Security and Privacy for the Internet of Things - Not - PowerPoint Presentation

Security and Privacy for the Internet of Things - Not - Description

Miranda Mowbray HP Labs mirandamowbray at hpecom My opinions not my employers Still from HP marketing video Photo from San Diegi ComicCon 2011 Doug Kline popculturegeek ID: 358573 Download Presentation

Similar presentations

Security in Internet of Things Begins with the Data
Security in Internet of Things Begins with the Data

Daniel . W. . . Engels, PhD. Associate Professor, CSE, Southern . Methodist University. Director, SMU . Master of Science in Data Science Program. Source: Opte Project. F. irst . mentioned in 1999 . by .

The Internet of Things For Discussion
The Internet of Things For Discussion

What is the Internet of Things?. Security and Privacy. Attack Surface Areas. Previous . IoT. Research. Is it Getting Any Better?. Protect Yourself. What is the Internet of Things?. Wikipedia definition - the inter-networking of physical devices, vehicles (also referred to as "connected devices" and "smart devices"), buildings, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data..

The Internet of Things:
The Internet of Things:

A survey. Luigi . Atzori. , Antonio . Iera. & Giacomo . Morabito. Computer Networks 2010. Presenter - Bob Kinicki. . . Internet of Things. . Fall 2015. Outline. Introduction.

Week 2 (May 21 – May 28, 2018)
Week 2 (May 21 – May 28, 2018)

Accomplishments:. Read two chapters from the Deep Learning textbook.. Linear Algebra review from the Deep Learning for Natural Language Processing textbook.. Read an article on Abstractive Text Summarization using Sentiment Infusion..

Privacy and cybersecurity
Privacy and cybersecurity

GPD. Purpose of this webinar. To discuss the meaning of privacy in a cyber security and human rights frame. To explore how the notion and realization of privacy . is . changed by the internet. To identify the .

Privacy, Security and Ethics
Privacy, Security and Ethics

9. Learning Objectives. Identify the most significant concerns for effective implementation of computer technology.. Discuss the primary privacy issues of accuracy, property, and access.. Describe the impact of large databases, private networks, the Internet, and the Web on privacy..

SECURING THE INTERNET OF THINGS
SECURING THE INTERNET OF THINGS

Presented by – Aditya Nalge. About the paper. Authors – . Rodrigo . Roman. , Pablo . Najera. , and . Javier . Lopez. NICS Lab. Publications -. https://www.nics.uma.es/publications. FORETHOUGHT. .

SECURITY AND SAFETY OF INTERNET OF THINGS (IoTs)
SECURITY AND SAFETY OF INTERNET OF THINGS (IoTs)

An Investigation on Belkin . WeMos. Purpose. To further . identify security liabilities of IoTs, in particular those of Belkin. . WeMo smart outlets. . Introduction. Internet of Things (IoT): . Network of normal devices embedded .

Security, Internet of Things, DNS and ICANN
Security, Internet of Things, DNS and ICANN

domainfest.asia. . 20 Sep 2016 Hong Kong richard.lamb@icann.org. What’s all this I hear about the Internet of Things?. (A recent visit to CES in Las Vegas). BS or Not BS?. Does it matter?. Where do “WE” fit in?.

State-of-the-Art and Challenges for the Internet of Things Security
State-of-the-Art and Challenges for the Internet of Things Security

Internet-Draft (IRTF-T2TRG). Henrique . Pötter. Draft origins. Based in a draft from 2011. Security Considerations in the IP-based Internet of Things. Draft origins. Based in a draft from 2011. Security Considerations in the IP-based Internet of Things.

118K - views

Security and Privacy for the Internet of Things - Not

Published bymyesha-ticknor

Miranda Mowbray. , HP Labs. miranda.mowbray at hpe.com. My opinions, not my employer‘s. . Still from HP marketing video. . Photo from San . Diegi. Comic-Con 2011 Doug Kline / . popculturegeek.

Tags : flickr www internet https www flickr https internet owasp photos photo security 2015 project http research study web org
Embed :
Presentation Download Link

Download Presentation - The PPT/PDF document "Security and Privacy for the Internet of..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Security and Privacy for the Internet of Things - Not






Presentation on theme: "Security and Privacy for the Internet of Things - Not"— Presentation transcript:

Slide1

Security and Privacy for the Internet of Things - Not

Miranda Mowbray

, HP Labs

miranda.mowbray at hpe.com

My opinions, not my employer‘sSlide2

Still from HP marketing videoSlide3

Photo from San

Diegi

Comic-Con 2011 Doug Kline /

popculturegeek

on Flickr

https://www.flickr.com/photos/popculturegeek/6039791556/Slide4

Internet of Things Research Study

by

Craig

Smith and Daniel

Miessler

HP Security Research (Fortify, not HP Labs)

10 most popular

IoT

devices in different categories:

TV, webcam,

home

thermostat,

remote

power outlet,

sprinkler controller, hub

for controlling multiple devices,

door lock,

home

alarm, scales, garage door opener

Report linked from

http

://go.saas.hp.com/fod/internet-of-thingsSlide5

Photo

Kimubert

/

treevillage

on Flickr,

https://www.flickr.com/photos/treevillage/16019902595/ Slide6

Internet of Things Research Study:

privacy

9 collected at least one piece of personal information via the device, its cloud, or the app

Eg

. name, address, date of birth, health data, even credit card numbersSlide7

How many Pen Testers does it take to change a lightbulb?

Photo of George Yianni Betsy Weber /

betseyweber

on Flickr

https://www.flickr.com/photos/betsyweber/13952214021/Slide8

Internet of Things Research Study:

authentication

8 failed to require passwords of sufficient complexity or length.

Most allowed

eg

. “1234” or “123456”Slide9

Photo

DAVID

HOLT /

zongo

on

Flickr

,https://www.flickr.com/photos/zongo/9392549871/Slide10

Internet of Things Research Study:

encryption

7 had unencrypted communications with Internet or local network.

Half of mobile apps had unencrypted communications.Slide11

Photo Casey

Fiesler

/

cfiesler

on Flickr,

https://www.flickr.com/photos/cfiesler/5798190451/Slide12

Internet of Things Research Study:

Web user interface

6 had user interface security problems

eg

. persistent XSS, poor session management, weak default credentials, credentials transferred in clearSlide13

Detail of image Stephen Edgar/

netweb

on Flickr,

https://

www.flickr.com/photos/netweb/3825893890/Slide14

Internet of Things Research Study:

software updates

6 didn’t used encryption to upload software updates. Some updates could be intercepted and the whole code viewed and changed.Slide15

25Slide16

Photo Intel Free Press /

intelfreepress

on Flickr,

https

://www.flickr.com/photos/intelfreepress/16539020590/Slide17

Smartwatches

2015 report

10 of the top smartwatches in today’s market

Android or iOS mobile device and app

Report linked from

http://go.saas.hp.com/fod/internet-of-thingsSlide18

9 of 10: watch communications trivially intercepted

7

of 10: firmware transmitted without

encryption

Slide19

How Safe are Home Security Systems?

2015 report

10 off-the-shelf home security systems

7 with cloud interface, all with mobile interface

Report linked from

http://go.saas.hp.com/fod/internet-of-thingsSlide20

10 of 10

vulnerable to brute-force password-guessing attack

Other problems too

Slide21

Photo of Ford keyless fob

ckramer

on Flickr

https://www.flickr.com/photos/ckramer/16536075774/Slide22

Keyless car theft

London, 2014: 42% of all vehicle thefts (= 6000)

Verdult

, Garcia &

Ege

, 2013, publ. 2015

https://www.usenix.org/sits/default/files/sec15_supplement.pdf

Metropolitan Police, 2015http://

content.met.police.uk/Article/What-is-keyless-vehicle-theft/1400029057620/

The Mirror, 2015

http

://www.mirror.co.uk/news/uk-news/crime-wave-sweeping-nation-car-5113289Slide23

Disco

Pants

o0mouse0o

aka Russell Couper,

Coupertronicshttp://www.instructables.com/id/Disco-pants/Slide24

Why is

IoT

privacy & security so pants?

New tech

Hooking up old tech

Limited device resources

Not even trying

Image adapted from Fail stamp

Nima

Badiey

/

ncc_badiey

on Flickr,

https://www.flickr.com/photos/ncc_badiey/3095099782

/Slide25

Museum of Things, Berlin, photo

fiona.mcgowan

/

freeeeb

on Flickr

https://www.flickr.com/photos/freeeeb/4486673826/Slide26

Some Suggestions

Don’t fund insecure Things

Open source kit for hooking up offline Things

Security development

processes

Process for responding to

vuln

report

Overrides

Business models

LawyersSlide27

Photo of Secret Pizza Party poster in Detroit CAVE CANEM/

bewareofdog

,

https://www.flickr.com/photos/bewareofdog/284770877/Slide28

Questions?

Miranda Mowbray

, HP Labs

miranda.mowbray at hp.com (hpe.com from 1 Aug 2015)Slide29

Photo Travis

Goodspped

/

travisgoodspeed

on Flickr

https://www.flickr.com/photos/travisgoodspeed/3351125516/

ZigBee SniffingSlide30

ZigBee Exploited

“Tests

with light bulbs and even door locks have shown that the vendors of the tested devices implement the minimum of the features required to be certified, including the default TC fallback

key."

Tobias

Zillner

, Cognosec,

“ZigBee Exploited”, 6 Aug 2015http://cognosec.com/zigbee_exploited_8F_Ca9.pdfSlide31

Physiological data

(not comprehensive)

Blood Pressure

Ihealth, Withings

Movement

Fitbit, Nike Fuel band, Jawbone up band, Garmin,

Samsung, MC10, Zephyr, Withings, Spire, iHealth,

Jins Merne, Proteus, Neumitra, Body Media,

Empatica

, Owlet

Muscle Activity

Athos

Skin Conductance

Basis, Body Media,

Empatica

,

Neumitra

Oxygen Level

iHealth

,

Withings

, Owlet

Posture

Lumo

, Zephyr,

Jins

Merne

Hydration

Corventis

, MC10

Temperature

Tempdrop

,

Empatica

,

BodyMedia

, Basis, Owlet, MC10

Sleep

Fitbit, Rest devices, Garmin, Nike, Amigo,

BodyMedia

,

Withings

, Samsung, Misfit,

Jewborne

,

iHealth

, Basis, Owlet

Brain activity

NeuroSky

, DAQRI,

Emotiv

Glucose

Google,

Dexcom

,

Glysens

Inc

Respiration

Spire, Zephyr, Rest Devices

Ingestion

Proteus

Eye Tracking

Jins

Merne

Heart tracking

Zephyr,

Withings

, Sprouting, Proteus,

iHealth

, Basis,

Cofventis

,

AliveCor

, Samsung, Garmin,

Empatica

, Owlet

Source:

Elenko

, Underwood + Zohar, Nature Biotechnology 33: 456-461, May 2015

http://www.nature.com/nbt/journal/v33/n5/fig_tab/nbt.3222_F1.htmlSlide32

OWASP recommendations: privacy

Only collect data the device needs to function

Try not to collect sensitive data

De-identify or anonymize

Ensure the Thing and its components protect personal information

Only give access to authorized individuals

“Notice and Choice” for end-users if more data is collected than would be expected

Open Web

Appllication

Security Project (slightly edited)

https

://

www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_ProjectSlide33

OWASP recommendations: authentication

Require strong passwords

Granular access control where necessary

Protect credentials

2-factor authentication where practical

Secure password recovery mechanisms

Re-authentication for sensitive features

Password control configuration options

Open Web

Appllication

Security Project (slightly edited)

https

://

www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_ProjectSlide34

OWASP recommendations: transport encryption

Encrypt data when transiting networks

Use SSL/TLS, or other industry standards if these are not available

Don’t use proprietary encryption

Open Web

Appllication

Security Project (slightly edited)

https

://

www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_ProjectSlide35

OWASP recommendations: Web user interface

Change default passwords during initial setup – ideally also default usernames

Robust password recovery mechanisms

Ensure not susceptible to XSS, SQLI, CSRF

Don’t expose credentials in network traffic

Require strong passwords

Lockout account after 3-5 failed logins

Open Web

Appllication

Security Project (slightly edited)

https

://

www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_ProjectSlide36

OWASP recommendations: software/firmware updates

Ensure updates are possible!

Encrypt the update file

Transfer update over encrypted connection

Ensure update file doesn’t expose sensitive info

Verify update before uploading and applying

Secure the update server

Open Web

Appllication

Security Project (slightly edited)

https

://

www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_ProjectSlide37
Slide38

Photo Jim /

albysbrain

on Flickr,

https://

www.flickr.com/photos/albysbrain/5951283280/

/Slide39

Photo of TV--B-Gone

Stefan Bellini on Wikipedia

https://en.wikipedia.org/wiki/TV-B-Gone#/media/File:TV-B-Gone_complete.jpgSlide40

By

Dan

Tentler

(@

Viss

on Flicker), posted on Twitter 27 June 2015, https://twitter.com/Viss/status/614867241922736129/photo/1 Adapted from a comic

by C K Green, http://gunshowcomic.com/513Slide41

Vendor Response: baby monitors

Photo Wade Armstrong/

juniorbird

on Flickr

https://www.flickr.com/photos/juniorbird/8524443211

/Slide42

10 vulnerabilities reported to 7 vendors

Philips N.V. “exemplary” response

No other vendor gave estimated timeline for fixes

Some

vendors did not respond to the reported findings at all. Others

responded with concerns about

the motives behind the research, and were wondering why they should be alerted or why they should respond at all

.”

Mark Stanislaw & Tod Beardsley, Rapid7, Sept 2015, “Hacking

IoT

: A case study on baby monitor exposures and vulnerabilities

https://

www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf