A Secure and Reliable Document Management System is Essential.docx
ย
RSA2015: Securing the Internet of Things
1. SESSION ID:
#RSAC
ASD-T10
Security Research
HP Fortify on Demand
@danielmiessler
Daniel Miessler
Securing the Internet of Things:
Mapping Attack Surface Areas
Using the OWASP IoT Top 10
2. #RSAC
2
๏ต HP Fortify on Demand
๏ต Security Research & Development
๏ต Penetration Testing
๏ต OWASP Project Leader (IoT, Mobile)
3. #RSAC
The Plan
3
๏ต Letโs Talk About Naming
๏ต A Vision of the Future (Universal Daemonization)
๏ต Why IoT is Currently Broken
๏ต Examples From Research
๏ต The OWASP IoT Project
๏ต Applying What Weโve Learned
๏ต One more thingโฆ
5. #RSAC
What does it mean?
5
๏ต [ WIKIPEDIA ] The Internet of Things (IoT)
is the network of physical objects or "things"
embedded with electronics, software,
sensors and connectivity to enable it to
achieve greater value and service by
exchanging data with the manufacturer,
operator and/or other connected devices.
๏ต [ OXFORD ] A proposed development of
the Internet in which everyday objects have
network connectivity, allowing them to send
and receive data.
11. #RSAC
The Current IoT Security Problem
11
network ๏ต services, encryption, firewall, inputโฆ
12. #RSAC
The Current IoT Security Problem
12
network
application ๏ต authN, authZ, input validation, etc.
13. #RSAC
The Current IoT Security Problem
13
network
application
mobile ๏ต insecure APIs, lack of encryption, etc.
14. #RSAC
The Current IoT Security Problem
14
network
application
mobile
cloud ๏ต yadda yadda AuthSessionAccess
15. #RSAC
IoT Security is the Worst-of-All-Worlds
15
network
application
mobile
cloud
IoT ๏ต net + app + mobile + cloud = IoT
๏ต yadda yadda AuthSessionAccess
๏ต insecure APIs, lack of encryption, etc.
๏ต authN, authZ, input validation, etc.
๏ต services, encryption, firewall, inputโฆ
16. #RSAC
The Current IoT Security Problem
16
network
application
mobile
cloud
IoT
1 + 1 = 5
18. #RSAC
IoT Security Fail Examples (Authentication)
18
network
application
mobile
cloud
IoT
๏ต 10/10 security systems accept โ123456โ
๏ต Account enumeration
๏ต Lack of account lockout
19. #RSAC
IoT Security Fail Examples (Update Systems)
19
network
application
mobile
cloud
IoT
๏ต No signing of updates
๏ต Download over FTP
๏ต Server was world-writeable
๏ต Server held ALL products
20. #RSAC
IoT Security Fail Examples
20
network
application
mobile
cloud
IoT
๏ต 10/10 security systems accept โ123456โ
๏ต 10/10 security systems with no lockout
๏ต 10/10 security systems with enumeration
๏ต SSH listeners with root/โโ access
๏ต 6/10 web interfaces with XSS/SQLi
๏ต 70% of devices not using encryption
๏ต 8/10 collected personal information
๏ต 9/10 had no two-factor options
๏ต Unauthenticated video streaming
๏ต Completely flawed software update systems
21. #RSAC
The Need for a Methodology
21
network
application
mobile
cloud
IoT
33. #RSAC
OWASP IoT Project Goals
33
1. Understand the main attack surface
areas for any IoT device or ecosystem
34. #RSAC
OWASP IoT Project Goals
34
1. Understand the main attack surface areas
for any IoT device or ecosystem
2. As a tester, be able to hit the major
issues for each surface area for the
product youโre testing
35. #RSAC
OWASP IoT Project Goals
35
1. Understand the main attack surface areas
for any IoT device or ecosystem
2. As a tester, be able to hit the major issues
for each surface area for the product
youโre testing
3. As a manufacturer, be able to ensure
that youโve done your due diligence in
security across the main surface areas
36. #RSAC
OWASP IoT Project Goals
36
1. Understand the main attack surface areas
for any IoT device or ecosystem
2. As a tester, be able to hit the major issues
for each surface area for the product
youโre testing
3. As a manufacturer, be able to ensure that
youโve done your due diligence in security
across the main surface areas
4. As a developer, be able to ensure that
youโre avoiding the top security issues
while building your particular component
37. #RSAC
OWASP IoT Project Goals
37
1. Understand the main attack surface areas
for any IoT device or ecosystem
2. As a tester, be able to hit the major issues
for each surface area for the product
youโre testing
3. As a manufacturer, be able to ensure that
youโve done your due diligence in security
across the main surface areas
4. As a developer, be able to ensure that
youโre avoiding the top security issues
while building your particular component
5. As a consumer, ensure youโre using the
technology safely
38. #RSAC
OWASP IoT Project Goals
38
1. Understand the main attack surface areas
for any IoT device or ecosystem
2. As a tester, be able to hit the major issues
for each surface area for the product youโre
testing
3. As a manufacturer, be able to ensure that
youโve done your due diligence in security
across the main surface areas
4. As a developer, be able to ensure that
youโre avoiding the top security issues while
building your particular component
5. As a consumer, ensure youโre using the
technology safely
42. #RSAC
OWASP IoT Project (FAQ)
42
1. If IoT is just a collection of other
technologies, why not just use existing
OWASP projects?
43. #RSAC
OWASP IoT Project (FAQ)
43
1. If IoT is just a collection of other
technologies, why not just use existing
OWASP projects? (one place, multiple
spaces)
2. Why call it a Top 10 List, which is
traditionally a list of vulnerabilities?
44. #RSAC
OWASP IoT Project (FAQ)
44
1. If IoT is just a collection of other
technologies, why not just use existing
OWASP projects? (one place, multiple
spaces)
2. Why call it a Top 10 List, which is
traditionally a list of vulnerabilities?
(tradition, approachability)
3. Why not have X category, or Y category,
or you should move I7 to I2, etc.
45. #RSAC
OWASP IoT Project (FAQ)
45
1. If IoT is just a collection of other
technologies, why not just use existing
OWASP projects? (one place, multiple
spaces)
2. Why call it a Top 10 List, which is
traditionally a list of vulnerabilities?
(tradition, approachability)
3. Why not have X category, or Y category,
or you should move I7 to I2, etc.
(excellent, come help)
https://lists.owasp.org/mailman/listinfo/owasp_internet_of_things_top_ten_project
47. #RSAC
How to Apply This
47
The Internet of Things is not just about sensors and machines. Itโs about people,
and how they will continuously interact with their environments through their
personal assistants and Universal Daemonization.
Concept Application
48. #RSAC
How to Apply This
48
The Internet of Things is not just about sensors and machines. Itโs about people,
and how they will continuously interact with their environments through their
personal assistants and Universal Daemonization.
You now know the future before others do, and
can use that knowledge to inform better
decisions.
Concept Application
49. #RSAC
How to Apply This
49
The Internet of Things is not just about sensors and machines. Itโs about people,
and how they will continuously interact with their environments through their
personal assistants and Universal Daemonization.
You now know the future before others do, and
can and use that knowledge to inform better
decisions.
IoT Security is broken for three reasons: itโs worst-of-all-worlds scenario, nobody
is paid to secure IoT, and 1+1=5 when it comes to security and complexity.
Concept Application
50. #RSAC
How to Apply This
50
The Internet of Things is not just about sensors and machines. Itโs about people,
and how they will continuously interact with their environments through their
personal assistants and Universal Daemonization.
You now know the future before others do, and
can use that knowledge to inform better
decisions.
IoT Security is broken for three reasons: itโs worst-of-all-worlds scenario, nobody
is paid to secure IoT, and 1+1=5 when it comes to security and complexity.
You can now identify the common causes for
the mistakes, and look out for them in projects
you consult on.
Concept Application
51. #RSAC
How to Apply This
51
The Internet of Things is not just about sensors and machines. Itโs about people,
and how they will continuously interact with their environments through their
personal assistants and Universal Daemonization.
Know the future before others do, and use that
knowledge to inform better decisions.
IoT Security is broken for three reasons: itโs worst-of-all-worlds scenario, nobody
is paid to secure IoT, and 1+1=5 when it comes to security and complexity.
You can now identify the common causes for
the mistakes, and look out for them in projects
you consult on.
The OWASP IoT Top 10 Project maps IoT attack surface areas and gives
contextual and prescriptive guidance on how to avoid vulnerabilities within each.
Concept Application
52. #RSAC
How to Apply This
52
The Internet of Things is not just about sensors and machines. Itโs about people,
and how they will continuously interact with their environments through their
personal assistants and Universal Daemonization.
Know the future before others do, and use that
knowledge to inform better decisions.
IoT Security is broken for three reasons: itโs worst-of-all-worlds scenario, nobody
is paid to secure IoT, and 1+1=5 when it comes to security and complexity.
You can now identify the common causes for
the mistakes, and look out for them in projects
you consult on.
The OWASP IoT Top 10 Project maps IoT attack surface areas and gives
contextual and prescriptive guidance on how to avoid vulnerabilities within each.
You can now use the OWASP IoT Project as a
tangible guide to securing the IoT systems you
work with.
Concept Application
53. #RSAC
Other IoT Resources
๏ต Build It Securely Project (connects SMBs with researchers)
๏ต Mark Stanislav and Zach Lanier
๏ต I am the Cavalry (focuses on automotive IoT security)
๏ต Josh Corman
๏ต IoT Firmware Testing Training
๏ต Paul Asadoorian (BlackHat)
53
54. #RSAC
Just One More Thingโฆ
๏ต OWASP IoT Top 10 Mini-poster !
๏ต Card stock
๏ต Two-sided
๏ต Covers Top 10 Surface Areas
๏ต Available for download as well
54