IOT Security
Oct. 29, 2018•0 likes•831 views
Download to read offline
Report
Technology
A look at the main security risks and impact related to IOT devices as well as what are the key steps to improve IOT security.
Sylvain MartinezFollow
Recommended
IoT securityYashKesharwani2
IoT SecurityNarudom Roongsiriwong, CISSP
IoT security (Internet of Things)Sanjay Kumar (Seeking options outside India)
Security issues and solutions : IoTJinia Bhowmik
Iot Security, Internet of ThingsBryan Len
Internet of things - challenges scopes and solutionsShivam Kumar
More Related Content
What's hot
Privacy and security in IoTVasco Veloso
Presentation on IOT SECURITYThe Avi Sharma
Security in IoTgr9293
A survey in privacy and security in Internet of Things IOTUniversity of Ontario Institute of Technology (UOIT)
Internet of Thingspkshc01
Iot - Internet of ThingsKIET Group of Institutions, Ghaziabad
Similar to IOT Security
The Internet of Things: We've Got to ChatDuo Security
Unauthorized Access Detection in IoT using Canary Token AlgorithmIJSRED
Security Requirements in IoT Architecture Vrince Vimal
IoT Vulnerability Analysis and IOT In security ControlsJay Nagar
SIM Portland IOT - Sandhi Bhide - (09-14-2016)sandhibhide
Internet of Things - Privacy and Security issuesPierluigi Paganini
![[CLASS2014] Palestra Técnica - Franzvitor Fiorim](https://cdn.slidesharecdn.com/ss_thumbnails/ptclass22-franzvitorfiorim-141113131906-conversion-gate01-thumbnail.jpg?width=2048&height=1162&fit=bounds)
More from Sylvain Martinez
PROGRAMMING AND CYBER SECURITYSylvain Martinez
INTRODUCTION TO CRYPTOGRAPHYSylvain Martinez
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
DATA LOSS PREVENTION OVERVIEWSylvain Martinez
2019 CYBER SECURITY TRENDS REPORT REVIEWSylvain Martinez
INCIDENT RESPONSE CONCEPTSSylvain Martinez
Recently uploaded
h2 meet pdf test.pdfJohnLee971654
DWeb and Civil Society: An Introduction For MakersTechSoup
Industry 4.0.pdfTery Lockitski
AMAZON-RESUME.pdfRegineRaneses
Document Understanding as Cloud APIs and Generative AI Pre-labeling Extractio...DianaGray10
Inclusivity and AI: opportunity or threatAlan Dix
IOT Security
- 1. IOT SECURITY VERSION: 1.2a DATE: 24/10/2018 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC13-MUSCL CLASSIFICATION: Public
- 2. 2 • IOT definition; • IOT trends, • IOT innovation and integration; • Cyber security risks • IOT contribution to cyber security risk; • Main risk overview; • Security as an afterthought; • Embedded vulnerabilities; • Embedded backdoors; • Unsupported devices; • Unpatchable devices; • Main impacts overview; • IOT used as a bot; • IOT used to access network; • IOT used to spy/attack you; • IOT physical impact; • IOT Self destruct button; • IOT security overview; • Traffic analysis; • Code analysis; • Firmware analysis; • Online search; • Follow best practise; CONTENTS PUBLIC FUTURESECURITYIMPACTRISKCONTEXT • Future of IOT
- 3. IOT DEFINITION FUTURESECURITYIMPACTRISKCONTEXT 3PUBLIC THE INTERNET OF THINGS ANY PHYSICAL OBJECT THAT CAN BE CONNECTED TO THE INTERNET Icons from the Noun Project unless specified otherwise
- 4. IOT TRENDS FUTURESECURITYIMPACTRISKCONTEXT 4PUBLIC Source: information is beautiful
- 5. IOT INOVATION AND INTEGRATION FUTURESECURITYIMPACTRISKCONTEXT 5PUBLIC Idea: information is beautiful
- 6. CYBER SECURITY RISK FUTURESECURITYIMPACTRISKCONTEXT 6PUBLIC GLOBALIZATION & DIGITALIZATION ITSYSTEMRELIANCE ATTACK SURFACE PAST FUTURE 100% 0% TIME GROWTH MONEY & GEOPOLITICAL GAIN THREATACTORSSKILLS ATTACK VECTORS PAST FUTURE 100% 0% TIME GROWTH ATTACK SURFACE ATTACKVECTORS CYBER SECURITY RISKS PAST FUTURE 100% 0% TIME GROWTH CYBER SECURITY RISKS’ PROBABILITY AND IMPACT ARE INCREASING. THEIR ABILITY TO DISRUPT COMPANIES BUSINESS OPERATION HAVE GROWING FINANCIAL, REPUTATIONAL AND LEGAL NEGATIVE CONSEQUENCES SOURCE: ELYSIUMSECURITY LTD – Please refer to us when re-using this diagram + =
- 7. IOT CONTRIBUTION TO CYBER SECURITY RISK FUTURESECURITYIMPACTRISKCONTEXT 7PUBLIC GLOBALIZATION & DIGITALIZATION ITSYSTEMRELIANCE ATTACK SURFACE PAST FUTURE 100% 0% TIME GROWTH SOURCE: ELYSIUMSECURITY LTD
- 8. MAIN RISKS OVERVIEW FUTURESECURITYIMPACTRISKCONTEXT 8PUBLIC SECURITY IS AN AFTERTHOUGH EMBEDDED VULNERABILITIES EMBEDDED BACKDOORS UNSUPPORTED DEVICES UNPATCHABLE DEVICES
- 9. SECURITY IS AN AFTERTHOUGHT FUTURESECURITYIMPACTRISKCONTEXT 9PUBLIC LOW COST LOW RESOURCES 3RD PARTY RELIANCE & LOW PERFORMANCE + ADDED SECURITY = PERFORMANCE IMPACT & HIGHER COST
- 10. EMBEDDED VULNERABILITIES FUTURESECURITYIMPACTRISKCONTEXT 10PUBLIC OLD LIBRARIES & COMPONENTS BAD CONFIGURATION OPEN PORTS
- 11. EMBEDDED BACKDOORS FUTURESECURITYIMPACTRISKCONTEXT 11PUBLIC P A S S W O R D 1 2 3 DEFAULT PASSWORDS DEBUG FUNCTIONS ”VENDOR” ACCESS
- 12. UNSUPPORTED DEVICES FUTURESECURITYIMPACTRISKCONTEXT 12PUBLIC SHORT LIFESPAN VENDOR CLOSED DIFFICULT TO UPDATE NO SUPPORT HELP
- 13. UNPATCHABLE DEVICES FUTURESECURITYIMPACTRISKCONTEXT 13PUBLIC ROM BASED VULNERABILITY OUT OF REACH PHYSICAL DANGER
- 14. MAIN IMPACTS OVERVIEW FUTURESECURITYIMPACTRISKCONTEXT 14PUBLIC USED AS A BOT/DOS USED AS AN ENTRY TO YOUR NETWORK USED TO SPY/ATTACK YOU PHYSICAL IMPACT PRODUCT DESTRUCTION
- 15. IOT USED AS A BOT FUTURESECURITYIMPACTRISKCONTEXT 15PUBLIC MIRAI, GAFGYT, AIDRA MIRAI • TELNET OPEN • 61 DEFAULT PASSWORDS • 1TBPS • ROUTERS, IP CAMERAS, ETC. ANIMATED MIRAI GIF FROM WIKIMEDIA
- 16. IOT USED TO ACCESS NETWORK FUTURESECURITYIMPACTRISKCONTEXT 16PUBLIC 1 2 3 4 5 • IOT DEVICE INITIATES THE CONNECTION • IOT CALLS “HOME” • IOT BYPASSES FIREWALL PROTECTION 6 VENDOR IOT PROXY
- 17. IOT USED TO SPY/ATTACK YOU FUTURESECURITYIMPACTRISKCONTEXT 17PUBLIC
- 18. IOT PHYSICAL IMPACT FUTURESECURITYIMPACTRISKCONTEXT 18PUBLIC
- 19. IOT SELF DESTRUCT BUTTON FUTURESECURITYIMPACTRISKCONTEXT 19PUBLIC MIKROTIK ROUTER RUSSIAN GOOD SAMARITAN PATCH NOKIA HEALTH SCALE REFUNDED AND DISABLED
- 20. IOT SECURITY OVERVIEW FUTURESECURITYIMPACTRISKCONTEXT 20PUBLIC TRAFFIC ANALYSIS CODE ANALYSIS FIRMWARE ANALYSIS ONLINE SEARCH / SHODAN SECURITY DESIGN BEST PRACTISE
- 21. TRAFFIC ANALYSIS FUTURESECURITYIMPACTRISKCONTEXT 21PUBLIC • INTERCEPT TRAFFIC • LOOK AT PASSWORDS SENT • LOOK AT ENCRYPTION • LOOK AT TOKENS USER VENDOR
- 22. CODE ANALYSIS FUTURESECURITYIMPACTRISKCONTEXT 22PUBLIC • CONNECT TO THE DEVICE • INSPECT SOFTWARE INSTALLED • LOOK AT SCRIPTS • STRINGS IN BINARY USER VENDOR • NO DEFAULT PASSWORD • NO BACKDOOR FOR SUPPORT • CODE ANALYSIS TOOLS • THREAT ANALYSIS TOOLS
- 23. FIRMWARE ANALYSIS FUTURESECURITYIMPACTRISKCONTEXT 23PUBLIC • EXTRACT FIRMWARE • DISASSEMBLE FIRMWARE • REVIEW MAIN FUNCTIONS USER VENDOR • FIRMWARE ORIGIN? • ANALYSE SOURCE CODE • PENTEST RESULTS REVIEW
- 24. ONLINE SEARCH FUTURESECURITYIMPACTRISKCONTEXT 24PUBLIC • GOOGLE SEARCH VENDOR • SHODAN SEARCH DEVICE AND IP • IS YOUR IP VULNERABLE? USER VENDOR • SHODAN SEARCH DEVICE • WHITE PAPER REVIEW • THREAT INTELLIGENCE
- 25. FOLLOW BEST PRACTISE FUTURESECURITYIMPACTRISKCONTEXT 25PUBLIC VENDOR UK CODE OF PRACTICE FOR CONSUMER IOT SECURITY 1. NO DEFAULT PASSWORDS 2. IMPLEMENT A VULNERABILITY DISCLOSURE POLICY 3. KEEP SOFTWARE UPDATED 4. SECURELY STORE CREDENTIALS AND SECURITY-SENSITIVE DATA 5. COMMUNICATE SECURELY 6. MINIMISE EXPOSED ATTACK SURFACES 7. ENSURE SOFTWARE INTEGRITY 8. ENSURE THAT PERSONAL DATA IS PROTECTED 9. MAKE SYSTEMS RESILIENT TO OUTAGES 10. MONITOR SYSTEM TELEMETRY DATA 11. MAKE IT EASY FOR CONSUMERS TO DELETE PERSONAL DATA 12. MAKE INSTALLATION AND MAINTENANCE OF DEVICES EASY 13. VALIDATE INPUT DATA https://www.gov.uk/government/publications/secure-by-design
- 26. FUTURE OF IOT FUTURESECURITYIMPACTRISKCONTEXT 26PUBLIC IOT FRAMEWORK IOT REGULATION IOT BREACH FINES IOT INTEGRATION IOT FUSION
- 27. © 2018 ElysiumSecurity Ltd. All Rights Reserved www.elysiumsecurity.com ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare and respond to incidents as well as raise security awareness through an organization. ELYSIUMSECURITY provides high level expertise gathered through years of best practices experience in large international companies allowing us to provide advice best suited to your business operational model and priorities. ELYSIUMSECURITY provides a portfolio of Strategic and Tactical Services to help companies protect and respond against Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. ELYSIUMSECURITY operates in Mauritius and in Europe, a boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.