Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IOT Security

119 views

Published on

A look at the main security risks and impact related to IOT devices as well as what are the key steps to improve IOT security.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

IOT Security

  1. 1. IOT SECURITY VERSION: 1.2a DATE: 24/10/2018 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC13-MUSCL CLASSIFICATION: Public
  2. 2. 2 • IOT definition; • IOT trends, • IOT innovation and integration; • Cyber security risks • IOT contribution to cyber security risk; • Main risk overview; • Security as an afterthought; • Embedded vulnerabilities; • Embedded backdoors; • Unsupported devices; • Unpatchable devices; • Main impacts overview; • IOT used as a bot; • IOT used to access network; • IOT used to spy/attack you; • IOT physical impact; • IOT Self destruct button; • IOT security overview; • Traffic analysis; • Code analysis; • Firmware analysis; • Online search; • Follow best practise; CONTENTS PUBLIC FUTURESECURITYIMPACTRISKCONTEXT • Future of IOT
  3. 3. IOT DEFINITION FUTURESECURITYIMPACTRISKCONTEXT 3PUBLIC THE INTERNET OF THINGS ANY PHYSICAL OBJECT THAT CAN BE CONNECTED TO THE INTERNET Icons from the Noun Project unless specified otherwise
  4. 4. IOT TRENDS FUTURESECURITYIMPACTRISKCONTEXT 4PUBLIC Source: information is beautiful
  5. 5. IOT INOVATION AND INTEGRATION FUTURESECURITYIMPACTRISKCONTEXT 5PUBLIC Idea: information is beautiful
  6. 6. CYBER SECURITY RISK FUTURESECURITYIMPACTRISKCONTEXT 6PUBLIC GLOBALIZATION & DIGITALIZATION ITSYSTEMRELIANCE ATTACK SURFACE PAST FUTURE 100% 0% TIME GROWTH MONEY & GEOPOLITICAL GAIN THREATACTORSSKILLS ATTACK VECTORS PAST FUTURE 100% 0% TIME GROWTH ATTACK SURFACE ATTACKVECTORS CYBER SECURITY RISKS PAST FUTURE 100% 0% TIME GROWTH CYBER SECURITY RISKS’ PROBABILITY AND IMPACT ARE INCREASING. THEIR ABILITY TO DISRUPT COMPANIES BUSINESS OPERATION HAVE GROWING FINANCIAL, REPUTATIONAL AND LEGAL NEGATIVE CONSEQUENCES SOURCE: ELYSIUMSECURITY LTD – Please refer to us when re-using this diagram + =
  7. 7. IOT CONTRIBUTION TO CYBER SECURITY RISK FUTURESECURITYIMPACTRISKCONTEXT 7PUBLIC GLOBALIZATION & DIGITALIZATION ITSYSTEMRELIANCE ATTACK SURFACE PAST FUTURE 100% 0% TIME GROWTH SOURCE: ELYSIUMSECURITY LTD
  8. 8. MAIN RISKS OVERVIEW FUTURESECURITYIMPACTRISKCONTEXT 8PUBLIC SECURITY IS AN AFTERTHOUGH EMBEDDED VULNERABILITIES EMBEDDED BACKDOORS UNSUPPORTED DEVICES UNPATCHABLE DEVICES
  9. 9. SECURITY IS AN AFTERTHOUGHT FUTURESECURITYIMPACTRISKCONTEXT 9PUBLIC LOW COST LOW RESOURCES 3RD PARTY RELIANCE & LOW PERFORMANCE + ADDED SECURITY = PERFORMANCE IMPACT & HIGHER COST
  10. 10. EMBEDDED VULNERABILITIES FUTURESECURITYIMPACTRISKCONTEXT 10PUBLIC OLD LIBRARIES & COMPONENTS BAD CONFIGURATION OPEN PORTS
  11. 11. EMBEDDED BACKDOORS FUTURESECURITYIMPACTRISKCONTEXT 11PUBLIC P A S S W O R D 1 2 3 DEFAULT PASSWORDS DEBUG FUNCTIONS ”VENDOR” ACCESS
  12. 12. UNSUPPORTED DEVICES FUTURESECURITYIMPACTRISKCONTEXT 12PUBLIC SHORT LIFESPAN VENDOR CLOSED DIFFICULT TO UPDATE NO SUPPORT HELP
  13. 13. UNPATCHABLE DEVICES FUTURESECURITYIMPACTRISKCONTEXT 13PUBLIC ROM BASED VULNERABILITY OUT OF REACH PHYSICAL DANGER
  14. 14. MAIN IMPACTS OVERVIEW FUTURESECURITYIMPACTRISKCONTEXT 14PUBLIC USED AS A BOT/DOS USED AS AN ENTRY TO YOUR NETWORK USED TO SPY/ATTACK YOU PHYSICAL IMPACT PRODUCT DESTRUCTION
  15. 15. IOT USED AS A BOT FUTURESECURITYIMPACTRISKCONTEXT 15PUBLIC MIRAI, GAFGYT, AIDRA MIRAI • TELNET OPEN • 61 DEFAULT PASSWORDS • 1TBPS • ROUTERS, IP CAMERAS, ETC. ANIMATED MIRAI GIF FROM WIKIMEDIA
  16. 16. IOT USED TO ACCESS NETWORK FUTURESECURITYIMPACTRISKCONTEXT 16PUBLIC 1 2 3 4 5 • IOT DEVICE INITIATES THE CONNECTION • IOT CALLS “HOME” • IOT BYPASSES FIREWALL PROTECTION 6 VENDOR IOT PROXY
  17. 17. IOT USED TO SPY/ATTACK YOU FUTURESECURITYIMPACTRISKCONTEXT 17PUBLIC
  18. 18. IOT PHYSICAL IMPACT FUTURESECURITYIMPACTRISKCONTEXT 18PUBLIC
  19. 19. IOT SELF DESTRUCT BUTTON FUTURESECURITYIMPACTRISKCONTEXT 19PUBLIC MIKROTIK ROUTER RUSSIAN GOOD SAMARITAN PATCH NOKIA HEALTH SCALE REFUNDED AND DISABLED
  20. 20. IOT SECURITY OVERVIEW FUTURESECURITYIMPACTRISKCONTEXT 20PUBLIC TRAFFIC ANALYSIS CODE ANALYSIS FIRMWARE ANALYSIS ONLINE SEARCH / SHODAN SECURITY DESIGN BEST PRACTISE
  21. 21. TRAFFIC ANALYSIS FUTURESECURITYIMPACTRISKCONTEXT 21PUBLIC • INTERCEPT TRAFFIC • LOOK AT PASSWORDS SENT • LOOK AT ENCRYPTION • LOOK AT TOKENS USER VENDOR
  22. 22. CODE ANALYSIS FUTURESECURITYIMPACTRISKCONTEXT 22PUBLIC • CONNECT TO THE DEVICE • INSPECT SOFTWARE INSTALLED • LOOK AT SCRIPTS • STRINGS IN BINARY USER VENDOR • NO DEFAULT PASSWORD • NO BACKDOOR FOR SUPPORT • CODE ANALYSIS TOOLS • THREAT ANALYSIS TOOLS
  23. 23. FIRMWARE ANALYSIS FUTURESECURITYIMPACTRISKCONTEXT 23PUBLIC • EXTRACT FIRMWARE • DISASSEMBLE FIRMWARE • REVIEW MAIN FUNCTIONS USER VENDOR • FIRMWARE ORIGIN? • ANALYSE SOURCE CODE • PENTEST RESULTS REVIEW
  24. 24. ONLINE SEARCH FUTURESECURITYIMPACTRISKCONTEXT 24PUBLIC • GOOGLE SEARCH VENDOR • SHODAN SEARCH DEVICE AND IP • IS YOUR IP VULNERABLE? USER VENDOR • SHODAN SEARCH DEVICE • WHITE PAPER REVIEW • THREAT INTELLIGENCE
  25. 25. FOLLOW BEST PRACTISE FUTURESECURITYIMPACTRISKCONTEXT 25PUBLIC VENDOR UK CODE OF PRACTICE FOR CONSUMER IOT SECURITY 1. NO DEFAULT PASSWORDS 2. IMPLEMENT A VULNERABILITY DISCLOSURE POLICY 3. KEEP SOFTWARE UPDATED 4. SECURELY STORE CREDENTIALS AND SECURITY-SENSITIVE DATA 5. COMMUNICATE SECURELY 6. MINIMISE EXPOSED ATTACK SURFACES 7. ENSURE SOFTWARE INTEGRITY 8. ENSURE THAT PERSONAL DATA IS PROTECTED 9. MAKE SYSTEMS RESILIENT TO OUTAGES 10. MONITOR SYSTEM TELEMETRY DATA 11. MAKE IT EASY FOR CONSUMERS TO DELETE PERSONAL DATA 12. MAKE INSTALLATION AND MAINTENANCE OF DEVICES EASY 13. VALIDATE INPUT DATA https://www.gov.uk/government/publications/secure-by-design
  26. 26. FUTURE OF IOT FUTURESECURITYIMPACTRISKCONTEXT 26PUBLIC IOT FRAMEWORK IOT REGULATION IOT BREACH FINES IOT INTEGRATION IOT FUSION
  27. 27. © 2018 ElysiumSecurity Ltd. All Rights Reserved www.elysiumsecurity.com ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare and respond to incidents as well as raise security awareness through an organization. ELYSIUMSECURITY provides high level expertise gathered through years of best practices experience in large international companies allowing us to provide advice best suited to your business operational model and priorities. ELYSIUMSECURITY provides a portfolio of Strategic and Tactical Services to help companies protect and respond against Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. ELYSIUMSECURITY operates in Mauritius and in Europe, a boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.

×