Attack simulations of viable cities (smart facilities) Associate prof. Robert Lagerström KTH Royal Institute of Technology
Sustainable cities, energy, transportation, …
Digital solutions will drive progress towards the sustainable development goals
Cyber threats
How come this happens over and over again?
Complexity in a software
Complexity in an Organization
Complexity in smart cities
Ukraine Power Grid
“We want to be seen, and we want to send you a message”
Stages of the attack: spear phishing → exploring and collecting → malicious firmware → TDoS → malware (KillDisk)
Smart facilities: advanced attacks are not needed. New IoT devices often lack basic security features!
Penetration testing https://www.svt.se/nyheter/vetenskap/har-hackas-elsparkcykeln-av-kth-studenten
Recently found vulnerabilities in IoT (by KTH students)
• Aldin Burdzovic, Jonathan Matsson, Pontus Johnson, and Robert Lagerström, CVE-2019-12941: AutoPi Wi-Fi/NB and 4G/LTE devices allow an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device.
• Arvid Viderberg, Pontus Johnson, and Robert Lagerström, CVE-2019-12944: Glue Smart Lock 2.7.8 devices do not properly block guest access in certain situations where the network connection is unavailable.
• Arvid Viderberg, Pontus Johnson, and Robert Lagerström, CVE-2019-12943: Insecure permission in the password reset function of the TTLock Open Platform.
• Arvid Viderberg, Pontus Johnson, and Robert Lagerström, CVE-2019-12942: Insecure permission in the account revocation mechanism of the TTLock Open Platform.
• Theodor Olsson, Albin Larsson Forsberg, Pontus Johnson, and Robert Lagerström, CVE-2019-12821: Vulnerability in app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner while adding a device to the account using a QR code.
• Theodor Olsson, Albin Larsson Forsberg, Pontus Johnson, and Robert Lagerström, CVE-2019-12820: Vulnerability in app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, possible MiTM attack on HTTP.
• Ludvig Christensen, Daniel Dannberg, Pontus Johnson, and Robert Lagerström, CVE-2019-12797: Vulnerability in a clone version of an ELM327 OBD2 Bluetooth device, a hardcoded PIN leading to arbitrary commands on the OBD-II bus of a vehicle.
National Vulnerability Database
Google Chrome vulnerabilities - known
IoT honeypot experiment
Automatic Quantitative Data-driven Attack Simulations
CAD & simulations have revolutionized other engineering fields
Computer Aided Design (CAD) and quantitative simulations have revolutionized engineering. Could you imagine building today’s fighter jets without CAD and simulation software? Would you fly in an airplane whose risks were identified, prioritized and tracked by subjective and qualitative measures?
The concept of threat modeling lets you simulate attacks on small and abstract Models created manually, like our Web Server Component, as well as on large enterprise-wide Models with thousands of Objects that are generated automatically from existing data sources. Once a Model is created, all that remains is the assignment of high value assets, with an expected Cost of loss, and an entry point for the Attacker.
Based on the threat model, the most probable attack paths from the Attacker’s entry point (red) to the high value assets in the model (blue) can be generated and visualized automatically. The Attacker will take the path of least resistance based on the built-in statistics as well as the status of the Objects’ Defenses.
Various attack scenarios can be simulated by placing the Attacker on e.g. the Internet, as an Insider, etc. Furthermore, the simulations have no impact on availability and no active connection to the actual systems.
Based on the simulation data and attack paths, reports on risk exposure, critical weaknesses and expected loss can be created. Security controls that lower the risk exposure can also be suggested, applied and evaluated against the expected cost.
Attack simulations
Let’s assume that our most valued asset is our house and that we are worried someone might break in. As far as we know, there are two possible ways in: through the window or through the door.

BREAK INTO HOUSE (OR)
  BREAK IN THROUGH WINDOW
  BREAK IN THROUGH DOOR

To break in through the door, the attacker will have to have access to the door AND bypass the door. How easy or hard that is for the attacker depends on the parameters of the door (door material, lock quality) and of the fence (barb wire, fence height).

BREAK INTO HOUSE (OR)
  BREAK IN THROUGH WINDOW
  BREAK IN THROUGH DOOR (AND)
    ACCESS TO DOOR (OR)
      BYPASS FENCE
        USE TOOL
    BYPASS DOOR (OR)
      USE KEY
      PICK LOCK

Depending on the parameters of e.g. the door, it will be tougher or easier to bypass the door with different types of attacks. In the simulation, we sample these values and provide Time-to-compromise (TTC) distributions for reaching the high value assets. TTC expresses the success rate of an attack over time (success probability in % against time), i.e. the more time the attacker gets to spend trying, the more likely he/she is to succeed.

BYPASS DOOR
Lock quality | Door material | TTC
Poor         | Poor          | 4
Good         | Poor          | 25
…            | …             | …

BYPASS FENCE
Height | Barb wire | TTC
0      | False     | 0
0      | True      | 0
2      | True      | 3
…      | …         | …

The attacker might also exploit some unknown vulnerability or “zero-day”, here exemplified as squeezing down the chimney: JUMP DOWN CHIMNEY becomes a third OR branch under BREAK INTO HOUSE.

If there is data available about specific products and their vulnerabilities, this can be inserted into the tool. In this example, we know that Bob delivers terrible fences, so a product-specific row (BOB’S RUSTY CHAIN LINK) is added to the BYPASS FENCE table.

Looking at our security situation from a broader picture lets us capture structural vulnerabilities as well. In the example, the attacker might exploit a big hole in our neighbour’s house to steal our spare key:

BREAK INTO NEIGHBOUR’S HOUSE → STEAL SPARE KEY → USE KEY
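The house example above, carried through as runnable code. This is an added example written for this page; it is not code from the slides, from KTMM, or from the securiCAD tool. It encodes the AND/OR tree and the two TTC tables from the slides, samples each leaf’s TTC from an exponential distribution whose mean is the table value (the distribution family is an assumption; the slides do not state one), takes the path of least resistance at every OR node and the slowest sub-step at every AND node, and reports the empirical success-probability-over-time curve. The TTCs for the window, the neighbour’s house and the chimney “zero-day” are assumed parameters, as is the value for Bob’s fence: the slides draw those nodes but attach no numbers to them.

```python
"""Monte Carlo attack simulation over the slides' BREAK INTO HOUSE attack tree.

Added example: not code from the slides, from KTMM or from the securiCAD tool.
The tree shape, the AND/OR semantics and the two TTC tables are from the slides;
the distribution family and every other number are assumptions marked below.
"""
import math
import random
from dataclasses import dataclass, field

INF = math.inf

# TTC point estimates from the slides' tables (the slides' unnamed time unit).
BYPASS_DOOR_TTC = {("Poor", "Poor"): 4, ("Good", "Poor"): 25}   # (lock quality, door material)
BYPASS_FENCE_TTC = {(0, False): 0, (0, True): 0, (2, True): 3}   # (height, barb wire)
# Product-specific data overrides the generic table ("Bob delivers terrible fences");
# the value 0 is an assumption: the slide names the row but shows no number.
BYPASS_FENCE_TTC_BY_PRODUCT = {"BOB'S RUSTY CHAIN LINK": 0}


@dataclass
class Step:
    """One attack step. Leaves carry an expected TTC; OR/AND nodes combine children."""
    name: str
    kind: str = "LEAF"                 # "LEAF", "OR" or "AND"
    children: list = field(default_factory=list)
    mean_ttc: float = INF              # leaves only; INF means the step is not possible


def build_house(lock="Poor", door="Poor", fence_height=0, barb_wire=False,
                fence_product=None, window_ttc=10, neighbour_ttc=INF, zero_day_ttc=INF):
    """Assemble the slides' tree. window_ttc, neighbour_ttc and zero_day_ttc are
    assumed parameters: the slides draw these nodes but attach no numbers to them."""
    if fence_product in BYPASS_FENCE_TTC_BY_PRODUCT:
        fence_ttc = BYPASS_FENCE_TTC_BY_PRODUCT[fence_product]
    else:
        fence_ttc = BYPASS_FENCE_TTC[(fence_height, barb_wire)]
    # Structural weakness: the spare key is only usable after the neighbour is burgled.
    steal_key = Step("BREAK INTO NEIGHBOUR'S HOUSE / STEAL SPARE KEY", mean_ttc=neighbour_ttc)
    use_key = Step("USE KEY", "OR", [steal_key])
    pick_lock = Step("PICK LOCK", mean_ttc=BYPASS_DOOR_TTC[(lock, door)])
    bypass_door = Step("BYPASS DOOR", "OR", [use_key, pick_lock])
    bypass_fence = Step("BYPASS FENCE", mean_ttc=fence_ttc)
    access_door = Step("ACCESS TO DOOR", "OR", [bypass_fence])
    through_door = Step("BREAK IN THROUGH DOOR", "AND", [access_door, bypass_door])
    through_window = Step("BREAK IN THROUGH WINDOW", mean_ttc=window_ttc)
    chimney = Step("JUMP DOWN CHIMNEY", mean_ttc=zero_day_ttc)   # the "zero-day" branch
    return Step("BREAK INTO HOUSE", "OR", [through_window, through_door, chimney])


def sample_ttc(step, rng):
    """One simulation run. Returns (ttc, path). Leaf TTC ~ Exponential(mean) (assumed
    family); OR = fastest child, i.e. the path of least resistance; AND = slowest
    child, since every sub-step must be completed."""
    if step.kind == "LEAF":
        if step.mean_ttc in (0, INF):
            return step.mean_ttc, [step.name]
        return rng.expovariate(1.0 / step.mean_ttc), [step.name]
    outcomes = [sample_ttc(child, rng) for child in step.children]
    if step.kind == "OR":
        ttc, path = min(outcomes, key=lambda o: o[0])
        return ttc, [step.name] + path
    ttc = max(o[0] for o in outcomes)
    return ttc, [step.name] + [name for _, path in outcomes for name in path]


def point_estimate(step):
    """Deterministic TTC straight from the tables' expected values (no sampling)."""
    if step.kind == "LEAF":
        return step.mean_ttc
    values = [point_estimate(child) for child in step.children]
    return min(values) if step.kind == "OR" else max(values)


def simulate(step, runs=2000, seed=1):
    """Sampled TTCs for the root: the empirical TTC distribution the slides plot."""
    rng = random.Random(seed)
    return [sample_ttc(step, rng)[0] for _ in range(runs)]


def success_probability(ttcs, t):
    """P(compromise within time t): the slides' 'success rate over time' curve."""
    return sum(1 for x in ttcs if x <= t) / len(ttcs)


def expected_ttc(step, runs=2000, seed=1):
    """Mean sampled TTC over the runs in which the attacker succeeds at all."""
    finite = [x for x in simulate(step, runs, seed) if x != INF]
    return sum(finite) / len(finite) if finite else INF


def least_resistance_path(step, seed=1):
    """The attack path chosen in one run, root first."""
    return sample_ttc(step, random.Random(seed))[1]


if __name__ == "__main__":
    for label, house in [("poor lock", build_house()),
                         ("good lock", build_house(lock="Good")),
                         ("good lock, weak neighbour", build_house(lock="Good", neighbour_ttc=2))]:
        ttcs = simulate(house)
        curve = ", ".join(f"t={t}: {success_probability(ttcs, t):.2f}" for t in (1, 5, 10, 25))
        print(f"{label}: point estimate {point_estimate(house)}, {curve}")
        print("  path:", " -> ".join(least_resistance_path(house)))
```

Two things the simulation makes visible that the tables alone do not: a better lock only helps until the window becomes the cheaper path (the OR node moves the attacker, it does not stop them), and the neighbour’s weak house shows up as a drop in the door’s TTC even though nothing about our own door changed, which is exactly the structural vulnerability the slides point at.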
Goals with VASA (Viable cities Attack Simulation & threAt modeling) The main goal is to develop a threat modeling and attack simulation approach specifically designed for smart facilities, a key concept in viable cities. Ethical hacking of smart components will also take place in order to improve the attack simulations.
KTMM (KTH Threat Modeling Method)
KTMM consists of five phases plus a scoping phase:
0) scope & delimitations
1) business analysis
2) system definition & decomposition
3) threat analysis
4) attack & resilience analysis
5) risk assessment & recommendations
Currently tested at JM, Coor, and Stena Fastigheter.
Vanguard
How to participate?
• Penetration testing / ethical hacking of systems / IoT devices
• Threat modeling & attack simulations: with KTMM, or with Vanguard (for AWS)
Contact robertl@kth.se www.kth.se/profile/robertl www.foreseeti.com