Practical Approaches to IoT Security
Tony Wilson, CISSP

Agenda
• About Me
• Current State of IoT
• Current Threat Landscape
• Practical Security Options
  • Consumers
  • Developers
• Putting it All Together
• Q & A
• Appendix
  • Resources
  • Missteps from Popular IoT Security Fails

About Me
• 10+ years cyber security and compliance experience
• Expertise in Threat Intelligence and Incident Response
• Currently geeking out on machine learning and home cyber security
• My hobbies include fitness activities, fantasy sports, travel and television / movies

Current State of IoT
• Maximum hype
• Growing number of devices
• High visibility of security limitations
• What is the tipping point?
  • There is no incentive for security until consumers demand it
  • Confluence of ability, opportunity and motivation

Current Threat Landscape
• Barrier to entry is low
  • Malware as a service
• Vectors of choice
  • Phishing
  • Watering holes / exploit kits
• Attack du jour
  • Ransomware
• As the traditional landscape becomes more fortified, attacks will shift more to IoT devices
  • "Old vulnerabilities with new capabilities" - Bruce Schneier
  • "We might use the internet of things to spy on you" - US intelligence chief
• Stay ahead of the herd

Practical Security Options: Consumers
• Product selection
  • Consider not being an early adopter
  • Choose brands you trust
    • Proven track records
    • Certified by standards bodies
  • Choose products that are patchable
• Adopt general security best practices
  • Unique passwords, multi-factor authentication
  • Smartphone security
• Beef up home security
  • Update / replace ISP-provided router
  • Firewall
  • Segmentation
  • Next-gen gateways (limited options for home users)
  • User Behavior Analytics (Cujo)

Commercial Improvements are Necessary to Make Progress
• Better hardware at lower costs
  • Trade-offs: more security requires more processing power; more processing power means more cost, more packaging and more battery
  • May be viable for devices like appliances, but not disposables
• Standards
  • Developer-focused: fragmented, adoption still lacking
  • Consumer-focused: sparse

Practical Security Options: Developers
• Align security investment with your brand
• Examples
  • Volvo: integration of safety (i.e., security) by design
  • Adobe (Flash): reactive approach to security

Practical Security Options: Developers (cont.)
• Educate yourself about key elements of IoT security
  • OWASP Top 10
• Adopt a framework or standard
  • Frameworks: NIST CPS, IoTivity/OIC, GSMA
  • Standards: AllJoyn, Thread, OTrP

Practical Security Options: Developers (cont.)
• Integrate security into your SDLC
  • DevOps can facilitate automation
• Automated testing
  • Static analysis
• Third-party testing
  • Traditional bug bounties
  • Crowdsourced testing: Bugcrowd, Applause
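To make "static analysis in the SDLC" concrete, here is an added example that is not from the talk: the kind of defect Flawfinder, Cppcheck and RATS report in C firmware, next to a bounded rewrite of the same parser. The wire format "SET <name>=<value>\n" is an assumption made for illustration; it stands in for any line-oriented command a device accepts over the network.

```c
/*
 * Added example, not from the talk: a command parser as a static
 * analyzer would flag it, beside a bounded rewrite. The wire format
 * "SET <name>=<value>\n" is assumed for illustration only.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 64
#define NAME_MAX     16
#define VALUE_MAX    32

/* BEFORE: attacker-controlled input copied with no length check.
 * Flawfinder flags strcpy (CWE-120) and the unbounded "%s" in sscanf;
 * Cppcheck reports a possible buffer overrun. Shown only so the
 * scanner findings have something to point at; never ship this. */
int parse_set_unsafe(const char *line, char *name, char *value)
{
    char work[LINE_MAX_LEN];
    strcpy(work, line);
    if (sscanf(work, "SET %[^=]=%s", name, value) != 2)
        return -1;
    return 0;
}

/* AFTER: the caller passes the length it actually received, every
 * copy is bounded by the destination size, and the name is
 * restricted to a conservative character set. Returns 0 on success,
 * -1 on any malformed or oversized input. */
int parse_set_safe(const char *line, size_t line_len,
                   char name[NAME_MAX], char value[VALUE_MAX])
{
    if (line == NULL || line_len == 0 || line_len > LINE_MAX_LEN)
        return -1;
    if (line[line_len - 1] == '\n')          /* drop one trailing newline */
        line_len--;
    if (line_len < 4 || memcmp(line, "SET ", 4) != 0)
        return -1;

    const char *p   = line + 4;
    const char *end = line + line_len;
    const char *eq  = memchr(p, '=', (size_t)(end - p));
    if (eq == NULL)
        return -1;

    size_t nlen = (size_t)(eq - p);
    size_t vlen = (size_t)(end - eq - 1);
    if (nlen == 0 || nlen >= NAME_MAX || vlen == 0 || vlen >= VALUE_MAX)
        return -1;
    for (size_t i = 0; i < nlen; i++)           /* name: [A-Za-z0-9_] only */
        if (!isalnum((unsigned char)p[i]) && p[i] != '_')
            return -1;

    memcpy(name, p, nlen);       name[nlen]  = '\0';
    memcpy(value, eq + 1, vlen); value[vlen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample input: one valid command, one oversized name. */
    const char *ok  = "SET led=on\n";
    const char *bad = "SET aaaaaaaaaaaaaaaaaaaaaaaa=on\n";
    char name[NAME_MAX], value[VALUE_MAX];

    if (parse_set_safe(ok, strlen(ok), name, value) == 0)
        printf("accepted: %s = %s\n", name, value);
    if (parse_set_safe(bad, strlen(bad), name, value) != 0)
        printf("rejected oversized name\n");
    return 0;
}
```

Running `flawfinder` or `cppcheck` on this file reports the strcpy/sscanf pair in parse_set_unsafe and stays quiet on parse_set_safe; wiring that command into the build is the "DevOps can facilitate automation" step on the slide.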

Putting it All Together
Profile
• Objective: Create prototype
• Security budget: $0 - $1000
• Security experience: Limited
• Project timeline: 3-6 months
Education
• OWASP Top 10
Hardware / Software
• BeagleBone Black
• Ubuntu Core (Snappy)
• C/C++
SDLC
• Agile
• Define security requirements upfront
• Test iteratively
Code Review
• Static analysis: Clang, Cppcheck, Flawfinder, RATS, Splint, Yasca
• Crowdsourced testing: Bugcrowd
Security Posture
• Not likely to be susceptible to common attacks
• Well positioned to transition to a secure production device

Closing Thoughts
• Baby steps
• Progress, not perfection

Resources
• OWASP Internet of Things Project: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Main
• Standards and frameworks
  • Thread: http://threadgroup.org/
  • AllJoyn / AllSeen Alliance: https://allseenalliance.org/
  • Industrial Internet Reference Architecture: http://www.iiconsortium.org/IIRA.htm
  • IEEE P2413: https://standards.ieee.org/develop/project/2413.html
  • Apple HomeKit: https://developer.apple.com/homekit/
  • IoTivity: https://www.iotivity.org/
  • NIST CPS PWG Cyber-Physical Systems (CPS) Framework Release 1.0: https://pages.nist.gov/cpspwg/
  • GSMA IoT Security Guidelines: http://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/

Resources (cont.)
• Crowd testing
  • Bugcrowd: https://bugcrowd.com/
  • Applause: https://www.applause.com/security-testing/
• Static analysis
  • NIST compilation of tools: https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

Missteps from Popular IoT Security Fails

Device                 | Attack                                        | Vector
-----------------------|-----------------------------------------------|---------------------------------------------------------------
Bluetooth smart locks  | Open locks                                    | Static/default passwords; poor standard implementation
Jeep Cherokee          | Remote operation; denial of service           | Guessable Wi-Fi password (entry point)
Tesla Model S          | Unauthorized operation; denial of service     | Physical security; unpatched OS
Barbie                 | Eavesdropping                                 | Unpatched server; weak app authentication
Baby monitors          | Spying; privacy invasion; verbal abuse        | Default passwords; guessable account numbers; lack of encryption
Sniper rifle           | Denial of service; sabotage                   | Default password
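Three of the six rows above come down to a factory credential that was never forced to change. The following is an added example, not from the talk or from any of the products named: a minimal credential module for C firmware in which the device accepts nothing until an owner-chosen secret is set, refuses the well-known default as that secret, and compares in constant time. The default string "admin", the 12-character minimum and the in-memory layout are assumptions for illustration; production firmware would store a salted hash from a KDF rather than the secret itself.

```c
/*
 * Added example, not from the talk: credential handling that closes
 * the "default password" / "weak authentication" rows in the table.
 * Assumed policy: no network authentication until provisioned, the
 * factory default may never be chosen, 12-character minimum, and a
 * constant-time comparison. Plaintext storage is for brevity only.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECRET_MAX 64

/* Assumed factory default; the string every scanner and botnet tries first. */
static const char FACTORY_DEFAULT[] = "admin";

typedef struct {
    int     provisioned;          /* 0 until the owner sets a credential */
    uint8_t secret[SECRET_MAX];
    size_t  secret_len;
} device_auth_t;

/* Constant-time byte comparison: running time depends on n only,
 * not on where the first mismatching byte sits. Returns 1 if equal. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Called from the local setup channel (serial, BLE pairing, captive
 * portal). Returns 0 on success, -1 if the candidate is the factory
 * default, too short, or too long. */
int auth_set_secret(device_auth_t *d, const char *new_secret)
{
    if (d == NULL || new_secret == NULL)
        return -1;
    size_t n = strlen(new_secret);
    if (n == strlen(FACTORY_DEFAULT) && memcmp(new_secret, FACTORY_DEFAULT, n) == 0)
        return -1;                /* the default is never a valid choice */
    if (n < 12 || n >= SECRET_MAX)
        return -1;
    memcpy(d->secret, new_secret, n);
    d->secret_len = n;
    d->provisioned = 1;
    return 0;
}

/* Network-facing check. Returns 1 on success, 0 on failure. An
 * unprovisioned device fails every attempt, so shipping with a
 * default that "works out of the box" is impossible by construction. */
int auth_check(const device_auth_t *d, const char *attempt)
{
    if (d == NULL || attempt == NULL || !d->provisioned)
        return 0;
    size_t n = strlen(attempt);
    if (n != d->secret_len)       /* length differs: reject; only the length leaks */
        return 0;
    return ct_equal(d->secret, (const uint8_t *)attempt, n);
}

int main(void)
{
    /* Constructed walk-through: factory state, bad choice, good choice. */
    device_auth_t dev = {0};
    int before = auth_check(&dev, "admin");                         /* 0 */
    int rejected = auth_set_secret(&dev, "admin");                  /* -1 */
    int accepted = auth_set_secret(&dev, "correct-horse-battery");  /* 0 */
    int after = auth_check(&dev, "correct-horse-battery");          /* 1 */
    return (before == 0 && rejected == -1 && accepted == 0 && after == 1) ? 0 : 1;
}
```

The point is the state machine, not the string compare: the Jeep, baby monitor and rifle entries all had working credentials before any owner touched the device, and that is the property this module removes.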