The Dark Ages of IoT Security - CSA CEE Summit€¦ · The Dark Ages of IoT Security Prof. Stefano...
Transcript of The Dark Ages of IoT Security - CSA CEE Summit€¦ · The Dark Ages of IoT Security Prof. Stefano...
The Dark Ages of IoT
Security
Prof. Stefano Zanero, PhD
Agenda
What is the Internet of Things
IoT (in)security
A real-world case study
The (scary) future of IoT security
Conclusions
What is the Internet of Things ?
What is the Internet of Things
The IoT is the network of physical objects or
"things" embedded with electronics, software,
sensors, and network connectivity, which enables
these objects to collect and exchange data
Source: Wikipedia
What is the Internet of Things
Things are physical objects
Things are connected with existing network infrastructure
Things collect data – physical world’s probes (!)
Things can be remotely controlled
Things exchange data with (some)thing
What is the Internet of Things
(personal) things
What is the Internet of Things
(home) things
What is the Internet of Things
(industrial) things
What is the Internet of Things
(medical) things
IoT (in)security
IoT (in)security
What is information security ?
o Confidentiality
o Integrity
o Availability
The so called CIA paradigm (or triad)
What about IoT security?
IoT (in)security
IoT Security ≠ Device Security
IoT (in)security
Why? Think about mobile security world !
Mobile security is
o The security of the mobile device
o The security of installed apps
o The security of 3rd party apps’ back-end systems
o The security of pre-installed apps’ back-end (e.g., apps
store)
Now back to the IoT universe..
IoT (in)security
Defining attack surface
“the attack surface describes all of the different
points where an attacker could get intoa system, and where they could get data out”
What about IoT attack surface ?
Source: OWASP
IoT (in)security
Now, let’s talk about vulnerabilities
No alien technology, no extra-terrestrial bugs
OWASP defines an ad-hoc list for IoT
o Welcome to the OWASP IoT Top Vulnerabilities
o It represents a list of vulnerabilities not risks
o In 2015 the list was a canonical Top 10
o Currently there are 62 vulnerabilities listed in 17 categories
IoT (in)security
OWASP top ten:
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware10. Poor Physical Security
IoT (in)security
Slightly random thoughts on IoT security
IoT is “happening” with a rapidly (chaotic) development withoutappropriate considerations on security
More devices == more data == more cyber attacks
“Things” are probes in everyone’s life
Smart TV, cameras, thermostats are literally “watching” us !
Devices firmware update will be ruled by market – see ya security in 18 months?
Real-world case studies
Real-world case studies
Source: HP research on smart watches
Real-world case studies
Source: Rapid7 research on baby monitoring systems
Real-world case studies
Source: HP research on home security systems
The (scary) future of IoT security
The (scary) future of IoT security
Skynet is waiting
The (scary) future of IoT security
26 BILLIONobjects by 2020
Source: Cisco
The (scary) future of IoT security
Complexity. That’s the problem.
The Internet of Things is wild, open and no onewill pay for secure (every)thing
Vendors are urgently called to implementsolution secure by design to reduce the risks
An extensive standardization on “how things
should be securely implemented” could be trulya panacea
Conclusions
Conclusions
We are brewing a perfect cyber-physical stormwith unfathomable consequences
We are using complex networks of smart
devices on which we increasingly rely for
critical infrastructures and safety-criticalsystems, without humans in the loop
We have issues with zero-days as well asforever-days
We need significant engineering and
research efforts to get this done and avert the storm
Thank [email protected]