V Międzynarodowa Konferencja Naukowa Nauka o informacji (informacja naukowa) w okresie zmian Innowacyjne usługi informacyjne. Wydział Dziennikarstwa, Informacji i Bibliologii Katedra Informatologii, Uniwersytet Warszawski, Warszawa, 15 – 16 maja 2017
Christopher Biedermann, EmiTel Ltd: Cybersecurity and the Internet of Things
1. CYBERSECURITY AND
THE INTERNET OF
THINGS
Chris Biedermann
Chief Financial Officer, Chief Data Security Officer – Emitel
PhD Student – Warsaw University of Technology
2. Information is Everywhere
• Why a discussion on “The Internet of
Things” at a conference on Information
Services?
• With the dramatic growth in connected devices information is now effectively
accumulated and stored a vast array of common devices
• Commonplace “things” that in the past posed no security risk now need to be
thought of in a different light
• Source of confidential information that needs to be adequately protected
• End point that can be used to attack larger systems
• The basic tenants of cybersecurity “CIA” need to be incorporated into how we
view everyday devices
3. What is “IOT”
• IOT – the “Internet of Things”
• A growing universe of “things” that are now connected to
the internet
• Includes appliances, switches, cars,
medical devices, etc…
• Connecting to the internet opens
up a vast array of new opportunities
4. The IoT
Connecting a myriad of
devices (actuators and
sensors) with each other
and to higher level
processing centers in the
cloud
- Cloud can utilize more
sophisticated
algorithms
- Cloud can store
massive amount of
data collected for more
intelligent analysis
(data mining)
Communication
performed utilizing the
internet and internet
protocols
5. Growth of the IoT
• Still in the early stage
• Gartner estimates that by 2020 over 20 billion IoT
connected devices will be in place
• Ericsson predicted
that by the end of
2018 there will be
more IoT
connections than
phone subsriptions
Source: NCTA, Gartner
6. IoT Growth will bring new opportunities
• Smart Home
• Smart City
• Smart Medical Devices
• Self Driving Cars
7. New sources of risks
• New ways to hack or disrupt systems
• New sources of data privacy concerns
• All sorts of common day “things” may be storing potentially
Confidential and Personally identifiable information
• Day to day habits of consumers will be tracked in ways not seen
before
• All this data has value for both legitimate and non legitimate
persons
8. Case Study: example of IoT security risk
• Example - DDoS Attack in October 2016
• DDoS attack utilized distributed computers to overwhelm a target
server
• Unknown group launched the attack (using Marai botnet) on DNS
server that served major corporations such as Amazon, Twitter, Netflix
• Unique as attacked utilized vulnerabilities in common IoT devices (e.g.
smart TV’s) to carry out the attack
9. Infected devices found in over 164
countries
• Devices that were most vulnerable and therefore most
likely hijacked were home security systems, home
monitoring cameras and smart TVs
10. Poor security practices are primarily to
blame
• The malicious software (Marai) found easy targets by
scanning IP addresses looking for poorly secured devices
• Many simple IoT devices such as IP cameras or
smartTV’s did not have passwords changed from default
ones.
• In some cases the devices had hardcoded
passwords that could not be changed
• Once attackers had control of the device
they could use it to launch the DDoS attack
11. Implications
• Hijacking of devices
• Marai example
• Baby monitors
• Japanese toilet example
• Many devices track non standard personal information
(e.g. track behaviors of people) – information is valuable
and can be sold
• What are we doing
• What are we using
• Where are we going
• Significant improvement in overall state of IoT Security
required
12. IoT security – underlying issues
• IT was estimated that less than 10% of IoT devices on the
market are designed with adequate security
• Lack of consumer awareness
• IoT devices however present unique new challenges – the tend
to have lower processing power and memory than traditional
connected devices – difficulties with
• Encryption methodologies
• Automatic patching and updates
• installation of anti-virus programs
• Lack of standards
Source: IoT Security Foudnation
13. Potential Solutions
• Technologies will improve to provide some solutions
• However other fundamental changes need to take place
• Drive for open standards
• In most cases today systems from different producers operate in silos
and can not talk to each other
• Industry change and consolidation
• Many smaller players developing proprietary systems
• Consumer education
14. Considerations for average consumer
• Awareness – know what devices are connected and the
associated risks
• Any malware placed on
computing devices
(e.g. PC, tablet, phone)
can be used to
access IoT devices
on the same network
• Similar guidelines as with PC’s
• Always change default passwords
• Create strong passwords (.eg. I*have*3*children)
• Social Engineering
Be careful of phishing emails