OWASP IoT and Wrap-Up


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
When we talk about the very top option, passwords, it's funny because that exists in our own network environments. More traditional passwords are always going to be the weakest link. For one thing, our devices come with default passwords. There is an attack where over a million devices that were all from the Internet of Things were used in a botnet to create a denial of service attack. Ultimately, what the attackers did was assume the default password of these devices. If the device wasn't using the default, they just moved on to the next one. That shows you these default passwords can be very difficult. Ideally, we've made some changes there. We have more randomized passwords, but it's certainly a concern.

Insecure network services. It's estimated over 600,000 devices suffer from this particular vulnerability, like open ports and unneeded services that are provided through these devices. Typical security vulnerabilities arise where they have additional services that aren't required. Not to mention the fact that it's so easy to add additional devices, which is why we see these insecure services as being a real issue.

Insecure ecosystem. When I bring this into my home environment, I have lots of devices collaborating. I've got maybe cameras from Wyze, where I monitor home activity through cameras. Maybe I have a baby monitor, an Echo assistant, a Google Nest thermostat, and a Ring doorbell. We all have these devices. First of all, trying to get them to collaborate could be an issue. But what is this information that is being collected from all of them, and where is it going on the back-end? They have Internet access. I have Internet access in my Wi-Fi network; what's being reported through the cloud to back-end databases?

Lack of security updates. When's the last time you updated your thermostat, your lights, or your doorbell? We don't think to update. We don't think to monitor these devices because they've just become a part of our house. These have embedded computer systems in them. Like everything, there are often necessary updates to maintain the security of these devices. Then sometimes, if the security updates are rolled out automatically, that causes functionality problems. The question would then be, am I able to roll back if a security function doesn't work?

Insecure or outdated components. Right in line with our last topic. If you have an Alexa, every few months or a year they release an updated component, then they stop supporting some of the earlier components. We have to think about who we trust to allow into our home. Knowing that businesses are in business to make money, when we look at these systems and interfaces, what capability do they have for input? Have we bought this from a trusted vendor? Have we purchased these devices from a trusted provider?

Probably the greatest concern in my mind is insufficient privacy protection. Once again, the law's lagging behind: what can that information be used for? Who owns the data that's recorded by my Google device? We don't have a lot of laws in place now. Certainly, we don't have any capability of classifying information. These devices were designed to assist you. But that means they are always listening. If you say, "Hey Siri" and your iPhone comes on, that tells you your iPhone is just sitting there waiting for that command. It's listening. We hear about these things and then we get shocked when the NSA is found to be listening to suspected criminals or terrorists through their televisions. Well, the television is waiting so you can record such and such show. Of course it's listening. When it's listening, what's on the back-end? What's also listening should be a tremendous concern. Have you ever said something in your house and then it shows up on your Amazon list? That should tell you about the privacy we have.

Data transfer and storage. What's being stored? Where is it going? How is it protected? How is my communication protected by these devices? The data that's going from one network device to another, how's any of it protected? When we think about health care information, and a lot of health care devices are modified through networking, they're part of the Internet of Things. Well, those health care devices contain sensitive information. If it were stored in the traditional sense, HIPAA guidelines would restrict how that data is stored. When we have these wearable devices that aren't being communicated via Bluetooth or some other fashion, the security isn't necessarily as clear. You have to think about who has access to these devices in our home or on the network. Again, I'm really thinking beyond just our home use when I think about these IoT devices that are part of the network and incorporated in maybe a facility management system. How are the rules for access configured? There are several different ways. There are rule-based access controls, there is discretionary access control, there is mandatory access control. We'll talk about those three different access control types; we are going to find differing degrees of security.

I mentioned this earlier. Just lack of device management. Who is updating their thermostat? Most people aren't. Who's managing or monitoring? How do we make sure that when we decommission these devices, they're truly decommissioned in a safe way? Can we destroy the device or what's stored locally? We just don't have a lot of control and a lot of management on these devices.

Default settings make these devices easy to set up and get running. But once again, if I know your default configurations, can I access your network? Many people don't change those default settings. Not to mention the fact that with just a little bit of physical access, and sometimes not even physical access, I can usually reset the devices to their factory settings, which means we're going to come back to all the defaults as well.

Then a lack of physical hardening. With these devices, just like any other device, you can't underestimate the need for physical security. They need to be tamper-resistant. We need modes for tamper detection. Can we implement some device that listens or acts as a man-in-the-middle attack? Do we trust our supply chain? Do we trust who calls and comes into our environment? Just a lot of security considerations for IoT. What I really believe is we get caught up in the convenience that's offered, that we really fail to think about the security considerations.

Just some key takeaways. We have a lot of use for the Internet of Things. It really has become just an explosion over the past few years. We often think of these personal assistants, these health care devices that we use, but it expands way beyond that. We have monitoring tools and configuration capabilities, inventory systems, all elements that take advantage of these devices that report maybe to a central management framework. Ultimately, the capabilities are pretty much unlimited. However, we have to consider security. OWASP publishes the top 10 security vulnerabilities with the Internet of Things. Even though that's not going to be testable per se, I would certainly be aware of some of those. Really, all of those vulnerabilities. They're not going to ask you about it in the context of OWASP. I think being able to pick some of the security vulnerabilities of IoT out of a list and say, "That would absolutely be appropriate." I think that may.