This is a talk I gave in St. Louis in April 2018 about how businesses need to understand the Internet of Things and how they can better protect themselves.
5. Agenda
• What is the IoT, really?
• Notable recent IoT security disasters
• What makes these devices unsafe
• It isn’t just what you have in your home or
business
• What you can do to be more secure
25. What makes devices unsafe?
• Insecure firmware
• Or lousy updates of your firmware
• Operating system bugs (Windows esp.)
• Bad coding practices by device makers
• Application insecurity
• Physical security: like that fishtank
26. What is wrong with devices
Many devices have
no security
whatsoever: Once
you know the
device’s IP
address, game
over
27.
28.
29. Many privacy issues
• Device passwords often ignored – or
sometimes can’t be changed
• Device permissions rarely monitored
• Devices can be used to launch network-based
attacks and spread malware
• Device firmware rarely upgraded or tracked
38. For further reading
• https://www.hpe.com/us/en/insights/articles/9-ways-
to-make-iot-devices-more-secure-1701.html
• https://www.theguardian.com/world/2018/jan/28/fitn
ess-tracking-app-gives-away-location-of-secret-us-
army-bases
• https://www.bleepingcomputer.com/news/security/ab
out-90-percent-of-smart-tvs-vulnerable-to-remote-
hacking-via-rogue-tv-signals/
• (Network printers)
https://blog.strom.com/wp/?p=5751
39. (c) 2018 David Strom Inc.
http://strominator.com
39
David Strom, david@strom.com
strominator.com
Subscribe to my newsletter: inside.com/security
These slides can be found here:
http://slideshare.net/davidstrom
Hinweis der Redaktion
Understanding the security implications of the Internet of Things
We are awash in many IoT devices, such as web cams, Amazon Alexa, Nest thermostats and Apple smart watches. But these and other devices can be an issue in staying secure, both in our homes and across our workplaces. In this talk, I will describe the landscape and suggest how people can better protect themselves against potential IoT security threats and where these threats are likely to come from.
Consumer IoT devices – Apple Smart Watch, Alexa from Amazon and Google Home, and the Nest thermostat
I write about various B2B security products for business trade publications, and also produce this regular newsletter via email for Inside.com, Sign up now for free!
I used to write for the NY Times about computer topics.
Rasberry Pi, Arduino, Android Things platform Insulin pumps
You can play you tube videos and music on your wall switch. This is progress?
In addition to these devices, there are also Traffic sensors and Cop body cams that can connect to business networks.
Notable IoT Exploits
The classic insider revenge scenario dates back to 1999, when VitekBoden was applying for a job for the Maroochy county sewer district in Australia. He was a contractor for the district and the county decided not to hire him. To seek revenge, he caused thousands of gallons of raw sewage to be dumped into the local waterways, using a series of radio commands. He was eventually caught by a police officer with various RF equipment. What is important to note is that Boden had all this insider knowledge, yet never worked for the agency that he attacked. He was able to disguise his actions and avoid immediate detection by the agency IT department, which never had any security policies or procedures in place for disgruntled employees.
This is perhaps the most infamous example of IoT – the uranium enrichment centrifuges that operated at the Iran Natanz facility that were targeted by the Stuxnet malware. The malware compromise the computers controlling the centrifuges in an attempt to thwart Iran’s nuclear weapons program.
More info:
http://readwrite.com/2011/06/28/how-symantec-cracked-stuxnet/
Earlier this year UnderArmour revealed that it had leaked more than 150 million users of its app called MyFitness Pal. While not specifically an IoT device, it does work with their fitness tracking apps. Another way to lose weight: have your data leaked by a formerly trusted vendor.
They entered the casino’s network through an IoT-connected thermometer, and then moved around the casion’s network until they found a copy of their high roller’s database.
This Western Digital NAS drive has a hard-coded username and password that enables hackers to insert exploit code on the drives and use them as part of a botnet. This means that every command executed through the web interface has full access to the operating system -- an attacker would have the keys to the kingdom.
https://www.engadget.com/2017/03/05/wd-my-cloud-security-exploits/
The original IoT enterprise device: the HP Jet Direct printer interface. First invented back in 1991, it has been a source of network vulnerabilities for decades. The early models didn’t have any telnet passwords, making them a hacker’s playground. A few years ago HP came out with more protected printers that lock down their BIOS and have built-in intrusion detection.
https://blog.strom.com/wp/?p=5751
Imperva found in 2017 a record high number of IoT issues, more than 100 of them. That was the year of the Mirai botnet.
https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/
There are many things to learn from construction of the Mirai malware and its leverage of various IoT embedded devices. Let’s talk about the timeline of the destruction it has already accomplished.
This began in September 2016, when the website for journalist Brian Krebs was attacked. Eventually, this became one of the largest attacks that had been attempted, when about half of the total Internet’s capacity was focused on his website. A month later the source code for this attack was published and then other sites were targeted.
What is being communicated and when?
Does the cloud make the IoT device more of an asset or a threat?
Do you need a different enterprise firewall or a different operating procedure?
All are names of IoTMalware attacks that have happened over the past several years.
This is just one website, called Shodan, that makes finding particular devices very easy. Think of it as a search engine for looking for potential IoT targets.
Bluetooth headsets can also be vulnerable and can be a security sinkhole
IoT threats are pervasive and widespread, witness the growth of various botnets based on them such as Mirai and WannaCry in the past year
Insecure IoT devices can be found across a wide collection of industries, computing operating systems, networks, and situations
IoT is a growing category for many companies that are implementing embedded sensors, applications, and automated systems
Gartner, Inc. has estimated that 6.4 billion connected things are in use worldwide in 2016, and predicts that this will reach 20.8 billion by 2020