The Internet of Things (IoT) covers the everyday household and handheld devices that are given an IP address and transmit data in order to make our surroundings more convenient, efficient and connected.
This slide deck covers a description of IoT, the OWASP Internet of Things Top 10 (2014) and its recommendations.
4. Ubiquitous
Gartner: “IoT Installed Base Will Grow to 26 Billion Units By 2020.” That number might be too low.
• Every Auto
• Every Mobile
• Every Door
• Every Room
Every sensor in any device could be in a bracelet, in every home, office, building or hospital room ... in every city and village ... on Earth ...
6. IoT devices which could be vulnerable
• Thermostat: controls home/office temperature; assigned an IP address
7. IoT devices which could be vulnerable
• Watches and fitness monitors: expose personal health data
8. IoT devices which could be vulnerable
• Smart cars
• Wireless pacemakers and other implanted devices for monitoring health
• Biometrics
9. All elements need to be considered
• The Internet of Things device
• The cloud
• The mobile application
• The network interfaces
• The software
• Use of encryption
• Use of authentication
• Physical security
• USB ports
10. OWASP Internet of Things Top 10 (2014)
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
14. Checklist: Insufficient Authentication/Authorization
• Lack of Password Complexity
• Poorly Protected Credentials
• Lack of Two Factor Authentication
• Insecure Password Recovery
• Privilege Escalation
• Lack of Role Based Access Control
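The three items on this checklist that are cheapest to get right in a device's web/admin interface are password complexity, credential storage and role-based access control. The following is an added example (not code from the slides or from any vendor) of how a device backend can implement them with the Python standard library; the policy thresholds, the role table and the action names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

# Assumed policy: 12+ characters, at least 3 character classes, not a known default.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345678", "root", "default"}


def password_complexity_errors(pw: str) -> list:
    """Return the policy violations for a candidate password (empty list = OK)."""
    errors = []
    if len(pw) < 12:
        errors.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        errors.append("fewer than 3 character classes")
    if pw.lower() in KNOWN_DEFAULTS:
        errors.append("well-known default password")
    return errors


def hash_password(pw: str, salt: bytes = None) -> str:
    """Store credentials as salted scrypt hashes, never plaintext, base64 or
    unsalted MD5/SHA-1 (the usual 'Poorly Protected Credentials' finding)."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex),
                         n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# Assumed role table for a thermostat-style device.
ROLE_PERMISSIONS = {
    "viewer": {"read_status"},
    "operator": {"read_status", "set_temperature"},
    "admin": {"read_status", "set_temperature", "update_firmware", "manage_users"},
}


def authorize(session_role: str, action: str) -> bool:
    """Server-side RBAC check. The role must come from the authenticated
    session, never from a request parameter or cookie the client can edit;
    trusting a client-supplied role is the classic privilege-escalation bug."""
    return action in ROLE_PERMISSIONS.get(session_role, set())


if __name__ == "__main__":
    stored = hash_password("Correct-Horse-42-battery")
    print(password_complexity_errors("admin"))
    print(verify_password("Correct-Horse-42-battery", stored))
    print(authorize("viewer", "update_firmware"))
```

Two-factor authentication and password recovery are not shown; the point of the example is that an unknown role or an unknown action is denied by default, and that the stored record never contains anything from which the password can be recovered without a brute-force search.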
16. Checklist: Insecure Network Services
• Vulnerable Services
• Buffer Overflow
• Open Ports via UPnP
• Exploitable UDP Services
• Denial-of-Service
• DoS via Network Device Fuzzing
*UPnP: Universal Plug and Play (UPnP) is a set of networking protocols that lets networked devices such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices discover each other on the network and establish functional network services for data sharing. The security-relevant point is that UPnP has no authentication: on a typical home gateway any host on the LAN can ask the Internet Gateway Device (IGD) service to open a port mapping, which is how "Open Ports via UPnP" arises.
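Auditing the "Open Ports via UPnP" item starts with the SSDP discovery step that UPnP itself uses: a multicast M-SEARCH to 239.255.255.250:1900, to which every UPnP device answers with the URL of its description document and a SERVER banner. The following is an added example (not code from the slides) of that probe and a parser for the replies; the sample reply is constructed for the demo, not captured from a real device, and the 49152 port and rootDesc.xml path in it are illustrative.

```python
import re
import socket

SSDP_ADDR = ("239.255.255.250", 1900)


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """M-SEARCH request as defined by the UPnP Device Architecture.
    ST ssdp:all asks every device on the segment to answer for all services."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "", "",
    ]
    return "\r\n".join(lines).encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse the HTTP-like 'HTTP/1.1 200 OK' reply into a lowercase header dict."""
    text = raw.decode(errors="replace")
    status, _, rest = text.partition("\r\n")
    headers = {"_status": status}
    for line in rest.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def summarize(resp: dict) -> dict:
    """Pull out what a tester cares about: the description URL (which reveals
    the device's HTTP port and path), the SERVER banner (OS and UPnP stack
    versions) and the advertised service type."""
    loc = resp.get("location", "")
    m = re.match(r"https?://([^/:]+)(?::(\d+))?(/.*)?", loc)
    return {
        "host": m.group(1) if m else None,
        "port": int(m.group(2)) if m and m.group(2) else (80 if m else None),
        "path": m.group(3) if m else None,
        "server": resp.get("server"),
        "st": resp.get("st"),
        "usn": resp.get("usn"),
    }


def discover(timeout: float = 3.0) -> list:
    """Send the probe on the local segment and collect replies.
    Needs a network; not exercised by the offline demo below."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    s.settimeout(timeout)
    s.sendto(build_msearch(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, addr = s.recvfrom(65507)
            found.append((addr[0], summarize(parse_ssdp_response(data))))
    except socket.timeout:
        pass
    finally:
        s.close()
    return found


# Constructed sample reply in the format home gateways typically send.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.10 UPnP/1.0 MiniUPnPd/1.9\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(summarize(parse_ssdp_response(SAMPLE_REPLY)))
```

A WANIPConnection service answering from the LAN side is the one that accepts AddPortMapping; if it answers, the next check is whether it also answers on the WAN interface and whether it accepts mappings for hosts other than the requester. The SERVER banner is worth recording because it names the UPnP stack and version that any later vulnerability search will key on.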
18. Checklist: Lack of Transport Encryption
• Unencrypted Services via the Internet
• Unencrypted Services via the Local Network
• Poorly Implemented SSL/TLS
• Misconfigured SSL/TLS
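"Poorly implemented" and "misconfigured" SSL/TLS in IoT usually means the companion app or hub turned certificate verification off to make a self-signed device certificate work, or left legacy protocol versions enabled. The following is an added example (not code from the slides) showing that pattern next to a hardened client configuration and a small audit function a code reviewer can apply to either; the probe_endpoint helper is an assumption added for live testing and is not needed for the offline check.

```python
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate accepted, no hostname check, TLS 1.0 allowed.
    A device with this configuration is trivially man-in-the-middled on a hostile Wi-Fi."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the peer against the system CA store, check the hostname,
    and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the misconfigurations a review of a device or app should flag."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live service with the hardened context and report what was
    negotiated. A handshake failure here means the device presents a certificate
    that does not chain to a trusted CA or does not match its name. Needs network."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": tls.getpeercert().get("subject"),
            }


if __name__ == "__main__":
    print(audit_context(insecure_client_context()))
    print(audit_context(hardened_client_context()))
```

For a device whose certificate is self-signed by design, the correct fix is not CERT_NONE but certificate pinning: load the device's certificate with `ctx.load_verify_locations()` and keep `CERT_REQUIRED`, so the app still rejects any other certificate.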
28. Checklist: Insecure Software/Firmware
• Encryption Not Used to Fetch Updates
• Update File not Encrypted
• Update Not Verified before Upload
• Firmware Contains Sensitive Information
• No Obvious Update Functionality
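The update check that matters most on this list is "Update Not Verified": a device should authenticate the update manifest, check the image hash against it and refuse older versions before writing anything to flash. The following is an added example (not code from the slides or any vendor) of that verification path, plus the quick scan a tester runs on a dumped image for the "Firmware Contains Sensitive Information" item. Caveat on the crypto: the manifest is authenticated with HMAC-SHA256 only because the Python standard library has no asymmetric signature primitive; a real device must verify an asymmetric signature (for example Ed25519 or RSA-PSS) with a vendor public key, so that a key extracted from one unit cannot sign updates for the fleet. The key, model name, manifest format and firmware images below are all constructed for the demo.

```python
import hashlib
import hmac
import json
import re

# Constructed demo key; in production this would be a vendor PUBLIC key and an
# asymmetric signature check (see caveat in the text above).
DEVICE_VERIFY_KEY = b"constructed-demo-key-not-for-production"
DEVICE_MODEL = "thermo-x1"  # assumed model identifier burned into the device

# Patterns a tester greps a dumped image for (strings/binwalk workflow).
SECRET_PATTERNS = [
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----",
    rb"(?i)password\s*=\s*\S+",
    rb"AKIA[0-9A-Z]{16}",           # AWS access key id shape
]


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = DEVICE_VERIFY_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def make_manifest(image: bytes, version: int, model: str = DEVICE_MODEL) -> dict:
    return {"model": model, "version": version,
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_update(image: bytes, manifest: dict, tag: str,
                  installed_version: int, key: bytes = DEVICE_VERIFY_KEY) -> list:
    """Return the reasons the update must be rejected; an empty list means apply."""
    # 1. Authenticity first: nothing in the manifest is trusted until the tag checks out.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest signature invalid"]
    problems = []
    # 2. Integrity: the downloaded image must match the hash the signed manifest names.
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        problems.append("image hash does not match manifest")
    # 3. Anti-rollback: never install an equal or older (possibly vulnerable) build.
    if manifest.get("version", 0) <= installed_version:
        problems.append("version is not newer than installed (rollback)")
    # 4. Right target: a signed image for another model is still wrong here.
    if manifest.get("model") != DEVICE_MODEL:
        problems.append("manifest is for a different device model")
    return problems


def find_embedded_secrets(image: bytes) -> list:
    """Report credential- or key-looking strings baked into the image."""
    hits = []
    for pat in SECRET_PATTERNS:
        for m in re.finditer(pat, image):
            hits.append(m.group(0).decode(errors="replace"))
    return hits


# Constructed firmware blobs for the demo (not real vendor images).
GOOD_IMAGE = b"\x7fELF" + b"\x00" * 64 + b"version=2.1\n"
LEAKY_IMAGE = GOOD_IMAGE + b"admin_password=letmein\n-----BEGIN RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    manifest = make_manifest(GOOD_IMAGE, version=2)
    tag = sign_manifest(manifest)
    print(verify_update(GOOD_IMAGE, manifest, tag, installed_version=1))
    print(find_embedded_secrets(LEAKY_IMAGE))
```

The order of the checks is deliberate: the signature is verified before any field of the manifest is read, and the image hash is compared against the signed manifest rather than against a hash served next to the download, which an attacker who controls the download server could replace together with the image. Transport protection of the download itself is a separate control and belongs to the transport-encryption checklist.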
The Internet of Things (IoT, sometimes Internet of Everything) is the network of physical objects or "things" embedded[1] with electronics, software, sensors[2] and connectivity, enabling them to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure. Experts estimate that the IoT will consist of almost 50 billion objects by 2020.[3]
The term “Internet of Things” was first documented by the British technology pioneer Kevin Ashton in 1999.[4] IoT is expected to offer advanced connectivity of devices, systems and services that goes beyond machine-to-machine communication (M2M) and covers a variety of protocols, domains and applications.[5] The interconnection of these embedded devices (including smart objects) is expected to bring automation to nearly all fields, while also enabling advanced applications such as the Smart Grid.[6]
Things, in the IoT, can refer to a wide variety of devices such as heart-monitoring implants, biochip transponders on farm animals, electric clams in coastal waters,[7] automobiles with built-in sensors, or field operation devices that assist fire-fighters in search and rescue.[8] These devices collect useful data with the help of various existing technologies and then autonomously pass that data on to other devices.[9] Current market examples include smart thermostat systems and washer/dryers that use Wi-Fi for remote monitoring.
A thing, in the Internet of Things, can be a person with a heart-monitor implant, a farm animal with a biochip transponder, an automobile with built-in sensors that alert the driver when tire pressure is low, or any other natural or man-made object that can be assigned an IP address and given the ability to transfer data over a network. So far, the Internet of Things has been most closely associated with machine-to-machine (M2M) communication in manufacturing and in the power, oil and gas utilities. Products built with M2M communication capabilities are often referred to as being smart.
Every one of those sensor and control points generates data, and often it is very informative and very private data. Systems are needed to let those devices talk to each other, manage all that data and enforce proper access control.
The carefully regulated climate in your office can conceal the fact that, to criminals, your data is hot. Remotely programmable thermostats are just as vulnerable to attack as anything else, particularly if you use a third-party contractor to manage the office HVAC system (as in Target's 2013 breach, where the attackers got in with network credentials stolen from the HVAC contractor). But even if it is a company-managed remote thermostat, it is not smart to leave the temperature setting to just anyone, least of all an attacker.
Take a look at your co-workers' wrists and it is likely that one of them is wearing a smart watch or a fitness monitor, such as a Fitbit or Garmin Vivofit. And while your co-workers are being reminded to walk around the office to stay in shape, the devices themselves, particularly if they sync to the Internet via a device on your network or over your company's Wi-Fi, are making your security strategy flabby: they bring personal health data and an unmanaged radio onto the corporate network.
Smart cars: the attack surface includes Bluetooth, the ignition system and the air-conditioning controls.
Biometrics: an attacker who compromises the system can steal the stored biometric identities, and can also enrol his or her own biometric data to gain access.
Implanted devices: http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/