IoT Security
Narudom Roongsiriwong, CISSP
November 8, 2017
WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Embedded System since 2002
● Head of IT Security and Solution Architecture,
Kiatnakin Bank PLC (KKP)
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA), Thailand
Chapter
● Committee Member of Thailand Banking Sector CERT (TB-CERT)
● Consulting Team Member for National e-Payment project
● Contact: narudom@owasp.org
My Journey to IoT Security
Microcontroller and Assembly Language
● 1986 Studied Electrical Engineering, Chulalongkorn
University
● 1987 Worked Part-Time, Controllers Using Zilog Z80
● 1989 Was Apprenticed at Intronics, Using Intel 8048
● 1989 Designed Heat Exchanger Controller as a
Senior Project, Using Intel 8031 (My Favorite 8051)
Network Security
● 1995 Started Working at Information and
Telecommunication Services (ITS) as Business
Development
● Was Assigned to Market a Firewall, “Eagle Raptor”
● Started My Life in Information Security
Embedded System and C/C++
● 2002 Started a Company, Structure and Composites,
Embedded System Design for Bridge and Building
Structure Monitoring
● 2004 First WiFi IP Based Bridge Structure Monitoring
System
● 2004 Became a Special Instructor in Embedded
System Design at Faculty of Engineering, Thammasat
University
● 2006 My Company Went Broke
● 2007 Joined Incotec Automation (Thailand)
● 2009 Joined Chanwanich, Project Implementation on
Smart Card, PLC and Information Security
Information Security Fundamental
What is Security?
● “The quality or state of being secure—to be free
from danger”
● A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
What is Information Security?
● The protection of information and its critical
elements, including systems and hardware that use,
store, and transmit that information
● Necessary tools: policy, awareness, training,
education, technology
Security Concepts
● Core concepts: Confidentiality, Integrity, Availability;
Authentication, Authorization, Accountability
● Design principles: Need to Know, Least Privilege,
Separation of Duties, Defense in Depth, Fail Safe /
Fail Secure, Economy of Mechanisms, Complete
Mediation, Open Design, Least Common Mechanisms,
Psychological Acceptability, Weakest Link, Leveraging
Existing Components
Confidentiality-Integrity-Availability (CIA)
● Confidentiality: to ensure protection against
unauthorized access to or use of confidential
information
● Integrity: to ensure the accuracy and completeness of
information to protect business processes
● Availability: to ensure that information and vital
services are accessible for use when required
Security vs. Usability
(Diagram contrasting security and usability.)
Security vs. Safety (General Usage)
● Security is concerned with malicious humans that
actively search for and exploit weaknesses in a
system.
● Safety is protection against mishaps that are
unintended (such as accidents)
Why Secure IoT Ecosystems
Problems of IoT Security
● The initial design was for a private communication
network, then moved to IP networks and later onto the
Internet
● Firmware updates are hard or nearly impossible
after installation
● Started with basic security; when security flaws were
found, more complex security requirements were
attached later
● Low-security devices from early designs are still out
there and are used in a compatible fall-back mode
Flaw in Design
https://thehackernews.com/2017/08/car-safety-hacking.html
Flaw in Library
https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of-iot-devices/126913/
Rise of Threats Targeting IoT Devices
https://securelist.com/honeypots-and-the-internet-of-things/78751/
Types of IoT Classified by Communication
● Client Type
– Most implementations
– e.g. payment terminal, IP Camera (calls back to server),
Smart Cars
● Server Type
– e.g. IP Camera (built-in web interface)
● Peer-to-Peer or Mesh
Typical IoT Infrastructure
(Diagram.) Components: Control Server, IoT Device, Configuration App and Remote Control App, connected over the private or public Internet. The IoT device calls back to the control server and waits for commands; the Remote Control App performs remote control through the control server; the Configuration App configures the device or updates its firmware.
Typical Attack: Fake Control Server
(Diagram: the same infrastructure, with a Fake Control Server in place of the legitimate control server receiving the device's callback.)
Typical Attack: Attack on Device Open Ports
(Diagram: the same infrastructure; the attack targets ports open on the IoT device.)
Typical Attack: Attack on Server Open Ports
(Diagram: the same infrastructure; the attack targets ports open on the control server.)
Typical Attack: Steal Credential
(Diagram: the same infrastructure; the attack steals credentials.)
Typical Attack: Inject Bad Configuration or Firmware
(Diagram: the same infrastructure, with "Inject Bad Configuration or Firmware" and "Inject Bad Configuration" marked on the communication paths.)
Typical Attack: Sniff Data on Private Network
(Diagram: IoT device on the private network, control server and Remote Control App reached over the public Internet; the attack sniffs data on the private network.)
Other Attack Surface Areas → See OWASP
● Ecosystem
● Device Memory
● Device Physical Interfaces
● Device Web Interface
● Device Firmware
● Device Network Services
● Administrative Interface
● Local Data Storage
● Cloud Web Interface
● Third-party Backend APIs
● Update Mechanism
● Mobile Application
● Vendor Backend APIs
● Ecosystem Communication
● Network Traffic
● Authentication/Authorization
● Privacy
● Hardware (Sensors)
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP Top 10 IoT Vulnerabilities 2014
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption/Integrity Verification
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
Secure IoT Devices That We Use
Mirai Malware
● Malware that turns networked devices running Linux into
remotely controlled "bots" that can be used as part of a
botnet in large-scale network attacks
● Primarily targets online consumer devices such as IP cameras
and home routers using a table of more than 60 common
factory default usernames and passwords, and logs into them
to infect them with the Mirai malware
● First found in August 2016
● Used in DDoS attacks
– 20 September 2016: attack on the Krebs on Security site, which reached 620
Gbit/s, and a 1 Tbit/s attack on French web host OVH
– 21 October 2016: multiple major DDoS attacks on the DNS services of DNS
service provider Dyn
– November 2016: attacks on Liberia's Internet infrastructure
● The source code for Mirai has been published in hacker forums
as open-source
What Can We Learn from Mirai Attacks?
● Do not keep the default password on any default
username
● If possible, do not allow access to the configuration
interface from the Internet side
● If the IoT devices are used only inside the organization,
do not expose them to the public Internet
● If they must be used from the Internet, open
only the necessary ports and use non-default ports
where possible
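One way to turn these four lessons into a repeatable check, as an added example that is not part of the original slides: a small Python audit over a constructed device inventory. The credential table, port numbers and device records are illustrative assumptions, not data from the deck.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample of well-known factory defaults (illustrative only);
# a real audit would load the documented defaults for each product.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("user", "user")}

# Ports that commonly carry a device's configuration interface (telnet, HTTP, HTTPS).
CONFIG_PORTS = {23, 80, 443}

@dataclass
class Device:
    name: str
    username: str
    password: str
    wan_open_ports: set[int] = field(default_factory=set)      # reachable from the Internet
    required_wan_ports: set[int] = field(default_factory=set)  # ports the use case really needs
    internal_only: bool = False                                # used only inside the organization

def audit(device: Device) -> list[str]:
    """Check one device against the four Mirai lessons; an empty list means it passes."""
    findings = []
    # Lesson 1: no default password on any default username.
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use")
    # Lesson 3: internal-only devices must not be reachable from the public Internet.
    if device.internal_only and device.wan_open_ports:
        findings.append("internal-only device exposed to the public Internet")
    # Lesson 2: the configuration interface should not be reachable from the Internet side.
    exposed_config = device.wan_open_ports & CONFIG_PORTS
    if exposed_config:
        findings.append(f"configuration interface reachable from the Internet on ports {sorted(exposed_config)}")
    # Lesson 4: only the ports the use case needs may be open toward the Internet.
    unnecessary = device.wan_open_ports - device.required_wan_ports
    if unnecessary:
        findings.append(f"unnecessary ports open toward the Internet: {sorted(unnecessary)}")
    return findings

def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    return {d.name: audit(d) for d in devices}

# Constructed inventory: a camera that fails several checks, an internal PLC
# that is nevertheless reachable, and a router that follows all four lessons.
SAMPLE_INVENTORY = [
    Device("camera-lobby", "admin", "admin", {80, 554}, {554}),
    Device("plc-line-1", "engineer", "k9#Tq7!vL", {502}, set(), internal_only=True),
    Device("router-branch", "ops", "Xy8$wq2Lm", {8443}, {8443}),
]
```

Calling `audit_inventory(SAMPLE_INVENTORY)` reports three findings for the camera, two for the PLC and none for the router.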