HACKING IoT
Ted Harrington, Executive Partner | ted.harrington@securityevaluators.com
ISE Proprietary 2
Agenda
3
A) Context
B) Problems
C) Solutions
Agenda
4
A) Context
B) Problems
C) Solutions
5
6
IoT Village: Results
7
• 113 zero-days
• 51 device types
• 39 manufacturers
Common IoT Security Flaws
8
2015
• Denial of Service
• Lack of Encryption
• Key Exposure
• Privilege Escalation
• Remote Code Execution
• Backdoors
• Runs as Root
2016
• All of the previous!!
PLUS:
• Buffer Overflow
• Command Injection
• Session Management
• Etc etc etc
Agenda
9
A) Context
B) Problems
C) Solutions
Weaponize
wep-uh-nahyz
- To convert to use as a weapon
- To supply or equip with weapons
M&E Adversaries Could Use IoT to:
• Pivot
• Steal content
• Circumvent/undermine monetization schema
• Degrade the user experience
• Deny access
• Ensnare studio/vendor in DDoS botnet
11
DDoS Attacks
12
Mirai Botnet
13
Mirai Botnet
14
What is Mirai?
Malware targeting Linux that turns systems into "bots"
Mirai Botnet
15
What is a botnet?
A group of computing devices that can be centrally controlled
Mirai Botnet
What is DDoS?
Mirai Botnet
What is DDoS?
Mirai Botnet
18
Mirai Botnet
19
Mirai Botnet
20
Mirai Botnet
Mirai Botnet
22
Victim Chain
23
Agenda
24
A) Context
B) Problems
C) Solutions
Recommendations
25
Those Who Build
• Threat Modeling
• Secure Design Principles
• Adversarial Perspective
• Security Assessment
Those Who Use
• Reduce Attack Surface
• Audit / Inventory
• Change Default Credentials
• Check for Updates
How Can ISE Help?
ISE Proprietary 26
SECURITY ASSESSMENT
vCISO
ted.harrington@securityevaluators.com
THANK YOU!!

Hacking IoT: the new threat for content assets

Editor's Notes

  • #2 Security is a BUSINESS problem, not an IT problem. 2 case studies: IoT Village, and Hacking Healthcare. "This isn't about what could happen. This is about what HAS happened. This is going on right now, as we speak. The implications are far and wide." The issue is not that someone hacks your in-room thermostat and figures out the temperature you like. The issue is that someone hacks your in-room thermostat and gets guest credit cards, home address, loyalty account info, etc. Connected devices do not effectively have security built in. Huge adoption of connected devices is looming. The industry needs a radical shift or else we will all become exposed. There is a path to success! Let's make you smarter about connected devices, and help you understand why these things are happening, so you can do something about it. Optional: Cialis comparison. Shark Tank: "Imagine pitching this to Mark Cuban. 'Are there any flaws?' Well yeah, there are one or two things we didn't address, like security or privacy." Mention legal ramifications: Target breach cost them $$$$ because of attorneys; make no doubt, attorneys will be coming for the inevitable IoT breach. "All anybody needs is some ambitious lawyer to put you out of business." People who THINK they are smart wait for a problem to land, and then deal with it. People who ARE smart get out ahead of the problem and handle it proactively. Find somewhere for "people are stupid".
  • #6 Background on DEF CON, village concept, and IoT Village as newest village. To shine a spotlight on the security concerns in connected devices. To prove/disprove hypothesis that security flaws are systemic.
  • #7 0day demos. Hacking contest. Workshops.
  • #9 Describe that things are trending worse, not better. Outline the types of issues relevant to IoT, setting up for a deeper dive into some of the more significant items. We're going to talk about denial of service today.
  • #11 Purpose of this slide is to define the key title term and overall presentation theme. Set the groundwork for the discussion about how IoT can be and is weaponized. Rest of the presentation ties back to this concept.
  • #13 Stepping stone attacks. Everything is integrated.
  • #14 Give context and background, for those who might be unfamiliar with the Mirai botnet story: what is Mirai, what is a botnet, what is denial of service. Dyn published an amazing post in response. They did not hide behind "we take your security seriously," like so many others do; they published a detailed discussion of the attack, their response, and their analysis of the issue. For those unfamiliar with this incident and looking for more info, I strongly recommend it. It's on the Dyn blog, easily found via a Google search. http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
  • #16 Often described as zombies, because the devices are unwittingly malicious, just like how people who used to be otherwise normal rational humans now have insatiable bloodthirst without cognition.
  • #19 So think about a DDoS attack as too many people trying to get through a too-small door. The service is unable to differentiate between valid and malicious traffic. Exacerbating the issue is that legitimate traffic, once denied, will perform a retry, further clogging the service. The service cannot differentiate between valid and malicious retries.
  • #20 Break down the attack anatomy
  • #21 Break down the attack anatomy
  • #24 Discuss each victim type, what they care about, and how that impacts the ultimate victim
  • #26 We are talking about IoT, but "those who build" applies to anyone building tech, whether that's mobile apps, network infrastructures, etc.
  • #28 Any questions?