Risk-Based Testing
for IoT Systems
Ed Adams
11 June 2019
About Me
• CEO by day; engineer by trade (and heart)
• Mechanical Engineer, Software Engineer
• Research Fellow, Ponemon Institute
• Privacy by Design Ambassador, Canada
• In younger days, built non-lethal weapons
systems for US Federal Government
Agenda
• Security Risks of IoT Devices
• Risk-based Testing Essentials
• IoT Device Considerations
• Securing Our Digital Future
So many connected “things”…
Good Ol’ Days: Devices Were Just Devices
• Ran on a little code; made to serve a specific purpose
• Cash payments
• Real-time changes; no “wait for compile” and see
• Had to be physically at the device to access/change
• Sharing data meant print, verbal, film, CD, etc.
Today’s Devices are Still Devices but...
• Run on LOTS of code; made to serve single/multiple purposes
• Make changes from anywhere via cellular or Wi-Fi connection
• Sharing data is instantaneous and digital
The Mirai Botnet and the Dyn Attack (October 2016)
A not so oldie but goodie
• Dyn's Domain Name System (DNS) service was knocked out by a DDoS
• Affected nearly 1/3 of all Internet users in US and Europe
• No access to (short list):
• Amazon.com
• Comcast
• DirecTV
• GitHub
• Netflix
• Twitter
• PayPal
• Starbucks
• Verizon
• Visa
• Walgreens
• Xbox Live
• PlayStation Network
• iHeart Radio
• BBC
• NY Times
• GrubHub
• Slack
Hundreds of thousands of IoT devices (IP cameras, DVRs, home routers) were infected with Mirai,
which logs in over Telnet using a short list of factory-default credentials, and were used to flood Dyn with traffic (DDoS)
More Recent IoT Trouble
Consumer & Medical Devices
• 465,000 pacemakers from St. Jude Medical (now Abbott) needed a security firmware update
• The implantable cardiac devices had exploitable vulnerabilities
• Unauthorized remote access
• Deplete battery, change pacing, or deliver shocks
• Owlet WiFi Baby Heart Monitor
• Alerts parents when babies have heart troubles
• Its connectivity is what makes it exploitable
• TRENDnet SecurView Webcam
• Faulty software: anyone who obtained a camera's IP address
could look through it and listen as well
• Transmitted user login credentials in clear, readable text
• Mobile app stored login information in clear, readable text
Best intentions undone by careless manufacturer configuration
Governments & Customers Getting Involved
• FTC vs D-Link: The legal risks of IoT insecurity
• Lawsuit against D-Link
• Claims company put thousands of customers at risk
• Unauthorized access to its IP cameras and routers
• Customers vs John Deere: The business risks of IoT
• US farmers dispute rights to repair their tractors
• Contain embedded software (it’s an IoT device)
• Company issued a new license agreement
• Prohibits software modification on its tractors
• Ensures all repairs are done by John Deere contractors
Skimmers
• Evolved from mag-stripe readers to Bluetooth and cellular transmitters
• Devices keep getting smaller
• Embedded inside fuel pumps and PoS devices
• Future skimmers
• Embedded devices that don't steal credit card data
but rather attack your networks directly
Agenda
• Security Risks of IoT Devices
• Risk-based Testing Essentials
• Weak Links, Soft Spots, Blind Spots
• Securing Our Digital Future
Convenience-Risk Trade Offs
• Building in security takes time initially; equates to money
• Time to market pressures often trump this investment
• Security can equate to safety in consumer IoT devices
• Ease of setup and operation
• Consumers want devices to “just work”
• Quick setup and minimal configuration required
• Often means little to no authentication, or a default credential shared by every unit shipped
• When vulnerabilities discovered, patching is the answer
• But IoT patching can be difficult, sometimes impossible, and (under some license terms) even illegal
Consumers demand easy and convenient features, until they backfire
Today’s IoT Deployment in Practice
• How is testing IoT different from our other platforms, e.g., web, mobile, cloud? The
answer is that it's not very different.
• Most IoT devices are connected to many of the following:
• Mobile App
• APIs
• Cloud Infrastructure
• Web App
• KEYPOINT: IoT is not a magical technology,
but a mash-up of many different technologies
– and at its core, it's almost all software
Sources: “International Journal of Web Portals” Ahmedi, Sejdiu, et al; Geoff Vaughan Security Innovation, Inc.
Top 4 IoT Security Weak Points
• Insufficient Security Awareness
• Humans #1 weak point: building, deploying, using
• Weak Physical Security
• Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or
data access
• Infrequent Updates
• Firmware, device apps, admin apps/interfaces
• Expensive and/or remote IoT devices have long lifespans (difficult to update)
• Weak Data Protection
• Data at rest / in transit protected with weak (or no) encryption
• Lack of dedicated security chips and modules to store sensitive data.
3 Must-have IoT Security Considerations
• “Shift left”
• Think security earlier and more often in system design
• Account for resources that will be able to provide security updates
• Could be vendor, e.g., maintenance agreement, and/or internal staff, e.g., patching
• KEYPOINT: Every component needs to be tested as part of the ecosystem
• Not just individual IoT device testing
Sources: “Dr. Dobbs” Larry Smith; Geoff Vaughan Security Innovation, Inc.
Start with “Simple” Questions
• How is the IoT deployed in our organization today, and who owns it or its
respective components?
• IoT inventory and business activity/role
• Don’t expect the word “IoT” to show up in project docs
• Do we know what data is collected, stored and analyzed? Have we assessed the
legal, security and privacy implications?
• Do governance policies cover data captured by thousands of sensors?
• Do we have contingency plans in place in case our IoT “things” are hijacked or
modified for unintended purposes?
Driven by Key Threats & Attack Surface
Start by Assessing IoT Risk/Liability
IoT Connection Chain          Ownership   Threats / what to assess
Device hardware/firmware      Vendor X    Known vulnerabilities in Vendor X products; patching process for Vendor X products
Mobile application            Vendor Y    Secure SDLC activities at Vendor Y
Web application               Us          Our own Secure SDLC activities/process
Information/Data management   Us          Storage and transport of data; where is it encrypted?
Channels of transmission      Telco X     Security guarantees/SLA with Telco X
User authentication/roles     Us          Enumerate each role and its authorized activity; authentication for each role
US FTC IoT Security Best Practices*
• Build security into devices at the outset, rather than as an afterthought
• Train employees about the importance of security
• Ensure security is managed at an appropriate level in the organization
• Ensure outside service providers are capable of maintaining reasonable security, and
provide oversight of providers
• Consider a “defense-in-depth” strategy whereby multiple layers of security may be used
to defend against a particular risk
• Keep unauthorized users from accessing device data, or personal info
• Monitor connected devices; provide security patches for known risks
* https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
Agenda
• Security Risks of IoT Devices
• Risk-based Testing Essentials
• IoT Device Considerations
• Securing Our Digital Future
Testing IoT Devices
• ~8-10 very technology-specific areas to consider
• Component Identification and Classification
• Static Firmware Analysis
• Dynamic Debugging
• Peripheral Hacking
• Protocols and Data Sniffing
• Wi-Fi
• BLE
• SDR
• Cellular
• USB
• Hardware Hacks
• JTAG
• UART
• SPI
Obtaining the firmware
• Obtain from vendor website
• Web search: support and community forums
• Reverse the mobile application
• Sniff the OTA update mechanism
• Dump it from the device
Static firmware analysis: tools such as Binwalk, IDA Pro, Radare2 can be useful
Network-facing services: similar to other network-based testing
• What services are running?
• What communication protocols are being used?
• What ports are open?
• What version is running? Known vulnerability?
Sources: Attify, Security Innovation
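The static firmware analysis step above, as an added example that is not from the deck or from Attify/Security Innovation: a small Go scanner that does the two things a tester does first on a dumped image, locate embedded containers by magic number (the same idea Binwalk uses) and grep for secrets that should never ship (private keys, passwd/shadow entries, credentials embedded in URLs). The image bytes are constructed for the example; the container list, regexes and severity labels are the example's own assumptions, not a standard.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one hit inside the firmware blob.
type Finding struct {
	Offset int
	Kind   string // "container:<format>" or a secret category
	Detail string // matched text for secret hits, empty for containers
}

// Magic numbers of containers routinely found inside vendor firmware images.
var containerMagics = []struct {
	name string
	sig  []byte
}{
	{"uimage", []byte{0x27, 0x05, 0x19, 0x56}}, // U-Boot legacy image header
	{"gzip", []byte{0x1f, 0x8b, 0x08}},         // gzip (deflate) member
	{"elf", []byte{0x7f, 'E', 'L', 'F'}},        // ELF executable or library
	{"squashfs", []byte("hsqs")},                // SquashFS, little-endian
	{"squashfs-be", []byte("sqsh")},             // SquashFS, big-endian
}

// Patterns for secrets that should never ship inside an image.
var secretPatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	// passwd/shadow entry: user, then either a crypt(3) hash ($id$...) or an empty password field
	{"password-hash", regexp.MustCompile(`(?m)^([a-z_][a-z0-9_-]*):(\$[0-9a-z]+\$[^:\n]+|):`)},
	// user:password@host embedded in a URL (update servers, cloud APIs, MQTT brokers)
	{"url-credentials", regexp.MustCompile(`[a-z]+://[^\s:/@]+:[^\s/@]+@[^\s/]+`)},
}

// ScanFirmware walks the blob once per signature and returns findings sorted by offset.
func ScanFirmware(blob []byte) []Finding {
	var out []Finding
	for _, m := range containerMagics {
		off := 0
		for {
			i := bytes.Index(blob[off:], m.sig)
			if i < 0 {
				break
			}
			out = append(out, Finding{Offset: off + i, Kind: "container:" + m.name})
			off += i + 1
		}
	}
	for _, p := range secretPatterns {
		for _, loc := range p.re.FindAllIndex(blob, -1) {
			out = append(out, Finding{Offset: loc[0], Kind: p.name, Detail: string(blob[loc[0]:loc[1]])})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// Severity turns a finding into a triage label for the test report.
func Severity(f Finding) string {
	switch {
	case strings.HasPrefix(f.Kind, "container:"):
		return "info"
	case f.Kind == "private-key", f.Kind == "url-credentials":
		return "high"
	case f.Kind == "password-hash" && strings.HasSuffix(f.Detail, "::"):
		return "high: account with empty password"
	case f.Kind == "password-hash" && strings.Contains(f.Detail, ":$1$"):
		return "high: md5crypt hash, fast to crack offline"
	case f.Kind == "password-hash":
		return "medium: hashed credential, confirm it is per-device and not a factory default"
	}
	return "unknown"
}

// sampleImage is a constructed stand-in for a dumped flash image: a uImage header,
// padding, a SquashFS magic, then fragments of the kind of files an extractor would carve out.
var sampleImage = bytes.Join([][]byte{
	{0x27, 0x05, 0x19, 0x56}, bytes.Repeat([]byte{0x00}, 60),
	[]byte("hsqs"), bytes.Repeat([]byte{0xff}, 16), []byte("\n"),
	[]byte("root:$1$abcd$5fUhY6Z8Q4QvXxYxEyVh90:0:0:root:/:/bin/sh\n"),
	[]byte("admin::0:0::/:/bin/sh\n"),
	[]byte("-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"),
	[]byte("UPDATE_URL=http://fwuser:Fact0ry!@updates.vendor.example/latest.bin\n"),
	{0x7f, 'E', 'L', 'F'}, bytes.Repeat([]byte{0x00}, 12),
}, nil)

func main() {
	for _, f := range ScanFirmware(sampleImage) {
		fmt.Printf("0x%06x  %-18s %-50s %s\n", f.Offset, f.Kind, f.Detail, Severity(f))
	}
}
```

On a real image, feed the file read from disk to ScanFirmware and carve each container offset with Binwalk or dd for deeper analysis; the hits flagged high are the ones that go straight into the risk table, because a factory password hash or private key is shared by every device of that model.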
Agenda
• How Connected Are We?
• Nothing Ever Goes Wrong… Right?
• IoT Device Considerations
• Securing Our Digital Future
Top 5 IoT Security Tips
 Secure the Device OS and Firmware
 Ensure Sufficient Data Protection
 Secure the Physical Device
 Secure the Communication Channel
 Enforce Authentication and Authorization
Secure the Device OS and Firmware
Security Controls
 Ensure updates are over a secure channel, signed and verified
 Ensure bootloader firmware is secure and has not been tampered with
 Ensure installed bootloader is verified at every stage of boot sequence
 Ensure device makes use of full disk encryption
 Disable unnecessary services running on the device
 Harden against malformed input (fuzzing) and buffer overflow attacks
 Ensure binaries are compiled with hardening options and are signed
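The first two controls above (signed, verified updates and a verified boot chain) come down to one check the device must run before it writes anything to flash. This Go example is added here and is not from the deck or any vendor's bootloader: Ed25519 is chosen as the signature scheme (the slide does not name one), the manifest layout is the example's own, and the anti-rollback rule is an assumption worth stating in any real design, since a validly signed old image reintroduces every bug that version had.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small, fixed-layout header the vendor signs and ships with
// every image: version (big-endian uint32) followed by SHA-256 of the image.
// A fixed layout keeps the parser trivial for a bootloader with a few KB of flash.
type Manifest struct {
	Version uint32
	Digest  [sha256.Size]byte
}

// Bytes serialises the manifest exactly as it is signed.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// Update is what the device receives over the air (or from a USB stick).
type Update struct {
	Manifest  Manifest
	Signature []byte // Ed25519 signature over Manifest.Bytes()
	Image     []byte
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature invalid")
	ErrDigest       = errors.New("update rejected: image digest does not match signed manifest")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// SignUpdate is the vendor-side build step. The private key lives on the
// signing system, never on a device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

// VerifyUpdate is the device-side gate. vendorPub is the public key burned into
// the device (OTP fuses or ROM); installed is the version currently running.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	// 1. Authenticity: only the vendor key can have produced this manifest signature.
	if !ed25519.Verify(vendorPub, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	// 2. Integrity: the image must hash to the digest in the signed manifest;
	//    any byte changed in transit or on the update server is caught here.
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], u.Manifest.Digest[:]) {
		return ErrDigest
	}
	// 3. Anti-rollback: a validly signed but older image is still refused, so an
	//    attacker cannot re-install a version with a known, already-patched bug.
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("firmware v2 (constructed stand-in for a real image)")
	good := SignUpdate(priv, 2, image)
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, good))

	tampered := good
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01 // one flipped bit in the payload
	fmt.Println("tampered image:           ", VerifyUpdate(pub, 1, tampered))

	fmt.Println("v2 offered to a v3 device:", VerifyUpdate(pub, 3, good))
}
```

The same three checks apply at each stage of a verified boot chain: the ROM verifies the bootloader against a fused public key, the bootloader verifies the kernel/rootfs manifest, and the installed version counter (ideally in a monotonic hardware counter, not plain flash) backs the rollback check.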
Ensure Sufficient Data Protection
Security Controls
 Encrypt data at rest using strong and known encryption techniques
 Ensure device uses dedicated security chips and modules to store sensitive data
 Avoid usage of hard-coded credentials or cryptographic keys
 Do not collect data not essential for device functionality
 Avoid usage of weak, broken, or risky cryptographic algorithms
 Log all access to, and alteration of, sensitive data
 Ensure authentication and authorization to all PII
Secure the Physical Device
Security Controls
 Ensure data storage is not directly accessible
 Test debug interfaces (JTAG, UART, etc.) and USB ports for unintended
device or data access
 Ensure tamper protection/resistance techniques are in use
 Limit the admin functionalities present on the device
Secure the Communication Channel
Security Controls
 Secure the Wi-Fi interface via secure configurations (encryption, password, etc.)
and drivers
 Ensure protection against Denial-of-Service (DoS) and fuzzing attacks
 Secure the exposed services and keys during device enrollment
 Audit the file, printer and device sharing mechanism in place regularly
 Secure the Bluetooth interface via secure configurations (discovery modes, PIN,
etc.) and drivers
 Verify that secure Bluetooth modes are in use
 Ensure sensitive data is not sent over unencrypted bus lines
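The communication-channel controls above say little about what "secure" means for the device-to-cloud link itself, which is where most field compromises happen. This Go example is added here and is not from the deck: it stands up a loopback TLS server with a self-signed certificate that plays the vendor's backend, then shows the hardened device configuration (pinned root, backend name verified, TLS 1.2 minimum) beside the weak one many shipped devices use (InsecureSkipVerify). The host name iot-cloud.example and the certificate are the example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// cloudHost is the hypothetical backend name the device is provisioned to trust.
const cloudHost = "iot-cloud.example"

// NewServerCert makes a self-signed ECDSA cert standing in for the vendor's
// backend certificate; the same cert is what gets pinned on the device.
func NewServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cloudHost},
		DNSNames:              []string{cloudHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// StartServer binds a TLS listener on loopback and greets each client once the
// handshake completes. It returns the host:port to dial.
func StartServer(cert tls.Certificate) (string, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				c.Write([]byte("cloud: hello device\n")) // handshake runs on first write
			}(c)
		}
	}()
	return ln.Addr().String(), nil
}

// DeviceConfig is the hardened client side: trust only the pinned vendor root,
// verify the backend name (not whatever IP it resolved to), refuse anything below TLS 1.2.
func DeviceConfig(pinned *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(pinned)
	return &tls.Config{RootCAs: pool, ServerName: cloudHost, MinVersion: tls.VersionTLS12}
}

// WeakConfig is what many shipped devices actually use: verification off, so a rogue
// access point or compromised router can impersonate the cloud. Shown for contrast only.
func WeakConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true} // deliberately insecure
}

// Connect dials and completes the handshake, which is where RootCAs and ServerName
// are enforced; it returns the negotiated protocol version on success.
func Connect(addr string, cfg *tls.Config) (uint16, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, pinned, err := NewServerCert()
	if err != nil {
		panic(err)
	}
	addr, err := StartServer(cert)
	if err != nil {
		panic(err)
	}
	v, err := Connect(addr, DeviceConfig(pinned))
	fmt.Printf("pinned root, right name: tls=0x%04x err=%v\n", v, err)
	spoof := DeviceConfig(pinned)
	spoof.ServerName = "evil.example" // same cert presented under a different name
	_, err = Connect(addr, spoof)
	fmt.Println("pinned root, wrong name:", err)
}
```

Pinning the vendor root (rather than a single leaf) leaves room to rotate backend certificates without a firmware update; pair it with the signed-update mechanism so a compromised root can itself be replaced.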
Enforce Authentication and Authorization
Security Controls
 Ensure role-based access control is in place
 Mandate the use of multi-factor authentication for privileged accounts
 Ensure that a strong password management policy is in place
Summary of Tips for Securing IoT Systems
• Know your technology vendor’s track record
• Update your evaluation process, if necessary
• Invest in security training for all in-house systems staff
• From "Don't Click on Sh*t" to technical/configuration training for IT/Ops teams
• Perform proactive penetration testing
• Obtain right to do so from 3rd-parties
• Adopt a "defense-in-depth" strategy
• e.g., a WAF between IoT devices and the cloud admin app?
• Eliminate all hardcoded default passwords and backdoors
IoT Security Toolkit: https://tinyurl.com/y4zxw577
Engage with Security Professionals
• Have a chat with us
• Bug Bounty Programs
• Non-hostile relationship with "researchers"
• Vulnerability Disclosure Program
• Direct Relationship
• Use as independent 3rd party
• Share info about good/bad ones
Questions?
@AppSec
eadams@securityinnovation.com
Want a whitepaper and/or tip sheet?

GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 

Security Testing for IoT Systems

9. More Recent IoT Trouble
Consumer & Medical Devices
• 465,000 vulnerable pacemakers from St. Jude
  • Implantable cardiac devices have vulnerabilities
  • Unauthorized remote access
  • Deplete battery, change pacing, or deliver shocks
• Owlet WiFi Baby Heart Monitor
  • Alerts parents when babies have heart troubles
  • Connectivity element makes them exploitable
• TRENDnet SecurView Webcam
  • Faulty software → anyone who obtained a camera’s IP address could look through it and listen as well
  • Transmitted user login credentials in clear, readable text
  • Mobile app stored login information in clear, readable text
Best intentions exploited via careless manufacturer configuration

10. Governments & Customers Getting Involved
• FTC vs D-Link: The legal risks of IoT insecurity
  • Lawsuit against D-Link
  • Claims company put thousands of customers at risk
  • Unauthorized access to its IP cameras and routers
• Customers vs John Deere: The business risks of IoT
  • US farmers dispute rights to repair their tractors
  • Tractors contain embedded software (it’s an IoT device)
  • Company issued a new license agreement
  • Prohibits software modification on its tractors
  • Ensures all repairs are done by John Deere contractors

11. Skimmers
• Evolved from mag stripe readers → Bluetooth and cellular transmitters
• Devices keep getting smaller
• Embedded inside pumps and PoS devices
• Future skimmers
  • Embedded devices that don’t steal credit card data but rather attack your networks directly

12. Agenda
• Security Risks of IoT Devices
• Risk-based Testing Essentials
• Weak Links, Soft Spots, Blind Spots
• Securing Our Digital Future

13. Convenience-Risk Trade Offs
• Building in security takes time initially; equates to money
  • Time to market pressures often trump this investment
  • Security can equate to safety in consumer IoT devices
• Ease of setup and operation
  • Consumers want devices to “just work”
  • Quick setup and minimal configuration required
  • Often means little to no authentication, or a default (same for all devices)
• When vulnerabilities are discovered, patching is the answer
  • But IoT patching can be difficult, impossible, and illegal
Consumers demand easy and convenient features, until they backfire

14. Today’s IoT Deployment in Practice
• How is testing IoT different from our other platforms, e.g., web, mobile, cloud? The answer is it’s not very different.
• Most IoT devices are connected to many of the following:
  • Mobile App
  • APIs
  • Cloud Infrastructure
  • Web App
• KEYPOINT: IoT is not a magical technology, but a mash up of many different technologies – and at its core, it’s almost all software
Sources: “International Journal of Web Portals” Ahmedi, Sejdiu, et al; Geoff Vaughan, Security Innovation, Inc.

15. Top 4 IoT Security Weak Points
• Insufficient Security Awareness
  • Humans are the #1 weak point: building, deploying, using
• Weak Physical Security
  • Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access
• Infrequent Updates
  • Firmware, device apps, admin apps/interfaces
  • Expensive and/or remote IoT devices have a long lifespan (difficult to update)
• Weak Data Protection
  • Data at rest/in transit uses weak encryption techniques
  • Lack of dedicated security chips and modules to store sensitive data

16. 3 Must-have IoT Security Considerations
• “Shift left”
  • Think security earlier and more often in system design
• Account for resources that will be able to provide security updates
  • Could be vendor, e.g., maintenance agreement, and/or internal staff, e.g., patching
• KEYPOINT: Every component needs to be tested as part of the ecosystem
  • Not just individual IoT device testing
Sources: “Dr. Dobbs” Larry Smith; Geoff Vaughan, Security Innovation, Inc.

17. Start with “Simple” Questions
• How is the IoT deployed in our organization today, and who owns it or its respective components?
  • IoT inventory and business activity/role
  • Don’t expect the word “IoT” to show up in project docs
• Do we know what data is collected, stored and analyzed? Have we assessed the legal, security and privacy implications?
  • Do governance policies cover data captured at thousands of sensors?
• Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes?
Driven by Key Threats & Attack Surface

18. Start by Assessing IoT Risk/Liability
IoT Connection Chain | Ownership | Threats
Device hardware/firmware | Vendor X | Known vulnerabilities with Vendor products; patching process for Vendor X products
Mobile application | Vendor Y | Secure SDLC activities for Vendor Y
Web application | Us | Our own Secure SDLC activities/process
Information/Data management | Us | Storage and transport of data; where is it encrypted?
Channels of transmission | Telco X | Security guarantees/SLA with Telco X
User authentication/roles | Us | Enumerate each role and authorized activity; authentication for each role

19. US FTC IoT Security Best Practices*
• Build security into devices at the outset, rather than as an afterthought
• Train employees about the importance of security
• Ensure security is managed at an appropriate level in the organization
• Ensure outside service providers are capable of maintaining reasonable security, and provide oversight of providers
• Consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk
• Keep unauthorized users from accessing device data, or personal info
• Monitor connected devices; provide security patches for known risks
* https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

20. Agenda
• Security Risks of IoT Devices
• Risk-based Testing Essentials
• IoT Device Considerations
• Securing Our Digital Future

21. Testing IoT Devices
• ~8-10 very technology-specific areas to consider
  • Component Identification and Classification
  • Static Firmware Analysis
  • Dynamic Debugging
  • Peripheral Hacking
  • Protocols and Data Sniffing: WIFI, BLE, SDR, Cellular, USB
  • Hardware Hacks: JTAG, UART, SPI
• Obtaining the firmware:
  • Obtain from vendor website
  • Web search: support and community forums
  • Reverse the mobile application
  • Sniffing the OTA update mechanism
  • Dumping it from the device
  • Tools such as Binwalk, IDA Pro, Radare2 can be useful
• Similar to other network-based testing:
  • What services are running?
  • What communication protocols are being used?
  • What ports are open?
  • What version is running? Known vulnerability?
Sources: Attify, Security Innovation

22. Agenda
• How Connected Are We?
• Nothing Ever Goes Wrong… Right?
• IoT Device Considerations
• Securing Our Digital Future

23. Top 5 IoT Security Tips
• Secure the Device OS and Firmware
• Ensure Sufficient Data Protection
• Secure the Physical Device
• Secure the Communication Channel
• Enforce Authentication and Authorization

24. Secure the Device OS and Firmware
Security Controls
• Ensure updates are over a secure channel, signed and verified
• Ensure bootloader firmware is secure and has not been tampered with
• Ensure installed bootloader is verified at every stage of the boot sequence
• Ensure device makes use of full disk encryption
• Disable unnecessary services running on the device
• Protect against fuzzing and buffer overflow attacks
• Ensure that binaries are compiled and signed for security

25. Ensure Sufficient Data Protection
Security Controls
• Encrypt data at rest using strong and known encryption techniques
• Ensure device uses dedicated security chips and modules to store sensitive data
• Avoid usage of hard-coded credentials or cryptographic keys
• Do not collect data not essential for device functionality
• Avoid usage of weak, broken, or risky cryptographic algorithms
• Log all secure data access and alter events
• Ensure authentication and authorization to all PII

26. Secure the Physical Device
Security Controls
• Ensure data storage is not directly accessible
• Test debug interfaces (JTAG, UART, etc.) and USB ports for unintended device or data access
• Ensure tamper protection/resistance techniques are in use
• Limit the admin functionalities present on the device

27. Secure the Communication Channel
Security Controls
• Secure the Wi-Fi interface via secure configurations (encryption, password, etc.) and drivers
• Ensure protection against Denial-of-Service (DoS) and fuzzing attacks
• Secure the exposed services and keys during device enrollment
• Audit the file, printer and device sharing mechanism in place regularly
• Secure the Bluetooth interface via secure configurations (discovery modes, PIN, etc.) and drivers
• Verify that secure Bluetooth modes are in use
• Ensure sensitive data is not sent over unencrypted bus lines

28. Enforce Authentication and Authorization
Security Controls
• Ensure role-based access control is currently in place
• Mandate the use of multi-factor authentication for privileged accounts
• Ensure that a strong password management policy is in place

29. Summary of Tips for Securing IoT Systems
• Know your technology vendor’s track record
  • Update your evaluation process, if necessary
• Invest in security training for all in-house systems staff
  • From “Don’t Click on Sh*t” to Technical/Configuration for IT/Ops teams
• Perform proactive penetration testing
  • Obtain the right to do so from 3rd-parties
• Adopt a "defense-in-depth" strategy
  • e.g., WAF between IoT devices and cloud admin app?
• Eliminate all hardcoded default passwords and backdoors
IoT Security Toolkit: https://tinyurl.com/y4zxw577

30. Engage with Security Professionals
• Have a chat with us
• Bug Bounty Programs
  • Non-hostile relationship with “researchers”
• Vulnerability Disclosure Program
• Direct Relationship
  • Use as independent 3rd-party
  • Share info about good/bad ones
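Slide 21 lists static firmware analysis (with Binwalk and similar tools) as one of the testing areas, and slide 25 asks that hard-coded credentials and cryptographic keys be kept out of the device. The scanner below is an added example, not code from the talk or from Security Innovation: it does the first step both slides depend on, walking a dumped image for well-known container magic bytes (uImage, gzip, ELF, SquashFS, cpio) and for patterns that betray embedded secrets (a shadow-style password hash, a PEM private-key header). The image in SampleImage is constructed for the demo; the function names and the regular expressions are assumptions, and the hash and key material in the sample are deliberately fake.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
)

// Finding is one item the scanner reports: what was matched and where.
type Finding struct {
	Offset int
	Kind   string // "container" or "secret"
	Name   string
}

// Well-known magic bytes of containers commonly nested inside firmware
// images (the same idea binwalk applies with a far larger signature set).
var magics = []struct {
	Name  string
	Bytes []byte
}{
	{"uImage header", []byte{0x27, 0x05, 0x19, 0x56}},
	{"gzip stream", []byte{0x1f, 0x8b, 0x08}},
	{"ELF executable", []byte("\x7fELF")},
	{"SquashFS (little-endian)", []byte("hsqs")},
	{"cpio newc archive", []byte("070701")},
}

// Patterns that indicate hard-coded credentials or key material left in
// the image (slide 25). Assumed for this example; tune to the target.
var secretPatterns = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"shadow-style password hash", regexp.MustCompile(`[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:\s]+`)},
	{"PEM private key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

// ScanFirmware reports every container magic and every secret pattern found
// in img, sorted by offset, so the tester can carve each region out next.
func ScanFirmware(img []byte) []Finding {
	var out []Finding
	for _, m := range magics {
		for off := 0; ; {
			i := bytes.Index(img[off:], m.Bytes)
			if i < 0 {
				break
			}
			out = append(out, Finding{off + i, "container", m.Name})
			off += i + 1 // keep scanning past this hit
		}
	}
	for _, p := range secretPatterns {
		for _, loc := range p.Re.FindAllIndex(img, -1) {
			out = append(out, Finding{loc[0], "secret", p.Name})
		}
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Offset < out[b].Offset })
	return out
}

// SampleImage is a constructed stand-in for a dumped flash image: erased
// flash, a uImage header, a gzip payload, an ELF binary, an /etc/shadow
// line with a fake hash, a fake private key, and a SquashFS superblock.
func SampleImage() []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0xff}, 64))  // 0..63: erased flash
	b.Write([]byte{0x27, 0x05, 0x19, 0x56})  // 64: uImage magic
	b.Write(bytes.Repeat([]byte{0x00}, 60))  // rest of the header
	b.Write([]byte{0x1f, 0x8b, 0x08, 0x00})  // 128: gzip member header
	b.Write(bytes.Repeat([]byte{0x00}, 124)) // compressed data (stand-in)
	b.Write([]byte("\x7fELF"))               // 256: ELF binary in the rootfs
	b.Write(bytes.Repeat([]byte{0x00}, 60))
	b.WriteString("root:$1$constructedsalt$notarealhash:0:0:root:/:/bin/sh\n")           // 320
	b.WriteString("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n") // 376
	b.Write([]byte("hsqs"))                  // 450: SquashFS superblock
	return b.Bytes()
}

func main() {
	for _, f := range ScanFirmware(SampleImage()) {
		fmt.Printf("0x%06x  %-9s  %s\n", f.Offset, f.Kind, f.Name)
	}
}
```

On a real image the container hits tell you where to carve (a SquashFS superblock at offset N is the root file system to extract), and any "secret" hit is a finding on its own regardless of what the device does with it; the same pattern list can be run over the mobile app package, which slide 21 names as another place the firmware and its credentials turn up.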

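Slide 24 asks that updates arrive signed and verified and that the bootloader be verified at every stage of the boot sequence. The code below is an added example, not code from the talk or from Security Innovation, showing the device side of that check with Go's standard crypto/ed25519: the vendor signs a small manifest (version plus SHA-256 of the image), the device verifies the signature against a pinned public key, recomputes the image digest, and refuses anything not newer than what is installed (anti-rollback). The manifest layout, the type and function names, and the sample images are assumptions for the demo; a real device keeps the vendor key in ROM or OTP and applies the same three checks to each boot stage before handing control to it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs. Signing a digest rather than the image
// lets the device verify a few bytes first and stream the image afterwards.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// Bytes is the canonical encoding covered by the signature (assumed layout).
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b, m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// Update is the over-the-air package as the device receives it.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Device is the verifier: a pinned vendor key and the installed version.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("update version is not newer than installed")
)

// Verify checks the signature first (it gates everything else), then the
// image digest, then anti-rollback. Only when all three pass would a real
// device write the image to flash.
func (d *Device) Verify(u Update) error {
	if !ed25519.Verify(d.VendorKey, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigest
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	return nil
}

// Apply verifies and, on success, records the new installed version.
func (d *Device) Apply(u Update) error {
	if err := d.Verify(u); err != nil {
		return err
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

// SignUpdate is the vendor build step: hash the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (demo only)
	dev := &Device{VendorKey: pub, InstalledVersion: 3}

	good := SignUpdate(priv, 4, []byte("constructed firmware image v4"))
	fmt.Println("genuine v4:      ", dev.Apply(good))

	tampered := good // same signed manifest, modified image bytes
	tampered.Image = []byte("constructed firmware image v4 with extra bytes")
	fmt.Println("tampered image:  ", dev.Verify(tampered))

	old := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("rollback to v2:  ", dev.Verify(old))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, 5, []byte("constructed image v5"))
	fmt.Println("wrong signing key:", dev.Verify(forged))
}
```

The order of checks matters: an attacker who can replay a genuinely signed but older image is stopped by the version check, one who edits the image is stopped by the digest, and one who edits the manifest is stopped by the signature; the "secure channel" on slide 24 protects confidentiality in transit but none of these three properties, which is why signing is listed separately.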
Editor's Notes

  1. All of our devices are conveniently connected and able to communicate with each other, either via central control systems or with some consumption device like your phone or tablet. Getting too hot? Just have your thermostat signal your blinds to close. Speak into your phone and have your front door unlock. Washing machine in need of a check-up? It can request service by itself through an API call.
     Loaded with attack vectors:
     • Cloud apps and wireless networks accessible by others
     • Distributed devices may be used for email, DDoS, and other applications subjected to social engineering
     • Devices may be accessible by unknown/unauthorized people
     • Devices may have open connections
     • Devices likely lack encryption
     • Physical interfaces on the devices leak sensitive data
     • Debug ports lead to privileged access on the device
     • Radio and network communication protocols can be exploited
     • Weak firmware security can lead to device compromise
  2. Summary - Friday, October 21, 2016 - Dyn (the company that controls much of the internet's domain name system infrastructure) came under attack by two large and complex Distributed Denial of Service (DDoS) attacks against its Managed DNS infrastructure. High flood of TCP and UDP traffic, both with destination port 53 (the DNS port), from a large number of source IP addresses. When the service went down, legitimate devices started trying to reconnect to the services. This made it difficult to differentiate between real and fake requests. Many devices had no login credentials; others had a default username-password; the “tough” ones to crack were easily brute-forced by Mirai. Mirai is open-source software, freely available.
  3. St. Jude/Abbott: The wireless protocol (RF) used had serious security vulnerabilities that could be exploited by unauthorized attackers (from as far as 10 ft away, but the range can be extended with off-the-shelf parts). The unauthorized commands could modify device settings (e.g., stop pacing), deliver shocks or impact device functionality. Owlet WiFi Baby Heart Monitor: a sensor that babies wear in a sock that monitors their heartbeat and relays that data wirelessly to parents' smartphones if anything is amiss. The vulnerability was that the device created its own base station, which is basically an unlocked Wi-Fi network that anyone can join. After joining, attackers can monitor a stranger's baby and prevent alerts from being sent out.
  4. We conduct trainings at well-known conferences like Black Hat. That way they can trust that we know what we are talking about. Most organizations don’t have sufficient in-house expertise to keep their IoT systems secure day in and day out. Developers, testers, operators, and system administrators often lack the training to identify common vulnerabilities, understand why they’re dangerous, and mitigate their risks. Without this in-house security expertise, IT staff don’t recognize system vulnerabilities until after a hack or breach occurs. People can’t protect themselves if they don’t understand the threat. In addition to this lack of in-house knowledge, when organizations deploy IoT systems, they’re also typically constricted by tight deadlines and inadequate in-house experience. These combined constraints, coupled with complex documentation and deployment processes, will inevitably leave systems unsecured and vulnerable to hacks and breaches.
     Weak Physical Security – Opening up an IoT device, you can find test pads. These may be debug ports like JTAG or UART. In the past we’ve encountered devices that directly drop us to “root” when we connect hardware tools to them (e.g., http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/ and https://blog.malwarebytes.com/security-world/2014/02/uart-root-shell-on-commercial-devices/). This is pretty common in our projects too.
     Updating firmware on IoT devices can be a daunting task. It’s understandable that an organization may want to avoid the hassle and potential business risk of updating firmware regularly, especially if the business doesn’t have trusted processes in place. But firmware releases often contain critical security updates. By skipping releases, not only does an IoT infrastructure get out of date; it also becomes vulnerable to threats.
     IoT devices tend to have a much longer lifespan than typical software applications, largely because they are physical devices, some of which have relatively high capital costs (think refrigerators and TVs). The legacy systems supporting these devices can be difficult to keep up to date, and may have vulnerabilities that can't easily be patched due to legacy design issues or a lack of vendor support.
  6. How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization.
     Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns?
     Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organizations or other organizations? Is there a risk that our devices sold to others could be compromised on a large scale? One well-publicized example was the utilization of thousands of internet-connected devices as part of a denial of service attack on Dyn in October of 2016.
  7. Go back to the Attack Surface list and start identifying who owns what. Then discuss threats for each piece of the IoT chain. Finally, discuss steps to mitigate each threat identified.
  8. If you’re investing in new IoT technology, perform due diligence to understand whether the vendor comes with a history of insecure firmware, inadequate responses to public vulnerability reports, or any kind of lax attitude towards security. If so, find a different vendor.
     In-house expertise and sound internal processes can help prevent human error and ensure systems are secure. However, because they can't prevent what they don't know, developers need to understand common vulnerabilities before they can avoid them. When planning your initial security spending priorities, ensuring the security knowledge of your in-house staff will be your best line of defense, and will deliver your best security value overall. Remember that if you’re switching to a new IoT technology platform, your operations, system admins, testers, and others have to be ramped up on the new technology. They’ll also need to draft new systems deployment, configuration, and verification guidelines.
     Organizations, particularly those with high-risk applications, need to undergo regular penetration testing – before product launch (for manufacturers) and before product deployment (for customers). Too often, penetration testing doesn’t happen until after a breach, public disclosure, or other event that tarnishes a company’s brand or leaks customer data.
     IT managers can mistakenly assume that their firewalls, network segmentation, and perimeter defenses will be enough to secure their IoT assets. As a result, they fail to prioritize application security on the devices themselves, leaving gaping security holes. The IoT firmware, applications that run on the IoT devices, communication to outside resources, and servers (to which IoT devices upload data) all need to be secured.
     Device firmware sometimes includes default credentials or “administrative backdoors.” While these “features” may make it easier to troubleshoot potential problems on the devices, they also create a large attack surface for hackers. The safest solution is to adopt the more secure key-based and multi-factor forms of authentication.
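Editor's note 2 describes what Dyn saw: a flood of TCP and UDP traffic to destination port 53 from a very large number of source addresses. The detector below is an added example, not part of the talk or of Security Innovation's material, showing the simplest form of the defensive signal that pattern leaves: it buckets port-53 flows into fixed windows and alerts when a window contains far more distinct sources, or far more packets, than the baseline. The Flow record layout, the thresholds, and the trace built by SampleFlows (a few legitimate resolvers, then 200 constructed bot addresses) are assumptions for the demo; a real deployment derives the thresholds from the resolver's own observed baseline.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one sampled packet or flow record: time (seconds), source address,
// transport protocol and destination port. Constructed format for the demo.
type Flow struct {
	T       int
	SrcIP   string
	Proto   string // "udp" or "tcp"
	DstPort int
}

// Alert describes a window in which port-53 traffic left the baseline.
type Alert struct {
	WindowStart  int
	Packets      int
	DistinctSrcs int
	Reason       string
}

// Thresholds per 10-second window. Assumed values; tune from real baselines.
const (
	window     = 10
	maxPackets = 200
	maxSources = 50
)

// DetectDNSFlood counts packets and distinct sources per window for traffic
// to port 53 over UDP or TCP. The distinct-source test is checked first
// because the Dyn pattern is many sources each sending a little, which a
// per-source rate limit alone would never trip.
func DetectDNSFlood(flows []Flow) []Alert {
	type bucket struct {
		packets int
		srcs    map[string]int
	}
	buckets := map[int]*bucket{}
	for _, f := range flows {
		if f.DstPort != 53 || (f.Proto != "udp" && f.Proto != "tcp") {
			continue
		}
		w := f.T / window * window
		b := buckets[w]
		if b == nil {
			b = &bucket{srcs: map[string]int{}}
			buckets[w] = b
		}
		b.packets++
		b.srcs[f.SrcIP]++
	}
	var alerts []Alert
	for w, b := range buckets {
		reason := ""
		switch {
		case len(b.srcs) > maxSources:
			reason = "distributed source flood"
		case b.packets > maxPackets:
			reason = "volumetric flood"
		}
		if reason != "" {
			alerts = append(alerts, Alert{w, b.packets, len(b.srcs), reason})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].WindowStart < alerts[j].WindowStart })
	return alerts
}

// SampleFlows builds a constructed trace: 30 s of normal traffic from five
// recursive resolvers (one query per second each), then 10 s in which 200
// distinct addresses each send a single port-53 packet.
func SampleFlows() []Flow {
	var flows []Flow
	for t := 0; t < 30; t++ {
		for i := 0; i < 5; i++ {
			flows = append(flows, Flow{t, fmt.Sprintf("192.0.2.%d", i+1), "udp", 53})
		}
	}
	for t := 30; t < 40; t++ {
		for i := 0; i < 20; i++ {
			flows = append(flows, Flow{t, fmt.Sprintf("203.0.113.%d", (t-30)*20+i), "udp", 53})
		}
	}
	return flows
}

func main() {
	for _, a := range DetectDNSFlood(SampleFlows()) {
		fmt.Printf("t=%ds: %s (%d packets from %d sources)\n",
			a.WindowStart, a.Reason, a.Packets, a.DistinctSrcs)
	}
}
```

The note also explains why this signal alone is not enough: once the service fell over, legitimate clients retrying all at once also look like "many sources, many packets". Separating the two needs a second dimension, such as whether each source retries at the bounded rate a real resolver uses and asks for names the zone actually serves, which is the direction a production detector extends this window counter.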