Dominik Schneider, Wojtek Przibylla | ERNW GmbH
IoT and Industry 4.0 (In-) Security
#whoarewe
Dominik Schneider, Pentester
Wojtek Przibylla, Pentester
Contact:
ERNW GmbH
Wojtek Przibylla
Carl-Bosch-Str. 4
69115 Heidelberg
Road Map
• History of Automation and IoT
• IoT and Industry 4.0
• Attacks in the wild
• Smart Homes
– KNX
• Conclusion
Timeline of Automation and IoT
[Timeline figure, axis 1712 to 2020; recovered labels: 1st Industrial Revolution; 2nd Industrial Revolution (1870); Switchboards and Telephone (1888); Remote controlled boat (Nikola Tesla); Personal Computer; Internet (1981 - 1993); European Installation Bus (1991); Smartphones (1994-1996); Internet of Things (1999); 3rd Industrial Revolution; Smartmeter (2010); Google Glass (2014); Google self driving car (year ???); further axis marks without a recoverable label: 1832, 1881, 1960, June 1, 2004, 2011]
Internet of Things
• “Internet of Things is the network of
physical objects that contain embedded
technology to communicate and sense
or interact with their internal states or
external environments.” Wikipedia
Industry 4.0
• German initiative to create smart factories
• Attempt to computerize logistics and Machine-to-Machine
communication using IoT
• Connect embedded systems and smart production
facilities to generate a digital convergence between
industry, business and internal functions and processes.
What are those things
Abstract view
Sensor Layer
Communication Layer
Management Layer
Technical view
Sensors
• Collect and process data to determine changes of the physical status
Communication
• Identify and track data of things
• Interconnect devices - RFID/Bluetooth/Wireless/Internet
Platforms / Providers
• Aggregate and control data / things
• Provide management interfaces / UI / APIs
IoT in Numbers
• Gartner: 2020, 25 Billion Connected
"Things" Will Be in Use
Installed base by category (millions of units):
Category | 2013 | 2014 | 2015 | 2020
Automotive | 96.0 | 189.6 | 372.3 | 3,511.1
Consumer | 1,842.1 | 2,244.5 | 2,874.9 | 13,172.5
Generic Business | 395.2 | 479.4 | 623.9 | 5,158.6
Vertical Business | 698.7 | 836.5 | 1,009.4 | 3,164.4
Grand Total | 3,032.0 | 3,750.0 | 4,880.6 | 25,006.6
Source: www.gartner.com/newsroom/id/2905717
IoT in Numbers II
Where does IoT already affect us?
• Industry / Science / Medical
– Supply chain management
– Factory automation
– Medical devices
– Solar installations
– Quality sensors
• Consumer market
– Mail and delivery
– Smart watches
– Smart car
– Smart homes
– Smart cities
• Military/Public
– Drones
– Automatic weapons
– Traffic sensors
Where does IoT already affect us?
• Industry / Science / Medical:
– Supply chain management
– Factory automation
– Medical devices
– Solar installations
– Quality sensors
• Military/Public applications
– Drones
– Traffic sensors
– Face recognition
• Mail and delivery
• Smartwatches
• Smartcar – Connected Car
Why is IoT so innovative/promising?
• Economic reasons: “The price of sensors, processors, and networking has come way down. Since WiFi is now
widely deployed, it is relatively easy to add new networked devices to the home and office.”
– Market players see a great potential in IoT
• New customers & markets
• “Make your life more comfortable”
• Mobile data plans are cheap
• IPv6 is enabling IoT
• M2M communication
– Intelligent production steps
• Almost unlimited usage scenarios…
[Figure: diagram placing “you” at the intersection of Internet, Automation and IoT, with Safety, Privacy and Security as the overlapping concerns]
What is wrong with IoT ?
• Spreading:
– You will have more than just one IoT device
– increased attack surface
– Widely used software components
– one bug affects several products
• Uniqueness:
– How to patch firmware?
– Guaranteed interoperability?
• Privacy:
– Who has access to your “things”?
– Where and how does all the data go?
Types of Deployment
• Requirement: Control via the Internet
– Some kind of gateway is required
1. Direct connection to the gateway
2. Connection to the gateway via a service
provider
– The device has to be registered at a vendor for
service consumption
Potential attack surface
Attacks in the wild I
Attacks in the wild II
Attacks in the wild III
IoT Enabling Technologies
Source: Wikipedia
Protocol | Power Line | Radio-Frequency | Data Rate | Available API? | Open Source | (last column, header not recovered)
C-Bus | no | yes | 3500 bit/s | yes | no |
EnOcean | no | 902 MHz (North America) | 9600 bit/s | yes | no |
Insteon | yes | yes | 13,165 bit/s | yes | no |
KNX | yes | yes | 9600 bit/s | yes | no |
UPB | yes | no | 480 bit/s | no | no |
X10 | yes | 310 MHz (North America), 433 MHz (Europe) | 20 bit/s | yes | no | Sometimes
Zigbee | no | 2.4 GHz (worldwide), 915 MHz (Americas and Australia), 868 MHz (Europe) | 20-250k bps | yes | no | ?
Z-Wave | no | yes | 250k bps | yes | no |
SMART HOME
What is KNX?
• Technology for building home automation systems
• Developed in the 90s (back then known as EIB)
Advantages:
• Reduction of energy consumption and costs
• Huge amount of different devices
• Comfortable (controlling via Smartphone / Tablet / Browser)
Some numbers
• Three quarters of all smart
homes in Germany are
equipped with KNX (237k in
absolute numbers, increasing)
• In 2020 there will be an
expected number of one
million smart homes
Taken from: http://www.bitkom.org/files/documents/BITKOM-Praesentation_Smart_Home_in_Deutschland_18_12_2014_02.pdf
Today
• More than 300 vendors are part of the
KNX Group
• Devices for nearly every scenario
• Widely used
How it works
• Address range
– 0.0.0 to 15.15.255
– Max. ~64k devices
• Physical Address
– Every device has its own
physical address
• Group Address
– Used to connect devices to
each other
– A device can be part of one
or more group addresses
Bus system style
• All components are connected to each
other via the bus line
– Signal reaches all participants
Communication types
• TP (Twisted Pair)
• Powerline
– Communication via Power Supply System
• KNX – RF
– 868 MHz
• KNXnet
– Communication via IP driven network
Base components
• Power Supply
• Interface
(programming)
• Switch actuator
• Sensor
• Bus Line
Smart?
Web Interfaces
• Web application or app on
smartphone
• Hundreds of web interfaces
on the internet without
authentication
• Embedded webserver on
KNX devices
How to find Smart Home Visualizations?
• As always: just Google!
• Visit vendor websites for test visualizations online
– Use the gathered information for a more specific Google
search
• Make use of specific Google search filters
– inurl, intitle, …
How to find Smart Home Systems?
• Again Just Google!
• “Hilton Mainz KNX”
Smarthome Crawler
• Small Python script with ~25 lines of code
• Search is done via a specific URL pattern
• Required time for a /16 network: about 8
minutes with a timeout of 0.5 s
• Many results, especially when scanning static IP
address ranges ;)
KNXnet/IP
• Ability to control the
installation via IP
driven network (e.g.
Smartphone)
• On top of UDP
Nmap Script Scan
• knx-gateway-discover.nse
– Can discover multiple gateways
with one single packet
– Multicast
• knx-gateway-info.nse
– Identifies a KNX gateway on
UDP port 3671 by sending a
KNX Description Request
knx-gateway-info:
-- | Body:
-- | DIB_DEV_INFO:
-- | KNX address: 15.15.255
-- | Decive serial: 00ef2650065c
-- | Multicast address: 0.0.0.0
-- | Device friendly name: IP-Viewer
-- | DIB_SUPP_SVC_FAMILIES:
-- | KNXnet/IP Core version 1
-- | KNXnet/IP Device Management version 1
-- | KNXnet/IP Tunneling version 1
-- |_ KNXnet/IP Object Server version 1
nmap --script knx-gateway-discover -e eth0
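As an added example (not code from the ERNW slides or from the nmap NSE scripts), the following Python decodes the DESCRIPTION_RESPONSE that knx-gateway-info elicits, and also implements the area.line.device split behind the 0.0.0 to 15.15.255 address range from the “How it works” slide. The frame layout follows the KNXnet/IP Core specification; the sample frame is constructed here from the values in the nmap output above, with a placeholder MAC address. The list of “bus access” service families is a policy assumption for a defender's inventory, not part of the specification.

```python
"""Decode a KNXnet/IP DESCRIPTION_RESPONSE and check KNX individual addresses.

Added example, not code from the ERNW slides or the nmap NSE scripts. Frame
layout per KNXnet/IP Core (header, DIB_DEVICE_INFO, DIB_SUPP_SVC_FAMILIES);
the sample frame is constructed from the knx-gateway-info values shown above,
with a placeholder MAC address.
"""
import ipaddress
import struct

KNXNETIP_VERSION = 0x10
DESCRIPTION_RESPONSE = 0x0204
DIB_DEVICE_INFO = 0x01
DIB_SUPP_SVC_FAMILIES = 0x02
SERVICE_FAMILIES = {
    0x02: "KNXnet/IP Core", 0x03: "KNXnet/IP Device Management",
    0x04: "KNXnet/IP Tunneling", 0x05: "KNXnet/IP Routing",
    0x08: "KNXnet/IP Object Server",
}
KNX_MEDIA = {0x02: "TP1", 0x04: "PL110", 0x10: "RF", 0x20: "KNX IP"}
# Families that hand out bus-level access; reachable from an untrusted network
# they violate the "no bus to the outside" rule (policy assumption, not spec).
BUS_ACCESS_FAMILIES = {"KNXnet/IP Tunneling", "KNXnet/IP Routing"}


def decode_individual_address(raw: int) -> str:
    """16-bit individual address -> area.line.device (4 + 4 + 8 bits)."""
    if not 0 <= raw <= 0xFFFF:
        raise ValueError("individual address must fit in 16 bits")
    return f"{raw >> 12}.{(raw >> 8) & 0xF}.{raw & 0xFF}"


def encode_individual_address(text: str) -> int:
    """area.line.device -> 16 bits; the 4/4/8 split is why the range ends at 15.15.255."""
    area, line, device = (int(part) for part in text.split("."))
    if not (0 <= area <= 15 and 0 <= line <= 15 and 0 <= device <= 255):
        raise ValueError(f"{text} is outside 0.0.0 - 15.15.255")
    return (area << 12) | (line << 8) | device


def _parse_device_info(dib: bytes) -> dict:
    """DIB_DEVICE_INFO: 54 bytes including the 2-byte length/type header."""
    medium, _status, addr, _project, serial, mcast, mac, name = struct.unpack(
        "!BBHH6s4s6s30s", dib[2:54])
    return {
        "medium": KNX_MEDIA.get(medium, f"unknown (0x{medium:02x})"),
        "knx_address": decode_individual_address(addr),
        "serial": serial.hex(),
        "multicast": str(ipaddress.IPv4Address(mcast)),
        "mac": mac.hex(":"),
        "friendly_name": name.split(b"\x00", 1)[0].decode("latin-1"),
    }


def parse_description_response(frame: bytes) -> dict:
    """Walk the DIBs of a DESCRIPTION_RESPONSE, rejecting inconsistent lengths."""
    if len(frame) < 6:
        raise ValueError("frame shorter than the KNXnet/IP header")
    hlen, version, service, total = struct.unpack("!BBHH", frame[:6])
    if hlen != 6 or version != KNXNETIP_VERSION or service != DESCRIPTION_RESPONSE:
        raise ValueError(f"not a KNXnet/IP 1.0 DESCRIPTION_RESPONSE (0x{service:04x})")
    if total != len(frame):
        raise ValueError("total-length field does not match the datagram")
    info = {"families": {}}
    pos = 6
    while pos < len(frame):
        if pos + 2 > len(frame) or frame[pos] < 2 or pos + frame[pos] > len(frame):
            raise ValueError(f"malformed DIB at offset {pos}")
        length, dib_type = frame[pos], frame[pos + 1]
        dib = frame[pos:pos + length]
        if dib_type == DIB_DEVICE_INFO and length == 54:
            info.update(_parse_device_info(dib))
        elif dib_type == DIB_SUPP_SVC_FAMILIES and length % 2 == 0:
            # body is a list of (family id, version) byte pairs
            for family, ver in struct.iter_unpack("!BB", dib[2:]):
                name = SERVICE_FAMILIES.get(family, f"family 0x{family:02x}")
                info["families"][name] = ver
        pos += length
    return info


def bus_access_exposed(info: dict) -> list:
    """Advertised families that give a remote peer direct access to the bus."""
    return sorted(f for f in info["families"] if f in BUS_ACCESS_FAMILIES)


def build_sample_response() -> bytes:
    """Constructed DESCRIPTION_RESPONSE mirroring the knx-gateway-info output."""
    device_info = struct.pack(
        "!BBBBHH6s4s6s30s", 54, DIB_DEVICE_INFO, 0x20, 0x00,    # KNX IP medium, status
        encode_individual_address("15.15.255"), 0,              # address, project id
        bytes.fromhex("00ef2650065c"),                           # serial from the nmap output
        ipaddress.IPv4Address("0.0.0.0").packed, bytes(6),       # multicast, MAC placeholder
        b"IP-Viewer".ljust(30, b"\x00"))
    families = [(0x02, 1), (0x03, 1), (0x04, 1), (0x08, 1)]     # Core, DevMgmt, Tunneling, ObjSrv
    svc = struct.pack("!BB", 2 + 2 * len(families), DIB_SUPP_SVC_FAMILIES)
    svc += b"".join(struct.pack("!BB", f, v) for f, v in families)
    body = device_info + svc
    return struct.pack("!BBHH", 6, KNXNETIP_VERSION, DESCRIPTION_RESPONSE, 6 + len(body)) + body
```

Running `parse_description_response(build_sample_response())` yields the same fields nmap prints (address 15.15.255, serial 00ef2650065c, friendly name IP-Viewer) plus the service family list; `bus_access_exposed` then tells an operator at a glance whether a gateway found on a routable address advertises Tunneling or Routing, which is the capability the attack scenario later in the talk relies on.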
There are even bigger installations!
• Telekom Frankfurt
• LVM Versicherung Münster (14185 Devices)
• Deutsche Börse AG Frankfurt
• Flughafen Köln Bonn
• Max-Planck-Institut Greifswald (1112 Devices)
• Mitteldeutscher Rundfunk Leipzig (4050 Devices)
• …
The other side of the coin…
• Attack surface increases
• Web Visualizations contain common
web vulnerabilities
– XSS
– Stacktraces
– …
• Burglar 4.0
Attack Scenario
• Is there a setup that the installation can be controlled by an
attacker remotely without visualization? – YES!
• Requirements:
– Physical connection to the bus (KNXnet/IP interface)
– Software for sending and receiving KNXnet/IP packets (Raspberry Pi + eibd)
– Remote Connection (UMTS Stick)
– Power Supply for Raspberry Pi (Power Bank)
Attack Setup
DEMO TIME
What about security on the bus ?
• Confidentiality?
• Integrity?
• Authentication?
Quotations from the standard
• For KNX, security has never been, and is not, a topic of great
importance, because a security breach requires local access to the
network. In the case of KNX TP (EIB) and KNX PL this even means
that physical access to the network cables is required, which is
impossible in almost all cases, since the cables are laid inside the
building or underground.
• For this reason, security aspects play a subordinate role for KNX
media at the field level.
• It is rather unlikely that legitimate users of a network have the
means to intercept and decode KNXnet/IP in order to subsequently
tamper with it, without having studied the KNX standards
intensively.
How to secure this?
• No bus to the outside
• Make use of bus line separation with line couplers
– This requires a concept
• Ensure that the requirements in the KNX Security
Checklist are followed (KNX Association)
• Need for new specification
– Take a look at KNX secure devices!
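The “line separation with line couplers” point above is where the concept work happens: a coupler only passes the group addresses listed in its filter table, so the line that carries the KNXnet/IP interface can be restricted to the few groups that genuinely need remote control. The following model is an added example (not from the slides or the KNX Security Checklist); it assumes 3-level group addresses (main/middle/sub = 5/3/8 bits), a filter table applied in both directions, and routing of individually addressed telegrams by the destination's area.line, which is how couplers normally behave, simplified here to a single rule set.

```python
"""Model a KNX line coupler with a group-address filter table.

Added example, not from the slides or the KNX Security Checklist. Assumes
3-level group addresses (5/3/8 bits), a whitelist filter table applied in
both directions, and individual telegrams routed by the destination's
area.line; real couplers expose a few more knobs, omitted here.
"""


def parse_group_address(text: str) -> int:
    """main/middle/sub -> 16-bit group address (5 + 3 + 8 bits)."""
    main, middle, sub = (int(part) for part in text.split("/"))
    if not (0 <= main <= 31 and 0 <= middle <= 7 and 0 <= sub <= 255):
        raise ValueError(f"group address {text} out of range")
    return (main << 11) | (middle << 8) | sub


def area_line(individual: str) -> tuple:
    """area.line.device -> (area, line); the device part does not matter here."""
    area, line, _device = (int(part) for part in individual.split("."))
    return area, line


class LineCoupler:
    """Sits between the backbone (e.g. the line with the KNXnet/IP interface)
    and one twisted-pair line, identified by its area.line prefix."""

    def __init__(self, line: str, allowed_groups):
        self.line = area_line(line + ".0")            # "1.1" -> (1, 1)
        self.filter_table = {parse_group_address(g) for g in allowed_groups}

    def forwards(self, src: str, dst: str) -> bool:
        """True if a telegram from src to dst crosses this coupler."""
        if "/" in dst:                                  # group telegram
            return parse_group_address(dst) in self.filter_table
        from_inside = area_line(src) == self.line       # individual telegram:
        to_inside = area_line(dst) == self.line         # cross only between sides
        return from_inside != to_inside


def audit(coupler: LineCoupler, telegrams) -> list:
    """Return the (src, dst) pairs the coupler would drop."""
    return [(s, d) for s, d in telegrams if not coupler.forwards(s, d)]


# Constructed sample: line 1.1 may only exchange two lighting groups with the
# rest of the installation; everything else stays inside the line.
SAMPLE_COUPLER = LineCoupler("1.1", ["1/0/7", "1/0/8"])
SAMPLE_TELEGRAMS = [
    ("0.0.1", "1/0/7"),    # backbone device switching an allowed group
    ("0.0.1", "1/2/3"),    # backbone device probing a group not in the table
    ("1.1.5", "1/0/8"),    # line device reporting an allowed group outward
    ("1.1.5", "2/1/1"),    # line-internal group, must not leak out
    ("0.0.1", "1.1.20"),   # individual telegram into the line
    ("1.1.5", "1.1.6"),    # stays on the line, coupler not involved
]
```

`audit(SAMPLE_COUPLER, SAMPLE_TELEGRAMS)` returns the three telegrams the coupler blocks: the probe of 1/2/3, the internal group 2/1/1 and the intra-line individual telegram. The value of the exercise is the table itself: writing it down forces the decision which groups a remote interface is allowed to reach.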
WHAT ELSE IS OUT THERE ?
After all these new kind of devices…
EVA
“A Smarter Way to Shower”
• Measures the distance between
a person and the device.
• An app can be used to get
statistical information like water
consumption.
Smart Garden
Is there a connectivity problem?
Samsung Smart Fridge
• Exposed Gmail passwords
– MitM attack
– Improper certificate
validation
– Logfiles of Google Calendar
The Wink case
• Due to a problem on the
vendor site, the smart home
hubs stopped working
• All smart home devices
connected to the smart hub
also stopped working
Qivicon outage
Source: http://www.heise.de/newsticker/meldung/Deutsche-Telekom-Ausfall-des-Qivicon-Servers-legt-Smart-Homes-lahm-2832456.html
News from IFA 2015
Conclusion I
• Don’t put things on the internet that are not
properly secured for it.
• But nowadays and in the future more and
more devices will be reachable via the
Internet
Conclusion II
• We need user awareness
– Does my shoe really need internet connectivity?
• Smart devices will affect everybody
– Even those who don’t use them
• Evaluate your deployment scenario
– Make use of encryption and authentication
Questions ?