iot security, threats and challenges by v.p.prabhakaran
Post on 10-Jan-2017
IoT Security, Threats and Challenges
By V.P.Prabhakaran
Introduction of IoT
The Internet of Things (IoT) is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. It is a complete integration of physical objects with computer logical operations.
Things in IoT
• “Things, in the IoT, include vast collections of devices such as heart monitoring implants, biochip transponders on farm animals, automobiles with built-in sensors, or field operation devices that assist firefighters in search and rescue,” reads the definition provided by Wikipedia.
Associated Challenges
• IoT security is all about protecting or safeguarding. Nowadays almost every object contains a small chip, which we usually ignore. Attackers try to compromise those chips by gaining logical access to devices remotely. All security and technical experts face the challenge of protecting that chip from attackers because all the devices, like cars, industrial machines, and home appliances, have the same chip that works with a specific program which is easy to target.
Companies who Operate IoT
• Traditional Big Companies – Google, Microsoft, and Amazon are the big companies that are well versed in the latest security issues and threats associated with IoT, and they have experts who can protect it from attacks. The image below, which I would like to share, shows how Amazon is using IoT.
Companies who Operate IoT (contd…)
• Big Companies – Companies like Honeywell and Ford, which are not as exposed in terms of threats associated with IoT.
• Kickstartup – New joiners who did research and developed a prototype; later on, big companies, like IFTTT (If This Then That) by Linden Tibbets and MuleSoft by Greg Schott, purchased these packages and used them. Currently, the industry is facing a shortage of IoT security experts and still struggles with IoT countermeasures, according to the report “ISACA Survey: UK Security Experts Sceptical of IoT Device Security; 3/4 Say Manufacturers are Not Implementing Sufficient Security Measures”.
Common Threats Associated with IoT
• Vulnerable IoT Perimeters: When IoT networks are designed, there is a lack of planning for good security implementation, which can allow an intruder to easily gain access to the network. Take a smart meter as an example: if a cyber criminal compromises this device, they can access the domestic network and also monitor the connections between objects in the IoT.
• Increase in Data Breaches: Data breaches are one of the biggest threats to IoT devices. Cyber attackers can try to spy on the communications between devices in an IoT network. Devices accessed through the Internet of Things may be used for cyber espionage purposes by an intelligence agency or by some companies for commercial purposes. The FBI’s chief information security officer warned that the impact of IoT data breaches could be much worse for end users than previous enterprise data breaches.
Common Threats Associated with IoT
• Malware and Botnet Attacks: Malicious users design code to attack IoT networks. Cyber criminals can exploit vulnerabilities in the firmware running on the devices and run arbitrary code, turning IoT components to unplanned use. Malware used against IoT includes the Linux worm Linux.Darlloz. Graphics processing unit-based malware and ransomware attacks are growing rapidly, due to the increase in data, bigger networks, and the Internet of Things (IoT), according to Intel Security’s five-year retrospective threat report. The analysis found that ransomware continued to grow rapidly, with the number of new ransomware samples rising 58 percent in Q2. According to Intel Security, the total number of ransomware samples also grew by 127 percent year-on-year, with the company attributing the increase to fast-growing new families, such as CTB-Locker and CryptoWall. The release of the report marks five years since Intel Security purchased McAfee for $7.7 billion.
OWASP Introduces Vulnerabilities in IoT
• The Open Web Application Security Project (OWASP) provides best practices to improve the security of IoT. Naturally, the project also analyzed the top 10 security issues related to this popular paradigm:
• Insecure Web Interface: An insecure web interface is a common vulnerability found in IoT. Tools such as OWASP ZAP and Shodan are available, and with them we can access these devices. The most famous example of this to date is the case of the web application on TrendNet cameras that exposed a full video feed to anyone who accessed it.
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insufficient Authentication/Authorization: Most IoT devices are protected with a weak password, which is easily exploited through a brute force attack. The attack could come from external or internal users. Some IoT devices are configured with a base64 password encoding mechanism, so the password is effectively sent between devices in plain text: an attacker can use an online website to convert the base64 code back to simple text. Many IoT devices are secured with “Spaceballs quality” passwords like “1234”, put their password checks in client-side Java code, send credentials without using HTTPS or other encrypted transports, or require no passwords at all.
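The base64 point above, seen from the defender's side, as an added example that is not part of the original slides: an audit of captured device requests that flags missing authentication, Basic credentials sent without TLS, and weak passwords. The host name, accounts, weak-password list and finding labels are constructed for the example.

```python
import base64
import binascii

# Constructed weak-password list; "1234" is the example the slide itself gives.
WEAK_PASSWORDS = {"1234", "admin", "password", ""}

def basic_header(user: str, password: str) -> str:
    """Build the header value a device client would send (used for the samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_headers(raw: str) -> dict:
    """Return the headers of a raw HTTP request as a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_request(raw: str, tls: bool) -> list:
    """Findings for one captured request; tls=True means it travelled over HTTPS."""
    auth = parse_headers(raw).get("authorization", "")
    if not auth:
        return ["no-authentication"]
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic":
        return []                                # other schemes are out of scope here
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ["malformed-basic-credentials"]
    _user, _, password = decoded.partition(":")
    findings = []
    if not tls:                                  # base64 is an encoding, not encryption
        findings.append("credentials-recoverable-from-cleartext")
    if password in WEAK_PASSWORDS:
        findings.append("weak-password")
    return findings

# Constructed sample requests for a hypothetical smart meter.
REQ_WEAK = f"GET /status HTTP/1.1\r\nHost: meter.example\r\nAuthorization: {basic_header('admin', '1234')}\r\n\r\n"
REQ_STRONG = f"GET /status HTTP/1.1\r\nHost: meter.example\r\nAuthorization: {basic_header('operator', 'V7#kq9!LmZ2x-T')}\r\n\r\n"
REQ_NONE = "GET /status HTTP/1.1\r\nHost: meter.example\r\n\r\n"

if __name__ == "__main__":
    for raw, tls in [(REQ_WEAK, False), (REQ_STRONG, True), (REQ_NONE, False)]:
        print(audit_request(raw, tls))
```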
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insecure Network Services: Insecure network services may be vulnerable to buffer overflow attacks. Other attacks, like DoS and DDoS attacks, can also be carried out, leaving systems inaccessible to clients or users. To find insecure network services, we use several tools, like Nmap and fuzzers. Examples of these types of services abound in IoT documentation and are regularly highlighted by security researchers. In August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded Telnet logins.”
OWASP Introduces Vulnerabilities in IoT (contd…)
• Lack of Transport Encryption: IoT devices lack transport encryption, which is exploited by an attacker trying to intercept the information exchanged between IoT devices. This attack can be carried out by internal and external users.
• Privacy Concerns: An attacker uses different paths, like lack of authentication, lack of strong transport encryption, or other ports and network services, to gain access to personal data. One of the biggest vulnerabilities, as per the OWASP standard, is that home users may not understand computer security, but they do understand physical security (“is my door locked?”) and privacy (“is that camera watching me?”). Furthermore, their fears are widespread.
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insecure Cloud Interface: We can identify an insecure cloud interface vulnerability by reviewing the connections to the cloud interface and analyzing whether SSL is secure. We also attempt a password reset on the portal to find a live user, which can lead to user enumeration. Since most security professionals already know how to evaluate systems for these types of vulnerabilities, we won’t spend much time on it in this article, except to remind you that you should get the permission of any remote cloud service before you attempt to perform any type of penetration test against it.
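The password-reset check described above, shown as the behaviour it detects next to a hardened form, as an added example that is not part of the original slides. The account store, handler names, messages and e-mail addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed account store for the example.
USERS = {"alice@example.test": {"reset_token_hash": None}}
GENERIC = (200, "If the account exists, a reset link has been sent.")

def reset_enumerable(email: str):
    """What the reset test detects: the reply reveals whether the user exists."""
    if email not in USERS:
        return (404, "No such user.")
    return (200, "Reset link sent.")

def reset_uniform(email: str, outbox: list):
    """Hardened form: identical status and body for every input."""
    key = email.strip().lower()
    token = secrets.token_urlsafe(32)       # generated on both paths, so work is similar
    digest = hashlib.sha256(token.encode()).hexdigest()
    if key in USERS:
        USERS[key]["reset_token_hash"] = digest   # store only the hash of the token
        outbox.append((key, token))               # stands in for sending the e-mail
    return GENERIC

def token_is_valid(email: str, token: str) -> bool:
    """Constant-time comparison of a presented token against the stored hash."""
    stored = (USERS.get(email.strip().lower()) or {}).get("reset_token_hash")
    presented = hashlib.sha256(token.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, presented)

def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Review check: does the portal answer differently for live and unknown accounts?"""
    return handler(known) != handler(unknown)

if __name__ == "__main__":
    sent = []
    print(leaks_account_existence(reset_enumerable, "alice@example.test", "nobody@example.test"))
    print(leaks_account_existence(lambda e: reset_uniform(e, sent), "alice@example.test", "nobody@example.test"))
```

The check compares only status and body; response timing and rate limiting on the reset endpoint need their own review.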
OWASP Introduces Vulnerabilities in IoT (contd…)
• Insecure Mobile Interface
• Insufficient Security Configurability
• Insecure Software/Firmware
• Poor Physical Security
About Author
• V.P.Prabhakaran is a highly experienced security professional with more than 9 years of experience as Senior Information Security Consultant at Koenig Solutions.
Information Security Consultant
CISSP | CISA | CISM | COBIT 5 | TOGAF