Principles of IoT security
1. Principles of IoT Security
Stephanie Sabatini, Cyber Security Professional
2. Principles of IoT Security Agenda
Over the next 20 minutes we’ll discuss the following:
The Fear
• Be afraid (very afraid)
The Challenge
• IoT Security isn’t easy
The Solution
• Don’t be a statistic
4. IoT Security – The Fear
• Baby monitors
• Thermostats
• Cars
• Medical devices
• Children’s toys
• Toasters
• Locks
• Etc.
5. IoT Security – The Fear
Gartner predicts 26 billion devices by 2020
• Revenue exceeding $300 billion in 2020
• $1.9 Trillion in global economic impact
The financially motivated attacker has 26 billion targets and 300 billion reasons.
7. IoT Security – The Challenge
The top 10 security challenges with IoT:
1. Insecure Web Interface
2. Insufficient Authentication / Authorization
3. Insecure Network Services
4. Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software / Firmware
10. Poor Physical Security
8. IoT Security – The Challenge
Many IoT producers aren’t committed to security the way a major tech company would be. Toy companies are one example: internet-connected toys made by Mattel Inc. (Fisher Price brand) have been hacked, revealing the names, ages and geographical location of children. They specialize in making toys – not security.
These ‘things’ live differently than traditional internet-connected devices. Many attacks that we have seen so far take advantage of these differences.
The challenge is applying security controls on non-traditional devices. The principle is the same, but the control itself needs to be adapted (or innovated) to fit the security gap.
Network + Application + Mobile + Cloud = IoT
10. IoT Security – The Solution
Security by design and a defense in depth approach will consider security from the design phase to the end-of-life and destruction of information phase.
Defense in depth layers (diagram): Perimeter, Network, Host, Application, Data
11. IoT Security – The Solution
A holistic approach needs to be built in – not bolted on
• The device (end point security)
• The cloud
• The mobile application
• The network interfaces
• Encryption
• Authentication
• Patching
• Physical security
• Data Destruction
12. IoT Security – The Solution
Developers – build components securely using secure development methodologies and perform static code analysis.
Infrastructure Support – build infrastructure with secure end points, detective and preventative controls.
Testers – include all attack vectors in testing methodologies.
Manufacturers – Due diligence! Check, test, audit – make sure that you are manufacturing a secure product by bringing experts to the table. Plan for sufficient budgets.
Consumers – change passwords regularly, use encryption – use the technology safely.
14. IoT Security – The Conclusion
• DO NOT TRY THIS AT HOME!
• Experts! Call the experts!
• Expert solutions can’t be matched by homegrown solutions.
• DON’T PANIC
• Defense in depth
• Innovate!
IoT devices are often sold or transferred during their lifespan, they are connected for longer periods of time, and they do not follow a traditional 1-to-1 model of users to applications.