 IoT Security And Advancement
 By Shreya Pohekar
ABOUT ME
Coding and a Cyber Security Enthusiast
A Singer
An artist
OVERVIEW
 Why internet of things?
 Internet of things
 Applications
 All is not well
 Hacks on IoT
 Mirai botnet
 Steps to security
WHY WE NEED IOT?
 Comfortable life
 Connected world
 Computers can’t be installed everywhere,
especially for specific tasks.
 Better data, automation, increased efficiency
 They are much cheaper
 Require less computational power
 Are less complex
INTERNET OF THINGS (IOT)
 The Internet of Things is a system of interrelated
computing devices, mechanical and digital
machines, and objects that are provided with unique
identifiers (IP addresses) and have the ability to
transfer data over a network without requiring
human-to-human or human-to-computer
interaction.
Formal definition by the International Telecommunication
Union
A dynamic global network infrastructure with self-
configuring capabilities based on standard and
interoperable communication protocols where
physical and virtual things:
 Have identifiers, physical attributes and virtual
personalities
 Use intelligent interfaces
 Are seamlessly integrated into information
As of 2017, there are 15.4 billion IoT devices
connected over the internet,
and the number is forecast to reach 20.8 billion by
2020.
CATEGORIES OF IOT
 First class of IoT (public sensors and
actuators)
 Second class of IoT
PROTOCOLS ON WHICH IOT WORKS
 Infrastructure (ex: 6LoWPAN, IPv4/IPv6, RPL)
 Identification (ex: EPC, uCode, IPv6, URIs)
 Comms / Transport (ex: Wi-Fi, Bluetooth,
LPWAN)
 Discovery (ex: Physical Web, mDNS, DNS-SD)
 Data Protocols (ex: MQTT, CoAP, AMQP,
WebSocket, Node)
 Device Management (ex: TR-069, OMA-DM)
 Semantic (ex: JSON-LD, Web Thing Model)
 Multi-layer Frameworks (ex: AllJoyn, IoTivity,
Weave, HomeKit)
APPLICATIONS
Transport systems
Agriculture
Environmental monitoring
Medical and healthcare systems
Energy management
Industrial applications
Building and home automation
Large scale deployments
BUT…
ALL IS NOT WELL
THE SECURITY CHALLENGES
 70% of the IoT devices in use today are vulnerable
to cyber attacks
 Low level of encryption
 Work on different ports
 No firewalls or antivirus
 Firmware
  outdated most of the time
  update file not encrypted
  update not verified before upload
 Lack of role-based access control
 Lack of two-factor authentication
 Insecure password recovery
 Poorly implemented SSL/TLS
 Account enumeration
 Poor physical security
USUAL ATTACKS ON IOT DEVICES
 DDoS attacks
 Privilege escalation
 Buffer overflow
 Brute force attacks
 Open ports via UPnP (Universal Plug and
Play)
* UPnP: a set of networking protocols that permits networked devices, such as
personal computers, printers, internet gateways, Wi-Fi access points and mobile
devices, to seamlessly discover each other’s presence on the network and establish
functional network services for data sharing.
LACK OF SECURITY CONFIGURABILITY
Insufficient security configurability is present when users of the
device have limited or no ability to alter its security controls.
It is apparent when the web interface of the device has no option
for creating granular user permissions or, for example, forcing the
use of strong passwords.
LACK OF TRANSPORT ENCRYPTION
Lack of transport encryption allows data to be viewed as it travels over
local networks or the internet. Lack of transport encryption is prevalent
on local networks, as it is easy to assume that local network traffic will
not be widely visible. However, in the case of a local wireless
network, misconfiguration of that wireless network can make traffic
visible to anyone within range of it.
 KINESIS is an example of a sensor network
system designed to make it possible for
sensors to automatically take response
actions in the event of data transmission
disruptions.
Is my cloud interface secure?
Checking for an insecure cloud interface includes:
 Determining if the default username and
password can be changed during initial product setup.
 Determining if a specific user account is locked out after 3-5 failed
login attempts.
 Determining if valid accounts can be identified using password
recovery mechanisms or new user pages.
 Reviewing the interface for issues such as cross-site scripting,
cross-site request forgery and SQL injection.
 Reviewing all cloud interfaces for vulnerabilities (API interfaces
and cloud-based web interfaces).
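The lockout and account-enumeration checks from the list above, run against a login backend. This is an added example, not part of the original slides; `CloudLogin`, `LeakyLogin`, the `audit` helper and the 5-attempt threshold (within the slide's 3-5 range) are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED = 5  # assumption: upper end of the slide's 3-5 attempt range


class CloudLogin:
    """Toy in-memory login backend (hypothetical, constructed for this example)."""

    def __init__(self):
        self._users = {}    # username -> (salt, password hash)
        self._failed = {}   # username -> consecutive failed attempts

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(salt, password))

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, name, password):
        # Failures are counted for unknown names too, so lockout
        # behaviour does not reveal which accounts exist.
        if self._failed.get(name, 0) >= MAX_FAILED:
            return "locked"
        salt, stored = self._users.get(name, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(salt, password), stored):
            self._failed[name] = 0
            return "ok"
        self._failed[name] = self._failed.get(name, 0) + 1
        return "denied"

    def recover_password(self, name):
        # Identical reply whether or not the account exists.
        return "If the account exists, a reset link has been sent."


class LeakyLogin(CloudLogin):
    """Weak variant: never locks out and confirms which accounts exist."""

    def login(self, name, password):
        self._failed[name] = 0      # failures never accumulate
        return super().login(name, password)

    def recover_password(self, name):
        return "Reset link sent." if name in self._users else "No such user."


def audit(service, known_user, unknown_user):
    """Run the lockout and enumeration checks; return a list of findings."""
    findings = []
    for _ in range(MAX_FAILED):
        service.login(known_user, "wrong-guess")
    if service.login(known_user, "wrong-guess") != "locked":
        findings.append("no lockout after repeated failed logins")
    if service.recover_password(known_user) != service.recover_password(unknown_user):
        findings.append("password recovery reveals valid accounts")
    return findings
```

An empty list from `audit` means both checks passed; the `LeakyLogin` variant produces both findings.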
MIRAI BOTNET
 The terrifying power of billions of IoT devices: botnets can be used to orchestrate
Distributed Denial-of-Service (DDoS) attacks. These
attacks use large numbers of IoT devices to direct traffic to a website or server,
overwhelming it and rendering it inaccessible to real users.
 Botnets are traditionally made up of infected computers, but the widespread use of
vulnerable IoT devices provides a far more enticing target for cyber criminals. A lack of
investment in security and the abundance of IoT devices, a result of cheap and quick
manufacturing, means these botnets are potentially far more dangerous than infected PCs.
 This lack of security investment was revealed in 2016 when criminals launched the largest
DDoS attack in history. The botnet malware behind the attack, Mirai, infected 100,000s of
IoT devices that then pummeled DNS provider Dyn with a 1.2 Tbps DDoS attack.
 The Mirai botnet knocked PayPal, Spotify, Netflix and Twitter offline, causing
never-before-seen levels of disruption to some of the largest websites in the world.
One month later, businesses were unprepared when the Mirai botnet struck again. This
time the attack affected 100,000s of Deutsche Telekom customers.
 The Mirai botnet source code is now available online, so it’s likely to continue plaguing
poorly secured IoT devices. And in February 2017, researchers identified a new variant of
the Mirai botnet capable of targeting Windows systems, allowing the malware to spread to
even more devices.
 Mirai is just the tip of the iceberg, and other powerful botnets continue to damage
businesses globally. It’s not just businesses that should worry: one attack against a UK
bank in 2016 resulted in £2.5 million stolen directly from customer accounts.
Security should be present from
the moment power is supplied
ENCRYPTION
 The best option – lightweight encryption tools
 The RSA Algorithm (concept of factoring)
 Block ciphers, like PRESENT and CLEFIA
(lightweight versions of the Advanced Encryption
Standard). There are also hardware-oriented stream
ciphers, like Enocoro, that focus on chip size and
energy consumption; hash functions, such as
PHOTON, which concentrate on data integrity;
and message authentication codes for validating and
authenticating communications between devices.
 Elliptic curve based encryption
RSA ALGORITHM
 The RSA Algorithm
 The Rivest-Shamir-Adleman (RSA) algorithm is one of the most popular
and secure public-key encryption methods. The algorithm capitalizes on
the fact that there is no efficient way to factor very large (100-200 digit)
numbers. Using an encryption key (e,n), the algorithm is as follows:
 Represent the message as an integer between 0 and (n-1). Large
messages can be broken up into a number of blocks. Each block would
then be represented by an integer in the same range.
 Encrypt the message by raising it to the e-th power modulo n. The result
is a ciphertext message C.
 To decrypt ciphertext message C, raise it to another power d modulo n.
 The encryption key (e,n) is made public. The decryption key (d,n) is kept
private by the user.
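The steps above carried through with small numbers, as an added example that is not part of the original slides. The primes 61 and 53, the exponent 17 and all function names are constructed for illustration; the last function shows why the slide insists on very large numbers, since a small n can be factored and d recomputed from the public key alone.

```python
from math import gcd


def make_keys(p, q, e):
    """Build the public key (e, n) and private key (d, n) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)     # inverse of e modulo phi (Python 3.8+)
    return (e, n), (d, n)


def block_size(n):
    """Largest whole number of bytes whose integer value is always below n."""
    return (n.bit_length() - 1) // 8


def encrypt(message, public):
    e, n = public
    size = block_size(n)
    if size < 1:
        raise ValueError("n is too small to hold one byte per block")
    blocks = [message[i:i + size] for i in range(0, len(message), size)]
    # C = M^e mod n for each block M
    return [pow(int.from_bytes(b, "big"), e, n) for b in blocks]


def decrypt(cipher, private, length):
    d, n = private
    size = block_size(n)
    out = bytearray()
    for c in cipher:
        remaining = length - len(out)
        # M = C^d mod n; the final block may be shorter than the others
        out += pow(c, d, n).to_bytes(min(size, remaining), "big")
    return bytes(out)


def factor_and_recover_d(public):
    """Trial-division factoring: feasible only because the demo n is tiny."""
    e, n = public
    p = next(k for k in range(2, n) if n % k == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))


# Constructed toy parameters. Real moduli are hundreds of digits long, and
# real systems add a padding scheme such as OAEP to the raw exponentiation.
PUBLIC, PRIVATE = make_keys(61, 53, 17)

if __name__ == "__main__":
    msg = b"temp=21.5C"                      # constructed sensor reading
    cipher = encrypt(msg, PUBLIC)
    print(cipher)
    print(decrypt(cipher, PRIVATE, len(msg)))
    print(factor_and_recover_d(PUBLIC) == PRIVATE[0])
```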
IOT TOO REQUIRES A FIREWALL
 The embedded firewall provides a basic
but critical level of security by controlling what packets or
messages are processed.
 The firewall enforces its policies by filtering packets as
they are received, comparing each packet to the policies
for that device, and blocking all packets that don’t match
the communication policy criteria.
 Rules-based filtering: Each packet is compared to a set
of static rules that determine whether the packet is blocked or
allowed. All decisions are made based on the information
in the packet. Rules-based filtering enforces policies by
blocking unused protocols, closing unused ports, and
enforcing IP address whitelists and blacklists.
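A minimal rules-based filter of the kind described above, as an added example that is not part of the original slides. The `Packet` and `Policy` structures, the addresses and the sample traffic are constructed; the policy models a sensor that only accepts MQTT over TLS (TCP 8883) from its own subnet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str      # "tcp", "udp", "icmp"
    dst_port: int


@dataclass(frozen=True)
class Policy:
    """Static communication policy for one device (hypothetical structure)."""
    blacklist: tuple        # networks that are always blocked
    whitelist: tuple        # only these networks may talk to the device
    open_ports: frozenset   # (proto, port) pairs the device actually uses


def filter_packet(pkt, policy):
    """Return ("allow" | "block", reason) using only fields in the packet."""
    src = ip_address(pkt.src)
    if any(src in ip_network(net) for net in policy.blacklist):
        return "block", "source is blacklisted"
    if not any(src in ip_network(net) for net in policy.whitelist):
        return "block", "source not on whitelist"
    if (pkt.proto, pkt.dst_port) not in policy.open_ports:
        return "block", "unused protocol or closed port"
    return "allow", "matches communication policy"


# Constructed policy: blacklist wins over whitelist, everything else is denied.
SENSOR_POLICY = Policy(
    blacklist=("192.168.10.66/32",),
    whitelist=("192.168.10.0/24",),
    open_ports=frozenset({("tcp", 8883)}),
)

# Constructed sample traffic.
SAMPLE = [
    Packet("192.168.10.5", "tcp", 8883),    # gateway, MQTT over TLS
    Packet("192.168.10.5", "tcp", 23),      # telnet port is closed
    Packet("192.168.10.66", "tcp", 8883),   # blacklisted host inside the subnet
    Packet("203.0.113.9", "tcp", 8883),     # outside the whitelist
    Packet("192.168.10.5", "udp", 1900),    # UPnP/SSDP discovery, unused here
]


def run(packets, policy):
    """Return the verdict for each packet, in order."""
    return [filter_packet(p, policy)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, filter_packet(pkt, SENSOR_POLICY))
```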
SOFTWARE MUST BE SECURED
 Many IoT devices are based on processors such as the ARM
processor, which have differences in the instruction set with
respect to other conventionally used processors.
 Such diversity has implications, for example, for the techniques used to
protect software from attacks such as return-oriented
programming, since these techniques must be tailored to the specific
instruction set of the platform of interest.
 One way to provide better security is to isolate sensors and other
permissive devices on a separate virtual LAN. This setup
prevents a hacker from observing the totality of network traffic if
one sensor is compromised, or using it to launch attacks across
the entire enterprise.
 Create bug bounty programs and vulnerability reporting systems
GOOD CITIZEN RULES
 Don’t connect your devices unless you need
to
 Don’t use default passwords
 Keep firmware up to date
 Turn off Universal Plug and Play (UPnP)
 Do not trust a network just because it is
introduced by a trusted entity
 Not all access points are trustworthy
OPEN SOURCE WOULD HAVE AN IMPACT
 to support and connect billions of sensors,
routers, gateways and data servers
 Promotes velocity of innovation
 Easy exploration and experimentation
 Enables permissionless innovation
REFERENCES
o Data security and privacy in IoT by Elisa Bertino
o OWASP IoT security
https://www.owasp.org/index.php/IoT_Security_Guidance
o https://www.symantec.com/solutions/internet-of-things
QUESTIONS
