All the Internet of Things – Episode 5: The S in IoT is for Security

Captions
[Music] Hello and welcome to episode 5 of Adafruit and Digi-Key's All the Internet of Things, a six-part series that covers everything you need to know about IoT. This video series has built up from the basics to more advanced topics as we take you through the journey of IoT best practices. In previous episodes we've discussed the transports, protocols and services you need to craft your IoT functionality. We've also shown off working example code for sending and receiving data with MQTT versus REST, and when to use Wi-Fi, Ethernet, cellular or Bluetooth, so that you can start making the right decisions for which transports and protocols to use. So you'd think that you have everything you need to design and manufacture your IoT product, right? Whoa, that wasn't supposed to happen! But it does demonstrate the most important but often forgotten element of IoT design and, perhaps not coincidentally, what we'll be discussing in this episode: security. [Music]

The running joke is that the S in IoT stands for security, because it's never there. But safety and security are something you will need to think about at all steps of your design process. There's going to be billions of IoT devices online around the world, many of which will be connected to the Internet, and almost all of them will be unmonitored. A 2015 survey by authentication service provider Auth0 found that 85 percent of IoT developers admitted to being pressured to get a product to market before adequate security could be implemented. And as an engineer you're probably used to that pressure to get a part to market, which means selling features often get more attention than security. With more and more of these connected devices being rushed to market, they've become a lucrative target. The 2016 Mirai botnet attack used unsecured CCTV cameras that were connected to the Internet to launch a crippling denial of service attack. That hack wasn't even using the cameras to spy on people; it was just using the TCP/IP stack of the embedded Linux
device to send lots of junk traffic. And we're not even getting into the hacks that could really threaten human safety, like remote-controlled ovens or self-driving cars. So while it might not seem like a big deal when you have an unsophisticated IoT device that has maybe just a temperature sensor and a modem, that device can be used as a launching point for a coordinated attack platform. And if you do have sensors like cameras or microphones, those could be remotely enabled and turned into listening spy devices. Having security as a priority for your engineering and working team will not just help you sleep well at night. As we've seen with the European GDPR regulations, privacy and security are being legislated; having poor security will now get you fined or banned in the marketplace. It's nearly impossible to add security after the fact, so if you want to avoid a devastating recall, listen up and take security seriously now.

Before we start looking at attack and defense mechanisms, let's talk about why your hardware might get hacked. Knowing what people want to do with your hard work will give you a sense of the actors involved and their motivations. Why would anyone want to hack your hardware? When we talk about hacking your hardware, we mean unauthorized access and use of the device and data within it. That doesn't necessarily mean repurposing or improving it. After all, we're makers here at Adafruit, and modifying off-the-shelf hardware is an engineer's favorite pastime. So, for example, recycling a Bluetooth step counter into a doggie activity tracker, it's not hacking, but being able to access, read and modify that same step counter data without permission from the owner would be.

For IoT devices that connect to the internet, there are a few common reasons we see for compromising hardware. The first common type of hack is creating a DDoS botnet, that is, for distributed denial of service attacks. DDoS attacks use several or even thousands of compromised or co-opted computers, also known as
bots, to inundate an online service with coordinated data requests, which overwhelm the target and take it offline. This can be used as part of a revenge scheme to punish a competitor, or as a protection racket to demand money in exchange for calling off the attack. And it's popular because there's plenty of software packages to manage botnets, and that means it doesn't require a lot of skill to do. As we mentioned earlier, the infamous Mirai malware infected thousands of IoT camera devices to turn them into a launch platform for DDoS attacks. By automatically hacking into and taking over insecure IoT devices, the Mirai virus quickly spread through thousands of cameras connected to the internet, turning them into bots, and then sometime later those bots were wielded in the DDoS attack. Botnet-infected devices will have degraded performance but are very hard to detect if you don't know what to look for.

And with the proliferation of cryptocurrency, some botnets are being turned into crypto farms, where your device is used to mine virtual cash. So far this has been happening with hacked servers and desktop computers, but we'll see this more and more as IoT devices become more powerful. Some single board computers are now nearly desktop speed, and if you're controlling thousands of them it can add up. We suppose it's better than attacking a third party, but that hashing software will make your device slow down, and that could cause support issues when your customers are disappointed with the performance of your IoT product.

Botnet hacks are extremely common, but you'll also see hacks that attempt to steal personal data, especially passwords and payment information. Without question, you should avoid having any way for your IoT device to interact with money, either sending or receiving, because that will make it a huge target. That goes extra if the money is untraceable, such as cryptocurrency, because it's so easy to launder. Storing and managing credit card data is so incredibly dangerous it's beyond
the scope of this video. Suffice to say that there are whole industries surrounding mandated PCI compliance; you will need to follow those rules if you want to process credit cards. Usernames and passwords, if they're extractable, are valuable on the black market. They're used to try and log into other services with reused or shared login info, where money or compute resources may be available. Finally, the user data, say how many steps they took per day or video from Wi-Fi cameras, may be used to harass or abuse your customers. These sorts of hacks are sometimes one-at-a-time exposures, where a customer is tricked into giving someone their password, but sometimes an entire back-end database will be downloaded, and having that data exposed will devastate your customers. Once your products are known as untrustworthy, it's extremely hard to regain that customer trust, so treat their data as if it was your own, which it kind of is. Let's take a look at the types of attacks that can be used to compromise IoT devices, so that we know what to defend against. [Music]

Sun Tzu wrote, "If you know the enemy and you know yourself, you need not fear the result of a hundred battles," and knowing what to defend against will let you prioritize your time and energy. Attacks are how your opponent will be trying to crack your security so they can gain control or extract information from your IoT device. Some attacks are easy to counter, some are extremely hard. How much time and money you spend will depend on what you're protecting and protecting against.

The most common type of attack is an automated login tool that will try to connect to every IP address on a network and log in using default passwords or common passwords. For example, if an IoT camera is connected to the open Internet and it has a default password login of admin/admin, that would be super easy to automate with a script. Every time a new IoT device is sold on the market with a default login, that's added to that hacking list so that the script will
try anything it can. These tools are incredibly effective because they can sweep through millions of IP addresses around the world while the hacker is sound asleep. Luckily, this attack is really easy to defend against, and you must spend the effort. Most obvious is just don't have a default password. Instead, have the password distributed with the product on a sticker, just like your Wi-Fi router has (you can guess who got bit by the security flaw after many years). Make sure the password is long enough and complex enough and cannot be guessed, and don't use public information in generating the password, like a MAC address.

A close relative to that attack is the automated vulnerability exploit tool. Say you have the bestest, longest password, but it turns out there's a flaw in the firmware or operating system you're running. That flaw can be exploited to allow an outsider access into the device even without a password. The good news is that these exploits are not very common if you've configured your IoT operating system well. The bad news is that when they do happen they can be catastrophic. There's no defense against them other than upgrading or patching the software, and there's no way to predict or protect against it. Even the most expensive and proprietary systems can have these flaws. In this case all you can do is take steps to minimize the risk and maximize the ability to repair. If at all possible, do not have a public-facing internet administration system. Disable SSH, FTP, telnet, web serving, as well as any other service you can do without. Run the latest operating systems, and have a way for users to update the firmware, or have an automatic update that can be fetched and installed by the system itself. If there's an app, have it remind the user to update constantly, and if possible have a way of contacting customers so you can let them know if there's an emergency upgrade. It's better to have it and not need it than need it and not have it.

The next most common set of attacks we'll group
together and call these the sniffing, spoofing, replay and man-in-the-middle group. Sniffing is the ability to listen in on the communications going on inside or through your device. Spoofing is being able to trick the device into trusting something it should not. Replay is sending data, often sniffed data, over again to the device; sometimes this lets the hacker repeat an event, sort of like spending the same quarter twice. Man-in-the-middle attacks are a little like a cross between sniffing and spoofing: you get in the middle of the device communications, shuffling data back and forth but modifying the data to suit the hacking needs. These techniques are often used together.

For example, let's say you have an IoT device with a login website. You've got a unique password, but you forgot to require encryption for the connection. Your customer logs into the device from the coffee shop across the street, and it turns out that the coffee shop's network has been hacked due to that default login password on the Wi-Fi router, and someone is listening to all that Wi-Fi traffic. They record the login and password for the IoT device and then they reuse it. That's a sniffing attack.

Or say you want to defend against the automated exploits class attacker, so you create an over-the-air firmware update service that will send updated firmware once a week. A hacker buys one of your devices and listens in to the network traffic during the firmware update and discovers you forgot to authenticate the connection. With some effort she's able to craft a custom firmware upgrade that creates a default login backdoor and deploys in an automated fashion across the internet, targeting every installation of the device for global domination. That's a spoofing attack.

That's not all the attacks you have to worry about. There's a long tail of many more ways to trick computer devices; after all, computers do whatever we ask without judgment. For some companies, especially ones with health, safety or money on the line, there's a lot of continuous
research needed to keep up to date with attack vectors and stay ahead. For most others, it's better to follow the best practices we'll outline than do nothing, and as your company and product succeeds you can invest more into improving the security, such as hiring specialists.

Something that you shouldn't focus all your time on is worrying about your hardware manufacturer modifying your design to add spy technology to the PCB. We're not saying it's impossible, just that while these sorts of attacks get a lot of attention, they are very expensive and time-consuming compared to the automated attack scripts that are your greatest risk. When you outsource your manufacture there are some risks involved. Your contract manufacturer is most likely to swap components on you, using lower quality or cloned components, or perhaps they'll sell off your IP to a competitor, rather than trying to modify your hardware. If you're the kind of company that has to seriously worry about state-level attackers with vast resources, you're also the kind of company that owns their own manufacturer or can afford to staff that CM with auditors. That said, after you go into manufacture it's not a bad idea to disassemble and inspect a few random boards from your fabrication run to catch quality and security issues, such as: are those unique passwords really unique? Have the firmware images cryptographically signed and authenticated, and then verify them post-manufacture by your in-house team or a trusted auditor. Of course, this isn't all the different ways you're going to get attacked, just some of the most common ones. So how do you learn to protect your design? [Music]

Attack surface reduction is a security principle that you can use to guide your choices when designing an IoT product or service. The attack surface of a hardware or software environment is all the different ways where an unauthorized user can try to insert or extract data. Keeping the attack surface as small as possible is a basic but necessary security
measure. With IoT there's two surfaces you'll have to contend with: the thing itself, say an internet-connected temperature sensor, and the service, whether that's Adafruit IO, Google Cloud or Microsoft Azure. Let's start with device security. Starting from the easiest first, here are a dozen or so guidelines for device security. Again, this isn't everything, but it's an excellent start.

Number one: require a login and password. This is number one because it's the bare minimum. Don't have an open network-accessible interface to your IoT device. You may think, "Oh, nobody's gonna guess the URL or the port number," but that's the first thing hackers will find out. Even if it's on an intranet, require some authentication.

Number two: don't have default logins and passwords. We mentioned this before, but it bears repeating because it's so common. Make sure your device has a unique, unguessable password by default.

Number three: two-factor authentication. In addition to a username and password, maybe have an SMS or time-based second factor. This will protect you even when the password is sniffed or stolen. Two-factor is free and pretty easy to implement these days; you no longer have to distribute a physical token, since everyone has a mobile phone.

Number four: require TLS/SSL. Whenever users or devices connect to the internet, whether over Wi-Fi or cellular, use the latest version of TLS, sometimes called SSL or HTTPS. TLS will encrypt all data between the device and the service, protecting both. This will greatly reduce your risk of sniffing. A few years ago microcontrollers were older and smaller and couldn't effectively run a TLS stack. Nowadays there's no excuse to skip it.

Number four and a half: authenticate host certificates. TLS is not just data encryption, it's also server authentication, so if you're using TLS make sure your device is checking the fingerprint or certificate chain of the server it's connecting to. We've seen some TLS implementations where it's possible to skip this, which makes man in the
middle attacks possible.

Number five: turn off any unused services. If you have an embedded Linux or RTOS for your device, make sure there are no services left on: file sharing, remote login, mail servers, etc. These days most of these services are not enabled by default, but check anyways. Sometimes they're left on during development and are forgotten when the firmware makes it to release.

Five and a half: don't accept any inbound connections at all. If you can, don't allow any way for outside parties to connect into the device. If you have a debugging port left open, that's just another surface that can be attacked.

Number six: require physical access for important configurations. We've seen some Wi-Fi cameras that can be controlled over the internet, but if you want to change the access point password you need to plug it into a computer and change this setting over USB. This reduces the surface that can be attacked by automated scripts.

Number seven: individualized, revocable authentication keys. In order for your device to connect to the service, it has some sort of authentication key or password. As you'll remember from earlier, make sure that you have a unique key or password for each device. Even if the user never sees these, you shouldn't reuse them. You'll also need to have a way to revoke or reinstate keys if they're lost, corrupted or stolen.

Number eight: data paranoia. Even though you may only be shuffling data from your IoT device to your IoT service, don't trust that data is well formatted. This is often forgotten in the rush to complete and ship firmware, but you should assume that attackers will try to send corrupted or malformed chunks of data to both sides of the connection to corrupt memory. Clean up any data fully. This will also keep your device running smoothly if the network connection is flaky.

Number nine: updatable firmware. Bootloaders are the best, and it's a good idea to have one on your device. There's many that can be write-only so that deployed firmware can't be
read back out. Being able to update firmware will help customers recover the device if it's bricked, hacked, or there's an important security update. We like USB bootloaders the best, or ones where you insert an SD card with a file. Having updatable firmware increases your attack surface a bit, because it gives another access point into your device, but we think that if someone has physical access they can connect a JTAG programmer to erase and reprogram it anyways.

Number ten: secure storage for authentication keys. Embedded Linux devices have a regular file system, and microcontrollers often store their code in flash memory, so if you're hard-coding authentication keys in flash or EEPROM, it can be read out. Yes, even if you have a chip that has firmware readback turned off, it's sometimes possible to glitch chips into revealing their secrets. Your microcontroller memory should not be considered a secure storage. Instead, you may want to consider using a secure element chip. These chips are designed to withstand common decapping and glitching attacks and can be programmed with your private key at the factory. Then that key never leaves the secure chip, so instead of having the key sit in microcontroller memory where it could be read out, data that needs to be authenticated or encrypted is sent back and forth through the IC. It's a little extra cost, but it's a nice way to keep the secrets in a lockbox.

Number eleven: over-the-air updates. This one is a little tricky. Not having over-the-air is risky, because then there's no way to send important security updates. On the other hand, having over-the-air is risky because it allows the attacker to completely take over the device if they hack it. We think over-the-air is a good idea, but you definitely need to combine it with the prior rules: firmware must be transmitted over an authenticated, encrypted connection. Having firmware be signed with public-key cryptography, if the private key is stored in the device, is a common idea, but be aware that private keys can and
do leak out, so that should not be the only way that you verify firmware is valid. We've also seen more than one company accidentally brick their devices with a mistaken over-the-air update; some even required a physical recall. So if you do have over-the-air updates, make sure you'll always have a way for physical access fallback.

Number twelve: have a security contact. This is last, but it's actually super easy. Make sure that your website has a policy and a way for folks to contact you if they think there's a security problem. There are lots of amateur and expert security researchers out there who are not only your customers but potential customers, and many eyes can make flaws obvious. Then those many eyes will let you know if they find a flaw. Don't let those emails go unread. Have someone who is an assigned security contact who will read and respond to any and all bug reports. Small gifts and rewards can encourage responsible disclosure and will motivate smart folks to help you out.

Next up: service security. Servers have been hacked since the first ones were put online, and there's a lot of information out there on best security practices. Many of the recommendations we made for devices still stand: require TLS, two-factor and strong passwords; scrub data to prevent buffer overflows or cross-site scripting attacks. There's a few more that relate specifically to IoT services.

Misconfigured or glitching devices can turn into unintentional mini denial of service attacks. If you get a device that is repeatedly sending your service bad data, make sure you have a way of throttling connectivity so that other customers don't get locked out. Contact or alert the customer to let them know about the misbehaving device.

Provide a device health dashboard. Things like power and bandwidth usage, when reported back to the service, can help you spot if devices have turned into Bitcoin miners. Of course, these reports could be manipulated if the device is completely taken over, so you shouldn't only rely
on them.

Help protect customers from compromised accounts. Developers will accidentally commit their authentication keys; it happens all the time. That's why we had that earlier guideline to allow easy key revocation. A favor you can do for your users is to watch GitHub, Pastebin and other code sharing services for credentials. Don't actually search for key values, of course; look for stuff like your service name and words like "password", "API" or "key".

Protect yourself from compromise. Look out for world-readable or misconfigured cloud storage buckets and servers, git repositories and web directories. And of course, for both your IoT device and service, if it has a web interface it should be protected against standard website hacking techniques like remote code execution, path traversal, cross-site request forgery and SQL injection. There's lots of scanning services you can run against the website, as well as on the code itself, to find the most egregious errors.

Use monitoring services on your own service. So meta! Hosting a service makes you an open target, and especially if you have a firmware deployment service, someone taking control of your site could not only take down your site but they could take control of all the devices too. So checking your daily storage, bandwidth and compute resource usage graphs is a good way to see if anything is amiss. [Music]

This video is fairly short compared to the decades of security research out there, so we aren't able to cover everything, just the big picture. But here's the most important thing to realize: IoT will never be completely secure. By definition, having something be electronic and networkable means it can be hacked, and if you're in business long enough your device will eventually have security flaws exposed. Now, it shouldn't happen too often, and hopefully it isn't something obvious, but there's just too much code in an IoT device for it to be completely bug free. Recognizing that you will never be 100% secure is that second half of Sun Tzu's quote
about knowing the enemy and knowing thyself, and that will guide you through your IoT product design. You should assume that your firmware will be decompiled and that your service database will be downloaded, so think about how you can minimize the impact of those events. Don't store plaintext data that, once released, is devastating. Don't write your own cryptographic functions that, once reverse-engineered, unravel your network's authentication scheme. If you have to store data securely, rely on experts at services that do it well. They can be partners and let you focus on the customer experience while taking care of security. And most importantly, care about your customer data. To you a leaked database is a statistic; to them it's a tragedy. Tell them that their security matters, be open about how you're going to do it, and listen when experts are trying to warn you about security flaws. [Music]

When it comes to the internet and data security, your work is never done. As technology gets more connected and complex, there will be new hacking techniques discovered. We want to stress that security is not a one-and-done step of your product but a philosophy that you'll need to keep in mind from prototype and deployment to long-term support. IoT inherits many of the security problems networked computers have had for decades, so it's important for us as hardware engineers to learn from our fellow software and network engineers. As designers of IoT devices, you must use modern best practices in delivering secure products to end users. The reverse is also true: investigate the market you're entering to see what security practices your competition practices or ignores. Keep tabs on the latest hacking announcements to make sure that your products are not similarly vulnerable. Reevaluate security on a periodic basis to review threats and revise software, access codes and architecture as needed. Being transparent and open about security practices before, during and after an issue will also demonstrate your commitment to
security and fixing things when needed, and it will happen. We hope that during this episode you realized how important it is to secure your IoT project, some of the best ways to go about it, and what to keep in mind when purchasing IoT devices. We hope that you've enjoyed this video series on the growing world of the Internet of Things, and when you're ready to get started with some hands-on experience, please check out all the IoT projects from Digi-Key and Adafruit, and check back for the final video in the series, where we design a device with Digi-Key's IoT Studio.
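Guideline eight ("data paranoia") and the service-side advice to throttle a device that keeps sending bad data, sketched in Python as an added example that is not from the video or from Adafruit or Digi-Key. The message fields, the limits and the `conn_device` identity (assumed to come from the device's own authentication key, as in guideline seven) are assumptions made for illustration.

```python
import json

MAX_PAYLOAD_BYTES = 256                     # assumed upper bound for one reading
ALLOWED_FIELDS = {"device_id", "seq", "temp_c"}
TEMP_RANGE_C = (-55.0, 125.0)               # assumed range of the temperature sensor


class BadPayload(ValueError):
    """Raised for anything that is not exactly the expected message."""


def parse_reading(raw: bytes) -> dict:
    """Validate one telemetry message; never trust that it is well formatted."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise BadPayload("payload too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except ValueError as exc:               # covers bad UTF-8 and bad JSON
        raise BadPayload("not valid UTF-8 JSON") from exc
    if not isinstance(msg, dict) or set(msg) != ALLOWED_FIELDS:
        raise BadPayload("unexpected structure or fields")
    dev, seq, temp = msg["device_id"], msg["seq"], msg["temp_c"]
    if not (isinstance(dev, str) and dev.isascii() and dev.isalnum()
            and len(dev) <= 32):
        raise BadPayload("bad device_id")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(seq, bool) or not isinstance(seq, int) or not 0 <= seq < 2**32:
        raise BadPayload("bad seq")
    if isinstance(temp, bool) or not isinstance(temp, (int, float)):
        raise BadPayload("bad temp_c type")
    # json.loads accepts NaN and Infinity; both fail this range comparison.
    if not TEMP_RANGE_C[0] <= temp <= TEMP_RANGE_C[1]:
        raise BadPayload("temp_c out of range")
    return {"device_id": dev, "seq": seq, "temp_c": float(temp)}


class DeviceThrottle:
    """Blocks one device after repeated bad payloads; others are unaffected."""

    def __init__(self, max_bad=3, window_s=60.0, block_s=300.0):
        self.max_bad, self.window_s, self.block_s = max_bad, window_s, block_s
        self._bad = {}             # device -> timestamps of recent bad payloads
        self._blocked_until = {}   # device -> time at which the block ends

    def allowed(self, device: str, now: float) -> bool:
        return now >= self._blocked_until.get(device, 0.0)

    def record_bad(self, device: str, now: float) -> bool:
        """Count a bad payload; True means the device was just blocked."""
        recent = [t for t in self._bad.get(device, []) if now - t < self.window_s]
        recent.append(now)
        self._bad[device] = recent
        if len(recent) >= self.max_bad:
            self._blocked_until[device] = now + self.block_s
            self._bad[device] = []
            return True            # the point at which to alert the customer
        return False


def handle(throttle: DeviceThrottle, conn_device: str, raw: bytes, now: float) -> str:
    """Return 'accepted', 'rejected' or 'throttled' for one incoming message.

    Strikes are keyed on the authenticated connection identity, not on the
    device_id inside the payload, which the sender controls.
    """
    if not throttle.allowed(conn_device, now):
        return "throttled"
    try:
        reading = parse_reading(raw)
        if reading["device_id"] != conn_device:
            raise BadPayload("device_id does not match authenticated identity")
    except BadPayload:
        throttle.record_bad(conn_device, now)
        return "rejected"
    return "accepted"
```

The `now` argument is passed in rather than read from the clock so the behaviour can be replayed deterministically against recorded traffic.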
Info
Channel: Adafruit Industries
Views: 4,289
Id: ISHqKL1okno
Length: 27min 2sec (1622 seconds)
Published: Thu Sep 12 2019