Protecting your home and office in the era of IoT

Post on 06-Apr-2017


Protecting your home and office in the era of IoT

Marian HackMan Marinov
Chief System Architect
SiteGround.com

❖ Who am I?
- Chief System Architect of SiteGround.com
- Sysadmin since 1996
- Organizer of OpenFest, BG Perl Workshops, LUG-BG and others
- Teaching Network Security and Linux System Administration courses in Sofia University and SoftUni

❖ What is an IoT device?
- a Thermostat
- a WiFi enabled light bulb
- Smart TV
- Smart toys
- home/office IP camera
- home/office WiFi router
- home/office NAS

❖ What information may leak from IoT devices?

❖ Presence information (are you at home/office/car)

❖ Electricity usage

❖ What devices you are using on your network

❖ Voice and video conversations (streaming audio/video)

Samsung privacy statement: http://www.samsung.com/sg/info/privacy/smarttv/

❖ Habits

❖ Private files (pictures, documents and videos)

❖ IoT Security?

* most of the WiFi/Radio/Bluetooth IoT devices have poor security
- manufacturers were more concerned with usability
- the HW does not allow them to do a lot more
- use of default passwords is widespread

❖ IoT Security?

- >5000 IoT devices attack their own network
  http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/
- security of the low cost devices is almost non-existent
- and to top all that, there is the Shodan search engine, which helps to search for such devices

❖ The number of attacks made by IoT devices is increasing while businesses and customers are searching for easier to use devices...

❖ Most of the IoT devices work in "The Cloud"

- your data is as secure as the company that keeps it
- your devices are sharing information with other companies via APIs
- some of your devices cannot function without "The Cloud"

❖ IoT device updates

- some of these devices get no updates
- most of the Chinese devices will NEVER get software updates
- some of the very small IoT devices don't even have a mechanism for over the air upgrade
- a lot of the devices that do support updates do not have a mechanism to actually verify the update images, so anyone can provide false images

❖ IoT as Trojans

- a single compromised IoT device can be used to circumvent company firewalls and open your networks to a lot of different attacks

❖ A lot of these security features are missing because adding the security would actually introduce complexity for the customers

❖ Once compromised, the devices are no longer under your control

❖ Sometimes compromised devices may remain under your control but simply wait for a command from the C&C servers

❖ What am I doing to protect myself and to protect the Internet from me?

❖ I personally try to avoid devices that require access to the manufacturer's sites

❖ This prevents the possibility of remotely disabling or changing my device

❖ Every new device I connect to my network is given a static IP address

❖ Every device is initially firewalled

❖ I check which addresses it needs and allow only them

❖ I do not allow traffic to devices that do not require that

❖ When I need to update the SW or FW of a device, I allow it Internet access

❖ After the upgrade I test again what the device is trying to access
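
The routine on the slides above, as an added example that is not part of the original talk: it builds a per-device allowlist from observed flows, emits default-deny nftables rules for that device, and reports anything new the device tries to reach after an upgrade. Assumptions: the device sits behind a Linux router running nftables, the one-line flow format is constructed for this example, and all addresses are documentation ranges.

```python
import ipaddress

# Constructed sample flows ("src dst proto dport"), e.g. distilled from a router capture.
DEVICE = "192.168.10.50"          # static IP given to the new device (assumed)
BASELINE = """
192.168.10.50 203.0.113.10 tcp 443    # vendor API
192.168.10.50 198.51.100.7 udp 123    # NTP
192.168.10.77 203.0.113.10 tcp 443    # a different device, ignored
"""
AFTER_UPGRADE = BASELINE + "192.168.10.50 198.51.100.99 tcp 8883\n"

def parse_flows(text):
    """Return a set of validated (src, dst, proto, dport) tuples."""
    flows = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        if proto not in ("tcp", "udp") or not 0 < int(dport) < 65536:
            raise ValueError(f"bad flow line: {line!r}")
        flows.add((str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
                   proto, int(dport)))
    return flows

def allowlist_for(device_ip, text):
    """Destinations the device was seen to need: sorted (dst, proto, dport)."""
    return sorted(f[1:] for f in parse_flows(text) if f[0] == device_ip)

def nft_rules(device_ip, allowlist):
    """Forward-chain rules: replies, the listed destinations, then drop the rest."""
    rules = ["ct state established,related accept"]
    rules += [f"ip saddr {device_ip} ip daddr {dst} {proto} dport {port} accept"
              for dst, proto, port in allowlist]
    rules.append(f"ip saddr {device_ip} drop")   # device is firewalled by default
    rules.append(f"ip daddr {device_ip} drop")   # no new inbound connections to it
    return rules

def new_destinations(device_ip, allowlist, text_after_upgrade):
    """What the device tries to reach after an upgrade that is not yet allowed."""
    return sorted(set(allowlist_for(device_ip, text_after_upgrade)) - set(allowlist))

if __name__ == "__main__":
    allowed = allowlist_for(DEVICE, BASELINE)
    print("\n".join(nft_rules(DEVICE, allowed)))
    print("new after upgrade:", new_destinations(DEVICE, allowed, AFTER_UPGRADE))
```

The generated lines belong inside a `forward` chain of an `inet` or `ip` table; a destination reported as new after an upgrade is reviewed before it is added to the allowlist.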

❖ I would never give internet access to Voice and Video devices

❖ In 2015 unprotected baby monitors leaked audio and video conversations of unsuspecting families

❖ In 2016 unprotected IP cameras helped to schedule the best time for burglary in some companies and homes in the US

❖ There are currently around 6 billion internet-connected devices in use worldwide, and that figure is predicted to soar to over 20 billion by 2020, according to research by consultancy Gartner.

❖ The EU tries to battle these security threats by introducing new laws for IoT devices

❖ Keep in mind that security IS a process and not a state

❖ A device that is SECURE today may be INSECURE tomorrow

THANK YOU

Marian HackMan Marinov <mm@siteground.com>
Chief System Architect
SiteGround.com