
Understanding the Internet of Things

This is a talk I gave in St. Louis in April 2018 about how businesses need to understand the Internet of Things and how they can better protect themselves.


  1. David Strom, April 2018
  2. http://strominator.com
  3. http://strominator.com
  4. Agenda
     • What is the IoT, really?
     • Notable recent IoT security disasters
     • What makes these devices unsafe
     • It isn’t just what you have in your home or business
     • What you can do to be more secure
  5. Sample IoT devices
  6. Notable IoT security disasters
  7. Internet-connected hard drives: WD My Cloud Drive, c. 2018
  8. IoT security, then and now: HP JetDirect, c. 1991
  9. What a simple webcam can do now
  10. IoT and the cloud
  11. What are these words?
  12. What makes devices unsafe?
     • Insecure firmware
     • Or lousy updates of your firmware
     • Operating system bugs (Windows especially)
     • Bad coding practices by device makers
     • Application insecurity
     • Physical security: like that fish tank
  13. What is wrong with devices: many devices have no security whatsoever. Once you know the device’s IP address, game over.
  14. Many privacy issues
     • Device passwords often ignored, or sometimes can’t be changed
     • Device permissions rarely monitored
     • Devices can be used to launch network-based attacks and spread malware
     • Device firmware rarely upgraded or tracked
  15. Suggestions to sleep better
  16. Search for security issues before you buy an IoT device
  17. Change all device passwords – today!
  18. Buy your own firewall/router device for your home network
  19. Secure your home Wi-Fi network
  20. Upgrade your firmware regularly
  21. Use a password manager
  22. For further reading
     • https://www.hpe.com/us/en/insights/articles/9-ways-to-make-iot-devices-more-secure-1701.html
     • https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases
     • https://www.bleepingcomputer.com/news/security/about-90-percent-of-smart-tvs-vulnerable-to-remote-hacking-via-rogue-tv-signals/
     • (Network printers) https://blog.strom.com/wp/?p=5751
  23. (c) 2018 David Strom Inc., http://strominator.com. David Strom, david@strom.com, strominator.com. Subscribe to my newsletter: inside.com/security. These slides can be found here: http://slideshare.net/davidstrom

Editor's Notes

  • Understanding the security implications of the Internet of Things
    We are awash in many IoT devices, such as web cams, Amazon Alexa, Nest thermostats and Apple smart watches. But these and other devices can be an issue in staying secure, both in our homes and across our workplaces. In this talk, I will describe the landscape and suggest how people can better protect themselves against potential IoT security threats and where these threats are likely to come from. 
  • Consumer IoT devices – Apple Smart Watch, Alexa from Amazon and Google Home, and the Nest thermostat
  • I write about various B2B security products for business trade publications, and also produce this regular newsletter via email for Inside.com. Sign up now for free!
  • I used to write for the NY Times about computer topics.
  • Raspberry Pi, Arduino, Android Things platform; insulin pumps

  • You can play YouTube videos and music on your wall switch. This is progress?
  • In addition to these devices, there are also traffic sensors and police body cams that can connect to business networks.
  • Notable IoT Exploits
  • The classic insider revenge scenario dates back to 1999, when Vitek Boden was applying for a job at the Maroochy county sewer district in Australia. He was a contractor for the district, and the county decided not to hire him. To seek revenge, he caused thousands of gallons of raw sewage to be dumped into the local waterways, using a series of radio commands. He was eventually caught by a police officer with various RF equipment. What is important to note is that Boden had all this insider knowledge, yet never worked for the agency that he attacked. He was able to disguise his actions and avoid immediate detection by the agency IT department, which never had any security policies or procedures in place for disgruntled employees.
  • This is perhaps the most infamous example of an IoT attack: the uranium enrichment centrifuges that operated at the Iranian Natanz facility were targeted by the Stuxnet malware. The malware compromised the computers controlling the centrifuges in an attempt to thwart Iran’s nuclear weapons program.

    More info:
    http://readwrite.com/2011/06/28/how-symantec-cracked-stuxnet/
  • Earlier this year Under Armour revealed that it had leaked data on more than 150 million users of its app MyFitnessPal. While not specifically an IoT device, it does work with their fitness tracking apps. Another way to lose weight: have your data leaked by a formerly trusted vendor.
  • They entered the casino’s network through an IoT-connected thermometer, and then moved around the casino’s network until they found a copy of its high-roller database.
  • https://www.bleepingcomputer.com/news/security/about-90-percent-of-smart-tvs-vulnerable-to-remote-hacking-via-rogue-tv-signals/
  • This Western Digital NAS drive has a hard-coded username and password that enables hackers to insert exploit code on the drives and use them as part of a botnet. This means that every command executed through the web interface has full access to the operating system: an attacker would have the keys to the kingdom.
     https://www.engadget.com/2017/03/05/wd-my-cloud-security-exploits/
  • The original IoT enterprise device: the HP JetDirect printer interface. First invented back in 1991, it has been a source of network vulnerabilities for decades. The early models didn’t have any telnet passwords, making them a hacker’s playground. A few years ago HP came out with more protected printers that lock down their BIOS and have built-in intrusion detection.

    https://blog.strom.com/wp/?p=5751
  • Imperva found in 2017 a record high number of IoT issues, more than 100 of them. That was the year of the Mirai botnet.
    https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/
  • There are many things to learn from the construction of the Mirai malware and its leverage of various IoT embedded devices. Let’s talk about the timeline of the destruction it has already accomplished.
    This began in September 2016, when the website of journalist Brian Krebs was attacked. Eventually, this became one of the largest attacks that had been attempted, when about half of the total Internet’s capacity was focused on his website. A month later the source code for this attack was published, and then other sites were targeted.

  • What is being communicated and when?
    Does the cloud make the IoT device more of an asset or a threat?
    Do you need a different enterprise firewall or a different operating procedure?
  • All are names of IoT malware attacks that have happened over the past several years.
  • This is just one website, called Shodan, that makes finding particular devices very easy. Think of it as a search engine for looking for potential IoT targets.
  • Bluetooth headsets can also be vulnerable and can be a security sinkhole.
  • IoT threats are pervasive and widespread; witness the growth of various botnets based on them, such as Mirai and WannaCry, in the past year.
    Insecure IoT devices can be found across a wide collection of industries, computing operating systems, networks, and situations.
    IoT is a growing category for many companies that are implementing embedded sensors, applications, and automated systems.
    Gartner, Inc. has estimated that 6.4 billion connected things were in use worldwide in 2016, and predicts that this will reach 20.8 billion by 2020.
