This Time, It’s Personal: Why Security and the IoT Is Different
1 like243 views
The document discusses the Internet of Things (IoT) and its unique security challenges, emphasizing the difference from traditional Internet of Computers (IoC) due to massive scale changes and personal data vulnerability. It outlines various security exploits, anti-patterns to avoid, and emerging techniques such as two-factor authentication and decentralized data storage. The author, Justin Grammens, underscores the importance of applying established security practices to IoT as data becomes increasingly personal and unfiltered.
This Time, It’s Personal: Why Security and the IoT Is Different
- 1. THIS TIME IT’S PERSONAL Why Security and the IoT is Different Justin Grammens, Lab 651
- 2. Fear of the Internet of Things
- 3. What We’ll Cover • About Me • What is the Internet of Things • What’s the big deal? • Example security exploits • Anti-Patterns that should guarded against • Emerging security techniques
- 4. About Me • Software Engineer for 20+ years • Serial Entrepreneur • Cofounder of Lab 651& IoT Fuse • Adjunct Professor at University of Saint Thomas teaching IoT • Publisher of IoT Weekly News • Excited for the next wave of connected things!
- 5. What is the Internet of Things? Formal: The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to connect and exchange data. Practical: The physical world becoming one big information system. We are moving from Internet of Computers (IoC) to IoT. It should actually be called “Things on the Internet”.
- 6. IoC vs IoT… What’s the Big Deal? 1. Massive Changes in Scale 2. Impact on the Physical World
- 9. Security Needs to Be Addressed at Each Level
- 10. Security of IoT vs IoC • IoT has both information attacks and physical tampering • Nearly all use wireless communications • “Denial of sleep” attacks to kill battery • Devices are expected to run with low power • Operating systems may not support sophisticated security approaches • Often not easily updatable and no screen / user interface • It’s not the massive, but smaller scale attacks are more worrisome
- 11. IoT vs IoC – Personal Data • Estimated that the average household generates ~2TB of data a year, by 2020 expected to be 10TB of personal data. • Researchers found that Vizio & Samsung T.V’s send data to 3rd parties are have known vulnerabilities to listen into your home or what you watch • FitBit can tell if you are active or not when you say you are • Police used a woman’s Fitbit to discount a story of assault • Tesla using data logs to disprove claims by automotive reviewers • Things are becoming personal…
- 12. Hacking Devices “Broken Hearts” episode, Homeland, 2012
- 13. Yeah, but is this actually possible?
- 16. Open Camera
- 17. This is new, but is it?
- 18. Mirai Botnet • Malware infecting IP cameras, routers & DVR players • Infected between more than 600,000 devices • Started by 3 college students • Some countries in Africa were taken offline • Could have affected more than 185 million devices * * Source: http://www.newsweek.com/mirai-botnet- brought-down-internet-was-minecraft-stunt-747806
- 19. Owlet Baby Monitor • Monitor your baby’s heartrate & oxygen level • Base station creates a completely open WiFi • Anyone in range could • Send data to another network/server • Disable alerts • Nest camera had similar exploit
- 20. Jeep Hack • In 2015 security researchers hacked a Jeep to take control of the vehicle • Used cellular network and the devices Controller Area Network (CAN)Bus • Chrysler recalled 1.4 million vehicles to fix this issue
- 21. Anti-Patterns • Doing too much • Just because you can run a full Linux OS, should you? • Consider your end user – do they need root access? • Input validation and buffer overflows need to be checked • Bugs • Integer overflows • Race conditions • Memory corruption
- 22. Anti-Patterns • Weak encryption • Service Passwords • No authentication • Default credentials that are easily discoverable • Permanent credentials ( for support ), never changeable • Failure to allow for revocation of credential or privilege • Failure to allow for delegation of privilege to another legitimate party (forces work arounds) • Unclear instructions or defaults to the device be online, rather than opt in
- 23. Anti-Patterns • No Authentication • CAN bus how communication happens within an automobile. Never designed for connections over the internet. • Default Credentials • EURECOM found 100,000 internet facing IoT devices with default passwords • Permanent Credentials • ComfortLink thermostat set root passwords that could not be changed. Finally fixed after 2 years
- 24. Online Trust Alliance – IoT Rules • Default passwords must be prompted to be reset or changed on first use • All users must adhere to SSL best practices using industry standards • All device sites and cloud services must use HTTPS encryption • Manufacturers must conduct penetration testing of devices, applications and services • Manufacturers must have remediation plans when vulnerabilities are found • All updates, patches, revision must be signed and verified • Manufactures must provide a mechanism for the transfer of ownership
- 25. Emerging IoT Security Techniques • TPM ( Trusted Platform Module ) – Cryptographic keys burned into devices as it’s produced • Two factor (or more) authentication • Location based as verification • Using a paired device (smartwatch) as access control • Only send the data that you need and nothing more
- 26. Emerging IoT Security Techniques • Where possible, say no to big data backends • Forbes reports more than 112 million records spilled in 2015 • More than a petabyte (1015 bytes) of data accidentally exposed online • New York Times reported that $50 million stolen from over 100,000 people using “Get Transcripts” service from the IRS • Instead - use concepts from Distributed Computing Systems • Store data close to the person • Provide time based access and deletion
- 27. Data Type Best Location for Data Consequences If Data Is Lost, or the Network Is Compromised or Disrupted Sensitive/personal data On a personal device such as a phone, laptop, backup hard drive, or home computer Loss of employment; public humiliation; bullying or social isolation, which could potentially lead to suicide Medical data On a local device that can be shared with medical professionals on a timed clock Blackmailing; loss of employment Business data (e.g., LinkedIn profile) On publicly accessible servers (shared) N/A (this data was created with the intention of sharing it) Home automation system On a local network within the home without access to a larger network Loss of access to or control of lights, thermostats, or other home systems Credit: Calm Technology, Amber Case
- 28. Summary • The world of connected devices ( IoT ) is still an emerging field • Data available will become increasing personal and unfiltered • As with prior technology changes: • The IoT ( and mistakes ) will happen whether we like it or not • Apply many of the same security practices from the IoC • Leverage distributed computing and best practices for data storage • Always provide mechanisms for updates