Security the IoT World!
Hello! I am Aaron Guzman
Pentester
Chapter Leader for OWASP, CSA, HTCIA
You can find me at: @scriptingxss
Agenda
The Basics: IoT? The concepts
Digging a little deeper: Supply Chain. Push out those ideas to market
The realities: Numbers on the rise
The issues: Pfft... what's security? But wait, my privacy
The Resolutions: Saving the world
The Basics: IoT
What Exactly is IoT?
“The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”
Source: http://www.gartner.com/it-glossary/internet-of-things/
Source: http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
The Concepts: IoT
Digging a little deeper
Hardware
IoT OS and Frameworks
Platform = The Cloud
Io t slides_iotvillage
Protocols for Communication
❏ Zigbee
❏ Wi-Fi
❏ NFC
❏ Z-Wave
❏ CoAP
❏ 6LoWPAN
❏ XMPP
❏ BLE
❏ SOAP
❏ REST
❏ MQTT
❏ Lutron
❏ RFID
❏ GSM
Io t slides_iotvillage
Hubs
4.9 Billion Connected Devices in 2015
Source: http://www.gartner.com/newsroom/id/2905717
PCB
❏ Pads
❏ Leads
❏ Traces
❏ Silkscreens
❏ Analog vs Digital
❏ Layers (4)
❏ Reflow
Source: https://learn.sparkfun.com/tutorials/electronics-assembly
Board Support Packages (BSP)
❏ VxWorks
❏ Marvell
❏ Broadcom
❏ Texas Instruments
❏ Intel
❏ AMD
❏ NXP
★ Create the device drivers
Original Design Manufacturer (ODM)
❏ designs and manufactures a product
❏ eventually rebranded by another firm for sale
❏ allow the brand firm to produce (either as a supplement or solely) without having to engage in the organization or running of a factory.
❏ own cloud infrastructures for customers
❏ Provide SDKs
★ Many ODMs in China
★ A dime a dozen
http://en.wikipedia.org/wiki/Original_design_manufacturer
Cloud Service Providers
❏ Amazon
❏ Microsoft
❏ Google
❏ ThingWorx
❏ ODM Clouds
❏ Have their own SDKs
❏ Who knows where else?
http://en.wikipedia.org/wiki/Original_design_manufacturer
Original Equipment Manufacturer (OEM)
❏ Manufacturers who resell another company's product under their own name and branding.
❏ Offers its own warranty, support and licensing of the product.
http://en.wikipedia.org/wiki/Original_design_manufacturer
IoT Supply Chain Process
BSP, ODM, OEM, CSP
★ Each likely to outsource development work and have multiple teams
Keep in Mind: Hardware comes from everywhere
Primary Roles: Sales, PMs, Engineers
Supply Chain Process (Cont)
Sales
★ Get the business
★ Outreach
★ Create relationships
PMs
★ Prioritizes
★ Objective based
★ Project specific to engineering team
Engineers
★ Write code
★ May not be a big team
★ Different workflows per dev team
★ Split up into features, i.e. UI team, UX team, backend, Android, iOS
Anyone Looking at Security??
Hardware Security (Exploitation)
Vectors
❏ UART
❏ JTAG
❏ EEPROM
❏ SPI
❏ SOIC
❏ I2C
Tools
❏ Shikra (UART, SPI, JTAG)
❏ Bus Pirate
❏ JTAGulator
❏ GoodFET
❏ flashrom
❏ EE Tools
❏ Chip Quik
Source: my Linksys 1900AC :)
Embedded Security
Common
❏ TCP
❏ Toolchains (Libs)
❏ UART
❏ JTAG
❏ Layer 7
❏ EEPROM
❏ Bluetooth
Less Common
❏ TCP
❏ Flash
❏ GSM
❏ GPS
❏ I2C
❏ Kernel (115 CVEs 2014)
Source: http://lwn.net/talks/2015/kr-lca-2015.pdf
Wireless Security aka RF
❏ Zigbee (2.4 GHz, 915 MHz)
  ❏ KillerBee Framework
  ❏ Soon: Xipiter’s “RFCat Zigbee”
  ❏ Atmel
❏ 802.11
  ❏ Hundreds of tools
❏ Z-Wave
  ❏ Z-Force
❏ Bluetooth LE
  ❏ nRF51822 - v1.0
❏ Proprietary bands
  ❏ TI CC1111
First time sniffing BLE traffic
Source: http://securityreactions.tumblr.com/
Android App Security
❏ WebView Security
❏ Privacy
❏ Client-side Inject
❏ AndroidManifest.xml
❏ Permissions
❏ Activities, Broadcast Receivers, Services
❏ Android APIs
❏ Memory Security
❏ addJavascriptInterface
❏ Secure Storage
❏ Transport Security
❏ SSL Pinning
iPhone App Security
❏ UIWebView Security
❏ Privacy
❏ Client-side Inject
❏ Data Protection
❏ Cloud API security
❏ iOS SDK API
❏ Memory Security
❏ Injection Attacks
❏ Memory Corruption
❏ Transport Security
❏ SSL Pinning
❏ Blackbox Assessments
❏ Logging
❏ HomeKit
Web App / Operational Security
❏ Network Security
❏ ACLs
❏ Systems
❏ DB
❏ Web servers
❏ LBs
❏ Daemons
❏ Application Security
❏ Language
❏ Frameworks
❏ 3rd Party Libs
A lot of work!!!....
Desktop Apps
❏ Windows
❏ OSX
❏ Old School CD setup
❏ Data storage
❏ Data permissions
❏ Persistence
Source: http://securityreactions.tumblr.com/
Known Security Downfalls
Source: http://securityreactions.tumblr.com/
“Because computers go through so many hands before they’re delivered to you, there’s a serious concern that anyone could backdoor the computer without your knowledge.”
Source: Jonathan Brossard - http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/
What not to do
❏ UART pins exposed unauthenticated or using simple passwords
❏ Manufacturing debugging scripts
❏ Backdoors using secret user agents
❏ Private keys on devices (don't rely on obscurity)
❏ Default passwords
★ Ton of other backdoors from software down to HDL code in the chipset
Secure It Already (Embedded)
❏ Restrict shell with tamper-resistant epoxy and silkscreen
❏ Very long passwords
❏ Update kernel and packages
❏ Harden OS by removing unused code
❏ Secure updates
❏ Secure C functions
❏ Verify and test code
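As an added example (not code from the deck): the "Secure C Functions" and "Verify and test code" items above, shown as an unbounded strcpy() copy beside a bounded, validated replacement. The device hostname setting, the 32-byte NVRAM field, and the function names are assumptions made for this example, not anything the slides describe.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Hypothetical device setting (an assumption for this example): a hostname
 * kept in a fixed-size NVRAM field, settable from the management interface. */
#define HOSTNAME_MAX 32   /* field size, including the terminating NUL */

/* The pattern the slide warns against: strcpy() has no bound, so any
 * management-interface input longer than 31 bytes writes past nvram. */
void set_hostname_unsafe(char nvram[HOSTNAME_MAX], const char *name)
{
    strcpy(nvram, name);
}

/* Bounded length: never reads more than limit bytes, so an unterminated
 * or over-long input cannot drag the scan past the field. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened replacement: explicit length bound, character whitelist and
 * guaranteed NUL termination. Returns 0 on success, -1 when the input is
 * rejected; on rejection nvram is left unchanged. */
int set_hostname(char nvram[HOSTNAME_MAX], const char *name)
{
    if (name == NULL)
        return -1;

    size_t len = bounded_len(name, HOSTNAME_MAX);
    if (len == 0 || len >= HOSTNAME_MAX)
        return -1;                 /* empty, or no room for the NUL */

    /* Only hostname characters; this also keeps shell metacharacters out
     * of a value that firmware often hands to system() or a config script. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-')
            return -1;
    }
    if (name[0] == '-' || name[len - 1] == '-')
        return -1;                 /* labels do not begin or end with '-' */

    memcpy(nvram, name, len);
    nvram[len] = '\0';             /* termination never depends on the input */
    return 0;
}

int main(void)
{
    char nvram[HOSTNAME_MAX] = "default";
    /* Constructed inputs: one valid name, one carrying a metacharacter,
     * and one that is 40 bytes long. */
    const char *inputs[] = {
        "sensor-07",
        "cam;reboot",
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = set_hostname(nvram, inputs[i]);
        printf("%-42s -> %s, nvram=\"%s\"\n", inputs[i],
               rc == 0 ? "accepted" : "rejected", nvram);
    }
    return 0;
}
```

The safe variant makes the three properties a reviewer looks for explicit: the read is bounded before any write, the write is bounded by the destination size rather than the source, and the terminator is written by the function, not copied from the input. The whitelist is a separate control that earns its keep wherever the stored value is later interpolated into a shell command or config file.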
Regulatory Impact
“Implement “security by design.” Rather than grafting security on as an afterthought, build it into your products or services at the outset of your planning process.”
Source: https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf
FTC and EU Commission
❏ Privacy By Design
❏ Security By Design
❏ Categorization of IoT devices
❏ Biggest Consumer Protection
http://www.ftc.gov/news-events/press-releases/2013/04/ftc-seeks-input-privacy-and-security-implications-internet-things
Something is Missing
IoT Supply Chain: How can we make it more secure?
Fixing The IoT
❏ LIABILITY!
❏ Security service agreements with ODMs
❏ Legal repercussions
❏ Community projects
❏ Security awareness
❏ Security processes into the SDLC
❏ A common certification standard (Wi-Fi & Zigbee)
★ Realistic? ……… Maybe
Defense in Depth!!!
How to help
Thanks! Any questions?
You can find me at: @scriptingxss
aaron.guzman@owasp.org


Editor's Notes

#18: In embedded systems, a board support package (BSP) is an implementation of specific support code (software) for a given (device motherboard) board that conforms to a given operating system. It is commonly built with a bootloader that contains the minimal device support to load the operating system and device drivers for all the devices on the board. Some suppliers also provide a root file system, a toolchain for making programs to run on the embedded system (which would be part of the architecture support package), and configurators for the devices (while running). http://en.wikipedia.org/wiki/Board_support_package
#31: RTOS - VxWorks
#32: http://www.ti.com/tool/packet-sniffer https://code.google.com/p/z-force/
#37: Common in cameras, routers malware worms?
#48: First, companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products. Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization. Third, companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers. Fourth, when companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels. Fifth, companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network. Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
#56: Liability
#59: Let's keep rippin' them!!!