Things Gone Wild: When Your Devices Behave Badly

© 2014 IBM Corporation

How long can we continue to place trust in the everyday devices we rely on? In an age of growing connectedness for everything from manufacturing robots to toothbrushes, the Internet of Things has the potential to morph from a helpful productivity enhancer into a cover for malicious infiltration of your home and office. Learn how makers can build secure "things" and the security controls operators can implement. We'll present a simple model for assessing threats to the IoT ecosystem relevant to your industry and products. Security practitioners will learn how to be effective early adopters, without being victims of "things". View the full on-demand webcast: https://www2.gotomeeting.com/register/481316034

Transcript of Things Gone Wild: When Your Devices Behave Badly

Page 1: Things Gone Wild: When Your Devices Behave Badly

© 2012 IBM Corporation

IBM Security Systems

Things Gone Wild: When Your Devices Behave Badly

Page 2: Things Gone Wild: When Your Devices Behave Badly

“Things” hacker

Page 3: Things Gone Wild: When Your Devices Behave Badly

This is the “maker” corner of my office

Page 4: Things Gone Wild: When Your Devices Behave Badly

A man is stuck in traffic on his way to work.

Page 5: Things Gone Wild: When Your Devices Behave Badly

His mind wanders: did I leave the fridge open?

Page 6: Things Gone Wild: When Your Devices Behave Badly

He pulls his smart phone out.

Page 7: Things Gone Wild: When Your Devices Behave Badly

The man taps an app on his smart phone labeled “Home Automation”.

Page 10: Things Gone Wild: When Your Devices Behave Badly

Everything is fine at home.

The man rolls his eyes and grins at his own obsessive concern.

Page 11: Things Gone Wild: When Your Devices Behave Badly

But in reality, someone has hacked his home area network.

The refrigerator is spewing ice cubes…

Page 12: Things Gone Wild: When Your Devices Behave Badly

The dishwasher is overflowing…

Page 13: Things Gone Wild: When Your Devices Behave Badly

The toaster is aflame while the ZoomBot bumps the counter, sending the toaster toward the curtains.

Page 14: Things Gone Wild: When Your Devices Behave Badly

© 2013 IBM Corporation

IBM X-Force is the foundation for advanced security and threat research across the IBM Security Framework.

Page 15: Things Gone Wild: When Your Devices Behave Badly

IBM X-Force® Research and Development

• Vulnerability Protection
• IP Reputation
• Anti-Spam
• Malware Analysis
• Web Application Control
• URL / Web Filtering
• Zero-day Research

The IBM X-Force Mission

• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter

Expert analysis and data sharing on the global threat landscape

Page 16: Things Gone Wild: When Your Devices Behave Badly

Coverage

• 20,000+ devices under contract
• 15B+ events managed per day
• 133 monitored countries (MSS)
• 1,000+ security related patents
• 100M+ customers protected from fraudulent transactions

Depth

• 25B analyzed web pages & images
• 12M spam & phishing attacks daily
• 86K documented vulnerabilities
• 860K malicious IP addresses
• Millions of unique malware samples

IBM X-Force monitors and analyzes the changing threat landscape.

Page 17: Things Gone Wild: When Your Devices Behave Badly

The Internet of Things (IoT): a revolution is occurring just like Cloud, Mobile, Social & Analytics

The Internet of Things will represent 30 billion connected “things” by 2020, growing from 9.9 billion in 2013.¹

These connected "things" are largely driven by intelligent systems, all collecting and transmitting data.

Source: IDC, “Worldwide and Regional Internet of Things 2014-2020 Forecast Update by Technology Split”

Page 18: Things Gone Wild: When Your Devices Behave Badly

Smart Homes

Page 19: Things Gone Wild: When Your Devices Behave Badly

Smart Energy / Smart Meters (AMI)

Page 20: Things Gone Wild: When Your Devices Behave Badly

Side Channel Security Information

Monitor usage and determine:

• When the fridge runs its defrost cycle
• When the coffee maker kicks on
• When you run your electric razor
• What you’re watching on TV

To some extent, this can be done now.

Smart meters give much more granular information.

Source: http://www.h-online.com/security/news/item/Smart-meters-reveal-TV-viewing-habits-1346385.html

Page 21: Things Gone Wild: When Your Devices Behave Badly

Smart Meter Event Monitoring

• Reverse Rotation Detected
• Inversion tamper
• Removal Tamper
• Power Outage / Restoration
• Remote Disconnect / Reconnect Failure / Success
• RF Transceiver Reset
• New device joined HAN
• Configuration Changed
• Firmware Change Complete
• Replay Attack

Page 22: Things Gone Wild: When Your Devices Behave Badly

Industrial Control / SCADA Systems

Most SCADA systems are to IoT what flip phones are to mobile.

Page 23: Things Gone Wild: When Your Devices Behave Badly

Smart Cities / Smart Buildings

• Traffic / transport
• Utilities / energy
• Telecommunications
• Public safety
• HVAC systems
• Occupancy
• Elevators/escalators

Page 24: Things Gone Wild: When Your Devices Behave Badly

Smarter Prisons?

Page 25: Things Gone Wild: When Your Devices Behave Badly

Wearables

Page 26: Things Gone Wild: When Your Devices Behave Badly

Medical Devices

Page 27: Things Gone Wild: When Your Devices Behave Badly

Biohacking

How are you going to control this type of BYOD?

Page 28: Things Gone Wild: When Your Devices Behave Badly

The instrumented vehicle; automobile threat surface

• Engine Control Unit
• Transmission Control Unit
• Airbag Control Unit
• Anti-lock Braking System
• Tire Pressure Monitor
• Vehicle to Vehicle Communications
• Instrument Cluster / Telematics
• Keyless Entry / Anti-theft
• OBD-II
• Car Multimedia
• Dynamic Stability Control

Page 30: Things Gone Wild: When Your Devices Behave Badly

The IBM model for the Internet of Things

At IBM, we’ve created a model of the IoT that’s useful for understanding the security threats at various data flow and control transition points.

Page 31: Things Gone Wild: When Your Devices Behave Badly

Home automation systems are driving comfort and security enhancements.

Includes technologies like:

• Smart appliances
• Lighting and sound systems
• Televisions
• Thermostats
• Smoke detectors and alarm systems
• Garage doors and door locks

Connected via:

• Local home network, which is often wireless, and then connected to the Internet via a service provider
• Security systems may also have a secondary connection using a mobile network

Available from:

• Service providers or utilities providing home automation services
• Hobbyists can build their solutions, bypassing the cloud layer, opting instead to connect to their home area network directly from a mobile device or computer.

Page 32: Things Gone Wild: When Your Devices Behave Badly

Connected vehicles can enhance both safety and control for drivers.

Includes technologies like:

• Emergency assistance
• Remote telemetry reporting, such as speed, location and engine temp
• Remote start
• Remote cabin climate control

Connected via:

• The local network is a controller area network (CAN), to which the electronic control units (ECUs) for brakes, engine, power windows and other components connect.
• Global network is a mobile carrier
• Cloud service is often the auto manufacturer’s network, to which the car identifies itself and is authenticated with an app on a mobile device.

Available from:

• Automobile manufacturers

Page 33: Things Gone Wild: When Your Devices Behave Badly

Industrial control and SCADA systems vary wildly by industry, age, and use.

Includes technologies like:

• HVAC systems
• Access control systems
• Energy consumption
• Infrastructure processes like water treatment, oil and gas pipelines, and electrical power transmission and distribution systems

Connected via:

• Older SCADA systems can be controlled over a dial-up line by an operator console segmented from the rest of the network, with no Internet connectivity or ability to control the system from outside the factory network.
• Newer industrial control systems are built on a general-purpose OS, designed to connect to an IP network.

Available from:

• Legacy designs embedded in factories
• Industrial control service providers

Page 34: Things Gone Wild: When Your Devices Behave Badly

Smart meters are driving the convergence of operational technology and traditional IT networks.

Includes technologies like:

• Electric, natural gas, or water meters
• Alternative fuels like solar energy and wind power
• Locally sourced microgrids, which generate, distribute, and regulate the flow of electricity to consumers in a small geographic area

Connected via:

• Connection from meter to energy provider’s cloud using communication methods like cell and pager networks, satellite, licensed radio, combination licensed and unlicensed radio, or power line communication
• Analyzed telemetry is provided to billing systems and available to customers through a web portal or mobile app

Available from:

• Electric utilities
• Municipalities

Page 35: Things Gone Wild: When Your Devices Behave Badly

Implantable medical devices are improving levels of patient care.

Includes technologies like:

• Pacemakers and cardioverter defibrillators
• Cochlear implants
• Insulin pumps
• Camera capsules
• Neuromonitoring systems

Connected via:

• Current connectivity is provided over radio frequency to specialized control devices and is limited in range
• There is pressure to widen connectivity so patients would have access to their data over patient portals, with the entire ecosystem of healthcare providers and insurers accessing a unified view of patient care information

Available from:

• Medical device manufacturers

Page 36: Things Gone Wild: When Your Devices Behave Badly

The Internet of Things brings a range of threats and attack vectors.

Threat vectors

• Web application vulnerabilities
• Exploits
• Man in the middle
• Password attacks
• Information gathering / data leakage / eavesdropping
• Rogue clients

Backdoor access to a building maintenance program was used to access floor plans for a business.

Using a CD playing MP3 files in a car’s audio system, researchers were able to access all the ECUs in the vehicle, and disable brake functions while the car was travelling at 40 mph.

Network-connected lighting was compromised to access local Wi-Fi network passwords.

Page 37: Things Gone Wild: When Your Devices Behave Badly

Each layer in the Internet of Things is susceptible to a variety of attack vectors.

A. Password attacks
B. Web application vulnerabilities
C. Rogue clients / malicious firmware
D. Man in the middle attacks
E. Information gathering / data leakage / eavesdropping
F. Command injection and data corruption

[Diagram: the layers Things, Local network, Global network, Cloud service and Controlling device, each marked with letters from the list above.]

Page 38: Things Gone Wild: When Your Devices Behave Badly

IoT exposes varying threat surfaces, and requires security specific to each category of device.

Hardware manufacturers need strategies specific to each category of device:

• A secure operating system with trusted firmware guarantees
• A unique identifier
• Strong authentication and access control
• Data privacy protection
• Strong application security

Page 39: Things Gone Wild: When Your Devices Behave Badly

IBM recommends manufacturers adhere to a set of best practices to address the security challenges of the IoT.

• Follow the Open Web Application Security Project (OWASP) IoT Top 10 practices.
• Build a secure design and development practice
• Perform regular penetration testing on products
• Follow industry guidance, such as the IBM Automotive Security Point of View.

Page 41: Things Gone Wild: When Your Devices Behave Badly

Connect with IBM X-Force Research & Development

Find more on SecurityIntelligence.com

• IBM X-Force Threat Intelligence Reports and Research: http://www.ibm.com/security/xforce/
• Twitter: @ibmsecurity and @ibmxforce
• IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force

Page 42: Things Gone Wild: When Your Devices Behave Badly

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
