SlideShare a Scribd company logo

Securing the Internet of Things

C
Christopher Frenz

This document discusses security issues with Internet of Things (IoT) devices and proposes solutions. It summarizes the 2016 Mirai botnet attack that took down major websites. Default passwords allow the easy compromise of hundreds of thousands of IoT devices. Proposed solutions include network segmentation of IoT devices, internal firewalls, adopting a zero trust model, and consumers pressuring manufacturers to build more secure products. An IoT nutrition label is suggested to help consumers compare security. Overall the document analyzes current IoT vulnerabilities and strategies to address them.

Technology
Related topics:
Information Security
1 of 19
Downloaded 42 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
SECURING THE INTERNET OF THINGS Christopher Frenz
THE NEED FOR IOT SECURITY???
MIRAI BOTNET AND DDOS
ATTACK ON DYN • 1.2 Tbps DDoS Attack from 100K malicious endpoints • Brought down Twitter, Netflix, Reddit, CNN, Paypal, and others • 145K domains affected • Dyn lost 14.5 domains as customers Image – downdetector.com
LOCALIZED TARGETS
IOT IN HEALTHCARE
PRIVACY ISSUES AS WELL
MIRAI • What makes these attacks so scary is not the level of sophistication of the malware itself, but actually its lack of sophistication in how it gains control of IoT devices. • The source code or Mirai is available: • https://github.com/jgamblin/Mirai-Source-Code • Mirai and the related Bashlight malware make use of default usernames and passwords
SCANNER.C • This Mirai source code file scanner.c lists a combination of 62 default user names and passwords • Sophos estimates that this simple list of passwords is enough to compromise hundreds of thousands IoT devices User Name Password User Name Password User Name Password root xc3511 admin 1111 root zlxx. root vizxv root 666666 root 7ujMko0vizxv root admin root password root 7ujMko0admin admin admin root 1234 root system root 888888 root klv123 root ikwb root xmhdipc Administrator admin root dreambox root default service service root user root juantech supervisor supervisor root realtek root 123456 guest guest root 0 root 54321 guest 12345 admin 1111111 support support guest 12345 admin 1234 root (none) admin1 password admin 12345 admin password administrator 1234 admin 54321 root root 666666 666666 admin 123456 root 12345 888888 888888 admin 7ujMko0admin user user ubnt ubnt admin 1234 admin (none) root klv1234 admin pass root pass root Zte521 admin meinsm admin admin1234 root hi3518 tech tech root 1111 root jvbzd mother fucker admin smcadmin root anko
OWASP IOT TOP 10 Vulnerability Rank Vulnerability Name 1 Insecure Web Interface 2 Insufficient Authentication/Authorization 3 Insecure Network Services 4 Lack of Transport Encryption/Integrity Verification 5 Privacy Concerns 6 Insecure Cloud Interface 7 Insecure Mobile Interface 8 Insufficient Security Configurability 9 Insecure Software/Firmware 10 Poor Physical Security
IOT CRUSHER
WHERE IS ALL MY DATA? • Organizations should have a map of where all of their data assets are and where their data flows to • This effort needs involve more than just IT. A surprising amount of sensitive data may not be under the control of IT (HR, Finance, etc) • Finance sending data to an external vendor for revenue cycle management or collections • Paper based records such as a morgue logbook may still have PII • Shadow IT, BYOD, etc • This map should include data collected and distributed by IoT devices like security cameras, medical devices, etc.
INTERNAL FIREWALLS, NETWORK SEGMENTATION, INTERNAL IDS • Traffic to and from IoT devices should be isolated as much as possible from the rest of your network – VLANs, ACLs, etc. • In healthcare it is becoming common to place a firewall in front of network enabled medical equipment to restrict traffic flows • IDS and threat detection is not just a good idea at the perimeter – it should be used to examine internal traffic as well
ZERO TRUST • With increasing virtualization of servers and desktops security at the virtual machine level should not be ignored • Software Defined Networking and security products like NSX and Hyper-V network virtualization make approaching zero trust networks more feasible
TOP 10 IOT SECURITY CONTROLS FOR IOT DEVELOPERS • No default passwords or hardcoded passwords post initial setup • Account Lockouts after 3-5 failed logins • Password complexity filters • No unsecured connections • No administrative access on internet facing interfaces • Network level access controls • Update Mechanisms • Encryption at rest • Differing account access levels • Privacy by Design Principles http://www.codeguru.com/IoT/ understanding-iot-security-for- iot-developers.html
HOW DO WE GET MANUFACTURERS TO CARE • Consumers need to put economic pressure on manufacturers to produce secure devices • Customers need to vote with their wallet and not purchase products that cannot be properly secured • The average consumer does not know enough about security to make good decisions as to which products are secure and which are not
IOT NUTRITION LABEL Makes it easy for non- savvy consumers to compare the security of IoT devices If enough industry backing can be gained where the use of such labelling becomes commonplace vendors will strive to eliminate red Xs from their label
ENOUGH MOMENTUM?
QUESTIONS • https://www.linkedin.com/in/christopherfrenz/

More Related Content

PPTX
Iot Security, Internet of Things
Bryan Len
 
PPT
IoT Security by Sanjay Kumar
OWASP Delhi
 
PDF
Internet of Things Security Patterns
Mark Benson
 
PDF
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Design World
 
PPTX
Privacy and Security in the Internet of Things
Jeff Katz
 
PPTX
Privacy and security in IoT
Vasco Veloso
 
PDF
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
PDF
Internet of Things - Privacy and Security issues
Pierluigi Paganini
 
Iot Security, Internet of Things
Bryan Len
 
IoT Security by Sanjay Kumar
OWASP Delhi
 
Internet of Things Security Patterns
Mark Benson
 
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Design World
 
Privacy and Security in the Internet of Things
Jeff Katz
 
Privacy and security in IoT
Vasco Veloso
 
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
Internet of Things - Privacy and Security issues
Pierluigi Paganini
 

What's hot (20)

PDF
Security in the Internet of Things
ForgeRock
 
PDF
Security challenges for IoT
WSO2
 
PPTX
Internet of Things Security
Tutun Juhana
 
PDF
Privacy & Security for the Internet of Things
Gerry Elman
 
PPTX
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES
Manisha Luthra
 
PPTX
IoT Security Middleware: evaluating the threats and protecting against them
Nick Allott
 
PDF
IOT Security
Sylvain Martinez
 
PPTX
IoT Security Imperative: Stop your Fridge from Sending you Spam
Amit Rohatgi
 
PPTX
Internet of Things (IoT) Security
shiriskumar
 
PPTX
IOT privacy and Security
noornabi16
 
PPTX
Iot(security)
Shreya Pohekar
 
PDF
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
PPTX
IoT Security Briefing FBI 07 23-2017 final
Frank Siepmann
 
PPTX
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
DOCX
Security and Privacy considerations in Internet of Things
Somasundaram Jambunathan
 
PPTX
Security issues and solutions : IoT
Jinia Bhowmik
 
PDF
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
IJCSIS Research Publications
 
PPTX
IoT security
YashKesharwani2
 
PPTX
IoT Security Training, IoT Security Awareness 2019
Tonex
 
PPT
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
Security in the Internet of Things
ForgeRock
 
Security challenges for IoT
WSO2
 
Internet of Things Security
Tutun Juhana
 
Privacy & Security for the Internet of Things
Gerry Elman
 
ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES
Manisha Luthra
 
IoT Security Middleware: evaluating the threats and protecting against them
Nick Allott
 
IOT Security
Sylvain Martinez
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
Amit Rohatgi
 
Internet of Things (IoT) Security
shiriskumar
 
IOT privacy and Security
noornabi16
 
Iot(security)
Shreya Pohekar
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
IoT Security Briefing FBI 07 23-2017 final
Frank Siepmann
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
Security and Privacy considerations in Internet of Things
Somasundaram Jambunathan
 
Security issues and solutions : IoT
Jinia Bhowmik
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
IJCSIS Research Publications
 
IoT security
YashKesharwani2
 
IoT Security Training, IoT Security Awareness 2019
Tonex
 
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
Ad

Viewers also liked (17)

PPT
Pengetahuan Bahan Makanan
irmafardik
 
PPTX
місто Суми
Valentina Yashchenko
 
PPTX
Trichomonas
Esthersita Caballero
 
PPTX
clasificacion de las empresas
jorge alberto antonio torres
 
PDF
2 eso
Santiago Campos zurano
 
PDF
Green Man Gaming Overview - March 2017
Green Man Gaming
 
PDF
Ejerciciosderefuerzodematematicas
Santiago Campos zurano
 
PPT
Σχολικός Εκφοβισμός από την Ε' τάξη
Ευαγγελία Καρακούτα
 
PPT
Bhel( Bharat Heavy Electricals Limited )
Shashwat Mishra
 
PPTX
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
Eric Vanderburg
 
PPTX
Era cenozoica o terciaria
Carol Martínez
 
PDF
Leadership, Management & Innovation
Jean-Charles Neau
 
PPTX
Question 1
jack gould
 
PPT
Inquiry training model [compatible]
Kiran Dammani
 
PDF
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
L. Duke Golden
 
PPTX
Security in IoT
gr9293
 
PDF
Newsletter n. 3
Vittorio Versace
 
Pengetahuan Bahan Makanan
irmafardik
 
місто Суми
Valentina Yashchenko
 
Trichomonas
Esthersita Caballero
 
clasificacion de las empresas
jorge alberto antonio torres
 
2 eso
Santiago Campos zurano
 
Green Man Gaming Overview - March 2017
Green Man Gaming
 
Ejerciciosderefuerzodematematicas
Santiago Campos zurano
 
Σχολικός Εκφοβισμός από την Ε' τάξη
Ευαγγελία Καρακούτα
 
Bhel( Bharat Heavy Electricals Limited )
Shashwat Mishra
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
Eric Vanderburg
 
Era cenozoica o terciaria
Carol Martínez
 
Leadership, Management & Innovation
Jean-Charles Neau
 
Question 1
jack gould
 
Inquiry training model [compatible]
Kiran Dammani
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
L. Duke Golden
 
Security in IoT
gr9293
 
Newsletter n. 3
Vittorio Versace
 
Ad

Similar to Securing the Internet of Things (20)

PDF
Cybersecurity
nado-web
 
PDF
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
HITCON GIRLS
 
PPTX
U nit 4
Integral university, India
 
PPTX
It security the condensed version
Brian Pichman
 
PPTX
Lock it Down: Access Control for IBM i
Precisely
 
PDF
Controlling Access to IBM i Systems and Data
Precisely
 
PPTX
securing_information_systems_._lec6.pptx
tasniahnuha
 
PDF
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
PPTX
The Threat Is Real. Protect Yourself.
2nd Sight Lab
 
PDF
Cyber Security.pdf
preethajoseph5
 
PDF
Crush Common Cybersecurity Threats with Privilege Access Management
BeyondTrust
 
PPTX
Implementing security for your library | PLAN Tech Day Conference
Brian Pichman
 
PPTX
Security Testing for IoT Systems
Security Innovation
 
PPTX
IoT Security: Debunking the "We Aren't THAT Connected" Myth
Security Innovation
 
PDF
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
BeyondTrust
 
PPTX
The Internet of Everything is Here
Lancope, Inc.
 
PPTX
Cyber Security Overview for Small Businesses
Charles Cline
 
PPTX
IoT DDoS Attacks: the stakes have changed
Great Bay Software
 
PPT
Chapter 5 MIS
Amirul Shafiq Ahmad Zuperi
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
Cybersecurity
nado-web
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
HITCON GIRLS
 
U nit 4
Integral university, India
 
It security the condensed version
Brian Pichman
 
Lock it Down: Access Control for IBM i
Precisely
 
Controlling Access to IBM i Systems and Data
Precisely
 
securing_information_systems_._lec6.pptx
tasniahnuha
 
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
The Threat Is Real. Protect Yourself.
2nd Sight Lab
 
Cyber Security.pdf
preethajoseph5
 
Crush Common Cybersecurity Threats with Privilege Access Management
BeyondTrust
 
Implementing security for your library | PLAN Tech Day Conference
Brian Pichman
 
Security Testing for IoT Systems
Security Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
Security Innovation
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
BeyondTrust
 
The Internet of Everything is Here
Lancope, Inc.
 
Cyber Security Overview for Small Businesses
Charles Cline
 
IoT DDoS Attacks: the stakes have changed
Great Bay Software
 
Chapter 5 MIS
Amirul Shafiq Ahmad Zuperi
 
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 

Recently uploaded (20)

PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
KodekX | Application Modernization Development
KodekX
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Teaching material agriculture food technology
LiaRayya
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

Securing the Internet of Things

  • 1. SECURING THE INTERNET OF THINGS Christopher Frenz
  • 2. THE NEED FOR IOT SECURITY???
  • 4. ATTACK ON DYN • 1.2 Tbps DDoS Attack from 100K malicious endpoints • Brought down Twitter, Netflix, Reddit, CNN, Paypal, and others • 145K domains affected • Dyn lost 14.5 domains as customers Image – downdetector.com
  • 8. MIRAI • What makes these attacks so scary is not the level of sophistication of the malware itself, but actually its lack of sophistication in how it gains control of IoT devices. • The source code or Mirai is available: • https://github.com/jgamblin/Mirai-Source-Code • Mirai and the related Bashlight malware make use of default usernames and passwords
  • 9. SCANNER.C • This Mirai source code file scanner.c lists a combination of 62 default user names and passwords • Sophos estimates that this simple list of passwords is enough to compromise hundreds of thousands IoT devices User Name Password User Name Password User Name Password root xc3511 admin 1111 root zlxx. root vizxv root 666666 root 7ujMko0vizxv root admin root password root 7ujMko0admin admin admin root 1234 root system root 888888 root klv123 root ikwb root xmhdipc Administrator admin root dreambox root default service service root user root juantech supervisor supervisor root realtek root 123456 guest guest root 0 root 54321 guest 12345 admin 1111111 support support guest 12345 admin 1234 root (none) admin1 password admin 12345 admin password administrator 1234 admin 54321 root root 666666 666666 admin 123456 root 12345 888888 888888 admin 7ujMko0admin user user ubnt ubnt admin 1234 admin (none) root klv1234 admin pass root pass root Zte521 admin meinsm admin admin1234 root hi3518 tech tech root 1111 root jvbzd mother fucker admin smcadmin root anko
  • 10. OWASP IOT TOP 10 Vulnerability Rank Vulnerability Name 1 Insecure Web Interface 2 Insufficient Authentication/Authorization 3 Insecure Network Services 4 Lack of Transport Encryption/Integrity Verification 5 Privacy Concerns 6 Insecure Cloud Interface 7 Insecure Mobile Interface 8 Insufficient Security Configurability 9 Insecure Software/Firmware 10 Poor Physical Security
  • 12. WHERE IS ALL MY DATA? • Organizations should have a map of where all of their data assets are and where their data flows to • This effort needs involve more than just IT. A surprising amount of sensitive data may not be under the control of IT (HR, Finance, etc) • Finance sending data to an external vendor for revenue cycle management or collections • Paper based records such as a morgue logbook may still have PII • Shadow IT, BYOD, etc • This map should include data collected and distributed by IoT devices like security cameras, medical devices, etc.
  • 13. INTERNAL FIREWALLS, NETWORK SEGMENTATION, INTERNAL IDS • Traffic to and from IoT devices should be isolated as much as possible from the rest of your network – VLANs, ACLs, etc. • In healthcare it is becoming common to place a firewall in front of network enabled medical equipment to restrict traffic flows • IDS and threat detection is not just a good idea at the perimeter – it should be used to examine internal traffic as well
  • 14. ZERO TRUST • With increasing virtualization of servers and desktops security at the virtual machine level should not be ignored • Software Defined Networking and security products like NSX and Hyper-V network virtualization make approaching zero trust networks more feasible
  • 15. TOP 10 IOT SECURITY CONTROLS FOR IOT DEVELOPERS • No default passwords or hardcoded passwords post initial setup • Account Lockouts after 3-5 failed logins • Password complexity filters • No unsecured connections • No administrative access on internet facing interfaces • Network level access controls • Update Mechanisms • Encryption at rest • Differing account access levels • Privacy by Design Principles http://www.codeguru.com/IoT/ understanding-iot-security-for- iot-developers.html
  • 16. HOW DO WE GET MANUFACTURERS TO CARE • Consumers need to put economic pressure on manufacturers to produce secure devices • Customers need to vote with their wallet and not purchase products that cannot be properly secured • The average consumer does not know enough about security to make good decisions as to which products are secure and which are not
  • 17. IOT NUTRITION LABEL Makes it easy for non- savvy consumers to compare the security of IoT devices If enough industry backing can be gained where the use of such labelling becomes commonplace vendors will strive to eliminate red Xs from their label