IoT is at the peak of the hype cycle, what is called the 'Peak of Inflated Expectations'. The complexity of the cybersecurity landscape is at an all-time high, with security researchers, vendors and even governments all trying to reach a consensus on making the cyber-world a safer place. In this world of lightning-fast development cycles, it may intuitively feel like security gets left behind. The battle over standards is always a struggle. The unresolved problem of software updates and short vendor support cycles, combined with the lack of effort on security, makes these devices an easy target. Companies not only need to update their technology stack for the evolving security landscape but also their mindset, processes and culture. This talk will shine a light on some of the challenges that today’s executives face in finding and fixing systemic problems in and outside of security through people, tools and understanding.
10. We are drowning in technology. We are not becoming more secure.
11. Many of us are still making the same, old mistakes
− Not realizing we are potential targets
− Treating cybersecurity as an IT problem
− Thinking threats are only external rather than internal or accidental
− Thinking the cloud provider is in charge of data/infra security (oh, and backups!)
− Not using their e-mail infrastructure properly, especially if managed by 3rd parties
We are wasting billions to “defend ourselves” from APTs. Buying Next-Gen appliances. Following predictions and hypes.
Don't be scared to go back to basics with your cybersecurity strategy.
12. So? What’s wrong in IoT?
− PERVASIVENESS: You won’t have one IoT device, you’ll have ten.
  − That’s a lot of new attack surface for your life and/or business
− UNIQUENESS: IoT devices are a wild west of mixed technologies.
  − How do I patch firmware on these dozen devices?
  − Which random vendor made the HW inside the device?
13. So? What’s wrong in IoT?
− ECOSYSTEM: Your vendor may be leveraging six other vendors
  − Where’s your data going once it enters that IoT device?
  − Who has access to your network via proxy connections?
18. TOP 4 IoT Security Risks
− Insufficient security training
  − Humans are the #1 weak point: building, deploying, using
− Weak physical security
  − Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access
− Infrequent updates
  − Firmware, device apps, admin apps/interfaces
  − Expensive and/or remote IoT devices have long lifespans (difficult to update)
19. TOP 4 IoT Security Risks
− Weak data protection
  − Data at rest/in transit uses weak encryption techniques
  − Lack of dedicated security chips and modules to store sensitive data.
20. End-user risks
− Privacy
− PII leakage
− Mass surveillance
− Stalking
− Theft
− Data breaches
− Liability
− Reputation
− Botnets, e.g. Mirai, for mass hacking
22. I am safe, I changed all my passwords
− Vulnerabilities bypassing password protection:
  − Memory corruption issues (buffer overflow, format string, etc.)
  − CSRF
  − Backdoor accounts
  − Lack of brute-force protection
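Of the four bypasses listed, the missing brute-force protection is the one a device firmware or admin interface can fix locally, so a changed password actually buys something. The following Go code is an added example written for this page, not code from the deck or from any vendor: a per-account throttler that locks an account once a threshold of failed attempts is reached, doubles the lock on each repeat (capped), and clears the history on a successful login. The threshold, durations, type names and the injectable clock are assumptions.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Throttler tracks failed login attempts per account and applies an
// exponential lockout once a threshold is crossed. Constructed example;
// the numbers used below are assumptions, not a vendor's defaults.
type Throttler struct {
	mu        sync.Mutex
	threshold int           // failures before the first lockout
	base      time.Duration // first lockout length; doubles on each repeat
	maxLock   time.Duration // upper bound on a single lockout
	state     map[string]*entry
	now       func() time.Time // clock hook, replaceable in tests
}

type entry struct {
	failures    int       // failures since the last lockout (or since creation)
	lockouts    int       // how many lockouts this account has had
	lockedUntil time.Time // zero value means "not locked"
}

func NewThrottler(threshold int, base, maxLock time.Duration) *Throttler {
	return &Throttler{threshold: threshold, base: base, maxLock: maxLock,
		state: map[string]*entry{}, now: time.Now}
}

// Allow reports whether a login attempt for account may proceed right now
// and, if not, how long the caller must wait.
func (t *Throttler) Allow(account string) (bool, time.Duration) {
	t.mu.Lock()
	defer t.mu.Unlock()
	e, ok := t.state[account]
	if !ok {
		return true, 0
	}
	if wait := e.lockedUntil.Sub(t.now()); wait > 0 {
		return false, wait
	}
	return true, 0
}

// RecordFailure counts a failed attempt; on reaching the threshold the
// account is locked for base * 2^lockouts (capped at maxLock) and the
// failure counter starts over for the next window.
func (t *Throttler) RecordFailure(account string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	e, ok := t.state[account]
	if !ok {
		e = &entry{}
		t.state[account] = e
	}
	e.failures++
	if e.failures >= t.threshold {
		d := t.base << uint(e.lockouts)
		if d > t.maxLock || d <= 0 { // d <= 0 guards against shift overflow
			d = t.maxLock
		}
		e.lockedUntil = t.now().Add(d)
		e.lockouts++
		e.failures = 0
	}
}

// RecordSuccess clears the account's history after a successful login.
func (t *Throttler) RecordSuccess(account string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.state, account)
}

func main() {
	th := NewThrottler(5, 30*time.Second, time.Hour)
	for i := 0; i < 5; i++ {
		th.RecordFailure("admin") // constructed: five wrong passwords in a row
	}
	ok, wait := th.Allow("admin")
	fmt.Printf("allowed=%v wait=%v\n", ok, wait.Round(time.Second))
}
```

In a real admin interface the same structure is usually keyed twice, once per account and once per source address, and every lockout is logged, because a burst of lockouts across many accounts is itself the detection signal for a credential-stuffing run.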
23. I am safe, I regularly patch all of my IoT devices
− Patches are often late by years
− Many IoT devices do not get a patch, ever
24. Problems with direct IPv4(/v6) connection
− If your IoT device has an Internet-routable IPv4(/v6) address, without any firewall port filtering:
  − Just prepare for the apocalypse
  − Seriously, don’t do that
− CCTV is OCTV today
27. I am safe, home network, behind NAT
− NAT is sneaky evil
− Users believe they are safe behind home router NAT
− Developers created ways to connect devices behind NAT, seamlessly
28. I am safe, home network, behind NAT
Think again:
− UPnP
− IPv6
− Teredo (encapsulates IPv6 packets within UDP/IPv4 datagrams)
− Cloud
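Teredo is the item on this list that most often surprises people: a host that believes itself unreachable behind NAT can be handed a globally routable IPv6 address whose bits literally encode its NAT mapping. The following Go code is an added example, not part of the deck: it decodes a Teredo address (RFC 4380) into the server that brokered the tunnel and the client's external IPv4 address and UDP port, so a defender reviewing logs or a firewall allow-list can recognize tunnelled hosts for what they are. Type and function names are assumptions; the sample address is the example given in RFC 4380.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// TeredoInfo is what a Teredo address reveals about a "NATed" host: the
// Teredo server that set up the tunnel, and the client's external IPv4
// address and UDP port as mapped by its NAT.
type TeredoInfo struct {
	Server       netip.Addr
	ConeNAT      bool
	ExternalIP   netip.Addr
	ExternalPort uint16
}

// DecodeTeredo parses an IPv6 address under the Teredo prefix 2001:0000::/32.
// Layout (RFC 4380 section 4): 32-bit prefix | 32-bit server IPv4 |
// 16-bit flags | 16-bit obfuscated port | 32-bit obfuscated client IPv4,
// where "obfuscated" means XORed with all-ones so NATs do not rewrite it.
func DecodeTeredo(s string) (TeredoInfo, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return TeredoInfo{}, err
	}
	if !addr.Is6() || addr.Is4In6() {
		return TeredoInfo{}, fmt.Errorf("%s is not an IPv6 address", s)
	}
	b := addr.As16()
	if b[0] != 0x20 || b[1] != 0x01 || b[2] != 0 || b[3] != 0 {
		return TeredoInfo{}, fmt.Errorf("%s is not under the Teredo prefix 2001:0000::/32", s)
	}
	server := netip.AddrFrom4([4]byte{b[4], b[5], b[6], b[7]})
	flags := binary.BigEndian.Uint16(b[8:10])
	port := binary.BigEndian.Uint16(b[10:12]) ^ 0xFFFF
	client := binary.BigEndian.Uint32(b[12:16]) ^ 0xFFFFFFFF
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], client)
	return TeredoInfo{
		Server:       server,
		ConeNAT:      flags&0x8000 != 0, // the cone flag is the top bit
		ExternalIP:   netip.AddrFrom4(cb),
		ExternalPort: port,
	}, nil
}

func main() {
	// Sample address taken from RFC 4380; not captured from a real network.
	info, err := DecodeTeredo("2001:0000:4136:e378:8000:63bf:3fff:fdd2")
	if err != nil {
		panic(err)
	}
	fmt.Printf("server=%s cone=%v external=%s:%d\n",
		info.Server, info.ConeNAT, info.ExternalIP, info.ExternalPort)
}
```

The practical use is on the defending side: any 2001:0000::/32 source in a log means the host's NAT mapping is already public, and the decoded external IP and port tell you exactly which mapping to look for in the router's state table.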
32. Many of us don’t have IR capabilities. They all immediately PANIC!
Organizations are still getting breached due to poor key/credentials management, unpatched applications and misconfigured services (e.g. cloud databases).
33. Reporting vulnerabilities
− It’s very hard to report vulnerabilities
− Often vendors do not have a Coordinated Vulnerability Disclosure (CVD) policy
− FTC and/or ENISA recommendations for customers’ safety are not always followed
− Only a few of the EU member states have a CVD framework in place at national level
− CEPS’ report on «Software Vulnerability Disclosure in Europe» aims at helping member states with the technology, policy and legal challenges ahead.
40. Core to the future and success of IoT is the “security of things”:
− Device Identity
− Anti-tampering
− Key Management
− Encrypted Transport and Data Confidentiality
42. Hardware Security
ATECC508A/ATECC608A Cryptographic Co-Processor from Microchip Technology
What do we use it for?
– Secure hardware-based key storage: up to 16 keys, certificates or data
– Hardware support for asymmetric sign, verify and key agreement: ECDSA, ECDH, NIST P-256 elliptic curve support
– Internal high-quality FIPS random number generator (RNG)
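To make the sign/verify item concrete, here is an added Go example (not Arduino, Microchip or ArduinoECCX08 code): a SecureElement type models the key-slot property that the P-256 private key never leaves the device, exposing only the public key and a Sign operation; Sign returns the 64-byte raw r||s encoding that the ATECC family returns for P-256 (and that ES256 JSON Web Tokens carry), and Verify on the receiving side needs only the public key. Type and function names and the sample payload are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// SecureElement stands in for one key slot on a crypto co-processor: the
// private key is held inside and only the public key and signatures ever
// come out. Constructed example; a real ATECC keeps the key in silicon.
type SecureElement struct {
	priv *ecdsa.PrivateKey
}

// NewSecureElement generates a P-256 key, the equivalent of provisioning
// a slot with the chip's own RNG.
func NewSecureElement() (*SecureElement, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{priv: k}, nil
}

// PublicKey is the only key material that leaves the element.
func (se *SecureElement) PublicKey() *ecdsa.PublicKey { return &se.priv.PublicKey }

// Sign hashes msg with SHA-256 and returns the raw 64-byte r||s signature
// (each value left-padded to 32 bytes), not DER.
func (se *SecureElement) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	r, s, err := ecdsa.Sign(rand.Reader, se.priv, h[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return sig, nil
}

// Verify checks a raw r||s signature over msg using only the public key,
// which is what the cloud side (or a JWT verifier) holds.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	if len(sig) != 64 {
		return false
	}
	h := sha256.Sum256(msg)
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, h[:], r, s)
}

func main() {
	se, err := NewSecureElement()
	if err != nil {
		panic(err)
	}
	msg := []byte(`{"sensor":"t1","temp":21.5}`) // constructed sample payload
	sig, err := se.Sign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature (r||s):", hex.EncodeToString(sig))
	fmt.Println("verifies:", Verify(se.PublicKey(), msg, sig))
	fmt.Println("tampered verifies:", Verify(se.PublicKey(), []byte(`{"sensor":"t1","temp":99}`), sig))
}
```

The point of the split is the interface: application code never sees `priv`, so a compromise of the firmware that calls Sign yields signatures for the attacker's lifetime on the device, but never the key itself, which is exactly the property the deck lists as hardware-based key storage.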
43. Data encryption and secure authentication
– All traffic to/from Arduino IoT Cloud is encrypted using Transport Layer Security (TLS)
– Device authentication using X.509 certificates
– Initial support for JSON Web Tokens (ECDSA P-256 SHA-256) in the ArduinoECCX08 library
– AES-128 (for LoRaWAN™) and AES-CMAC for message exchange, covering both encryption and integrity.
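The AES-CMAC item is the one piece here a practitioner can check against a published reference: RFC 4493 defines the construction and supplies test vectors. The following Go code is an added example written for this page, not Arduino or LoRaWAN library code: a stand-alone AES-CMAC per RFC 4493 (subkey derivation by doubling in GF(2^128), 10* padding of a short final block, CBC-style chaining) plus a constant-time VerifyCMAC. The key used in main is the RFC 4493 test key; the message there is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// doubleKey performs the GF(2^128) doubling used to derive the CMAC
// subkeys: shift left one bit and, if the bit that fell off was set,
// XOR the constant Rb = 0x87 into the last byte.
func doubleKey(in []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[blockSize-1] ^= 0x87
	}
	return out
}

func xor(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// AESCMAC returns the 16-byte AES-CMAC tag (RFC 4493) of msg under key.
func AESCMAC(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// L = AES_K(0^128); K1 is used when the last block is complete,
	// K2 when it had to be padded.
	l := make([]byte, blockSize)
	c.Encrypt(l, l)
	k1 := doubleKey(l)
	k2 := doubleKey(k1)

	n := (len(msg) + blockSize - 1) / blockSize
	complete := n > 0 && len(msg)%blockSize == 0
	if n == 0 { // empty message is treated as one padded block
		n = 1
	}
	last := make([]byte, blockSize)
	if complete {
		copy(last, msg[(n-1)*blockSize:])
		xor(last, k1)
	} else {
		tail := msg[(n-1)*blockSize:]
		copy(last, tail)
		last[len(tail)] = 0x80 // 10* padding: one 1-bit, then zeros
		xor(last, k2)
	}

	// CBC-MAC over all but the last block, then the masked last block.
	x := make([]byte, blockSize)
	for i := 0; i < n-1; i++ {
		xor(x, msg[i*blockSize:(i+1)*blockSize])
		c.Encrypt(x, x)
	}
	xor(x, last)
	c.Encrypt(x, x)
	return x, nil
}

// VerifyCMAC recomputes the tag and compares it in constant time, so a
// receiver does not leak how many tag bytes an attacker got right.
func VerifyCMAC(key, msg, tag []byte) bool {
	want, err := AESCMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// RFC 4493 test key; the message is a constructed sample uplink.
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	msg := []byte("uplink:temp=21.5")
	tag, err := AESCMAC(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tag=%x verifies=%v\n", tag, VerifyCMAC(key, msg, tag))
}
```

Two things the slide's wording glosses over are visible in the code: CMAC gives integrity only, which is why the deck pairs it with AES-128 encryption rather than relying on it alone, and the verification must be constant-time, since a byte-by-byte comparison turns a 16-byte tag into sixteen independent guesses.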