Security Nightmare of IoT Devices

Scott Wu, CEO, NewSky Security

Richard Yim, VP Product Management, People Power Company

1. Background

2. Threat Events

3. Proposed Solution

4. Case Study

500 IoT Devices in Homes 202016 billion IoT devices in 2016, 30% higher than 2015

The Enterprise Security Nightmare

IoT => Hackers 2.0

• 28 billion IoT devices by 2020

• $1.9 trillion IoT annual revenue

Enterprise Breach Costs

• 67% enterprise (known) attacked

• $12.8M cost per incident response

11 Billion

28 Billion

0

5,000

10,000

15,000

20,000

25,000

30,000

2014 2020

IoT Future

Today with the People Power IoT Suite we’re helping deliver, manage and monetizesmart home services for Security, Energy and Care, in ways never before possible.

ManageDeployConnect Engage Learn

The People Power IoT Suite

A comprehensive IoT software solutionfor service providers and manufacturers.

Sources: NewSky Research Lab

Smart TV: Ransomware

Smart watch: Bitcoin Mining

Smart Car: OBDII Sniffing

Costco Payment: Breaking QR Code

AVAR Paper

NewSky Red Team Broke Into IoT Devices

Why Anti-Malware fails for IoT infrastructure?

Why Firewals fail for IoT infrastructure?

1. Background

2. Threat Events

3. Proposed Solution

4. Case Study

Recent IoT Attack Incidents - Dyn DDoS

• Many Fortune 500 companies went offline

• Botnet of 360K infected IoT devices

360,000 IoT zombies in Dyn

attack

384 million IoT zombies in the wild!

IoT zombies grow to 1.7 billion in 2020!

Recent IoT Attack Incidents - Growing Botnet

WannaCry Ransomware – Kill KillSwitch!!!???

● 200k Windows computers infected in 48 hours● First “wormy” ransomware [ MS17-010]● Accidental hero triggered Killswitch

Mirai IoT botnet: DDoS Killswitch!

● Vuln of Atmel’s ZLL Touchlink protocol

● Attack simultaneously on all lamps within range

● Enables attacker to turn all the city lights on or off.

Philips Hue – City Scale Chain Reaction Attack

Video

Smart Meter Hack à national power network

● Denial of Service (DoS) via communication racing

● Denial of Service (DoS) via battery drain of the key fob

● Hijack and Control

Kevo Smart Lock – Unauthorized access to buildings

“How to Hack a Bluetooth Lock”

Hacking IoT Devices has become a hobby for some

CVE-2016-10115 : Netgear Arlo WebcamFactory Default: 12345678

DISASSEMBLED /BIN/VZDAEMON

CVE-2016-10115 : Netgear Arlo WebcamFactory Default: 12345678

• Video Replay: break in when owner not home

• Video Spoofing: Feed fake video

CVE-2016-10115 : Netgear Arlo WebcamFactory Default: 12345678

• Factory set password scheme• “adjective” + “noun” + “a 3 digit number”

• Our 3 test webcams• misty lake 940

uneven sparrow 969lucky sky 878

CVE-2016-10116 : Netgear Arlo WebcamCode Cracking with GPU

• $150 GPU AMD Radeon R9 390

• 2.5 hours to crack “mistylake940”

• Targeted attack!

CVE-2016-10116 : Netgear Arlo WebcamCode Cracking with GPU

1. Background

2. Threat Events

3. Proposed Solution

4. Case Study

AI Based IoT Security Framework

Proposing AI based IOT Intrusion Protection

Demo Video

1. Background

2. Threat Events

3. Proposed Solution

4. Case Study

Home security &

energythat learns

Smart home solutions at are simple to setup, easy to expand, with AI bots and voice control bringing “peace of mind” to end users and service providers

IoT Case Study: Smart Home SolutionsRisks:

● Utility Service Providers exploring digital transformation - Smart Homes● Huge amounts of data, 90% processed locally with Intelligent Bots● Data, identify theft or falsification, device manipulation, IP theft

Pain Points:● Network edge will be target for attacks● Utility clients demand thorough security hardening, and quarterly

assessment on its Smart Home IoT kits (SLA)● New devices, new threats become an “IT Security Battlefield”

How The Industry needs to address pain points:● IoT security assessment including device-cloud-mobile subsystems● Next generation IoT Gateways, together with robust, enterprise-class

security to ensure Service Providers protect their customers and brand

Cloud-Network Security (AI-Bots)

People PowerIoT Suite

Our device APIs support

Files, Video, and Data.

HTTPS, WSS, MQTTRTSP, RTMPS.

Near-instantaneous synchronization.

We create software for gateways. We operate on several gateways / routers today and open source some of this technology.

802.11 (Wi-Fi) Radios / Ethernet / IP

• RCS Thermostats• Radio Thermostat of America

802.15.4 Radios (ZigBee, Thread)

• Centralite Pearl Thermostat

Honeywell

Sensibo

Weather.com

CloudAI

NewSkyIoT Security

AmazonAlexa

Cloud to Cloud Direct Integration

Only cloud based system can segment, isolate and prevent IoT Malware propagations

Iot innovations are great but….

Secure IoT Traffic is Key

+ Demand Response

+ Jiggle Elimination

+ Learning Algorithms

+ Cybercrime Sensing

PeoplePowerCompanyWebringAItoIoTservices

Q & AN

NewSkySecuritySecureeverydevice

For utilities, telecom and cable providers;Providing new recurring revenues and reduced churn.

scottwu@newskysecurity.com richard@peoplepower.com

THE HAGUE (AFP) - An 11-year-old "cyber ninja" stunned an audience of security experts on Tuesday by hacking into their bluetooth devices to manipulate a teddy bear and show how interconnected smart toys "can be weaponised".

PUBLISHEDMAY 18, 2017, 8:49 AM