The Dark Ages of IoT Security

The Dark Ages of IoTSecurity

Agenda

§ What is the Internet of Things§ IoT (in)security§ A real-world case studies§ The (scary) future of IoT security

What is the Internet of Things ?

What is the Internet of Things

The IoT is the network of physical objects or "things" embedded with electronics, software,

sensors, and network connectivity, which enables these objects to collect and exchange data

Source: Wikipedia


§ Things are physical objects§ Things are connected with existing network infrastructure

§ Things collect data – physical world’s probes (!)§ Things can be remotely controlled§ Things exchange data with (some)thing


(personal) things


(home) things


(industrial) things


(medical) things

IoT (in)security

IoT (in)security

§ What is information security ?§ Confidentiality

§ Integrity

§ Availability

§ The so called CIA paradigm (or triad)§ What about IoT security?

IoT (in)security

IoT Security != Device Security

IoT (in)security

§ Why? Think about mobile security world !§ Mobile security is

§ The security of the mobile device

§ The security of installed apps

§ The security of 3rd party apps’ back-end systems

§ The security of pre-installed apps’ back-end (e.g., apps

store)

§ Now back to the IoT universe..

IoT (in)security

§ Defining attack surface

“the attack surface describes all of the differentpoints where an attacker could get into

a system, and where they could get data out”

§ What about IoT attack surface ?

Source: OWASP

IoT (in)security

EcosystemAccess Control Device Memory Device Physical

InterfacesDevice Web Interface

Device Firmware Device Network Services

Administrative Interface

Local Data Storage

Cloud Web Interface

Third-‐party Backend APIs

Update Mechanism

Mobile Application

Vendor Backend APIs Ecosystem Communication Network Traffic

IoT (in)security

§ Now, let’s talk about vulnerabilities

§ No alien technology, no extra-terrestrial bugs

§ OWASP defines an ad-hoc list for IoT§ Welcome to the OWASP IoT Top Vulnerabilities§ It represents a list of vulnerabilities not risks

§ In 2014 the list was a canonical Top 10

§ Currently 13 vulnerabilities are included

IoT (in)security1. Username Enumeration2. Weak Passwords3. Account Lockout4. Unencrypted Services5. Two-factor Authentication6. Poorly Implemented Encryption7. Update Sent Without Encryption8. Update Location Writable9. Denial of Service10. Removal of Storage Media11. No Manual Update Mechanism12. Missing Update Mechanism13. Firmware Version Display and/or Last Update Date

IoT (in)security

§ Slightly random thoughts on IoT security

ü IoT is “happening” with a rapidly (chaotic) development without appropriate considerations on security

ü More devices == more data == more cyber attacks

ü “Things” are probes in everyone’s life

ü Smart TV, cameras, thermostats are literally “watching” us !ü Devices firmware update will be ruled by market – see ya security in 18 months?

Real-world case studies


Source: HP research on smart watches


Source: Rapid7 research on baby monitoring systems


Source: HP research on home security systems

The (scary) future of IoT security


Skynet is waiting


50 BILLIONobjects by 2020

Source: Cisco


§ Complexity. That’s the problem.§ The Internet of Things is wild, open and no one will pay for secure (every)thing

§ Vendors are urgently called to implement solution secure by design to reduce the risks

§ An extensive standardization on “how things should be securely implemented” could be truly a panacea

Thank you

The Dark Ages of IoT Security

Technology

Transcript of The Dark Ages of IoT Security