Crowdsourced Cybersecurity
Your Life Is The Attack Surface: The Risks of IoT in 2016
Jason Haddix, Head of Trust and Security, Bugcrowd
Your Life Is The Attack Surface: The Risks of IoT in 2016 @jhaddix [email protected]
Who am I?
Hacker, father and lover of EDM
Director of Penetration Testing - HP Fortify
Sr. Security Engineer - Redspin, Inc
and now… Bugcrowd
Previously: Director of Technical Operations
Now: Head of Trust & Security
What are we talking about today?
History + Evolution of the Internet of Things
Risks - Perceived and Real of IoT
IoT & Security Testing
Resources + Projects
Future of IoT Security
Main Takeaways
What is this ‘IoT’?
“The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”
A brief history of IoT…
https://www.semiwiki.com/forum/content/5559-quick-history-internet-things.html
It’s a crazy world…
Some talks from IoT Village at DEF CON this year
CONFIDENTIAL - DO NOT DISTRIBUTE +1 415 867 5351 [email protected]
Why should I care about this crazy stuff anyway?
What are the real risks?
IoT Security: Who is involved?
The Players:
Manufacturer
Developer
Consumer
Typical Surface Areas
Bugcrowd Case Studies
IoT Security Mitigation
Consumer Protection:
Research your device before purchase
Change and use strong passwords
Use strong WiFi encryption
Update the device regularly
Check the device for additional security configurations
Disable features not being used
IoT Security Mitigation
Developer / Manufacturer Guidance:
Use and Force SSL for communication
Allow and encourage strong passwords
Require the user to change default passwords
Do not use hard-coded passwords in source
Provide a simple and secure update process with a chain of trust
Secure any web interface and API from bugs listed in the OWASP Top Ten Web Vulnerabilities
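Three of the guidance items above (strong passwords, forced replacement of the default password, and an update process with a chain of trust) are shown below in a single added Go example. It is not code from the talk or from Bugcrowd; the manifest format, the factory-default list, the `/setup/password` path and the firmware image bytes are all constructed for illustration. The chain of trust is: a manufacturer Ed25519 public key pinned in the device, a signed manifest carrying the release version and image hash, and the device checking signature, anti-rollback version and image hash before it installs anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// FirmwareManifest is the constructed release metadata the manufacturer signs.
type FirmwareManifest struct {
	Version   uint32   // monotonically increasing; used to refuse rollbacks
	ImageHash [32]byte // SHA-256 of the firmware image this manifest vouches for
}

// Encode serialises the manifest deterministically so the signature covers exactly these bytes.
func (m FirmwareManifest) Encode() []byte {
	buf := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// HashImage computes the digest carried in the manifest.
func HashImage(image []byte) [32]byte { return sha256.Sum256(image) }

// NewManufacturerKey generates the signing key pair. In production the private half
// stays on the signing host; the public half is baked into the device at manufacture.
func NewManufacturerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing CSPRNG on the signing host is unrecoverable
	}
	return pub, priv
}

// SignManifest runs on the manufacturer side at release time.
func SignManifest(priv ed25519.PrivateKey, m FirmwareManifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate runs on the device: pinned public key -> signed manifest -> image hash.
// It also refuses downgrades, so a validly signed but older, vulnerable image is rejected.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m FirmwareManifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("rollback rejected: manifest version not newer than installed")
	}
	if HashImage(image) != m.ImageHash {
		return errors.New("image hash does not match signed manifest")
	}
	return nil
}

// defaultCredentials is a constructed list of factory defaults the device must never accept.
var defaultCredentials = []string{"admin", "password", "12345678", "changeme"}

// ValidatePassword enforces a minimal strength policy and rejects known defaults.
func ValidatePassword(pw string) error {
	if len(pw) < 12 {
		return errors.New("password must be at least 12 characters")
	}
	for _, d := range defaultCredentials {
		if strings.EqualFold(pw, d) {
			return errors.New("password is a known factory default")
		}
	}
	var hasLetter, hasDigit bool
	for _, r := range pw {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if !hasLetter || !hasDigit {
		return errors.New("password must mix letters and digits")
	}
	return nil
}

// DeviceState is the persisted flag the management interface consults on every request.
type DeviceState struct{ PasswordChanged bool } // false until the factory password is replaced

// RequestAllowed makes the password-change page the only reachable endpoint on a fresh device.
func RequestAllowed(s DeviceState, path string) bool {
	return s.PasswordChanged || path == "/setup/password"
}

func main() {
	pub, priv := NewManufacturerKey()
	image := []byte("constructed firmware image, version 2") // stand-in for a real image
	m := FirmwareManifest{Version: 2, ImageHash: HashImage(image)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, sig, image))   // <nil>
	fmt.Println("rollback attempt:", VerifyUpdate(pub, 2, m, sig, image)) // error
	fmt.Println("factory password:", ValidatePassword("admin"), "| fresh device /status:", RequestAllowed(DeviceState{}, "/status"))
}
```

The version check matters as much as the signature: without it, a signed-but-old image with a known bug is a perfectly "valid" update. Keeping the signing key off the device is what makes the hard-coded-password item above compatible with the update item; the device only ever holds a public key.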
Resources
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
https://builditsecure.ly/
https://www.iamthecavalry.org/
The Future and Questions
What causes change?
1. Learning big lessons
2. Standards
3. Policy
4. Legislation & compliance
Questions?
@jhaddix & [email protected]