The Internet of Things.

Presentation on theme: "The Internet of Things."— Presentation transcript:

1 The Internet of Things

2 For Discussion
What is the Internet of Things?
Security and Privacy
Attack Surface Areas
Previous IoT Research
Is it Getting Any Better?
Protect Yourself

3 What is the Internet of Things?
Wikipedia definition - the inter-networking of physical devices, vehicles (also referred to as "connected devices" and "smart devices"), buildings, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data.

Even though this term has stuck, it's not necessarily a very good definition. It could include things like web servers and other systems that have been on the internet for a long time but that we don't really consider "IoT". I'm not sure what the right definition is, but one approach is to consider devices that were once "dumb", like a toaster, and are now "smart" and connected to the internet, as IoT devices. Even though consumer routers were around before IoT was a thing, we typically throw them in the mix since they are the gateways for most consumer IoT devices. Whatever the definition, these devices are here to stay, and precautions need to be taken when using them, especially in these early days of IoT.

4 Security and Privacy
Gartner says 8.4 billion connected "things" in use in 2017
Devices combine web applications, mobile applications, back-end systems, locally stored data, cloud stored data and much more
Vulnerabilities multiply for IoT devices
Security and privacy take a back seat for manufacturers trying to get products to market as quickly as possible

Gartner sees massive use of IoT devices. Devices combine many different areas, each with its own set of vulnerabilities, which in turn combine to create a device that has not one or two vulns but 50 or 60. And to add insult to injury, many of the vulns appearing in IoT devices are vulns that started showing up 10 years ago. Much of that has to do with the way firmware is being put together, something I'll talk a bit more about later. So when you're talking IoT device vulns, it isn't like talking about a handful of vulns found in a mobile app; it's web app vulns, mobile app vulns, network vulns, database vulns, really everything that helps a particular IoT device perform its function. Probably the biggest reason for these devices going to market with so many vulns is the race by manufacturers to get products to market. As much as security and privacy are an afterthought on many things today, for IoT devices they're barely even on the radar. More like just over the horizon, out of sight. The lack of security has not gone unnoticed...

5 Security and Privacy
FTC ordered Asus to maintain a security program for the next 20 years
FTC charged D-Link with inadequate security measures on routers and cameras
New York state forced a smart lock maker to improve its security
Privacy laws vary state to state with no updated laws at the federal level
Recent report showed a wide range of data exposure for back-end systems used by mobile app developers

In February 2016 Asus settled with the FTC over vulns in its routers and is subject to independent audits for the next 20 years. Earlier this year the FTC filed suit against D-Link over security issues in its routers and IP cameras. New York state forced a smart lock maker to add encryption to protect passwords, electronic keys and other credentials on the locks, and to prompt users to change the default password during initial setup. Various states have been putting privacy laws in place to protect user privacy when it comes to new technology, but the laws vary greatly from state to state, and the last privacy law put into place at the federal level, other than HIPAA and COPPA, was in 1974. And just to add to the existing issues, a report just came out about the wide range of data exposure from back-end systems used by mobile app developers, and almost all IoT devices have a companion mobile app.

6 Attack Surface Areas
Around 20 attack surface areas on the OWASP IoT Project
Ex. web interfaces, physical interfaces, firmware, network, cloud, mobile, API, etc.
Each attack surface has multiple potential vulns
Many of the vulns discovered are years or decades old
Firmware packages use old and/or unsupported versions of 3rd party components
Ubiquiti network gear hijacked due to 20-year-old PHP build

Let's briefly talk about attack surface areas. Talk through examples. There are multiple vulns per attack surface, as mentioned earlier. Many of the vulns discovered are things we saw during the early days of web apps and mobile apps, plus many old network vulns like not bothering to encrypt data in transit. Firmware packages on IoT devices are simply scary. They often use old and/or unsupported versions of 3rd party components, and I'll add a little bit about that shortly. A fine example of this: Ubiquiti devices were vulnerable due to using a PHP version from 1997.

7 Previous IoT Research
XSS, weak credentials, account harvesting, unencrypted network services
Multiple devices using the same certificate with private key on device

Some things we found during previous IoT research. One of the more noteworthy issues is the use of SSL certificates: the same cert was used on hundreds of thousands of devices, and in this example the private key was also on the device. Once that key is extracted from one unit, it can be used to impersonate every other unit shipping the same certificate (and, where RSA key exchange is used, to decrypt their captured traffic).
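As an added example (not part of the talk), the check a firmware reviewer would run to catch this class of issue: a script that walks several unpacked firmware images, fingerprints every PEM block it finds by hashing the decoded DER, and reports certificates and private keys that appear in more than one image. It assumes each image has already been unpacked (e.g. with binwalk) into its own directory; the three firmware trees built in demo() are constructed test data, not real keys, and encrypted PEM blocks with header lines are skipped.

```python
"""Find TLS certificates and private keys shared across unpacked firmware images.

Added example for this talk, not code from the presenter. It assumes each
firmware image has already been unpacked into its own directory (e.g. with
binwalk) and that key material is stored as PEM text somewhere in the tree.
Encrypted PEM blocks (header lines before the base64 body) are skipped.
"""
import base64
import hashlib
import os
import re
import tempfile
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_fingerprints(data):
    """Yield (PEM type, SHA-256 of the decoded DER) for each PEM block in data."""
    for m in PEM_RE.finditer(data):
        kind = m.group(1).decode()
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            continue  # not plain base64 (e.g. encrypted PEM with headers)
        yield kind, hashlib.sha256(der).hexdigest()


def scan_images(image_dirs):
    """Map (PEM type, fingerprint) -> set of image names containing that block."""
    seen = defaultdict(set)
    for image in image_dirs:
        name = os.path.basename(os.path.normpath(image))
        for root, _dirs, files in os.walk(image):
            for fname in files:
                path = os.path.join(root, fname)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable file, dangling symlink, etc.
                if b"-----BEGIN" not in data:
                    continue
                for kind, fp in pem_fingerprints(data):
                    seen[(kind, fp)].add(name)
    return seen


def shared_material(seen):
    """Return blocks present in more than one image, private keys listed first."""
    findings = [
        {"type": kind, "fingerprint": fp, "images": sorted(images),
         "private_key": "PRIVATE KEY" in kind}
        for (kind, fp), images in seen.items() if len(images) > 1
    ]
    return sorted(findings, key=lambda f: (not f["private_key"], f["type"]))


def make_pem(kind, payload):
    """Wrap payload as a PEM block; constructed test data, not a real key."""
    b64 = base64.b64encode(payload)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (kind.encode(), body, kind.encode())


def demo():
    """Three constructed firmware trees: two ship the same private key, all share a cert."""
    key_shared = make_pem("RSA PRIVATE KEY", b"constructed-shared-key-bytes" * 8)
    key_unique = make_pem("RSA PRIVATE KEY", b"constructed-unique-key-bytes" * 8)
    crt_shared = make_pem("CERTIFICATE", b"constructed-shared-cert-bytes" * 8)
    layout = {
        "image_a": {"etc/ssl/server.key": key_shared, "etc/ssl/server.crt": crt_shared},
        "image_b": {"etc/ssl/server.key": key_shared, "etc/ssl/server.crt": crt_shared},
        "image_c": {"etc/ssl/server.key": key_unique, "etc/ssl/server.crt": crt_shared},
    }
    with tempfile.TemporaryDirectory() as tmp:
        dirs = []
        for image, files in layout.items():
            for rel, content in files.items():
                path = os.path.join(tmp, image, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(content)
            dirs.append(os.path.join(tmp, image))
        return shared_material(scan_images(dirs))


if __name__ == "__main__":
    for f in demo():
        label = "PRIVATE KEY" if f["private_key"] else "cert/other"
        print(label, f["type"], f["fingerprint"][:16], "shared by", ", ".join(f["images"]))
```

Run it against real unpacked images by calling scan_images() with the list of unpack directories; a shared private key is the finding to escalate, a shared certificate alone is a strong hint that the key is shared too.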

8 Previous IoT Research
Another example that is humorous and sad all at the same time. This HTTP web server was found being used in a handful of firmware images on popular consumer routers. While it does include some current features, the author did this as an experiment, not as something for production. But a developer somewhere found it, and it was free, so it was used. Props, by the way, to the site owner for keeping his site '90s old school. Many of the devices were running a web service that has been abandoned.

9 Previous IoT Research
Old versions of BusyBox dating back to 2005
Versions of Dropbear dating back to 2008
Out-of-date versions of OpenSSL back to 2002
Blank admin passwords
Passwords stored locally in the clear
Lack of updates

And speaking of firmware components...
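An added example (not the presenter's tooling) of the triage a reviewer runs on an unpacked firmware root filesystem to find exactly the items on this slide: it greps binaries for the BusyBox, Dropbear and OpenSSL version banners, compares them against reviewer-chosen minimums, flags accounts with an empty password field in etc/passwd or etc/shadow, and flags config lines that look like cleartext passwords. The banner regexes and the MIN_VERSIONS thresholds are assumptions for illustration, and the root filesystem built in demo() is constructed (fake ELF stubs), not a real image.

```python
"""Triage an unpacked IoT firmware root filesystem for old components and bad passwords.

Added example for this talk, not the presenter's tooling. It assumes the
firmware has been unpacked to a directory (e.g. with binwalk) and looks for:
  - version banners of BusyBox, Dropbear and OpenSSL embedded in binaries,
    compared against MIN_VERSIONS (an illustrative assumption, not a vendor baseline);
  - accounts with an empty password field in etc/passwd or etc/shadow;
  - cleartext password values in config files (a heuristic regex).
The banner regexes are assumptions based on the strings these tools normally
embed; adjust them to what `strings` shows for your image.
"""
import os
import re
import tempfile

BANNERS = {
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
    "dropbear": re.compile(rb"dropbear_(\d+\.\d+)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
}
# Illustrative thresholds (assumption): anything older is reported as outdated.
MIN_VERSIONS = {"busybox": (1, 20), "dropbear": (2016, 72), "openssl": (1, 0, 2)}
CLEARTEXT_PW = re.compile(rb"(?im)^\s*(?:admin_|wifi_|web_)?pass(?:word|wd)?\s*=\s*(\S+)")
CONFIG_EXT = (".conf", ".cfg", ".ini", ".xml", ".txt")


def parse_version(text):
    """'0.9.7' -> (0, 9, 7); '1.01' -> (1, 1); Dropbear '2019.78' -> (2019, 78)."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def walk_files(rootfs):
    """Yield (path, bytes) for every readable file under rootfs."""
    for root, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read()
            except OSError:
                continue


def find_component_versions(rootfs):
    """Return {component: lowest version string found anywhere in the tree}."""
    found = {}
    for _path, data in walk_files(rootfs):
        for comp, rx in BANNERS.items():
            for m in rx.finditer(data):
                ver = m.group(1).decode()
                if comp not in found or parse_version(ver) < parse_version(found[comp]):
                    found[comp] = ver
    return found


def outdated_components(versions):
    """Components whose lowest found version is below the reviewer's minimum."""
    return sorted(c for c, v in versions.items() if parse_version(v) < MIN_VERSIONS[c])


def blank_password_accounts(rootfs):
    """(file, account) pairs whose password field is empty: login with no password."""
    hits = []
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(rootfs, rel)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            for line in fh.read().splitlines():
                fields = line.split(b":")
                if len(fields) >= 2 and fields[1] == b"":
                    hits.append((rel, fields[0].decode(errors="replace")))
    return hits


def cleartext_passwords(rootfs):
    """(relative path, key) for config lines of the form password=value."""
    hits = []
    for path, data in walk_files(rootfs):
        if not path.endswith(CONFIG_EXT):
            continue
        for m in CLEARTEXT_PW.finditer(data):
            key = m.group(0).split(b"=", 1)[0].strip().decode()
            hits.append((os.path.relpath(path, rootfs).replace(os.sep, "/"), key))
    return sorted(hits)


def triage(rootfs):
    versions = find_component_versions(rootfs)
    return {
        "versions": versions,
        "outdated": outdated_components(versions),
        "blank_passwords": blank_password_accounts(rootfs),
        "cleartext_passwords": cleartext_passwords(rootfs),
    }


def demo():
    """Constructed rootfs mirroring the slide's findings (fake ELF stubs, not real binaries)."""
    files = {
        "bin/busybox": b"\x7fELF...BusyBox v1.01 (2005.07.20-13:15+0000) multi-call binary\x00",
        "usr/sbin/dropbear": b"\x7fELF...SSH-2.0-dropbear_0.52\x00",
        "usr/lib/libssl.so": b"\x7fELF...OpenSSL 0.9.7 31 Dec 2002\x00",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "etc/shadow": b"root::0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n",
        "etc/config/web.conf": b"http_port=80\nadmin_password=admin\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real image, call triage() with the unpack directory. The version scan reports the lowest banner it sees because a firmware tree often carries more than one copy of a library, and the oldest one is the one that matters.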

10 Is it getting any better?
Not really
Pressure to get these low-margin devices to market
Firmware is a mishmash of components found on the internet
Low processing power means many devices can't handle security overhead
Lack of security leading to botnets and DDoS attacks
Data breaches

Botnets: The Mirai botnet is an IoT-specific botnet and has infected hundreds of thousands of devices. It was used in a DDoS attack against the Krebs on Security site which reached 620 Gbps, and a reported attack against web host OVH reached 1 Tbps. Almost 1 million Deutsche Telekom routers were crashed by exploitation attempts from a variant of Mirai. And there's new malware called Persirai that's targeting 1,000 different models of IP cameras; it takes advantage of UPnP, which the cameras use to open ports on the router and expose their web interface to the internet. Data breaches: a recent study of 553 IT decision makers found that 78% thought it somewhat likely that their organization would experience data loss or theft due to IoT devices in the next two years.

11 Protect Yourself
Segment, segment, segment ... your network
Set up a separate wireless network for your IoT devices
Routers themselves have issues
Set up a personal firewall
Disable UPnP on consumer routers

At this point you are probably wondering if you should stop using or toss out the IoT devices you have now. Personally, I still use IoT devices even though I know the issues better than most. Bottom line, many of these devices are useful: smart thermostats, security cameras, Amazon Echo devices, etc. But you do need to protect yourself if you are going to use them. Do not put them on your primary home network.
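An added example (not the presenter's code) of verifying the "disable UPnP" step rather than trusting the router's settings page: it multicasts a standard SSDP M-SEARCH on the LAN and parses the replies; if your router still answers advertising an InternetGatewayDevice, UPnP port mapping (the mechanism Persirai-style malware relies on to expose cameras) is still enabled on the LAN side. The sample reply used by demo_parse() is constructed, not captured from a real device, and discover() only sees devices on the network segment you run it from.

```python
"""Check whether a router (or any LAN device) still answers UPnP/SSDP discovery.

Added example for this talk, not the presenter's code. Sends the SSDP M-SEARCH
from the UPnP Device Architecture spec to the multicast group and reports which
hosts answer. A reply whose ST/USN names InternetGatewayDevice means UPnP is
still on. SAMPLE_REPLY below is constructed, not captured from a real device.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_URN = "urn:schemas-upnp-org:device:InternetGatewayDevice"


def build_msearch(search_target="ssdp:all", mx=2):
    """Build an M-SEARCH request; ssdp:all makes every device list all its types."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode()


def parse_ssdp_response(raw):
    """Return headers (upper-cased keys) of an HTTP/1.1 200 SSDP reply, else None."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def is_internet_gateway(headers):
    """True if the responder advertises itself as a UPnP Internet Gateway Device."""
    return any(IGD_URN in headers.get(h, "") for h in ("ST", "USN"))


def discover(timeout=3.0):
    """Multicast an M-SEARCH and collect (source IP, headers) for every reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:  # keep reading until the socket times out
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                replies.append((addr[0], headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample reply (not captured from a real device) to exercise the parser.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 example/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def demo_parse():
    return parse_ssdp_response(SAMPLE_REPLY)


if __name__ == "__main__":
    for ip, hdrs in discover():
        tag = "GATEWAY (UPnP still on)" if is_internet_gateway(hdrs) else "device"
        print(f"{ip:15} {tag:25} {hdrs.get('SERVER', '?')}  {hdrs.get('LOCATION', '')}")
```

Run discover() from the IoT segment and from your primary network: after disabling UPnP the router should answer on neither, and any other host that still answers is a device worth a closer look.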

