Adam Englander, profile picture
Uploaded byAdam Englander
PPTX, PDF461 views

IoT Lockdown

The document outlines various security layers and best practices in IoT and software development, emphasizing that security must be multi-layered to reduce vulnerabilities. It discusses strategies for protecting data in transit and at rest, account hijacking prevention, and measures to avoid remote code execution. Detailed technical recommendations are provided, including encryption techniques, secure session management, and awareness of potential attacks.

Embed presentation

Download to read offline
IoT Lockdown Adam Englander, LaunchKey
Who Am I? • Director of Engineering for LaunchKey • Developer Community Activist • IoT Enthusiast • National Junior Basketball Coach
What Do I Do? • Security Consulting • SDK Development • API Development • Protocol Server Development • IoT Research
Know This • You will be attacked • You will be exposed to a Zero Day vulnerability Paris Tuileries Garden Facepalm statue by Alex E. Proimos - http://www.flickr.com/photos/proimos/4199675334/. Licensed under CC BY 2.0 via Commons.
Security is like an Ogre… …it has layers ©The Frollo Show – licensed under Creative Commons
Layered Security • Prevents single point of vulnerability • Increases the cost of penetration by an attacker “Swiss cheese model of accident causation” by Davidmack – Own work - Licensed under CC BY-SA 3.0 via Commons
Security Layers Operating System File System Services Application Network
Operating System File System Services Application Network Operating System Layer
Operating System Security • Randomize user passwords • Disable unused ports • Encrypt the file system “JolietPrisonGate” by Jacobsteinafm – Own work – Licensed under Public Domain via Commons
Operating System File System Services Application Network File System Layer
File System Security • Named application user • Remove “everyone” access where possible • Restrict app user to files necessary to run • Avoid write access – use pipes © Chris Smart license under Creative Commons BY-NC-ND
Operating System File System Services Application Network Services Layer
Isolation • Use web services for communication • Remove all non-essential services (SSH, FTP, etc) • Use authentication on remaining services • Be as secure as possible with service data “Joshuatree" by Joho345 - @U2 (www.atu2.com) - Joho345. Licensed under CC BY 2.5 via Wikimedia Commons.
Operating System File System Services Application Network Network Layer
Network Security • Devise a system with only outbound IP traffic • Restrict inbound and outbound IP traffic • Only allow paired Bluetooth devices to connect • Pair Bluetooth devices with challenge-response "FEMA - 40322 - Road Closed sign" by Patsy Lynch - This image is from the FEMA Photo Library.. Licensed under Public Domain via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:FEMA_-_40322_- _Road_Closed_sign.jpg#/media/File:FEMA_-_40322_-_Road_Closed_sign.jpg
Operating System File System Services Application Network Application Layer
Sensitive Data Exposure Escalation of Privilege Account Hijacking Denial of Service Remote Code Execution What You Are Preventing
Sensitive Data Exposure • Protect data in transit by: • utilizing TLS • not following redirects • pinning SSL certificates • using DNSSEC to verify DNS • encrypting data • Protect data at rest with encryption "Marilyn Monroe photo pose Seven Year Itch" by Published by Corpus Christi Caller-Times photo from Associated Press - Corpus Christi Caller-Times page 20 via Newspapers.com. Licensed under Public Domain via Commons - https://commons.wikimedia.org/wiki/File:Marilyn_Monroe_photo _pose_Seven_Year_Itch.jpg
SSL Pinning • Certificate verification via fingerprint res.socket.getPeerCertificate().fingerprint • Have backup fingerprints to quickly rotate when primary is compromised. • Additional certificates must use different private keys to have a different signature.
Encrypting Data • Data at rest can use symmetric encryption as secret is not shared but local. • Data in transit should use asymmetric encryption. It’s more complex and slower but does not require transmitting your secret. • Both are available natively via the “crypto” package. "Lorenz-SZ42-2". Licensed under Public Domain via Commons - https://commons.wikimedia.org/wiki/File:Lorenz-SZ42- 2.jpg#/media/File:Lorenz-SZ42-2.jpg
Symmetric Encryption • Uses shared “secret” key. • Uses initialization vector (IV). • Use crypto.randomBytes() for cryptographically random IV. • Always use some sort of block chaining or cipher feedback to ensure pseudo-randomness. • aes-256-cbc is a good standard "Tux ecb" by en:User:Lunkwill - http://en.wikipedia.org/wiki/Image:Tux_ecb.jpg. Licensed under Attribution via Commons - https://commons.wikimedia.org/wiki/File:Tux_ecb.jpg#/media/File:Tux_e cb.jpg
Asymmetric Encryption • Uses public/private key pairs. • Private and public key can encrypt and verify signature. • Only private key can decrypt and create a signature. • Private key should be password protected. • Key size at least 2048 bytes but 4096 bytes is preferred.
Account Hijacking • Never use plain text credentials • Use strong hashing: • PBKDF2 is in crypto package • 32+ character random SALT • 10,000+ iterations • sha256 digest • If you use email for username, hash the value for storage • Alert for changes to accounts "Hi-jacking Hot Spot!" by Herby Hönigsperger - https://www.flickr.com/photos/hmvh/58185411. Licensed under Attribution via Commons - https://creativecommons.org/licenses/by-nc-sa/2.0/
Encryption vs. Hashing • Hashing is one way • Encryption is reversible • Hashing is more secure than encryption • If you do not need to decrypt sensitive data, consider hashing it "Hi-jacking Hot Spot!" by Herby Hönigsperger - https://www.flickr.com/photos/hmvh/58185411. Licensed under Attribution via Commons - https://creativecommons.org/licenses/by-nc-sa/2.0/
Escalation of Privilege • Always use TLS • Set "secure" and "HttpOnly" flags for session cookies • Use a CSRF token (nonce) • Strict-Transport-Security • Expire your requests • Sign API requests including credential data and location "Holborn Tube Station Escalator" by renaissancechambara - http://www.flickr.com/photos/renaissancechambara/2267250649/. Licensed under CC BY 2.0 via Commons - https://commons.wikimedia.org/wiki/File:Holborn_Tube_Station_Escalator .jpg#/media/File:Holborn_Tube_Station_Escalator.jpg
Nonces • Used only once • Must be cryptographically random • Provided by crypto package with randomBytes() • Should expire "Cutting head of a paper shredder" by wdwd - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Cutting_head_of_a_paper_shredder.jpg#/media/File:Cu tting_head_of_a_paper_shredder.jpg
Digital Signatures • Verifiable hash of supplied data • HMAC or RSA is provided by crypto • RSA is preferred • JOSE is IETF standard "Wacom STU-300 LCD Signature Tablet - Mar 2013 04" by WestportWiki - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Wacom_STU-300_LCD_Signature_Tablet_- _Mar_2013_04.jpg#/media/File:Wacom_STU-300_LCD_Signature_Tablet_-_Mar_2013_04.jpg
Denial of Service • Detection • Honey Pot • Request frequency • Request signatures • Mitigation • Black list IPs • Black hole (no response) • Detect early in process "Motorcycles in Taipei" by Koika - Own work. Licensed under CC BY- SA 1.0 via Commons - https://commons.wikimedia.org/wiki/File:Motorcycles_in_Taipei.JP G#/media/File:Motorcycles_in_Taipei.JPG
Remote Code Execution • Content Security Policy • Restrict to local source • No inline CSS/JS • No eval(), ever! • Prepared statements in SQL • Code Object with Scope in MongoDB
Further Reading • https://en.wikipedia.org/wiki/Layered_security • https://en.wikipedia.org/wiki/Defense_in_depth_(comput ing) • https://www.owasp.org/index.php/OWASP_Internet_of_ Things_Project • https://en.wikipedia.org/wiki/JSON_Web_Token

More Related Content

PPTX
Pentest Apocalypse
byBeau Bullock
 
PDF
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
byBeau Bullock
 
PPTX
Red Team Apocalypse
byBeau Bullock
 
PDF
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
byFelipe Prado
 
PDF
Top 10 Threats to Cloud Security
bySBWebinars
 
PPTX
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
byAndrew Morris
 
PPT
Secure Communication with an Insecure Internet Infrastructure
bywebhostingguy
 
PDF
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
byClare Nelson, CISSP, CIPP-E
 
Pentest Apocalypse
byBeau Bullock
 
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
byBeau Bullock
 
Red Team Apocalypse
byBeau Bullock
 
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
byFelipe Prado
 
Top 10 Threats to Cloud Security
bySBWebinars
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
byAndrew Morris
 
Secure Communication with an Insecure Internet Infrastructure
bywebhostingguy
 
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
byClare Nelson, CISSP, CIPP-E
 

What's hot

PDF
Abusing & Securing XPC in macOS apps
bySecuRing
 
PPTX
How to Build Your Own Physical Pentesting Go-bag
byBeau Bullock
 
PPTX
Security Compensation - How to Invest in Start-Up Security
byChristopher Grayson
 
PPTX
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
byCODE BLUE
 
PDF
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
byAndrew Morris
 
PDF
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
byBeau Bullock
 
PPTX
A Google Event You Won't Forget
byBeau Bullock
 
PDF
Fade from Whitehat... to Black
byBeau Bullock
 
PDF
Heartbleed && Wireless
byLuis Grangeia
 
PPTX
Offensive Python for Pentesting
byMike Felch
 
PPTX
Red teaming in the cloud
byPeter Wood
 
PPTX
Pentest Apocalypse - SANSFIRE 2016 Edition
byBeau Bullock
 
PPTX
BlueHat v17 || Down the Open Source Software Rabbit Hole
byBlueHat Security Conference
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
PDF
Lares from LOW to PWNED
byChris Gates
 
PDF
Let's get evil - threat modeling at scale
bySecuRing
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PPTX
GreyNoise - Lowering Signal To Noise
byAndrew Morris
 
KEY
Introduction to web security @ confess 2012
byjakobkorherr
 
PDF
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
byMadhu Akula
 
Abusing & Securing XPC in macOS apps
bySecuRing
 
How to Build Your Own Physical Pentesting Go-bag
byBeau Bullock
 
Security Compensation - How to Invest in Start-Up Security
byChristopher Grayson
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
byCODE BLUE
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
byAndrew Morris
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
byBeau Bullock
 
A Google Event You Won't Forget
byBeau Bullock
 
Fade from Whitehat... to Black
byBeau Bullock
 
Heartbleed && Wireless
byLuis Grangeia
 
Offensive Python for Pentesting
byMike Felch
 
Red teaming in the cloud
byPeter Wood
 
Pentest Apocalypse - SANSFIRE 2016 Edition
byBeau Bullock
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
byBlueHat Security Conference
 
Web Security - Introduction v.1.3
byOles Seheda
 
Lares from LOW to PWNED
byChris Gates
 
Let's get evil - threat modeling at scale
bySecuRing
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
GreyNoise - Lowering Signal To Noise
byAndrew Morris
 
Introduction to web security @ confess 2012
byjakobkorherr
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
byMadhu Akula
 

Viewers also liked

PDF
Node.js interactive NA 2016: Tales From the Crypt
byAdam Englander
 
PDF
php[world] 2016 - Tales From the Crypto: A Cryptography Primer
byAdam Englander
 
PPTX
Python Bluetooth
byAdam Englander
 
PDF
Py Vegas - Tales from the crypt
byAdam Englander
 
PDF
Zend con 2016 - Asynchronous Prorgamming in PHP
byAdam Englander
 
PPTX
Travis CI - PHP
byAdam Englander
 
PDF
Asynchronous PHP and Real-time Messaging
bySteve Rhoades
 
PDF
php[world] 2016 - You Don’t Need Node.js - Async Programming in PHP
byAdam Englander
 
PDF
Phone calls and sms from php
byDavid Stockton
 
PDF
IoT Lock Down - Battling the Bot Net Builders
byAdam Englander
 
PDF
SunshinePHP 2017: Tales From The Crypt - A Cryptography Primer
byAdam Englander
 
PDF
PHP UK 2017 - Don't Lose Sleep - Secure Your REST
byAdam Englander
 
ODP
The promise of asynchronous PHP
byWim Godden
 
PDF
Biometrics - Fantastic Failure Point of the Future
byAdam Englander
 
Node.js interactive NA 2016: Tales From the Crypt
byAdam Englander
 
php[world] 2016 - Tales From the Crypto: A Cryptography Primer
byAdam Englander
 
Python Bluetooth
byAdam Englander
 
Py Vegas - Tales from the crypt
byAdam Englander
 
Zend con 2016 - Asynchronous Prorgamming in PHP
byAdam Englander
 
Travis CI - PHP
byAdam Englander
 
Asynchronous PHP and Real-time Messaging
bySteve Rhoades
 
php[world] 2016 - You Don’t Need Node.js - Async Programming in PHP
byAdam Englander
 
Phone calls and sms from php
byDavid Stockton
 
IoT Lock Down - Battling the Bot Net Builders
byAdam Englander
 
SunshinePHP 2017: Tales From The Crypt - A Cryptography Primer
byAdam Englander
 
PHP UK 2017 - Don't Lose Sleep - Secure Your REST
byAdam Englander
 
The promise of asynchronous PHP
byWim Godden
 
Biometrics - Fantastic Failure Point of the Future
byAdam Englander
 

Similar to IoT Lockdown

PDF
Computer Security
byFrederik Questier
 
PDF
Eat Your Vegetables - Data Security for Data Scientists
byWilliam Voorhees
 
PPTX
How to write secure code
byFlaskdata.io
 
PDF
Computer & Data Security
byFrederik Questier
 
PDF
Understanding how to prevent Sensitive Data Exposure
byowaspsuffolk
 
PPTX
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
byHackIT Ukraine
 
DOCX
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
byChereCheek752
 
PDF
(eBook PDF) Corporate Computer Security 4th Edition by Randall J. Boyle
byoscgbksaxg403
 
PDF
Invited Talk - Cyber Security and Open Source
byhack33
 
PDF
CompTIA-Security-Study-Guide-with-over-500-Practice-Test-Questions-Exam-SY0-7...
byemestica1
 
PDF
Security at Scale - Lessons from Six Months at Yahoo
byAlex Stamos
 
PDF
Data Security And The Security
byRachel Phillips
 
PPT
Computersystemssecurity 090529105555-phpapp01
byMiigaa Mine
 
PPT
Computer Systems Security
bydrkelleher
 
PDF
Insecurity-In-Security version.1 (2010)
byAbhishek Kumar
 
PPTX
NIT Silchar Cyber Security FDP.pptxcyber security
byDrrashmi26
 
PDF
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
byadamdeja
 
PPTX
Technology, Process, and Strategy
byereddick
 
PPTX
Private Data and Prying Eyes
byEllie Sherven
 
PDF
Watch How The Giants Fall: Learning from Bug Bounty Results
byjtmelton
 
Computer Security
byFrederik Questier
 
Eat Your Vegetables - Data Security for Data Scientists
byWilliam Voorhees
 
How to write secure code
byFlaskdata.io
 
Computer & Data Security
byFrederik Questier
 
Understanding how to prevent Sensitive Data Exposure
byowaspsuffolk
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
byHackIT Ukraine
 
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
byChereCheek752
 
(eBook PDF) Corporate Computer Security 4th Edition by Randall J. Boyle
byoscgbksaxg403
 
Invited Talk - Cyber Security and Open Source
byhack33
 
CompTIA-Security-Study-Guide-with-over-500-Practice-Test-Questions-Exam-SY0-7...
byemestica1
 
Security at Scale - Lessons from Six Months at Yahoo
byAlex Stamos
 
Data Security And The Security
byRachel Phillips
 
Computersystemssecurity 090529105555-phpapp01
byMiigaa Mine
 
Computer Systems Security
bydrkelleher
 
Insecurity-In-Security version.1 (2010)
byAbhishek Kumar
 
NIT Silchar Cyber Security FDP.pptxcyber security
byDrrashmi26
 
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
byadamdeja
 
Technology, Process, and Strategy
byereddick
 
Private Data and Prying Eyes
byEllie Sherven
 
Watch How The Giants Fall: Learning from Bug Bounty Results
byjtmelton
 

More from Adam Englander

PPTX
Making PHP Smarter - Dutch PHP 2023.pptx
byAdam Englander
 
PDF
Practical API Security - PyCon 2019
byAdam Englander
 
PDF
Threat Modeling for Dummies
byAdam Englander
 
PDF
ZendCon 2018 - Practical API Security
byAdam Englander
 
PDF
ZendCon 2018 - Cryptography in Depth
byAdam Englander
 
PDF
Threat Modeling for Dummies - Cascadia PHP 2018
byAdam Englander
 
PDF
Dutch PHP 2018 - Cryptography for Beginners
byAdam Englander
 
PDF
php[tek] 2108 - Cryptography Advances in PHP 7.2
byAdam Englander
 
PDF
php[tek] 2018 - Biometrics, fantastic failure point of the future
byAdam Englander
 
PDF
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
byAdam Englander
 
PPTX
Practical API Security - PyCon 2018
byAdam Englander
 
PDF
Practical API Security - Midwest PHP 2018
byAdam Englander
 
PDF
Cryptography for Beginners - Midwest PHP 2018
byAdam Englander
 
PDF
Cryptography for Beginners - Sunshine PHP 2018
byAdam Englander
 
PDF
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
byAdam Englander
 
PDF
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
byAdam Englander
 
PDF
ZendCon 2017 - Cryptography for Beginners
byAdam Englander
 
PDF
ZendCon 2017: The Red Team is Coming
byAdam Englander
 
PDF
ZendCon 2017 - Build a Bot Workshop - Async Primer
byAdam Englander
 
PDF
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
byAdam Englander
 
Making PHP Smarter - Dutch PHP 2023.pptx
byAdam Englander
 
Practical API Security - PyCon 2019
byAdam Englander
 
Threat Modeling for Dummies
byAdam Englander
 
ZendCon 2018 - Practical API Security
byAdam Englander
 
ZendCon 2018 - Cryptography in Depth
byAdam Englander
 
Threat Modeling for Dummies - Cascadia PHP 2018
byAdam Englander
 
Dutch PHP 2018 - Cryptography for Beginners
byAdam Englander
 
php[tek] 2108 - Cryptography Advances in PHP 7.2
byAdam Englander
 
php[tek] 2018 - Biometrics, fantastic failure point of the future
byAdam Englander
 
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
byAdam Englander
 
Practical API Security - PyCon 2018
byAdam Englander
 
Practical API Security - Midwest PHP 2018
byAdam Englander
 
Cryptography for Beginners - Midwest PHP 2018
byAdam Englander
 
Cryptography for Beginners - Sunshine PHP 2018
byAdam Englander
 
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
byAdam Englander
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
byAdam Englander
 
ZendCon 2017 - Cryptography for Beginners
byAdam Englander
 
ZendCon 2017: The Red Team is Coming
byAdam Englander
 
ZendCon 2017 - Build a Bot Workshop - Async Primer
byAdam Englander
 
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
byAdam Englander
 

Recently uploaded

PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
apidays New York 2025 | AI in Application Security
byapidays
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Workflow and decision Automation with Flowable
bychakib ch
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 

IoT Lockdown

  • 2.
  • 3.
    Who Am I? •Director of Engineering for LaunchKey • Developer Community Activist • IoT Enthusiast • National Junior Basketball Coach
  • 4.
    What Do IDo? • Security Consulting • SDK Development • API Development • Protocol Server Development • IoT Research
  • 5.
    Know This • Youwill be attacked • You will be exposed to a Zero Day vulnerability Paris Tuileries Garden Facepalm statue by Alex E. Proimos - http://www.flickr.com/photos/proimos/4199675334/. Licensed under CC BY 2.0 via Commons.
  • 6.
    Security is likean Ogre… …it has layers ©The Frollo Show – licensed under Creative Commons
  • 7.
    Layered Security • Preventssingle point of vulnerability • Increases the cost of penetration by an attacker “Swiss cheese model of accident causation” by Davidmack – Own work - Licensed under CC BY-SA 3.0 via Commons
  • 8.
  • 9.
  • 10.
    Operating System Security • Randomizeuser passwords • Disable unused ports • Encrypt the file system “JolietPrisonGate” by Jacobsteinafm – Own work – Licensed under Public Domain via Commons
  • 11.
  • 12.
    File System Security •Named application user • Remove “everyone” access where possible • Restrict app user to files necessary to run • Avoid write access – use pipes © Chris Smart license under Creative Commons BY-NC-ND
  • 13.
  • 14.
    Isolation • Use webservices for communication • Remove all non-essential services (SSH, FTP, etc) • Use authentication on remaining services • Be as secure as possible with service data “Joshuatree" by Joho345 - @U2 (www.atu2.com) - Joho345. Licensed under CC BY 2.5 via Wikimedia Commons.
  • 15.
  • 16.
    Network Security • Devisea system with only outbound IP traffic • Restrict inbound and outbound IP traffic • Only allow paired Bluetooth devices to connect • Pair Bluetooth devices with challenge-response "FEMA - 40322 - Road Closed sign" by Patsy Lynch - This image is from the FEMA Photo Library.. Licensed under Public Domain via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:FEMA_-_40322_- _Road_Closed_sign.jpg#/media/File:FEMA_-_40322_-_Road_Closed_sign.jpg
  • 17.
  • 18.
  • 19.
    Sensitive Data Exposure •Protect data in transit by: • utilizing TLS • not following redirects • pinning SSL certificates • using DNSSEC to verify DNS • encrypting data • Protect data at rest with encryption "Marilyn Monroe photo pose Seven Year Itch" by Published by Corpus Christi Caller-Times photo from Associated Press - Corpus Christi Caller-Times page 20 via Newspapers.com. Licensed under Public Domain via Commons - https://commons.wikimedia.org/wiki/File:Marilyn_Monroe_photo _pose_Seven_Year_Itch.jpg
  • 20.
    SSL Pinning • Certificateverification via fingerprint res.socket.getPeerCertificate().fingerprint • Have backup fingerprints to quickly rotate when primary is compromised. • Additional certificates must use different private keys to have a different signature.
  • 21.
    Encrypting Data • Dataat rest can use symmetric encryption as secret is not shared but local. • Data in transit should use asymmetric encryption. It’s more complex and slower but does not require transmitting your secret. • Both are available natively via the “crypto” package. "Lorenz-SZ42-2". Licensed under Public Domain via Commons - https://commons.wikimedia.org/wiki/File:Lorenz-SZ42- 2.jpg#/media/File:Lorenz-SZ42-2.jpg
  • 22.
    Symmetric Encryption • Usesshared “secret” key. • Uses initialization vector (IV). • Use crypto.randomBytes() for cryptographically random IV. • Always use some sort of block chaining or cipher feedback to ensure pseudo-randomness. • aes-256-cbc is a good standard "Tux ecb" by en:User:Lunkwill - http://en.wikipedia.org/wiki/Image:Tux_ecb.jpg. Licensed under Attribution via Commons - https://commons.wikimedia.org/wiki/File:Tux_ecb.jpg#/media/File:Tux_e cb.jpg
  • 23.
    Asymmetric Encryption • Usespublic/private key pairs. • Private and public key can encrypt and verify signature. • Only private key can decrypt and create a signature. • Private key should be password protected. • Key size at least 2048 bytes but 4096 bytes is preferred.
  • 24.
    Account Hijacking • Neveruse plain text credentials • Use strong hashing: • PBKDF2 is in crypto package • 32+ character random SALT • 10,000+ iterations • sha256 digest • If you use email for username, hash the value for storage • Alert for changes to accounts "Hi-jacking Hot Spot!" by Herby Hönigsperger - https://www.flickr.com/photos/hmvh/58185411. Licensed under Attribution via Commons - https://creativecommons.org/licenses/by-nc-sa/2.0/
  • 25.
    Encryption vs. Hashing •Hashing is one way • Encryption is reversible • Hashing is more secure than encryption • If you do not need to decrypt sensitive data, consider hashing it "Hi-jacking Hot Spot!" by Herby Hönigsperger - https://www.flickr.com/photos/hmvh/58185411. Licensed under Attribution via Commons - https://creativecommons.org/licenses/by-nc-sa/2.0/
  • 26.
    Escalation of Privilege •Always use TLS • Set "secure" and "HttpOnly" flags for session cookies • Use a CSRF token (nonce) • Strict-Transport-Security • Expire your requests • Sign API requests including credential data and location "Holborn Tube Station Escalator" by renaissancechambara - http://www.flickr.com/photos/renaissancechambara/2267250649/. Licensed under CC BY 2.0 via Commons - https://commons.wikimedia.org/wiki/File:Holborn_Tube_Station_Escalator .jpg#/media/File:Holborn_Tube_Station_Escalator.jpg
  • 27.
    Nonces • Used onlyonce • Must be cryptographically random • Provided by crypto package with randomBytes() • Should expire "Cutting head of a paper shredder" by wdwd - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Cutting_head_of_a_paper_shredder.jpg#/media/File:Cu tting_head_of_a_paper_shredder.jpg
  • 28.
    Digital Signatures • Verifiablehash of supplied data • HMAC or RSA is provided by crypto • RSA is preferred • JOSE is IETF standard "Wacom STU-300 LCD Signature Tablet - Mar 2013 04" by WestportWiki - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Wacom_STU-300_LCD_Signature_Tablet_- _Mar_2013_04.jpg#/media/File:Wacom_STU-300_LCD_Signature_Tablet_-_Mar_2013_04.jpg
  • 29.
    Denial of Service •Detection • Honey Pot • Request frequency • Request signatures • Mitigation • Black list IPs • Black hole (no response) • Detect early in process "Motorcycles in Taipei" by Koika - Own work. Licensed under CC BY- SA 1.0 via Commons - https://commons.wikimedia.org/wiki/File:Motorcycles_in_Taipei.JP G#/media/File:Motorcycles_in_Taipei.JPG
  • 30.
    Remote Code Execution •Content Security Policy • Restrict to local source • No inline CSS/JS • No eval(), ever! • Prepared statements in SQL • Code Object with Scope in MongoDB
  • 31.
    Further Reading • https://en.wikipedia.org/wiki/Layered_security •https://en.wikipedia.org/wiki/Defense_in_depth_(comput ing) • https://www.owasp.org/index.php/OWASP_Internet_of_ Things_Project • https://en.wikipedia.org/wiki/JSON_Web_Token

Editor's Notes

  • #6 If you are fortunate enough to be successful, with your device and people use it, you will be attacked. It’s not if. It’s when. A zero day vulnerability is a security vulnerability that is not disclosed before it is exploited. Ethical or “white hat” hackers will give the software or hardware vendor a reasonable window with which to resolve a vulnerability before it is exposed to the public. Unethical or “black hat” hackers will either sell or utilize the vulnerability without any warning to the vendor. The only way to be sure that you are breached is to believe that you cannot be
  • #9 In order for layered security to succeed, you must create each layer assuming that the others have failed. Assume that each measure you put in place is the only remaining measure you have to reduce harm from a breach. You may use three different layers of encryption for the same data. This may seem like overkill but its how you keep your data safe.
  • #13 Have a user name unique to your application to be able to fine tune file access Even with a named user, if your files are “everyone”
  • #17 Restrict network access as much as possible The safest system accepts no inbound connections from the IP network. Look into other ways to configure network configuration and have you device connect to a service you devise on the Internet utilizing Web Sockets for communicating with the user. Restrict inbound IP traffic to not allow access to any services utilized by your application. Restrict outbound IP traffic to prevent your device from becoming a relay or slave node for an attack Paired Bluetooth devices have performed a key exchange to verify their identity. They also use those keys to encrypt communication data Use visual or audio announcing of the challenge. Pairing with a challenge-response reduces the risk of an attacker being able hijack your device during the pairing process
  • #20 TLS is the ground level basis for secure communication over the Internet. Make sure you use valid and verifiable certificates. Ignoring certificate errors is the best way to fall victim to a Man in the Middle attack. The primary way a successful Man in the Middle attack is carried out is by providing an invalid DNS response that redirects to another domain with a valid certificate. This can be easily avoided by not following redirects from remote service requests and pinning SSL certificates so that only known certificates are accepted. For more elaborate protection, you can also verify DNS with DNSSEC. I have not been able to find a DNSSEC implementation for Node.js. Data encryption is the last piece to protecting data in transit. If you are compromised by a man in the middle attack, having your data encrypted provides security for each piece of data. Data at rest should be encrypted as well. That goes for data in the file system, cache services, and databases.
  • #21 SSL pinning is probably the simplest way to prevent man in the middle attacks. Have multiple SSL certificates available for you API endpoints dealing in sensitive data. Have at least one backup certificate to be able to rotate. Two backups to allow for recovery time with an existing backup certificate. Always remember to request certificates with new primary keys to ensure finger prints are different.
  • #22 Encryption can be confusing. Don’t make the mistake of ignoring or doing it poorly. We’ll talk about it in a little more depth in the next slides.
  • #23 The size of the key and IV go a long way to adding pseufo-randomness and ,
  • #26 Hashing requires knowledge of the original data. Decryption only requires knowledge of the secrets and not the data. As such, if you determine the encryption keys used to encrypt one piece of data, you can use that decrypt the rest of the data. Cracking on hash does not give you any insight into any other hash. Hashing sensitive account data like email and user name can prevent account hijacking. Not having a unique way to link a user or an employer to an account will prevent from being able to utilizing spearfishing or whaling in their attack.