IoT Security and privacy challenges
Adel Abdel Moneim, MBA, ITU-ARCC Cyber Security Expert
SCCISP, CISSP, CISM, CRISC, CISA, CGEIT, CCISO, SABSA-SCF, CEH, CCSK, CHFI, EDRP, CSA, ECSA, LPT, CND, ECES, CCFP-EU, PECB MS Auditor, SMSP, ECIH, Master ISO27001, ISO27005 LRM, ISO31000, ISO27032 Lead Cybersecurity Manager, ISO27035 LIM, ISO38500 Lead IT Corporate Governance Manager, ISO24762 LDRM, CLSSP, ISO 29100 Lead Privacy Implementer, Lead Forensic Examiner, Certified Cyber Intelligence Professional (CCIP)
Definition of IoT

[WIKIPEDIA] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.

[OXFORD] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.
The internet of Things moves in
IoT Attack news
Adel Abdel Moneim [adelnet2k@gmail.com]
IoT Attack news (source URL fragment: ttacks-cost-the-uk-economy-1-billion/)
IoT Attack news
IoT Attack news
IoT Attack news
IoT Attack news
Smart Home & Wearable devices
IoT in Health
IoT in Agriculture
IoT in Education
IoT in Traffic
IoT in Retail
IoT in Smart City
IoT Based Waste Collection
IoT Based Pollution Control
Smart Dust Bin in London
Smart Dust Bin in London (Cont.)
Smart Dust Bin in London (Cont.)
IoT Application Areas and Devices
IoT Application Areas and Devices
IoT Attack Surface Areas

Device Memory: Cleartext credentials; Third-party credentials; Encryption keys
Ecosystem (general): Implicit trust between components; Enrollment security; Decommissioning system; Lost access procedures
Device Physical Interfaces: Firmware extraction; User CLI; Admin CLI; Privilege escalation; Reset to insecure state; Removal of storage media; Tamper resistance
Device Web Interface: SQL injection; Cross-site scripting; Cross-site Request Forgery; Username enumeration; Weak passwords; Account lockout; Known default credentials
Device Firmware: Hardcoded credentials; Encryption keys; Encryption (symmetric, asymmetric); Sensitive information; Sensitive URL disclosure; Firmware version display and/or last update date

IoT Attack Surface Areas

Device Network Services: Information disclosure; User CLI; Administrative CLI; Injection and Denial of Service; Unencrypted services; Poorly implemented encryption; UPnP; Vulnerable UDP services
Administrative Interface: SQL injection; Cross-site scripting; Security/encryption options; Logging options; Two-factor authentication; Inability to wipe device
Local Data Storage: Unencrypted data; Data encrypted with discovered keys; Lack of data integrity checks
Cloud Web Interface: SQL injection; Cross-site scripting; Transport encryption; Insecure password recovery mechanism; Two-factor authentication
Third-party Backend APIs: Unencrypted PII sent; Encrypted PII sent; Device information leaked; Location leaked

[heading not recovered in transcription]: Update is not encrypted; Updates not signed; Update location writable; Update verification & authentication; Missing update mechanism; No manual update mechanism
[heading truncated to "ion" in transcription]: Implicitly trusted by device or cloud; Username enumeration; Account lockout; Known default credentials; Weak passwords; Transport encryption; Insecure recovery mechanism
Vendor Backend APIs: Inherent trust of cloud or mobile application; Weak authentication; Weak access controls; Injection attacks; Hidden services
Ecosystem Communication: Health checks; Heartbeats; Ecosystem commands; Deprovisioning; Pushing updates
Network Traffic: LAN; LAN to Internet; Short range; Non-standard
IoT Security is the [figure: layers net / app / mobile / cloud / IoT; controls: services, encryption, firewall, authN, authZ, input validation, etc.; weaknesses: insecure APIs, lack of encryption, etc.; Auth / Session / Access]
IoT Technologies and Protocols
IoT Communication Models
IoT : How IoT Works
Data Leakage & Users Privacy Issues
Data Leakage & Users Privacy Issues
Data Leakage & Users Privacy Issues
Google Services
Google Services (Cont.)
Google Services (Cont.)
Google Services (Cont.)
Google Services (Cont.)
Google Services (Cont.)
Google Services (Cont.)
Google Services (Cont.)
Google Services (Cont.)
Google Services (Cont.)
Samsung Health App
Samsung Health App
Samsung Health App (Cont.)
Samsung Health App (Cont.)
Samsung Health App (Cont.)
NIST Cyber Security Framework
Contact: Adel Abdel Moneim [adelnet2k@gmail.com]
Questions?