50 Milliards de failles connectées en 2020 Renaud Lifchitz – Namur – 31 mai 2018


Page 1: 50 Milliards de failles connectées en 2020 - ICT …...Shodan.io, the IoT search engine Shodan crawls the Internet and records technical banners of accessible services A malicious

50 Milliards de failles connectées en 2020

Renaud Lifchitz – Namur – 31 mai 2018

Page 2:

Digital Security

Pure Player in Cyber Security Services

200+ Experts in France. Subsidiaries in Belgium and Luxembourg

2 domains of expertise: Information Systems and IoT

6 service lines: Audit (intrusion tests, code review, …), Consulting (governance, risk management, GDPR), Training, CERT, Onsite Security (SOC, SIEM), Project-based security (IAM, SSO, …)

Innovation: CERT, technology watch, R&D, publications

Certified consultants (PASSI, ISO, CISSP, ITIL, …)

Security label for the Internet of Things,…

Page 3:

IoT: What is it?

Page 4:


IoT: Definition

A connected object with the following seven attributes:

Sensor

Connected to Internet

Processor

Energy efficiency

Optimized cost

Reliability

Security

Page 5:


Use of Connected Objects

IoT: A major evolution

In 2 years, new connected objects will be half of all Internet devices

Source: kaizen-factory.com

Page 6:


All sectors are concerned

Gartner: « By end of 2018, over 20 percent of enterprises will have digital security services devoted to protecting business initiatives using the IoT »

Source: iot-analytics.com

Page 7:


A complex architecture

Data to be protected in a distributed architecture, written in a dozen different programming languages

Source: Mark Horowitz - Stanford Engineering - Securing the Internet of Things

Page 8:

IoT: what about security?

Page 9:


Page 10:


Top 10 of IoT flaws according

1 Insecure Web Interface

2 Insufficient Authentication/Authorization

3 Insecure Network Services

4 Lack of Transport Encryption

5 Privacy Concerns

6 Insecure Cloud Interface

7 Insecure Mobile Interface

8 Insufficient Security Configurability

9 Insecure Software/Firmware

10 Poor Physical Security

Page 11:


The point of view of authorities

The FBI mentions […] personal data theft, but also the sending of malware, e-mail spamming as well as a risk for physical security.

Source: FBI, I-091015-PSA

Page 12:


IoT standards and security guides

Several initiatives: sectoral guidance on IoT security by ENISA

U.S. Dept of Homeland Security Strategic Principles for securing IoT

NIST Special Publication 800-160

OWASP project for the IoT

NESCOR Standard

UL 2900 Standard

IoT security is on its way, but connected solutions are already widespread

Page 13:

How the IoT got hacked

Page 14:


Shodan.io, the IoT search engine

Shodan crawls the Internet and records the technical banners of accessible services

A malicious use is to identify targets vulnerable to known flaws


IoT devices expose themselves on the Internet

Source: Shodan.io

Page 15:


Spying thanks to the Internet of Things

Hack of « smart TVs » used for « digital signage »

Hijacking of service robots (cameras, microphones)

Interception of conversations at reception areas, meeting rooms, etc.


Facilitation of spying

Source: press

Page 16:


Impact of the IoT on the company information system

An « APT » through the hacking of the distributor's subcontractor responsible for the remote monitoring of the connected heating and air conditioning systems.

Financial and privacy damage on a scale never reached before:

40 million stolen credit card numbers and 110 million stolen contact details… affecting 1 out of 3 Americans

Total estimated cost: $14 billion


Information System Hacking

Page 17:


Hack of the Information System through a smart light bulb

Analysis of the light bulb firmware reveals vulnerabilities in every device

Possibility of hacking the WiFi network when within radio range of the bulb (30 meters)


Source: www.contexis.com

Page 18:


Hackers remotely took control of a connected car

Takeover of the car's embedded systems over the Internet

1.5 million cars were recalled in the USA during summer 2015

Update made available on a USB key!


Endangering of human life

Page 19:


Attacks on smart meters


Study on smart meter security

Measurement of consumption

Adaptation of electricity production

Hypothetical attack scenarios include electric sabotage and the subsequent blackout of a whole population

Source: Black Hat Europe 2014, www.youtube.com

Page 20:


Hijack of medical devices


What do a pacemaker and an insulin pump have in common? They have both been hacked

Pacemaker: possibility of turning off the device or delivering an electric discharge of 830 volts

Insulin pump: takeover via WiFi, possibility of turning the device into a lethal weapon!


Page 21:

IoT security: what solutions?

Page 22:


Our CERT: CERT UBIK, the very first CERT in Europe dedicated to IoT security

50 experts

Security watch, incident response, security audits, reverse engineering, …

We have our own dedicated lab

Our IoT CERT and its activities

Page 23:


Digital Security portfolio

Security level evaluation of the IoT chain

Integrating security into projects

Software and hardware reverse engineering

Code review

Penetration tests

Equipment and skills suited to the specifics of IoT security

Page 24:


IoT Qualified Security Label

Security label for IoT solutions

IQS enables future buyers, companies or individuals, to identify the security level of a connected solution according to a reliable, neutral and independent indicator.