• Home

  • Technology

  • Your Life Is The Attack Surface: The Risks of IoT in 2016
19
Crowdsourced Cybersecurity Your Life Is The Attack Surface: The Risks of IoT in 2016 Jason Haddix, Head of Trust and Security, Bugcrowd

Your Life Is The Attack Surface: The Risks of IoT in 2016

Embed Size (px)

Citation preview

Page 1: Your Life Is The Attack Surface: The Risks of IoT in 2016

Crowdsourced Cybersecurity

Your Life Is The Attack Surface: The Risks of IoT in 2016Jason Haddix, Head of Trust and Security, Bugcrowd

Page 2: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

Who am I?Hacker, father and lover of EDM

Director of Penetration Testing - HP Fortify

Sr. Security Engineer - Redspin, Inc

and now… Bugcrowd

Previously: Director of Technical Operations

Now: Head of Trust & Security

mailto:[email protected]
Page 3: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

What are we talking about today?

History + Evolution of the Internet of ThingsRisks - Perceived and Real of IoTIoT & Security TestingResources + ProjectsFuture of IoT SecurityMain Takeaways

3

mailto:[email protected]
Page 4: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

What is this ‘IoT’?“The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”

mailto:[email protected]
Page 5: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

A brief history of IoT…

https://www.semiwiki.com/forum/content/5559-quick-history-internet-things.html

mailto:[email protected]
Page 6: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

It’s a crazy world…Some talks from IoT Village in DEFCON this year

mailto:[email protected]
Page 7: Your Life Is The Attack Surface: The Risks of IoT in 2016

CONFIDENTIAL - DO NOT DISTRIBUTE +1 415 867 5351 [email protected]

Why should I care about this crazy stuff anyway?

mailto:[email protected]
Page 8: Your Life Is The Attack Surface: The Risks of IoT in 2016

CONFIDENTIAL - DO NOT DISTRIBUTE +1 415 867 5351 [email protected]

8

Security = SafetyDATA

mailto:[email protected]
Page 9: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

What are the real risks?

mailto:[email protected]
Page 10: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

IoT Security: Who is involved?The Players:

Manufacturer Developer Consumer

mailto:[email protected]
Page 11: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

Typical Surface Areas

mailto:[email protected]
Page 12: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

Bugcrowd Case Studies

mailto:[email protected]
Page 13: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

Bugcrowd Case Studies

mailto:[email protected]
Page 14: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

Bugcrowd Case Studies

mailto:[email protected]
Page 15: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

IoT Security MitigationConsumer Protection:

Research your device before purchaseChange and use strong passwordsUse strong WiFi encryptionUpdate the device regularlyCheck device for additional security

configurationsDisable features not being used

mailto:[email protected]
Page 16: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

IoT Security MitigationDeveloper / Manufacturer Guidance:

Use and Force SSL for communication

Allow and encourage strong passwords

Require the user to change default passwords

Do not use hard-coded passwords in source

Provide a simple and secure update process with a chain of trust

Secure any web interface and API from bugs listed in the OWASP Top Ten Web Vulnerabilities

mailto:[email protected]
Page 17: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

Resources

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

https://builditsecure.ly/

https://www.iamthecavalry.org/

mailto:[email protected]
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
https://builditsecure.ly/
https://builditsecure.ly/
https://www.iamthecavalry.org/
https://www.iamthecavalry.org/
Page 18: Your Life Is The Attack Surface: The Risks of IoT in 2016

Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]

The Future and QuestionsWhat causes change?

1. Learning big lessons2. Standards3. Policy 4. Legislation & compliance

Questions?

@jhaddix & [email protected]

mailto:[email protected]
Page 19: Your Life Is The Attack Surface: The Risks of IoT in 2016

Crowdsourced Cybersecurity

Questions?


Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu

Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu

Technology
An Attack-Resilient Architecture for the Internet of Thingsevans/pubs/attack-resilient-iot/attack-resilient-iot.pdfnetwork architecture simplifies the data analysis to enable a simple

An Attack-Resilient Architecture for the Internet of Thingsevans/pubs/attack-resilient-iot/attack-resilient-iot.pdfnetwork architecture simplifies the data analysis to enable a simple

Documents
Network Camera User Manual · attack, hacker attack, virus inspection, or other internet security risks; however, hikvision will provide timely technical support if required. surveillance

Network Camera User Manual · attack, hacker attack, virus inspection, or other internet security risks; however, hikvision will provide timely technical support if required. surveillance

Documents
IoT Security and Privacy Risks

IoT Security and Privacy Risks

Documents
Engineering Secure Software. Agenda What is IoT? Security implications of IoT IoT Attack Surface Areas IoT Testing Guidelines Top IoT Vulnerabilities

Engineering Secure Software. Agenda What is IoT? Security implications of IoT IoT Attack Surface Areas IoT Testing Guidelines Top IoT Vulnerabilities

Documents
Cybersecurity Risks in Complex IoT Environments Risks in Complex IoT Environments: Stephen Hilt, Numaan Huq, Martin Rösler, and Akira Urano Threats to Smart Homes, Buildings and Other

Cybersecurity Risks in Complex IoT Environments Risks in Complex IoT Environments: Stephen Hilt, Numaan Huq, Martin Rösler, and Akira Urano Threats to Smart Homes, Buildings and Other

Documents
IoT as an Attack Vector€¦ · 1 © Corero 2017 IoT as an Attack Vector The DDoS Game Changer! Sean Newman Director Product Management

IoT as an Attack Vector€¦ · 1 © Corero 2017 IoT as an Attack Vector The DDoS Game Changer! Sean Newman Director Product Management

Documents
Cyber Attack in IoT on the rise · 2017-02-13 · Cyber Attack in IoT on the rise - Observing attacks in IoT using IoTPOT - Koji Nakao Distinguished Researcher - NICT Guest Professor

Cyber Attack in IoT on the rise · 2017-02-13 · Cyber Attack in IoT on the rise - Observing attacks in IoT using IoTPOT - Koji Nakao Distinguished Researcher - NICT Guest Professor

Documents
IoT Goes Nuclear: Creating a ZigBee Chain Reactionpiak/teaching/iot/2016/...IoT devices had just been demonstrated by the massive DDOS attack on the Dyn DNS company, which exploited

IoT Goes Nuclear: Creating a ZigBee Chain Reactionpiak/teaching/iot/2016/...IoT devices had just been demonstrated by the massive DDOS attack on the Dyn DNS company, which exploited

Documents
IoT & SCADA Cyber Security Services - RIoT Solutions · sample attack / exploitation steps, and the resulting risks - Identified effective security controls . RIoT Solutions Pty Ltd

IoT & SCADA Cyber Security Services - RIoT Solutions · sample attack / exploitation steps, and the resulting risks - Identified effective security controls . RIoT Solutions Pty Ltd

Documents
Towards Learning-automation IoT Attack Detection through ...(IoT) devices are deployed, the security and privacy issues in IoT arouse more and more attention. The IoT attacks are causing

Towards Learning-automation IoT Attack Detection through ...(IoT) devices are deployed, the security and privacy issues in IoT arouse more and more attention. The IoT attacks are causing

Documents
McAfee Labs Threats Report · of Internet of Things (IoT) devices last fall. The so-called Dyn attack was a distributed denial of service (DDoS) attack that used IoT devices as bots

McAfee Labs Threats Report · of Internet of Things (IoT) devices last fall. The so-called Dyn attack was a distributed denial of service (DDoS) attack that used IoT devices as bots

Documents
E Series - Network Webcams · OPERATION, PRIVACY LEAKAGE OR OTHER DAMAGES RESULTING FROM CYBER ATTACK, HACKER ATTACK, VIRUS INSPECTION, OR OTHER INTERNET SECURITY RISKS; HOWEVER,

E Series - Network Webcams · OPERATION, PRIVACY LEAKAGE OR OTHER DAMAGES RESULTING FROM CYBER ATTACK, HACKER ATTACK, VIRUS INSPECTION, OR OTHER INTERNET SECURITY RISKS; HOWEVER,

Documents
IOT & BYOD – The New Security Risks (v1.1)

IOT & BYOD – The New Security Risks (v1.1)

Internet
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)

Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)

Technology
An Attack-Resilient Architecture for the Internet of Thingsevans/pubs/attack-resilient-iot/attack... · 3940 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020

An Attack-Resilient Architecture for the Internet of Thingsevans/pubs/attack-resilient-iot/attack... · 3940 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020

Documents
Perpetrate cyber-attacks using IoT devices as attack

Perpetrate cyber-attacks using IoT devices as attack

Documents
How Hackable is Your Smart Enterprise? · such as Wi-Fi, Bluetooth, ZigBee. Anatomy of an IoT Attack. Visualizing an IoT Attack. Research Methodology Commissioned by ForeScout Technologies,

How Hackable is Your Smart Enterprise? · such as Wi-Fi, Bluetooth, ZigBee. Anatomy of an IoT Attack. Visualizing an IoT Attack. Research Methodology Commissioned by ForeScout Technologies,

Documents
IoT Attack Surfaces -- DEFCON 2015

IoT Attack Surfaces -- DEFCON 2015

Technology
Mitigating Security Risks through Attack Strategies

Mitigating Security Risks through Attack Strategies

Documents
Attack and Anomaly Detection in IoT Networks using Machine

Attack and Anomaly Detection in IoT Networks using Machine

Documents
Risks to UEFI firmware: Due to growing attack surfaces

Risks to UEFI firmware: Due to growing attack surfaces

Documents
New Nikos Georgopoulos, MBA, cyRM Cyber Risks Advisorfiles.cyberadvisors.webnode.com/200000207-a4182a5107/IoT... · 2016. 10. 16. · Nikos Georgopoulos IoT Conference 2016 More Information

New Nikos Georgopoulos, MBA, cyRM Cyber Risks Advisorfiles.cyberadvisors.webnode.com/200000207-a4182a5107/IoT... · 2016. 10. 16. · Nikos Georgopoulos IoT Conference 2016 More Information

Documents
IoT Forensics: Challenges For The IoA Era · The IoT is creating a wider attack surface, with billions of new and emerging devices. The IoT inherits the same monitoring requirements

IoT Forensics: Challenges For The IoA Era · The IoT is creating a wider attack surface, with billions of new and emerging devices. The IoT inherits the same monitoring requirements

Documents
The real risks of the IoT security-nightmare Hacking … › 2016 › pp7e0 › fahrplan › system › ...The real risks of the IoT security-nightmare Hacking IP cameras through the

The real risks of the IoT security-nightmare Hacking … › 2016 › pp7e0 › fahrplan › system › ...The real risks of the IoT security-nightmare Hacking IP cameras through the

Documents
The Healthcare IoT: Rewards and Risks (Infographic)

The Healthcare IoT: Rewards and Risks (Infographic)

Technology
The Internet of Things...• The Internet of Things (IoT) has brought benefits, but also risks – particularly security risks • The security threat to IoT is real, dangerous and

The Internet of Things...• The Internet of Things (IoT) has brought benefits, but also risks – particularly security risks • The security threat to IoT is real, dangerous and

Documents
Nuclear Attack Planning Base-1990, Annex B (Fallout Risks

Nuclear Attack Planning Base-1990, Annex B (Fallout Risks

Documents
Reducing cyber security risks in video surveillance …...brute force attack. 2.2 If it is not possible to acquire cameras without IoT components, it is recommended to disable Internet

Reducing cyber security risks in video surveillance …...brute force attack. 2.2 If it is not possible to acquire cameras without IoT components, it is recommended to disable Internet

Documents
IoT Security Risks and Challenges

IoT Security Risks and Challenges

Internet