IoT Security by Sanjay Kumar
IoT (Internet of Things) Security
Sanjay Kumar, Information Security Specialist
sanjay1519841 [at] gmail [dot] com
NULL/OWASP Delhi meet on 20th June 2015
Agenda
• What is IoT (Internet of Things)?
• Threat Agents & Attack Vectors
• Security Weaknesses
• Technical Impacts
• Business Impacts
• OWASP Top 10 2014 for IoT
Introduction
The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.
Ubiquitous
Gartner: "IoT Installed Base Will Grow to 26 Billion Units By 2020." That number might be too low.
• Every Auto
• Every Mobile
• Every Door
• Every Room
Every sensor in any device, could be in a bracelet, in every home, office, building or hospital room ... in every city and village ... on Earth ...
IoT devices which could be vulnerable
• Thermostat: controls home/office temperature; assigned an IP address
IoT devices which could be vulnerable
• Watches and fitness monitors: expose personal health data
IoT devices which could be vulnerable
• Smart Cars
• Wireless Pacemakers & other implanted devices for monitoring health
• Biometrics
All elements need to be considered
• The Internet of Things Device
• The Cloud
• The Mobile Application
• The Network Interfaces
• The Software
• Use of Encryption
• Use of Authentication
• Physical Security
• USB ports
OWASP IoT Top 10 (2014)
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
1- Insecure Web Interface
Checklist for Insecure Web Interface
• Account Enumeration
• Weak Default Credentials
• Credentials Exposed in Network Traffic
• Cross-site Scripting (XSS)
• SQL Injection
• Session Management
• Account Lockout
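The checklist is easiest to read against a concrete login handler. The Python below is an added example written for this page, not code from the deck or from OWASP: `vulnerable_login` builds its SQL by string formatting, answers differently for unknown users and wrong passwords, and never locks anyone out, while `HardenedAuth` fixes each of those points. The account names, the factory-default list and the lockout threshold are constructed for the example. The same enumeration and lockout items recur in the cloud and mobile interface checklists later in the deck, and the same fixes apply there.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for an imaginary device web UI. "admin"/"admin"
# is the factory default that the checklist flags as a weak default credential.
SAMPLE_ACCOUNTS = [("admin", "admin"), ("alice", "correct horse battery staple")]
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
LOCKOUT_THRESHOLD = 5          # failed attempts per account name before lockout
PBKDF2_ROUNDS = 100_000


def vulnerable_db() -> sqlite3.Connection:
    """Plaintext passwords, as many device firmwares still store them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> str:
    """Three checklist failures in one handler: SQL built by string formatting
    (injection), distinct error messages (account enumeration), no lockout."""
    row = conn.execute(
        f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    ).fetchone()
    if row is not None:
        return "ok"
    exists = conn.execute(f"SELECT 1 FROM users WHERE name = '{name}'").fetchone()
    return "wrong password" if exists else "unknown user"   # leaks which names exist


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class HardenedAuth:
    """Parameterised SQL, salted PBKDF2 hashes, one error message for every
    failure, per-account lockout, and a forced change of default credentials."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
        for name, pw in SAMPLE_ACCOUNTS:
            salt = os.urandom(16)
            self.conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _pbkdf2(pw, salt)))
        self.failures: dict = {}
        # Dummy credential so unknown names cost the same hash work as real ones
        # (keeps response timing from revealing whether the account exists).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _pbkdf2("", self._dummy_salt)

    def login(self, name: str, password: str) -> str:
        if self.failures.get(name, 0) >= LOCKOUT_THRESHOLD:
            return "locked"            # applied to any name, so it cannot be used to enumerate
        row = self.conn.execute(
            "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
        ).fetchone()
        salt, expected = row if row is not None else (self._dummy_salt, self._dummy_hash)
        matched = hmac.compare_digest(_pbkdf2(password, salt), expected) and row is not None
        if not matched:
            self.failures[name] = self.failures.get(name, 0) + 1
            return "invalid credentials"   # same message for bad name and bad password
        self.failures.pop(name, None)
        if (name, password) in KNOWN_DEFAULTS:
            return "password change required"
        return "ok"
```

Try `vulnerable_login(vulnerable_db(), "admin", "' OR '1'='1")`: the concatenated query becomes `... AND password = '' OR '1'='1'` and returns the first row. Against `HardenedAuth` the same string is just a wrong password, and the only thing the caller learns is that the attempt failed. The two remaining items, credentials exposed in network traffic and session management, are transport and cookie concerns that belong with checklist 4.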
2- Insufficient Authentication/Authorization
Checklist
• Lack of Password Complexity
• Poorly Protected Credentials
• Lack of Two Factor Authentication
• Insecure Password Recovery
• Privilege Escalation
• Lack of Role Based Access Control
3- Insecure Network Services
Checklist
• Vulnerable Services
• Buffer Overflow
• Open Ports via UPnP
• Exploitable UDP Services
• Denial-of-Service
• DoS via Network Device Fuzzing
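"DoS via Network Device Fuzzing" is the cheapest way to find the other items on this list. The Python below is an added example, not code from the deck: a toy UDP control protocol (constructed for the example), a parser that trusts the packet the way much device firmware does, a hardened parser, and a small mutation fuzzer that runs both. Python cannot overflow a buffer, so the crash here is an unhandled exception, which has the same effect on a single-threaded device daemon: the service stops.

```python
import random
import struct

# Toy UDP control protocol for a thermostat (constructed for this example):
#   byte 0: message type (1 = set temperature, 2 = set device name)
#   byte 1: payload length
#   bytes 2..: payload (type 1: big-endian signed 16-bit tenths of a degree;
#              type 2: UTF-8 name)
SEED_PACKETS = [b"\x01\x02\x00\xdc", b"\x02\x05hello"]
MAX_PAYLOAD = 64
MAX_NAME_CHARS = 32


def parse_vulnerable(pkt: bytes) -> dict:
    """Trusts every field. Any exception below escapes the UDP loop and kills
    the service: a remote denial of service with a single datagram."""
    msg_type = pkt[0]                      # IndexError on an empty datagram
    length = pkt[1]                        # IndexError on a 1-byte datagram
    payload = pkt[2:2 + length]            # silently shorter than `length` if truncated
    if msg_type == 1:
        return {"type": "set_temp", "value": struct.unpack(">h", payload)[0]}  # struct.error
    if msg_type == 2:
        return {"type": "set_name", "value": payload.decode("utf-8")}         # UnicodeDecodeError
    raise ValueError(f"unknown message type {msg_type}")


def parse_hardened(pkt: bytes):
    """Validates lengths and encodings before use; returns None for anything
    malformed instead of raising, so a bad packet is dropped, not fatal."""
    if len(pkt) < 2:
        return None
    msg_type, length = pkt[0], pkt[1]
    if length > MAX_PAYLOAD or len(pkt) != 2 + length:
        return None
    payload = pkt[2:]
    if msg_type == 1:
        if length != 2:
            return None
        return {"type": "set_temp", "value": struct.unpack(">h", payload)[0]}
    if msg_type == 2:
        try:
            name = payload.decode("utf-8")
        except UnicodeDecodeError:
            return None
        if not name or len(name) > MAX_NAME_CHARS:
            return None
        return {"type": "set_name", "value": name}
    return None


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, truncation, length-field corruption, or junk append."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1:
        del data[rng.randrange(len(data) + 1):]
    elif op == 2 and len(data) > 1:
        data[1] = rng.randrange(256)
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(data)


def fuzz(parser, seeds=SEED_PACKETS, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated packets to `parser`; return {exception name: first packet that caused it}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        pkt = mutate(rng.choice(seeds), rng)
        try:
            parser(pkt)
        except Exception as exc:           # a real device daemon would have died here
            crashes.setdefault(type(exc).__name__, pkt)
    return crashes


def crashes_on(parser, pkt: bytes) -> bool:
    """True if the parser raises on this single packet."""
    try:
        parser(pkt)
    except Exception:
        return True
    return False
```

`fuzz(parse_vulnerable)` returns the exception types hit, each keyed to the first packet that caused it, which is the starting point for a reproducer; `fuzz(parse_hardened)` returns an empty dict. Against C firmware the same harness is pointed at the parser built with AddressSanitizer, where a truncated packet handled like `parse_vulnerable` shows up as an out-of-bounds read rather than an `IndexError`.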
4- Lack of Transport Encryption
Checklist
• Unencrypted Services via the Internet
• Unencrypted Services via the Local Network
• Poorly Implemented SSL/TLS
• Misconfigured SSL/TLS
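"Poorly Implemented" and "Misconfigured SSL/TLS" on a device or its companion app usually come down to one thing: TLS is enabled but the server certificate is never verified, so the traffic looks encrypted on the wire while any interception certificate is accepted. As an added example (not from the deck), the Python below builds that weak client context next to a hardened one and audits either against the checklist with the standard `ssl` module; the cipher-name markers and the CA-bundle parameter are the example's own choices.

```python
import ssl

# Cipher-name fragments that signal an obsolete or unauthenticated suite.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def weak_client_context() -> ssl.SSLContext:
    """What many device agents and companion apps actually ship: TLS is on, but
    the server certificate is never checked, so any MITM certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: str = None) -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.2 floor, AEAD-only ciphers.
    Pass the vendor CA bundle as `ca_file` so the device trusts only its own backend."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the checklist findings for a client context (empty list = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor below TLS 1.2 ({ctx.minimum_version.name})")
    weak = sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)
    )
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings
```

`audit_context(weak_client_context())` reports the missing certificate and hostname checks; the hardened context comes back clean. Treat the audit as a configuration check, not a substitute for putting the device behind an intercepting proxy, which is how "credentials exposed in network traffic" is actually confirmed.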
5- Privacy Concerns
Checklist
• Collection of Unnecessary Personal Information
6- Insecure Cloud Interface
Checklist
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic
7- Insecure Mobile Interface
Checklist
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic
8- Insufficient Security Configurability
Checklist
• Lack of Granular Permission Model
• Lack of Password Security Options
• No Security Monitoring
• No Security Logging
9- Insecure Software/Firmware
Checklist
• Encryption Not Used to Fetch Updates
• Update File not Encrypted
• Update Not Verified before Upload
• Firmware Contains Sensitive Information
• No Obvious Update Functionality
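The update items on this checklist reduce to one rule: nothing is written to flash until the device has authenticated it. The Python below is an added example, not from the deck: the vendor signs a manifest that binds version and image digest, the device checks signature, anti-rollback and digest before installing, and `scan_firmware` shows how "Firmware Contains Sensitive Information" is checked against an extracted image. The signing key, the sample image and the secret patterns are constructed; HMAC-SHA256 stands in for the asymmetric signature a real design would use (vendor private key, device holds only the public key) because the standard library has no Ed25519.

```python
import hashlib
import hmac
import json
import re
from typing import List, Tuple

# Stand-in for the update-signing key: HMAC with a device-provisioned key is
# used here only because the standard library has no Ed25519. Key and sample
# image below are constructed for this example.
SIGNING_KEY = b"example-update-key-not-for-production"
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"wifi_password=hunter2\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n-----END RSA PRIVATE KEY-----\n"
    + b"aws_key=AKIAIOSFODNN7EXAMPLE\n"
    + b"https://admin:admin@cloud.example.net/api\n"
)

SECRET_PATTERNS = [
    ("private key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded credential", re.compile(rb"(?i)(password|passwd|pwd)\s*[=:]\s*\S+")),
    ("AWS access key id", re.compile(rb"AKIA[0-9A-Z]{16}")),
    ("URL with embedded credentials", re.compile(rb"[a-z]+://[^/\s:@]+:[^/\s@]+@")),
]


def _canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def build_update(image: bytes, version: int, key: bytes) -> dict:
    """Vendor side: the manifest (not the raw image) is signed; it binds version and digest."""
    manifest = {"version": version, "size": len(image), "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "image": image}


def verify_update(update: dict, installed_version: int, key: bytes) -> Tuple[bool, str]:
    """Device side, run before a single byte is written to flash:
    1. authenticate the manifest, 2. refuse rollback, 3. check the image digest."""
    manifest = update["manifest"]
    if not hmac.compare_digest(sign_manifest(manifest, key), update["signature"]):
        return False, "manifest signature invalid"
    if manifest["version"] <= installed_version:
        return False, "rollback to same or older version refused"
    image = update["image"]
    if len(image) != manifest["size"] or hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest does not match signed manifest"
    return True, "ok"


def scan_firmware(image: bytes) -> List[str]:
    """Checklist item 'Firmware Contains Sensitive Information': search the image
    for the patterns that turn up in extracted IoT filesystems."""
    return sorted(label for label, pattern in SECRET_PATTERNS if pattern.search(image))
```

Fetching over verified TLS (checklist 4) protects the download in transit, and encrypting the image keeps its contents from casual inspection; neither replaces the signature check, which is what stops a tampered or downgraded image from being installed at all. `scan_firmware` is the minimum to run on every release before it ships, and on any image pulled from a device during an assessment.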
10- Poor Physical Security
Checklist
• Access to Software via USB Ports
• Removal of Storage Media
Thank You
Recommendation for IoT-1
Recommendation for IoT-2
Recommendation for IoT-3
Recommendation for IoT-4
Recommendation for IoT-5
Recommendation for IoT-6
Recommendation for IoT-7
Recommendation for IoT-8
Recommendation for IoT-9
Recommendation for IoT-10