IoT Security, Threats and Challenges
By V.P.Prabhakaran
Introduction of IoT
The Internet of Things (IoT) is the network of physical objects
or “things” embedded with electronics, software, sensors,
and network connectivity, which enables these objects to
collect and exchange data. It is a complete integration of
physical objects with computer logical operations.
Things in IoT
• “Things, in the IoT, include vast collections
of devices such as heart monitoring
implants, biochip transponders on farm
animals, automobiles with built-in sensors,
or field operation devices that assist
firefighters in search and rescue,” reads the
definition provided by Wikipedia.
Associated Challenges
• IoT security is all about protecting or safeguarding. Nowadays, almost every object has
a small chip, which we usually ignore. Attackers try to compromise those chips
by gaining logical access to devices remotely. All security and technical experts face the
challenge of protecting that chip from attackers because all the devices, like cars, industrial
machines, and home appliances, have the same chip that works with a specific program,
which is easy to target.
Companies who Operate IoT
• Traditional Big Companies –
Google, Microsoft, and Amazon are
the big companies that are well
versed in the latest security and
threats associated with IoT, and they
have experts who can protect it from
attacks. The image below, that I
would like to share, shows how
Amazon is using IoT.
Companies who Operate IoT (contd…)
• Big Companies – They are not as exposed in terms of threats associated with IoT, like Honeywell
and Ford.
• Kickstartup – New joinees who did research and developed a prototype; later on, big companies,
like IFTTT (If This Then That) by Linden Tibbets and MuleSoft by Greg Schott, purchase these
packages and use them. Currently, the industry is facing a shortage of IoT security experts, and
they still struggle with countermeasures for IoT, according to the report “ISACA Survey: UK Security
Experts Sceptical of IoT Device Security; 3/4 Say Manufacturers are Not Implementing Sufficient
Security Measures”.
Common Threats Associated with IoT
• Vulnerable IoT Perimeters: When IoT networks are designed, there is a lack of planning for good
security implementation, which can allow an intruder to easily gain access to the network. Take
a smart meter as an example. If a cyber criminal compromises this device, he is able to access the
domestic network and can also monitor the connections between objects in the IoT.
• Increase in Data Breaches: Data breaches are one of the biggest threats to IoT devices. Cyber
attackers can try to spy on the communications between devices in an IoT network. Devices accessed
through the Internet of Things may be used for cyber espionage purposes by an intelligence agency or
by some companies for commercial purposes. The FBI’s chief information security officer warned that
the impact of IoT data breaches could be much worse for end users than previous enterprise data
breaches.
Common Threats Associated with IoT
• Malware and Botnet Attacks: Malicious users design code to attack
IoT networks. Cyber criminals can exploit vulnerabilities in the firmware running on the devices and run
their own arbitrary code, turning IoT components to unplanned uses. Malware used against IoT includes
the Linux worm Linux.Darlloz. Graphics processing unit (GPU)-based malware and ransomware attacks are
growing rapidly, due to the increase in data, bigger networks, and the Internet of Things (IoT),
according to Intel Security’s five-year retrospective threat report. The analysis found that
ransomware continued to grow rapidly, with the number of new ransomware samples rising 58
percent in Q2. According to Intel Security, the total number of ransomware samples also grew by
127 percent year-on-year, with the company attributing the increase to fast-growing new families,
such as CTB-Locker and CryptoWall. The release of the report marks the five-year anniversary
since Intel Security purchased McAfee for $7.7 billion.
OWASP Introduces Vulnerabilities in IoT
• The Open Web Application Security Project (OWASP) publishes best practices to improve the
security of IoT. Naturally, the project has also analyzed the top 10 security issues related to this
popular paradigm:
• Insecure Web Interface: An insecure web interface is a common vulnerability found in IoT. Tools
such as OWASP ZAP and Shodan are available, and with them we can access these devices. The most famous
example of this to date is the case of the web application on TrendNet cameras that exposed a full
video feed to anyone who accessed it.
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insufficient Authentication/Authorization: Most IoT devices are protected with a weak password,
which is easily exploited through a brute force attack. The attack could come from external or
internal users. Some IoT devices are configured with a base64 password encoding mechanism, and the
encoded password is sent between devices in plain text, so an attacker can use an online website
to convert the base64 code back to simple text. Many IoT devices are secured with “Spaceballs quality”
passwords like “1234”, put their password checks in client-side Java code, send credentials without
using HTTPS or other encrypted transports, or require no passwords at all.
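The following is an added example, not part of the original slides: a small audit of recorded device requests for the failings listed above (base64-encoded credentials sent without HTTPS, credentials in the URL, default-grade passwords, no authentication). The request records, host names and the weak-password list are constructed assumptions.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample: requests as a gateway or proxy log might record them.
# Hosts, paths and credentials are invented for illustration.
def _basic(user_pass):
    return "Basic " + base64.b64encode(user_pass.encode()).decode()

SAMPLE_REQUESTS = [
    {"url": "http://cam1.example/live", "headers": {"Authorization": _basic("admin:1234")}},
    {"url": "https://meter.example/api/readings", "headers": {"Authorization": _basic("ops:V7#tq9!mWz2Lp")}},
    {"url": "http://plug.example/set?user=admin&password=admin", "headers": {}},
    {"url": "https://hub.example/config", "headers": {}},
]

# Assumed short list of default-grade passwords; extend it from your own policy.
WEAK_PASSWORDS = {"", "1234", "12345", "admin", "password", "root", "default"}

def decode_basic(header_value):
    """Return (user, password) from an HTTP Basic header, else None.
    Base64 is an encoding: no key is needed to reverse it."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def audit_request(req):
    """Return the list of findings for one recorded request."""
    parts = urlsplit(req["url"])
    findings = []
    auth = req["headers"].get("Authorization")
    creds = decode_basic(auth) if auth else None
    query = parse_qs(parts.query, keep_blank_values=True)
    if creds is None and "password" in query:
        creds = (query.get("user", [""])[0], query["password"][0])
        findings.append("credentials-in-url")
    if creds is None:
        # Heuristic: no credential was seen on this request at all.
        return ["no-authentication"]
    if parts.scheme != "https":
        findings.append("credentials-over-cleartext")
    if creds[1].lower() in WEAK_PASSWORDS:
        findings.append("weak-password")
    return findings

def audit(requests):
    """Map scheme://host/path (query string dropped) to its findings."""
    report = {}
    for req in requests:
        p = urlsplit(req["url"])
        report[f"{p.scheme}://{p.netloc}{p.path}"] = audit_request(req)
    return report

if __name__ == "__main__":
    for target, findings in audit(SAMPLE_REQUESTS).items():
        print(target, findings or ["ok"])
```

The report keys drop the query string and the findings carry no decoded values, so the output can be shared without leaking the credentials it flags.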
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insecure Network Services: Insecure network services may be vulnerable to buffer overflow
attacks. Other attacks are also possible, like DoS and DDoS attacks, which leave systems
inaccessible to clients or users. In order to find insecure network services, we use several tools, like
Nmap and fuzzers. Examples of these types of services abound in IoT documentation and are
regularly lit up by security researchers. In August 2014, a sweep of more than 32,000 devices found
“at least 2000 devices with hard-coded Telnet logins.”
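As an added example (not from the original slides), the script below shows how the output of an Nmap inventory scan of your own device network can be turned into a list of hosts that still expose cleartext services such as Telnet. The scan text is a constructed sample in Nmap's grepable (-oG) format, and the table of cleartext services and suggested replacements is an assumption.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format. Addresses come from the
# RFC 5737 documentation range and the host names are invented.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (cam-lobby)\tStatus: Up\n"
    "Host: 192.0.2.10 (cam-lobby)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 192.0.2.20 (meter-gw)\tPorts: 22/open/tcp//ssh///, "
    "23/closed/tcp//telnet///, 443/open/tcp//https///\n"
    "Host: 192.0.2.30 ()\tPorts: 1883/open/tcp//mqtt///, "
    "8883/open/tcp//secure-mqtt///\n"
)

# Assumed policy table: services that carry logins or data without transport
# encryption, mapped to the replacement to plan for.
CLEARTEXT = {
    "telnet": "disable, manage over SSH",
    "ftp": "replace with SFTP or FTPS",
    "http": "serve over HTTPS",
    "mqtt": "use MQTT over TLS",
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_grepable(text):
    """Yield (ip, hostname, port, proto, service) for every open port."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # port/state/protocol/owner/service/rpcinfo/version/
                cols = entry.strip().split("/")
                if len(cols) >= 5 and cols[1] == "open":
                    yield m.group(1), m.group(2), int(cols[0]), cols[2], cols[4]

def cleartext_exposure(text):
    """Return {ip: [(port, service, remediation), ...]} for cleartext services.
    The service name is Nmap's guess from the port unless version detection ran."""
    report = {}
    for ip, _host, port, _proto, service in parse_grepable(text):
        if service in CLEARTEXT:
            report.setdefault(ip, []).append((port, service, CLEARTEXT[service]))
    return report

if __name__ == "__main__":
    for ip, items in cleartext_exposure(SAMPLE_SCAN).items():
        for port, service, fix in items:
            print(f"{ip}:{port} {service} -> {fix}")
```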
OWASP Introduces Vulnerabilities in IoT (contd…)
• Lack of Transport Encryption: IoT devices lack transport encryption, which is exploited
by an attacker who is trying to intercept the information exchanged between IoT devices. This
attack can be carried out by internal and external users.
• Privacy Concerns: An attacker uses different paths, like lack of authentication, lack of strong
transport encryption, or other ports and network services, to gain access to
personal data. One of the biggest vulnerabilities, as per the OWASP standard, is that home users may
not understand computer security, but they do understand physical security (“is my door locked?”)
and privacy (“is that camera watching me?”). Furthermore, their fears are widespread.
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insecure Cloud Interface: We can identify an insecure cloud interface vulnerability by
reviewing the connections to the cloud interface and analyzing whether SSL is secure. We also attempt a
password reset on the portal to find a live user, which can lead to user enumeration. Since most
security professionals already know how to evaluate systems for these types of vulnerabilities, we
won’t spend much time on it in this article, except to remind you that you should get the permission
of any remote cloud service before you attempt to perform any type of penetration test against it.
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insecure Mobile Interface
• Insufficient Security Configurability
• Insecure Software/Firmware
• Poor Physical Security
About Author
• V.P.Prabhakaran is a highly experienced security
professional, having more than 9 years’ experience
as Senior Information Security Consultant at Koenig
Solutions.
Information Security Consultant
CISSP | CISA | CISM | COBIT 5 | TOGAF