Transcription
50 Milliards de failles connectées en 2020Renaud Lifchitz – Namur – 31 mai 2018
Pure Player in Cyber Security Services200 Experts in France. Subsidiaries in Belgium and Luxembourg2 domains of expertise : Information Systems and IOT6 service lines : Audit (intrusion tests, code review, ),Consulting (governance, risk management, GDPR), Training, CERT,Onsite Security (SOC, SIEM), Project based security (IAM,SSO, )Innovation : CERT, Technology watch, R&D, PublicationsCertified consultants (PASSI, ISO, CISSP, ITIL, )PSecurity label for the Internet of Things, Digital Security
IoT : What is it ?
IOT : DefinitionA connected object with the following seven attributes : SensorConnected to InternetProcessorEnergy efficiencyOptimized costReliabilitySecurityDigital Security
IoT: A major evolutionUse of Connected ObjectsSource : kaizen-factory.comIn 2 years, the new connected objects willbe half of Internet devicesDigital Security
All sectors are concernedSource : iot-analytics.comGartner: « By end of 2018, over 20 percent of entreprises will havedigital security services devoted to protecting businessinitiatives using the IoT »Digital Security
A complex architectureSource : Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsData to be protected in a distributed architecture, using a dozen ofdifferent programming languagesDigital Security
IoT : what about security?
Digital Security
Top 10 of IoT flaws according1 Insecure Web Interface2 Insufficient Authentication/Authorization3 Insecure Network Services4 Lack of Transport Encryption5 Privacy Concerns6 Insecure Cloud Interface7 Insecure Mobile Interface8 Insufficient Security Configurability9 Insecure Software/Firmware10 Poor Physical SecurityDigital Security
The point of view of authoritiesSource : FBI, I-091015-PSAThe FBI mentions [ ] personal data theft, but also the sending ofmalware, e-mail spamming as well as a risk for physical security.Digital Security
IoT Standards and safety guidesSeveral initiatives : Sectorial guidance on IoT security by the ENISAU.S. Dept of Homeland Security Strategic Principles forsecuring IoTNIST Special Publication 800-160Projet OWASP for the IoTNESCOR StandardUL 2900 StandardIoT security is on the way, but connected solutions are alreadylargely widespreadDigital Security
How the IoT got hacked
How the IoT got hackedShodan.io, the IoT search engineSource : Shodan.ioShodan crawls the Internet and records technicalbanners of accessible servicesA malicious use is to identify vulnerable targets toknown flawsIoT devices expose themselves on InternetDigital Security
How the IoT got hackedSpying thinks to the Internet of thingsSource : PresseHack of « smarts TV » used for the « Digital Signage »Hijacking of services robots (cameras, micros)Interception of conversations at reception areas, meetingrooms, etc.Facilitation of spyingDigital Security
How the IoT got hackedResonance of the IoT on the companyinformation systemAn « APT » through hacking of the distributor’s subcontracter responsiblefor the remote monitoring of the connected heating and air conditioningsystems.A financial and privacy prejudice never reached: 40 millions of stolen credit card numbers and 110 millions of stolen contactdetails affecting 1 out of 3 American Total estimated cost: 14 billionsInformation System HackingDigital Security
How the IoT got hackedHack of the Information System through a smartlight bulbSource : www.contexis.comAnalysis of the light bulb firmware revealsvulnerabilities in every devicesPossibility to hack the WiFi network in case ofphysical access to the radio frequency waves (30meters)Information System HackingDigital Security
How the IoT got hackedHackers remotely took control of a connectedcarTakeover through Internet of the car embeddedsystems1,5 millions cars have been called back in USA duringSummer 2015Available update by USB key!Endangering of human lifeDigital Security
How the IoT got hackedAttacks on smart metersSource : Black Hat Euope 2014, www.youtube.comStudy on smart meters security Measuring of consumption Adaptation of electricity productionHypothetical attack scenari include the electric sabotage and subsequentblackout of a whole populationEndangering of human lifeDigital Security
How the IoT got hackedHijack of medical devicesThe common point between a pacemaker and a insulinepump? They have both been hacked Pacemaker : possibility to turn off the device or send a electricdischarge of 830 voltsInsuline pump: Takeover via WiFi, possibility to convert the device in alethal weapon!Endangering of human lifeDigital Security
IoT security: what solutions?
Our IoT CERT and its activitesOur CERTCERT UBIK:the very first CERT in Europe dedicated to IoT security50 expertsSecurity watch, incident response, security audits,reverse engineering, We have our own dedicated labDigital Security
Our IoT CERT and its activitesDigital Security portfolioSecurity level evaluation of the IoT chain Integrating security into projectsSoftware and hardware reverse engineeringCode reviewPenetration testsEquipment and appropriate skills for the IoT security specificitiesDigital Security
Security label for IoT solutionsIoT Qualified Security LabelIQS enables future buyers, companies or individuals to identifythe security level of a connected solution according to a reliable,neutral and independent indicator.Digital Security
Benoit.Rousseaux@digital.securityDigital Security
Digital Security Resonance of the IoT on the company information system An « APT » through hacking of the distributor’ssubcontracter responsible for the remote monitoring of the connected heating and air conditioning
