Unfortunately, in recent years we’ve seen a host of incidents where IoT devices were compromised. Some have been minor with little coverage, while others, like Mirai, affected millions around the globe and produced serious economic impact. When attacks like this occur, they not only erode the trust of the users of these devices but also cause those who are looking to adopt this new technology to pause. With any new technology, security must be treated as a first-class citizen, and when we are talking about IoT, the data is personal. As the IoT matures, I’ll share some mistakes that have happened in the past, where we are today, and how I believe we are now finally seeing a maturity of devices that are remotely updated, fault tolerant and secure. When it comes to building an IoT device, security is personal.
3. What We’ll Cover
• About Me
• What is the Internet of Things
• What’s the big deal?
• Example security exploits
• Anti-Patterns that should be guarded against
• Emerging security techniques
4. About Me
• Software Engineer for 20+ years
• Serial Entrepreneur
• Cofounder of Lab 651 & IoT Fuse
• Adjunct Professor at University of Saint Thomas teaching IoT
• Publisher of IoT Weekly News
• Excited for the next wave of connected things!
5. What is the Internet of Things?
Formal: The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to connect and exchange data.
Practical: The physical world becoming one big information system. We are moving from the Internet of Computers (IoC) to the IoT. It should actually be called “Things on the Internet”.
6. IoC vs IoT…
What’s the Big Deal?
1. Massive Changes in Scale
2. Impact on the Physical World
10. Security of IoT vs IoC
• IoT has both information attacks and physical tampering
• Nearly all use wireless communications
• “Denial of sleep” attacks to kill battery
• Devices are expected to run with low power
• Operating systems may not support sophisticated security approaches
• Often not easily updatable and no screen / user interface
• It’s not the massive attacks but the smaller-scale ones that are more worrisome
11. IoT vs IoC – Personal Data
• Estimated that the average household generates ~2 TB of data a year; by 2020 it is expected to be 10 TB of personal data.
• Researchers found that Vizio & Samsung TVs send data to third parties and have known vulnerabilities that let others listen in on your home or see what you watch
• FitBit can tell if you are active or not when you say you are
• Police used a woman’s Fitbit to discredit her account of an assault
• Tesla using data logs to disprove claims by automotive reviewers
• Things are becoming personal…
18. Mirai Botnet
• Malware infecting IP cameras, routers & DVRs
• Infected more than 600,000 devices
• Started by 3 college students
• Some countries in Africa were taken offline
• Could have affected more than 185 million devices *
* Source: http://www.newsweek.com/mirai-botnet-brought-down-internet-was-minecraft-stunt-747806
19. Owlet Baby Monitor
• Monitors your baby’s heart rate & oxygen level
• Base station creates a completely open WiFi network
• Anyone in range could:
  • Send data to another network/server
  • Disable alerts
• Nest camera had a similar exploit
20. Jeep Hack
• In 2015 security researchers hacked a Jeep to take control of the vehicle
• Used the cellular network and the vehicle’s Controller Area Network (CAN) bus
• Chrysler recalled 1.4 million vehicles to fix this issue
21. Anti-Patterns
• Doing too much
  • Just because you can run a full Linux OS, should you?
  • Consider your end user – do they need root access?
• Validate all input and check for buffer overflows
• Bugs
  • Integer overflows
  • Race conditions
  • Memory corruption
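Two of the bullets above, input validation and integer overflows, are one bug class in a firmware packet parser: a bounds check done in the same narrow integer width as the wire fields wraps around and passes. The program below is an added example written for this page, not code from the talk; the 5-byte message layout (type, payload offset, payload length) is a constructed format and the function names are this example's own. Go is used so it runs as-is: Go turns the resulting out-of-bounds slice into a panic, which on a device is a crash and a denial of service, while the same logic in C reads or memcpy's past the buffer silently, which is where memory corruption starts.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire format for this example (not from the original slides):
//   byte 0    : record type
//   bytes 1-2 : payload offset from the start of the message (uint16, little-endian)
//   bytes 3-4 : payload length in bytes (uint16, little-endian)
//   payload   : located by offset/length, anywhere after the header
const (
	headerLen  = 5
	maxPayload = 64 // size of the fixed buffer a firmware would copy the payload into
)

var ErrMalformed = errors.New("malformed record")

// parseNaive trusts the two 16-bit fields and checks their sum in the same
// 16-bit width they arrived in. off+length wraps around, the check passes,
// and the slice expression indexes far outside the message. Go panics here;
// in C the same code reads (or memcpy's) past the end of the buffer silently.
func parseNaive(msg []byte) (typ byte, payload []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("naive parser crashed: %v", r)
		}
	}()
	if len(msg) < headerLen {
		return 0, nil, ErrMalformed
	}
	off := binary.LittleEndian.Uint16(msg[1:3])
	length := binary.LittleEndian.Uint16(msg[3:5])
	if off+length > uint16(len(msg)) { // 0xFFF0 + 0x0020 == 0x0010 in uint16
		return 0, nil, ErrMalformed
	}
	return msg[0], msg[off : off+length], nil
}

// parseChecked widens both fields to int before any arithmetic, bounds each
// one on its own so no sum can wrap, and caps the payload at the size of the
// destination buffer rather than at the size of the message.
func parseChecked(msg []byte) (byte, []byte, error) {
	if len(msg) < headerLen {
		return 0, nil, ErrMalformed
	}
	off := int(binary.LittleEndian.Uint16(msg[1:3]))
	length := int(binary.LittleEndian.Uint16(msg[3:5]))
	if off < headerLen || off > len(msg) {
		return 0, nil, ErrMalformed
	}
	if length > maxPayload || length > len(msg)-off { // len(msg)-off >= 0 here
		return 0, nil, ErrMalformed
	}
	return msg[0], msg[off : off+length], nil
}

// buildMsg assembles a message; callers may pass inconsistent fields on purpose.
func buildMsg(typ byte, off, length uint16, payload []byte) []byte {
	msg := make([]byte, headerLen, headerLen+len(payload))
	msg[0] = typ
	binary.LittleEndian.PutUint16(msg[1:3], off)
	binary.LittleEndian.PutUint16(msg[3:5], length)
	return append(msg, payload...)
}

func main() {
	good := buildMsg(1, headerLen, 4, []byte("abcd"))
	// Hostile header: offset 0xFFF0, length 0x20, followed by 32 filler bytes.
	hostile := buildMsg(1, 0xFFF0, 0x20, make([]byte, 32))
	for _, m := range [][]byte{good, hostile} {
		_, p, err := parseNaive(m)
		fmt.Printf("naive:   payload=%q err=%v\n", p, err)
		_, p, err = parseChecked(m)
		fmt.Printf("checked: payload=%q err=%v\n", p, err)
	}
}
```

Run it and the naive parser accepts the good message, then crashes on the hostile header; the checked parser returns ErrMalformed for anything it cannot fit. The two rules it applies carry over to C unchanged: widen before you add, and bound each field against the remaining buffer instead of checking a sum that can wrap.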
22. Anti-Patterns
• Weak encryption
• Service Passwords
• No authentication
• Default credentials that are easily discoverable
• Permanent credentials ( for support ), never changeable
• Failure to allow for revocation of credential or privilege
• Failure to allow for delegation of privilege to another legitimate party (forces workarounds)
• Unclear instructions, or defaulting the device to being online rather than opt-in
23. Anti-Patterns
• No Authentication
  • The CAN bus is how communication happens within an automobile; it was never designed for connections over the Internet.
• Default Credentials
  • EURECOM found 100,000 internet-facing IoT devices with default passwords
• Permanent Credentials
  • ComfortLink thermostats shipped with root passwords that could not be changed; finally fixed after 2 years
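What the opposite of these credential anti-patterns looks like in code, as an added example written for this page (not the talk's code and not modelled on any of the products named above): each unit gets its own random factory password that authenticates only to the password-change flow until the owner replaces it, and support access is a time-limited, revocable token the owner opts into rather than a permanent service account. The DeviceAuth type, its method names and the salted SHA-256 stand-in for a password KDF are assumptions of this example; a shipping device should hash with a memory-hard KDF such as Argon2id or scrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

var ErrBadCredential = errors.New("authentication failed")
var ErrMustChange = errors.New("factory password is valid only for setting a new one")
var ErrNoAccess = errors.New("support token unknown, expired or revoked")

// DeviceAuth keeps a salted hash of the owner password (never the password
// itself) and the owner's support grants. There is no built-in service account.
type DeviceAuth struct {
	salt    [16]byte
	pwHash  [32]byte
	changed bool                 // false until the factory password is replaced
	grants  map[string]time.Time // support token -> expiry (128 random bits per token)
}

// hashPassword stands in for a memory-hard KDF (Argon2id, scrypt); salted
// SHA-256 is used only to keep this example on the standard library.
func hashPassword(salt [16]byte, pw string) [32]byte {
	return sha256.Sum256(append(salt[:], pw...))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to run rather than issue weak credentials
	}
	return b
}

// setPassword stores a fresh salt and the hash of pw; pw itself is discarded.
func (d *DeviceAuth) setPassword(pw string) {
	copy(d.salt[:], randomBytes(16))
	d.pwHash = hashPassword(d.salt, pw)
}

func (d *DeviceAuth) verify(pw string) bool {
	got := hashPassword(d.salt, pw)
	return subtle.ConstantTimeCompare(got[:], d.pwHash[:]) == 1
}

// NewDeviceAuth provisions a unique per-unit factory password (printed on
// the unit's label, never shared across the product line) and returns it once.
func NewDeviceAuth() (*DeviceAuth, string) {
	d := &DeviceAuth{grants: map[string]time.Time{}}
	factoryPw := fmt.Sprintf("%x", randomBytes(12))
	d.setPassword(factoryPw)
	return d, factoryPw
}

// Login refuses normal use until the factory password has been replaced;
// the only thing the factory password is good for is ChangePassword.
func (d *DeviceAuth) Login(pw string) error {
	if !d.verify(pw) {
		return ErrBadCredential
	}
	if !d.changed {
		return ErrMustChange
	}
	return nil
}

func (d *DeviceAuth) ChangePassword(current, next string) error {
	if !d.verify(current) {
		return ErrBadCredential
	}
	d.setPassword(next)
	d.changed = true
	return nil
}

// GrantSupport is the owner's opt-in replacement for a permanent service
// credential: the token is random, time-limited and revocable.
func (d *DeviceAuth) GrantSupport(ownerPw string, ttl time.Duration, now time.Time) (string, error) {
	if err := d.Login(ownerPw); err != nil {
		return "", err
	}
	tok := fmt.Sprintf("%x", randomBytes(16))
	d.grants[tok] = now.Add(ttl)
	return tok, nil
}

func (d *DeviceAuth) RevokeSupport(tok string) { delete(d.grants, tok) }

// SupportAccess is what the maintenance interface checks before serving.
func (d *DeviceAuth) SupportAccess(tok string, now time.Time) error {
	if exp, ok := d.grants[tok]; !ok || !now.Before(exp) {
		return ErrNoAccess
	}
	return nil
}
```

NewDeviceAuth returns the factory password exactly once (the value that would go on the unit's label); Login answers ErrMustChange until ChangePassword has been called with it, after which the factory password is dead. A support token stops working the moment it expires or RevokeSupport is called, so nothing on the device outlives the owner's consent, which is the delegation and revocation the anti-pattern list asks for.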
24. Online Trust Alliance – IoT Rules
• Default passwords must be prompted to be reset or changed on first use
• All sites and services must adhere to SSL/TLS best practices using industry standards
• All device sites and cloud services must use HTTPS encryption
• Manufacturers must conduct penetration testing of devices, applications and services
• Manufacturers must have remediation plans for when vulnerabilities are found
• All updates, patches and revisions must be signed and verified
• Manufacturers must provide a mechanism for the transfer of ownership
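The rule that every update must be signed and verified, as an added example (not code from the Online Trust Alliance or from the talk): the vendor signs a small manifest, version plus the SHA-256 digest of the image, with an Ed25519 key; the device keeps only the public key, verifies the signature before trusting any field, binds the image to the manifest through the digest, and refuses anything not newer than what it is running, so an old but validly signed release cannot be replayed. The manifest layout, the Device type and the function names are constructed for this page; Go's standard library is used so it runs as-is.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update (layout constructed for
// this example). The image itself is not signed; it is bound to the
// manifest through its SHA-256 digest.
type Manifest struct {
	Version uint32
	Digest  [32]byte // SHA-256 of the image
	Sig     []byte   // Ed25519 signature over Version || Digest
}

// signedBytes is the exact byte string the signature covers.
func (m *Manifest) signedBytes() []byte {
	b := make([]byte, 4, 4+len(m.Digest))
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.Digest[:]...)
}

// newVendorKey generates the vendor's signing key pair. In production the
// private half lives on the build signer or an HSM, never on a device.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate runs on the vendor side and produces the manifest shipped
// alongside the image.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Device holds only the vendor's public key (in ROM or a TPM on real
// hardware) and the version currently installed.
type Device struct {
	VendorKey ed25519.PublicKey
	Version   uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature invalid")
	ErrDigest       = errors.New("update rejected: image does not match manifest")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// Install checks in the only safe order: signature first, so no manifest
// field is trusted before it is authenticated; then the image digest; then
// a monotonic version check, which blocks replaying an older, validly
// signed but vulnerable release.
func (d *Device) Install(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.signedBytes(), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	d.Version = m.Version // real firmware also persists this in rollback-protected storage
	return nil
}

func main() {
	pub, priv := newVendorKey()
	dev := &Device{VendorKey: pub, Version: 1}
	image := []byte("constructed firmware image v2")
	m := SignUpdate(priv, 2, image)
	fmt.Println("genuine v2:", dev.Install(m, image)) // <nil>
	fmt.Println("replay v2: ", dev.Install(m, image)) // update rejected: version not newer than installed
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered:  ", dev.Install(SignUpdate(priv, 3, image), tampered)) // update rejected: image does not match manifest
	_, rogue := newVendorKey()
	fmt.Println("rogue key: ", dev.Install(SignUpdate(rogue, 4, image), image)) // update rejected: signature invalid
}
```

The order of the checks is the point: the version field is only compared after the signature over it has verified, so an attacker cannot use an unauthenticated manifest to influence anything the device does. Editing any signed field without re-signing, swapping the image, replaying a previous release, or signing with another key each fails on its own check and leaves the installed version untouched.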
25. Emerging IoT Security Techniques
• TPM (Trusted Platform Module) – cryptographic keys burned into the device as it is produced
• Two-factor (or more) authentication
• Location-based verification
• Using a paired device (smartwatch) as access control
• Only send the data that you need and nothing more
26. Emerging IoT Security Techniques
• Where possible, say no to big data backends
  • Forbes reports more than 112 million records spilled in 2015
  • More than a petabyte (10^15 bytes) of data accidentally exposed online
  • New York Times reported that $50 million was stolen from over 100,000 people via the IRS “Get Transcript” service
• Instead, use concepts from distributed computing systems
  • Store data close to the person
  • Provide time-based access and deletion
27. Data Type | Best Location for Data | Consequences If Data Is Lost, or the Network Is Compromised or Disrupted
Sensitive/personal data | On a personal device such as a phone, laptop, backup hard drive, or home computer | Loss of employment; public humiliation; bullying or social isolation, which could potentially lead to suicide
Medical data | On a local device that can be shared with medical professionals on a timed clock | Blackmailing; loss of employment
Business data (e.g., LinkedIn profile) | On publicly accessible servers (shared) | N/A (this data was created with the intention of sharing it)
Home automation system | On a local network within the home without access to a larger network | Loss of access to or control of lights, thermostats, or other home systems
Credit: Calm Technology, Amber Case
28. Summary
• The world of connected devices ( IoT ) is still an emerging field
• Data available will become increasingly personal and unfiltered
• As with prior technology changes:
• The IoT ( and mistakes ) will happen whether we like it or not
• Apply many of the same security practices from the IoC
• Leverage distributed computing and best practices for data storage
• Always provide mechanisms for updates