Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by John Johnson

Published byAlberta Rogers Modified over 5 years ago

Similar presentations

Presentation on theme: "Presented by John Johnson"— Presentation transcript:

1 Presented by John Johnson
Hacking IOT: A Case Study on Baby Monitor Exposures and Vulnerabilities “Frameworks Aren’t Enough” By the Rapid7 Team Presented by John Johnson

2 Why this paper? Survey of multiple brands of an IOT device
Starting point for discussing the surface area for attacking IOT Another style of paper than we have read previously Why security nihilism is a thing

3 Just a little too new… IOT devices have blown up recently
But no security pipeline is in place to deal with the appearance of vulnerabilities IOT are typically a hodgepodge of commodity software, each with a different patching entity

4 Baby monitors Surveillance placed willingly in the house
Watching what is presumably your most prized relative And still totally unregulated

5 Speculative end user pains
IOT devices can be exploited to pivot inside a secure network Home networks are typically undefended beyond a firewall Parents who work from home may be particularly at risk DDOS mitigation is often disruptive to innocent users

6 A peek at different vulnerabilities

7 To be more specific

8 Many different types of vendor
A vendor who practically lives off the grid (No Contact) A vendor who kicks the can (“Not my fault!”) A vendor who thinks you are the devil (“Why are you hacking us???”) A Good Vendor™ who cares

9

10

11

12 Different study by Veracode
Looks at different types of IOT devices and their security features Done by a different security company Same similar results

13 Many different things to compromise
Credit to Veracode: IoT Security Research Study

14 That’s not too bad! Credit to Veracode: IoT Security Research Study

15 Okay, this isn’t great but we can live with it!
Credit to Veracode: IoT Security Research Study

16

17 Well that’s… pretty bad
Credit to Veracode: IoT Security Research Study

18

19 Remember this slide? Credit to Veracode: IoT Security Research Study

20 Title Credit to Cisco for this diagram

21 There are many moving parts in an IOT infrastructure
In your house: Device, sensor, gateway, router, phone Not in your house: backend storage, backend backups, virtual machine servers(think EC2 servers), company infrastructure Intangible: OS on each of the above devices, phone apps, programs

22 Every element in the IOT stack can fall to a different department/person
Is each expert following best practices? What about at the seams between components? What happens if something goes wrong? Do you have experts who handle incident response? On a budget? In a brand new company of 10 people?

23 Recommendations Get vendors to use an established framework
Get more security people on board at vendor companies Defense in Depth

24

25 Thank You!

Download ppt "Presented by John Johnson"

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.

Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.

What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.
SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.

SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.
Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.

1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.
1 We’ve been p0wn’d? Review of 2015 Surface Transportation Cybersecurity Incidents 2015 TRB Session 850 Edward Fok USDOT/FHWA – Resource Center.

1 We’ve been p0wn’d? Review of 2015 Surface Transportation Cybersecurity Incidents 2015 TRB Session 850 Edward Fok USDOT/FHWA – Resource Center.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.

1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.
Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.

Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.
Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.
Topic 5a Operating System Fundamentals. What is an operating system? a computer is comprised of various types of software device drivers (storage, I/O,

Topic 5a Operating System Fundamentals. What is an operating system? a computer is comprised of various types of software device drivers (storage, I/O,
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:

November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.

1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.

Similar presentations

Ads by Google