The Dark Ages of IoT Security
Uploaded by luca-de-fulgentis (category: Technology)
Transcript of The Dark Ages of IoT Security
The Dark Ages of IoT Security
Agenda
§ What is the Internet of Things
§ IoT (in)security
§ Real-world case studies
§ The (scary) future of IoT security
What is the Internet of Things?
What is the Internet of Things
The IoT is the network of physical objects or "things" embedded with electronics, software,
sensors, and network connectivity, which enables these objects to collect and exchange data
Source: Wikipedia
What is the Internet of Things
§ Things are physical objects
§ Things are connected to existing network infrastructure
§ Things collect data – they are probes into the physical world (!)
§ Things can be remotely controlled
§ Things exchange data with (some)thing
What is the Internet of Things
§ (personal) things
§ (home) things
§ (industrial) things
§ (medical) things
IoT (in)security
IoT (in)security
§ What is information security?
§ Confidentiality
§ Integrity
§ Availability
§ The so-called CIA paradigm (or triad)
§ What about IoT security?
IoT (in)security
IoT Security != Device Security
IoT (in)security
§ Why? Think about the mobile security world!
§ Mobile security is
§ The security of the mobile device
§ The security of installed apps
§ The security of 3rd-party apps' back-end systems
§ The security of pre-installed apps' back-ends (e.g., the app store)
§ Now back to the IoT universe...
IoT (in)security
§ Defining attack surface
"the attack surface describes all of the different points where an attacker could get into a system, and where they could get data out"
§ What about the IoT attack surface?
Source: OWASP
IoT (in)security
§ OWASP IoT attack surface areas
§ Ecosystem Access Control
§ Device Memory
§ Device Physical Interfaces
§ Device Web Interface
§ Device Firmware
§ Device Network Services
§ Administrative Interface
§ Local Data Storage
§ Cloud Web Interface
§ Third-party Backend APIs
§ Update Mechanism
§ Mobile Application
§ Vendor Backend APIs
§ Ecosystem Communication
§ Network Traffic
IoT (in)security
§ Now, let’s talk about vulnerabilities
§ No alien technology, no extra-terrestrial bugs
§ OWASP defines an ad-hoc list for IoT
§ Welcome to the OWASP IoT Top Vulnerabilities
§ It is a list of vulnerabilities, not risks
§ In 2014 the list was a canonical Top 10
§ Currently 13 vulnerabilities are included
IoT (in)security
1. Username Enumeration
2. Weak Passwords
3. Account Lockout
4. Unencrypted Services
5. Two-factor Authentication
6. Poorly Implemented Encryption
7. Update Sent Without Encryption
8. Update Location Writable
9. Denial of Service
10. Removal of Storage Media
11. No Manual Update Mechanism
12. Missing Update Mechanism
13. Firmware Version Display and/or Last Update Date
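The first three entries of that list (username enumeration, weak passwords, missing account lockout) are exactly the kind of "no alien technology" bugs the deck refers to, and they usually live in the device web interface. The following is an added example, not code from the deck or from any vendor: a hypothetical device login handler in its vulnerable form next to a hardened one, plus the probes an attacker would run against either. The credential store, the salt and the default password are constructed data.

```python
"""OWASP IoT list items 1-3 in a device login handler: a vulnerable version
beside a hardened one, and the attacker-side probes that tell them apart.
Constructed example; the credential store and all names are hypothetical."""
import hashlib
import hmac
import os

# Constructed credential store of a hypothetical device web interface.
SALT = b"constructed-fixed-salt"          # fixed so the example is deterministic


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {
    "admin":   hash_password("admin"),      # shipped default credential (item 2)
    "support": hash_password("Kz9!vq-Rm2#p"),
}
DUMMY_HASH = hash_password("")              # compared against for unknown names


def password_policy_ok(password: str) -> bool:
    """Reject the kind of default the vulnerable store ships with."""
    return len(password) >= 12 and password.lower() not in {"admin", "password", "12345678"}


class VulnerableLogin:
    """Distinct error messages and no lockout: items 1 and 3."""

    def login(self, user: str, password: str):
        if user not in USERS:
            return 401, "unknown user"          # tells the caller the name is absent
        if not hmac.compare_digest(USERS[user], hash_password(password)):
            return 401, "wrong password"        # tells the caller the name exists
        return 200, "ok"


class HardenedLogin:
    """One response for every failure, a password hash computed on every path
    (so timing does not differ for unknown names), and a failure counter kept
    per submitted name whether or not it exists, so the lockout itself does
    not become a new enumeration oracle."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = {}                      # submitted name -> consecutive failures

    def login(self, user: str, password: str):
        stored = USERS.get(user, DUMMY_HASH)
        ok = hmac.compare_digest(stored, hash_password(password)) and user in USERS
        if self.failures.get(user, 0) >= self.MAX_FAILURES:
            ok = False                          # locked: the right password no longer helps
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            return 401, "invalid credentials"
        self.failures.pop(user, None)
        return 200, "ok"


def enumerate_users(handler, candidates, bogus_password="not-the-password"):
    """Attacker-side probe (item 1): a name is confirmed when the response to a
    bogus password differs from the response for a name that cannot exist."""
    baseline = handler.login("nobody-" + os.urandom(4).hex(), bogus_password)
    return sorted(u for u in candidates if handler.login(u, bogus_password) != baseline)


def brute_force(handler, user, guesses):
    """Attacker-side probe (items 2 and 3): walk a short default-password list;
    returns the guess that logged in, or None."""
    for guess in guesses:
        if handler.login(user, guess)[0] == 200:
            return guess
    return None
```

Against `VulnerableLogin`, `enumerate_users` confirms `admin` and `support` from a wordlist and `brute_force` then lands on the shipped default; against `HardenedLogin` the probe learns nothing and the sixth guess is refused even when it is correct. The hardened handler trades enumeration for a lockout vector (an attacker who knows a name can keep it locked, which is item 9 on the same list), which is why real devices pair the counter with progressive delays or per-source throttling rather than a hard lock alone.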
IoT (in)security
§ Slightly random thoughts on IoT security
✓ IoT is "happening", with rapid (chaotic) development and no appropriate consideration of security
✓ More devices == more data == more cyber attacks
✓ "Things" are probes in everyone's life
✓ Smart TVs, cameras and thermostats are literally "watching" us!
✓ Device firmware updates will be ruled by the market – see ya, security, in 18 months?
Real-world case studies
Real-world case studies
§ Source: HP research on smart watches
§ Source: Rapid7 research on baby monitoring systems
§ Source: HP research on home security systems
The (scary) future of IoT security
The (scary) future of IoT security
Skynet is waiting
The (scary) future of IoT security
50 BILLION objects by 2020
Source: Cisco
The (scary) future of IoT security
§ Complexity. That's the problem.
§ The Internet of Things is wild and open, and no one will pay to secure (every)thing
§ Vendors are urgently called on to implement solutions that are secure by design, to reduce the risks
§ Extensive standardization on "how things should be securely implemented" could truly be a panacea
Thank you