OWASP IoT and Wrap-Up

00:00

when we talk about the very top option

00:02

passwords, it's funny because that exists in our own network environments.

00:07

More traditional passwords are always going to be the weakest link.

00:10

For one thing, our devices come with default passwords. There was an attack where over a million devices that were all from the Internet of things were used in a botnet to create a denial of service attack.

00:21

Ultimately, the Attackers did was assumed the default password of these devices. If the device wasn't using the default, they just moved on to the next one.

00:29

That shows you these default passwords can be very difficult,

00:33

ideally made some changes there.

00:35

We have more randomized passwords, but certainly a concern.

00:41

Insecure network services. It's estimated over 600,000 devices suffer from this particular vulnerability, like open ports and unneeded services that are provided through these devices.

00:52

Typical security vulnerabilities arise where they have additional services that aren't required,

00:57

not to mention the fact that it's so easy to add additional devices, which is why we see these insecure services as being a real issue

01:06

insecure ecosystem.

01:07

When I bring this into my home environment, I have lots of devices collaborating I've got maybe cameras from my wise, where I monitor home activity through cameras. I have maybe have a baby monitor, an echo assistant, a Google nest thermostat and a ring doorbell.

01:22

We all have those devices. And first of all, trying to get them to collaborate could be an issue. But what is this information that is being collected from all of them, and where is it going on the back end?

01:32

They have Internet access. I have Internet access in my WiFi network. What's being reported through the cloud to back end databases?

01:42

Yeah,

01:42

lack of security updates. When's the last time you updated your thermostat, your lights or your doorbell?

01:49

We don't think to update.

01:49

We don't think to monitor these devices because they've just become a part of our house.

01:55

These have embedded computer systems in them,

01:57

like everything. There are often necessary updates to maintain the security of these devices.

02:02

Then sometimes, if the security updates are rolled out automatically that causes functionality problems,

02:08

the question would then be Am I able to roll back of the security function? Doesn't work

02:14

insecure or outdated components right in line with our last topic. If you have an Alexa. Every few months a year, they released an updated component.

02:23

Then they stop supporting some of the earlier components.

02:25

We have to think about who we trust to allow into our home,

02:29

knowing that businesses are in business to make money. When we look at these systems and inter visas, what sort of capability to the have from input? Have we bought this from a trusted vendor? Have we purchased these advices from a trusted provider?

02:43

Probably the greatest concern in my mind is insufficient privacy protection.

02:46

Once again, the law is lagging behind. What can that information be used for? Who owns the data that's recorded by my Google device? We don't have a lot of laws in place now. Certainly we don't have any sort of capability of classifying information.

03:00

These devices were designed to assist you, but that means they're always listening. If you say Hey, Siri and your iPhone comes on that tells you your iPhone is just sitting there waiting for that command.

03:12

So it's listening.

03:14

We hear about these things, and then we get shocked when the N S A is found to be listening to be suspected criminals or terrorists through their televisions.

03:20

Well, the television is waiting till you record session such show.

03:23

Of course it's listening when it's listening. What's on the back end? What's also listening should be a tremendous concern. If you've ever said something in your house, and then it shows up on your Amazon list,

03:35

that should tell you about the privacy. We have

03:40

data transfer and storage. What's being stored. Where is it going? How is it protected House, My communication protected by these devices? How is the data that's going from one network device to another? How is any of it protected?

03:53

When we think about health care information and a lot of healthcare devices are modified through networking. They're part of the Internet of things.

04:00

Well, those healthcare devices contain sensitive information. If it were stored in the traditional sense, H I p. A. Guidelines would restrict how that data is stored.

04:11

When we have these wearable devices that aren't being communicated via Bluetooth or some other fashion. The security isn't necessarily as clear.

04:18

We have to think about who has access to these devices and our home or on the network

04:24

again. I'm really thinking beyond just our home use when I think about these Iot devices that are part of the network and incorporating, like maybe a facility management system.

04:33

How are the rules for access Configured?

04:35

There are several different ways these rule based access controls. There is discretionary access control. There's mandatory access control. We'll talk about those three different access control types, but you're going to find differing degrees of security.

04:54

I mentioned this earlier.

04:56

Just lack of device management

04:57

who is updating their thermostat?

05:00

Most people aren't who's managing or monitoring. How do we make sure that when we decommission these devices that they're truly decommissioned in a safe way? Can we destroy the device or what? Stored locally, we just don't have a lot of control and a lot of management on these devices.

05:16

Default settings make these devices easy to set up and get running. But once again, if I know your default configurations and can I access your network?

05:26

Many people don't change those default settings, Not to mention the fact that with just a little bit of physical access, I can usually and sometimes not even physical access. But I can reset the devices to their factory settings, which means we're going to come back to all the defaults as well.

05:42

Right

05:44

then. A lack of physical heartening

05:46

with these devices, just like any other device. Can't underestimate the need for physical security. They need to be tamper resistant. We need modes for tamper detection. Can we implement some sort of device that listen to act as a man in the middle attack? Do we trust our supply chain? Do we trust who coz and comes in in our environment

06:04

Just a lot of security considerations for Iot. What I really believe is we get caught up in the convenience that's offered that. We really failed to think about the security considerations,

06:15

just some key takeaways. We have a lot of use for the Internet of things. It really has become a just an explosion over the past few years. We often think of these personal assistance, these healthcare devices that we use but expands way beyond that.

06:30

We have monitoring tools and configuration capabilities, inventory systems, all sorts of elements that take advantage of these devices that report maybe to a central management sort of framework. Ultimately, the capabilities are pretty much unlimited. However, we have to consider security O W A S P published the top 10 security vulnerabilities with Internet of things.

06:51

And even though that's not going to be testable purse, I I would certainly be aware of some of those, really, all of those vulnerabilities.