Peeling the Layers of Security for IoT Applications
Formal Metadata
Number of Parts | 17
License | CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers | 10.5446/50520 (DOI)
Transcript: English (auto-generated)
00:07
A little bit schizophrenic session this, with a lot of topics, very broad, spanning a lot of different flavours, I guess. So I'm going to talk a little bit about security in IoT applications.
00:25
I'm going to take a little bit of a different angle to it than the hacking of a rifle. I'm going to talk a little bit about the biggest pitfalls to avoid when you make an IoT application.
00:41
So let's see. So why am I showing you this slide of sheep? Well and a lot of them actually. What typically happens when you get too many sheep on the field, the grass turns
01:02
brown and actually no one is able to get any grass. And this is a principle actually coming from economics called the tragedy of the commons. It was phrased in 1833 and the whole point was that there were these public pastures
01:22
in England and anyone could just unleash, I think it was actually cows in the original thesis, anyone could just unleash their cows, the grass there. And everyone did. And of course the grass was overeaten and died and then no one could actually feed
01:45
their animals there. And I would claim that this is a little bit the same situation that security in the internet of things is facing today. So there is this big race to be first, to really innovate fast.
02:01
And it's complex applications. So companies are really competing to be first and there is a cost, there is a cost to implementing this properly and securely and therefore no one is properly incentivized to secure their
02:20
applications. But one of the big challenges is, as I will argue a little bit later, is that in fact if the grass, if we overfeed, if the actions of every player here can end up damaging IoT for everyone, it's really the situation where no one is incentivized to take the
02:46
responsibility and the accumulated effect of that can actually be negative for everyone. So before I really drop into it, I realized that I could show a video, even though I
03:01
told this guy that I wouldn't, so let's see if it works, to kind of introduce myself a little bit. So let's see, okay, I don't have sound, do I need to put in, okay, let me just
03:24
skip this slide. Okay, so this is me, this is a younger version of me, not as much grey hair. What you actually saw there was Kveldsnytt some years ago. So I was a part of a team that hacked this exotic security technology called quantum cryptography.
03:43
And this was really a chicken that turned into a whole pen or egg or a feather that turned into a chicken. So this is how it looked. This is a security system that's only used, mostly used by defense, like military
04:05
organizations. Some of the banks, most secure banks in the world use it and no one will admit that they use it because they believe in the security by not saying what they use. And this is in a lab in Geneva, I had gotten access to this system through the
04:22
Swiss Army and the news headline was, when Einar Lunde introduced it, it was like Norwegian scientist hacked Pentagon. So that was a nice lesson learned about how media will spin things. And so I have a background as a quantum hacker, I like to say.
04:45
And we got a lot of press, French, I hope, I believe this is about this story, but it's not easy to say. And so what really happened there? What's the timeline?
05:01
Okay, so if you look kind of at the timeline of quantum cryptography, this technology, I will not dig into the details of how it works, but just the principle was established in 1984. That was the first paper that kind of told you that you can do security systems this way.
05:21
In about sometimes in the 80s, the first prototype came, you will get different answers depending on which research team you ask of when it happened, because everyone will claim they were the first. And then early 2000s, the first companies were established. And then in 2010, the first major hack, this was the hack I was a part of doing,
05:44
was published. And then I could ask, how can this happen? This is a security system. And I will say that there are two major things that went on. It was a race to be the first to release these kind of systems to the market.
06:05
It was this classic situation where it was about trying to be there first, not necessarily being completely secure, because if you went bankrupt in the meantime because someone else outraced you, then it doesn't matter. The other thing is that I would say it's incompatible to be an engineer building
06:24
a system and be someone who is able to test the security of the system at the same time, because the engineer will debug, will try to make it work. This is complex things. This is single photons, single light particles, dark fibers, a lot of optics,
06:40
a lot of electronics, FJS is a complex system. So the engineer will try to make it work and will try to prove that it works. It's debugging. When something doesn't work, you will just try to fix it. Whereas the hacker thinks, how can I exploit this? And these are incompatible thoughts to have within a single person or even within a single team is my claim.
07:01
But what really is interesting is that today the markets are not yet recovered from the publication of these hacks. So these companies still are below the revenue projection that they believed would be the case.
07:20
So then let's talk about IoT. Well, we can debate the term is a little bit used a lot these days in a lot of different contexts, but I would say that about mid 90s, the concept was established, well established, and then early 2000s, I wouldn't call it prototypes, but at least some products,
07:41
LG launched a fridge, I think in 2001, that could read the barcode of everything you put in it, and then it could tell you, yeah, you need to make lasagna because you already have all the ingredients and they are about to expire. And it flopped major, I think it was $20,000 and it flopped
08:02
gigantically around 2000. But now I would say there are a lot of successful IoT companies. You have Fitbit, you have the wearables, you have Nest that has been discussed, et cetera. And as such, we are in this situation where I put a question mark, big publications of security issues, in my opinion, can even at least
08:23
temporarily or permanently reduce the benefit and the value we can get from IoT. And that's a serious situation because why, what's really the value of IoT? I mean, one thing could be to start a company and make a lot of money,
08:41
et cetera, et cetera. But it's really about making our lives easier. We don't want to mow the lawn. We want the robot to do that so we can play around with our kids. We don't want to be programming our thermostat. We want to know it so we can spend more time doing,
09:01
living our lives and living out our potential, creating more value. And you can almost debate if we are already at the state where these publications are happening. So since we're in Norway, I can talk about hacks for a long time.
09:23
But since we're in Norway, I took a Norwegian one. It was also mentioned in the previous talk. So this is a Norwegian security expert, Marie Moe, and she has a pacemaker. And she realized it was possible to hack her pacemaker.
09:41
And you could say, why would anyone do that? Well, a lot of people ask me, why does anyone sit down and hack a medical device? And the answer is, well, it's when they get, when a security expert has to rely on the medical device. That's typically when they get hacked because they freak out. I read this paper about this security expert who had tested a lot of medical devices
10:03
and got admitted to a hospital, and he woke up from narcosis and just looked around. He was like, shit, I hacked that one, I hacked that one, I hacked that one. And I freaked out and wanted to rip out all the cards. There haven't been any real issues with this because there isn't a lot of money in it.
10:24
So that's kind of typically the hacks happen for publicity because your life relies on it or for money. An interesting note is that Dick Cheney has a pacemaker as well. And then they actually removed the connectivity, the remote connectivity from that
10:40
because they were afraid that someone would hack it and kill him. Privacy, I want to talk a little bit about privacy because security is one thing in the IoT, but privacy is another one. Perhaps the reason for my question in the former talk. So this is a headline some years ago.
11:04
There was this baby monitor that suddenly was talking to a child. So a lot of people that I talk to, we have our phones and Google knows more about me than I know, LinkedIn knows more about me than I know myself. And a lot of people that I know say privacy is dead.
11:21
I don't care. I don't have anything to hide. Well, there is this nice quote by a Norwegian professor who typically says, when I go to the bathroom to do my business, I close the door, not because I have something to hide, but because I like privacy. And I think privacy is not dead.
11:40
I think this is, as this example shows as well, that the final debate around privacy has not been taken yet. We might end up in a 1984 scenario, but there are a lot of forces in the industry at this point that at least want to establish the technology to avoid that happening.
12:06
The good news is that the governments are starting to realize that something is happening. So this is from February 23rd. It's pretty recent. And this is ASUS. This is a company that makes gateways and routers. Probably a lot of you people have ASUS routers at home.
12:23
And the FTC, the Federal Trade Commission in the US, are starting to sue companies if they don't secure their devices properly. Meaning, this is ASUS managed to take this deal with the US government
12:42
and then now they have to do security audits for the next 10 years to avoid having to pay a lot of money, I don't know. But at least this was kind of a shout-out to the Internet of Things industry, saying that if you don't secure your devices properly, we are going to sue you and we are going to drag you to court.
13:03
Okay, why is IoT security different from cybersecurity? I would say, well, the attack surface is increased. So the traditional, because, I mean, the cybersecurity scene has been around for a long time,
13:21
but typically that has been someone attacking your computer or attacking a server somewhere, and it's through that TCP connection or through the Internet connection. What's happening now is that it starts to look like this. So you have your app and you have the cloud and then you have a router and then the phone talks directly to the router
13:40
and then you have a network of devices that talk to each other and perhaps some of them coordinate and pass traffic along in a mesh network. So the attack surface has become much bigger. From the hacker that sees remote and just knows that he's talking to a computer, you can talk about people driving up to your house
14:01
and try to talk directly to these devices or hack the router, or it's become much more complex. Accessibility to hardware is something that's changed, and in a sense you can say that it hasn't changed. People have always been able to access the hardware, but what has changed is that when I buy the phone or a wearable,
14:25
the company that sold that to me owns it. I cannot flash it with what I, okay, I can root my phone, but in most cases you cannot update the software on the device. So from the situation with the computer where you could assume that the user could do anything,
14:44
you're in a situation where you have a smart thermostat and the company that made that smart thermostat doesn't want you to tamper with it. But it's sitting in your home, so you can crack it open, you can start to probe, you can buy a rifle and crack it open, start to probe.
15:02
So accessibility to the hardware has changed. And limited processing power. So when you have a thermostat or when you have a light bulb even, it's not a full computer, so you can't install antivirus and have processes that are monitoring what's going on. So it's a little bit different game.
15:22
But the technology is here. I would claim that it's not like a lot of innovation is needed to make the IoT secure. It's more about using the technology that already exists. Okay, so I'm going to go through a few pitfalls in the IoT application.
15:44
So it's not like if you do all of these things, your application will be secure. But if you do all of these things, at least you avoid the biggest pitfalls as I see it. So the time it takes to break into your device increases from weeks to months to years, hopefully.
16:02
So first you need to secure the hardware layer. So this is a debug dongle. And actually it's fascinating because a lot of the talks, I would claim that Black Hat and these conferences are turning into the Darwin Awards of security. Because it's really like, oh, we came to this chip and then we figured out we need to,
16:25
it's encrypted or there is some encryption key in there. Well, we attached a debug dongle and hey, we could access all the memory. So it's not about, it's often close to the Darwin Awards.
16:40
So on the hardware side, I would say use devices with embedded flash if you can choose. Or use devices that are able to store the keys inside the device itself. Don't store the keys or credentials on an external EEPROM or some external memory. Because then that will be attacked. Compartmentalize the embedded software,
17:01
meaning that you should make sure that if one part of your software is compromised, say a driver, perhaps you're using third-party software, can you trust it? You don't know. So compartmentalize it, make sure that that software, all software doesn't have system-wide access to everything.
17:23
And then the third, lock the debug interface. And this is kind of, to me, is very frustrating because this is a trivial technology. Almost all, if you're using a device that cannot lock the debug interface, use a different device. Basically you shouldn't be using it, but it's trivial technology. And still a lot of security loopholes exist this way.
17:44
If you need a way to unlock, you should do that in an authenticated manner. So use proper authentication to unlock and open the debug interface. A lot of times you see that you can just ground a pin, or power a pin, and suddenly the debug interface is open.
18:01
That's not proper reopening the debug interface. The communication layer. So typically your device has to communicate. So first, put on security and the protocols early in the development phase. Security is not a feature you can put on at the end. I've heard too many instances of people saying that,
18:23
yeah, we figured we needed to use security, but it didn't work right away, so we decided we'd put it on later. And then they get up one week before release, they turn it on, and it doesn't work, and say, okay, we have to release. And then boom, it's out.
18:43
Use secure wired communication interfaces as if they were wireless. A lot of people think that, okay, because it's traces on the PCB, it can't be attacked. That's not true. The attackers will always just search for different entry points,
19:00
and this is one of the entry points they obviously always look at, as we also saw from the previous talk. And I would say use devices that contain hardware accelerators. This is because the end node is limited, so use devices that have AES engines, or have ECC crypto engines on board,
19:21
such that you don't drain all your battery power on doing these cryptographic operations. Okay, and then to the application layer. So this is a word cloud of the most common passwords. And again, I would say Black Hat is turning into these Darwin Awards.
19:42
So typically, how many here heard about this Jeep hack, where they drove a Jeep remotely, controlled it and drove it into the ditch? I see some people raising hands. And many of these examples happened there. So they came to a chip, and it's like, okay, the security key is in here.
20:02
And it's like, connected to the debugger, boom, oh, it's open. I can just read it out. And then they came to a password interface and said, okay, let me try password. Oy, it works. Done. So never use static passwords or keys that are hard-coded into the device.
20:23
Always make sure that they can be changed. And don't permit the most common passwords. Don't permit password as a password. One, two, three, four, five. Hackers will try that. The most common password lists are online, and you can just feed them to a tool that will just brute force and try all of them.
20:45
And then always force the user to change passwords or key. So when you have a home router, a new home router, a new IoT device, it shouldn't let you do anything with it before you change the password to a password that's not on the most common password list.
21:06
Okay, final thoughts. The technology is here, so it's possible to secure the IoT with the technology that is here. So there are no excuses as such. And be a good citizen. Make sure that when you make IoT applications, actually secure them.
21:24
Because the bad press that can come from these hacks is hurting the entire industry. It's not only affecting a single company. When my mother hears that a Jeep can be remote controlled, she says, I will never buy a car with a remote interface.
21:42
I guess in some years she doesn't have an option anymore. But this can really slow down the adoption of IoT. And then finally, security is a process. It's not a feature that you can put on at the end. It's something you have to think about throughout the design phase.
22:01
And you should really have someone. And if you don't have someone in-house, hire someone to think as a hacker. And really try to test the security of your application. Thank you.
22:26
Questions? Yes. Thank you.
23:11
So first question is, if I understand it correctly, it's like if one device gets hacked, does it scale? Can the person hack everything else?
23:26
I would claim that that's already happening. So to a large extent, for instance, as one example, WEP, WEP encryption of your wireless network at home. That went from getting hacked to now scripts to now I can just download Aircrack and just use it as a script kiddie.
23:48
I don't need to understand what's going on at all. So typically this happens. And typically this also happens a little bit because the researchers want to state the seriousness. Because what typically happens, and it actually happened to me as well when we published these results.
24:04
Is that you call the company, I call the CEO and said, hey, we hacked your system. And he said, I don't believe you. I said, well, we actually did. And we made a report I can send you and then you can close it. How do you want it sent? Do you want me to send it as attachment?
24:21
Do you want it in the mail? What are you comfortable with? Whatever you like, send it as attachment because I don't believe you hacked the system. And then, of course, sometimes publicity is all that matters and then making it easy enough. And then to your second question, I would say that that's also hackers are lazy.
24:42
So they have already automated all they can. So I would say, in a sense, there are already tools that will act as a robot and test everything it can. I think there is a barrier when it comes to hardware. At the point when you have to open hardware and start connecting, that's when robots will probably fail, in my opinion.
25:07
At least it will take a long time. It's a valid question. I recently attended a talk with Eugene Kaspersky, who is of Kaspersky Labs.
25:20
And his focus was really on terrorism, cyber terrorism. And one of the things I didn't mention, one example is that if you can hack a lot of smart thermostats and take control of them, and you can turn on the power, the heating in a lot of houses at the same time, typically the power grid fails.
25:43
So this is, in some sense, a question of national security. And I think there is definitely a lot going on there. But I don't know if I see, I don't believe that there will be an actual war in the sense that, hey, Sweden takes out Norway's Trondheim's power grid.
26:01
Okay, we malfunction some hydro plants and then back and forth. I don't think that's how it will act out. Okay, thank you.