Date post: 26-May-2020
Welcome to The Internet of (Insecure) Things
Page 1: Welcome to The Internet of (Insecure) Things · The Internet of What? “The Internet of Things is the network of physical objects that contain embedded technology to communicate

Welcome to The Internet of (Insecure) Things

Page 2:

Who am I? Who is Nexum?

I'm Chandler Howell, Director of Engineering at Nexum ([email protected]), @chandlerhowell on Twitter

Nexum is a Network & Security Reseller & Consultancy

Headquartered in Chicago, with a presence east of the Mississippi River

http://nexuminc.com

Page 3:

The Internet of (Insecure) Things

1. The Internet of What?

2. Smart is the New Dumb

3. When Worlds Collide

4. Failure Modes

5. A Parade of Horrors

6. So What Now?

Page 4:

THE INTERNET OF WHAT?

A few definitions might be handy

Page 5:

The Internet of What?

“The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” – Gartner

“Spime is a neologism for a futuristic object…that can be tracked through space and time throughout its lifetime” – Wikipedia/Bruce Sterling

Page 6:

The Internet of What?

IoT is massive and getting massiver

[Chart: # of Devices (Billions) by year, 2014 to 2020; Residential (78%), Commercial (22%)]

Sources: Gartner; Praetorian Security (@praetorianlabs)

Page 7:

SMART IS THE NEW DUMB

Ironic, really

Page 8:

Smart is the New Dumb

Smart, but Vulnerable: Security is not a priority of IoT (yet)

Focus is on: Cost, Time to market, Features & Functionality

Focus is NOT on: Security, Maintainability, Longevity

Page 9:

WHEN WORLDS COLLIDE

Is your Internet in my Thing or my Thing in your Internet?

Page 10:

When Worlds Collide

Lifecycles are mismatched

Technology lifecycles are short (18-48 months)

Consumer lifecycles are longer (12-15 years)

Industrial Equipment is supposed to outlive you

Page 11:

When Worlds Collide

IT is not IoT:

Scale

Network Connectivity

Inventory

Logging & Monitoring

Incident Response

Page 12:

When Worlds Collide

Compliance: What IoT data needs a Privacy Policy? What about Data Retention policies? What about standards in general?

Insurance: Do you have the right coverage? Are you sure?

Lawsuits: Software Liability is coming through IoT

Page 13:

FAILURE MODES

How can I fail thee? Let me count the ways…

Page 14:

Failure Modes

1. Get Broken: Damage or destroy the device or attached devices

2. Get Leveraged: Use the device as a vector for Other Badness

3. Get Exploited: Use the device to spy on or steal from the target

Page 15:

A PARADE OF HORRORS

It’s spelled “IoT” but it’s pronounced “Fail”

Page 16:

A Parade of Horrors

Welcome to the Future

Page 17:

A Parade of Horrors

Numerous, Recurring Poor Security Decisions:

Weak/No Crypto

Weak/No transport security

Insecure/Default Authentication

Root-only devices

Security-by-Obscurity

Insecure/unsigned images

Fail-Open designs

Credential Leaks

Key & Credential Replay

Insecure User Interfaces (XSS, CSRF)

Cloud Insecurity

Privacy Violations

Page 18:

A Parade of Horrors

Consumer Goods: Refrigerators, Light Bulbs, Televisions & Electronics, Smart Watches, Home Automation

Page 19:

A Parade of Horrors

Medical Devices: Surgical and anesthesia devices, Ventilators, Drug infusion pumps, Pacemakers, External defibrillators, Patient monitors, Laboratory and analysis equipment

Pretty much every type of failure you can imagine

Page 20:

A Parade of Horrors

Cars:

Miller & Valasek Jeep Hacking

Samy’s OwnStar > ON*Star

Samy’s RollCode just re-hacked car keyless entry

Black Boxes & Telematics

Volkswagen hacked themselves

Page 21:

A Parade of Horrors

Airplanes:

Drones: Definitely (Iranian Gov't, Samy's SkyJack)

In-Flight Entertainment (IFE): Definitely (Ruben Santamarta)

Telemetry, Internet uplinks & SATCOM: Probably (Ruben Santamarta)

Page 22:

A Parade of Horrors

Infrastructure: NFC & Prox Cards, Traffic Lights, Industrial Control Systems, Utility Meters

Page 23:

SO WHAT NOW?

Can I have a hint?

Page 24:

So what now?

Fortunately, not this.

Page 25:

So what now?

Don’t Panic

Think in terms of Failure Modes

Realize these are not new problems

Expect Novel attacks

Page 26:

So what now?

Ashley Madison + Smart TVs =

Page 27:

So what now?

Know your Key Controls:

Preventative: Onboarding & Inventory

Detective: Monitoring

Reactive: Incident Response

Ensure proper Risk Ownership

Have a robust Exceptions Process

Page 28:

So what now?

Assess whether the Smart is worth the Risk

Align Trust & Risk Boundaries

Architect for Insecure Things: Assume devices are insecure by default. If not today, they will be some day.

Avoid proprietary standards & protocols (where possible)

Don't forget how to operate without IoT

Page 29:

So what now?

Leverage Existing Security Tools & Processes

Defense-in-Depth

Threat Modeling

Incident Response

Implement Compensating Controls

Page 30:

So what can I do?

Support/Leverage Emerging IoT Security Groups and Standards, e.g. Online Trust Alliance

Hold the line on security standards for IoT: they are not special!

Include the cost of IoT security in their TCO

Page 31:

Thank You for your time!

Fun Fact: John Bender invented Power-Over-Ethernet (PoE) light bulbs

Well, that was fun.

Page 32:

I try to behave,

but sometimes these things happen...

