IoT devices are embedded systems, essentially "[a] computer small enough to fit in a pocket". One wouldn’t put a computer on the Internet without at least considering securing it, yet security for IoT devices is quite often an afterthought.
There's no S(ecurity) in IoT: This is why we can't sleep
1. There’s no S(ecurity) in IoT
There’s No S(ecurity) in IoT: This is why we can’t sleep
Jimmy Shah
2. Disclaimers
● The views, opinions, and positions expressed in this presentation are solely those of the author
● They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement or recommendation from my employer
3. IoT Devices are embedded systems
● “A computer small enough to fit in a pocket”
● One wouldn’t put a computer on the Internet without at least considering securing it
4. A story about a friend
● Embedded QA engineer
● Over a decade of experience
● Knows bugs can kill
5. A story about a friend, cont.
● 6-month contract
● Project was a Sensor/Meter for an oil pipeline
● Possible red flags
  ○ Older developer set in his ways
  ○ Didn’t believe in source control
    ▪ Monolithic application, recompiled daily after bug fixes
6. A story about a friend, cont.
● Fired a couple of months before contract end
  ○ You can be too good at your job
● Replaced by another worker w/ no QA exp.
  ○ Rubber stamped everything
● Must ship!
7. Case study: CloudPets DB Ransom
● CloudPets
● MongoDB instance compromised
● Must ship?
[1] https://www.theregister.co.uk/2017/02/28/cloudpets_database_leak/
8. Case study: Vizio TV monitoring
● VIZIO TVs were spying on users
● Must Sell Users/Buyers?
[1] https://www.consumer.ftc.gov/blog/vizio-settlement-smart-tvs-should-not-track-your-shows-without-your-ok
[2] Photo by Flickr user kennejima https://www.flickr.com/photos/kennejima/
9. Tips
● Research is your friend
  ○ OSINT
    ▪ Search engines
    ▪ Periodical Databases
    ▪ Libraries
● Don’t be afraid to ask