SlideShare a Scribd company logo

IoT Security Briefing FBI 07 23-2017 final

Download as PPTX, PDF
F
Frank Siepmann

This document discusses Internet of Things (IoT) security. It defines IoT as interconnecting physical devices via communication technologies. It categorizes IoT devices and lists common technology vendors. It then describes why IoT devices are vulnerable in terms of cost, processing power, history of neglecting security, proprietary technologies, and inability to update. Examples of IoT attacks are also provided such as using webcams for DDoS attacks and hacking home routers and cars. The document concludes with recommended countermeasures like leveraging existing frameworks, segmentation, not relying on users, and building in automatic updates.

Internet
1 of 19
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
IoT Security Frank H. Siepmann,CISM,CISSP, ISSAP, NSA-IAM, NSA-IEM
What Is the Internet ofThings (IoT)? ITU’s Definition: “Internet of things (IoT): A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies” Source: International Telecom Union Rec. ITU-T Y.2060 (06/2012)
Categories of IoT Devices  Network IoT device (I): Devices that only exist to ensure Internet connectivity. Examples are Home routers, Home Automation Hubs, etc.  IoT only devices (II): Devices that have been created because of the Internet connectivity. Examples would be: Amazon’s Echo and Google Home  Legacy IoT enabled devices (III): Devices that have been around for years or decades that are modified to allow for Internet connectivity. Examples: Internet enabled Fridge, ConnectedThermostats, etc.
Common IoTTechnologyVendors  Major Software Platforms  AndroidThings – Google  Windows 10 IoT – Microsoft  Home Kit – Apple  AWS IoT platform – Amazon  Bosch IoT Suite – Bosch  Device Connection Platform – Ericsson  IoT Foundation Device Cloud – IBM  IoT Analytics Platform – CISCO  Etc.  Hardware Platforms  Atmel Microcontroller  Texas Instruments  ARM  Qualcomm IoT  Intel IoT  SamsungArtik IoT  LANTronix  SierraWireless  Etc.
Ecosystems where IoT is being used  Home  Internet connectivity (e.g. Router)  TV,TIVO,VoIP, Home cameras,  Home automation (e.g. Locks)  Amazon Echo, Google Home, etc.  Car  Entertainment Center, Hotspot, Maintenance, Remote control  Industry  Smart Sensors  Programable Logic Controllers (PLC)
Why are IoT DevicesVulnerable?  Cost  Manufacturing cost < 60 Cents (Source: Goldman Sachs)  Full-blown Linux running on single board computer for $5 (Raspberry Zero)  Processing Power  Many IoT devices are very limited in Resources (Single Core, RAM < 500 MB)  History  Traditionally Security has not been an issue in the various ecosystems  User Negligence  Vendor supplied password not changed  Insecure protocols (e.g.WEP) not turned off  ProprietaryTechnology  Not leveraging proven frameworks  Segmentation/Trust  Relying on “traditional” trust models  Inability to Update  No Update mechanism available to address a new security flaw Raspberry Pi Zero: $5
IoT Attack Surface  Internet  Flaws in Internet facing Services  Security Flaws in Implementation  Wireless  Use of InsecureWireless Protocol  Security through Proprietary Protocol  Security by “Distance”  Physical  Device is not physically secured Software Defined Radio (SDR) receives signals 950 – 2150 MHZ all for < $25
Shodan – IoT Search Engine Shodan • Search Engine for Internet Connected Devices • Shows which devices are connected to the Internet, where they are located and who is using them • Within minutes a list of vulnerable devices on the Internet can be compiled
Wigle.net –Wireless Search Engine Wigle.net • Consolidates location and information of wireless networks world-wide to a central database • Site is crowdsourced with people war-driving and uploading their data • Database can be queried by applications via an API
Physical Security of IoT devices Ring – Doorbell • Doorbell that usesWiFi to connect to Ring’s service, recording video and allowing for Intercom • WiFi password is stored on the device • Device is programmed via a USB connector • No physical securing of device, besides some screws
IoT “Special” Attack Vibration Speaker • Vibration Speakers (VS) get connected to surfaces that are used to emit sound • Connecting theVS to the outside of a door with glass allows to control devices like Amazon’s Alexa or Google’s Home • The possibilities are endless
Examples of IoT Attacks Webcams used for DDoS • Webcams with a security vulnerability were used to launch one of the largest DDoS attacks against Dyn, a DNS service provider. • Leveraging an amplification attack the sheer number of devices was the reason why the DDoS was initially successful. Home Router attacks • Wireless Home Routers of various vendors have been targeted by malware. Redirecting DNS calls. • One malware actually tries to secure the router by identifying other infections and trying to remove those. SAMSUNG Fridge • Samsung offers fridges that allow for your Google Calendar to be displayed. At least one model was vulnerable to a man –in-the-middle-attack, not checking the SSL certificate presented by Google (or in this case an attacker). OnStar used to control car • OnStar, used in GM vehicles, allowed for an attacker to eavesdrop on communication.With that they were able to unlock the car and start it. • Jeep had to recall 1.4m vehicles due to hackers being able to hijack most of the car’s electronic functions.
Devil’s Ivy – Vulnerability in gSoap Library used in IoT  gSoap is a framework used by many IoT companies to implement the Open NetworkVideo Interface Forum (ONVIF) protocol, used by e.g. Security cameras  Small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products (mainly physical security products)  Genivia provided updated code that fixed the security vulnerability on 6/21/2017 all within 24h of notification according to Genivia’s website.  Genivia uses static code analysis! However, the flaw was two levels down.  Many vendors struggling to get code out to the devices since updating the devices is in some cases not possible, or users do not know about the flaw or are not skilled to perform an update With a built-in update mechanism that acts independent from a user, the devices could be updated as soon as a new firmware is available. 24h for new code, not bad!
Countermeasures  Leverage Existing Frameworks  Some IoT vendors have the tendency to “re-invent” the wheel e.g. Samsung fridge. This creates a “uniqueness” that can result in vulnerabilities used but not publicly addressed.  Other people with much better cyber security skills can do the work in fixing vulnerabilities for the IoT company.  Segmentation/Trust Relationships  IoT devices that have Internet connectivity should not be part of a ecosystem that traditionally trusts each other just by being a member.  Additional mechanisms are needed to establish trust with a IoT device that has Internet connectivity e.g. signing of messages end-to-end.  Do not rely on Users for Security  Studies have shown over and over that users are the weak link. One study showed that many IoT users do not change the vendor set password.Vendors will need to “force” users to be secure.  Built-In Update mechanisms  Security “is a journey” an old saying but still true.What is secure today, might be vulnerable tomorrow.
EconomicTimes 08/13/17 – “Over 50 Billion IoT Connected Devices By 2020” What does this mean for Cybersecurity and Privacy?  Increased complexity when implementing security controls and defining regulations.  Market will expand horizontally and vertically, creating even tighter pricing with security being one cost factor to shave off.  The large number of IoT devices by itself will face the same risks as cloud. If it fails, it will fail really big.  Regulations and laws will require adjustments.Already one case with Amazon’s Echo and voice recording Amazon keeps.  Users will need to learn with IoT being in their homes that someone is watching and hearing them all the time – maybe not in real-time.
QUESTIONS ?
Contact Information Frank H. Siepmann CISM, CISSP, ISSAP, NSA-IAM, NSA-IEM Email: Frank.Siepmann@1SSA.NET Phone: +1-571-982-9907
APPENDIX
Sources  ESET survey - https://cdn5- prodint.esetstatic.com/Imported_from_GWS2_0/US/resources/press/ESET_ConnectedLiv es-DataSummary.pdf  The EconomicTimes – http://economictimes.indiatimes.com/tech/internet/50-billion-iot- connected-devices-by-2020-report/articleshow/59580306.cms  WIRED - https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering- acceleration-hacks/  The Register - https://www.theregister.co.uk/2015/08/24/smart_fridge_security_fubar/  Forbes - https://www.forbes.com/sites/thomasbrewster/2015/10/01/vigilante-malware- makes-you-safer/#4b31988b1fd5  WIRED - https://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/  Devil’s Ivy - https://www.wired.com/story/devils-ivy-iot-vulnerability/  VS Attack - https://www.youtube.com/channel/UCi-qfzbdNLFoJCUq8jRF3xw

More Related Content

PDF
Internet of Things Security Patterns
Mark Benson
 
PDF
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Design World
 
PPTX
Iot Security
MAITREYA MISRA
 
PPT
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
PDF
IoT security and privacy: main challenges and how ISOC-OTA address them
Radouane Mrabet
 
PPTX
IoT Security: Cases and Methods [CON5446]
Leonardo De Moura Rocha Lima
 
PPTX
Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
David Glover
 
PDF
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
Internet of Things Security Patterns
Mark Benson
 
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Design World
 
Iot Security
MAITREYA MISRA
 
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
IoT security and privacy: main challenges and how ISOC-OTA address them
Radouane Mrabet
 
IoT Security: Cases and Methods [CON5446]
Leonardo De Moura Rocha Lima
 
Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
David Glover
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 

What's hot (20)

PDF
IoT Security Challenges and Solutions
Intel® Software
 
PPTX
Iot(security)
Shreya Pohekar
 
PPTX
Internet of Things Security
Tutun Juhana
 
PDF
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Stanford School of Engineering
 
PPTX
Privacy and security in IoT
Vasco Veloso
 
PDF
Technology & Policy Interaction Panel at Inform[ED] IoT Security
CableLabs
 
PDF
IOT Security
Sylvain Martinez
 
PPTX
IoT Security Imperative: Stop your Fridge from Sending you Spam
Amit Rohatgi
 
PPT
IoT Security by Sanjay Kumar
OWASP Delhi
 
PDF
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
PDF
IoT security fresh thinking 2017 sep 9
Arvind Tiwary
 
PPTX
Enabling Data Protection through PKI encryption in IoT m-Health Devices
Charalampos Doukas
 
PDF
IoT Security in Action - Boston Sept 2015
Eurotech
 
PPTX
IoT Security: Cases and Methods
Leonardo De Moura Rocha Lima
 
PDF
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
CableLabs
 
PPTX
Introduction to IoT Security
CAS
 
PPTX
Iot security amar prusty
amarprusty
 
PDF
IoT Security: How Your TV and Thermostat are Attacking the Internet
Nathan Wallace, PhD, PE
 
PPTX
Iot Security, Internet of Things
Bryan Len
 
PDF
Security in the Internet of Things
ForgeRock
 
IoT Security Challenges and Solutions
Intel® Software
 
Iot(security)
Shreya Pohekar
 
Internet of Things Security
Tutun Juhana
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Stanford School of Engineering
 
Privacy and security in IoT
Vasco Veloso
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
CableLabs
 
IOT Security
Sylvain Martinez
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
Amit Rohatgi
 
IoT Security by Sanjay Kumar
OWASP Delhi
 
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
IoT security fresh thinking 2017 sep 9
Arvind Tiwary
 
Enabling Data Protection through PKI encryption in IoT m-Health Devices
Charalampos Doukas
 
IoT Security in Action - Boston Sept 2015
Eurotech
 
IoT Security: Cases and Methods
Leonardo De Moura Rocha Lima
 
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
CableLabs
 
Introduction to IoT Security
CAS
 
Iot security amar prusty
amarprusty
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
Nathan Wallace, PhD, PE
 
Iot Security, Internet of Things
Bryan Len
 
Security in the Internet of Things
ForgeRock
 
Ad

Similar to IoT Security Briefing FBI 07 23-2017 final (20)

PPTX
Assign 1_8812814ctm.pptx
pdevang
 
DOCX
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
vrickens
 
PPTX
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
ClicTest
 
PDF
The bad, the ugly and the weird about IoT
Speck&Tech
 
DOCX
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
mariuse18nolet
 
PDF
Smau Milano 2015 - Stefano Zanero
SMAU
 
PPTX
pptt.pptx
AdityaRajput317826
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
PDF
The Internet of Things – Good, Bad or Just Plain Ugly?
Yasmin AbdelAziz
 
PPTX
IOT.pptx
Bkannan2
 
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
tjane3
 
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
lmelaine
 
PDF
Security in IoT
SKS
 
PPTX
Introduction to IOT security
Priyab Satoshi
 
PPTX
IoT security
YashKesharwani2
 
PDF
IoT – Breaking Bad
NUS-ISS
 
PPTX
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
PPTX
Security challenges for internet of things
Monika Keerthi
 
PPTX
IoT Security Risks and Challenges
OWASP Delhi
 
PDF
Internet of Things - Privacy and Security issues
Pierluigi Paganini
 
Assign 1_8812814ctm.pptx
pdevang
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
vrickens
 
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
ClicTest
 
The bad, the ugly and the weird about IoT
Speck&Tech
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
mariuse18nolet
 
Smau Milano 2015 - Stefano Zanero
SMAU
 
pptt.pptx
AdityaRajput317826
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
The Internet of Things – Good, Bad or Just Plain Ugly?
Yasmin AbdelAziz
 
IOT.pptx
Bkannan2
 
Final Research Project - Securing IoT Devices What are the Challe.docx
tjane3
 
Final Research Project - Securing IoT Devices What are the Challe.docx
lmelaine
 
Security in IoT
SKS
 
Introduction to IOT security
Priyab Satoshi
 
IoT security
YashKesharwani2
 
IoT – Breaking Bad
NUS-ISS
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
Security challenges for internet of things
Monika Keerthi
 
IoT Security Risks and Challenges
OWASP Delhi
 
Internet of Things - Privacy and Security issues
Pierluigi Paganini
 
Ad

Recently uploaded (20)

PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PDF
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 

IoT Security Briefing FBI 07 23-2017 final

  • 1. IoT Security Frank H. Siepmann,CISM,CISSP, ISSAP, NSA-IAM, NSA-IEM
  • 2. What Is the Internet ofThings (IoT)? ITU’s Definition: “Internet of things (IoT): A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies” Source: International Telecom Union Rec. ITU-T Y.2060 (06/2012)
  • 3. Categories of IoT Devices  Network IoT device (I): Devices that only exist to ensure Internet connectivity. Examples are Home routers, Home Automation Hubs, etc.  IoT only devices (II): Devices that have been created because of the Internet connectivity. Examples would be: Amazon’s Echo and Google Home  Legacy IoT enabled devices (III): Devices that have been around for years or decades that are modified to allow for Internet connectivity. Examples: Internet enabled Fridge, ConnectedThermostats, etc.
  • 4. Common IoTTechnologyVendors  Major Software Platforms  AndroidThings – Google  Windows 10 IoT – Microsoft  Home Kit – Apple  AWS IoT platform – Amazon  Bosch IoT Suite – Bosch  Device Connection Platform – Ericsson  IoT Foundation Device Cloud – IBM  IoT Analytics Platform – CISCO  Etc.  Hardware Platforms  Atmel Microcontroller  Texas Instruments  ARM  Qualcomm IoT  Intel IoT  SamsungArtik IoT  LANTronix  SierraWireless  Etc.
  • 5. Ecosystems where IoT is being used  Home  Internet connectivity (e.g. Router)  TV,TIVO,VoIP, Home cameras,  Home automation (e.g. Locks)  Amazon Echo, Google Home, etc.  Car  Entertainment Center, Hotspot, Maintenance, Remote control  Industry  Smart Sensors  Programable Logic Controllers (PLC)
  • 6. Why are IoT DevicesVulnerable?  Cost  Manufacturing cost < 60 Cents (Source: Goldman Sachs)  Full-blown Linux running on single board computer for $5 (Raspberry Zero)  Processing Power  Many IoT devices are very limited in Resources (Single Core, RAM < 500 MB)  History  Traditionally Security has not been an issue in the various ecosystems  User Negligence  Vendor supplied password not changed  Insecure protocols (e.g.WEP) not turned off  ProprietaryTechnology  Not leveraging proven frameworks  Segmentation/Trust  Relying on “traditional” trust models  Inability to Update  No Update mechanism available to address a new security flaw Raspberry Pi Zero: $5
  • 7. IoT Attack Surface  Internet  Flaws in Internet facing Services  Security Flaws in Implementation  Wireless  Use of InsecureWireless Protocol  Security through Proprietary Protocol  Security by “Distance”  Physical  Device is not physically secured Software Defined Radio (SDR) receives signals 950 – 2150 MHZ all for < $25
  • 8. Shodan – IoT Search Engine Shodan • Search Engine for Internet Connected Devices • Shows which devices are connected to the Internet, where they are located and who is using them • Within minutes a list of vulnerable devices on the Internet can be compiled
  • 9. Wigle.net –Wireless Search Engine Wigle.net • Consolidates location and information of wireless networks world-wide to a central database • Site is crowdsourced with people war-driving and uploading their data • Database can be queried by applications via an API
  • 10. Physical Security of IoT devices Ring – Doorbell • Doorbell that usesWiFi to connect to Ring’s service, recording video and allowing for Intercom • WiFi password is stored on the device • Device is programmed via a USB connector • No physical securing of device, besides some screws
  • 11. IoT “Special” Attack Vibration Speaker • Vibration Speakers (VS) get connected to surfaces that are used to emit sound • Connecting theVS to the outside of a door with glass allows to control devices like Amazon’s Alexa or Google’s Home • The possibilities are endless
  • 12. Examples of IoT Attacks Webcams used for DDoS • Webcams with a security vulnerability were used to launch one of the largest DDoS attacks against Dyn, a DNS service provider. • Leveraging an amplification attack the sheer number of devices was the reason why the DDoS was initially successful. Home Router attacks • Wireless Home Routers of various vendors have been targeted by malware. Redirecting DNS calls. • One malware actually tries to secure the router by identifying other infections and trying to remove those. SAMSUNG Fridge • Samsung offers fridges that allow for your Google Calendar to be displayed. At least one model was vulnerable to a man –in-the-middle-attack, not checking the SSL certificate presented by Google (or in this case an attacker). OnStar used to control car • OnStar, used in GM vehicles, allowed for an attacker to eavesdrop on communication.With that they were able to unlock the car and start it. • Jeep had to recall 1.4m vehicles due to hackers being able to hijack most of the car’s electronic functions.
  • 13. Devil’s Ivy – Vulnerability in gSoap Library used in IoT  gSoap is a framework used by many IoT companies to implement the Open NetworkVideo Interface Forum (ONVIF) protocol, used by e.g. Security cameras  Small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products (mainly physical security products)  Genivia provided updated code that fixed the security vulnerability on 6/21/2017 all within 24h of notification according to Genivia’s website.  Genivia uses static code analysis! However, the flaw was two levels down.  Many vendors struggling to get code out to the devices since updating the devices is in some cases not possible, or users do not know about the flaw or are not skilled to perform an update With a built-in update mechanism that acts independent from a user, the devices could be updated as soon as a new firmware is available. 24h for new code, not bad!
  • 14. Countermeasures  Leverage Existing Frameworks  Some IoT vendors have the tendency to “re-invent” the wheel e.g. Samsung fridge. This creates a “uniqueness” that can result in vulnerabilities used but not publicly addressed.  Other people with much better cyber security skills can do the work in fixing vulnerabilities for the IoT company.  Segmentation/Trust Relationships  IoT devices that have Internet connectivity should not be part of a ecosystem that traditionally trusts each other just by being a member.  Additional mechanisms are needed to establish trust with a IoT device that has Internet connectivity e.g. signing of messages end-to-end.  Do not rely on Users for Security  Studies have shown over and over that users are the weak link. One study showed that many IoT users do not change the vendor set password.Vendors will need to “force” users to be secure.  Built-In Update mechanisms  Security “is a journey” an old saying but still true.What is secure today, might be vulnerable tomorrow.
  • 15. EconomicTimes 08/13/17 – “Over 50 Billion IoT Connected Devices By 2020” What does this mean for Cybersecurity and Privacy?  Increased complexity when implementing security controls and defining regulations.  Market will expand horizontally and vertically, creating even tighter pricing with security being one cost factor to shave off.  The large number of IoT devices by itself will face the same risks as cloud. If it fails, it will fail really big.  Regulations and laws will require adjustments.Already one case with Amazon’s Echo and voice recording Amazon keeps.  Users will need to learn with IoT being in their homes that someone is watching and hearing them all the time – maybe not in real-time.
  • 17. Contact Information Frank H. Siepmann CISM, CISSP, ISSAP, NSA-IAM, NSA-IEM Email: Frank.Siepmann@1SSA.NET Phone: +1-571-982-9907
  • 19. Sources  ESET survey - https://cdn5- prodint.esetstatic.com/Imported_from_GWS2_0/US/resources/press/ESET_ConnectedLiv es-DataSummary.pdf  The EconomicTimes – http://economictimes.indiatimes.com/tech/internet/50-billion-iot- connected-devices-by-2020-report/articleshow/59580306.cms  WIRED - https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering- acceleration-hacks/  The Register - https://www.theregister.co.uk/2015/08/24/smart_fridge_security_fubar/  Forbes - https://www.forbes.com/sites/thomasbrewster/2015/10/01/vigilante-malware- makes-you-safer/#4b31988b1fd5  WIRED - https://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/  Devil’s Ivy - https://www.wired.com/story/devils-ivy-iot-vulnerability/  VS Attack - https://www.youtube.com/channel/UCi-qfzbdNLFoJCUq8jRF3xw