.wikipedia.org/wiki/Spot_(franchise)
Trivia: Dave said: I'm reminded of the episode of the IT Crowd where the bomb disposal robot breaks down and they ask what OS it is running.
https://hackaday.com/tag/spot/
https://news.ycombinator.com/item?id=25671452
https://www.engineering.com/story/boston-dynamics-makes-its-industrial-service-dog-smarter-and-takes-it-off-leash
Specs: https://www.bostondynamics.com/spot
https://dev.bostondynamics.com/ <-- API
NEWS: https://techcrunch.com/2021/06/21/hyundai-completes-deal-for-controlling-interest-in-boston-dynamics/
So the Boston Dynamics Spot is now the Hyundai Spot?
Power Grid Problems:
https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack
https://en.wikipedia.org/wiki/BlackEnergy
https://en.wikipedia.org/wiki/List_of_major_power_outages
https://github.com/AvivShabtay/BlackEnergyDriver
https://en.wikipedia.org/wiki/SCADA
Circuit breakers:
https://en.wikipedia.org/wiki/Circuit_breaker
https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack
https://thehackernews.com/2018/04/iot-hacking-thermometer.html
One member commented: Our village lost power for 1 second today. It happens occasionally. You know it's happened because house alarms are triggered and security lights come on. Everything in the house with a digital clock is flashing 00:00. Only the laptops remain unscathed. Annoying if you have a games console on as it needs to run through an integrity check. This was 1 second. Rural life.
Zero-Trust (as opposed to Zero-Proof)
https://en.wikipedia.org/wiki/Zero_trust_security_model
https://en.wikipedia.org/wiki/Passwordless_authentication
https://www.gov.uk/government/collections/secure-by-design
Whilst Ilya was talking about Microsoft Azure and IoT...
https://azure.microsoft.com/en-gb/overview/iot/
https://www.techrepublic.com/article/microsoft-well-give-you-100000-if-you-can-hack-our-azure-sphere-iot-platform/
https://www.bitdefender.com/box/blog/iot-news/microsoft-pays-374000-bounties-hackers-find-azure-sphere-iot-vulnerabilities/
https://docs.microsoft.com/en-us/learn/certifications/azure-iot-developer-specialty/
https://www.cloudcredential.org/certifications/internet-of-things/
Questions:
Q. What is the right way to start learning more about IoT Security?
https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10
The internet is a great place to start: YouTube, Google. Loads of content out there. You can then narrow your focus once you get an overall idea of how it all fits together and which area you are interested in. Some people like to play with devices in a safe lab environment (not connected to the InterWeb). Some people like to take things apart, figure out how they work, and make them work a different way.
https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf
Q:- Outdated IoT devices are going to be a bigger threat considering the growth of technology. What approaches can be considered to keep devices relevantly free from vulnerability?
https://www.intertrust.com/blog/owasps-top-10-iot-vulnerabilities-and-what-you-can-do/
A member commented: Yep. There are many scanners out there just looking for old/unpatched IoT devices.
https://www.shodan.io/ (Used to be free. Now paywalled...)
https://alternativeto.net/software/shodan/?license=free
A member commented: Annoyingly these crawlers are adding to the bandwidth drain
Q:- Scanners look for vulnerabilities, but how can patches be updated in secured manner?
A member commented: "If" there are patches...
A member commented: There can be a patch in case the firmware is home-grown.
A member commented: Depends on the device, who is using it, and the security policy (if there is one). For your own IoT device it's down to you to mitigate the risks and keep your device patched.
Q: - (Whilst Ilya was showing how the Sun could be used to power encryption cracking...) So what do you do whilst the entire energy output of the sun is diverted? Isn’t the Earth going to get cold?
(I think this was a rhetorical question...)
Q:- Who here has IoT devices?
Several members commented: Me
One member commented: I have none.
Q&A:- Do you think correct network segmentation can help mitigate some of these risks?
A member commented: The difficulty is ‘correct’ segmentation…
A member commented: How many firewalls are set up correctly?
A member commented: Good question though
https://en.wikipedia.org/wiki/Network_segmentation
A member commented: Better IoT design would mitigate a lot of the risks…
Q:- Where should people look for good design patterns for IoT? Peer reviewed patterns and open-source are (imo) a much better bet than proprietary ecosystem, or worse, vendor locked-in solutions.
You can sign up to the ioXt https://www.ioxtalliance.org/
https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf
https://www.checkmarx.com/wp-content/uploads/2015/07/OWASP_TOP_10_IoT_Explained.pdf
https://www.checkmarx.com/tag/internet-of-things/
https://www.checkmarx.com/tag/vulnerable-iot-objects/
https://www.checkmarx.com/in-the-news/iot-will-ever-secure-application-code/
Q:- Great lists of what can go wrong, but I'm thinking more about secure recipes, a bit like the AWS builder's library but for IoT?
A member commented: Security is constantly evolving. When someone invents some new security feature/protocol/device someone else quickly breaks it.
A member commented: IoT is the Wild West. But there are very few Sheriffs!
A member commented: Like Cyber Security, IoT is still evolving
---
Missed the Talk?
The YouTube recording of the Talk...
---
There were lots of thanks to Ilya for the talk.