THE INTERNET OF INSECURE THINGS
Getting Connected
TODAY’S DISCUSSION
• 30,000 Foot View of the Law
• IoT Case Studies
• Policy Activity
• Business Best Practices
30,000 FOOT VIEW OF THE LAW
• U.S. Federal Laws and Regulations (representative sample)
• International Laws and Regulations (representative sample)
• U.S. State Laws and Regulations (representative sample)
• Industry Standards and Self-Regulatory Frameworks (representative sample)
PROMISES TO CONSUMERS
What do you communicate to the public about privacy and security?
What do you actually do?
GUIDANCE ON REASONABLE SECURITY
Sensitivity and volume of consumer data
Size and complexity of data operations
Cost of available tools to improve security and reduce vulnerabilities
TrendNet: “secure wireless transmissions”
Setting to require PW/UN to access live feeds
Setting didn’t function correctly for 20 camera models – live feeds were publicly accessible
FTC: TrendNet failed to use reasonable security to design & test the software
Hackers posted live feeds of hundreds of IP cameras
ASUS: “protect computers from any unauthorized access, hacking, and virus attacks”
“SPI intrusion detection”
“DoS protection”
Default user name: (admin)
Default password: (admin)
“enable the [router’s] firewall to protect your local network against attacks from hackers”
Router software susceptible to cross-site scripting, etc.
Notified & took no action for years
ASUS: AiCloud – “the most complete, accessible, and secure cloud platform”
Plug a USB device into the router to access files & share files through a secure URL
• Authentication bypass vulnerability: allowed access to an AiCloud account w/o login credentials
• Password disclosure vulnerability in the AiCloud application: allowed retrieval of the router’s login credentials (& modification of the firewall, etc.)
• ASUS notified in 6/2013 – emailed customers in 2/2014 about firmware updates
ASUS: AiDisk – “safely secure and access your treasured data through your router”
Remotely access files on a USB storage device attached to the router via FTP
“limitless access rights”
Anyone w/ the router’s IP address could access the consumer’s USB storage
ASUS: Hackers placed text files on thousands of USB devices: “This is an automated message being sent out to everyone effected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an internet connection.”
Hackers posted a list of IP addresses of over 12,000 vulnerable ASUS routers & login creds for over 3,000 AiCloud accounts.
FTC: ASUS failed to provide reasonable security in the design & maintenance of the software developed for its routers & related “cloud” features
D-Link: “EASY TO SECURE”
“ADVANCED NETWORK SECURITY”
D-Link: “HARDCODED USER CREDENTIALS”
“COMMAND INJECTION FLAWS”
“FAILED TO TAKE REASONABLE STEPS TO MAINTAIN CONFIDENTIALITY OF PRIVATE KEY”
Breathometer: “Breathometer is a law enforcement grade breathalyzer.”
Breathometer: Sensors deteriorated significantly over time & allegedly did not accurately detect a consumer’s BAC.
Company had no way to recalibrate products in the field.
Eventually stopped selling products but didn’t notify consumers until the FTC investigation.
IoT Report
• Security: build reasonable security into the device at the outset
• Data Minimization: limit the data collected/retained & dispose of it when it is no longer needed
• Notice & Choice: is data collected/used in a way inconsistent w/ the interaction?
• Legislation
IoT Report: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
Workshops
• Ransomware – September 7
• Drones – October 13
• Smart TV – December 7
https://www.ftc.gov/news-events/press-releases/2016/03/ftc-host-fall-seminar-series-emerging-consumer-technology-issues
Workshops
• PrivacyCon: https://www.ftc.gov/news-events/events-calendar/2017/01/privacycon
Workshops
• FTC & NHTSA workshop to examine consumer privacy & security issues posed by automated and connected cars
• https://www.ftc.gov/news-events/events-calendar/2017/06/connected-cars-privacy-security-issues-related-connected
Updates & Patches
• Challenge: Create a tool consumers can use to guard against IoT security vulnerabilities & protect against out-of-date software
• IoT Watchdog: Scan the home network, inventory connected devices, flag out-of-date software & other common vulnerabilities, & provide instructions to update the software
• Prize: $25,000
• More info: https://www.ftc.gov/iot-home-inspector-challenge
Business Education
https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things
• Implement a “security by design” and “defense in depth” approach.
• Design your product with authentication in mind.
• Protect the interfaces between your product and other devices or services.
• Consider how to limit permissions.
• Test the security measures before launching your product.
• Select the secure choice as your default setting.
• Establish an effective approach for updating your security procedures.
• Innovate how you communicate.
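The TrendNet case above (a "require username/password" setting that silently did nothing on 20 camera models) and the last two best-practice bullets (secure default, test before launch) describe the same engineering failure from two sides. The following is an added illustration, not code from the presentation, the FTC guidance, or any vendor: a toy live-feed access check in which the defective pattern consults the auth setting only for some models, beside a hardened version that decides independently of model and denies by default, plus a pre-launch check that exercises every supported model. The model names, user store and credential values are constructed for the example.

```python
"""Added example (not from the presentation): secure-by-default authentication
for a camera 'live feed' and a pre-launch test that verifies the setting is
actually enforced on every model. All names and values here are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model list; the deck only says the setting failed on "20 camera models".
MODELS = ["CAM-A", "CAM-B", "CAM-C"]
PBKDF2_ROUNDS = 100_000


@dataclass
class Camera:
    model: str
    require_auth: bool = True  # the secure choice is the default setting
    # username -> (salt, pbkdf2 digest); never store the plaintext password
    users: dict = field(default_factory=dict)

    def add_user(self, username: str, password: str, salt: bytes = b"constructed-salt") -> None:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def credentials_ok(self, username, password) -> bool:
        entry = self.users.get(username)
        if entry is None or password is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # constant-time comparison so a wrong guess is not distinguishable by timing
        return hmac.compare_digest(digest, candidate)


def feed_access_buggy(cam: Camera, username=None, password=None) -> bool:
    """Defective pattern: the auth setting is honoured only on one model's code
    path; every other model falls through to 'allow', so the feed is public
    even though the owner turned the setting on."""
    if cam.model == "CAM-A" and cam.require_auth:
        return cam.credentials_ok(username, password)
    return True


def feed_access_fixed(cam: Camera, username=None, password=None) -> bool:
    """Hardened: the decision does not depend on the model, and the fall-through
    outcome is deny rather than allow."""
    if not cam.require_auth:
        return True
    if username is None or password is None:
        return False
    return cam.credentials_ok(username, password)


def prelaunch_auth_check(access_fn, models=MODELS) -> list:
    """Pre-launch test across every supported model: with auth required, an
    anonymous request and a wrong password must be refused, and the right
    password accepted. Returns the models on which enforcement failed."""
    failing = []
    for model in models:
        cam = Camera(model=model)
        cam.add_user("owner", "correct horse")
        anonymous_allowed = access_fn(cam)
        wrong_allowed = access_fn(cam, "owner", "wrong")
        right_allowed = access_fn(cam, "owner", "correct horse")
        if anonymous_allowed or wrong_allowed or not right_allowed:
            failing.append(model)
    return failing


if __name__ == "__main__":
    print("buggy handler fails on:", prelaunch_auth_check(feed_access_buggy))
    print("fixed handler fails on:", prelaunch_auth_check(feed_access_fixed))
```

The point of `prelaunch_auth_check` is that it runs the same three requests against every model in the support matrix rather than a single reference unit; a check that only covers the model the developers happened to test would have passed the buggy handler.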