IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
The Firmware extraction and fuzzing workshop will cover the ways of extracting the firmware from the IoT devices and set up the dynamic fuzzer in the emulated firmware to find the bugs.
https://nsconclave.net-square.com/firmware-extraction-and-fuzzing.html
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Threat Hunting, Detection, and Incident Response in the CloudBen Johnson
SaaS and IaaS are new frontiers for a lot of security teams. We'll explore some thoughts at how you might approach some of these areas of your environment from a hunting or IR perspective. This was from a Sans webinar on 2019-09-25.
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Understanding what is IoT security
What is the scope of IoT security
Uses of IoT and where do we see it in our daily life
Possible attack surface and likelihood of IoT-related attacks
IoT specific security assessment (understanding approach, IoT protocols, how it is a combination of different type assessments)
The myths of IoT security and the way it has progressed in past few years and how far fetched it can be.
Available Resources and Tools
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?PECB
Ethical hacking helps organizations in preventing the exploitation and vulnerabilities of their system’s data.
Today, several real-world testing methods are used to avoid cyber-attacks and secure important data from exploitation.
The webinar covers
• Ethical Hacking
• Penetration Testing
• Differences and Similarities
• Types & Stages of Penetration Testing
• Cybersecurity
• Impact of COVID-19 on Cybersecurity
Presenters:
Carl Carpenter
Carl is a former CISO of a $6B entity where he was responsible for protecting data of all types and regulatory environments such as FFIEC, HIPAA, and PCI as well as working with the FBI, IRS, and US Department of Labor around investigations relating to money laundering. He has performed assessments against Fortune 10 and 50 companies in the areas of GDPR, CCPA, ISO/IEC 27001 and currently performs CMMC assessments as well as CMMC pre-audit support to help ensure a successful CMMC audit. Prior to that, Carl retired from the US Military where he was involved in counter-terrorist, counter-narcotics, counter-intelligence operations and training foreign military members in these same concepts. Carl is also a PECB trainer in ISO/IEC 27001, ISO/IEC 27032, and CMMC Foundations and holds numerous other certifications.
In 2016, Carl joined Arrakis Consulting where he started as an auditor and providing CISO-as-a-Service to small or medium sized companies that needed more experience without increased cost. In 2017, Carl added active penetration testing to his portfolio of skills and routinely performs penetration tests against companies of all sizes. Carl also trains people on a variety of skills such as penetration testing, network engineering, network administration, OSI model, subnetting, etc…
Carl holds a Bachelors from Western Governors University in Network Security and Operations as well as numerous certifications from ITIL, Cisco, CompTIA, Microsoft, CMMC-AB, ISACA, OneTrust, RSA, PCI Council, Citrix, and Novell
Andreas Christoforides
Mr. Christoforides is an active IT auditor and a trainer for a various organization on Information Security Management Systems. He is a member of the Cyprus Computer Society, a PECB certified trainer for ISO/IEC 27001, ISO 22301 and GDPR CDPO, and a former Deputy Head of IT Infrastructure at a Bulgarian Leading Bank.
In 2019, he joined BEWISE and delivered to clients a wide range of Cybersecurity projects in the areas of strategy, governance and risk management, data privacy and protection (GDPR), and business resilience and recovery. He conducts IT Risk Assessments and develops IT policies and procedures towards establishing an effective and secure IT Governance framework.
Mr. Christoforides holds a BEng degree from Birmingham City University and a variety of other qualifications from Microsoft and CISCO.
YouTube video: https://youtu.be/cTrdBZFIFhM
Website link: https://pecb.com/
Threat modeling web application: a case studyAntonio Fontes
TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet. It helps identify major threats to your web application and their appropriate countermeasures.
This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.
Event: Confoo 2011 Montreal
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Edureka!
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Tools" gives an introduction to the various tools used in the industry for the purpose of cybersecurity. You get to know different kinds of security tools in today's IT world and how they protect us against cyber threats/attacks. The following tools are discussed in this tutorial:
- BluVector
- Bricata
- Cloud Defender
- Contrast Security
- Digital Guardian
- Intellicta
- Mantix4
- SecBI
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Understand what Ethical Hacking is, what are it's phases, and how it is different from Hacking.
Followed by screenshots of two common ethical hacking attacks.
Using a smart building as their case study, Forescout Research Labs investigated how IoT devices can be leveraged as an entry point to a building’s network, where legacy OT assets, IT systems and IoT devices all intersect. Key findings from our research include:
• How the IoT is impacting the organizational threat landscape
• The additional risks that IoT devices introduce
• How to evolve your cybersecurity strategy for the age of IoT
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
The Firmware extraction and fuzzing workshop will cover the ways of extracting the firmware from the IoT devices and set up the dynamic fuzzer in the emulated firmware to find the bugs.
https://nsconclave.net-square.com/firmware-extraction-and-fuzzing.html
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Threat Hunting, Detection, and Incident Response in the CloudBen Johnson
SaaS and IaaS are new frontiers for a lot of security teams. We'll explore some thoughts at how you might approach some of these areas of your environment from a hunting or IR perspective. This was from a Sans webinar on 2019-09-25.
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Understanding what is IoT security
What is the scope of IoT security
Uses of IoT and where do we see it in our daily life
Possible attack surface and likelihood of IoT-related attacks
IoT specific security assessment (understanding approach, IoT protocols, how it is a combination of different type assessments)
The myths of IoT security and the way it has progressed in past few years and how far fetched it can be.
Available Resources and Tools
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?PECB
Ethical hacking helps organizations in preventing the exploitation and vulnerabilities of their system’s data.
Today, several real-world testing methods are used to avoid cyber-attacks and secure important data from exploitation.
The webinar covers
• Ethical Hacking
• Penetration Testing
• Differences and Similarities
• Types & Stages of Penetration Testing
• Cybersecurity
• Impact of COVID-19 on Cybersecurity
Presenters:
Carl Carpenter
Carl is a former CISO of a $6B entity where he was responsible for protecting data of all types and regulatory environments such as FFIEC, HIPAA, and PCI as well as working with the FBI, IRS, and US Department of Labor around investigations relating to money laundering. He has performed assessments against Fortune 10 and 50 companies in the areas of GDPR, CCPA, ISO/IEC 27001 and currently performs CMMC assessments as well as CMMC pre-audit support to help ensure a successful CMMC audit. Prior to that, Carl retired from the US Military where he was involved in counter-terrorist, counter-narcotics, counter-intelligence operations and training foreign military members in these same concepts. Carl is also a PECB trainer in ISO/IEC 27001, ISO/IEC 27032, and CMMC Foundations and holds numerous other certifications.
In 2016, Carl joined Arrakis Consulting where he started as an auditor and providing CISO-as-a-Service to small or medium sized companies that needed more experience without increased cost. In 2017, Carl added active penetration testing to his portfolio of skills and routinely performs penetration tests against companies of all sizes. Carl also trains people on a variety of skills such as penetration testing, network engineering, network administration, OSI model, subnetting, etc…
Carl holds a Bachelors from Western Governors University in Network Security and Operations as well as numerous certifications from ITIL, Cisco, CompTIA, Microsoft, CMMC-AB, ISACA, OneTrust, RSA, PCI Council, Citrix, and Novell
Andreas Christoforides
Mr. Christoforides is an active IT auditor and a trainer for a various organization on Information Security Management Systems. He is a member of the Cyprus Computer Society, a PECB certified trainer for ISO/IEC 27001, ISO 22301 and GDPR CDPO, and a former Deputy Head of IT Infrastructure at a Bulgarian Leading Bank.
In 2019, he joined BEWISE and delivered to clients a wide range of Cybersecurity projects in the areas of strategy, governance and risk management, data privacy and protection (GDPR), and business resilience and recovery. He conducts IT Risk Assessments and develops IT policies and procedures towards establishing an effective and secure IT Governance framework.
Mr. Christoforides holds a BEng degree from Birmingham City University and a variety of other qualifications from Microsoft and CISCO.
YouTube video: https://youtu.be/cTrdBZFIFhM
Website link: https://pecb.com/
Threat modeling web application: a case studyAntonio Fontes
TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet. It helps identify major threats to your web application and their appropriate countermeasures.
This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.
Event: Confoo 2011 Montreal
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Edureka!
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Tools" gives an introduction to the various tools used in the industry for the purpose of cybersecurity. You get to know different kinds of security tools in today's IT world and how they protect us against cyber threats/attacks. The following tools are discussed in this tutorial:
- BluVector
- Bricata
- Cloud Defender
- Contrast Security
- Digital Guardian
- Intellicta
- Mantix4
- SecBI
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Understand what Ethical Hacking is, what are it's phases, and how it is different from Hacking.
Followed by screenshots of two common ethical hacking attacks.
Using a smart building as their case study, Forescout Research Labs investigated how IoT devices can be leveraged as an entry point to a building’s network, where legacy OT assets, IT systems and IoT devices all intersect. Key findings from our research include:
• How the IoT is impacting the organizational threat landscape
• The additional risks that IoT devices introduce
• How to evolve your cybersecurity strategy for the age of IoT
Marcellus Buchheit (Wibu-Systems) and Terrence Barr (Electric Imp) talk about how to secure IIoT endpoints, why they are so vital to secure, and how the Industrial Internet Security Framework (IISF) can help. This talk was given during a webinar as part of the #IICSeries, a continuous series of webinars on the industrial internet hosted by the Industrial Internet Consortium.
IIoT Endpoint Security – The Model in Practiceteam-WIBU
What is your first line of defense against cyberattacks? Secure endpoints! Endpoints are everywhere in the IIoT landscape. Without proper security, Industrial Internet of Things (IIoT) systems are not trustworthy, putting organizations, their missions and the greater public at increased risk. The viability of the IIoT depends on proper implementation of security to counter the growing and ever changing threats that are emerging.
Addressing this challenge is critical to the success of the Industrial IoT, Industrie 4.0 and the Industrial Internet revolution. To that end, Industrial Internet Consortium members have developed a common security framework and an approach to assess cybersecurity in Industrial Internet of Things systems: The Industrial Internet Security Framework (IISF).
Watch the webinar: https://youtu.be/t0GC4Fp-NXQ
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
Companies and researchers are exploring ways to make software and hardware development easier for the masses. Soon you will be able to build your own autonomous drone, create a sensor that assess the watering needs of your plants, and develop a cat tracking device with minimal coding and hardware skills.
What is the place of security and privacy in this exciting development?
Are we building the next generation of Internet security vulnerabilities right now?
In his talk Hannes Tschofenig will highlight challenges with Internet of Things, what role standardization plays, and what contributions ARM, a provider of microprocessor IP, is making to improve IoT security.
Product security by Blockchain, AI and Security CertsLabSharegroup
Three themes You need to think about Product Security — and some tips for How to Do It
I have been working with software security laboratories and IT security firms for years. I have talked with clients, read and watched dozens of articles/videos and talked with several experts about product security themes, future, technologies.
The three themes are:
Is the blockchain the new technology of trust?
Blockchain has the potential to transform industries. However, some security experts raised questions: If blockchain is broadly used in technology solutions will security standards be adopted? How to protect the cryptographic keys that allow access to the blockchain applications? Although it is true that the potential is huge such as securing IoT nodes, edge devices with authentication, improved confidentiality and data integrity, disrupting current PKI systems, reducing DDoS attacks etc.
AI (Machine Learning, Deep Learning, Reinforcement Learning algorithm) potential in Product Security
Machine learning can help in creating products that analyse threats and respond to attacks and security incidents. There are several repositories on GitHub or open-source codes by IBM available for developers. Deep learning networks are rapidly growing due to cheap cloud GPU services and after Reinforcement learning algorithm’s last success nobody knows the upper limit.
Product Security by International security standards and practices
The present, future, and developmental orientations of independent third party certificates Industry. How can the international standards answer the rapid growth of new technologies and maintain secure applications in IoT, Blockchain or AI-driven industries?
Are IT products reliable, secure and will they stay that way?
I would like to explain Product Security in a simple way. My goal is the introduction of product security for Tech startups, fast-growing Tech firms. Furthermore, I would like to emphasize the benefits of product security certification.
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, however, some challenges that are unique to IoT.
1. Embedded Passwords. Embedding passwords in IoT devices make it easy for remote support technicians to access devices for troubleshooting and simplifies the installation of multiple devices. Of course, it also simplifies access to devices for malicious purposes.
2. Lack of device authentication. Allowing IoT devices access to the network without authenticating opens the network to unknown and unauthorized devices. Rogue devices can serve as an entry point for attacks or even as a source of attacks.
3. Patching and upgrading. Some IoT devices do not provide a simple (or any) means to patch or upgrade software. This results in many IoT devices with vulnerabilities continuing to be in use.
4. Physical hardening. Physical access to IoT devices can introduce risk if those devices are not hardened against physical attack. Such an attack may not be intended to damage the device, but rather to extract information. Simply removing a microSD memory card to read its contents can give an attacker private data, as well as information such as embedded passwords that may allow access to other devices.
5. Outdated components. When vulnerabilities are discovered in hardware or software components of IoT devices, it can be difficult and expensive for manufacturers or users to update or replace them. As with patches, this results in many IoT devices with vulnerabilities continuing to be used.
6. Device monitoring and management. IoT devices do not always have a unique identifier that facilitates asset tracking, monitoring, and management. IT personnel do not necessarily consider IoT devices among the hosts that they monitor and manage. Asset tracking systems sometimes neglect to include IoT devices, so they sit on the network without being managed or monitored.
Most of these issues can be attributed to security being an afterthought (if a thought at all) in the design and manufacturing of IoT devices. Even tho ...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.
The Internet of Things: We've Got to ChatDuo Security
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
IoT Vulnerability Analysis and IOT In security ControlsJay Nagar
The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed. To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices, enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities. All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyber attacks.
Final Research Project - Securing IoT Devices What are the Challe.docxtjane3
Final Research Project - Securing IoT Devices: What are the Challenges?
Internet security, in general, is a challenge that we have been dealing with for decades. It is a regular topic of discussion and concern, but a relatively new segment of internet security is getting most attention—internet of things (IoT). So why is internet of things security so important?
The high growth rate of IoT should get the attention of cybersecurity professionals. The rate at which new technology goes to market is inversely proportional to the amount of security that gets designed into the product. According to IHS Markit, “The number of connected IoT devices worldwide will jump 12 percent on average annually, from nearly 27 billion in 2017 to 125 billion in 2030.”
IoT devices are quite a bit different from other internet-connected devices such as laptops and servers. They are designed with a single purpose in mind, usually running minimal software with minimal resources to serve that purpose. Adding the capability to run and update security software is often not taken into consideration.
Due to the lack of security integrated into IoT devices, they present significant risks that must be addressed. IoT security is the practice of understanding and mitigating these risks. Let’s consider the challenges of IoT security and how we can address them.
Some security practitioners suggest that key IoT security steps include:
1. Make people aware that there is a threat to security;
2. Design a technical solution to reduce security vulnerabilities;
3. Align the legal and regulatory frameworks; and
4. Develop a workforce with the skills to handle IoT security.
Final Assignment - Project Plan (Deliverables):
1) Address each of the FOURIoT security steps listed above in terms of IoT devices.
2) Explain in detail, in a step-by-step guide, how to make people more aware of the problems associated with the use of IoT devices.
Bottom of Form
Top of Form
Bottom of Form
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, howe.
Final Research Project - Securing IoT Devices What are the Challe.docxlmelaine
Final Research Project - Securing IoT Devices: What are the Challenges?
Internet security, in general, is a challenge that we have been dealing with for decades. It is a regular topic of discussion and concern, but a relatively new segment of internet security is getting most attention—internet of things (IoT). So why is internet of things security so important?
The high growth rate of IoT should get the attention of cybersecurity professionals. The rate at which new technology goes to market is inversely proportional to the amount of security that gets designed into the product. According to IHS Markit, “The number of connected IoT devices worldwide will jump 12 percent on average annually, from nearly 27 billion in 2017 to 125 billion in 2030.”
IoT devices are quite a bit different from other internet-connected devices such as laptops and servers. They are designed with a single purpose in mind, usually running minimal software with minimal resources to serve that purpose. Adding the capability to run and update security software is often not taken into consideration.
Due to the lack of security integrated into IoT devices, they present significant risks that must be addressed. IoT security is the practice of understanding and mitigating these risks. Let’s consider the challenges of IoT security and how we can address them.
Some security practitioners suggest that key IoT security steps include:
1. Make people aware that there is a threat to security;
2. Design a technical solution to reduce security vulnerabilities;
3. Align the legal and regulatory frameworks; and
4. Develop a workforce with the skills to handle IoT security.
Final Assignment - Project Plan (Deliverables):
1) Address each of the FOURIoT security steps listed above in terms of IoT devices.
2) Explain in detail, in a step-by-step guide, how to make people more aware of the problems associated with the use of IoT devices.
Bottom of Form
Top of Form
Bottom of Form
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, howe ...
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...CODE BLUE
Tons of insecure IoT devices are out there and ready to be compromised to join next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem to improve naturally in a short term. This talk will focus on series of efforts on discovery, monitoring, analysis, and notification of these devices trying to clean up "the mess".
[Blockchain and Cryptocurrency] 01. SyllabusSeungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 02. Blockchain Overview and Introduction - Te...Seungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 03. Blockchain's Theoretical Foundation, Cryp...Seungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 04. Bitcoin and Nakamoto BlockchainSeungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 05. Ethereum and Smart ContractSeungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 06. NFT and MetaverseSeungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other AltcoinsSeungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 08. Dark CoinsSeungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...Seungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)Seungjoo Kim
Even in this pandemic situation, thank you for making and running the HITCON 2021 so well. Thank you for giving me the chance to talk!
This presentation is revised by reinforcing Q&A. Look forward to seeing you offline next year!
Kid Blockchain - Everything You Need to Know - (Part 1)Seungjoo Kim
Kid Blockchain - Everything You Need to Know - (Part 1)
01. 화폐의 역사 : 금에서부터 간편결제에 이르기까지 ... 4P
02. 비트코인의 탄생 ... 27P
03. 비트코인과 블록체인의 세부 동작원리 ... 85P
04. 작업증명(PoW)이란? ... 158P
05. 비트코인과 블록체인이 당면한 기술적 문제 ... 171P
Application of the Common Criteria to Building Trustworthy Automotive SDLCSeungjoo Kim
Seungyeon Jeong, Sooyoung Kang, and Seungjoo Kim, "Application of the Common Criteria to Building Trustworthy Automotive SDLC", Proc. of The 19th ICCC 2020, The 19th International Common Criteria Conference, Virtual (online) Conference, November 16-18, 2020.
Assurance-Level Driven Method for Integrating Security into SDLC ProcessSeungjoo Kim
Sooyoung Kang, Seungyeon Jeong, and Seungjoo Kim, "Assurance-Level Driven Method for Integrating Security into SDLC Process”, Proc. of The 18th CCUF Workshop 2020, The 18th Common Criteria Users Forum Workshop, Virtual (online) Conference, November 12, 2020.
How South Korea Is Fighting North Korea's Cyber ThreatsSeungjoo Kim
Seungjoo Kim, "How South Korea Is Fighting North Korea's Cyber Threats", Asia Transnational Threats Forum - Virtual Roundtable on North Korean Cyber Threats, Center for East Asia Policy Studies at BROOKINGS, October 15, 2020.
o 행 사 명 : 포스트코로나 시대의 ICT산업 미래전략포럼
o 일시/장소 : ‘20.5.22.(금) 10:00~16:30 / 에스팩토리(서울 성수동 소재)
o 주최/후원 : KAIT, KCA, IITP / SKT, KT, LGU+, LG전자 등
o 참 석 자 : 과기정통부 2차관, 정보통신산업정책관 및 ICT산업분야별 전문가 등
Verification of IVI Over-The-Air using UML/OCLSeungjoo Kim
Verification of IVI Over-The-Air using UML/OCL @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...ssuser7dcef0
Power plants release a large amount of water vapor into the
atmosphere through the stack. The flue gas can be a potential
source for obtaining much needed cooling water for a power
plant. If a power plant could recover and reuse a portion of this
moisture, it could reduce its total cooling water intake
requirement. One of the most practical way to recover water
from flue gas is to use a condensing heat exchanger. The power
plant could also recover latent heat due to condensation as well
as sensible heat due to lowering the flue gas exit temperature.
Additionally, harmful acids released from the stack can be
reduced in a condensing heat exchanger by acid condensation. reduced in a condensing heat exchanger by acid condensation.
Condensation of vapors in flue gas is a complicated
phenomenon since heat and mass transfer of water vapor and
various acids simultaneously occur in the presence of noncondensable
gases such as nitrogen and oxygen. Design of a
condenser depends on the knowledge and understanding of the
heat and mass transfer processes. A computer program for
numerical simulations of water (H2O) and sulfuric acid (H2SO4)
condensation in a flue gas condensing heat exchanger was
developed using MATLAB. Governing equations based on
mass and energy balances for the system were derived to
predict variables such as flue gas exit temperature, cooling
water outlet temperature, mole fraction and condensation rates
of water and sulfuric acid vapors. The equations were solved
using an iterative solution technique with calculations of heat
and mass transfer coefficients and physical properties.
A review on techniques and modelling methodologies used for checking electrom...nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsVictor Morales
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
HEAP SORT ILLUSTRATED WITH HEAPIFY, BUILD HEAP FOR DYNAMIC ARRAYS.
Heap sort is a comparison-based sorting technique based on Binary Heap data structure. It is similar to the selection sort where we first find the minimum element and place the minimum element at the beginning. Repeat the same process for the remaining elements.
Water billing management system project report.pdfKamal Acharya
Our project entitled “Water Billing Management System” aims is to generate Water bill with all the charges and penalty. Manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as front end and MYSQL as back end for developing our project. HTML is primarily a visual design environment. We can create a android application by designing the form and that make up the user interface. Adding android application code to the form and the objects such as buttons and text boxes on them and adding any required support code in additional modular.
MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software. It is a stable ,reliable and the powerful solution with the advanced features and advantages which are as follows: Data Security.MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software.
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria
1. Security Analysis aNd Evaluation Lab.
ICCC 2019
2019. 10. 02
IoT Device Hacking and New Direction of IoT
Security Evaluation Using Common Criteria
Ki Taek Lee* Kwangwoo Lee** Seungjoo Kim***
zizihacker@korea.ac.kr* kwangwoo.lee@hp.com** skim71@korea.ac.kr***
*1st
Author
CIST (Center for Information
Security Technologies),
Korea University
**2nd
Author
HP Inc.
***Corresponding Author
CIST (Center for Information
Security Technologies),
Korea University
3. 3 / 40
Introduction
§ IoT market
§ In 2018, the global IoT market reached about 164 billion U.S. dollars.
§ In 2025, IoT market will reach over 1.5 trillion U.S. dollars.
Source: Size of the Internet of Things (IoT) market worldwide from 2017 to 2025 (in billion U.S. dollars),
https://www.statista.com/statistics/976313/global-iot-market-size/
4. 4 / 40
Introduction
§ Reference model of Internet of Things
§ ITU-T Y. 4000
Source: Fernmeldeunion, Internationale. "ITU-T Y. 4000/Y. 2060 (06/2012)."
5. 5 / 40
Introduction
§ Three high-level considerations for Internet of Things
1. Device Interactions with the Physical World.
Many IoT devices interact with the physical world in ways conventional IT devices
usually do not.
2. Device Access, Management, and Monitoring Features.
Many IoT devices cannot be accessed, managed, or monitored in the same ways
conventional IT devices can.
3. Cybersecurity and Privacy Capability Availability, Efficiency, and
Effectiveness.
The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities
are often different for IoT devices than conventional IT devices.
Source: NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
6. 6 / 40
Introduction
§ IoT hacking and botnet
§ security cameras represent 47 percent of vulnerable devices installed on home
networks
§ IoT botnet in large-scale network attacks
§ Mirai(2016), Satori(2017)
Okiru, Masuta, PureMasuta, OMG, Wicked, Sora, Owari, Omni, Miori(2018)
Hakai, Yowai, SpeakUp (2019)
Source: ZDNET, https://www.zdnet.com/article/cybersecurity-these-are-the-
internet-of-things-devices-that-are-most-targeted-by-hackers/
7. 7 / 40
Introduction
§ High-level risk mitigation
Three high-level risk mitigation goals:
1. Protect device security
2. Protect data security
3. Protect individuals’ privacy
Source: NIST IR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
8. 8 / 40
⓪ Firmware acquisition and analysis
① Firmware provisioning
② Serial communication
③ Desoldering
④ Side channel attack
⑤ Remote Code Execution
⑥ Packet Relay
⑦ Developer mode or Backdoor
Real attack against IoT devices
9. 9 / 40
Real attack against IoT devices
⑤ Remote Code Execution
⑦ Developer mode or Backdoor
① Firmware provisioning
② Serial communication
⑥ Packet Relay
③ Desoldering
④ Side channel attack
10. 10 / 40
⓪ Find a firmware
§ Provides firmware publicly
§ depends on vendors
Real attack against IoT devices
11. 11 / 40
① Firmware provisioning
Real attack against IoT devices
Update Server
IoT Hub
Getting firmware link when firmware updating
SSL Strip
12. 12 / 40
② Serial communication
§ Used for debugging embedded systems
Real attack against IoT devices
Trying to JTAG
connection
UART
Connection
Find UART pin
13. 13 / 40
③ Desoldering
§ Removal of solder and components from a PCB using Heat gun
§ Very hazardous, it needs very skillful technique
Real attack against IoT devices
Heat gun
14. 14 / 40
③ Desoldering
Real attack against IoT devices
Mount the extracted eMMC Work normally
15. 15 / 40
④ Side channel attack
Real attack against IoT devices
U-Boot
CFE
Other
Redboot
RouterBOOT
BOOTLOADER
Most IoT devices use U-Boot
Source: https://wikidevi.com/wiki/Property:Stock_bootloader/full
16. 16 / 40
④ Side channel attack
Real attack against IoT devices
Memory
Loading stored
kernel images
Kernel Memory Load,
file system mount
Embedded Boot Process
Boot loader
Flash memory
Initialize
peripheral device
U-Boot boot loader
Initialization task
main_loop()
cli_loop
main_loop()
OS Boot
If fail
run_preboot
bootdelay
cli_loop
autoboot_
command
Return to
Custom Shell
17. 17 / 40
④ Side channel attack
Real attack against IoT devices
Memory map is overwritten
when autoboot_command is executed
U-Boot Start OS Boot
Main_loop DOES NOT HANDLE the return
value
18. 18 / 40
④ Side channel attack
Real attack against IoT devices
Make an error through glitching Got the shell, CVE-2018-19916
19. 19 / 40
⑤ Remote Code Execution
§ Remote Code Execution at Cookie parameter
Real attack against IoT devices
Service
Analysis
Process Caught !
Found to Login pages
SessionSecurityHandler Function
GetCookieValue Function
20. 20 / 40
⑤ Remote Code Execution
§ Remote Code Execution at Cookie parameter
Real attack against IoT devices
Used the proxy tool to poison cookie values Crashed by memory overflow
21. 21 / 40
⑤ Remote Code Execution
§ Remote Code Execution at Cookie parameter
Real attack against IoT devices
Got reverse shell
Exploit !
Wrote exploit code
22. 22 / 40
⑥ Packet Relay
§ Malformed packet relay attack
Real attack against IoT devices
output log generated during communication Data packet Structure
23. 23 / 40
⑥ Packet Relay
§ Malformed packet relay attack
Real attack against IoT devices
Found command value of Packet Structure in ida
Supported binary commands
25. 25 / 40
⑦ Developer mode or backdoor
Real attack against IoT devices
Checked 8443 service
Accessed denied Accessed to login interface successfully
Web service code analysised
Service
Analysis
26. 26 / 40
⑦ Developer mode or backdoor
Real attack against IoT devices
Analyzed source code to got account
Restricted the number of login attempts
98:93:CC:A2:XX:XX @ AH66AJ01000000XXX Found service to changed MAC address and Serial key
Port information about special service
Serial : AH66AJ01000000XXXMAC : 98:93:CC:A2:XX:XX
27. 27 / 40
⑦ Developer mode or backdoor
Real attack against IoT devices
Access
Connected to service
Changed the password through MESD daemon
Ethernet Mac Ethernet Mac WiFi Mac Check
28. 28 / 40
⑦ Developer mode or backdoor
Real attack against IoT devices
Function
analysis
Accessed to admin page successfully Found plug-in management service
29. 29 / 40
⑦ Developer mode or backdoor
Real attack against IoT devices
Uploaded a reverse shell
Got the shell !
Exploit
30. 30 / 40
New Direction of IoT Security Evaluation
§ Efforts on the security requirements
§ Secure Boot from Microsoft*
Secure boot is a security standard developed by members of the PC industry to help make
sure that a device boots using only software that is trusted by the Original Equipment
Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of
boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications,
and the operating system. If the signatures are valid, the PC boots, and the firmware gives
control to the operating system.
§ Root of Trust from Trusted Computing Group (TCG)**
A component that performs one or more security-specific functions, such as measurement,
storage, reporting, verification, and/or update. It is trusted always to behave in the expected
manner, because its misbehavior cannot be detected under normal operation.
§ Root of Trust from Global Platform***
A computing engine, code, and possibly data, all co-located on the same platform; provides
security services. No ancestor entity is able to provide a trustable attestation (in Digest or
other form) for the initial code and data state of the Root of Trust.
* https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
** https://trustedcomputinggroup.org/wp-content/uploads/17.pdf
*** https://globalplatform.org/wp-content/uploads/2018/07/GP_RoT_Definitions_and_Requirements_v1.1_PublicRelease-2018-06-28.pdf
31. 31 / 40
New Direction of IoT Security Evaluation
§ NIST Special Publication 800-193
§ Platform Firmware Resiliency Guidelines
§ Provides technical guidance for resiliency of
platforms to protect against destructive
attacks
§ Promotes resiliency in the platform by
describing security mechanisms for:
§ Protecting the platform against
unauthorized changes
§ Detecting unauthorized changes that
occur
§ Recovery from attacks
32. 32 / 40
New Direction of IoT Security Evaluation
§ NIST Special Publication 800-193
§ Key concept
§ Roots of Trust (Section 4.1)
§ Protection (Section 4.2)
§ Detection (Section 4.3)
§ Recovery (Section 4.4)
Source: NIST Special Publication 800-193, Platform Firmware Resiliency Guidelines, https://doi.org/10.6028/NIST.SP.800-193
33. 33 / 40
New Direction of IoT Security Evaluation
§ ISO/IEC 15408 CD3 (FPT_INI.1 TSF Initialization)
§ This component requires the TOE to provide a TSF initialization function that brings the
TSF into a secure operational state at power-on.
§ FPT_INI.1.1 The TOE shall provide an initialization function which is self-protected for
integrity and authenticity.
§ FPT_INI.1.2 The TOE initialization function shall ensure that certain properties hold on
certain elements immediately before establishing the TSF in a secure initial state, as
specified below:
§ Properties à [assignment: property, for instance authenticity, integrity, correct version]
§ Elements à [assignment: list of TSF/user firmware, software or data]
§ FPT_INI.1.3 The TOE initialization function shall detect and respond to errors and failures
during initialization such that the TOE [selection: is halted, successfully completes
initialization with [selection: reduced functionality, signaling error state, [assignment: list of
actions]].
§ FPT_INI.1.4 The TOE initialization function shall only interact with the TSF in
[assignment: defined methods] during initialization.
Source: ISO/IEC JTC 1 SC 27 WG 3 15408-2 Committee Draft 3. July 2019
34. 34 / 40
New Direction of IoT Security Evaluation
§ Other approaches and guidance
§ UK Government, DCMS (Digital, Culture, Media and Sport)
§ Code of Practice for Consumer IoT Security
§ Hardcopy Devices TC
§ HCD cPP
§ Network Device iTC
§ NDcPP
§ DSC iTC
§ DSC cPP
Source https://medium.com/rtone-iot-security/the-uk-code-of-practice-for-consumer-iot-security-783e3473f726
35. 35 / 40
New Direction of IoT Security Evaluation
* collaborative Protection Profile for Dedicated Security Component, Version 1.0d, Sept. 9, 2019
** ISO/IEC JTC 1 SC 27 WG 3 15408-2 Committee Draft 3. July 2019
Vulnerability Threat/Assumption* Security Requirement of New Direction*
① Firmware provisioning T.SDE_TRANSIT_COMPROMISE FTP_ITE_EXT.1 Encrypted Data Communications
② Serial communication T.HW_ATTACK
T.UNAUTHORIZED_ACCESS
FPT_PHP.3 Resistance to Physical Attack
FPT_MOD_EXT.1 Debug Modes
③ Desoldering T.HW_ATTACK
T.UNAUTHORIZED_ACCESS
FPT_PHP.3 Resistance to Physical Attack
④ Side channel attack T.HW_ATTACK
T.UNAUTHORIZED_ACCESS
T.SDE_TRANSIT_COMPROMISE
T.WEAK_OWNERSHIP_BINDING
T.WEAK_ELEMENT_BINDING
A.ROT_INTEGRITY
FPT_PHP.3 Resistance to Physical Attack
FPT_PRO_EXT.1 Root of Trust
FPT_ROT_EXT.1 Root of Trust Services
FPT_TST.1 Integrity Checking
FDP_MFW_EXT.1 Mutable/Immutable Firmware
FDP_DAU.1 Prove Data Authentication for Use with The Prove Service
FDP_MFW_EXT.2 Basic Firmware Integrity
FDP_MFW_EXT.3 Firmware Authentication with Identity of Guarantor
FPT_INI.1 TSF Initialization
⑤ Remote Code Execution T.UNAUTHORIZED_ACCESS ATE_IND.1 Independent Testing
AVA_VAN.1 Vulnerability Survey
⑥ Packet Relay T.UNAUTHORIZED_ACCESS
T.SDE_TRANSIT_COMPROMISE
T.WEAK_OWNERSHIP_BINDING
T.WEAK_ELEMENT_BINDING
FPT_RPL_EXT.1 Replay Prevention
⑦ Developer mode or
Backdoor
T.UNAUTHORIZED_ACCESS
T.HW_ATTACK
FPT_MOD_EXT.1 Debug Modes
36. 36 / 40
Conclusion
§ Lack of Security Requirement and Testing in IoT products.
§ We demonstrated real attacks against IoT devices that do not
provide enough capabilities such as Secure Boot and Root of
Trust.
§ iTC, TC, and WG who want to create new protection profile need
to consider this in their evaluation and testing.
§ Also, IoT manufacturers …
37. 37 / 40
Thank you
This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded
by the Korea government(MSIT) (No.2018-0-00532,Development of High-Assurance(≥EAL6) Secure Microkernel)
Special thanks to Jisub Kim, Hongryeol Lim and Pwnhub team.