UBIQUITOUS: AT WHAT COSTS?
The absolute need for security in the fundamental phases of Internet of Things

WHITE PAPER | JANUARY 2017

MISON RIGGINS

ABSTRACT

As our generation grows more “tech-needy” and our children’s generation grows “tech-dependent,” the appeal of surrounding oneself with the “Internet of Things” (IoT), where all appliances become interconnected gadgets with access to the Internet, will outweigh the thought of cyber security. This raises the question: At what cost are we choosing innovative convenience? This paper delves into the broader security issues that arise from whole-heartedly embracing IoT in our lives without ensuring that security is at the core of development. The scope of this paper is limited to the broader concepts of IoT, the resulting security issues, and a recommendation of best practices.



CONTENTS

- PREFACE
- INTRODUCTION
- INTERNET OF THINGS
- RESULTING SECURITY ISSUES
  - SCENARIO 1: RISKS OF HOME AUTOMATION
  - IMPLICATIONS
  - SCENARIO 2: POTENTIAL PROPENSITIES OF REMOTE OPERATIONS
  - IMPLICATIONS
- RECOMMENDATIONS
- FURTHER RESEARCH
- CONCLUSION
- RESOURCES
- WORK CITED
- APPENDIX A
- LIST OF IMAGES & FIGURES


PREFACE

It’s the spring of 2005. A gaggle of excited, chattering high school students crowds the subway heading toward downtown Seoul, where the Ubiquitous Exhibition is being held. Their teacher, Anna T., is in the midst of them, smiling and nodding.

“Anna T., what are we going to see there?” asks one curious student. “What kind of things are they showing?” inquires another. Anna T. just smiles and boldly says, “Things of our future.”

Little did she know, the ubiquitous novelties they observed and experienced that day would later be coined, “Internet of Things” (IoT) or “Internet of Everything” (IoE):

• A door knocker that records sound and video of visitors and displays it on a Smart TV
• A watch that acts as a door key, car key, “home manager,” and credit card
• A fridge that scans the bar codes of store-bought items and reorders those items when they are running low
• A picture frame that changes paintings/images by voice command
• A Smart TV that lets viewers purchase, at the touch of a button or by voice command, the clothing worn by the actors or the items displayed on set in the show or movie they are currently watching
• A shower that adjusts its temperature by calculating the temperature of the air in the room
• A room that dims or brightens by voice command
• A house equipped with a virtual butler: speak, ask, or command and things begin to move. A vacuum cleaner is activated and starts to clean, the weather and traffic report is displayed on one of the many screens set up throughout the house, items are bought online, the oven begins preheating, and so on
• A car that displays the video feed from the house and can send commands to turn lights on/off, adjust the thermostat, turn the oven or stove on/off, lock doors and windows, turn the security system on/off, and more



INTRODUCTION

As our generation grows more “tech-needy” and our children’s generation grows “tech-dependent,” the appeal of surrounding oneself with the “Internet of Things” (IoT), where all appliances become interconnected gadgets with access to the Internet, will outweigh the thought of cyber security. This raises the question: At what cost are we choosing innovative convenience?

IoT as a multi-faceted industry must be built upon a solid security-based foundation. This paper delves into the broader security issues that arise from whole-heartedly embracing IoT in our lives without ensuring that security is at the core of development. The scope of this paper is limited to the broad concepts of IoT, the resulting security issues, and a recommendation of best practices.

INTERNET OF THINGS – BROAD CONCEPT

The buzzwords IoT and IoE encompass a plethora of technological fields thrown together in an alphabet soup. In the broadest sense of the term, IoT is the concept of interconnecting multiple devices to each other as well as to the Internet. Bradley, Barbier, and Handler (2013), key technologists from Cisco, expound upon this concept by stating,

Technology and business trends are ushering in the age of IoE, creating an unprecedented opportunity to connect the unconnected: people, processes, data, and things [through] smart grids, smart buildings, connected healthcare and patient monitoring, smart factories, connected private education, connected commercial (ground) vehicles, connected marketing and advertising, and connected gaming and entertainment, among others. (p.5)

The “age of IoE” trend is fast becoming a way of life and the household norm as more and more gadgets are no longer novelties but essentials in the home, office, schools, medical centers, industrial centers, and transportation. “In the Internet of Things vision, every physical object has a virtual component that can produce and consume services. Such extreme interconnection will bring unprecedented convenience and economy, but it will also require novel approaches to ensure its safe and ethical use” (Roman, Najera, and Lopez 2011). Thus, cyber security awareness as well as integrated foundational security measures are key aspects in IoT development going forward.

Figure 1: Outer Lying Reaches of IoT. Source: http://eecatalog.com/caciufo/wp-content/uploads/2014/07/AD-LINK-business-areas.png


The current predominant methodology of interconnectedness among devices is the use of Internet Protocol (IP) and Radio Frequency Identification (RFID) technology within small, low-powered chips embedded in the device. Their compact size and small footprint make this technology well suited to turning IoT devices into mass commodities. Devices are connected through “three types of connections—machine-to-machine (M2M), person-to-machine (P2M), and person-to-person (P2P)” (Bradley, Barbier, and Handler, 2013, p.5). Some of the common IoT connections include:

1. Ethernet for home automation systems
2. Web interfaces
3. Web requests/firmware
4. Smartphone applications
5. RTOS [1]
6. Wi-Fi
7. Zigbee [2]
8. Bluetooth (James Lyne, 2015)

These connections enable Smart TVs to become all-in-one big-screen computers with online capabilities such as streaming, web searches, gaming, voice recognition, and video conferencing. The cumbersome desktop CPU is no longer needed, giving users sleeker designs with more space. As ideal as it sounds, these Smart TVs pose a major security threat, since firewalls, antivirus software, and intrusion detection systems (IDS) have been left out of the product to streamline it. Through default passwords on the many preloaded web apps on the Smart TV, malicious actors can gain access to the connected network, escalate privileges, and turn that expensive, sleek Smart TV into a spy camera that records your every move. Average consumers buying such products have been conditioned to plug and play, with little to no training in basic cyber security measures such as changing default passwords before connecting a device to the Internet.

Even though history plainly reveals that computer and software technology has always added security measures as an afterthought, IoT cannot be handled the same way. We as a whole must strive to be a more cyber security aware generation concerning computers, mobiles, and IoT devices. Techies and non-techies alike, from developers and engineers to CEOs and their staff to end users young and old, we all must have basic cyber security concepts ingrained in our everyday lives as naturally as breathing.

[1] A Real-Time Operating System (RTOS) serves real-time applications by processing data as it comes in, typically without buffering delays, by providing a deterministic execution pattern. For more information, see www.rtos.com

[2] Zigbee is a wireless technology (IEEE 802.15.4-based specification) that serves as an open global standard addressing the unique needs of low-cost, low-power wireless M2M networks.



RESULTING SECURITY ISSUES

While interconnected automation devices like the Smart TV offer a more convenient lifestyle, both cyber security threats and physical safety threats raise red flags when IoT is welcomed with open arms. “Today, the worst damage that current information security threats could cause is a loss of revenue. Yet the damage of future threats could be severe and could cause loss of lives” (Dlamini, Eloff, and Eloff, 2009). Two scenarios that could result from blind adoption of the IoT without considering the risks involved are laid out below.



SCENARIO 1: RISKS OF HOME AUTOMATION

In June 2014, Columbia University researchers Yossef Oren and Angelos Keromytis exposed a flaw in the Hybrid Broadcast-Broadband Television Standard (HbbTV) used on millions of European smart TVs. HbbTV has been adopted by 90% of smart TV manufacturers in Europe to add interactive HTML content to terrestrial, cable, and satellite signals. Oren and Keromytis revealed that the HbbTV standard is vulnerable to large-scale exploitations that would be “remarkably difficult to detect.”

This so-called “red button” attack, named after the red button on a user’s remote control, would enable a hacker to intercept the sound, picture, and accompanying data sent by a broadcast. The attacker then becomes the broadcaster, feeding whatever content he wants to the victim—and receiving data sent by the victim to various smart TV apps. A hacker could use this exploit to display bogus commercials on a victim’s TV screen, or log into the victim’s Facebook account and post with that person’s name.

What this type of attack reveals is the paltry amount of security inherent in this new generation of connected devices. A smart TV (or any smart device) needs to be every bit as secure as your computer system, and most aren’t. Where your computer is protected (somewhat) by a firewall application, most smart TVs do not have even this basic level of protection. This leaves them vulnerable to attacks that wouldn’t be nearly as successful on a more secure personal computer.

– excerpt from Miller’s The Internet Of Things: How Smart TVs, Smart Cars, Smart Homes, And Smart Cities Are Changing The World, Chapter 3.



IMPLICATIONS

Not only can the malicious hacker take control of the content streamed to the Smart TV, but its hardware can also be compromised. The Smart TV’s camera could conceivably become a spy camera, allowing the attacker to watch your family’s every move even without the TV screen being on. Moreover, once the device has been compromised, it is easy to escalate the attack to glean user credentials for the router, the Internet Service Provider (ISP), or various user accounts for applications such as Netflix, YouTube, Amazon Prime, and so on. These credentials allow the attacker, at best, to run up charges on one’s account and, at worst, to access other IoT devices within the household and wreak potentially dangerous havoc.

Many interconnected devices rely on RF technology, so a weakness in one can cascade to the others. Leopold (2015) explains, “Among the most vulnerable points in networks ranging from home offices to the proposed Internet of Everything are radio frequency, or RF, links that will be used to tie together potentially billions of devices.” Another factor in this case is the inherent weakness of a Smart TV combined with the insecurity of many web interfaces. OWASP representative Daniel Miessler identified “Insecure Web Interface” [3] as the number one security issue for IoT at the RSA Conference 2015.

[3] See Appendix A for the complete list of OWASP’s Internet of Things Top Ten Security Issues.


Web interfaces pose a serious threat because the attack vectors include using weak credentials, capturing plaintext credentials, or enumerating accounts to gain access to the interface. OWASP lists these as the root causes of insecure web interfaces. The reason is that “Insecure web interfaces are prevalent as the intent is to have these interfaces exposed only on internal networks; however threats from the internal users can be just as significant as threats from external users” (Miessler, 2015). When escalated, breaches can lead to data loss, data corruption, lack of accountability, denial of access, and/or complete device takeover. To prevent such results, product engineers must include quality assurance (QA) checks that examine the interface manually, along with automated testing tools to identify other issues such as cross-site scripting (XSS) [4].

[4] Cross-Site Scripting (XSS) enables attackers to inject malicious client-side script into web pages viewed by other users.

Figure 2: Connected devices estimates by Gartner. Source: http://www.gartner.com/newsroom/id/3165317


SCENARIO 2: POTENTIAL PROPENSITIES OF REMOTE OPERATION

Consider the possible risks accompanying home automation in the era of the IoT. A hacker somewhere in China identifies an exploitable vulnerability in electronic stoves. The hacker discovers that the vulnerability could allow him/her to covertly switch a compromised stove on/off and adjust the heat to whatever he/she likes. The hacker creates an exploit that will search the IoT for all stoves that have not been patched for the identified vulnerability. He sets it free on the Internet. Voila! His exploit identifies a couple of vulnerable stoves on the IoT, one of which is owned by Mrs van der Merwe in South Africa.

Mrs van der Merwe left a turkey in her oven ready to cook as she left home for work. She had planned that just before she leaves work she would remotely switch on her stove and let it start cooking slowly while she is stuck in the Johannesburg traffic jam. On a very busy day her trip would take a minimum of two hours and by the time she arrives home the food would be ready and still warm.

Unknown to Mrs van der Merwe, the hacker decides to take control of her stove and puts it at maximum power to burn the turkey. She comes home to find the house in smoke. The damage is minor—a delayed dinner, an increase in electricity bills—but at worst could result in the house burning down.

– excerpt from Dlamini, Eloff, and Eloff’s Internet of Things: Emerging and future scenarios from an Information Security Perspective, 2009, p. 4.



IMPLICATIONS

That same hacker could also scan for other similar stoves in the surrounding areas, exploit the vulnerability, and own a “botnet [5] of stoves.” He decides to get creative and uses the botnet to turn all the compromised stoves on at the same time at high temperatures to overtax the power grid and bring down the main power station, shutting down the whole district. (See Figures 3 and 4 below.)

Across the world, another nefarious individual sees that he can buy cheap USB rubber duckies in bulk for $200. He acquires 500 of them and cracks their digital component overnight by googling for the hack codes. He lies low until Black Friday, when he knows the parking lots will be full. While everyone is inside shopping for holiday gifts and good deals, he strews these benign-looking USB rubber duckies across the parking lot of a Best Buy. Then he goes home and watches on previously hacked CCTV cameras while he wreaks mass panic by activating the malicious code in the gadgets, setting them on fire remotely with a tap on his smartphone.

How is this possible? Panelist Ed Skoudis, during the RSA Conference 2015, opened our eyes to the “Internet of Evil Things”: a proliferation of small, cheap devices, often with no replay prevention in their protocols, and with XSS or command injection flaws.

[5] A botnet, or zombie army, is a number of compromised Internet-connected computers that a malicious hacker secretly controls in order to use their resources to mount a powerful attack such as a Distributed Denial of Service (DDoS).


The lack of innate security features results in:

• Light control devices that could be used to cause a fire;
• Toys that could catch fire when they heat up from replicating commands a thousandfold;
• XSS injections into the device that essentially download compromised firmware to the device, providing access to your network; and
• Commoditization of malicious hardware: so low-cost that it becomes disposable hacking technology (Skoudis 2015, slide 6).

Cyber warfare quickly escalates into daunting terrorist attacks: disposable hack gadgets and cheap, innocuous-seeming rubber duckies become miniature landmines. The IoT, once an innovative technology of convenience, becomes the IoET, the Internet of Evil Things, which wreaks widespread havoc like modern-day Gremlins.

Figure 3: Substation Failure

Figure 4: Main Power Station Failure


RECOMMENDATIONS

Though the movie reference may seem far-fetched, if IoT does not have security in its most basic programming architecture, then compromises of the embedded tech would be comparable to pouring water on innocent little Gizmo. While IoT is still in production (or, better yet, in the design phase of each product), “the opportunity exists to design solutions that include basic privacy and security controls. We cannot roll out IoT and then consider the implications of privacy and security concerns. IoT privacy and Security controls need to be in the DNA of the solutions” (Dlamini, Eloff, and Eloff, 2009). The old paradigm of slapping on firewalls, antivirus software, or Intrusion Prevention Systems (IPS) will not work for IoT. Dlamini, Eloff, and Eloff adamantly stress, “It is therefore of vital importance for information security experts to proactively combine their efforts in comprehending and trying to understand the kinds of threats that they are likely to face in the future Internet of Things” (p. 5). Let’s take a look at some of these collaborative efforts.

Several key cyber security engineers are researching ways to shore up RF links, which are particularly vulnerable to attack. This known attack surface poses a major problem, as RF links are predominantly used to control drones as well as a multitude of interconnected devices that form an Internet of Things/Sensors. By exploiting inherent vulnerabilities in RF links, nefarious actors can gain control of many such devices. Thus, “much attention is being focused on how to secure the vulnerable points in a growing network of networks” (Leopold, 2015).

One method is to integrate block ciphers into IoT security. Leopold explains, “A block cipher is a method of encrypting text in which a cryptographic key and algorithm are applied to a block of data.” He further clarifies, “All proposals are designed to be ‘lightweight’ so they can be implemented on wireless networks relying on RF links, including RFID links that are expected to play a key role in tying together sensors, devices and the data they generate” (Leopold, 2015).
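To show what “lightweight” means in practice, here is Speck32/64, one published lightweight block cipher (Beaulieu et al., “The SIMON and SPECK Families of Lightweight Block Ciphers,” 2013), written out in Python. It is an added illustration chosen for this page: it is not one of the proposals Leopold refers to and not code from the paper. The whole cipher is modular addition, rotation, and XOR on 16-bit words, which is why it fits an RFID-class chip. The key and plaintext below are the designers’ published test vector; a 32-bit block with a 64-bit key is far too small for anything beyond a demonstration.

```python
WORD = 16                       # Speck32/64: 16-bit words, 32-bit block, 64-bit key
MASK = (1 << WORD) - 1
ALPHA, BETA, ROUNDS = 7, 2, 22  # rotation amounts and round count for this variant


def ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (WORD - r))) & MASK


def rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (WORD - r))) & MASK


def expand_key(key: int) -> list:
    """64-bit key -> 22 round keys. Lowest word is k0; the next three are l0, l1, l2."""
    words = [(key >> (WORD * i)) & MASK for i in range(4)]
    k, l = [words[0]], words[1:]
    for i in range(ROUNDS - 1):
        l.append(((k[i] + ror(l[i], ALPHA)) & MASK) ^ i)
        k.append(rol(k[i], BETA) ^ l[i + 3])
    return k


def encrypt_block(pt: int, round_keys: list) -> int:
    """One block; x is the high 16 bits, y the low 16 bits. Only add, rotate, xor."""
    x, y = (pt >> WORD) & MASK, pt & MASK
    for k in round_keys:
        x = ((ror(x, ALPHA) + y) & MASK) ^ k
        y = rol(y, BETA) ^ x
    return (x << WORD) | y


def decrypt_block(ct: int, round_keys: list) -> int:
    """Exact inverse: undo the rounds in reverse order."""
    x, y = (ct >> WORD) & MASK, ct & MASK
    for k in reversed(round_keys):
        y = ror(y ^ x, BETA)
        x = rol(((x ^ k) - y) & MASK, ALPHA)
    return (x << WORD) | y


# Published Speck32/64 test vector (Beaulieu et al., 2013):
# key 1918 1110 0908 0100, plaintext 6574 694c, ciphertext a868 42f2.
TEST_KEY = 0x1918111009080100
TEST_PT = 0x6574694C
TEST_CT = 0xA86842F2


def self_test() -> bool:
    rk = expand_key(TEST_KEY)
    return encrypt_block(TEST_PT, rk) == TEST_CT and decrypt_block(TEST_CT, rk) == TEST_PT


if __name__ == "__main__":
    rk = expand_key(TEST_KEY)
    print("round keys:", [hex(k) for k in rk[:4]], "...")
    print("ciphertext:", hex(encrypt_block(TEST_PT, rk)), "self-test:", self_test())
```

A block cipher on its own only provides confidentiality of each block. On an RF link it still has to be used in a proper mode with a message authentication code (or an authenticated mode) so that a recorded frame cannot be replayed or altered, and the per-device key has to be provisioned and stored so that dumping one unit’s firmware does not expose the rest of the fleet.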

Along the same lines, another developer, SecureRF, approaches the RF link issue with the “Algebraic Eraser,” a low-power, public-key crypto method that targets IoT applications (Leopold, 2015). Shelton insists that SecureRF’s approach outperforms existing commercial security methods in “providing identification, authentication and encryption security for low-power devices found on the Internet of Things” (qtd. in Leopold, 2015). In fact, he announced that the Algebraic Eraser approach outperformed Elliptic Curve Cryptography in terms of speed and power consumption. Those speed and power figures are the vendor’s own, though; a proprietary scheme has had far less public cryptanalysis than the standardized elliptic-curve methods, so performance alone is not a reason to adopt it.



While securing RF links is important, Kaprica Security chose to tackle Return-Oriented Programming (ROP) and memory corruption attacks, which exploit weaknesses in fundamental binary execution flow. In a ROP attack, someone alters the natural order in which code executes: the attacker makes existing pieces of code run out of order, much like reordering the words within a book (Simon Hartley, 2015, p.7). Memory corruption results from buffer, heap, or stack overflow attacks and can be likened to writing over the words in the book.

Figure 5 depicts a properly working binary execution flow whereas Figure 6 shows how ROP or memory corruption attacks affect the flow.

The solution Kaprica Security arrived at is a security technology called Runtime Application Self-Protection (RASP), which can be built into an application or an application runtime environment. RASP controls application execution while detecting and preventing attacks in real time. The benefits include:

• Affordable, automatic, fast, one-time binary transformation requiring no special skills or manipulation of new code,

• Utilized as standalone or part of defense in-depth security strategies, and

• Requires NO additional or cumbersome source code (Hartley, 2015).

Built-in RASP essentially blocks attackers from taking advantage of binary execution weaknesses. Hartley (2015) explains: “The idea is that you take pages of memory that should only contain data (not code) and mark them as No Execute [6]. In theory, this stops attackers from utilizing memory in data pages (like buffers) as places to put shell code” (p.8). Moreover, “randomization is a basic RASP technique to ‘inoculate’ an app binary, rendering ROP and memory corruption attacks inert since the attacker would have to rebuild the attack for each and every binary, which would not be practical” (Hartley, 2015, p.8). These are the same no-execute and randomization protections that desktop operating systems already apply; what RASP adds is applying them to an existing binary without a rebuild, and per-binary randomization holds only as long as the attacker cannot read the layout back out of the running device. Thus, RASP offers one avenue for reducing the attack surface.

[6] Meaning, the CPU is not allowed to treat those pages of memory as code.

Figure 5: Binary Execution Review

Figure 6: ROP or Memory Corruption Attack



As cyber security engineers and developers continue to brainstorm and implement security solutions, a need still exists for a collaborative effort in spreading consumer awareness and, more so, cyber security awareness. To that effect, OWASP suggests a multi-tiered approach:

1. Understand the main attack surface areas for any IoT device or ecosystem
2. As a tester, be able to hit the major issues for each surface area for the product you’re testing
3. As a manufacturer, be able to ensure that you’ve done your due diligence in security across the main surface areas
4. As a developer, be able to ensure that you’re avoiding the top security issues while building your particular component
5. As a consumer, ensure you’re using the technology safely (Miessler, 2015).

All levels of the design and development process—including the consumers who utilize IoT devices—have a responsibility to know and infuse “security” into the product itself.

To expound on IoT best practices, Inspired eLearning, a cyber security awareness training firm, offers online training courses on this subject as well as on various other top cyber security awareness issues. In their interactive training module, the IoT best practices are identified as:

• Encrypt data stored or transmitted, especially with Cloud Services,
• Safeguard privacy (no collection or sharing with third party entities),
• Centralized authentication and administration features,
• Purchase from reputable vendors [who provide] security updates for the life of the product,
• Update firmware regularly,
• Change the Admin and default passwords, and
• Turn off unneeded data/storage connection features (e.g., NFC, Bluetooth, Wi-Fi Direct, etc.). (Inspired eLearning 2015, S-161-HS: Internet of Things & Home Security) [7]

Just as implanted electronic chips in every inanimate object with which we surround ourselves will become the “new norm,” cyber security awareness must become second nature to our public at large.

[7] More information on this course can be found at http://www.inspiredelearning.com/courses/security-awareness/s-161/internet-of-things



FURTHER RESEARCH

As IoT is rapidly becoming the next technological breakthrough after virtual machines and cloud computing, several prerequisites must be addressed. IoT inventors need to research and implement ways to embed security features before production. Ideally, IoT devices and connection links will be designed with defense-in-depth security strategies as their core foundation.

Moving forward, areas that still need to be investigated are how to incorporate “kill switches,” synchronization efforts, and faster communication avenues. Built-in remote kill switches, or even a physical Off button, might keep attacks from escalating. On the other hand, they may introduce another slew of problems, including safety issues when affected products are suddenly deactivated; a remote kill switch is also one more remotely reachable command, and an unauthenticated one hands an attacker a ready-made denial-of-service button. Additionally, lapses in real-time communication between interconnected devices are currently holding back the release of IoT automated vehicles. More research and development are essential in “time-aware systems and synchronization to further the development of safety critical systems such as IoT transportation vehicles” (Marc Weiss, et al. 2015, p. 22). The implications of IoT for the very fabric of life as we now know it are already causing ripple effects.

Consequently, the highest priority for IoT at present is to rethink the idea of “security as an afterthought.” Moreover, “The currently well known Information Security services such as confidentiality, integrity, and availability will be insufficient and has to be drastically expanded to include services such as access control for real-time end-to-end-environments and critical infrastructure protection” (Dlamini, Eloff, and Eloff, 2009). IoT demands a new functional security model.

In short, federal and international leaders in information security must collaborate and reach a consensus on the regulatory information assurance measures that must be part of the IoT development process before products are released for public consumption. Robert Bigman, a former chief information security officer at the CIA, points out that a lack of federal policy governing the Internet of Things has left a security vacuum. He states, “There’s a bigger problem than the need for voluntary security standards, we don’t have any governance policy or regulations at the federal level over this entire issue of the Internet of Things” (qtd. in Lyngaas, 2015). To take Bigman’s statement one step further: just as the “Internet” is not confined to a certain country but affects us worldwide, IoT is also a global issue that must be addressed by all parties involved. International standards for IoT implementation and production are an absolute necessity.

FURTHER RESEARCH

Page 15 WHITE PAPER | JANUARY 2017

“Ideally, the IoT devices and connection links will be designed with defense-in-depth security strategies as their core foundation.”


CONCLUSION

The age of the Internet of Things is no longer a figment of a science-fiction movie. It is our present and our future. With all innovative and cutting-edge technology, regulatory standards and safety measures are always a concern. In this respect, IoT is no different. As a multi-faceted industry, IoT and all its array of devices and implications must be built upon a solid security-based foundation with consumer awareness at its forefront. This paper attempts to touch upon the broader security issues that arise from blindly embracing IoT into our lives without ensuring proper security measures are in place. The scope of this paper is limited to basic IoT concepts, known security issues, best practices, and areas of further research. The bottom line is: IoT should not be reduced to a “rat race” of who can release a better, faster product; rather, IoT should be the turning point in our collective mindset of tackling cyber security issues in product design, development, and deployment.

RESOURCES

2016 Mobile World Congress: “Security of Internet of Things.” Video link: https://www.youtube.com/watch?v=y_j_j1F-DbM&feature=youtu.be

CISCO: The Smart and Connected Vehicle and the Internet of Things. 2013. PowerPoint Presentation link: http://tf.nist.gov/seminars/WSTS/PDFs/1-0_Cisco_FBonomi_ConnectedVehicles.pdf

IoT Security Summit 2015: “IoT Security: The Ugly Truth, Mike Muller CTO, ARM.” Video link: https://www.youtube.com/watch?v=j2qAkWDSDkg

Kaprica Security: PowerPoint Presentation on “How to secure IoT without expensive & time consuming re-engineering or source code changes.” June 17, 2015. Video link: https://www.youtube.com/watch?v=iEMruhRaQn4

OWASP: Internet of Things Top Ten. PowerPoint Presentation link: https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf

RSAC TV: Interview with Billy Rios. Scroll down for Video link: https://www.rsaconference.com/events/us15/agenda/sessions/1577/home-sweet-owned-a-look-at-the-security-of-iot

RSAC TV: RSA Asia Pacific & Japan Conference 2016 “Quick Look: IoT Security and Risk Management.” Video link: https://www.rsaconference.com/videos/quick-look-iot-security-and-risk-management

WORKS CITED

Bradley, Joseph, Joel Barbier, and Doug Handler. 2013. “Embracing the Internet of Everything to capture your share of $14.4 trillion: More relevant, valuable connections will improve innovation, productivity, efficiency & customer experience,” CISCO. [White Paper]. http://www.cisco.com/web/about/ac79/docs/innov/IoE_Economy.pdf

Dlamini, M.T., M.M. Eloff, and J.H.P. Eloff. 2009. “Internet of Things: Emerging and future scenarios from an Information Security perspective,” Information and Computer Security Architectures Research Group. Southern Africa Telecommunication Networks and Applications Conference (SATNAC 2009). August–September. Swaziland, p. 6. http://researchspace.csir.co.za/dspace/bitstream/10204/4411/1/Dlamini4_2009.pdf

Folk, Chris, Dan C. Hurley, Wesley K. Kaplow, and James F.X. Payne. 2015. “The security implications of the Internet of Things,” AFCEA International Cyber Committee. February. [White Paper]. http://www.afcea.org/mission/intel/documents/InternetofThingsFINAL.pdf

Hartley, Simon and Sagar Momin. 2015. “How to secure IoT with Kaprica Runsafe RASP technology.” Kaprica Security, INC. August 17. [White Paper]. https://www.kaprica.com/assets/flyers/runsafe_white_paper.pdf

Leopold, George. 2015. “NIST Looks to Secure the IoT,” Tabor Communications Publications: EnterpriseTech. June 18. [eJournal]. http://www.enterprisetech.com/2015/06/18/nist-looks-to-secure-the-iot/

Lyne, James. 2015. “Internet of Things: The Big Hacks, Malware and Exploits of 2014 and What Is To Come,” RSA 2015 Conference April 20-24. April 21. [Presentation Notes].

Lyngaas, Sean. 2015. “NIST official: Internet of Things is indefensible,” FCW: The business of federal technology. April 16. [Online Article]. https://fcw.com/articles/2015/04/16/iot-is-indefensible.aspx

Miessler, Daniel. 2015. “Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project.” RSA 2015 Conference April 20-24. April 21. [Presentation]. https://www.rsaconference.com/writable/presentations/file_upload/asd-t10-securing-the-internet-of-things-mapping-iot-attack-surface-areas-with-the-owasp-iot-top-10-project.pdf

Miller, Michael. 2015. The Internet of Things: How smart TVs, smart cars, smart homes, and smart cities are changing the world. [Kindle Version]. Indianapolis: Pearson Education, Que.

Roman, Rodrigo, Pablo Najera, and Javier Lopez. 2011. “Securing the Internet of Things,” Computer, vol. 44, no. 9, pp. 51-58. September. [Online Article]. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6017172&isnumber=6017158

Skoudis, Ed. 2015. “The Six Most Dangerous New Attack Techniques and What’s Coming Next,” RSA 2015 Conference April 20-24. April 21. [Panel Discussion, online PowerPoint Presentation]. https://www.rsaconference.com/writable/presentations/file_upload/exp-t08r-the-six-most-dangerous-new-attack-techniques-and-whats-coming-next.pdf

Weiss, Marc, et al. 2015. NIST Technical Note 1867: Time-Aware Applications, Computers, and Communication Systems (TAACCS). February. [NIST Publication]. http://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.1867.pdf

APPENDIX A – TOP TEN SECURITY ISSUES ON INTERNET OF THINGS

Issue   IoT Top Ten Security Issues from OWASP (RSA 2015)
I-1     Insecure Web Interface
I-2     Insufficient Authentication/Authorization
I-3     Insecure Network Services
I-4     Lack of Transport Encryption
I-5     Privacy Concerns
I-6     Insecure Cloud Interface
I-7     Insecure Mobile Interface
I-8     Insufficient Security Configurability
I-9     Insecure Software/Firmware
I-10    Poor Physical Security

© 2018 Inspired eLearning LLC. inspiredelearning.com

LIST OF IMAGES AND FIGURES

Image 1 - The Internet of Things Move In – cover
Image 2 - Internet of Things – page 4
Image 3 - IoT Industries – page 7
Figure 1 - Outer Lying Reaches of IoT – page 3
Figure 2 - Connected Devices Estimate – page 8
Figure 3 - Substation Failure – page 11
Figure 4 - Main Power Station Failure – page 11
Figure 5 - Binary Execution Review – page 13
Figure 6 - ROP or Memory Corruption Attack – page 13