
Protecting your home and office in the era of IoT


Some information about the security of IoT devices

Published in: Engineering


  1. Protecting your home and office in the era of IoT
     Marian HackMan Marinov
     Chief System Architect
     SiteGround.com
  2. ❖ Who am I?
     - Chief System Architect of SiteGround.com
     - Sysadmin since 1996
     - Organizer of OpenFest, BG Perl Workshops, LUG-BG and others
     - Teaching Network Security and Linux System Administration courses in Sofia University and SoftUni
  3. ❖ What is an IoT device?
     - a Thermostat
     - a WiFi enabled light bulb
     - Smart TV
     - Smart toys
     - home/office IP camera
     - home/office WiFi router
     - home/office NAS
  4. ❖ What information may leak from IoT devices?
  5. ❖ Presence information (are you at home/office/car)
  6. ❖ Electricity usage
  7. ❖ What devices are you using at your network
  8. ❖ Voice and video conversations (streaming audio/video)
     Samsung privacy statement: http://www.samsung.com/sg/info/privacy/smarttv/
  9. ❖ Habits
  10. ❖ Private files (pictures, documents and videos)
  11. ❖ IoT Security?
      * most of the WiFi/Radio/Bluetooth IoT devices have poor security
  12. ❖ IoT Security?
      * most of the WiFi/Radio/Bluetooth IoT devices have poor security
      - manufacturers were more concerned with usability
  13. ❖ IoT Security?
      * most of the WiFi/Radio/Bluetooth IoT devices have poor security
      - manufacturers were more concerned with usability
      - the HW does not allow them to do a lot more
  14. ❖ IoT Security?
      * most of the WiFi/Radio/Bluetooth IoT devices have poor security
      - manufacturers were more concerned with usability
      - the HW does not allow them to do a lot more
      - use of default passwords is widespread
  15. ❖ IoT Security?
      - >5000 IoT devices attack their own network
        http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/
  16. ❖ IoT Security?
      - >5000 IoT devices attack their own network
        http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/
      - security of the low cost devices is almost non-existent
  17. ❖ IoT Security?
      - >5000 IoT devices attack their own network
        http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/
      - security of the low cost devices is almost non-existent
      - and to top all that, there is the Shodan search engine, which helps to search for such devices
  18. ❖ The number of attacks made by IoT devices is increasing while businesses and customers are searching for easier to use devices...
  19. ❖ Most of the IoT devices work in "The Cloud"
      - your data is as secure as the company that keeps it
      - your devices are sharing information with other companies via APIs
      - some of your devices can not function without "The Cloud"
  20. ❖ IoT device updates
      - some of these devices get no updates
      - most of the Chinese devices will NEVER get software updates
      - some of the very small IoT devices don't even have a mechanism for over the air upgrade
      - a lot of the devices that do support updates, do not have a mechanism to actually verify the update images, so anyone can provide false images
  21. ❖ IoT as Trojans
      - single compromised IoT device can be used to circumvent company firewalls and open your networks to a lot of different attacks
  22. ❖ A lot of these missing security features are because adding the security would actually introduce complexity for the customers
  23. ❖ Once compromised the devices are no longer under your control
  24. ❖ Sometimes compromised devices may remain under your control but simply waiting for a command by the C&C servers
  25. ❖ What am I doing to protect myself and to protect the Internet from me?
  26. ❖ I personally try to avoid devices that require access to the manufacturer's sites
  27. ❖ I personally try to avoid devices that require access to the manufacturer's sites
      ❖ This prevents the possibility of remotely disabling or changing my device
  28. ❖ Every new device I connect to my network is given static IP address
  29. ❖ Every new device I connect to my network is given static IP address
      ❖ Every device is initially firewalled
  30. ❖ Every new device I connect to my network is given static IP address
      ❖ Every device is initially firewalled
      ❖ I check what are the addresses that it needs and allow only them
  31. ❖ Every new device I connect to my network is given static IP address
      ❖ Every device is initially firewalled
      ❖ I check what are the addresses that it needs and allow only them
      ❖ I do not allow traffic to devices that do not require that
  32. ❖ Every new device I connect to my network is given static IP address
      ❖ Every device is initially firewalled
      ❖ I check what are the addresses that it needs and allow only them
      ❖ I do not allow traffic to devices that do not require that
      ❖ When I need to update the SW or FW of the device I allow them Internet access
  33. ❖ Every new device I connect to my network is given static IP address
      ❖ Every device is initially firewalled
      ❖ I check what are the addresses that it needs and allow only them
      ❖ I do not allow traffic to devices that do not require that
      ❖ When I need to update the SW or FW of the device I allow them Internet access
      ❖ After upgrade I test what the device is trying to access again
  34. ❖ I would never give internet access to Voice and Video devices
  35. ❖ In 2015 unprotected baby monitors leaked audio and video conversations by unsuspecting families
  36. ❖ A lot of surveillance give you false sense of security by providing you user/password prompts, but their video streams are protected with DEFAULT users and passwords
  37. ❖ In 2015 unprotected baby monitors leaked audio and video conversations by unsuspecting families
      ❖ In 2016 unprotected IP camera helped to schedule the best time for burglary in some companies and homes in the US
  38. ❖ There are currently around 6 billion internet-connected devices in use worldwide, and that figure is predicted to soar to over 20 billion by 2020, according to research by consultancy Gartner.
  39. ❖ The EU tries to battle these security threats by introducing new laws for IoT devices
  40. ❖ Keep in mind that security IS a process and not a state
  41. ❖ Keep in mind that security IS a process and not a state
      ❖ A device that is SECURE today, may be UNSECURE tomorrow
  42. THANK YOU
      Marian HackMan Marinov <mm@siteground.com>
      Chief System Architect
      SiteGround.com
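
The per-device procedure on slides 28 to 33 (static IP, firewalled by default, allow only the addresses the device needs, re-check after an upgrade), as an added example that is not part of the original slides. It assumes the gateway logs the device's blocked traffic in netfilter LOG format; the `IOT-NEW: ` prefix, the device IP and all addresses in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample: netfilter LOG lines from a gateway. The quarantined device
# has static IP 192.168.10.23; the "IOT-NEW: " prefix and addresses are made up.
BEFORE_UPGRADE = """\
Mar  3 10:15:01 gw kernel: IOT-NEW: IN=br0 OUT=eth0 SRC=192.168.10.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40122 DPT=443
Mar  3 10:15:04 gw kernel: IOT-NEW: IN=br0 OUT=eth0 SRC=192.168.10.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40124 DPT=443
Mar  3 10:16:30 gw kernel: IOT-NEW: IN=br0 OUT=eth0 SRC=192.168.10.23 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=123 DPT=123
Mar  3 10:17:00 gw kernel: IOT-NEW: IN=br0 OUT=eth0 SRC=192.168.10.40 DST=203.0.113.99 LEN=60 PROTO=TCP SPT=5555 DPT=80
"""
AFTER_UPGRADE = BEFORE_UPGRADE + """\
Mar  9 02:00:11 gw kernel: IOT-NEW: IN=br0 OUT=eth0 SRC=192.168.10.23 DST=192.0.2.55 LEN=60 PROTO=TCP SPT=40300 DPT=8883
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def destinations(log_text, device_ip):
    """Count the (dst, proto, dport) flows one device tried to open."""
    seen = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("SRC") != device_ip or "DPT" not in f:
            continue  # another host, or a protocol without ports (e.g. ICMP)
        seen[(f["DST"], f["PROTO"].lower(), int(f["DPT"]))] += 1
    return seen

def nft_rules(device_ip, allowed):
    """nftables forward-chain rule bodies: reviewed flows, then log and drop."""
    rules = [f"ip saddr {device_ip} ip daddr {dst} {proto} dport {port} accept"
             for dst, proto, port in sorted(allowed)]
    rules.append(f'ip saddr {device_ip} log prefix "IOT-NEW: " drop')
    return rules

def new_since(baseline, current):
    """Flows seen now that are missing from the reviewed baseline."""
    return sorted(set(current) - set(baseline))

if __name__ == "__main__":
    dev = "192.168.10.23"
    base = destinations(BEFORE_UPGRADE, dev)
    print("\n".join(nft_rules(dev, base)))
    print("new after upgrade:", new_since(base, destinations(AFTER_UPGRADE, dev)))
```

The observed flows are candidates for review, not an automatic allow-list: each destination still has to be judged as something the device needs before its rule is loaded.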
