Scribd
Upload
5 views

Week 6_IoT Security Vulnerabilities

Uploaded by

mustafapektas.mn
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
5 views

Week 6_IoT Security Vulnerabilities

Uploaded by

mustafapektas.mn
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 19

IoT Security

Vulnerabilities
Dr. Hakan Kılınç
[email protected]
IoT Vulnerabilities
Vulnerability
• A software flaw in a system
• A hacker can exploit the flaw
• Gain unauthorized access to an asset

• The potential for cyber attacks along with


compromising privacy is increasing
• It's time to raise awareness, make security
accessible, and involve experts and trusted
vendors.

• Found over half a million vulnerable IoT


devices which can pose serious security
risks
IoT
Vulnerabilities
Device Tampering
• Send incorrect information and
commands to a controller from rogue
devices
• Perform some physical action – spoof
a faulty security system
• Gain unauthorized access

• Serious concerns about mission-


critical applications
• Public infrastructure, automobiles,
and medical devices
IoT Vulnerabilities

Architect
• Follow codes and standards
• Ensure safety for the client

However,

No standards or common language in


the IoT
IoT Vulnerabilities
How can we build in security when we're not even sure of all the
risks?
• Developers
• Working on incorporating security modules
• User and password management
• Secure storage
• Anti-counterfeiting and authentication solutions
• User Education
• Encourage users and consumers to check to see what
vulnerabilities the device may have
• Before using IoT devices in a home or in an organization,
consider security risks before implementation
• Vendor Responsibility
• A consumer will have no interest or no knowledge on how to
secure their own device
• Take steps to provide the necessary security
No Malware Needed

• IoT has gaping flaws


• Default username and passwords
• Able to access the device over the Internet
• Using telnet and SSH

• Recent Testing
• 25% of devices tested had weaknesses
• Each device had approximately 750
exploitable flaws.
• It is not limited to a single vendor or
device
No Malware Needed

• Main Vulnerabilities
• Outdated firmware,
• Default username and password,
• Outward-facing
• Exposure to the Internet
• No firewall protection
No Malware Needed

Security Recommendations
• Resist attacks
• Have access control,
• Require data authentication
• Ensure confidentiality

• These recommendations become a


mandatory privilege
• Devices will need security standards much
like the early days of wireless.
• Until then, it's essential for companies to
design devices with security in mind.
Vendor Backdoors
• Manufacturers feel a sense of
urgency in releasing new smart
devices
• Without proper testing
• Many have critical flaws
• Profit is the main goal
• Consumers are anxious to install and
use the device
• Without much consideration for
the security
• Many don't even change the
default password
Vendor Backdoors
• Flaws oalong with vendor
backdoors
• A built-in vendor backdoor on the
device
• Can allow remote access to
hundreds of thousands of devices
across the world
Vendor Backdoors
Hackers
• Remotely open a shell with root privileges
• Can use scripts to target applications that are exposed
• This allows access to hundreds of devices

Best Practices
• Make sure you have the latest firmware
• Block internet access to the device
Bugs and
Compatibility Issues

IoT Devices
• Small and simple,
• Unable to upgrade,
• Have outdated firmware,
• Unable to modify

• IoT devices are easy to configure, and


implement in your home
• End user isn't sure if something has gone
wrong
• A security breach can last a long time
without detection
Bugs and
Compatibility Issues

Commonality
• If one type of a device is vulnerable, most likely
similar devices will have the same vulnerables
and can fall victim to the same types of
attacks.
Operating Systems
• Security patches and updates are not available
on many IoT applications
Device Life
• Simple IoT devices have a long shelf life and
may possibly outlive support for the device
Bugs and Compatibility Issues

IoT Bugs
• Disruptions in the way the device behaves
• It might not work properly, or shut down
unexpectedly
• Errors in the operating system, flaws in the code,
or even malware can cause erratic behavior
• The severity of failure due to these issues could
range from mild to significant
Bugs and Compatibility Issues

• Because of a lack of standards,


there are compatibility issues
• Prior to Implementation
• Ensure the device
• Is free from major flaws
• Has no compatibility issues
• Is able to support future
technology
• Can blend in with the rest of
the networked environment
Army of Things
• Preparation
• IoT Devices
• Lack basic security defenses
• Can fall victim to malware.
• Vendor Backdoor
• Some IoT devices have a built-in backdoor
• The manufacturer can access the device remotely
• Although not a malicious backdoor, this could give others
access to the device
• Fall 2016
• Managed DNS as a weapon
• Marai bot attacked Dyna DNS
• Major outages throughout the country
Army of Things

• Domain Name System (DNS)


• It is an application layer protocol essential to any network.
• It converts host names to IP addresses.
• It failures prevent hosts from communicating
• Static IP Address
• A business will register their domain name and obtain a
permanent or static IP address.
• Google.com → 172.217.7.206.
• Dynamic IP Address
• A consumer has a dynamic IP address, issued by an ISP that
preodically changes
• It will change often, at least every time they boot their router.
• Dynamic DNS
• Assigns a permanent domain name to a consumer IP address
• Updates every time the ISP issues a new IP address to the
consumer
Army of Things

• Mirai Bot
• Weaponized millions of IoT
devices
• Launched a massive DDoS
attack at Dyn’s infrastructure
• Blocked legitimate users from
obtaining IP addresses
• Slowed Internet traffic to a
crawl
• Hackers have morphed the IoT
botnet Mirai to do bitcoin mining
• They infect the vulnerable devices
and send any bitcoin mining results
to the hackers.
Thanks

You might also like