The Dark Ages of IoT Security
CSA CEE Summit
Prof. Stefano Zanero, PhD
Agenda
What is the Internet of Things
IoT (in)security
A real-world case study
The (scary) future of IoT security
Conclusions
What is the Internet of Things?
What is the Internet of Things
“The IoT is the network of physical objects or ‘things’ embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.”
Source: Wikipedia
What is the Internet of Things
Things are physical objects
Things are connected with existing network infrastructure
Things collect data – physical world’s probes (!)
Things can be remotely controlled
Things exchange data with (some)thing
What is the Internet of Things
(personal) things
What is the Internet of Things
(home) things
What is the Internet of Things
(industrial) things
What is the Internet of Things
(medical) things
IoT (in)security
IoT (in)security
What is information security?
o Confidentiality
o Integrity
o Availability
The so-called CIA paradigm (or triad)
What about IoT security?
IoT (in)security
IoT Security ≠ Device Security
IoT (in)security
Why? Think about the mobile security world!
Mobile security is
o The security of the mobile device
o The security of installed apps
o The security of 3rd-party apps’ back-end systems
o The security of pre-installed apps’ back-ends (e.g., the app store)
Now back to the IoT universe…
IoT (in)security
Defining attack surface
“The attack surface describes all of the different points where an attacker could get into a system, and where they could get data out.”
What about the IoT attack surface?
Source: OWASP
IoT (in)security
Now, let’s talk about vulnerabilities
No alien technology, no extra-terrestrial bugs
OWASP defines an ad-hoc list for IoT
o Welcome to the OWASP IoT Top Vulnerabilities
o It is a list of vulnerabilities, not of risks
o In 2015 the list was a canonical Top 10
o Currently there are 62 vulnerabilities listed in 17 categories
IoT (in)security
OWASP top ten:
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
IoT (in)security
Slightly random thoughts on IoT security
IoT is “happening” through rapid (chaotic) development, without appropriate consideration of security
More devices == more data == more cyber attacks
“Things” are probes in everyone’s life
Smart TVs, cameras and thermostats are literally “watching” us!
Device firmware updates will be ruled by the market – see ya, security, in 18 months?
Real-world case studies
Real-world case studies
Source: HP research on smart watches
Real-world case studies
Source: Rapid7 research on baby monitoring systems
Real-world case studies
Source: HP research on home security systems
The (scary) future of IoT security
The (scary) future of IoT security
Skynet is waiting
The (scary) future of IoT security
26 BILLION objects by 2020
Source: Cisco
The (scary) future of IoT security
Complexity. That’s the problem.
The Internet of Things is wild and open, and no one will pay for securing (every)thing
Vendors are urgently called on to implement solutions that are secure by design, to reduce the risks
Extensive standardization of “how things should be securely implemented” could be a true panacea
Conclusions
Conclusions
We are brewing a perfect cyber-physical storm with unfathomable consequences
We are using complex networks of smart devices on which we increasingly rely for critical infrastructures and safety-critical systems, without humans in the loop
We have issues with zero-days as well as forever-days
We need significant engineering and research efforts to get this done and avert the storm
Thank you
[email protected]