First step in the quest for manufacturing cyber-resilient IoT devices Panasonic Corporation Jun Sato Chih-Hsiang HITCON 2020@TAIPEI
About me ・佐藤 淳 ・ Jun Sato ・ Past experience in system development and operation ・ Joined Panasonic in 2019 and involved in IoT security ・ CISSP , GCFA
Background
Increasing attacks targeting IoT
• Figure: Number of Attacks Observed by NICTER Darknet Sensors (axis: No. Packets, ten billion). Number of cyber attacks continues to increase.
• Figure: Breakdown of Observed Attacks by NICTER Darknet Sensors (2018) (categories: Attacks targeting IoT devices (Web Camera, Routers, etc.); Other). About half of observed attacks target IoT devices.
Source: Cybersecurity Research Institute - Cyber Security 2019, Appendix 5 - Cyber Security Related Data - NICTER Observation Results (Japanese citation on the slide: Cybersecurity Strategic Headquarters, "Cybersecurity 2019", Appendix 5 "Cybersecurity-related data collection", from the NICTER observation results) https://www.nisc.go.jp/active/kihon/pdf/cs2019.pdf
Sudden Increase in IoT Malware
The number of IoT malware has more than tripled from 2017 in just the first half of 2018.
Source: “New trends in the world of IoT threats”, Kaspersky Lab, September 18, 2018 https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/
IoT Malware Wreaking Havoc
Number of IoT malware infections rising rapidly, with no end in sight
• https://www.securityweek.com/hide-%E2%80%98n-seek-botnet-targets-smart-homes
• https://www.securityweek.com/over-500000-iot-devices-vulnerable-mirai-botnet
• https://www.ithome.com.tw/news/123708
• https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/?amp=1
• https://www.ithome.com.tw/news/129449
• https://www.ithome.com.tw/news/132271
IoT Malware Infections and Associated Damages
Diagram labels: Infect, Spread, Cyber Attacks
Infect, spread and leverage for use in attacks. Victims unknowingly become attackers.
Regulations by Government
United States
・ Oregon HB 2395 amending ORS 646.607
・ Cyber Shield Act of 2019 (S. 2664)
・ SB-327 Information Privacy: Connected Devices
・ IoT Cybersecurity Improvement Act of 2019
・ Executive Order on Securing the Information and Communications Technology and Services Supply Chain (Executive Order 13873)
Europe
・ EU Sales of Goods Directive (SGD)
・ EU Digital Content Directive (DCD)
・ UK legislation for consumer IoT devices by design
・ Germany IT security law 2.0
・ Finland Cybersecurity Label
People's Republic of China
・ Cybersecurity Law of the People's Republic of China - 中华人民共和国网络安全法
・ Public Comments on the Provisions on the Administration of Cybersecurity Vulnerabilities - 网络安全漏洞管理规定 (征求意见稿)
・ Data Security Law of the People’s Republic of China - 中华人民共和国数据安全法
Japan
・ 2019 Order of the Ministry of Internal Affairs and Communications No. 12
・ Partial revision to “Telecommunications Business Act” and “Act on the National Institute of Information and Communications Technology, Independent Administrative Agency”
・ 2017 Notification of the Ministry of Economy, Trade and Industry No. 19
New laws being enacted globally govern IoT security
Expectations for "Manufacturers to ensure product security"
Diagram labels:
• Parties: Parts Supplier, Manufacturer, Retail, Users, Security Organizations / Researchers, Governments
• Expectations: Procurement of secure parts / components (Chips, software, etc.); Security for shipped products; Product updates after shipment; Discovery of vulnerabilities; Proper configuration and usage of products; Development / selling security products; Proper explanation and initial configuration of products; Alerts to users; Guidance to Manufacturers
Existing Panasonic Activities on Product Security
As A Corporate Risk Cyberattacks are a major corporate risk in Panasonic https://www.panasonic.com/global/corporate/sustainability/management/riskmanagement.html https://www.panasonic.com/global/corporate/sustainability/pdf/sdb2019e.pdf
Supporting Panasonic Brand: Product Security
1. Minimize Risk
2. Incident Response
Essential knowledge (Awareness / Technical)
Panasonic Product Security Activities
• Product Lifecycle: Plan, Design, Implement, Test, Shipment, In-Use, Discard
• Activities: Threat Analysis, Secure Design, Secure Coding, Static Analysis, Vulnerability Testing (Security Testing), Incident Response
• Goals: Minimize Risk, Incident Containment
Cyber Security in Panasonic
Cyber Security Activities in Panasonic
• IT Security: Information System (Web-site, PC, Server, Network, Data and Application); CSIRT; Info. Systems related department
• Manufacturing System Security: Factory, Manufacturing (Manufacturing system and Production Machine in Panasonic); FSIRT; Manufacturing related department
• Product Security: Product (Product and Services provided by Panasonic); PSIRT; Product Security Center
Incident Response Framework at Panasonic
• Product phases: Planning, Design, Implement, Verify (Test), On market, Incident
• External parties: Coordinators, Security Institution (FIRST, IPA(JP), CERT(US), JPCERT/CC(JP)); ISPs, Vendors, Academics, Individuals
• Panasonic: Panasonic PSIRT; AP-IRT, LS-IRT, CNS-IRT, AM-IRT, IS-IRT
Panasonic IoT Threat Intelligence Project
Challenges in Product Security
• Incident response requires trigger (internal/external notification)
• Not relying on external organization to collect threat information
Proactively analyze / utilize threat information
Diagram labels: New threat, New vulnerability, Requires trigger
Panasonic IoT Threat Intelligence Platform Concept
• IoT Threats Collection: Collect malware targeting home electronics
• IoT Threats Analysis: Analysis of malware characteristics
• IoT Device Protection: More secure products
Through the platform, the goal is to strengthen overall IoT security.
IoT Threat Collection - Malware targeting home electronics
• On-going: Real time collection using IoT home electronics
• On-going: Ability to collect attacks against products in development
• On-going: Increase global coverage of observation points
IoT Threat Analysis – Analyze Characteristics of IoT Malware
Flow (process this flow automatically): Collect Malware (Honeypot), Behavior Analysis (IoT Sandbox), Statistical Analysis
• On-going: Collect Malware Targeting IoT Home Electronics
• On-going: IoT Malware Analysis Results: behavior analysis specialized for IoT malware
• On-going: Auto-processing from collection to analysis/statistics
IoT Device Protection – Feedback to Product Developer
Flow: Collect threat (Honeypot), Malware Analysis, Threat Analysis (Statics app, elasticsearch)
• On-going: Share attack overview / IoT malware analysis to product developer
• Coming Soon: Risk analysis for products in development
  • Categorize attack against product in development with standard framework (e.g. MITRE ATT&CK)
  • Analyze targeted vulnerabilities to assess countermeasures for products
  • Product specific characteristics
Diagram labels: Vulnerability, Impact
Accomplishments – November 2017 – Jun 2020
IoT Threat Collection
• Attacks Collected: 603,589,498
• Malware Collected: 56,426
• IoT Malware Collected: 12,634
• Home electronics with 2 types of malicious files placed ※
※ The home appliance was not infected and there were no damages
IoT Threat Analysis (Malware Analysis)
• Of the top 10 destination IP addresses, besides DNS (8.8.8.8), all are malware distribution sites (malicious sites)
• Top 3 destination countries are USA, China, Japan (followed by Germany, England, S. Korea, S. Africa, Brazil, France, Egypt)
About me ・張智翔 ・ Jimmy ・ Panasonic Cyber Security Lab ・ Past experience in software / system development ・ Joined Panasonic in 2018 and involved in IoT security
Analysis example of Collected Threat Information
Attack trend
• Peak in Dec 2019
• Peak in June 2020
• Total attack number decreasing since Feb, 2020
Chart markers: 2019/12, 2020/06
Top 10 Attacked Protocols
• Peak in Dec 2019
  • Remote attacks against Microsoft SQL, targeting servers with weak password
• Peak in June 2020
  • UPnP vulnerability “Call Stranger” was disclosed
Chart annotations: 2019/12 MsSQL; 2020/06 UPnP; Decrease from 600 mil to 0.25 mil
Top 5 Attacked Protocols 2020/4 2020/5 2020/6 • Attacks to MSSQL dropped in May • Attacks to UPnP from China and US soared in June. • telnet, ssh, UPnP are targets constantly in the Top5
Top 10 Attack Sources by Country • Peak in Dec 2019 • Attack Source by Country: China and Taiwan • Peak in June 2020 • Attack Source by Country: China and the USA
Top 5 Attack Sources by Country (2020/4, 2020/5, 2020/6)
• China has constantly been Top 1 since this April.
• Observed many attacks against 1900 (UPnP), 1433 (MSSQL).
Attack trends against Home IoT Appliances
• Devices being attacked have ports open such as Web, UPnP, SMB, etc.
Figure: Attack Trend Against Physical Honeypots (y-axis: Attacks [K]; x-axis: 2018Q1 to 2020Q1; series: Dehumidifier, Refrigerator, Home camera, Intercom, BD recorder, TV, Washing machine, Security camera, Air conditioner). Ranking marked on the chart: #1 Security camera, #2 Home camera, #3 BD recorder, #4 Intercom.
Attacks against security cameras
• Top 2 China, the USA
• Almost all attacks are against 1900 (UPnP), 80 (http)
• Observed a lot of “M-SEARCH” messages. Probably:
  - Search for vulnerable devices to use in SSDP reflection attacks
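The M-SEARCH observation on the security-camera honeypot can be turned into a triage rule for UDP/1900 traffic. The Python below is an added example, not code from the talk or from Panasonic's platform; the record format (source IP, raw payload), the label names, the helper `msearch` and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
# RFC 1918, link-local, loopback. Not is_private: that also matches doc ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
BROAD_TARGETS = {"ssdp:all", "upnp:rootdevice"}  # search targets most devices answer

def parse_ssdp(payload):
    """Return (method, headers) for an SSDP datagram, or None if it is not one."""
    lines = payload.decode("ascii", "replace").split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or not start[2].startswith("HTTP/"):
        return None
    pairs = (line.partition(":") for line in lines[1:])
    headers = {k.strip().upper(): v.strip() for k, sep, v in pairs if sep}
    return start[0].upper(), headers

def classify(src, payload):
    """Label one datagram received on UDP/1900 from source address src."""
    parsed = parse_ssdp(payload)
    if parsed is None:
        return "not-ssdp"
    if parsed[0] != "M-SEARCH":
        return "other-ssdp"
    if any(ipaddress.ip_address(src) in net for net in LOCAL_NETS):
        return "local-discovery"      # ordinary LAN discovery
    if parsed[1].get("ST", "").lower() in BROAD_TARGETS:
        return "wan-broad-search"     # scan or spoofed reflection trigger
    return "wan-targeted-search"

def summarize(records):
    """Count labels over a list of records and rank sources of broad WAN searches."""
    labels = Counter(classify(src, p) for src, p in records)
    sources = Counter(src for src, p in records
                      if classify(src, p) == "wan-broad-search")
    return labels, sources.most_common()

def msearch(st):  # constructed M-SEARCH request for search target st
    return ('M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
            'MAN: "ssdp:discover"\r\nMX: 1\r\nST: %s\r\n\r\n' % st).encode()
# Constructed sample records (source IP, payload); not data from the talk.
SAMPLE = [
    ("203.0.113.7", msearch("ssdp:all")),
    ("203.0.113.7", msearch("upnp:rootdevice")),
    ("198.51.100.23", msearch("urn:schemas-upnp-org:device:InternetGatewayDevice:1")),
    ("192.168.1.20", msearch("ssdp:all")),
    ("198.51.100.23", b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),
    ("203.0.113.99", b"\x00\x01garbage"),
]
```

SSDP discovery is meant to stay on the local link, so any M-SEARCH from a routable source is worth counting, and on UDP the source address may be spoofed, so a top "source" can be a reflection victim rather than the scanner.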