
IOT Security - OWASP Suffolk Chapter Meeting 22 June 2021


These are the edited notes from the Zoom chat of the talk on: 

'IoT Security - Importance, threats, best practice' by Ilya Kudryavtsev. Most of the headings shown here relate to things that Ilya mentioned in his talk...

Trivia. 

The talk was by Ilya Kudryavtsev, which made some people think of the TV series 'The Man From Uncle'.

The English actor in that series ended up working in the US (NCIS) and the American ended up working in the UK (Hustle).

https://en.wikipedia.org/wiki/Illya_Kuryakin

https://en.wikipedia.org/wiki/Napoleon_Solo

Aside: 

So where do ransomware payments actually go?

https://www.bleepingcomputer.com/news/security/mysterious-ransomware-payment-traced-to-a-sensual-massage-site/

Zettabytes: 

https://en.wikipedia.org/wiki/Byte#Multiple-byte_units

Modbus: 

https://en.wikipedia.org/wiki/Modbus

Databases of IOT devices:

 https://defpass.com/

https://information.rapid7.com/iotseeker.html

https://nakedsecurity.sophos.com/2018/03/22/the-password-to-your-iot-device-is-just-a-google-search-away/

Alexa:

https://www.the-ambient.com/features/weird-ways-echo-can-be-hacked-how-to-stop-it-231

https://voicebot.ai/2020/08/13/amazon-patched-an-alexa-hacking-vulnerability-discovered-by-cybersecurity-researchers-in-june/

https://www.toptal.com/arduino/esp8266-arduino-tutorial-alexa-hack

https://aws.amazon.com/

Spot, the Robot Dog from Boston Dynamics:

https://www.bostondynamics.com/

 https://www.bostondynamics.com/spot

https://en.wikipedia.org/wiki/Spot_(franchise)

Trivia: Dave said: I'm reminded of the episode of the IT Crowd where the bomb disposal robot breaks down and they ask what OS it is running.

https://hackaday.com/tag/spot/

https://news.ycombinator.com/item?id=25671452

https://www.engineering.com/story/boston-dynamics-makes-its-industrial-service-dog-smarter-and-takes-it-off-leash

Specs: https://www.bostondynamics.com/spot

https://dev.bostondynamics.com/   <-- API

NEWS: https://techcrunch.com/2021/06/21/hyundai-completes-deal-for-controlling-interest-in-boston-dynamics/

So the Boston Dynamics Spot is now the Hyundai Spot?

Power Grid Problems:

https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack

https://en.wikipedia.org/wiki/BlackEnergy

https://en.wikipedia.org/wiki/List_of_major_power_outages

https://github.com/AvivShabtay/BlackEnergyDriver

https://en.wikipedia.org/wiki/SCADA

Circuit breakers: 

https://en.wikipedia.org/wiki/Circuit_breaker

https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack

https://thehackernews.com/2018/04/iot-hacking-thermometer.html

One member commented: Our village lost power for 1-second today. It happens occasionally. You know it's happened because house alarms are triggered and security lights come on. Everything in the house with a digital clock is flashing 00:00. Only the laptops remain unscathed. Annoying if you have a games console on as it needs to run through an integrity check. This was 1-second. Rural life.

Zero-Trust (as opposed to Zero-Proof)

https://en.wikipedia.org/wiki/Tamperproofing
https://en.wikipedia.org/wiki/Zero_trust_security_model
https://en.wikipedia.org/wiki/Passwordless_authentication
https://www.gov.uk/government/collections/secure-by-design

Whilst Ilya was talking about Microsoft Azure and IOT...

https://azure.microsoft.com/en-gb/overview/iot/

https://www.techrepublic.com/article/microsoft-well-give-you-100000-if-you-can-hack-our-azure-sphere-iot-platform/

https://www.bitdefender.com/box/blog/iot-news/microsoft-pays-374000-bounties-hackers-find-azure-sphere-iot-vulnerabilities/

https://docs.microsoft.com/en-us/learn/certifications/azure-iot-developer-specialty/

https://www.cloudcredential.org/certifications/internet-of-things/

Questions:

Q. What is the right way to start learning more about IoT Security?

https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10

The internet is a great place to start: YouTube, Google, loads of content out there. You can then narrow your focus once you get an overall idea of how it all fits together and which area you are interested in. Some people like to play with devices in a safe lab environment (not connected to the InterWeb). Some people like to take things apart, figure out how they work, and make them work a different way.

https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

Q:- Outdated IoT devices are going to be a bigger threat considering the growth of technology, what approaches can be considered to keep devices relevantly free from vulnerability?

https://www.intertrust.com/blog/owasps-top-10-iot-vulnerabilities-and-what-you-can-do/

A member commented: Yep. There are many scanners out there just looking for old/unpatched IoT devices

https://www.shodan.io/ (Used to be free. Now paywalled...)

https://alternativeto.net/software/shodan/?license=free

A member commented: Annoyingly these crawlers are adding to the bandwidth drain

Q:- Scanners look for vulnerabilities, but how can patches be updated in secured manner?

A member commented:  "If" there are patches...

A member commented:  There can be a patch if the firmware is home-grown

A member commented:  Depends on the device, who is using it, and the security policy (if there is one). For your own IoT device it's down to you to mitigate the risks and keep your device patched

Q: - (Whilst Ilya was showing how the Sun could be used to power encryption cracking...) So what do you do whilst the entire energy output of the sun is diverted? Isn’t the Earth going to get cold?

(I think this was a rhetorical question...)

Q:- Who here has IoT devices?

Several members commented: Me

One member commented:  I have none.

Q&A:- Do you think correct network segmentation can help mitigate some of these risks?

A member commented: The difficulty is ‘correct’ segmentation…

A member commented: How many firewalls are set up correctly?

A member commented:  Good question though

https://en.wikipedia.org/wiki/Network_segmentation

A member commented: Better IoT design would mitigate a lot of the risks…

Q:- Where should people look for good design patterns for IoT? Peer reviewed patterns and open-source are (imo) a much better bet than proprietary ecosystem, or worse, vendor locked-in solutions.

You can sign up to the ioXt https://www.ioxtalliance.org/

https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

https://www.checkmarx.com/wp-content/uploads/2015/07/OWASP_TOP_10_IoT_Explained.pdf

https://www.checkmarx.com/tag/internet-of-things/

https://www.checkmarx.com/tag/vulnerable-iot-objects/

https://www.checkmarx.com/in-the-news/iot-will-ever-secure-application-code/

Q:- Great lists of what can go wrong but I'm thinking more about secure recipes, a bit like the AWS builder's library but for IOT?

A member commented:   Security is constantly evolving. When someone invents some new security feature/protocol/device someone else quickly breaks it.

A member commented:  IOT is the Wild West. But there are very few Sheriffs!

A member commented:   Like Cyber Security, IoT is still evolving

---

Missed the Talk?

The YouTube recording of the Talk...

---

There were lots of thanks to Ilya for the talk.
