IOT SECURITY
VERSION: 1.2a
DATE: 24/10/2018
AUTHOR: SYLVAIN MARTINEZ
REFERENCE: ESC13-MUSCL
CLASSIFICATION: Public
CONTENTS
• IOT definition;
• IOT trends;
• IOT innovation and integration;
• Cyber security risks;
• IOT contribution to cyber security risk;
• Main risk overview;
• Security as an afterthought;
• Embedded vulnerabilities;
• Embedded backdoors;
• Unsupported devices;
• Unpatchable devices;
• Main impacts overview;
• IOT used as a bot;
• IOT used to access network;
• IOT used to spy/attack you;
• IOT physical impact;
• IOT self destruct button;
• IOT security overview;
• Traffic analysis;
• Code analysis;
• Firmware analysis;
• Online search;
• Follow best practice;
• Future of IOT.
PUBLIC
FUTURESECURITYIMPACTRISKCONTEXT
IOT DEFINITION
THE INTERNET OF THINGS
ANY PHYSICAL OBJECT THAT CAN BE CONNECTED TO THE INTERNET
Icons from the Noun Project unless specified otherwise
IOT TRENDS
Source: information is beautiful
IOT INNOVATION AND INTEGRATION
Idea: information is beautiful
CYBER SECURITY RISK
[Three charts, each showing GROWTH over TIME from PAST to FUTURE (0% to 100%):]
[Chart 1: GLOBALIZATION & DIGITALIZATION → IT SYSTEM RELIANCE → ATTACK SURFACE]
[Chart 2: MONEY & GEOPOLITICAL GAIN → THREAT ACTORS' SKILLS → ATTACK VECTORS]
[Chart 3: ATTACK SURFACE + ATTACK VECTORS = CYBER SECURITY RISKS]
CYBER SECURITY RISKS' PROBABILITY AND IMPACT ARE INCREASING.
THEIR ABILITY TO DISRUPT COMPANIES' BUSINESS OPERATIONS HAS GROWING FINANCIAL, REPUTATIONAL AND LEGAL NEGATIVE CONSEQUENCES.
SOURCE: ELYSIUMSECURITY LTD – Please refer to us when re-using this diagram
IOT CONTRIBUTION TO CYBER SECURITY RISK
[Chart: GLOBALIZATION & DIGITALIZATION → IT SYSTEM RELIANCE → ATTACK SURFACE, GROWTH over TIME from PAST to FUTURE (0% to 100%)]
SOURCE: ELYSIUMSECURITY LTD
MAIN RISKS OVERVIEW
• SECURITY IS AN AFTERTHOUGHT
• EMBEDDED VULNERABILITIES
• EMBEDDED BACKDOORS
• UNSUPPORTED DEVICES
• UNPATCHABLE DEVICES
SECURITY IS AN AFTERTHOUGHT
LOW COST, LOW RESOURCES, 3RD PARTY RELIANCE & LOW PERFORMANCE + ADDED SECURITY = PERFORMANCE IMPACT & HIGHER COST
EMBEDDED VULNERABILITIES
• OLD LIBRARIES & COMPONENTS
• BAD CONFIGURATION
• OPEN PORTS
EMBEDDED BACKDOORS
[Graphic: "P A S S W O R D 1 2 3"]
• DEFAULT PASSWORDS
• DEBUG FUNCTIONS
• "VENDOR" ACCESS
UNSUPPORTED DEVICES
• SHORT LIFESPAN
• VENDOR CLOSED
• DIFFICULT TO UPDATE
• NO SUPPORT HELP
UNPATCHABLE DEVICES
• ROM BASED VULNERABILITY
• OUT OF REACH
• PHYSICAL DANGER
MAIN IMPACTS OVERVIEW
• USED AS A BOT/DOS
• USED AS AN ENTRY TO YOUR NETWORK
• USED TO SPY/ATTACK YOU
• PHYSICAL IMPACT
• PRODUCT DESTRUCTION
IOT USED AS A BOT
MIRAI, GAFGYT, AIDRA
MIRAI:
• TELNET OPEN
• 61 DEFAULT PASSWORDS
• 1TBPS
• ROUTERS, IP CAMERAS, ETC.
ANIMATED MIRAI GIF FROM WIKIMEDIA
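A defender's detection for the Mirai behaviour listed above (open telnet, a fixed list of default passwords tried in bulk): the following added example, which is not from the original slides, parses a constructed syslog-style authentication log from a device and flags sources that fail many telnet logins inside a short window. The log message format, the failure threshold and the window length are assumptions; adjust them to what the device or gateway actually logs.

```python
"""Detect Mirai-style credential scanning against a device's telnet service
from its authentication log.

Added example, not from the original slides. SAMPLE_LOG is constructed in a
syslog-like layout; the message format, the failure threshold and the time
window are assumptions about what a given device or gateway would log.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source hammering default accounts, one legitimate
# user with a typo, one slow and sparse source that stays below the threshold.
SAMPLE_LOG = """\
Oct 24 10:01:02 cam01 telnetd[412]: login failed for 'root' from 198.51.100.7
Oct 24 10:01:05 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.7
Oct 24 10:01:09 cam01 telnetd[412]: login failed for 'support' from 198.51.100.7
Oct 24 10:01:12 cam01 telnetd[412]: login failed for 'user' from 198.51.100.7
Oct 24 10:01:15 cam01 telnetd[412]: login failed for 'root' from 198.51.100.7
Oct 24 10:01:20 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.7
Oct 24 10:02:00 cam01 telnetd[413]: login failed for 'admin' from 192.168.1.20
Oct 24 10:02:08 cam01 telnetd[413]: login ok for 'admin' from 192.168.1.20
Oct 24 10:05:00 cam01 telnetd[414]: login failed for 'root' from 203.0.113.44
Oct 24 10:10:00 cam01 telnetd[415]: login failed for 'root' from 203.0.113.44
Oct 24 10:15:00 cam01 telnetd[416]: login failed for 'root' from 203.0.113.44
"""

# Assumed log format; adapt the pattern to the device's real messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login failed for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_failures(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, source IP, username) for every failed telnet login."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog carries no year; datetime defaults it to 1900, which is
            # fine here because only time differences are used.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            failures.append((ts, m["src"], m["user"]))
    return failures


def detect_credential_scans(text: str, threshold: int = 5, window_s: int = 60) -> dict[str, dict]:
    """Flag sources with at least `threshold` failed logins inside any
    `window_s`-second window. Returns {source_ip: {"failures", "usernames"}}."""
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user in parse_failures(text):
        by_src[src].append((ts, user))

    alerts: dict[str, dict] = {}
    for src, events in by_src.items():
        events.sort()
        times = [t for t, _ in events]
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
            if in_window >= threshold:
                alerts[src] = {
                    "failures": len(events),
                    "usernames": sorted({u for _, u in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_scans(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['failures']} failed telnet logins, "
              f"accounts tried: {', '.join(info['usernames'])}")
```

The sparse source stays below the threshold on purpose: a fixed count of failures per source over the whole log would alert on it too, whereas the sliding window only alerts on the burst pattern of a scanner working through its password list.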
IOT USED TO ACCESS NETWORK
[Diagram, steps 1 to 6: VENDOR, IOT PROXY, firewall and IOT device]
• IOT DEVICE INITIATES THE CONNECTION
• IOT CALLS "HOME"
• IOT BYPASSES FIREWALL PROTECTION
IOT USED TO SPY/ATTACK YOU
IOT PHYSICAL IMPACT
IOT SELF DESTRUCT BUTTON
• MIKROTIK ROUTER: RUSSIAN GOOD SAMARITAN PATCH
• NOKIA HEALTH: SCALE REFUNDED AND DISABLED
IOT SECURITY OVERVIEW
• TRAFFIC ANALYSIS
• CODE ANALYSIS
• FIRMWARE ANALYSIS
• ONLINE SEARCH / SHODAN
• SECURITY DESIGN BEST PRACTICE
TRAFFIC ANALYSIS
USER
• INTERCEPT TRAFFIC
• LOOK AT PASSWORDS SENT
• LOOK AT ENCRYPTION
• LOOK AT TOKENS
[Diagram: traffic between USER and VENDOR]
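The traffic analysis steps above, together with the "calls home / bypasses firewall" behaviour from the IOT USED TO ACCESS NETWORK slide, as an added example that is not from the original slides: a small triage script that runs over captured flows from a device and reports cleartext protocols, credentials and tokens sent without encryption, and outbound connections to hosts the vendor has not documented. The flow records and HTTP payload are constructed, and the port table and VENDOR_ALLOWLIST are assumptions standing in for the vendor's published endpoints.

```python
"""Triage of captured IoT device traffic: cleartext protocols, credentials and
tokens sent without encryption, and "call home" connections to destinations
the vendor has not documented.

Added example, not from the original slides. The flow records and HTTP payload
are constructed; CLEARTEXT_PORTS and VENDOR_ALLOWLIST are assumptions standing
in for the vendor's published endpoints and the device's real services.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumption: a minimal port-to-protocol table; extend it for the device under test.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}
# Constructed allowlist of hosts the vendor documents for this device.
VENDOR_ALLOWLIST = {"api.vendor.example", "fw.vendor.example"}

BASIC_AUTH = re.compile(rb"Authorization:\s*Basic\s+[A-Za-z0-9+/=]+", re.I)
BEARER = re.compile(rb"Authorization:\s*Bearer\s+[A-Za-z0-9._~+/=-]+", re.I)
FORM_CRED = re.compile(rb"(?:^|[&?\s])(pass(?:word|wd)?|pwd|pin)=[^&\s]+", re.I)


@dataclass
class Flow:
    src: str
    dst_host: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Finding:
    kind: str
    detail: str


def analyse_flow(flow: Flow) -> list[Finding]:
    """Return the findings for one captured flow; secret values are never echoed."""
    findings: list[Finding] = []
    proto = CLEARTEXT_PORTS.get(flow.dst_port)
    if proto:
        findings.append(Finding("cleartext-protocol", f"{proto} to {flow.dst_host}:{flow.dst_port}"))
        # Only payloads that are readable on the wire are worth inspecting.
        if BASIC_AUTH.search(flow.payload):
            findings.append(Finding("cleartext-credential", "HTTP Basic authorization header"))
        for m in FORM_CRED.finditer(flow.payload):
            findings.append(Finding("cleartext-credential", f"form field {m.group(1).decode()}"))
        if BEARER.search(flow.payload):
            findings.append(Finding("cleartext-token", "bearer token sent without TLS"))
    if flow.dst_host not in VENDOR_ALLOWLIST:
        findings.append(Finding("call-home", f"outbound connection to undocumented host {flow.dst_host}"))
    return findings


def triage(flows: list[Flow]) -> Counter:
    """Count findings by kind across a whole capture."""
    return Counter(f.kind for flow in flows for f in analyse_flow(flow))


# Constructed capture from a device at 192.168.1.50.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "api.vendor.example", 443),                       # TLS to a documented host
    Flow("192.168.1.50", "api.vendor.example", 80,
         b"POST /login HTTP/1.1\r\nHost: api.vendor.example\r\n"
         b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
         b"user=admin&password=admin"),                                     # login over plain HTTP
    Flow("192.168.1.50", "203.0.113.9", 1883, b"\x10\x0c\x00\x04MQTT"),     # plain MQTT to an unknown host
    Flow("192.168.1.50", "telemetry.unknown.example", 443),                # encrypted, but undocumented
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        for finding in analyse_flow(flow):
            print(f"{flow.dst_host}:{flow.dst_port}  {finding.kind}: {finding.detail}")
    print(dict(triage(SAMPLE_FLOWS)))
```

The last sample flow is the one the firewall slide is about: the device opens the connection itself, so an inbound-only firewall never sees a decision to make. Comparing destinations against what the vendor documents is the check that catches it, and it applies even when the traffic is encrypted.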
CODE ANALYSIS
USER
• CONNECT TO THE DEVICE
• INSPECT SOFTWARE INSTALLED
• LOOK AT SCRIPTS
• STRINGS IN BINARY
VENDOR
• NO DEFAULT PASSWORD
• NO BACKDOOR FOR SUPPORT
• CODE ANALYSIS TOOLS
• THREAT ANALYSIS TOOLS
FIRMWARE ANALYSIS
USER
• EXTRACT FIRMWARE
• DISASSEMBLE FIRMWARE
• REVIEW MAIN FUNCTIONS
VENDOR
• FIRMWARE ORIGIN?
• ANALYSE SOURCE CODE
• PENTEST RESULTS REVIEW
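The "strings in binary" step of the CODE ANALYSIS slide and the "extract firmware" step above, as one added example that is not from the original slides: a static triage of a firmware image that first locates embedded filesystem and compression signatures (the offsets a reviewer would carve at) and then pulls printable strings and labels the ones that look like an embedded password hash, a credential literal, a telnet service or a private key, which is how the embedded backdoors and default passwords from the risk slides show up in practice. FIRMWARE_IMAGE is a constructed blob assembled inline; SIGNATURES is a small subset of well-known magic values and SUSPICIOUS a starting set of patterns, both of which a real review would extend.

```python
"""Static triage of a firmware image: locate embedded filesystem and
compression signatures, then pull printable strings and flag the ones that
look like embedded credentials, debug hooks or private keys.

Added example, not from the original slides. FIRMWARE_IMAGE is a constructed
blob; SIGNATURES is a small subset of well-known magic values and SUSPICIOUS a
starting set of patterns, both of which a real review would extend.
"""
from __future__ import annotations

import re

# Well-known magic values (a small subset of what tools such as binwalk carry).
SIGNATURES = [
    ("uImage header", b"\x27\x05\x19\x56"),
    ("gzip", b"\x1f\x8b\x08"),
    ("squashfs (little endian)", b"hsqs"),
    ("squashfs (big endian)", b"sqsh"),
    ("cramfs", b"\x45\x3d\xcd\x28"),
    ("xz", b"\xfd7zXZ\x00"),
]

# Strings worth a human look; the first matching pattern labels the string.
SUSPICIOUS = [
    ("hardcoded password hash", re.compile(r"^\w+:\$[0-9a-z]+\$[^:]+:")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential literal", re.compile(r"(password|passwd|pwd)\s*[=:]\s*\S+", re.I)),
    ("telnet service", re.compile(r"\btelnetd\b")),
    ("debug hook", re.compile(r"\b(backdoor|debug[_ ]?(mode|shell|port))\b", re.I)),
]


def find_signatures(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, name) for every signature occurrence, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while (off := image.find(magic, start)) != -1:
            hits.append((off, name))
            start = off + 1
    return sorted(hits)


def extract_strings(image: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like the strings(1) tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def triage_strings(strings: list[str]) -> list[tuple[str, str]]:
    """Label every string that matches one of the SUSPICIOUS patterns."""
    flagged = []
    for s in strings:
        for label, pat in SUSPICIOUS:
            if pat.search(s):
                flagged.append((label, s))
                break
    return flagged


# Constructed image: uImage header, gzip kernel stub, squashfs root with a few
# planted strings. Offsets: uImage at 0, gzip at 64, squashfs at 132.
FIRMWARE_IMAGE = (
    b"\x27\x05\x19\x56" + b"\x00" * 60
    + b"\x1f\x8b\x08\x00" + b"\x00\x01\x02\x03" * 16
    + b"hsqs" + b"\x00" * 32
    + b"root:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:0:0:root:/root:/bin/sh\n"
    + b"telnetd -l /bin/sh\n"
    + b"\x00\x01\x02"
    + b"PASSWORD=password123\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"ok\n"
)

if __name__ == "__main__":
    for off, name in find_signatures(FIRMWARE_IMAGE):
        print(f"0x{off:08x}  {name}")
    for label, s in triage_strings(extract_strings(FIRMWARE_IMAGE)):
        print(f"[{label}] {s[:40]}")
```

The signature pass tells you where a root filesystem starts so it can be carved and mounted for the "inspect software installed" and "look at scripts" steps; the string pass is the quick first look that often surfaces a planted /etc/passwd hash or a startup script launching telnetd before any disassembly is needed.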
ONLINE SEARCH
USER
• GOOGLE SEARCH VENDOR
• SHODAN SEARCH DEVICE AND IP
• IS YOUR IP VULNERABLE?
VENDOR
• SHODAN SEARCH DEVICE
• WHITE PAPER REVIEW
• THREAT INTELLIGENCE
FOLLOW BEST PRACTICE
VENDOR
UK CODE OF PRACTICE FOR CONSUMER IOT SECURITY
1. NO DEFAULT PASSWORDS
2. IMPLEMENT A VULNERABILITY DISCLOSURE POLICY
3. KEEP SOFTWARE UPDATED
4. SECURELY STORE CREDENTIALS AND SECURITY-SENSITIVE DATA
5. COMMUNICATE SECURELY
6. MINIMISE EXPOSED ATTACK SURFACES
7. ENSURE SOFTWARE INTEGRITY
8. ENSURE THAT PERSONAL DATA IS PROTECTED
9. MAKE SYSTEMS RESILIENT TO OUTAGES
10. MONITOR SYSTEM TELEMETRY DATA
11. MAKE IT EASY FOR CONSUMERS TO DELETE PERSONAL DATA
12. MAKE INSTALLATION AND MAINTENANCE OF DEVICES EASY
13. VALIDATE INPUT DATA
https://www.gov.uk/government/publications/secure-by-design
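Items 1 (no default passwords), 4 (securely store credentials) and 13 (validate input data) of the list above, as an added example of device-side code that is not from the original slides or from the Code of Practice itself: a credential store with no factory password at all, a policy that refuses known defaults and trivially padded defaults, input validation on the username, and salted PBKDF2 storage so that a leaked firmware or config dump does not hand out the password. KNOWN_DEFAULTS is a small constructed sample, and the username rules, length policy and storage format are assumptions for illustration.

```python
"""Device-side admin credential handling in the spirit of items 1 (no default
passwords), 4 (securely store credentials) and 13 (validate input data) of the
UK Code of Practice for Consumer IoT Security.

Added example, not from the original slides or from the Code of Practice.
KNOWN_DEFAULTS is a small constructed sample; the username rules, length
policy and storage format are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed sample of factory defaults; a real blocklist is far larger.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root",
                  "default", "pass", "support", "user", "guest"}
MIN_LENGTH = 12
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{2,31}$")   # item 13: validate input
PBKDF2_ITERATIONS = 600_000                            # assumption: tune to the device CPU


class PolicyError(ValueError):
    """Raised when a username or password violates the device policy."""


def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise PolicyError("username must be 3-32 chars: a-z, 0-9, '_' or '-', starting with a letter")
    return username


def check_password(password: str, username: str = "") -> None:
    """Reject short passwords, factory defaults and defaults padded with digits."""
    low = password.lower()
    if len(password) < MIN_LENGTH:
        raise PolicyError(f"password shorter than {MIN_LENGTH} characters")
    if low in KNOWN_DEFAULTS or re.sub(r"\d+$", "", low) in KNOWN_DEFAULTS:
        raise PolicyError("password is a known factory default")
    if username and username.lower() in low:
        raise PolicyError("password contains the username")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random salt; only this string is stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))   # constant-time compare


class DeviceCredentialStore:
    """No password exists until the owner sets one: there is no factory default."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    @property
    def provisioned(self) -> bool:
        return bool(self._records)

    def set_admin_password(self, username: str, password: str) -> None:
        validate_username(username)
        check_password(password, username)
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        if stored is None:
            return False          # unknown user, or device not yet provisioned
        return verify_password(password, stored)


def policy_rejects(username: str, password: str) -> bool:
    """True if the policy refuses this credential pair (helper for checks)."""
    try:
        validate_username(username)
        check_password(password, username)
    except PolicyError:
        return True
    return False
```

Until set_admin_password has been called there is nothing to authenticate against, which is the practical meaning of item 1: the device cannot ship with a password that a botnet's list could contain.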
FUTURE OF IOT
• IOT FRAMEWORK
• IOT REGULATION
• IOT BREACH FINES
• IOT INTEGRATION
• IOT FUSION
© 2018 ElysiumSecurity Ltd.
All Rights Reserved
www.elysiumsecurity.com
ABOUT ELYSIUMSECURITY LTD.
ELYSIUMSECURITY provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare for and respond to incidents, as well as raise security awareness throughout an organization.
ELYSIUMSECURITY provides high-level expertise gathered through years of best-practice experience in large international companies, allowing us to provide advice best suited to your business operational model and priorities.
ELYSIUMSECURITY provides a portfolio of Strategic and Tactical Services to help companies protect against and respond to Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements.
ELYSIUMSECURITY operates in Mauritius and in Europe; a boutique-style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.
