University of Central Florida
2015 中国互联网安全大会 China Internet Security Conference

Smart Device Security Vulnerability Research and Protection
Smart vs. Security: IoT Security and Protections

Yier Jin
Security in Silicon Lab (SSL)
Department of Electrical Engineering and Computer Science
University of Central Florida
yier.jin@eecs.ucf.edu

IoT and Wearable Devices
[Figure: assorted images found online.]

IoT Forecast
[Figure]

IoT in Commercials
• How About Security?
[Figure labels: Wireless Remote Control, Big Data, Cloud Computing, Constant Access, Machine Learning, Security]

Security and Privacy
• Security Concerns
  – “ThingBot”: More than 750,000 phishing and SPAM emails launched from “ThingBots” including televisions, fridges
  – WeMo “Light Switch” firmware can be remotely controlled
• Privacy Concerns
  – Personal data is often collected without users’ awareness
  – The “big personal data” includes too much information
• Safety Concerns
  – Remote smart car hacking (Charlie Miller and Chris Valasek)
  – Medical infusion pumps vulnerabilities to cyber attack (FDA)
• National Security
  – Power grid, industrial control systems, etc.

When industrial-level damages can be caused through device-level hacking, can we still ignore the issues of IoT security threats?

CASE study - World
• How secure are current IoT/networked devices?

Power Grid
[Figure]

Vehicle
[Figure]

Weapon
[Figure]

CASE study – my lab
• How secure are current IoT/networked devices?

Google Nest Thermostat
• Functionality
  – Smart thermostat (self-learning, auto-away, Nest app, Nest leaf)
• Exploitation and Payload
  – Bypass firmware verification and install customized userland
  – Remote control and user privacy collection
• Security Impact
  – Through the backdoor, remote access capability can be inserted for hackers to exploit the device and the local network remotely

TrapX
• ARP Spoofing
  – Compromised Nest
  – Collect user data in other devices
  – Local network compromise
  – Attack interface to infrastructure

Company A - Protect
• Functionality
  – Smart smoke detector
  – An important home automation component
• Exploitation and Payload
  – End-user can modify the software core
• Security Impact
  – Physical damage (attackers may turn off the Protect)
  – Inconvenience (high quality becomes a burden)

Company B – Smart Band
• Functionality
  – Smart band for health tracking
• Wireless Chip
• ARM-based Microcontroller
• USB – charge only
• LED Matrix Display
• Bluetooth 4.0 pairing to smart phones
• Exploitation and Payload
  – Bypass firmware integrity
  – Boot any firmware
• Security Impact
  – Learn user’s health information
  – Privacy breach

Roku
• Functionality
  – Streaming media player
• Exploitation and Payload
  – Telnet root shell spawned on boot
  – Enable U-Boot shell
• Security Impact
  – Allows a user to execute commands as a root user

Belkin Wemo
• Functionality
  – The device is able to turn electronics on and off remotely
• Exploitation and Payload
  – Root shell can be accessed
• Security Impact
  – Electronic equipment may be remotely controlled by attackers
  – Physical damage

Epson Artisan 700/800
• Functionality
  – All-in-one printer
  – Wi-Fi connection
• Exploitation and Payload
  – Feature a shell through serial port
  – Controller menu is available
• Security Impact
  – Information leakage

Amazon Fire TV Stick
• Functionality
  – Stream media to the TV using the HDMI port
• Exploitation and Payload
  – User can gain root access
• Security Impact
  – The device can be rooted for any modifications

2015 - "Smart Device Security Vulnerability Research and Protection - Yier Jin (金意儿) - English Version"
This document was uploaded and shared by 张玉竹 on 2022-04-07 17:39:59.