The Dark Ages of IoT Security Prof. Stefano Zanero, PhD

Smau Milano 2015 - Stefano Zanero


Page 1: Smau Milano 2015 - Stefano Zanero

The Dark Ages of IoT Security

Prof. Stefano Zanero, PhD

Page 2

Agenda

What is the Internet of Things

IoT (in)security

A real-world case study

The (scary) future of IoT security

Conclusions

Page 3

What is the Internet of Things?

Page 4

What is the Internet of Things

The IoT is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data

Source: Wikipedia

Page 5

What is the Internet of Things

Things are physical objects

Things are connected with existing network infrastructure

Things collect data – physical world’s probes (!)

Things can be remotely controlled

Things exchange data with (some)thing

Page 6

What is the Internet of Things

(personal) things

Page 7

What is the Internet of Things

(home) things

Page 8

What is the Internet of Things

(industrial) things

Page 9

What is the Internet of Things

(medical) things

Page 10

IoT (in)security

Page 11

IoT (in)security

What is information security?

Confidentiality

Integrity

Availability

The so-called CIA paradigm (or triad). What about IoT security?

Page 12

IoT (in)security

IoT Security != Device Security

Page 13

IoT (in)security

Why? Think about the mobile security world! Mobile security is:

The security of the mobile device

The security of installed apps

The security of 3rd party apps’ back-end systems

The security of pre-installed apps’ back-ends (e.g., app stores)

Now, back to the IoT universe...

Page 14

IoT (in)security

Defining attack surface

“the attack surface describes all of the different points where an attacker could get into a system, and where they could get data out”

What about the IoT attack surface?

Source: OWASP

Page 15

IoT (in)security

Ecosystem Access Control

Device Memory

Device Physical Interfaces

Device Web Interface

Device Firmware

Device Network Services

Administrative Interface

Local Data Storage

Cloud Web Interface

Third-party Backend APIs

Update Mechanism

Mobile Application

Vendor Backend APIs

Ecosystem Communication

Network Traffic

Page 16

IoT (in)security

Now, let’s talk about vulnerabilities

No alien technology, no extra-terrestrial bugs

OWASP defines an ad-hoc list for IoT: welcome to the OWASP IoT Top Vulnerabilities

It is a list of vulnerabilities, not risks

In 2014 the list was a canonical Top 10

Currently 13 vulnerabilities are included

Page 17

IoT (in)security

1. Username Enumeration

2. Weak Passwords

3. Account Lockout

4. Unencrypted Services

5. Two-factor Authentication

6. Poorly Implemented Encryption

7. Update Sent Without Encryption

8. Update Location Writable

9. Denial of Service

10. Removal of Storage Media

11. No Manual Update Mechanism

12. Missing Update Mechanism

13. Firmware Version Display and/or Last Update Date
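As an added example that is not part of Zanero's slides, the following Python sketch turns the first three items of the list into working code: a constructed device web-interface login in its leaky form (distinct "unknown user" and "wrong password" answers, and no hashing work for unknown names) next to a hardened version with one generic failure message, the same PBKDF2 work for known and unknown users, a constant-time comparison, and a lockout after five failures, plus a minimal password-strength check against a deny-list. The account, salt, sample password and deny-list are all constructed values, not taken from any real device.

```python
import hashlib
import hmac
import time

# Constructed, illustrative values: one account, one fixed salt, a tiny deny-list.
# A real device would store a random per-user salt; the sample password is just
# the value used by the demo and the tests.
_SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 100_000
COMMON_PASSWORDS = {"admin", "password", "123456", "1234", "12345678"}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a dumped credential store is not directly readable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


USERS = {"admin": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def check_password_strength(password: str) -> list:
    """Item 2 (weak passwords): return the reasons a candidate password is rejected."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    return problems


def login_leaky(username: str, password: str) -> str:
    """Item 1 (username enumeration): two different failure messages reveal which
    usernames exist, and unknown users skip the slow hash (a timing tell as well)."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return "wrong password"
    return "ok"


class HardenedLogin:
    """Items 1 and 3: one generic failure message, identical hashing work for known
    and unknown users, constant-time comparison, lockout after MAX_FAILURES."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so lockout expiry is testable
        self._failures = {}                  # username -> (failure count, locked-until)
        self._dummy_hash = _hash_password("dummy", _SALT)  # used for unknown users

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._failures.get(username, (0, 0.0))
        return self._clock() < locked_until

    def login(self, username: str, password: str) -> str:
        if self.is_locked(username):
            return "login failed"            # same answer as for a wrong password
        salt, stored = USERS.get(username, (_SALT, self._dummy_hash))
        candidate = _hash_password(password, salt)   # always do the PBKDF2 work
        ok = hmac.compare_digest(candidate, stored) and username in USERS
        if ok:
            self._failures.pop(username, None)
            return "ok"
        count, _ = self._failures.get(username, (0, 0.0))
        count += 1
        locked_until = 0.0
        if count >= self.MAX_FAILURES:
            locked_until = self._clock() + self.LOCKOUT_SECONDS
        self._failures[username] = (count, locked_until)
        return "login failed"


if __name__ == "__main__":
    print("leaky:", login_leaky("nobody", "x"), "/", login_leaky("admin", "x"))
    hardened = HardenedLogin()
    print("hardened:", hardened.login("nobody", "x"), "/", hardened.login("admin", "x"))
    print("weak password problems:", check_password_strength("password"))
```

One caveat a practitioner would add: a lockout keyed only by username lets anyone who knows a valid name lock that account out (item 9, denial of service), so a real device should combine it with per-source rate limiting and a growing backoff rather than a hard lock.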

Page 18

IoT (in)security

Slightly random thoughts on IoT security

IoT is “happening” with rapid (chaotic) development and without appropriate consideration of security

More devices == more data == more cyber attacks

“Things” are probes in everyone’s life

Smart TVs, cameras and thermostats are literally “watching” us!

Device firmware updates will be ruled by the market – see ya, security, in 18 months?

Page 19

Real-world case studies

Page 20

Real-world case studies

Source: HP research on smart watches

Page 21

Real-world case studies

Source: Rapid7 research on baby monitoring systems

Page 22

Real-world case studies

Source: HP research on home security systems

Page 23

The (scary) future of IoT security

Page 24

The (scary) future of IoT security

Skynet is waiting

Page 25

The (scary) future of IoT security

50 BILLION objects by 2020

Source: Cisco

Page 26

The (scary) future of IoT security

Complexity. That’s the problem.

The Internet of Things is wild, open and no one will pay for secure (every)thing

Vendors are urgently called to implement solutions that are secure by design, to reduce the risks

Extensive standardization on “how things should be securely implemented” could truly be a panacea

Page 27

Conclusions

Page 28

Conclusions

We are brewing a perfect cyber-physical storm with unfathomable consequences

We are using complex networks of smart devices on which we increasingly rely for critical infrastructures and safety-critical systems, without humans in the loop

We have issues with zero-days as well as forever-days

We need significant engineering and research efforts to get this done and avert the storm

Page 29

Thank you

[email protected]