SlideShare ist ein Scribd-Unternehmen logo

Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by Mark Stanislav and Zach Lanier

Duo Security
Duo Security

This presentation will dive into research, outcomes, and recommendations regarding information security for the "Internet of Things". Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff. Mark and Zach will also discuss the progress that their initiative, BuildItSecure.ly, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly, researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms. If you're a researcher who wants to know more about attacking this space, an IoT vendor trying to refine your security processes, or just a consumer who cares about their own safety and privacy, this talk will provide some great insights to all of those ends. MARK STANISLAV DUO SECURITY Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup and corporate environments, primarily focused on Linux architecture, information security, and web application development. He has presented at over 70 events internationally including RSA, ShmooCon, SOURCE Boston, and THOTCON. His security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Mark holds a B.S. in Networking & IT Administration and an M.S. in Information Assurance, both from Eastern Michigan University. Mark is currently writing a book titled, "Two-Factor Authentication" (published by IT Governance). ZACH LANIER DUO SECURITY Zach Lanier is a Security Researcher with Duo Security, specializing in various bits of network, mobile, and application security. Prior to joining Duo, Zach most recently served as a Senior Research Scientist with Accuvant LABS. He has spoken at a variety of security conferences, such as Black Hat, CanSecWest, INFILTRATE, ShmooCon, and SecTor, and is a co-author of the recently published "Android Hackers' Handbook."

Technologie
1 von 45
Downloaden Sie, um offline zu lesen
The Internet of Fails Where IoT Has Gone Wrong and How We're Making It Right Mark Stanislav Zach Lanier <mstanislav@duosecurity.com> <zach@duosecurity.com>
The Internet of Things
About The Internet Of Things “The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”, Gartner IT Glossary1 “Machine to machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type.”, Wikipedia2
 IoT Growth Estimates •Gartner: 26 billion units by 20203 •ABI Research: 30 billion units by 20204 4. https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne 3. http://www.gartner.com/newsroom/id/26360731. http://www.gartner.com/it-glossary/internet-of-things/ 2. http://en.wikipedia.org/wiki/Internet_of_Things
Cool! So What’s Wrong? •Pervasiveness: You won’t have one IoT device, you’ll have ten. •That’s a lot of new attack surface to your life and/or business
 •Uniqueness: IoT devices are a wild-west of mixed technologies. •How do I patch firmware on these dozen devices? •Which random vendor made the hardware inside this device?
 •Ecosystem: Your vendor may be leveraging six other vendors. •Where’s your data going once it enters that IoT device? •Who has access to your network via proxy connections?
The Internet of Things “Line of Insanity”TM Sane Reasonable InsaneQuestionable Egg TrayIP Camera Door LockDoor Bell
Cheap Hardware, Unlimited Possibilities Electric Imp ($25) Gumstix ($169) Arduino ($75) Raspberry Pi ($35)Pinoccio ($59)
Plenty Of Choices, How Do You Determine Security? Philips ($60) LimitlessLED ($23)INSTEON ($30) Vendors could each use different hardware, software, APIs, third-party service providers, and patching mechanisms
IoT Ecosystem
What’s Better Than One Vulnerable Device? Interconnected Vulnerable Devices! •If-This-Then-That (IFTTT) supports over 110 platforms, services, and devices •Allows for event-based actions across disparate technologies •If the CO2 in this room is unsafe, change my lightbulb to be red to warn me •This behavior will become a consumer expectation rather than merely a “nice to have”
The Government Is Watching — And That’s Good! January 8th, 2014 FTC Commissioner Maureen Ohlhausen sits on panel at CES about IoT3 November 21st, 2013 Internet of Things - Privacy and Security in a Connected World Workshop2 February 7th, 2014 FTC approves final order settling charges against TRENDnet, Inc.4 June 3rd, 2013 Software & Information Industry Association asks FTC to be careful with IoT1 1. https://www.siia.net/blog/index.php/2013/06/siia-to-ftc-internet-of-things-requires-technology-neutral-policies-and-flexible-privacy-framework/ 3. http://www.adweek.com/news/technology/will-washington-move-quickly-regulate-internet-things-154863 2. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world 4. http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc February 18th, 2014 US CERT works with IOActive to resolve Belkin WeMo vulnerabilities5 5. http://www.kb.cert.org/vuls/id/656302
Challenges Faced
Hardware Security •Many devices use generic SoCs/boards •Quick development, few security features (“HW hacking made easy”) •Prevalence of same components, firmware, etc. means one bug affects many products •Little expertise required to design, build, and ship an “IoT Product” + =+ Least common denominator: Logic analyzer Bus Pirate UART headers Console!
Software Security •Development environments don’t necessarily make security controls/options “clear” •Selected platform may drive/ restrict language choices % grep -Er "s(mem|str)cpy(" .
 …
 ./apps/http-post-auth/http-post-auth.c: strcpy(s->message, "status=");
 ./apps/http-post-auth/http-post-auth.c: strcpy(&s->message[7], msg);
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/ping6/ping6.c: memcpy(command, (void *)"ping6", 5);
 ./apps/rest-coap/coap-common.c: memcpy(
 ./apps/rest-coap/coap-common.c: memcpy((char*)&buffer[index], option->value, option->len);
 ./apps/rest-coap/coap-common.c: memcpy(&buffer[index], packet->payload, packet->payload_len);
 ./apps/rest-coap/coap-server.c: memcpy(option->value, value, len);
 ./apps/rest-common/buffer.c: memcpy(buffer, data, len);
 ./apps/rest-common/buffer.c: strcpy(buffer, text);
 ./apps/rest-common/rest-util.c: memcpy(p + 4 - size, buf, size);
 ./apps/rest-common/rest-util.c: memcpy(buf, ((char*)(&data)) + 4 - size, size);
 ./apps/rest-common/rest.c: memcpy(temp_etag, etag, size);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, value);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, buffer);
 ./apps/rest-http/http-server.c: memcpy(buffer + index, response->payload, response->payload_len); •“Me write Python/Ruby/ Node/… pretty one day” (or worse, C) •History repeating…? Quick grep for potentially dangerous behavior in someone’s Contiki project
Challenges: Software Security (Cont’d…) •Selected platform often locks dev/ vendor into given OS choice •Proprietary OSes (such as ElectricImp) - don’t peek inside the black box! •Linux, Contiki, QNX, et. al (all with their own issues) •Little consideration given to least- priv, mitigations, hardening, etc. •Third-party dependencies •Inherited bugs/attack surface •Also applies to mobile Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Bro, do you even randomize?
Comms/Network Security •WiFi goofiness (“device as AP”, no WPA, exploitable behavior, etc.) •Plaintext protocols or poor crypto at transport layer •…or lack of cert pinning where SSL/TLS actually used •Unprotected FW updates/downloads •Otherwise seemingly unnecessary services listening •Telnet, SSH, FTP, you name it… •Shared accounts/auth material for “support” or updates •Use of technologies such as ZigBee and cellular introduce additional security considerations "Cellular made easy"
Platform* Security •Everything that uses an HTTP GET/POST has become an “API” to the average developer •Authentication? Signed requests? Unlikely. •Input manipulation is a less obvious concern when developers do mobile and embedded •Yup… OWASP {Mobile,Web} Top 10 •Leveraging third-party service providers introduce exponential complexities and further increases potential attack surface •Quick & Dirty cloud infrastructure yields poor accessibility and potentially confidentiality * for our purposes “Platform” also includes supporting infrastructure, services, frameworks,
User Awareness & Behavior •Users may not know (let alone care) how to update device firmware or apps •Disparity in management: web console v. mobile app v. physical “update” button •Also they just want to use the !@# $ thing now! •Lack of feedback or notification for updates or errors •How does a user know their IoT device was updated or, worse, compromised?
[Failures]
Oh, You Wanted Authentication on Your Camera? •Issue: Some TRENDnet IP camera models didn’t authenticate users connecting to http://camera-ip/anony/mjpg.cgi which exposed actual video feeds of people’s cameras. •Hypothetical Exploit: •Google for “inurl:/anony/mjpg.cgi” •Be a big creep that nobody likes •Fix: Always verify all expected “private” URLs actually require authentication. This is easily accomplished with a curl script or Selenium. http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html
You Get Keys, and You Get Keys… EVERYBODY GETS KEYS! •Issue: IOActive determined that Belkin’s WeMo devices were including their GPG signing key and password inside of the firmware its self. •Hypothetical Exploit: •Retrieve firmware signing key + password •MITM firmware feed announcing updates •Own WeMo devices •Flip lights and stuff •Fix: Don’t try to “hide” secret data in firmware, a lot of people are looking there. Signing firmware is great… just don’t let attackers sign it, too :)http://www.ioactive.com/news-events/
LIFX •Issue: Context found that LIFX utilized a hardcoded symmetric key for encrypting data across 6LoWPAN, including WiFi credentials •Hypothetical Exploit: •Give a LIFX user a new bulb as a “gift” •Get creepily close to their house •Wait for them to add the new bulb, sniff traffic •Decrypt packet capture with symmetric key •Jump on their WiFi network and do bad things •Fix: No, seriously, for the last time, don’t hardcode passwords/keys/etc. in your firmware. http://contextis.co.uk/blog/hacking-internet-connected-light-bulbs/
“Home Automation Gateway” Magical cloud service/site M ZigBee ZigBee ZigBee HTTPS HTTPS HTTPS Mobile app Web browser "Gateway" Lights Pool pump Automated cat entertainment toyXSS, CSRF, auth bugs, etc. Key extraction, replay, injection, etc. Unfettered console access, no priv sep for services, same "support" creds on multiple devices Linux-based gateway talks RESTful HTTP to “cloud”-based service, receives commands (schedules, metering data, etc.), relays commands to smart plugs/meters via ZigBee
IZON IP Camera
Telnet And A Hardcoded Root Password? Let’s Do This! •Issue: The camera’s mobile app contained hardcoded root credentials so that it could initiate firmware upgrades by connecting over Telnet and echoing out a shell script to start the process. •Hypothetical Exploit: •Run strings on the decrypted mobile application •Connect to any camera you can reach via Telnet as root •View the admin password for the camera’s web interface and login •Fix: Don’t use Telnet for anything… ever. Don’t hardcode 

If You Want To Protect Data… Protect It. •Issue: Unencrypted camera “alert” video clips were uploaded to Amazon S3 into one bucket and protected only by an MD5-string filename. Oh, and no SSL. •Hypothetical Exploit: •Generate MD5 strings with the filename format •Be really, really, really patient •View random videos of cats knocking stuff over •Fix: Leverage the AWS Identity and Access Management (IAM) functionality to provide
API = Always Poorly Implemented •Issue: API calls for third-party services were done without SSL and used an MD5-sum of the user’s password as a secret. •Hypothetical Exploit: •Go to Starbucks and hopefully get a PSL •MITM network traffic •Wait for someone to check their video camera •Retrieve their MD5’ed password, crack, repeat •Fix: If you setup third-party credentials for your customers, do NOT transmit their real account password. Also, make sure your vendors understand the basics of API security.
The Bigger Picture of This Research, FWIW…
[Redacted]* *The issues presented shown are real but the context has been changed
 
 Coordinated disclosure is rarely perfect :)
Session Handling: Time is Not On Your Side •Issue: Session IDs are “generated” by using only the exact UNIX epoch timestamp of when you logged into the service for this IoT device. •Hypothetical Exploit: •Enumerate 172,800 recent epoch timestamps •Set your session ID to each timestamp •Send a GET request to determine validity •“Become” a user with a browser header •Fix: Use your web framework’s default session handler that hopefully isn’t non-random.
Don’t Trust What You Haven’t Verified •Issue: Purchasing in-app credits for use with the device via the app store lets the mobile application dictate that a purchase occurred. •Hypothetical Exploit: •Pick a number… any number •Make an API call with that number •Gain that many “things” for your account •Fix: Don’t let a mobile app be the authority on any account balances. Always use a transaction log on the backend to reconcile what purchases have occurred and what balances should be.
Hiding in Plain(text) Sight •Issue: A chicken-and-egg problem existed where sensitive details about a user were provided prior to authorization from said user. •Hypothetical Exploit: •Ask a user to be your friend •Data is transmitted over the wire about that user •User gets to decide if they want to share data •…wait a second… •Fix: Don’t transmit data ahead of authorization, even if the user interface won’t expose it. If it
Heart Bleed And The Internet Of Things •PKI is (sadly?) a critical component of IoT security •Mobile apps speaking to embedded devices •Embedded devices speaking to services •Services speaking to other services •Developers leveraging service APIs •How many IoT vendors are concerning themselves over Heart Bleed implications? •Do you think most random Chinese ODMs are going to rush to get your devices patched and re-keyed? Or even release a notice?
Vendors You’ve Never Heard Of
There’s A Shift Underway You Should Know About •The IoT growth that we’re all expecting won’t just be from large vendors like Belkin, TRENDnet, Cisco, and Ericsson •Postscapes1 and Wolfram Alpha2 list a few hundred IoT-related companies, most of which you’ve likely never heard of •Crowd-funding web sites are going to produce many of the newest IoT devices we all want to use •Entrepreneurs likely have no experience with information security, nor the budget to afford help •They also won’t know what a “security 1. http://postscapes.com/companies/ 2. http://devices.wolfram.com
CrowdFunding & IoT Pinoccio Wunderbar KoolThings Twine Knut Tessel Canary Piper
Vulnerability Handling & Disclosure Awareness •Small vendors (and some big ones) fail to get it, or just simply don’t know •“But, why would anyone want to hack this device? And why would they want to tell us or talk about it publicly?” •Few-to-no resources for small vendors to handle this •Nascency of “IoT” means some researchers may not know either •And we’d like for them to stay out of jail
A New Initiative
A New Initiative — BuildItSecure.ly
Our Current Partners, Vendors, and Researchers!
Our Timeline February, 2014: 
 + Initial announcement of this initiative at BSides San Francisco
 
 March - April, 2014:
 + Established relationships with an initial set of partners/researchers
 + Link curation for presentations, papers, standards related to IoT security
 
 April, 2014:
 + Provide an update on progress and initial partners at SOURCE Boston
 
 June, 2014:
 + Spun-up Bugcrowd for our launch vendors to leverage for bug triage July, 2014:
 + Added additional IoT vendors to provide a better research pipeline
 + Pinoccio ships researchers their first hardware for testing!
What’s Next? •Complete our first round of vendor hardware testing •Pinoccio has provided hardware for two researchers to test •Bugcrowd has been setup for our vendors + researchers to utilize •We need to figure out testing/reporting/triage/fix timelines still •Get some bugs reported, get them fixed, reward researchers(?) •Figure out what works, what doesn’t — and then expand! •We want to better understand our processes before growing •As we add vendors to test for, we’ll add more researchers •We’re a big fan of results and not just pretending help people ;) •We’re growing slowly, on purpose, and happy about it
Conclusion
Lessons Learned •People are way less cynical in information security than you may think — don’t be afraid to ask people for their input and help. ! •Take your timeline and double it. The same people who are going to provide the best help/effort are already pretty damn busy. ! •Focus on quality, not quantity when it comes to people/ partners.
Conclusion •IoT is still malleable enough to help make a positive impact •BuildItSecure.ly could help consumers make better decisions •Plenty of vendors — let’s find a few that care about security •Worst case? We do some research and help a few companies!
Thanks! Questions? Mark Stanislav mstanislav@duosecurity.com
 @markstanislav
 Zach Lanier zach@duosecurity.com
 @quine http://BuildItSecure.ly/
 builditsecurely@duosecurity.com
 @BuildItSecurely

Empfohlen

Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan NovikovOWASP Russia
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015Daniel Miessler
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 

Empfohlen

Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan NovikovOWASP Russia
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015Daniel Miessler
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreveerababu penugonda(Mr-IoT)
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Luca Bongiorni
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
Pwn phone2014 jrs
Pwn phone2014 jrsPwn phone2014 jrs
Pwn phone2014 jrsSecurity Weekly
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentestingYunfei Yang
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10 veerababu penugonda(Mr-IoT)
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Sessionveerababu penugonda(Mr-IoT)
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
Protecting your home and office in the era of IoT
Protecting your home and office in the era of IoTProtecting your home and office in the era of IoT
Protecting your home and office in the era of IoTMarian Marinov
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionveerababu penugonda(Mr-IoT)
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101veerababu penugonda(Mr-IoT)
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsPaul Fremantle
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxmariuse18nolet
 

Weitere ähnliche Inhalte

Was ist angesagt?

The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Luca Bongiorni
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentestingYunfei Yang
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Sessionveerababu penugonda(Mr-IoT)
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
Protecting your home and office in the era of IoT
Protecting your home and office in the era of IoTProtecting your home and office in the era of IoT
Protecting your home and office in the era of IoTMarian Marinov
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionveerababu penugonda(Mr-IoT)
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsPaul Fremantle
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 

Was ist angesagt? (20)

The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made Easy
 
Pwn phone2014 jrs
Pwn phone2014 jrsPwn phone2014 jrs
Pwn phone2014 jrs
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentesting
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Protecting your home and office in the era of IoT
Protecting your home and office in the era of IoTProtecting your home and office in the era of IoT
Protecting your home and office in the era of IoT
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of Things
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 

Ähnlich wie Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by Mark Stanislav and Zach Lanier

The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxmariuse18nolet
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsSymantec
 
Security challenges for internet of things
Security challenges for internet of thingsSecurity challenges for internet of things
Security challenges for internet of thingsMonika Keerthi
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...IJCSIS Research Publications
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsJay Nagar
 
Final Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxFinal Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxvoversbyobersby
 
This Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is DifferentThis Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is DifferentJustin Grammens
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxvrickens
 
Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Somasundaram Jambunathan
 
IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and ChallengesOWASP Delhi
 
All The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected DevicesAll The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected DevicesJohn D. Johnson
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...ClicTest
 
Personal data breaches and securing IoT devices· By Damon Culber.docx
Personal data breaches and securing IoT devices· By Damon Culber.docxPersonal data breaches and securing IoT devices· By Damon Culber.docx
Personal data breaches and securing IoT devices· By Damon Culber.docxherbertwilson5999
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?T.Rob Wyatt
 
SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)sandhibhide
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 

Ähnlich wie Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by Mark Stanislav and Zach Lanier (20)

The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
 
pptt.pptx
pptt.pptxpptt.pptx
pptt.pptx
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of Things
 
Security challenges for internet of things
Security challenges for internet of thingsSecurity challenges for internet of things
Security challenges for internet of things
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security Controls
 
Final Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxFinal Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docx
 
This Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is DifferentThis Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is Different
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
 
Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4
 
IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and Challenges
 
All The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected DevicesAll The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected Devices
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
 
Personal data breaches and securing IoT devices· By Damon Culber.docx
Personal data breaches and securing IoT devices· By Damon Culber.docxPersonal data breaches and securing IoT devices· By Damon Culber.docx
Personal data breaches and securing IoT devices· By Damon Culber.docx
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?
 
SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of Things
 

Mehr von Duo Security

Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesDuo Security
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerSecuring Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerDuo Security
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...Duo Security
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongDuo Security
 
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloA Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloDuo Security
 
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Duo Security
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
Probing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin MullinerProbing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin MullinerDuo Security
 
The Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third PartyThe Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third PartyDuo Security
 
No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10Duo Security
 

Mehr von Duo Security (10)

Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the Headlines
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerSecuring Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
 
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloA Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
 
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
Probing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin MullinerProbing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin Mulliner
 
The Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third PartyThe Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third Party
 
No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10
 

Kürzlich hochgeladen

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Kürzlich hochgeladen (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by Mark Stanislav and Zach Lanier

  • 1. The Internet of Fails Where IoT Has Gone Wrong and How We're Making It Right Mark Stanislav Zach Lanier <mstanislav@duosecurity.com> <zach@duosecurity.com>
  • 3. About The Internet Of Things “The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”, Gartner IT Glossary1 “Machine to machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type.”, Wikipedia2
 IoT Growth Estimates •Gartner: 26 billion units by 20203 •ABI Research: 30 billion units by 20204 4. https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne 3. http://www.gartner.com/newsroom/id/26360731. http://www.gartner.com/it-glossary/internet-of-things/ 2. http://en.wikipedia.org/wiki/Internet_of_Things
  • 4. Cool! So What’s Wrong? •Pervasiveness: You won’t have one IoT device, you’ll have ten. •That’s a lot of new attack surface to your life and/or business
 •Uniqueness: IoT devices are a wild-west of mixed technologies. •How do I patch firmware on these dozen devices? •Which random vendor made the hardware inside this device?
 •Ecosystem: Your vendor may be leveraging six other vendors. •Where’s your data going once it enters that IoT device? •Who has access to your network via proxy connections?
  • 5. The Internet of Things “Line of Insanity”TM Sane Reasonable InsaneQuestionable Egg TrayIP Camera Door LockDoor Bell
  • 6. Cheap Hardware, Unlimited Possibilities Electric Imp ($25) Gumstix ($169) Arduino ($75) Raspberry Pi ($35)Pinoccio ($59)
  • 7. Plenty Of Choices, How Do You Determine Security? Philips ($60) LimitlessLED ($23)INSTEON ($30) Vendors could each use different hardware, software, APIs, third-party service providers, and patching mechanisms
  • 9. What’s Better Than One Vulnerable Device? Interconnected Vulnerable Devices! •If-This-Then-That (IFTTT) supports over 110 platforms, services, and devices •Allows for event-based actions across disparate technologies •If the CO2 in this room is unsafe, change my lightbulb to be red to warn me •This behavior will become a consumer expectation rather than merely a “nice to have”
  • 10. The Government Is Watching — And That’s Good! January 8th, 2014 FTC Commissioner Maureen Ohlhausen sits on panel at CES about IoT3 November 21st, 2013 Internet of Things - Privacy and Security in a Connected World Workshop2 February 7th, 2014 FTC approves final order settling charges against TRENDnet, Inc.4 June 3rd, 2013 Software & Information Industry Association asks FTC to be careful with IoT1 1. https://www.siia.net/blog/index.php/2013/06/siia-to-ftc-internet-of-things-requires-technology-neutral-policies-and-flexible-privacy-framework/ 3. http://www.adweek.com/news/technology/will-washington-move-quickly-regulate-internet-things-154863 2. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world 4. http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc February 18th, 2014 US CERT works with IOActive to resolve Belkin WeMo vulnerabilities5 5. http://www.kb.cert.org/vuls/id/656302
  • 12. Hardware Security •Many devices use generic SoCs/boards •Quick development, few security features (“HW hacking made easy”) •Prevalence of same components, firmware, etc. means one bug affects many products •Little expertise required to design, build, and ship an “IoT Product” + =+ Least common denominator: Logic analyzer Bus Pirate UART headers Console!
  • 13. Software Security •Development environments don’t necessarily make security controls/options “clear” •Selected platform may drive/ restrict language choices % grep -Er "s(mem|str)cpy(" .
 …
 ./apps/http-post-auth/http-post-auth.c: strcpy(s->message, "status=");
 ./apps/http-post-auth/http-post-auth.c: strcpy(&s->message[7], msg);
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/ping6/ping6.c: memcpy(command, (void *)"ping6", 5);
 ./apps/rest-coap/coap-common.c: memcpy(
 ./apps/rest-coap/coap-common.c: memcpy((char*)&buffer[index], option->value, option->len);
 ./apps/rest-coap/coap-common.c: memcpy(&buffer[index], packet->payload, packet->payload_len);
 ./apps/rest-coap/coap-server.c: memcpy(option->value, value, len);
 ./apps/rest-common/buffer.c: memcpy(buffer, data, len);
 ./apps/rest-common/buffer.c: strcpy(buffer, text);
 ./apps/rest-common/rest-util.c: memcpy(p + 4 - size, buf, size);
 ./apps/rest-common/rest-util.c: memcpy(buf, ((char*)(&data)) + 4 - size, size);
 ./apps/rest-common/rest.c: memcpy(temp_etag, etag, size);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, value);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, buffer);
 ./apps/rest-http/http-server.c: memcpy(buffer + index, response->payload, response->payload_len); •“Me write Python/Ruby/ Node/… pretty one day” (or worse, C) •History repeating…? Quick grep for potentially dangerous behavior in someone’s Contiki project
  • 14. Challenges: Software Security (Cont’d…) •Selected platform often locks dev/ vendor into given OS choice •Proprietary OSes (such as ElectricImp) - don’t peek inside the black box! •Linux, Contiki, QNX, et. al (all with their own issues) •Little consideration given to least- priv, mitigations, hardening, etc. •Third-party dependencies •Inherited bugs/attack surface •Also applies to mobile Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Bro, do you even randomize?
  • 15. Comms/Network Security •WiFi goofiness (“device as AP”, no WPA, exploitable behavior, etc.) •Plaintext protocols or poor crypto at transport layer •…or lack of cert pinning where SSL/TLS actually used •Unprotected FW updates/downloads •Otherwise seemingly unnecessary services listening •Telnet, SSH, FTP, you name it… •Shared accounts/auth material for “support” or updates •Use of technologies such as ZigBee and cellular introduce additional security considerations "Cellular made easy"
  • 16. Platform* Security •Everything that uses an HTTP GET/POST has become an “API” to the average developer •Authentication? Signed requests? Unlikely. •Input manipulation is a less obvious concern when developers do mobile and embedded •Yup… OWASP {Mobile,Web} Top 10 •Leveraging third-party service providers introduce exponential complexities and further increases potential attack surface •Quick & Dirty cloud infrastructure yields poor accessibility and potentially confidentiality * for our purposes “Platform” also includes supporting infrastructure, services, frameworks,
  • 17. User Awareness & Behavior •Users may not know (let alone care) how to update device firmware or apps •Disparity in management: web console v. mobile app v. physical “update” button •Also they just want to use the !@# $ thing now! •Lack of feedback or notification for updates or errors •How does a user know their IoT device was updated or, worse, compromised?
  • 19. Oh, You Wanted Authentication on Your Camera? •Issue: Some TRENDnet IP camera models didn’t authenticate users connecting to http://camera-ip/anony/mjpg.cgi which exposed actual video feeds of people’s cameras. •Hypothetical Exploit: •Google for “inurl:/anony/mjpg.cgi” •Be a big creep that nobody likes •Fix: Always verify all expected “private” URLs actually require authentication. This is easily accomplished with a curl script or Selenium. http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html
  • 20. You Get Keys, and You Get Keys… EVERYBODY GETS KEYS! •Issue: IOActive determined that Belkin’s WeMo devices were including their GPG signing key and password inside of the firmware its self. •Hypothetical Exploit: •Retrieve firmware signing key + password •MITM firmware feed announcing updates •Own WeMo devices •Flip lights and stuff •Fix: Don’t try to “hide” secret data in firmware, a lot of people are looking there. Signing firmware is great… just don’t let attackers sign it, too :)http://www.ioactive.com/news-events/
  • 21. LIFX •Issue: Context found that LIFX utilized a hardcoded symmetric key for encrypting data across 6LoWPAN, including WiFi credentials •Hypothetical Exploit: •Give a LIFX user a new bulb as a “gift” •Get creepily close to their house •Wait for them to add the new bulb, sniff traffic •Decrypt packet capture with symmetric key •Jump on their WiFi network and do bad things •Fix: No, seriously, for the last time, don’t hardcode passwords/keys/etc. in your firmware. http://contextis.co.uk/blog/hacking-internet-connected-light-bulbs/
  • 22. “Home Automation Gateway” Magical cloud service/site M ZigBee ZigBee ZigBee HTTPS HTTPS HTTPS Mobile app Web browser "Gateway" Lights Pool pump Automated cat entertainment toyXSS, CSRF, auth bugs, etc. Key extraction, replay, injection, etc. Unfettered console access, no priv sep for services, same "support" creds on multiple devices Linux-based gateway talks RESTful HTTP to “cloud”-based service, receives commands (schedules, metering data, etc.), relays commands to smart plugs/meters via ZigBee
  • 24. Telnet And A Hardcoded Root Password? Let’s Do This! •Issue: The camera’s mobile app contained hardcoded root credentials so that it could initiate firmware upgrades by connecting over Telnet and echoing out a shell script to start the process. •Hypothetical Exploit: •Run strings on the decrypted mobile application •Connect to any camera you can reach via Telnet as root •View the admin password for the camera’s web interface and login •Fix: Don’t use Telnet for anything… ever. Don’t hardcode 

  • 25. If You Want To Protect Data… Protect It. •Issue: Unencrypted camera “alert” video clips were uploaded to Amazon S3 into one bucket and protected only by an MD5-string filename. Oh, and no SSL. •Hypothetical Exploit: •Generate MD5 strings with the filename format •Be really, really, really patient •View random videos of cats knocking stuff over •Fix: Leverage the AWS Identity and Access Management (IAM) functionality to provide
  • 26. API = Always Poorly Implemented •Issue: API calls for third-party services were done without SSL and used an MD5-sum of the user’s password as a secret. •Hypothetical Exploit: •Go to Starbucks and hopefully get a PSL •MITM network traffic •Wait for someone to check their video camera •Retrieve their MD5’ed password, crack, repeat •Fix: If you setup third-party credentials for your customers, do NOT transmit their real account password. Also, make sure your vendors understand the basics of API security.
  • 27. The Bigger Picture of This Research, FWIW…
  • 28. [Redacted]* *The issues presented shown are real but the context has been changed
 
 Coordinated disclosure is rarely perfect :)
  • 29. Session Handling: Time is Not On Your Side •Issue: Session IDs are “generated” by using only the exact UNIX epoch timestamp of when you logged into the service for this IoT device. •Hypothetical Exploit: •Enumerate 172,800 recent epoch timestamps •Set your session ID to each timestamp •Send a GET request to determine validity •“Become” a user with a browser header •Fix: Use your web framework’s default session handler that hopefully isn’t non-random.
  • 30. Don’t Trust What You Haven’t Verified •Issue: Purchasing in-app credits for use with the device via the app store lets the mobile application dictate that a purchase occurred. •Hypothetical Exploit: •Pick a number… any number •Make an API call with that number •Gain that many “things” for your account •Fix: Don’t let a mobile app be the authority on any account balances. Always use a transaction log on the backend to reconcile what purchases have occurred and what balances should be.
  • 31. Hiding in Plain(text) Sight •Issue: A chicken-and-egg problem existed where sensitive details about a user were provided prior to authorization from said user. •Hypothetical Exploit: •Ask a user to be your friend •Data is transmitted over the wire about that user •User gets to decide if they want to share data •…wait a second… •Fix: Don’t transmit data ahead of authorization, even if the user interface won’t expose it. If it
  • 32. Heart Bleed And The Internet Of Things •PKI is (sadly?) a critical component of IoT security •Mobile apps speaking to embedded devices •Embedded devices speaking to services •Services speaking to other services •Developers leveraging service APIs •How many IoT vendors are concerning themselves over Heart Bleed implications? •Do you think most random Chinese ODMs are going to rush to get your devices patched and re-keyed? Or even release a notice?
  • 34. There’s A Shift Underway You Should Know About •The IoT growth that we’re all expecting won’t just be from large vendors like Belkin, TRENDnet, Cisco, and Ericsson •Postscapes1 and Wolfram Alpha2 list a few hundred IoT-related companies, most of which you’ve likely never heard of •Crowd-funding web sites are going to produce many of the newest IoT devices we all want to use •Entrepreneurs likely have no experience with information security, nor the budget to afford help •They also won’t know what a “security 1. http://postscapes.com/companies/ 2. http://devices.wolfram.com
  • 36. Vulnerability Handling & Disclosure Awareness •Small vendors (and some big ones) fail to get it, or just simply don’t know •“But, why would anyone want to hack this device? And why would they want to tell us or talk about it publicly?” •Few-to-no resources for small vendors to handle this •Nascency of “IoT” means some researchers may not know either •And we’d like for them to stay out of jail
  • 38. A New Initiative — BuildItSecure.ly
  • 39. Our Current Partners, Vendors, and Researchers!
  • 40. Our Timeline February, 2014: 
 + Initial announcement of this initiative at BSides San Francisco
 
 March - April, 2014:
 + Established relationships with an initial set of partners/researchers
 + Link curation for presentations, papers, standards related to IoT security
 
 April, 2014:
 + Provide an update on progress and initial partners at SOURCE Boston
 
 June, 2014:
 + Spun-up Bugcrowd for our launch vendors to leverage for bug triage July, 2014:
 + Added additional IoT vendors to provide a better research pipeline
 + Pinoccio ships researchers their first hardware for testing!
  • 41. What’s Next? •Complete our first round of vendor hardware testing •Pinoccio has provided hardware for two researchers to test •Bugcrowd has been setup for our vendors + researchers to utilize •We need to figure out testing/reporting/triage/fix timelines still •Get some bugs reported, get them fixed, reward researchers(?) •Figure out what works, what doesn’t — and then expand! •We want to better understand our processes before growing •As we add vendors to test for, we’ll add more researchers •We’re a big fan of results and not just pretending help people ;) •We’re growing slowly, on purpose, and happy about it
  • 43. Lessons Learned •People are way less cynical in information security than you may think — don’t be afraid to ask people for their input and help. ! •Take your timeline and double it. The same people who are going to provide the best help/effort are already pretty damn busy. ! •Focus on quality, not quantity when it comes to people/ partners.
  • 44. Conclusion •IoT is still malleable enough to help make a positive impact •BuildItSecure.ly could help consumers make better decisions •Plenty of vendors — let’s find a few that care about security •Worst case? We do some research and help a few companies!
  • 45. Thanks! Questions? Mark Stanislav mstanislav@duosecurity.com
 @markstanislav
 Zach Lanier zach@duosecurity.com
 @quine http://BuildItSecure.ly/
 builditsecurely@duosecurity.com
 @BuildItSecurely