
IOT Security - OWASP Suffolk Chapter Meeting 22 June 2021

OWASP Suffolk Chapter Meeting 22 June 2021

These are the edited notes from the Zoom chat of the talk on: 

'IoT Security - Importance, threats, best practice' by Ilya Kudryavtsev. Most of the headings shown here relate to things that Ilya mentioned in his talk...

Trivia. 

The talk was by Ilya Kudryavtsev, which made some people think of the TV series 'The Man From U.N.C.L.E.'.

The English actor in that series ended up working in the US (NCIS) and the American ended up working in the UK (Hustle).

https://en.wikipedia.org/wiki/Illya_Kuryakin

https://en.wikipedia.org/wiki/Napoleon_Solo

Aside: 

So where do ransomware payments actually go?

https://www.bleepingcomputer.com/news/security/mysterious-ransomware-payment-traced-to-a-sensual-massage-site/

Zettabytes: 

https://en.wikipedia.org/wiki/Byte#Multiple-byte_units

Modbus: 

https://en.wikipedia.org/wiki/Modbus

Databases of IOT devices:

https://defpass.com/

https://information.rapid7.com/iotseeker.html

https://nakedsecurity.sophos.com/2018/03/22/the-password-to-your-iot-device-is-just-a-google-search-away/

Alexa:

https://www.the-ambient.com/features/weird-ways-echo-can-be-hacked-how-to-stop-it-231

https://voicebot.ai/2020/08/13/amazon-patched-an-alexa-hacking-vulnerability-discovered-by-cybersecurity-researchers-in-june/

https://www.toptal.com/arduino/esp8266-arduino-tutorial-alexa-hack

https://aws.amazon.com/

Spot, the Robot Dog from Boston Dynamics:

https://www.bostondynamics.com/

https://www.bostondynamics.com/spot

https://en.wikipedia.org/wiki/Spot_(franchise)

Trivia: Dave said: I'm reminded of the episode of the IT Crowd where the bomb disposal robot breaks down and they ask what OS it is running.

https://hackaday.com/tag/spot/

https://news.ycombinator.com/item?id=25671452

https://www.engineering.com/story/boston-dynamics-makes-its-industrial-service-dog-smarter-and-takes-it-off-leash

Specs: https://www.bostondynamics.com/spot

https://dev.bostondynamics.com/   <-- API

NEWS: https://techcrunch.com/2021/06/21/hyundai-completes-deal-for-controlling-interest-in-boston-dynamics/

So the Boston Dynamics Spot is now the Hyundai Spot?

Power Grid Problems:

https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack

https://en.wikipedia.org/wiki/BlackEnergy

https://en.wikipedia.org/wiki/List_of_major_power_outages

https://github.com/AvivShabtay/BlackEnergyDriver

https://en.wikipedia.org/wiki/SCADA

Circuit breakers: 

https://en.wikipedia.org/wiki/Circuit_breaker

https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack

https://thehackernews.com/2018/04/iot-hacking-thermometer.html

One member commented: Our village lost power for 1-second today. It happens occasionally. You know it's happened because house alarms are triggered and security lights come on. Everything in the house with a digital clock is flashing 00:00. Only the laptops remain unscathed. Annoying if you have a games console on as it needs to run through an integrity check. This was 1-second. Rural life.

Zero-Trust (as opposed to Zero-Proof)

https://en.wikipedia.org/wiki/Tamperproofing
https://en.wikipedia.org/wiki/Zero_trust_security_model
https://en.wikipedia.org/wiki/Passwordless_authentication
https://www.gov.uk/government/collections/secure-by-design

Whilst Ilya was talking about Microsoft Azure and IOT...

https://azure.microsoft.com/en-gb/overview/iot/

https://www.techrepublic.com/article/microsoft-well-give-you-100000-if-you-can-hack-our-azure-sphere-iot-platform/

https://www.bitdefender.com/box/blog/iot-news/microsoft-pays-374000-bounties-hackers-find-azure-sphere-iot-vulnerabilities/

https://docs.microsoft.com/en-us/learn/certifications/azure-iot-developer-specialty/

https://www.cloudcredential.org/certifications/internet-of-things/

Questions:

Q. What is the right way to start learning more about IoT Security?

https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10

The internet is a great place to start. YouTube, Google. Loads of content out there. You can then narrow your focus once you get an overall idea of how it all fits together and which area you are interested in. Some people like to play with devices in a safe lab environment (not connected to the InterWeb). Some people like to take things apart, figure out how they work, and make them work a different way.

https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

Q:- Outdated IoT devices are going to be a bigger threat considering the growth of technology; what approaches can be considered to keep devices relevantly free from vulnerability?

https://www.intertrust.com/blog/owasps-top-10-iot-vulnerabilities-and-what-you-can-do/

A member commented: Yep. There are many scanners out there just looking for old/unpatched IoT devices

https://www.shodan.io/ (Used to be free. Now paywalled...)

https://alternativeto.net/software/shodan/?license=free

A member commented: Annoyingly these crawlers are adding to the bandwidth drain

Q:- Scanners look for vulnerabilities, but how can patches be updated in secured manner?

A member commented:  "If" there are patches...

A member commented:  There can be a patch in case the firmware is home grown

A member commented:  Depends on the device, who is using it, and the security policy (if there is one). For your own IoT device it's down to you to mitigate the risks and keep your device patched

Q: - (Whilst Ilya was showing how the Sun could be used to power encryption cracking...) So what do you do whilst the entire energy output of the sun is diverted? Isn’t the Earth going to get cold?

(I think this was a rhetorical question...)

Q:- Who here has IoT devices?

Several members commented: Me

One member commented:  I have none.

Q&A:- Do you think correct network segmentation can help mitigate some of these risks?

A member commented: The difficulty is ‘correct’ segmentation…

A member commented: How many firewalls are set up correctly?

A member commented:  Good question though

https://en.wikipedia.org/wiki/Network_segmentation

A member commented: Better IoT design would mitigate a lot of the risks…

Q:- Where should people look for good design patterns for IoT? Peer reviewed patterns and open-source are (imo) a much better bet than proprietary ecosystem, or worse, vendor locked-in solutions.

You can sign up to the ioXt https://www.ioxtalliance.org/

https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

https://www.checkmarx.com/wp-content/uploads/2015/07/OWASP_TOP_10_IoT_Explained.pdf

https://www.checkmarx.com/tag/internet-of-things/

https://www.checkmarx.com/tag/vulnerable-iot-objects/

https://www.checkmarx.com/in-the-news/iot-will-ever-secure-application-code/

Q:- Great lists of what can go wrong but I'm thinking more about secure recipes, a bit like the AWS builder's library but for IOT?

A member commented:   Security is constantly evolving. When someone invents some new security feature/protocol/device someone else quickly breaks it.

A member commented:  IOT is the Wild West. But there are very few Sheriffs!

A member commented:   Like Cyber Security, IoT is still evolving

---

Missed the Talk?

The YouTube recording of the Talk...

---

There were lots of thanks to Ilya for the talk.

