Networked Home Appliances and Vulnerabilities.

Panasonic Corporation Analysis CenterYukihisa Horibe

Profile

堀部 千壽（Yukihisa Horibe）

2

Panasonic Corporation Analysis CenterPanasonic-PSIRT Member

Focusing on improving security for networked home appliances

Vulnerability assessment of house hold appliances and embedded systemsVulnerability assessment of home service serversTable top analysis of networks including house hold appliances.Over 10 years of experience in security evaluation related work

Agenda

3

Changes in the feature of connected CE products

The risks to connect

Performance and trends in the Vulnerability Assessment for connected CE products

Security functions required for CE products in the time of IoT

Closing

Agenda

4

Changes in the feature of connected CE products

The risks to connect

Performance and trends in the Vulnerability Assessment for connected CE products

Security functions required for CE products in the time of IoT

Closing

Evolving Home Appliances.

5

Remote Control Media Server

HDD Recorder

Image UploadWifi Data Transfer

Digital Camera/Video Cam

CDDB

Audio System

Browser Media Player Smartphone like apps

Browser Media Player Smartphone like apps

Digital TVDigital TV Browser Media Player Smartphone like apps

Digital TV

Door Chimes Notification Communications

Measurements data transfer

Scales

DeviceIntegration

SmartphoneIntegration

CloudIntegration

Monitoring Power Control On Demand

Control

HEMS Monitorin Remote Control

Air Conditioner

Historical Overview of Function and Data Information of Networked Home Appliances（~2005：Growth Period）

6

Internet（Household）

Cellphones

Digital TV

Recorders

Cooking Appliances

201220102008200620042002ADSL

mova3G

Browser

Remote operations

Status Notifications

Historical Overview of Function and Data Information of Networked Home Appliances（~2005：Growth Period）

7

Internet （Household）

Cellphones

Digital TV

Recorders

Cooking Appliances

201220102008200620042002ADSL

mova3G

Browsers

Remote Operation

Status Notifications

ID/PasswordRecording

Information

email addressStatus Info on

operations

Access History

Most of the functions are contained within each appliance and the information they handle is limited.

Historical Overview of Function and Data Information of Networked Home Appliances（2005~2010：Evolution Phase）

8

Internet（Household）

Cellphone

Digital TV

Recorder

Audio System/Music

Digital Camera/Camcorders

Cooking Appliances

Home Related

201220102008200620042002ADSL

FTTH(Optical Fiber)mova

3G

Browser

Remote Operations

CDDB

Appliance Integration(DLNA)

VOD

Status notifications

Security: Status MonitoringDoor Chime:Visitor Notification

HEMS

Image Upload

Historical Overview of Function and Data Information of Networked Home Appliances（2005~2010：Evolution Phase）

9

Internet (Household)

Cellphones

Digital TV

Recorder

Audio Systems/Music

DigitalCamera/Camcorder

Cooking Appliance

Home Related

201220102008200620042002ADSL

FTTH(Fiber Optic)mova

3G

ブラウザ

宅外操作

CDDB

Device Integration(DLNA)

VOD

状態通知

Security Status MonitoringDoor Chime Visitor Notifications

HEMS

Image upload

CD Ownership List

Payment InfoViewing History

“at home” infoOperational Info of each appliance

Image InformationBlog/UL Service

AccountVisitor Info

email Address

Content Ownership InfoDevice Ownership Info

Operational Info of each device

Power usage infoWith the increase in server/inter-device integration the importance of information also grew

Historical Overview of Function and Data Information of Networked Home Appliances（2010~：Mature Phase）

10

Internet（Household）

Cellphone

DigitalTV

Recorder

Audio System/Music

Digital Camera/Cammcorder

Health Care Appliances

Cooking Appliances

Home Related

201220102008200620042002ADSL

FTTH(Fiber Optic)mova

3Gsmartphone

Browser

Remote Operations

CDDB

Device Integration(DLNA)

VOD

Status Notifications

Security Status MonitoringDoor Chimes Visitor Notification

applications

HEMS

Smartphone Integration

ACRemote Operations

Image Upload

Historical Overview of Function and Data Information of Networked Home Appliances（2010~：Mature Phase）

11

Internet（Household）

Cellphone

Digital TV

Recorder

Audio System/Music

Digital Camera/Cammcorder

Health Care Appliances

Cooking Appliances

Home related

201220102008200620042002ADSL

FTTH(Fiber Optic)mova

3GSmart Phones

Browser

Remote Operation

CDDB

機器連携(DLNA)

VOD

Status Notification

Security Status Monitoringドアホン 来客通知

Apps

HEMS

Smartphone Integration

ACRemote Operation

Image Upload

Payment InfoPurchase History

Address/NameBlog/SNS Account

Physical InfoService Account

Operation InfoService Account

Historical Overview of Function and Data Information of Networked Home Appliances（2010~：Mature Phase）

12

Internet（Household）

Cellphones

Digital TV

Recorder

Audio System/Music

Digital Camera/Camcorder

Health Care Appliances

Cooking Appliance

Home Related

201220102008200620042002ADSL

FTTH(光回線)GSM(cHTML)

広帯域CDMA(HTML/Java)Smartphone

ブラウザ

宅外操作

CDDB

機器連携(DLNA)

VOD

状態通知

Security Operational Infoドアホン 来客通知

Apps

HEMS

スマホ連携

エアコン遠隔操作

画像アップロード

Cloud Integration allows the information linkage to include everything including smartphones.

ID/PassworrRecording history

Email AddressDevice Operation Info

Access History

CD Ownership List

Payment InfoViewing History

Vacancy InfoOperational Info of each device

Image InfoBlog/UL Service

account infoVisitor Info

Email address

Content OwnershipDevice Ownership

Operational Info of each device.

Power Usage Info

Payment InfoPurchase History

住所氏名ブログ/SNSアカウント

Physical Information

Service Account

Operation InfoService Account

Cloud Integration

Address BookVideo/ImageAccount info

The Evolution of Networked Home Appliances Functionality and Information (Near Future)

House hold(Audio Visual, Home , Cosmetic)

PC, Game terminal,InformationterminalSmartphone, Cellphones, Land linesHousing Equipment(Single Family,complexes)

13

Inside the home

connecting

The Evolution of Networked Home Appliances Functionality and Information (Near Future)

Home Appliances（Audio Visual,House hold,Cosmetic)PC,Game Terminal,Information TerminalsSmartphone,Cellphones,LandlinesHousing Equipment( Single Family, Complexes)

Medical Devices (Individual , Institutional)

Public Services（Municipal offices, schools)

Public Transportations（Bus、Trains）

Cars/Automotive equipmentInfrastructure（Power、Gas、Water）Retail(Large scale, individual)

14

Is the era when household appliances , home and public,commercial services are all connected near?

Everything is

connected

Inside the home

connecting

Agenda

15

Changes in the feature of connected CE products

The risks to connect

Performance and trends in the Vulnerability Assessment for connected CE products

Security functions required for CE products in the time of IoT

Closing

Risks of Home Appliances Having Network Capabilities

The possibility of unauthorized access via the network

Many devices have global IPs assigned.

Possibility of attacks leveraging vulnerabilities in home appliances.

Attack by forcing a download of malware

Targeted attacks leveraging XSS/CSRF16

Using search engines you can find sites that hint they

are home appliances.

Fake Firmware or Contents

CVE-2008-3482 (2008)Network Camera made by Panasonic , Reflected XSS vulnerabilityDefect in escaping routine of the display on the error page

Defcon17 (2009)CSRF vulnerability in household network camera by PanasonicMany vulnerabilities were disclosed for household routers and other embedded web systems.

Reported vulnerabilities on CE category: Panasonic case

17

http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000037.html

http://www.blackhat.com/presentations/bh-usa-09/BOJINOV/BHUSA09-Bojinov-EmbeddedMgmt-PAPER.pdf

Reported vulnerabilities on CE category: example of other case

18

Year Product Outline Manufacturer2004 Video recorder Accessible without authentication (springboard) Japan

2008 NAS CSRF (remote data deletion) Japan

2010 Digital camera Arbitrary code execution from SD card Japan

2011 MFP Authentication bypass and more Japan & overseas

2012 Digital TV DoS Japan

2012 Many Devices Arbitrary code execution by UPnP vulnerability Japan & overseas

2013 Digital TV DoS & restart by malformed packets Japan & overseas

2013 Smart phone Intrusion of malware through power cable Japan & overseas

2013 Digital TV Authority seizure & remote control by illegal application Overseas

2013 Lighting system Force unable to turn on Overseas

2013 Home GW Vulnerability in authentication, CSRF and more (electric lock unlock by malicious third party) Overseas

2013 Toilet Hard-Coded Bluetooth PIN Vulnerability Japan

With the advancement of function, the reports of vulnerability have been increasing after 2012

Agenda

19

Changes in the feature of connected CE products

The risks to connect

Performance and trends in the Vulnerability Assessment for connected CE products

Security functions required for CE products in the time of IoT

Closing

Vulnerability Eradication Efforts at Panasonic

20

Base Knowledge

（Awareness/Education）

Base foundation of knowledge regarding product securityTwo pillars supporting Product Security

Minimize RiskIncident Response

Minimize Risk Incident Response

Product Security

Improving security of products including house hold appliancesis an important requirement for Panasonic

Network Home Appliances, Embedded Systems, Services

Response based on product lifecycles.

21

ShippingProduct Lifecycle

Contamination Prevention（Avoid building vulnerabilities into）

Inspection/Removal(Detect vulnerability and

remove）

Maintain/Improve（Response after

shipping）

Resp

onse

Table Top Risk Analysis（Vulnerability

Analysis)

Security Design

・Secure Coding

・Static Analysis

・Vulnerability analysis（Security Inspection）

・Incident response

The need to respond throughout the product lifecycles

Sale/ServiceTestImplementDesignPlan

Disposal

Minimize Risks Incident Response

Response based on product lifecycles.

22

ShippingProduct Lifecycle

Contamination Prevention（Avoid building vulnerabilities into）

Inspection/Removal(Detect vulnerability and

remove）

Maintain/Improve（Response after

shipping）

Resp

onse

Table Top Risk Analysis（Vulnerability

Analysis)

Security Design

・Secure Coding

・Static Analysis

・Vulnerability analysis（Security Inspection）

・Incident response

The need to respond throughout the product lifecycles

Sale/ServiceTestImplementDesignPlan

Disposal

Minimize Risks Incident Response

Vulnerability Analysis for Panasonic House hold appliances and embedded systems

23

The number and details for the vulnerability are for vulnerabilities found “pre shipping”The detected vulnerabilities were patched prior to shippingThese vulnerabilities do not exist in current products available in the general market.

Actual results I will present

Vulnerability assessments for Panasonic house hold appliances and embedded systems

24

Vulnerability assessments for Panasonic house hold appliances and embedded systems

25

Trend of vulnerability : Rise period(2003-05) of Connected CE products

26

Trend of vulnerability : Early progressive period(2006-08)of Connected CE products

27

Trend of vulnerability : late progressive period(2009-10)of Connected CE products

28

Trend of vulnerability : Mature stage(2011-13)of Connected CE products

29

Agenda

30

Changes in the feature of connected CE products

The risks to connect

Performance and trends in the Vulnerability Assessment for connected CE products

Security functions required for CE products in the time of IoT

Closing

Historical Overview of Function and Data Information of Networked Home Appliances（2010~：Mature Phase）

31

Internet（Household）

Cellphones

Digital TV

Recorder

Audio System/Music

Digital Camera/Camcorder

Health Care Appliances

Cooking Appliance

Home Related

201220102008200620042002ADSL

FTTH(光回線)GSM(cHTML)

広帯域CDMA(HTML/Java)Smartphone

ブラウザ

宅外操作

CDDB

機器連携(DLNA)

VOD

状態通知

Security Operational Infoドアホン 来客通知

Apps

HEMS

スマホ連携

エアコン遠隔操作

画像アップロード

Cloud Integration allows the information linkage to include everything including smartphones.

ID/PassworrRecording history

Email AddressDevice Operation Info

Access History

CD Ownership List

Payment InfoViewing History

Vacancy InfoOperational Info of each device

Image InfoBlog/UL Service

account infoVisitor Info

Email address

Content OwnershipDevice Ownership

Operational Info of each device.

Power Usage Info

Payment InfoPurchase History

住所氏名ブログ/SNSアカウント

Physical Information

Service Account

Operation InfoService Account

Cloud Integration

Address BookVideo/ImageAccount info

The Evolution of Networked Home Appliances Functionality and Information (Near Future)

Home Appliances（Audio Visual,House hold,Cosmetic)PC,Game Terminal,Information TerminalsSmartphone,Cellphones,LandlinesHousing Equipment( Single Family, Complexes)

Medical Devices (Individual , Institutional)

Public Services（Municipal offices, schools)

Public Transportations（Bus、Trains）

Cars/Automotive equipmentInfrastructure（Power、Gas、Water）Retail(Large scale, individual)

32

Is the era when household appliances , home and public,commercial services are all connected near?

Everything is

connected

Inside the home

connecting

Future prediction

Spread to the whole of human life

Rapid increase of device

Connect to the various industries

33

Spread to the whole of human life

34

Risk of Serious accident Higher reliabilityFire due to incorrect control of CE productInvalidation of electric lock securityAccident and runaway of automotive

Connect to various device of various manufacturerWe want to guarantee at least minimum level securityWill you need the standard like Industry standard ?

it is not the problem of one company

Entire House, Linkage to automotive, home security and gas app…Information assets = life of customer

The minimum level security ?

Spread to the whole of human life

35

The risk due to share of authentication informationAdoption of SSO is also being investigated in CE productsInfluence of vulnerability will spread to other services that share authentication information

it is not the problem of one provider or one vendor

Constantly connected communications, share of authentication information Useful …

Authentication provider

CE

Smart phone

application

Webservice

Automotive

HEMSgame

CE

Share of authentication

information

What must we do to make product secure ?

SNS

application

Rapid increase of device

36

Lighting, switch, sensor, electric socket, etc.Maintenance of various and huge amount of devices

After vulnerability is reported, software must be updatedLighting, sensor, electric socket…update all ?How to update ?

Service engineers ?Automatic update ?

Disclaimer of firmware updateLifetime of CE product is long (over 10 years)Up to when ?

The update method, the period to continue to care security ?

Connect to the various industries

37

Diversification of I/F, protocolECHONET Lite, CAN, DLNA…Bluetooth, NFC, TransferJet, ZigBee, Z-Wave…Original communication protocol, 920MHz…

Security verification technology must catch upOnly knowledge of the IP network is not enoughKnowledge other than the IP network is necessary

Knowledge of Non-IT engineers will be neededThink tank beyond the type of industry?

Diversification of I/F of the linkage to infrastructure, automotiveand healthcare, security technology catch up

The structure which takes in knowledge of various fields?

Agenda

38

Changes in the feature of connected CE products

The risks to connect

Performance and trends in the Vulnerability Assessment for connected CE products

Security functions required for CE products in the time of IoT

Closing

Closing

39

Several billion of IoT(Internet of Things) will be connected

It is difficult to guarantee security by one companyThe approach beyond the industry/type of industry /position must be needed

Unite for the IoT security !

Internet

Store

Social infrastructure

Public Service Housing equipment

Automotivein-car device

Smart phoneInformation device

PCConnected CE product

Contact

41

Analysis Center Panasonic Corporationhttp://www2.panasonic.co.jp/aec/ns/index.htmlSorry, Japanese Only…

Panasonic-PSIRThttp://panasonic.co.jp/info/psirt/en/product-security@gg.jp.panasonic.com