This presentation covers the basics of IoT, its applications, security challenges, hacks, and solutions to those security challenges.

Published in: Technology


  1. IoT Security And Advancement
     By Shreya Pohekar
  2. ABOUT ME
     • A coding and cyber security enthusiast
     • A singer
     • An artist
  3. OVERVIEW
     • Why internet of things?
     • Internet of things
     • Applications
     • All is not well
     • Hacks on IoT
     • Mirai botnet
     • Steps to security
  4. WHY WE NEED IOT?
     • Comfortable life
     • Connected world
     • Computers can't be installed everywhere, least of all for narrow, specific tasks
     • Better data, automation, increased efficiency
     • IoT devices are much cheaper
     • They require less computational power
     • They are less complex
  5. INTERNET OF THINGS (IOT)
     • The internet of things is a system of interrelated computing devices, mechanical and digital machines, and objects that are provided with unique identifiers (IP addresses) and have the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
  6. Formal definition by the International Telecommunication Union
     A dynamic global network infrastructure with self-configuring capabilities based on standard and interoperable communication protocols, where physical and virtual things:
     • Have identifiers, physical attributes and virtual personalities
     • Use intelligent interfaces
     • Are seamlessly integrated into information
  7. As of 2017, 15.4 billion IoT devices were connected to the internet, and the number is forecast to reach 20.8 billion by 2020.
  8. CATEGORIES OF IOT
     • First class of IoT (public sensors and actuators)
     • Second class of IoT
  9. PROTOCOLS ON WHICH IOT WORKS
     • Infrastructure (ex: 6LoWPAN, IPv4/IPv6, RPL)
     • Identification (ex: EPC, uCode, IPv6, URIs)
     • Comms / Transport (ex: Wi-Fi, Bluetooth, LPWAN)
     • Discovery (ex: Physical Web, mDNS, DNS-SD)
     • Data Protocols (ex: MQTT, CoAP, AMQP, WebSocket, Node)
     • Device Management (ex: TR-069, OMA-DM)
     • Semantic (ex: JSON-LD, Web Thing Model)
     • Multi-layer Frameworks (ex: AllJoyn, IoTivity, Weave, HomeKit)
  10. APPLICATIONS
      • Transport systems
      • Agriculture
      • Environmental monitoring
      • Medical and healthcare systems
      • Energy management
      • Industrial applications
      • Building and home automation
      • Large scale deployments
  11. BUT… ALL IS NOT WELL
  12. THE SECURITY CHALLENGES
      • 70% of the total IoT devices being used today are vulnerable to cyber attacks
      • Low level of encryption
      • Work on different ports
      • No firewalls or antivirus
      • Firmware is outdated most of the time; the update file is not encrypted and the update is not verified before upload
      • Lack of role based access control
      • Lack of 2 factor authentication
      • Insecure password recovery
      • Poorly implemented SSL/TLS
      • Account enumeration
      • Poor physical security
  13. USUAL ATTACKS ON IOT DEVICES
      • DDoS attacks
      • Privilege escalation
      • Buffer overflow
      • Brute force attacks
      • Open ports via UPnP (Universal Plug and Play)
      * UPnP: a set of networking protocols that permits networked devices, such as personal computers, printers, internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other's presence on the network and establish functional network services for data sharing.
  14. LACK OF SECURITY CONFIGURABILITY
      • Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls.
      • It is apparent when the web interface of the device has no option for creating granular user permissions or, for example, forcing the use of strong passwords.
      LACK OF TRANSPORT ENCRYPTION
      • Lack of transport encryption allows data to be viewed as it travels over local networks or the internet.
      • It is prevalent on local networks because it is easy to assume that local network traffic will not be widely visible; however, on a local wireless network, misconfiguration of that network can make traffic visible to anyone within range of it.
  15. KINESIS is an example of a sensor network system designed to make it possible for sensors to automatically take response actions in the event of data transmission disruptions.
  16. IS MY CLOUD INTERFACE SECURE?
      Checking for an insecure cloud interface includes:
      • Determining if the default username and password can be changed during initial product setup.
      • Determining if a specific user account is locked out after 3-5 failed login attempts.
      • Determining if valid accounts can be identified using password recovery mechanisms or new user pages.
      • Reviewing the interface for issues such as cross-site scripting, cross-site request forgery and SQL injection.
      • Reviewing all cloud interfaces for vulnerabilities (API interfaces and cloud-based web interfaces).
  17. MIRAI BOTNET
      • Botnets can harness the terrifying power of billions of IoT devices to orchestrate Distributed Denial-of-Service (DDoS) attacks. These attacks use large numbers of IoT devices to direct traffic to a website or server, overwhelming it and rendering it inaccessible to real users.
      • Botnets are traditionally made up of infected computers, but the widespread use of vulnerable IoT devices provides a far more enticing target for cyber criminals. A lack of investment in security and the abundance of IoT devices, a result of cheap and quick manufacturing, means these botnets are potentially far more dangerous than infected PCs.
      • This lack of security investment was revealed in 2016 when criminals launched the largest DDoS attack in history. The botnet malware behind the attack, Mirai, infected 100,000s of IoT devices that then pummeled DNS provider Dyn with a 1.2 Tbps DDoS attack.
      • The Mirai botnet knocked PayPal, Spotify, Netflix and Twitter offline, causing never-before-seen levels of disruption to some of the largest websites in the world. One month later, businesses were unprepared when the Mirai botnet struck again. This time the attack affected 100,000s of Deutsche Telekom customers.
      • The Mirai botnet source code is now available online, so it is likely to continue plaguing poorly secured IoT devices. In February 2017, researchers identified a new variant of the Mirai botnet capable of targeting Windows systems, allowing the malware to spread to even more devices.
      • Mirai is just the tip of the iceberg, and other powerful botnets continue to damage businesses globally. It is not just businesses that should worry: one attack against a UK bank in 2016 resulted in £2.5 million stolen directly from customer accounts.
  18. Security should be in place from the moment power is supplied
  19. ENCRYPTION
      • The best option: lightweight encryption tools
      • The RSA algorithm (concept of factoring)
      • Block ciphers, like PRESENT and CLEFIA (lightweight versions of the Advanced Encryption Standard)
      • There are also hardware-oriented stream ciphers, like Enocoro, that focus on chip size and energy consumption; hash functions, such as PHOTON, which concentrate on data integrity; and message authentication codes for validating and authenticating communications between devices
      • Elliptic curve based encryption
  20. RSA ALGORITHM
      • The Rivest-Shamir-Adleman (RSA) algorithm is one of the most popular and secure public-key encryption methods. The algorithm capitalizes on the fact that there is no efficient way to factor very large (100-200 digit) numbers. Using an encryption key (e, n), the algorithm is as follows:
      • Represent the message as an integer between 0 and (n-1). Large messages can be broken up into a number of blocks. Each block would then be represented by an integer in the same range.
      • Encrypt the message by raising it to the e-th power modulo n. The result is a cipher text message C.
      • To decrypt cipher text message C, raise it to another power d modulo n.
      • The encryption key (e, n) is made public. The decryption key (d, n) is kept private by the user.
  21. IOT TOO REQUIRES A FIREWALL
      • The embedded firewall provides a basic but critical level of security by controlling what packets or messages are processed.
      • The firewall enforces its policies by filtering packets as they are received, comparing each packet to the policies for that device, and blocking all packets that don't match the communication policy criteria.
      • Rules-based filtering: each packet is compared to a set of static rules determining whether the packet is blocked or allowed. All decisions are made based on the information in the packet. Rules-based filtering enforces policies by blocking unused protocols, closing unused ports, and enforcing IP address whitelists and blacklists.
  22. SOFTWARE MUST BE SECURED
      • Many IoT devices are based on processors such as the ARM processor, whose instruction sets differ from those of other conventionally used processors.
      • Such diversity has implications, for example, for the techniques that protect software from attacks such as return-oriented programming attacks, which must be tailored to the specific instruction set of the platform of interest.
      • One way to provide better security is to isolate sensors and other permissive devices on a separate virtual LAN. This setup prevents a hacker from observing the totality of network traffic if one sensor is compromised, or from using it to launch attacks across the entire enterprise.
      • Create bug bounty programs and vulnerability reporting systems.
  23. GOOD CITIZEN RULES
      • Don't connect your devices unless you need to
      • Don't use default passwords
      • Keep firmware up to date
      • Turn off Universal Plug and Play (UPnP)
      • Do not trust a network just because it was introduced by a trusted entity
      • Not all access points are trustworthy
  24. OPEN SOURCE WOULD HAVE AN IMPACT
      • To support and connect billions of sensors, routers, gateways and data servers
      • Promotes velocity of innovation
      • Easy exploration and experimentation
      • Enables permissionless innovation
  25. REFERENCES
      • Data security and privacy in IoT, by Elisa Bertino
      • OWASP IoT security
  26. QUESTIONS
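Two of the slide 16 checks, account lockout and account enumeration, seen from the server side. This is an added example, not code from the presentation; `LoginService`, the 15-minute lock and the in-memory stores are assumptions made for illustration.

```python
# Added example for slide 16: lockout after repeated failures, and one
# response for every failure so valid account names cannot be told apart.
import hashlib
import hmac
import os

MAX_FAILURES = 5        # slide 16 suggests locking after 3-5 failed attempts
LOCK_SECONDS = 900      # assumption: 15-minute lock
GENERIC = "invalid username or password"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self):
        self.users = {}                    # name -> (salt, password hash)
        self.failures = {}                 # name -> (count, locked_until)
        self._dummy_salt = os.urandom(16)  # used for names that do not exist

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt))

    def login(self, name, password, now):
        """Return (success, message); `now` is a timestamp in seconds."""
        count, locked_until = self.failures.get(name, (0, 0.0))
        if now < locked_until:
            return False, GENERIC          # locked: same answer as any failure
        # Unknown names are hashed too, so timing does not reveal them.
        salt, stored = self.users.get(name, (self._dummy_salt, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures.pop(name, None)
            return True, "ok"
        count += 1
        until = now + LOCK_SECONDS if count >= MAX_FAILURES else 0.0
        # Failures are tracked for unknown names as well; a real service
        # would bound this table to avoid unbounded growth.
        self.failures[name] = (count, until)
        return False, GENERIC

if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("alice", "correct horse")     # constructed account
    for t in range(5):
        print(svc.login("alice", "guess", now=float(t)))
    print(svc.login("alice", "correct horse", now=10.0))   # still locked
```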
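The steps on slide 20 carried through in code: block splitting, encryption with (e, n) and decryption with (d, n). This is an added example, not part of the presentation; the primes are toy values and there is no padding, so equal plaintext blocks produce equal ciphertext blocks, which is why deployed RSA uses a padding scheme such as OAEP.

```python
# Added example: textbook RSA following slide 20. Toy primes and no padding,
# so this illustrates the arithmetic only and must not protect real data.
from math import gcd

def make_keys(p, q, e):
    """Return the public key (e, n) and the private key (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    return (e, n), (pow(e, -1, phi), n)    # d is the inverse of e mod phi

def block_len(n):
    """Largest byte count k for which every k-byte integer is below n."""
    k = (n.bit_length() - 1) // 8
    if k < 1:
        raise ValueError("modulus too small to hold one byte")
    return k

def encrypt(message, pub):
    """Split the message into blocks and raise each to the e-th power mod n."""
    e, n = pub
    k = block_len(n)
    blocks = [message[i:i + k] for i in range(0, len(message), k)]
    return [pow(int.from_bytes(b, "big"), e, n) for b in blocks]

def decrypt(cipher, priv, length):
    """Raise each block to the d-th power mod n; length is the plaintext size."""
    d, n = priv
    k = block_len(n)
    out = b""
    for i, c in enumerate(cipher):
        size = min(k, length - i * k)      # the last block may be shorter
        out += pow(c, d, n).to_bytes(size, "big")
    return out

if __name__ == "__main__":
    # Constructed toy key: p=61, q=53, e=17 gives n=3233 and d=2753.
    pub, priv = make_keys(61, 53, 17)
    msg = b"AA"
    ct = encrypt(msg, pub)
    print(ct)                              # both blocks encrypt to the same value
    print(decrypt(ct, priv, len(msg)))
```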
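The rules-based filtering described on slide 21, written as a small default-deny policy check. This is an added example, not code from the presentation; `DevicePolicy`, `Packet`, the gateway scenario and every address and port below are constructed for illustration.

```python
# Added example: static rules-based filtering as described on slide 21.
# Decisions use only fields carried in the packet; unmatched packets are dropped.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the device

class DevicePolicy:
    def __init__(self, services, whitelist, blacklist=()):
        self.services = set(services)      # (proto, port) pairs in use
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]

    def check(self, pkt):
        """Return (verdict, reason) for one packet."""
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return "DROP", "malformed source address"
        if any(src in net for net in self.blacklist):
            return "DROP", "source is blacklisted"
        if not any(src in net for net in self.whitelist):
            return "DROP", "source not whitelisted"
        if (pkt.proto, pkt.dport) not in self.services:
            return "DROP", "unused protocol or port"
        return "ACCEPT", "matches policy"

# Constructed policy: a gateway accepting only MQTT over TLS from its sensor VLAN.
POLICY = DevicePolicy(services={("tcp", 8883)},
                      whitelist=["10.20.0.0/24"],
                      blacklist=["10.20.0.66/32"])

SAMPLE = [  # constructed packets
    Packet("10.20.0.5", "tcp", 8883),      # sensor on the VLAN
    Packet("10.20.0.5", "tcp", 23),        # Telnet: port not in use
    Packet("10.20.0.5", "udp", 1900),      # SSDP (UPnP discovery): not in use
    Packet("10.20.0.66", "tcp", 8883),     # blacklisted host inside the VLAN
    Packet("203.0.113.9", "tcp", 8883),    # outside the whitelist
    Packet("not-an-ip", "tcp", 8883),      # unparseable source
]

def verdicts(packets=SAMPLE, policy=POLICY):
    return [policy.check(p)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, *POLICY.check(p))
```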