IoT Security by Sanjay Kumar
•Download as PPT, PDF•
1 like•1,543 views
IoT Security by Sanjay Kumar @ Combined null/OWASP Delhi meeting on 20/06/2015
![IoT
(Internet of
Things)
Security
Sanjay Kumar
Information Security Specialist
sanjay1519841 [at] gmail [dot] com
NULL/OWASP Delhi meet on 20th
June 2015](https://image.slidesharecdn.com/iotsecurity-150620145430-lva1-app6891/85/iot-security-by-sanjay-kumar-1-320.jpg)
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to IoT Security by Sanjay Kumar
Similar to IoT Security by Sanjay Kumar (20)
More from OWASP Delhi
More from OWASP Delhi (20)
Recently uploaded
Recently uploaded (20)
IoT Security by Sanjay Kumar
- 1. IoT (Internet of Things) Security Sanjay Kumar Information Security Specialist sanjay1519841 [at] gmail [dot] com NULL/OWASP Delhi meet on 20th June 2015
- 2. Agenda • What is IoT (Internet of Things)? • Threat Agents & Attack Vectors • Security Weaknesses • Technical Impacts • Business Impacts • OWASP Top 10 2014 for IOT
- 4. Ubiquitous Gartner: “IoT Installed Base Will Grow to 26 Billion Units By 2020.” That number might be too low. •Every Auto •Every Mobile •Every Door •Every Room Every sensor in any device Could be in bracelet in every home, office, building or hospital room … in every city and village ... on Earth ... Every sensor in any device Could be in bracelet in every home, office, building or hospital room … in every city and village ... on Earth ...
- 6. IoT devices which could be vulnerable Thermostat To control home/office temperature Assigned with IP
- 7. Watches and fitness monitors Expose Personal Health Data IoT devices which could be vulnerable
- 8. • Smart Cars • Wireless Pacemaker & other implanted device for monitoring health • Biometrics IoT devices which could be vulnerable
- 9. • The Internet of Things Device • The Cloud • The Mobile Application • The Network Interfaces • The Software • Use of Encryption • Use of Authentication • Physical Security • USB ports All elements need to be considered
- 10. OWASP Top 10 1. Insecure Web Interface 2. Insufficient Authentication/Authorization 3. Insecure Network Services 4. Lack of Transport Encryption 5. Privacy Concerns 6. Insecure Clould Interface 7. Insecure Mobile Interface 8. Insufficient Security Configurability 9. Insecure Software/Firmware 10.Poor Physical Security
- 12. Checklist for Insecure Web Interface • Account Enumeration • Weak Default Credentials • Credentials Exposed in Network Traffic • Cross-site Scripting (XSS) • SQL-Injection • Session Management • Account Lockout
- 14. Checklist • Lack of Password Complexity • Poorly Protected Credentials • Lack of Two Factor Authentication • Insecure Password Recovery • Privilege Escalation • Lack of Role Based Access Control
- 16. Checklist • Vulnerable Services • Buffer Overflow • Open Ports via UPnP • Exploitable UDP Services • Denial-of-Service • DoS via Network Device Fuzzing
- 17. 4- Lack of Transport Encryption
- 18. Checklist • Unencrypted Services via the Internet • Unencrypted Services via the Local Network • Poorly Implemented SSL/TLS • Misconfigured SSL/TLS
- 20. Checklist • Collection of Unnecessary Personal Information
- 22. Checklist • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
- 24. Checklist • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
- 26. Checklist • Lack of Granular Permission Model • Lack of Password Security Options • No Security Monitoring • No Security Logging
- 28. Checklist • Encryption Not Used to Fetch Updates • Update File not Encrypted • Update Not Verified before Upload • Firmware Contains Sensitive Information • No Obvious Update Functionality
- 30. Checklist • Access to Software via USB Ports • Removal of Storage Media
- 31. Thank You
- 42. Thank You
Editor's Notes
- The Internet of Things (IoT, sometimes Internet of Everything) is the network of physical objects or "things" embedded[1] with electronics, software, sensors[2] and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure. Experts estimate that the IoT will consist of almost 50 billion objects by 2020.[3] The term “Internet of Things” was first documented by a British visionary, Kevin Ashton, in 1999.[4] Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications.[5] The interconnection of these embedded devices (including smart objects), is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid.[6] Things, in the IoT, can refer to a wide variety of devices such as heart monitoring implants, biochip transponders on farm animals, electric clams in coastal waters,[7] automobiles with built-in sensors, or field operation devices that assist fire-fighters in search and rescue.[8] These devices collect useful data with the help of various existing technologies and then autonomously flow the data between other devices.[9] Current market examples include smart thermostat systems and washer/dryers that utilize Wi-Fi for remote monitoring. A thing, in the Internet of Things, can be a person with a heart monitor implant, a farm animal with a biochip transponder, an automobile that has built-in sensors to alert the driver when tire pressure is low — or any other natural or man-made object that can be assigned an IP address and provided with the ability to transfer data over a network. So far, the Internet of Things has been most closely associated with machine-to-machine (M2M) communication in manufacturing and power, oil and gas utilities. Products built with M2M communication capabilities are often referred to as being smart.
- Every one of those sensor and control points is generating data. Often, it's very informative and very private data. Systems are needed to help those devices talk to each other, manage all that data, and enforce proper access control.
- The carefully-regulated climate in your office can conceal the fact that to criminals your data is hot. Remotely programmable thermostats are just as vulnerable to attack as anything else, particularly if you’re using a third-party contractor to manage the office HVAC system (a la Target’s breach). But even if it’s a company-managed remote thermostat, it’s probably not smart to leave the temperature-setting to just anyone, especially a hacker.
- Take a look at your co-workers’ wrists, and it’s likely that one of them is wearing a smart watch or a fitness monitor, like a FitBit or Garmin VivoFit. And while your co-workers are being reminded to walk around the office to stay in shape, the devices themselves – particularly if they’re syncing to the Internet via a device on your network or even using your company’s Wi-Fi – are making your security strategy flabby.
- Smart Cars: Bluetooth, Car Ignition, Aircondition Smart Biometrics: Attacker can get hack into the system and steal personal identities & also can feed his/her data into system to gain access Implanted Device: http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/