SlideShare uma empresa Scribd logo

The Internet of Things: We've Got to Chat

Duo Security
Duo Security

BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014 Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly

Tecnologia
1 de 37
Baixar para ler offline
The Internet Of Things
 We’ve Got To Chat
Introduction Mark Stanislav Security Evangelist Zach Lanier Sr. Security Researcher
The Internet of Things
About The Internet Of Things “The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”, Gartner IT Glossary1 “Machine to machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type.”, Wikipedia2
 IoT Growth Estimates * Gartner: 26 billion units by 20203 * ABI Research: 30 billion units by 20204 4. https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne 3. http://www.gartner.com/newsroom/id/26360731. http://www.gartner.com/it-glossary/internet-of-things/ 2. http://en.wikipedia.org/wiki/Internet_of_Things
There’s A Shift Underway You Should Know About • The IoT growth that we’re all expecting won’t just be from large vendors like Belkin, TRENDnet, Cisco, and Ericsson • Postscapes1 and Wolfram Alpha2 list a few hundred IoT-related companies, most of which you’ve likely never heard of • Crowd-funding web sites are going to produce many of the newest IoT devices we all want to use • Entrepreneurs likely have no experience with information security, nor the budget to afford help • They also won’t know what a “security researcher” is or why you’re contacting them… 1. http://postscapes.com/companies/ 2. http://devices.wolfram.com
The Internet of Things “Line of Insanity”TM Sane Reasonable InsaneQuestionable Egg TrayIP Camera Door LockDoor Bell
Cheap Hardware, Unlimited Possibilities Electric Imp ($25) Gumstix ($169) Arduino ($75) Raspberry Pi ($35)Intel Quark ($?)
Plenty Of Choices, How Do You Determine Security? Philips ($60) LimitlessLED ($23)INSTEON ($30) Vendors could each use different hardware, software, APIs, third-party service providers, and patching mechanisms
The Government Is Watching January 8th, 2014 FTC Commissioner Maureen Ohlhausen sits on panel at CES about IoT3 November 21st, 2013 Internet of Things - Privacy and Security in a Connected World Workshop2 February 7th, 2014 FTC approves final order settling charges against TRENDnet, Inc.4 June 3rd, 2013 Software & Information Industry Association asks FTC to be careful with IoT1 1. https://www.siia.net/blog/index.php/2013/06/siia-to-ftc-internet-of-things-requires-technology-neutral-policies-and-flexible-privacy-framework/ 3. http://www.adweek.com/news/technology/will-washington-move-quickly-regulate-internet-things-154863 2. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world 4. http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc February 18th, 2014 US CERT works with IOActive to resolve Belkin WeMo vulnerabilities5 5. http://www.kb.cert.org/vuls/id/656302
A Case Study in IoT Failure - IZON
IoT Ecosystem
CrowdFunding & IoT Pinoccio Wunderbar KoolThings Twine Knut Tessel Canary Piper
Challenges Faced
What’s Better Than One Vulnerable Device? Interconnected Vulnerable Devices! • If-This-Then-That (IFTTT) supports over 80 platforms, services, and devices • Allows for event-based actions across disparate technologies • If the CO2 in this room is unsafe, change my lightbulb to be red to warn me • This behavior will become a consumer expectation rather than merely a “nice to have”
Challenges •Hardware security •Software security •Comms/Network security •Platform security •User awareness & behavior •Vulnerability handling & disclosure awareness
Challenges: Hardware Security • Many devices use generic SoCs/boards • Quick development, few security features • i.e. “HW hacking made easy” - serial consoles, FW dumping/ JTAGs, etc. • HW-based trusted execution and HSMs are practically nil • Prevalence/distribution of same components, firmware, etc. means one bug could affect many products • Little expertise required to design, build, and ship an “IoT Product”
Challenges: Hardware Security (Cont’d…) + =+ Least common denominator: Logic analyzer Bus Pirate UART headers Console!
Challenges: Software Security • Development environments don’t necessarily make security controls/options “clear” • Selected platform may drive/ restrict language choices % grep -Er "s(mem|str)cpy(" .
 …
 ./apps/http-post-auth/http-post-auth.c: strcpy(s->message, "status=");
 ./apps/http-post-auth/http-post-auth.c: strcpy(&s->message[7], msg);
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/ping6/ping6.c: memcpy(command, (void *)"ping6", 5);
 ./apps/rest-coap/coap-common.c: memcpy(
 ./apps/rest-coap/coap-common.c: memcpy((char*)&buffer[index], option->value, option->len);
 ./apps/rest-coap/coap-common.c: memcpy(&buffer[index], packet->payload, packet->payload_len);
 ./apps/rest-coap/coap-server.c: memcpy(option->value, value, len);
 ./apps/rest-common/buffer.c: memcpy(buffer, data, len);
 ./apps/rest-common/buffer.c: strcpy(buffer, text);
 ./apps/rest-common/rest-util.c: memcpy(p + 4 - size, buf, size);
 ./apps/rest-common/rest-util.c: memcpy(buf, ((char*)(&data)) + 4 - size, size);
 ./apps/rest-common/rest.c: memcpy(temp_etag, etag, size);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, value);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, buffer);
 ./apps/rest-http/http-server.c: memcpy(buffer + index, response->payload, response->payload_len); • “Me write Python/Ruby/ Node/… pretty one day” (or worse, C) • History repeating…? Quick grep for potentially dangerous functions in someone’s Contiki project
Challenges: Software Security (Cont’d…) • Selected platform often locks dev/ vendor into given OS choice • Proprietary OSes (such as ElectricImp) - don’t peek inside the black box! • Linux, Contiki, QNX, et. al (all with their own issues) • Little consideration given to least- priv, mitigations, hardening, etc. • Third-party dependencies • Inherited bugs/attack surface Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Bro, do you even randomize?
Challenges: Software Security Cont’d • iOS/Android/other mobile apps with their own security issues • See also “OWASP Mobile Top 10 Risks” • Developer naïveté:
 “HOW COULD/WHY WOULD YOU DO THIS? IT WASN’T SHOWN IN THE MOBILE APP USER INTERFACE!” “Relayr says that developers can have their first Internet of Things App up and running in less than 10 minutes”
Challenges: Comms/Network Security • WiFi goofiness (“device as AP”, no WPA, exploitable behavior, etc.) • Plaintext protocols or poor crypto at transport layer • …or lack of cert pinning where SSL/TLS actually used • Unprotected FW updates/downloads • Otherwise seemingly unnecessary services listening • Telnet, SSH, FTP, you name it… • Shared accounts/auth material for “support” or updates • Use of technologies such as ZigBee and cellular introduce additional security considerations
Example: Sparqee Cell "Cellular made easy"
Wat? TRUST US WITH CREDENTIALS TO YOUR CLEARTEXT PROTOCOL SERVERS
Example: GoPro WiFi Remote • Remote acts as access point, camera acts as mobile station • Remote/AP does not use any security - totally open • Camera scans for HERO-RC- XXXXXX (where XX... are the last three octets of the BSSID/ MAC of the remote) • Prefers known BSSID, but can be configured to “pair” with new remote Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. 8484/udp OO se lc lc lc + bitmap se lc lc + bitmap ... sh sh ConversationScan for "HERO-RC-XXXXXX" HERO-RC-123456HERO-RC-123456 WiFi RC Fake AP/Evil twin GoPro Camera
Example: “Home Automation Gateway” Magical cloud service/site M ZigBee ZigBee ZigBee HTTPS HTTPS HTTPS Mobile app Web browser "Gateway" Lights Pool pump Automated cat entertainment toyXSS, CSRF, auth bugs, etc. Key extraction, replay, injection, etc. Unfettered console access, no priv sep for services, same "support" creds on multiple devices Linux-based gateway talks RESTful HTTP to “cloud”-based service, receives commands (schedules, metering data, etc.), relays commands to smart plugs/meters via ZigBee
Challenges: Platform* Security • Everything that uses an HTTP GET/POST has become an “API” to the average developer • Authentication? Signed requests? Unlikely. • Input manipulation is a less obvious concern when developers do mobile and embedded • Yup… OWASP {Mobile,Web} Top 10 • Leveraging third-party service providers introduce exponential complexities and further increases potential attack surface • Quick & Dirty cloud infrastructure yields poor accessibility and potentially confidentiality * for our purposes “Platform” also includes supporting infrastructure, services, frameworks, etc.
Real-World IoT Failures TRENDnet, January 20121 Various IP camera products would allow anyone with a generic URL to access the camera’s live feed without requiring authentication Belkin, July 20122 The WeMo Switch allowed for UPnP actions (e.g. power cycle) that didn’t require authentication to be performed to do so Philips, August 20133 The Hue Lighting System utilized the MD5 hash of the MAC address of an authorized system as a “secret token” to control the platform 1. http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html 2. http://www.issackelly.com/blog/2012/07/30/wemo-hacking/ 3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
Real-World IoT Failures, cont’d IZON, October 20131 Video clips of “alerts” were saved in an AWS S3 bucket unencrypted, with no access control preventing someone from viewing the file [Redacted], December 20132
 API call to purchase in-app credits for service was done without purchase verification and via clear-text HTTP calls Belkin, February 20143 The WeMo Home Automation API allowed XML injection (XXE) allowing for the potential revealing of filesystem contents 1. https://speakerdeck.com/mstanislav/eyes-on-izon-surveilling-ip-camera-security 3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html 2. [Redacted] =)
User Awareness & Behavior • Users may not know (let alone care) how to update device firmware or apps • Disparity in management: web console v. mobile app v. physical “update” button • Also they just want to use the !@#$ thing now! • Lack of feedback or notification for updates or errors • How does a user know their IoT device was updated or, worse, compromised?
Vulnerability Handling & Disclosure Awareness • Small vendors (and some big ones) fail to get it, or just simply don’t know • “But, why would anyone want to hack this device? And why would they want to tell us or talk about it publicly?” • Few-to-no resources for small vendors to handle this • Nascency of “IoT” means some researchers may not know either • And we’d like for them to stay out of jail
A New Initiative
Announcing BuildItSecure.ly Our Mission 
 • Provide resources, guidance, community for small IoT developers/builders to make informed security decisions • Incentivize vulnerability research and reporting for these devices ! Our Goal
 Help secure the "Internet of Things” ! This ISN’T…
 • “saving the world” • something that’s happening tomorrow
BuildItSecure.ly Phase 1 - Build Out • Establish a core team of advisors and content contributors • Curate secure development documents and disclosure guidelines • Build new diagrams, flow charts, info graphics to transfer knowledge • Form relationships with crowd-funding sites, IoT-centric hardware vendors/platform providers, and other relevant organizations Gather Advisors & Contributors Collect/build and share resources Establish relationships w/vendors, funding sites
BuildItSecure.ly Phase 2 - Rewards/Incentives • Build a reporting and reward/ incentive program • Partnering with Bugcrowd on this • Rewards could include: • Recognition • Monetary reward • Device reward • Schwag!
Conclusion
Conclusion • Very few green fields in infosec to impact early on • IoT at this level is still malleable • Much work to be done, but we can leverage lessons learned in the past • BuildItSecure.ly could help keep IoT from spinning any further out of control • Plus, it’ll be fun!
Thanks! Questions? Mark Stanislav mstanislav@duosecurity.com
 @markstanislav
 Zach Lanier zach@duosecurity.com
 @quine http://BuildItSecure.ly/ @BuildItSecurely

Recomendados

IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai RevisitedClare Nelson, CISSP, CIPP-E
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
IoT Honeypots: State of the Art
IoT Honeypots: State of the ArtIoT Honeypots: State of the Art
IoT Honeypots: State of the ArtBiagio Botticelli
 
beware of Thing Bot
beware of Thing Botbeware of Thing Bot
beware of Thing BotBellaj Badr
 
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT SecurityCableLabs
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsSecurity Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsDesign World
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014Brian Knopf
 

Recomendados

IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai RevisitedClare Nelson, CISSP, CIPP-E
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
IoT Honeypots: State of the Art
IoT Honeypots: State of the ArtIoT Honeypots: State of the Art
IoT Honeypots: State of the ArtBiagio Botticelli
 
beware of Thing Bot
beware of Thing Botbeware of Thing Bot
beware of Thing BotBellaj Badr
 
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT SecurityCableLabs
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsSecurity Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsDesign World
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014Brian Knopf
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016William Slater III
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamAmit Rohatgi
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of ThingsRishabh Sharma
 
IoT Security: Cases and Methods
IoT Security: Cases and MethodsIoT Security: Cases and Methods
IoT Security: Cases and MethodsLeonardo De Moura Rocha Lima
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015Daniel Miessler
 
Protecting your home and office in the era of IoT
Protecting your home and office in the era of IoTProtecting your home and office in the era of IoT
Protecting your home and office in the era of IoTMarian Marinov
 
IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 Tonex
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoTJinia Bhowmik
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeAPNIC
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking BadNUS-ISS
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
RAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan BansalRAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan BansalOWASP Delhi
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoTVasco Veloso
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsDaniel Miessler
 
Konfigurasi elektron
Konfigurasi elektronKonfigurasi elektron
Konfigurasi elektronRizky Hilman
 
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloA Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloDuo Security
 

Mais conteúdo relacionado

Mais procurados

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016William Slater III
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamAmit Rohatgi
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of ThingsRishabh Sharma
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015Daniel Miessler
 
Protecting your home and office in the era of IoT
Protecting your home and office in the era of IoTProtecting your home and office in the era of IoT
Protecting your home and office in the era of IoTMarian Marinov
 
IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 Tonex
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoTJinia Bhowmik
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeAPNIC
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking BadNUS-ISS
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
RAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan BansalRAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan BansalOWASP Delhi
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoTVasco Veloso
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsDaniel Miessler
 

Mais procurados (20)

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you Spam
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of Things
 
IoT Security: Cases and Methods
IoT Security: Cases and MethodsIoT Security: Cases and Methods
IoT Security: Cases and Methods
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
Protecting your home and office in the era of IoT
Protecting your home and office in the era of IoTProtecting your home and office in the era of IoT
Protecting your home and office in the era of IoT
 
IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoT
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of Things
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 
RAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan BansalRAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan Bansal
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoT
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of Things
 

Destaque

Konfigurasi elektron
Konfigurasi elektronKonfigurasi elektron
Konfigurasi elektronRizky Hilman
 
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloA Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloDuo Security
 
7141 bab iii_konfigurasi_elektron
7141 bab iii_konfigurasi_elektron7141 bab iii_konfigurasi_elektron
7141 bab iii_konfigurasi_elektronRizky Hilman
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
Probing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin MullinerProbing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin MullinerDuo Security
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...Duo Security
 
The Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third PartyThe Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third PartyDuo Security
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerSecuring Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerDuo Security
 
No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10Duo Security
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongDuo Security
 
Sifat keperiodikan
Sifat keperiodikanSifat keperiodikan
Sifat keperiodikanRizky Hilman
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesDuo Security
 
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Duo Security
 
Konfigurasi elektron-dalam-atom1
Konfigurasi elektron-dalam-atom1Konfigurasi elektron-dalam-atom1
Konfigurasi elektron-dalam-atom1Rizky Hilman
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Duo Security
 
Konfigurasi elektron
Konfigurasi elektronKonfigurasi elektron
Konfigurasi elektronRizky Hilman
 

Destaque (16)

Konfigurasi elektron
Konfigurasi elektronKonfigurasi elektron
Konfigurasi elektron
 
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic RizzoloA Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
 
7141 bab iii_konfigurasi_elektron
7141 bab iii_konfigurasi_elektron7141 bab iii_konfigurasi_elektron
7141 bab iii_konfigurasi_elektron
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
Probing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin MullinerProbing Mobile Operator Networks - Collin Mulliner
Probing Mobile Operator Networks - Collin Mulliner
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
 
The Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third PartyThe Real Deal of Android Device Security: The Third Party
The Real Deal of Android Device Security: The Third Party
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerSecuring Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
 
No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10No Apology Required: Deconstructing BB10
No Apology Required: Deconstructing BB10
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
 
Sifat keperiodikan
Sifat keperiodikanSifat keperiodikan
Sifat keperiodikan
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the Headlines
 
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...
 
Konfigurasi elektron-dalam-atom1
Konfigurasi elektron-dalam-atom1Konfigurasi elektron-dalam-atom1
Konfigurasi elektron-dalam-atom1
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
 
Konfigurasi elektron
Konfigurasi elektronKonfigurasi elektron
Konfigurasi elektron
 

Semelhante a The Internet of Things: We've Got to Chat

IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and ChallengesOWASP Delhi
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalFrank Siepmann
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?T.Rob Wyatt
 
Security challenges for internet of things
Security challenges for internet of thingsSecurity challenges for internet of things
Security challenges for internet of thingsMonika Keerthi
 
Dissecting internet of things by avinash sinha
Dissecting internet of things by avinash sinhaDissecting internet of things by avinash sinha
Dissecting internet of things by avinash sinhaAvinash Sinha
 
Internet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisInternet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisDaksh Raj Chopra
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...IJCSIS Research Publications
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxmariuse18nolet
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
Final Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxFinal Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxvoversbyobersby
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsJay Nagar
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxvrickens
 
All The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected DevicesAll The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected DevicesJohn D. Johnson
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerProduct of Things
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 
Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxWritten by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxjeffevans62972
 
Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxWritten by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxodiliagilby
 

Semelhante a The Internet of Things: We've Got to Chat (20)

IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and Challenges
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?
 
Security challenges for internet of things
Security challenges for internet of thingsSecurity challenges for internet of things
Security challenges for internet of things
 
Dissecting internet of things by avinash sinha
Dissecting internet of things by avinash sinhaDissecting internet of things by avinash sinha
Dissecting internet of things by avinash sinha
 
Internet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security AnalysisInternet of things (IoT) Architecture Security Analysis
Internet of things (IoT) Architecture Security Analysis
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
Final Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxFinal Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docx
 
pptt.pptx
pptt.pptxpptt.pptx
pptt.pptx
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security Controls
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
 
All The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected DevicesAll The Things: Security, Privacy & Safety in a World of Connected Devices
All The Things: Security, Privacy & Safety in a World of Connected Devices
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.Prabhakaran
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 
Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxWritten by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docx
 
Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxWritten by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docx
 

Último

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Último (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

The Internet of Things: We've Got to Chat

  • 1. The Internet Of Things
 We’ve Got To Chat
  • 4. About The Internet Of Things “The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”, Gartner IT Glossary1 “Machine to machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type.”, Wikipedia2
 IoT Growth Estimates * Gartner: 26 billion units by 20203 * ABI Research: 30 billion units by 20204 4. https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne 3. http://www.gartner.com/newsroom/id/26360731. http://www.gartner.com/it-glossary/internet-of-things/ 2. http://en.wikipedia.org/wiki/Internet_of_Things
  • 5. There’s A Shift Underway You Should Know About • The IoT growth that we’re all expecting won’t just be from large vendors like Belkin, TRENDnet, Cisco, and Ericsson • Postscapes1 and Wolfram Alpha2 list a few hundred IoT-related companies, most of which you’ve likely never heard of • Crowd-funding web sites are going to produce many of the newest IoT devices we all want to use • Entrepreneurs likely have no experience with information security, nor the budget to afford help • They also won’t know what a “security researcher” is or why you’re contacting them… 1. http://postscapes.com/companies/ 2. http://devices.wolfram.com
  • 6. The Internet of Things “Line of Insanity”TM Sane Reasonable InsaneQuestionable Egg TrayIP Camera Door LockDoor Bell
  • 7. Cheap Hardware, Unlimited Possibilities Electric Imp ($25) Gumstix ($169) Arduino ($75) Raspberry Pi ($35)Intel Quark ($?)
  • 8. Plenty Of Choices, How Do You Determine Security? Philips ($60) LimitlessLED ($23)INSTEON ($30) Vendors could each use different hardware, software, APIs, third-party service providers, and patching mechanisms
  • 9. The Government Is Watching January 8th, 2014 FTC Commissioner Maureen Ohlhausen sits on panel at CES about IoT3 November 21st, 2013 Internet of Things - Privacy and Security in a Connected World Workshop2 February 7th, 2014 FTC approves final order settling charges against TRENDnet, Inc.4 June 3rd, 2013 Software & Information Industry Association asks FTC to be careful with IoT1 1. https://www.siia.net/blog/index.php/2013/06/siia-to-ftc-internet-of-things-requires-technology-neutral-policies-and-flexible-privacy-framework/ 3. http://www.adweek.com/news/technology/will-washington-move-quickly-regulate-internet-things-154863 2. http://www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world 4. http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc February 18th, 2014 US CERT works with IOActive to resolve Belkin WeMo vulnerabilities5 5. http://www.kb.cert.org/vuls/id/656302
  • 10. A Case Study in IoT Failure - IZON
  • 14. What’s Better Than One Vulnerable Device? Interconnected Vulnerable Devices! • If-This-Then-That (IFTTT) supports over 80 platforms, services, and devices • Allows for event-based actions across disparate technologies • If the CO2 in this room is unsafe, change my lightbulb to be red to warn me • This behavior will become a consumer expectation rather than merely a “nice to have”
  • 15. Challenges •Hardware security •Software security •Comms/Network security •Platform security •User awareness & behavior •Vulnerability handling & disclosure awareness
  • 16. Challenges: Hardware Security • Many devices use generic SoCs/boards • Quick development, few security features • i.e. “HW hacking made easy” - serial consoles, FW dumping/ JTAGs, etc. • HW-based trusted execution and HSMs are practically nil • Prevalence/distribution of same components, firmware, etc. means one bug could affect many products • Little expertise required to design, build, and ship an “IoT Product”
  • 17. Challenges: Hardware Security (Cont’d…) + =+ Least common denominator: Logic analyzer Bus Pirate UART headers Console!
  • 18. Challenges: Software Security • Development environments don’t necessarily make security controls/options “clear” • Selected platform may drive/ restrict language choices % grep -Er "s(mem|str)cpy(" .
 …
 ./apps/http-post-auth/http-post-auth.c: strcpy(s->message, "status=");
 ./apps/http-post-auth/http-post-auth.c: strcpy(&s->message[7], msg);
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/irc/irc.c: memcpy(log, &log[LOG_WIDTH], LOG_WIDTH * (LOG_HEIGHT - 1));
 ./apps/ping6/ping6.c: memcpy(command, (void *)"ping6", 5);
 ./apps/rest-coap/coap-common.c: memcpy(
 ./apps/rest-coap/coap-common.c: memcpy((char*)&buffer[index], option->value, option->len);
 ./apps/rest-coap/coap-common.c: memcpy(&buffer[index], packet->payload, packet->payload_len);
 ./apps/rest-coap/coap-server.c: memcpy(option->value, value, len);
 ./apps/rest-common/buffer.c: memcpy(buffer, data, len);
 ./apps/rest-common/buffer.c: strcpy(buffer, text);
 ./apps/rest-common/rest-util.c: memcpy(p + 4 - size, buf, size);
 ./apps/rest-common/rest-util.c: memcpy(buf, ((char*)(&data)) + 4 - size, size);
 ./apps/rest-common/rest.c: memcpy(temp_etag, etag, size);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, value);
 ./apps/rest-http/http-server.c: strcpy(current_header->value, buffer);
 ./apps/rest-http/http-server.c: memcpy(buffer + index, response->payload, response->payload_len); • “Me write Python/Ruby/ Node/… pretty one day” (or worse, C) • History repeating…? Quick grep for potentially dangerous functions in someone’s Contiki project
  • 19. Challenges: Software Security (Cont’d…) • Selected platform often locks dev/ vendor into given OS choice • Proprietary OSes (such as ElectricImp) - don’t peek inside the black box! • Linux, Contiki, QNX, et. al (all with their own issues) • Little consideration given to least- priv, mitigations, hardening, etc. • Third-party dependencies • Inherited bugs/attack surface Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Bro, do you even PIE? Bro, do you even randomize?
  • 20. Challenges: Software Security Cont’d • iOS/Android/other mobile apps with their own security issues • See also “OWASP Mobile Top 10 Risks” • Developer naïveté:
 “HOW COULD/WHY WOULD YOU DO THIS? IT WASN’T SHOWN IN THE MOBILE APP USER INTERFACE!” “Relayr says that developers can have their first Internet of Things App up and running in less than 10 minutes”
  • 21. Challenges: Comms/Network Security • WiFi goofiness (“device as AP”, no WPA, exploitable behavior, etc.) • Plaintext protocols or poor crypto at transport layer • …or lack of cert pinning where SSL/TLS actually used • Unprotected FW updates/downloads • Otherwise seemingly unnecessary services listening • Telnet, SSH, FTP, you name it… • Shared accounts/auth material for “support” or updates • Use of technologies such as ZigBee and cellular introduce additional security considerations
  • 23. Wat? TRUST US WITH CREDENTIALS TO YOUR CLEARTEXT PROTOCOL SERVERS
  • 24. Example: GoPro WiFi Remote • Remote acts as access point, camera acts as mobile station • Remote/AP does not use any security - totally open • Camera scans for HERO-RC- XXXXXX (where XX... are the last three octets of the BSSID/ MAC of the remote) • Prefers known BSSID, but can be configured to “pair” with new remote Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. 8484/udp OO se lc lc lc + bitmap se lc lc + bitmap ... sh sh ConversationScan for "HERO-RC-XXXXXX" HERO-RC-123456HERO-RC-123456 WiFi RC Fake AP/Evil twin GoPro Camera
  • 25. Example: “Home Automation Gateway” Magical cloud service/site M ZigBee ZigBee ZigBee HTTPS HTTPS HTTPS Mobile app Web browser "Gateway" Lights Pool pump Automated cat entertainment toyXSS, CSRF, auth bugs, etc. Key extraction, replay, injection, etc. Unfettered console access, no priv sep for services, same "support" creds on multiple devices Linux-based gateway talks RESTful HTTP to “cloud”-based service, receives commands (schedules, metering data, etc.), relays commands to smart plugs/meters via ZigBee
  • 26. Challenges: Platform* Security • Everything that uses an HTTP GET/POST has become an “API” to the average developer • Authentication? Signed requests? Unlikely. • Input manipulation is a less obvious concern when developers do mobile and embedded • Yup… OWASP {Mobile,Web} Top 10 • Leveraging third-party service providers introduce exponential complexities and further increases potential attack surface • Quick & Dirty cloud infrastructure yields poor accessibility and potentially confidentiality * for our purposes “Platform” also includes supporting infrastructure, services, frameworks, etc.
  • 27. Real-World IoT Failures TRENDnet, January 20121 Various IP camera products would allow anyone with a generic URL to access the camera’s live feed without requiring authentication Belkin, July 20122 The WeMo Switch allowed for UPnP actions (e.g. power cycle) that didn’t require authentication to be performed to do so Philips, August 20133 The Hue Lighting System utilized the MD5 hash of the MAC address of an authorized system as a “secret token” to control the platform 1. http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html 2. http://www.issackelly.com/blog/2012/07/30/wemo-hacking/ 3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
  • 28. Real-World IoT Failures, cont’d IZON, October 20131 Video clips of “alerts” were saved in an AWS S3 bucket unencrypted, with no access control preventing someone from viewing the file [Redacted], December 20132
 API call to purchase in-app credits for service was done without purchase verification and via clear-text HTTP calls Belkin, February 20143 The WeMo Home Automation API allowed XML injection (XXE) allowing for the potential revealing of filesystem contents 1. https://speakerdeck.com/mstanislav/eyes-on-izon-surveilling-ip-camera-security 3. http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html 2. [Redacted] =)
  • 29. User Awareness & Behavior • Users may not know (let alone care) how to update device firmware or apps • Disparity in management: web console v. mobile app v. physical “update” button • Also they just want to use the !@#$ thing now! • Lack of feedback or notification for updates or errors • How does a user know their IoT device was updated or, worse, compromised?
  • 30. Vulnerability Handling & Disclosure Awareness • Small vendors (and some big ones) fail to get it, or just simply don’t know • “But, why would anyone want to hack this device? And why would they want to tell us or talk about it publicly?” • Few-to-no resources for small vendors to handle this • Nascency of “IoT” means some researchers may not know either • And we’d like for them to stay out of jail
  • 32. Announcing BuildItSecure.ly Our Mission 
 • Provide resources, guidance, community for small IoT developers/builders to make informed security decisions • Incentivize vulnerability research and reporting for these devices ! Our Goal
 Help secure the "Internet of Things” ! This ISN’T…
 • “saving the world” • something that’s happening tomorrow
  • 33. BuildItSecure.ly Phase 1 - Build Out • Establish a core team of advisors and content contributors • Curate secure development documents and disclosure guidelines • Build new diagrams, flow charts, info graphics to transfer knowledge • Form relationships with crowd-funding sites, IoT-centric hardware vendors/platform providers, and other relevant organizations Gather Advisors & Contributors Collect/build and share resources Establish relationships w/vendors, funding sites
  • 34. BuildItSecure.ly Phase 2 - Rewards/Incentives • Build a reporting and reward/ incentive program • Partnering with Bugcrowd on this • Rewards could include: • Recognition • Monetary reward • Device reward • Schwag!
  • 36. Conclusion • Very few green fields in infosec to impact early on • IoT at this level is still malleable • Much work to be done, but we can leverage lessons learned in the past • BuildItSecure.ly could help keep IoT from spinning any further out of control • Plus, it’ll be fun!
  • 37. Thanks! Questions? Mark Stanislav mstanislav@duosecurity.com
 @markstanislav
 Zach Lanier zach@duosecurity.com
 @quine http://BuildItSecure.ly/ @BuildItSecurely