The Dark Ages of IoT Security - CSA CEE Summit

Transcript (28 pages)

Page 1

The Dark Ages of IoT

Security

Prof. Stefano Zanero, PhD

Page 2

Agenda

What is the Internet of Things

IoT (in)security

A real-world case study

The (scary) future of IoT security

Conclusions

Page 3

What is the Internet of Things?

Page 4

What is the Internet of Things

The IoT is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.

Source: Wikipedia

Page 5

What is the Internet of Things

Things are physical objects

Things are connected with existing network infrastructure

Things collect data – physical world’s probes (!)

Things can be remotely controlled

Things exchange data with (some)thing

Page 6

What is the Internet of Things

(personal) things

Page 7

What is the Internet of Things

(home) things

Page 8

What is the Internet of Things

(industrial) things

Page 9

What is the Internet of Things

(medical) things

Page 10

IoT (in)security

Page 11

IoT (in)security

What is information security?

o Confidentiality

o Integrity

o Availability

The so-called CIA paradigm (or triad)

What about IoT security?

Page 12

IoT (in)security

IoT Security ≠ Device Security

Page 13

IoT (in)security

Why? Think about the mobile security world!

Mobile security is

o The security of the mobile device

o The security of installed apps

o The security of 3rd party apps’ back-end systems

o The security of pre-installed apps’ back-end (e.g., app store)

Now back to the IoT universe...

Page 14

IoT (in)security

Defining attack surface

“The attack surface describes all of the different points where an attacker could get into a system, and where they could get data out.”

What about the IoT attack surface?

Source: OWASP

Page 15

IoT (in)security

Now, let’s talk about vulnerabilities

No alien technology, no extra-terrestrial bugs

OWASP defines an ad-hoc list for IoT

o Welcome to the OWASP IoT Top Vulnerabilities

o It is a list of vulnerabilities, not of risks

o In 2015 the list was a canonical Top 10

o Currently there are 62 vulnerabilities listed in 17 categories

Page 16

IoT (in)security

OWASP top ten:

1. Insecure Web Interface

2. Insufficient Authentication/Authorization

3. Insecure Network Services

4. Lack of Transport Encryption

5. Privacy Concerns

6. Insecure Cloud Interface

7. Insecure Mobile Interface

8. Insufficient Security Configurability

9. Insecure Software/Firmware

10. Poor Physical Security

Page 17

IoT (in)security

Slightly random thoughts on IoT security

IoT is “happening” through rapid (chaotic) development, without appropriate consideration of security

More devices == more data == more cyber attacks

“Things” are probes in everyone’s life

Smart TVs, cameras and thermostats are literally “watching” us!

Device firmware updates will be ruled by the market – see ya, security, in 18 months?

Page 18

Real-world case studies

Page 19

Real-world case studies

Source: HP research on smart watches

Page 20

Real-world case studies

Source: Rapid7 research on baby monitoring systems

Page 21

Real-world case studies

Source: HP research on home security systems

Page 22

The (scary) future of IoT security

Page 23

The (scary) future of IoT security

Skynet is waiting

Page 24

The (scary) future of IoT security

26 BILLION objects by 2020

Source: Cisco

Page 25

The (scary) future of IoT security

Complexity. That’s the problem.

The Internet of Things is wild and open, and no one will pay for securing (every)thing

Vendors are urgently called to implement solutions that are secure by design, to reduce the risks

An extensive standardization of “how things should be securely implemented” could truly be a panacea

Page 26

Conclusions

Page 27

Conclusions

We are brewing a perfect cyber-physical storm with unfathomable consequences

We are using complex networks of smart devices on which we increasingly rely for critical infrastructures and safety-critical systems, without humans in the loop

We have issues with zero-days as well as forever-days

We need significant engineering and research efforts to get this done and avert the storm

Page 28

Thank you