Let's talk a little bit about IoT security for the kind of systems that we're putting together with single board computers, and sensors, and custom devices. IoT security is kind of the elephant in the room. We know that it's concerned. But how do we deal with it? What should we concentrate on? We're going to talk about some of the basic security concerns for IoT devices. We'll talk about a tool that you could use for your own security exploration, Kali Linux. And then we'll talk about just some other issues that you should consider in your designs. I'm not going to claim to be a security expert. But what I will say is, it's clear when you're working in this part of the industry that you always have to provide for security concerns as part of your designs. There's a contingent of classes within the program that support more detailed security discussion. You could certainly look at those. Recently, I had a chance to go to Black Hat and Def Con, which are leading conferences for security, over 20,000 attendees. And while I was there, I got a chance to take classes on hacking IoT devices and hardening Linux. And it really opened up a lot of things for consideration. The Def Con hacker communities just the list of them should give you some idea of the kind of areas where you have to be concerned about people's skill sets for abusing or using your devices in a way that you didn't expect. The community deals with security issues around IoT, industrial controls, medical devices, wireless devices, tamper based devices, things that are based on AI. There's so many different things that the different hacker communities focus on. It's good to immerse yourself in this a bit and start to understand where your concerns might be for devices that you make. When I was at Black Hat, I was lucky enough to take a couple classes. One from a company called Payatu and the other from a company called InGuardians. And in those classes I broke into things. I was shown how to break into an MTTQ broker, a CoAP server, a CANbus controller, embedded Linux low level interfaces Isquare CNSPI. So all these things that we've mentioned are things that, That support our development of connected devices. Each one of them also becomes a security concern that we have to take care of. On the Linux side, we went through a lot of different web and Linux system elements that potentially could be abused. And we talked about ways to harden those things. So again, I'm not going to try and go through each one of these but I will give you a pointer at some references for you to dig into some of those yourself. Some of my observations on this, I found it interesting really to do this kind of security hacking. It doesn't require fancy tool sets. Kali Linux is an amazing set of tools and it's open source and available. And there's other utilities of course like Wireshark that are there for people to use or abuse. You might need a multimeter, you might need a breadboard, a little bit of electronic knowledge goes a long way. But generally speaking, it's not really necessary to have any kind of fancy tool sets to do this work. IoT devices unfortunately are particularly vulnerable. It was brought up many times that because there may be older systems, systems that don't get regular updates, or systems that weren't built with appropriate security features, that it's very common that these devices are attacked. What you need to realize is if your device is connected to a network, at some point, someone is going to try to talk to it that shouldn't. And it's only a matter of time before something relatively mild in an issue on your device could become a public vulnerability. So you need to be prepared either as an individual or a company level for security breaches and how you're going to respond to them. You have to realize the severity of the potential legal reputation costs. Other disruptions that could impact your business. These are some typical attack surfaces that people will see as they're talking to devices, and ways that hackers might try to move into your device system. For the devices themselves, if you're using mobile or some kind of applications to talk to them, hackers can come through storage, databases, communications, they can learn hardcoded key information. They can break encryption, or they might make a man-in-the-middle attack where they put something in your network that responds correctly to both sides but then allows other commands to be issued. The network side itself is also concerned. If you're using some kind of custom protocols, those things can often be broken. People will capture radio traffic and they analyze it, replay it, potentially use it to inject commands. Again, breaking encryption, not using communication protocols with security. For instance, an HTTP page that doesn't have security could certainly be a path in your system. So these are all things that you have to consider. On the cloud and in the website, there's a number of different attack modes that people use. Cross site scripting, injecting SQL commands, forging requests or commands,Eor either at the client or server side, Executing remote code that works on your system, breaking into storage, using authentication. There's so many different paths. What should you do to deal with these things? Devices also at the hardware level have their own issues. A J tag port that's left open for someone to get into your system and look at what stored there could certainly be an issue even though you had intended it to be made for maintenance or servicing. The actual sensing interfaces of your devices can be spoofed. The communications elements, the storage elements, all of these things. Again, you have to consider as you're creating devices, they'd have to provide a level of security for people to use. This is a list from OWASP, the web security agency that kind of goes through some of the top IoT security concerns. The number one is an insecure web interface. Because certainly if your device is providing an interface, it's easy enough to create an alternate client that tries to communicate with that interface. And if it's done insecurely, you'll run into issues. People also tend to avoid using encryption during development and sometimes when the systems go out into the world that encryption never gets used. If that's the case, your traffic is certainly subject to being recorded and analyzed. You can go through the list yourself, the configuration of security, physical security for the devices, paths to the devices through the cloud. All these things are issues. And OWASP does a good job of collecting these up and reminding us of things that we should do for each of these. So do take a look at the poster link that's here and visit their site for more information. My Payatu company that did my IoT hacking class had their own list of concerns. And again, some of these things probably are starting to look familiar, whether it's coming in through storage or through updating firmware. The number one here was hardcoded sensitive information. If you're using some kind of a hardcoded password for your maintenance folks to deal with devices, you can trust that that'll end up on the web fairly quickly, and other people might use it to get into your devices. So again, another list of considerations to think about. What you need to do, of course in your engineering effort is come up with what kind of process you're going to be using for doing security testing. It starts with gathering up what your security requirements are, and then starting to build out a plan for doing recon, penetration testing, looking at specific attack surfaces or modeling threats. And then trying to make sure that your firmware is hardened against these things in your devices. It's an iterative process like for any design cycle. And you can continue to strengthen your devices as long as you can continue to update their firmware. Generally, it's recommended that your security focuses on third party elements. Because those are the things that the hacker community is going to have the most access to finding issues with. This would be things like Linux itself, network stacks, R tosses, certainly any security issues that it's recommended to look at for those tools you should. Eventually, we might see that bills of material for the software in a system become part of security certification so that people can be sure that the versions that you're using of different software elements are secure and are being dealt with appropriately. One tool that I highly recommend and I got to use quite a bit in my testing and security classes was Kali Linux. Kali is a version of Debian that includes over 600 penetration testing tools. It's free, open source, very easy to use and understand. Probably the biggest struggle is getting your arms around everything that's there. It's regularly updated. And there's support for using it on single board computers like the Raspberry Pi and the BeagleBone. Really good book for digging into Kali is learning Kali Linux by Messier. I thought that was a great introduction at a fairly detailed level to all the tools that are available. Again, just an amazing array of tools for gathering information, for doing vulnerability analysis, wireless attacks, password attacks, lots of password tools. It's a very broad arena, you're not going to become an expert at it overnight. But if you address, again, the most common issues that you're likely to see in your devices, Kali could be one of the tools that helps you do that. There are more and more focus on standards for securing systems. UL introduced a series of standards called 2900 that was really focused on vulnerability and weakness evaluation for devices moving into healthcare, industrial control, and life safety. So you can expect as you work with companies on devices and device designs that this level of certification may become more and more challenging for you. Another place to get good information on how to deal with your cybersecurity issues is NIST. NIST has a security development plan that they suggest. Where you use sort of an iterative, identify, protect, detect, respond, and recover approach to dealing with issues that you run into in your system. Again, I'm not going to go through this in detail here. But I highly recommend that you download the report and take a look at some of the recommendations for how to deal with a cybersecurity plan for your designs. Last, I'll just say, be careful out there. One thing you might be tempted to do is to grab a copy of Kali and try to do some hacking and testing of your own, which I certainly encourage but be careful about how you do it. You don't want to touch any systems that you don't have permission to. It's very easy to slip into something illegal or something that could be a privacy concern. It's better to set up your own local system that's not connected to something outside. And keep in mind the list of hacking ethics. If you're going to be doing this kind of work, you want to have clear goals. You want to have permission if you're using someone's system. You want to keep records of what you're doing. And you don't want to do any harm to yourself for others. And if you do find some security issues, you certainly want to report them as they're needed by the owner of the system. There are penetration test practice sites online. If you get interested in doing some of this work, there's lots to explore on the web. For yourself, do the easy things first. Protect your passwords, use strong passwords. Especially on a Raspberry Pi, never leave the default password. Make sure you update your OSs for security patches. On Linux, this means doing the apt-get update and upgrade cycle regularly. Only open up access on your systems to services that you're going to use. If you're not using something, close it off. That way somebody coming in wouldn't be able to access it. Be careful about how you deal with keys and certificates. Never post anything security related inside code or text files that might end up on a public tool like GitHub or AWS. If you have the option, you can also change away from the well known IP ports from 0 to 1023 and start using other ports that again a hacker doing some searching may not actually use. And be very careful where you get your tools and your network connections. Make sure you're talking to something reliable. These are the easy things that you can do to stay safe. There's a lot to dig into here. Do take some time to consider how you would approach security and review some of these sources for guidelines.
