Threats to machine clouds
-
Upload
sensepost -
Category
Technology
-
view
783 -
download
0
description
Transcript of Threats to machine clouds
Security Threats to Machine Clouds
about: us
Georg-Christian Pranschke
http://www.sensepost.com/blog/7733.html
what we’re going to talk about
• the cloud• why this talk ?• machine clouds ?• results: cursory “testing”• what does all this mean ?
The Cloud
clobbering the cloud!
cloud security
Why This Talk ?
security threats to machine clouds• fast growing mobile connectivity • greater number of connected devices• management complexity and high costs
• web-based device management for connected devices
• inherits some of the web app threats plus new
ones
Machine Clouds ?
machine clouds?
machine clouds?• home automation• vehicle tracking• tele-medicine• location-based services• “M2M and connected products are changing our world”• “safer, simpler and more productive”• “less cost per year than full-time employee”
• i.e. ATMs monitoring -> access to finances• i.e. medical equipment -> ensuring very best patient care• i.e. smart signs -> law enforcement • i.e. cars -> driving behaviour to insurance carriers
machine cloud ui: the web application
machine - cloud integration
protocol dissection (i)
DHCP response
protocol dissection (ii)
restart request response
machine – cloud interaction (i)
machine – cloud interaction (ii)
connecting a machine
Results: Cursory “Testing”
#include <disclaimer.h>
approach
Business Logic
Application
Infrastructure
web application/web services <<>> “rogue machine”
the environment (i)
the environment (ii)
threat: exposed administrative interfaces
threats: cms layer (i)
threats: cms layer (ii)
threats: cms layer(iii)
threats: web app layer
clickjacking/ui redressing
SDKs (i)
SDKs (ii)
SDKs (iii)
SDKs (iv)
a side note…
transport layer encryption (i)
transport layer encryption (ii)
lame ? (i)
lame ? (ii)
lame ? (iii)
threat: malicious applets
a side note …
threat: rogue machines
putting it all together
• malicious applets• obtain vendor id or …• unauthorised connection• upload of XSS payload or …• XSS -> session hijacking and …
What Does All This Mean ?
what does all this mean
Security Threats to Machine Clouds
Thank You!