HP Internet of Things Research Study (slides, conference2015.chistera.eu/sites/conference2015...)
Transcript
Page 1
HP Internet of Things Research Study
Miranda Mowbray, HP Labs miranda.mowbray at hp.com (hpe.com from 1 Aug 2015)
Page 2
Talos: Security Thing, 2nd Century BC
Sculpture “Talos 2” by James Lee Hansen, in Portland
Photo Ian Sane, https://www.flickr.com/photos/31246066@N04/11441760524/in/photostream/
Page 3
Internet of Things Research Study
2014 report by Craig Smith et al, HP Fortify on Demand Research (not HP Labs)
10 devices - the most popular devices in 10 different categories: TV, webcam, home thermostat, remote power outlet, sprinkler controller, hub for controlling multiple devices, door lock, home alarm, scales, garage door opener
All had mobile apps for remote control
Majority had a cloud service
http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
Page 4
Photo Kimubert / treevillage on Flickr, https://www.flickr.com/photos/treevillage/16019902595/
Page 5
OWASP recommendations: privacy
• Only collect data the device needs to function
• Try not to collect sensitive data
• De-identify or anonymize
• Ensure the Thing and its components protect personal information
• Only give access to authorized individuals
• “Notice and Choice” for end-users if more data is collected than would be expected
Open Web Application Security Project (slightly edited) https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
Page 6
Internet of Things Research Study: privacy
9 of the 10 devices collected at least one piece of personal information via the device, its cloud, or the app. E.g. name, address, date of birth, health data, even credit card numbers
Page 7
How many Pen Testers does it take to change a lightbulb?
Photo of George Yianni by Betsy Weber / betsyweber on Flickr, https://www.flickr.com/photos/betsyweber/13952214021/
Page 8
OWASP recommendations: authentication
• Require strong passwords
• Granular access control where necessary
• Protect credentials
• 2-factor authentication where practical
• Secure password recovery mechanisms
• Re-authentication for sensitive features
• Password control configuration options
Open Web Application Security Project (slightly edited) https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
Page 9
Internet of Things Research Study: authentication
8 of the 10 devices failed to require passwords of sufficient complexity or length. Most allowed e.g. “1234” or “123456”
Page 10
The hidden meaning of Things
O único sentido oculto das coisas
É elas não terem sentido oculto nenhum
The only hidden meaning of things
Is that they have no hidden meaning at all
Alberto Caeiro (Fernando Pessoa), “O Guardador de Rebanhos”
Public domain photo: portrait of Fernando Pessoa in 1912, by Rodriguez Castañe. http://en.wikipedia.org/wiki/Fernando_Pessoa#/media/File:CCI00768.jpg
Page 11
OWASP recommendations: transport encryption
• Encrypt data when transiting networks
• Use SSL/TLS, or other industry standards if these are not available
• Don’t use proprietary encryption
Open Web Application Security Project (slightly edited) https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
Page 12
Internet of Things Research Study: transport encryption
7 of the 10 devices did not encrypt communications with the Internet or the local network.
Page 13
Photo Casey Fiesler / cfiesler on Flickr, https://www.flickr.com/photos/cfiesler/5798190451/
Page 14
OWASP recommendations: Web user interface
• Change default passwords during initial setup – ideally also default usernames
• Robust password recovery mechanisms
• Ensure not susceptible to XSS, SQLi, CSRF
• Don’t expose credentials in network traffic
• Require strong passwords
• Lock out the account after 3-5 failed logins
Open Web Application Security Project (slightly edited) https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
Page 15
Internet of Things Research Study: Web user interface
6 of the 10 devices had user interface security problems, e.g. persistent XSS, poor session management, weak default credentials, credentials transferred in the clear
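An added example (not from the HP study or the OWASP page) of the credential controls the authentication and Web user interface recommendations above describe: a password check that rejects the short numeric defaults the study found accepted, salted password hashing so credentials are not stored in the clear, and lockout after a fixed number of failed logins. The 12-character minimum, the small weak-password blocklist and the lockout threshold of 5 are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12          # policy threshold (an assumption for this example)
LOCKOUT_THRESHOLD = 5    # OWASP: lock out after 3-5 failed logins
PBKDF2_ROUNDS = 100_000
# Constructed blocklist of weak defaults; a product would ship a much larger one.
WEAK_PASSWORDS = {"1234", "12345", "123456", "password", "admin", "qwerty"}


def password_is_strong(pw: str) -> bool:
    """Reject blocklisted, short, or single-character-class passwords."""
    if len(pw) < MIN_LENGTH or pw.lower() in WEAK_PASSWORDS:
        return False
    classes = [any(c.isdigit() for c in pw),
               any(c.isalpha() for c in pw),
               any(not c.isalnum() for c in pw)]
    return sum(classes) >= 2


class AccountStore:
    """In-memory user store with salted hashing and failed-login lockout."""

    def __init__(self):
        self._users = {}  # username -> record dict

    def register(self, user: str, pw: str) -> bool:
        """Refuse to create an account with a weak password."""
        if not password_is_strong(pw):
            return False
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}
        return True

    def login(self, user: str, pw: str) -> str:
        """Return 'ok', 'denied' or 'locked'; lock after repeated failures."""
        rec = self._users.get(user)
        if rec is None:
            return "denied"
        if rec["locked"]:
            return "locked"
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, rec["hash"]):  # constant-time compare
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True
            return "locked"
        return "denied"
```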
Page 16
Detail of image Stephen Edgar/netweb on Flickr, https://www.flickr.com/photos/netweb/3825893890/
Page 17
OWASP recommendations: software/firmware updates
• Ensure updates are possible!
• Encrypt the update file
• Transfer the update over an encrypted connection
• Ensure the update file doesn’t expose sensitive info
• Verify the update before uploading and applying
• Secure the update server
Open Web Application Security Project (slightly edited) https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
Page 18
Internet of Things Research Study: software updates
6 of the 10 devices did not use encryption when downloading software updates.
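An added example (not from the HP study or OWASP) of the two update recommendations that the finding above bears on: the device refuses an update unless it was fetched over an encrypted connection and its authentication tag verifies. HMAC-SHA256 with a shared key stands in for a real asymmetric signature (e.g. Ed25519) so the block runs with the standard library only; a product should verify a public-key signature so no signing key ships inside the firmware. The key, URLs and sample image are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed demo key; a product would hold the vendor's public verification key.
VENDOR_KEY = b"demo-vendor-key-not-for-production"


def sign_update(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: tag the update image (stand-in for a signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def update_url_is_acceptable(url: str) -> bool:
    """OWASP: transfer the update over an encrypted connection."""
    return urlparse(url).scheme == "https"


def apply_update(image: bytes, tag: bytes, url: str, key: bytes = VENDOR_KEY) -> str:
    """Device side: apply only if transport and tag both check out."""
    if not update_url_is_acceptable(url):
        return "rejected: insecure transport"
    expected = sign_update(image, key)
    # Constant-time comparison so tag checking does not leak timing.
    if not hmac.compare_digest(expected, tag):
        return "rejected: bad signature"
    return "applied"


# Constructed sample update image, and a copy with its last byte altered.
SAMPLE_IMAGE = b"FIRMWARE v2.0.1 " + bytes(range(32))
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"\x00"
```

A download that skips the tag check would install TAMPERED_IMAGE just as readily as the genuine one; encrypting the channel alone does not establish who produced the file.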
Page 19
25
Page 20
Why the Epic Fail?
• New tech
• Hooking up old tech
• Limited device resources
• Business models
Adapted from “Fail” stamp by Nima Badiey / ncc_badiey on Flickr, https://www.flickr.com/photos/ncc_badiey/3095099782/
Page 21
HP Discover, 2014
Page 22
Photo Jim / albysbrain on Flickr, https://www.flickr.com/photos/albysbrain/5951283280//
Page 23
Physiological data (not comprehensive)
Blood pressure: iHealth, Withings
Movement: Fitbit, Nike Fuel band, Jawbone Up band, Garmin, Samsung, MC10, Zephyr, Withings, Spire, iHealth, Jins Merne, Proteus, Neumitra, Body Media, Empatica, Owlet
Skin conductance: Basis, Body Media, Empatica, Neumitra
Oxygen level: iHealth, Withings, Owlet
Posture: Lumo, Zephyr, Jins Merne
Hydration: Corventis, MC10
Temperature: Tempdrop, Empatica, BodyMedia, Basis, Owlet, MC10
Sleep: Fitbit, Rest Devices, Garmin, Nike, Amigo, BodyMedia, Withings, Samsung, Misfit, Jawbone, iHealth, Basis, Owlet
Brain activity: NeuroSky, DAQRI, Emotiv
Glucose: Google, Dexcom, Glysens Inc
Respiration: Spire, Zephyr, Rest Devices
Ingestion: Proteus
Eye tracking: Jins Merne
Heart tracking: Zephyr, Withings, Sprouting, Proteus, iHealth, Basis, Corventis, AliveCor, Samsung, Garmin, Empatica, Owlet
Source: Elenko, Underwood and Zohar, Nature Biotechnology 33: 456-461, May 2015 http://www.nature.com/nbt/journal/v33/n5/fig_tab/nbt.3222_F1.html
Page 24
Things transform themselves into me
Things transform themselves into me
It’s like rain on the sea
It melts itself into waves traversing me...
Cloud, window, clothes line, wing, wish, back yard...
Phrases, voices, colours, waves, frequencies, signals
Translation of part of “Chuva no mar”, lyrics by Arnaldo Antunes. Performed by Carminho and Marisa Monte, “Canto” album, 2014 https://www.youtube.com/watch?v=hIiRXFz7C24
Page 25
Photo of Secret Pizza Party poster in Detroit CAVE CANEM/bewareofdog, https://www.flickr.com/photos/bewareofdog/284770877/
Page 26
Questions?
Miranda Mowbray, HP Labs miranda.mowbray at hp.com (hpe.com from 1 Aug 2015)