WHAT IS IOT?
• IoT is computing devices that send data,
receive date or both on the internet.
• The Internet of Things (IoT) refers to the
ever-growing network of physical objects
that feature an IP address for internet
connectivity, and the communication that
occurs between these objects and other
Internet-enabled devices and systems.
• Where do we see it in our daily life?
THE HARDWARE IS TO BE BLAMED!
Relatively modern 64-bit x86 CPU cores in I.o.T devices, they will still
be substantially more complex than the smallest ARM cores, and
therefore will need more battery power
Cheap and disposable wearables, appear to be the biggest concern,
won’t be powered by such chips. We need more powerful
processors, such as Intel Atoms or ARMv8 chips, in smart products,
like smart refrigerators or washing machines with touchscreens, but
they are impractical for disposable devices with no displays and with
limited battery capacity.
The industry needs is more unstandardized devices and more
THE WEB APPLICATION SIDE OF IT!
• “Weak authentication,” might thinking of passwords that are
easy to guess. Unfortunately, the bar is much lower with many
• Generally I.o.T devices are secured with passwords like
“1234”, put their password in client-side Java code, send
credentials without using HTTPS or other encrypted transports,
or require no passwords at all.
INSECURE NETWORK IN IOT DEVICES!
• In your modern corporate network, you may think Telnet and
FTP are dead, but the IOT smart device world would disagree.
• August 2014, a sweep of more than 32,000 devices found “at
least 2000 devices with hard-coded Telnet logins.
• October 2014 research that demonstrated more than a million
deployed routers were vulnerable.
INSECURE CLOUD AND MOBILE INTERFACE
• Many IoT devices exchange information with an external
cloud interface or ask end users to connect to a remote web
server to work with their information or devices. In addition to
obvious vulnerabilities such as a lack of HTTPS, the OWASP IoT
Top Ten list asks you to look for authentication problems such
as username harvesting (“user enumeration”) and no lockouts
after a number of brute-force guessing attempts.
• IoT devices may also act as wireless access points (WAPs).
INSECURE SOFTWARE/ FIRMWARE
• Real life examples of corrupt update files abound, especially
when people use “jailbroken” phones to disable the validation
built in to their devices. MITM attacks using insecure update
sources, such as the HTTP-based update vulnerability that
affected ASUS RT routers in October 2014.
• To test whether or not a device is using insecure updates, you
generally need to use a proxy or sniffer to watch the data
stream for use of secure transport, for example, an online
utility called “APK Downloader” lets you download and inspect
Android installations and updates on any platform.
PHYSICAL SECURITY OF IOT DEVICES
• Five things to determine if a device’s exposed ports can be
used for malicious purposes. These are ease of storage media
removal, encryption of stored data, physical protection of USB
and similar ports, ease of disassembly and removal or disabling
of unnecessary ports.
SCOPE OF IOT SECURITY
How many IoT devices do you own and use right now? How many
does your business use? That’s where the “Internet of NoThings” joke
comes from, most people don’t have any. The numbers keep going up,
but the average consumer is not buying many, so where is that growth
coming from? IoT devices are out there and the numbers are booming,
driven by enterprise rather than the consumer market.
Verizon and ABI Research estimate that there were 1.2 billion
different devices connected to the internet last year, but by 2020, they
expect as many as 5.4 billion B2B IoT connections.
IOT SPECIFIC SECURITY ASSESSMENT
How it is a combination of different type assessments:
Secure Transport medium
Cloud and Mobile interface
I.O.T SECURITY: TRENDS, PROBLEMS AND
Problems and security challenges
Many small devices have limited CPU power
Not much processing power for security
Need to look for new encryption scheme with less CPU power.
Can not install AV software
Example: IP-addressable light bulbs.
I.o.T also needs both encryption key management and identity management
It may scale into billions!
• Problems and security challenges
• New devices for endpoint security
• New firmware, embedded OS, new software & etc.
• It is not possible to support AV on every device.
• New transport protocols for making network security
• Much more network traffic for security analysis
• Bad news for large enterprises as network security is
already complex and cumbersome
SEVEN IOT SECURITY RISKS*:
1. Disruption and denial-of-service attacks
2. Understanding the complexity of vulnerabilities
3. I.o.T vulnerability management
4. Identifying, implementing security controls
5. Fulfilling the need for security analytics capabilities
6. Modular hardware and software components
7. Rapid demand in bandwidth requirement
I.O.T SECURITY TOP 10 (OWASP 2014):
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security