The Dark Ages of IoT Security
Prof. Stefano Zanero, PhD
Agenda
What is the Internet of Things
IoT (in)security
A real-world case study
The (scary) future of IoT security
Conclusions
What is the Internet of Things?
What is the Internet of Things
The IoT is the network of physical objects or "things" embedded with electronics, software,
sensors, and network connectivity, which enables these objects to collect and exchange data
Source: Wikipedia
What is the Internet of Things
Things are physical objects
Things are connected with existing network infrastructure
Things collect data – physical world’s probes (!)
Things can be remotely controlled
Things exchange data with (some)thing
What is the Internet of Things
(personal) things
What is the Internet of Things
(home) things
What is the Internet of Things
(industrial) things
What is the Internet of Things
(medical) things
IoT (in)security
IoT (in)security
What is information security?
Confidentiality
Integrity
Availability
The so-called CIA paradigm (or triad)
What about IoT security?
IoT (in)security
IoT Security != Device Security
IoT (in)security
Why? Think about the mobile security world! Mobile security is:
The security of the mobile device
The security of installed apps
The security of 3rd-party apps' back-end systems
The security of pre-installed apps' back-ends (e.g., app stores)
Now back to the IoT universe...
IoT (in)security
Defining attack surface
“the attack surface describes all of the different points where an attacker could get into a system, and where they could get data out”
What about the IoT attack surface?
Source: OWASP
IoT (in)security
Ecosystem Access Control
Device Memory
Device Physical Interfaces
Device Web Interface
Device Firmware
Device Network Services
Administrative Interface
Local Data Storage
Cloud Web Interface
Third-party Backend APIs
Update Mechanism
Mobile Application
Vendor Backend APIs
Ecosystem Communication
Network Traffic
IoT (in)security
Now, let’s talk about vulnerabilities
No alien technology, no extra-terrestrial bugs
OWASP defines an ad-hoc list for IoT
Welcome to the OWASP IoT Top Vulnerabilities
It is a list of vulnerabilities, not risks
In 2014 the list was a canonical Top 10
Currently 13 vulnerabilities are included
IoT (in)security
1. Username Enumeration
2. Weak Passwords
3. Account Lockout
4. Unencrypted Services
5. Two-factor Authentication
6. Poorly Implemented Encryption
7. Update Sent Without Encryption
8. Update Location Writable
9. Denial of Service
10. Removal of Storage Media
11. No Manual Update Mechanism
12. Missing Update Mechanism
13. Firmware Version Display and/or Last Update Date
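The first three items on the list (username enumeration, weak passwords, missing account lockout) are usually introduced together by one careless login handler, so it is worth seeing what a handler that avoids all three looks like. The block below is an added example written for this page, not code from the talk or from OWASP: it returns the same generic error for an unknown user and for a wrong password, performs the same PBKDF2 work for unknown users so the response timing does not reveal which usernames exist, rejects default and short passwords when an account is created, and locks an account for a fixed window after repeated failures. The user store, the weak-password list and the clock injection are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed policy constants for the example; a product would tune them.
PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300
GENERIC_ERROR = "invalid credentials"  # identical for every failure path

# Small constructed deny-list of vendor defaults; real policy would use a larger one.
WEAK_PASSWORDS = {"admin", "password", "123456", "12345678", "root", "1234"}


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_is_acceptable(password: str) -> bool:
    """OWASP item 2: refuse defaults and short secrets at account creation."""
    return len(password) >= 12 and password.lower() not in WEAK_PASSWORDS


class DeviceAuth:
    """Login handler for a device's administrative interface (constructed example)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so lockout expiry can be tested
        self._users = {}             # username -> (salt, digest)
        self._failures = {}          # username -> (failed count, locked_until)
        # Dummy credential: unknown usernames cost the same PBKDF2 work as real ones,
        # so response time does not enumerate accounts (OWASP item 1).
        self._dummy_salt, self._dummy_digest = hash_password(secrets.token_hex(16))

    def add_user(self, username: str, password: str) -> None:
        if not password_is_acceptable(password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> tuple[bool, str]:
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            # OWASP item 3: locked accounts are refused without saying why.
            return False, GENERIC_ERROR
        salt, digest = self._users.get(username, (self._dummy_salt, self._dummy_digest))
        _, candidate = hash_password(password, salt)
        # Constant-time comparison; the membership test keeps the dummy from "matching".
        ok = hmac.compare_digest(candidate, digest) and username in self._users
        if ok:
            self._failures.pop(username, None)
            return True, "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_ATTEMPTS else 0.0
        self._failures[username] = (count, locked_until)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    auth = DeviceAuth()
    auth.add_user("operator", "correct horse battery staple")
    print(auth.login("operator", "correct horse battery staple"))
    print(auth.login("operator", "wrong"))
    print(auth.login("nobody", "wrong"))
```

Note that the failure counter is keyed on the submitted username whether or not it exists; otherwise the presence of a lockout after five attempts would itself reveal which usernames are real.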
IoT (in)security
Slightly random thoughts on IoT security
IoT is “happening” through rapid (chaotic) development without appropriate consideration of security
More devices == more data == more cyber attacks
“Things” are probes in everyone’s life
Smart TVs, cameras and thermostats are literally “watching” us!
Device firmware updates will be ruled by the market – see ya, security, in 18 months?
Real-world case studies
Real-world case studies
Source: HP research on smart watches
Real-world case studies
Source: Rapid7 research on baby monitoring systems
Real-world case studies
Source: HP research on home security systems
The (scary) future of IoT security
The (scary) future of IoT security
Skynet is waiting
The (scary) future of IoT security
50 billion objects by 2020
Source: Cisco
The (scary) future of IoT security
Complexity. That’s the problem.
The Internet of Things is wild and open, and no one will pay for securing (every)thing
Vendors are urgently called to implement solutions that are secure by design to reduce the risks
Extensive standardization of “how things should be securely implemented” could truly be a panacea
Conclusions
Conclusions
We are brewing a perfect cyber-physical storm with unfathomable consequences
We are using complex networks of smart devices on which we increasingly rely for critical infrastructures and safety-critical systems, without humans in the loop
We have issues with zero-days as well as forever-days
We need significant engineering and research efforts to get this done and avert the storm
Thank you! s.zanero@securenetwork.it