Slide 2
Agenda
About Me
Current State of IoT
Current Threat Landscape
Practical Security Options
Consumers
Developers
Putting it All Together
Q & A
Appendix
Resources
Missteps from Popular IoT Security Fails
Slide 3
About Me
10+ years cyber security and compliance experience
Expertise in Threat Intelligence and Incident Response
Currently geeking out on machine learning and home cyber security
My hobbies include fitness activities, fantasy sports, travel and television / movies
Slide 4
Current State of IoT
Maximum hype
Growing number of devices
High visibility of security limitations
What is the tipping point?
There is no incentive for security until consumers demand it
Confluence of ability, opportunity and motivation
Slide 5
Current Threat Landscape
Barrier to entry is low
Malware as a service
Vectors of choice
Phishing
Watering holes / exploit kits
Attack du jour
Ransomware
As the traditional landscape becomes more fortified, attacks will shift more to IoT devices
“Old vulnerabilities with new capabilities” - Bruce Schneier
“We might use the internet of things to spy on you” - US intelligence chief
Stay ahead of the herd
Slide 6
Practical Security Options:
Consumers
Product selection
Consider not being an early adopter
Choose brands you trust
Proven track records
Certified by standards bodies
Choose products that are patchable
Adopt general security best practices
Unique passwords, multi-factor authentication
Smartphone security
Beef up home security
Update / replace ISP provided router
Firewall
Segmentation
Nextgen gateways (limited options for home users)
User Behavior Analytics (Cujo)
Slide 7
Commercial Improvements are Necessary to Make Progress
Better hardware at lower costs
Trade-offs
+ security --> + processing power
+ processing power --> + $, + packaging, + battery
May be viable for devices like appliances, but not disposables
Standards
Developer-focused
Fragmented, adoption still lacking
Consumer-focused
Sparse
Slide 8
Practical Security Options:
Developers
Align security investment with your brand
Examples
Volvo
Integration of safety (i.e. security) by design
Adobe (Flash)
Reactive approach to security
Slide 9
Practical Security Options:
Developers
Educate yourself about key elements of IoT security
OWASP Top 10
Adopt a framework or standard
Frameworks
NIST CPS, IoTivity/OIC, GSMA
Standards
AllJoyn, Thread, OTrP
Slide 10
Practical Security Options:
Developers
Integrate security into your SDLC
DevOps can facilitate automation
Automated testing
Static analysis
Third party testing
Traditional bug bounties
Crowdsourced testing
Bugcrowd, Applause
Slide 11
Putting it All Together
Profile
Objective: Create prototype
Security budget: $0 - $1000
Security experience: Limited
Project timeline: 3-6 months
Education
• OWASP Top 10
Hardware / Software
• BeagleBone Black
• Ubuntu Core (Snappy)
• C/C++
SDLC
• Agile
• Define security requirements upfront
• Test iteratively
Code Review
• Static analysis: Clang, Cppcheck, Flawfinder, RATS, Splint, Yasca
• Crowdsourced testing: Bugcrowd
Security Posture
• Not likely to be susceptible to common attacks
• Well positioned to transition to a secure production device
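One way to make the "static analysis" and "test iteratively" items above actually block a build, as an added example written for this page (not code from the talk or from any project it names): a small CI gate that reads a Cppcheck XML report and fails on error/warning findings. The Cppcheck invocation in the docstring and the embedded report are assumed and constructed, not output from a real project.

```python
"""CI gate for Cppcheck findings (added example, not from the talk).

Assumes Cppcheck was run as:
    cppcheck --enable=warning,style --xml --xml-version=2 src/ 2> cppcheck.xml
(Cppcheck writes its XML report to stderr.) SAMPLE_REPORT below is a
constructed report in that format, not the output of a real code base.
"""
import sys
import xml.etree.ElementTree as ET

# Severities that fail the build. Cppcheck also emits "style",
# "performance", "portability" and "information", which we only report.
BLOCKING = {"error", "warning"}

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="2.9"/>
  <errors>
    <error id="bufferAccessOutOfBounds" severity="error" msg="Buffer is accessed out of bounds: name" verbose="Buffer is accessed out of bounds: name" cwe="788">
      <location file="src/device.c" line="42" column="5"/>
    </error>
    <error id="nullPointer" severity="warning" msg="Possible null pointer dereference: cfg" verbose="Possible null pointer dereference: cfg" cwe="476">
      <location file="src/config.c" line="17" column="9"/>
    </error>
    <error id="variableScope" severity="style" msg="The scope of the variable 'i' can be reduced" verbose="The scope of the variable 'i' can be reduced" cwe="398">
      <location file="src/main.c" line="8" column="9"/>
    </error>
  </errors>
</results>
"""

def parse_findings(xml_text):
    """Return a list of (severity, id, file, line, msg) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for err in root.iter("error"):
        loc = err.find("location")  # absent for a few global messages
        findings.append((
            err.get("severity"), err.get("id"),
            loc.get("file") if loc is not None else "-",
            int(loc.get("line", "0")) if loc is not None else 0,
            err.get("msg"),
        ))
    return findings

def gate(findings, blocking=BLOCKING):
    """Return (exit_code, blocking_findings); exit code 1 fails the build."""
    blockers = [f for f in findings if f[0] in blocking]
    return (1 if blockers else 0), blockers

if __name__ == "__main__":
    code, blockers = gate(parse_findings(SAMPLE_REPORT))
    for sev, ident, path, line, msg in blockers:
        print(f"{path}:{line}: {sev} [{ident}] {msg}")
    sys.exit(code)
```

Replace SAMPLE_REPORT with the contents of cppcheck.xml to run it on a real tree; the style finding is listed but does not fail the build.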
Slide 16
Missteps from Popular IoT Security Fails
Bluetooth Smartlocks
• Attack: Open locks
• Vector: Static/default passwords; poor standard implementation
Jeep Cherokee
• Attack: Remote operation; denial of service
• Vector: Guessable Wi-Fi password (entry point)
Tesla Model S
• Attack: Unauthorized operation; denial of service
• Vector: Physical security; unpatched OS
Barbie
• Attack: Eavesdropping
• Vector: Unpatched server; weak app authentication
Baby monitors
• Attack: Spying; privacy invasion; verbal abuse
• Vector: Default passwords; guessable account numbers; lack of encryption
Sniper Rifle
• Attack: Denial of service; sabotage
• Vector: Default password
Editor's Notes
5.4B connected devices today, by 2020, 20-50B total devices
Attack landscape growing not just by number of devices, but by the software running on them (multiple OSes)
With known issues, why isn’t anyone panicking?
Most publicized attacks have been hypothetical or sensationalized
Ability and opportunity exist in spades, but many attackers lack motivation to target IoT and will always choose the path of least resistance
High degree of success with attack vectors such as phishing and watering holes
Many applications integrate with smartphones, so if that is compromised, it can have a cascading impact
Heavy lifting can’t be done by startups
Many IoT offerings will require high volume and low margins, so investments in better hardware to improve security are unlikely
Embedded security requires greater processing power
Powerful processors are more expensive, need bigger packaging and require more battery power
Larger and more expensive batteries and processors are not ideal for disposable devices
I’ll speak more on standards later
Despite lack of many major IoT security events to date, it is evident that security will have to be addressed sooner rather than later.
Think about how security fits into your brand and product vision
If you’re already familiar with security and just need direction, take a look at the OWASP Top 10
Provides examples and guidelines
If you need a more holistic approach, adopt an existing framework and/or standard
Standards are primarily focused on interoperability. Some include complete frameworks
Even if you have a small budget or limited security expertise, you have options
Some crowd testing offers you the flexibility to pay for bounties, or give “kudos”
Example of someone with limited budget and security experience that needs to hit the ground running
Education
OWASP Top 10 will allow you to focus on most common mistakes
Hardware / Software
BeagleBone Black
Powerful, affordable
Ability to extend with CryptoCape for more demanding security applications
Ubuntu Core (Snappy)
Designed with security in mind
Isolated components (kernel, OS, gadget, app)
Security profiles
Patchable
Strong dev community
SDLC
Whether you choose traditional waterfall, iterative, agile, or another SDLC, merely adopting any SDLC that considers security requirements and testing throughout will leave you well positioned for success.
Having reviewed the OWASP Top 10 already will help you define security requirements.
Code Review
There are many free static analysis tools for C and C++. You can incorporate multiple tools, or focus on those that specialize in the areas where you feel least comfortable (e.g. memory management).
For dynamic/extended testing options, leverage crowdsourced testing and offer kudos.
Security Posture
Good chance of avoiding mistakes that attackers commonly go after, such as vectors referenced in the appendix for publicized attacks
Easier transition to production since security requirements have already been considered in the design of the prototype
Your commitment to security can grow as your resources grow