Out Go The Lights: An Enlightening Discussion of IoT Automation Security by Deral Heiland
Out Go The Lights: An enlightening discussion of IoT automation security
RESEARCH LEAD at
Deral Heiland CISSP
Agenda
Understanding IoT
IoT Migration into the enterprise
Lighting automation exploitation
Securing IoT best practices
Internet of Things (IoT)
Typical traits of an IoT-based technology
Interrelated devices
Collecting and sharing data
Networked together
Embedded electronics
Cloud
Mobile
Hardware
Network
Data
The ecosystem approach allows us to:
More thoroughly examine the technology's overall security
Better define the security risk and impact
Deploy IoT solutions in a more secure manner
Mobile
Application
Communication
Storage
Authentication
Cloud
Authentication
Communication
Encryption
Data storage
Web attacks
Network
Protocols
Communications
Encryption
Replay, Spoofing attacks
Hardware
CPU
Physical
Firmware
IoT Migration into the Enterprise
They’re Here
Wearable
Lighting
HVAC
Power Management
Audio Video systems
Lighting Automation Exploitation
Automation Exploits
Mobile Application
Embedded Web
Communication Protocols
Local / Direct connect services
Mobile Applications
Unencrypted storage
Unencrypted communication
iOS home button screenshot
No SSL Pinning
Embedded Web
Cross-site scripting
Cross-site request forgery
Communication protocols
Zigbee
Ethernet
Z-Wave
WiFi
Local Connect
Unencrypted
Unauthenticated
# Set up data to send to port 4000
$data1 = "\x83\x00\x00\xe3\x03\x00\x00\x00\x01";
$data2 = pack('a33',"$SSID");
$data3 = pack('a69',"$WPAPSK");
$data4 = "\x04\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$send_data = join "", $data1, $data2, $data3, $data4;
Securing IoT Best Practices
Best Practices
Identification
Business needs
Isolation / Segmentation
Patch management