$HOME Sweet $HOME Devoxx 2015
Uploaded by: xavier-mertens
Transcript of $HOME Sweet $HOME Devoxx 2015
@xme#Devoxx #IoT
$ cat ~/whoami.xml
<profile>
  <real_name>Xavier Mertens</real_name>
  <day_job>Freelance Security Consultant</day_job>
  <night_job>Hacker, Blogger</night_job>
  <![CDATA[
    www.truesec.be
    blog.rootshell.be
    isc.sans.edu
    www.brucon.org
  ]]>
</profile>
$ cat ~/.profile
• I like (your) data
• Playing “active defense”
• I prefer (black) t-shirts to ties
• I like to play with gadgets
$ cat /opt/disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past or present employers, partners or customers.”
Agenda
• A revolution entered our homes
• “Internet of Terror”
• Issues & Mitigations
Source: http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
Source: http://www.engadget.com/2011/08/04/researcher-hacks-wireless-insulin-pump-to-push-lethal-doses-giv
Source: http://archive.hack.lu/2015/2015-10-20-SEKOIA-Keynote%20Internet%20of%20Tchotchke-v1.0.pdf
Security goals
• To protect “data”
• To prevent unauthorised access
• To prevent unauthorised modification
• To prevent loss
Security is relative
• Directly related to your business and needs
• Security is measured at a time “T”
• Security level is directly related to the weakest point
• Security must be constantly reviewed and adapted
“Security is a process, not a product” - Bruce Schneier
“Developers think of ways to make things”
“Security peeps think of ways to break things”
Infosec guys VS. developers
Infosec guys VS. developers
Infosec guys:
• Implement boring controls
• Make our daily job difficult
• Are paranoid
• Don’t know the business
Developers:
• Just write lines of code
• Don’t have a clue about security
• Have short deadlines (“RTM”)
• Re-use pieces of code (and the associated bugs)
Top security threats
Source: Capgemini & Sogeti, “Security of the IoT Survey”, Nov 2014
Issue #1 - It’s a computer…
• Insecure Web Interface
• Insufficient Authentication/Authorization
• Insecure Network Services
• Lack of Transport Encryption
• Privacy Concerns
• Insecure Cloud Interface
• Insecure Mobile Interface
• Insufficient Security Configurability
• Insecure Software/Firmware
• Poor Physical Security
Source: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
Issue #2 - In the wild
• Working in our real life!
• Physical access == Pwn3d!
• Access personal data
• Access health data
• Access & control critical data (electricity, gas, water, cars)
Issue #3 - Limited resources
• Slow CPU
• Basic interface (who said “where is the GUI?”)
• Restricted RAM
• Restricted storage
• Restricted API calls
• Restricted features
• Battery usage
Issue #4 - Crypto
• Use good crypto (hashing is not crypto)
• Crypto requires resources (see #3)
• Self-made crypto == bad crypto
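As an added example (not from the slides), the two failure modes named above applied to a smart-meter reading: an unkeyed hash of a low-entropy value is recovered by enumeration, and a homemade repeated-key XOR leaks one report from another. The vetted alternative at the end uses ChaCha20-Poly1305; the meter values, key and device id are constructed, and the sealed variant assumes the third-party `cryptography` package is installed.

```python
import hashlib
import os
from typing import Optional

# Constructed sample input space: a meter's daily reading in Wh. The plausible
# range is tiny, so an unkeyed hash of it is just an obfuscated lookup table.
READING_RANGE = range(0, 100_000)

def hash_reading(reading_wh: int) -> str:
    """'Hashing is not crypto': an unkeyed digest of a low-entropy value."""
    return hashlib.sha256(str(reading_wh).encode()).hexdigest()

def recover_from_hash(digest: str) -> Optional[int]:
    """Anyone who knows the input space recovers the reading by enumeration."""
    for candidate in READING_RANGE:
        if hash_reading(candidate) == digest:
            return candidate
    return None

def xor_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """'Self-made crypto': repeat a fixed key and XOR. Opaque-looking, but the
    same key bytes are reused across every message sent by the device."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))

def leak_from_key_reuse(ct_a: bytes, ct_b: bytes, known_plain_a: bytes) -> bytes:
    """Two ciphertexts under the same key satisfy ct_a ^ ct_b == pt_a ^ pt_b, so
    knowing one plaintext (e.g. a fixed report header) reveals the other
    without ever touching the key."""
    n = min(len(ct_a), len(ct_b), len(known_plain_a))
    return bytes(ct_a[i] ^ ct_b[i] ^ known_plain_a[i] for i in range(n))

def seal_reading(key: bytes, reading_wh: int, device_id: bytes) -> bytes:
    """Vetted alternative: ChaCha20-Poly1305, which performs well on slow CPUs
    without AES hardware (Issue #3), a fresh nonce per message, and the device
    id bound as associated data so a report cannot be replayed for another
    meter. Assumes the third-party 'cryptography' package is installed."""
    from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
    nonce = os.urandom(12)
    payload = str(reading_wh).encode()
    return nonce + ChaCha20Poly1305(key).encrypt(nonce, payload, device_id)

def open_reading(key: bytes, sealed: bytes, device_id: bytes) -> int:
    """Raises InvalidTag if the ciphertext, nonce or device id was tampered with."""
    from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
    nonce, ciphertext = sealed[:12], sealed[12:]
    return int(ChaCha20Poly1305(key).decrypt(nonce, ciphertext, device_id))
```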
Issue #5 - External resources
• Why reinvent the wheel?
• External resources are buggy / may contain backdoors
Issue #6 - Valuable data
• Why store so much data?
• Data classification
• Data privacy
Issue #7 - Back to the roots
• IoT will be deployed by old-school industries (ex: smart meters)
• Know their business
Tips to keep in mind
• IoT is here and is already invading our homes & companies
• Think: “IoT” == “Computers” (same issues)
• Smart != Safe
• Tools exist… but assess them!
• Ask yourself: “Do I need it?”
• Apply critical security controls (1)
(1) http://www.sans.org/critical-security-controls
Tips to keep in mind
• Think “data privacy”. Do I need the data in the device? What if data are stolen?
• Implement security from the design (remember “SDLC”)
Questions?
@xme
[email protected]
https://www.truesec.be
https://blog.rootshell.be