Protecting your home and office in the era of IoT

Protecting Protecting
your home and office your home and office
in the era of IoTin the era of IoT
Marian HackMan MarinovMarian HackMan Marinov
Chief System ArchitectChief System Architect
SiteGround.comSiteGround.com

❖❖ Who am I?Who am I?
- Chief System Architect of SiteGround.com- Chief System Architect of SiteGround.com
- Sysadmin since 1996- Sysadmin since 1996
- Organizer of OpenFest, BG Perl- Organizer of OpenFest, BG Perl
Workshops, LUG-BG and othersWorkshops, LUG-BG and others
- Teaching Network Security and- Teaching Network Security and
Linux System AdministrationLinux System Administration
courses in Sofia Universitycourses in Sofia University
and SoftUniand SoftUni

❖❖ What is an IoT device?What is an IoT device?
- a Thermostat- a Thermostat
- a WiFi enabled light bulb- a WiFi enabled light bulb
- Smart TV- Smart TV
- Smart toys- Smart toys
- home/office IP camera- home/office IP camera
- home/office WiFi router- home/office WiFi router
- home/office NAS- home/office NAS

❖❖ What information may leakWhat information may leak
from IoT devices?from IoT devices?

❖❖ Presence informationPresence information
(are you at home/office/car)(are you at home/office/car)

❖❖ Electricity usageElectricity usage

❖❖ What devices are you usingWhat devices are you using
at your networkat your network

❖❖ Voice and videoVoice and video
conversationsconversations
(streaming audio/video)(streaming audio/video)
Samsung privacy statement:Samsung privacy statement:
http://www.samsung.com/sg/info/privacy/smarttv/http://www.samsung.com/sg/info/privacy/smarttv/

❖❖ Private filesPrivate files
(pictures, documents and(pictures, documents and
videos)videos)

❖❖ IoT Security?IoT Security?
* most of the WiFi/Radio/Bluetooth IoT devices* most of the WiFi/Radio/Bluetooth IoT devices
have poor securityhave poor security

- manufacturers were more concerned with- manufacturers were more concerned with
usabilityusability

usabilityusability
- the HW does not allow them to do a lot more- the HW does not allow them to do a lot more

usabilityusability
- the HW does not allow them to do a lot more- the HW does not allow them to do a lot more
- use of default passwords is widespread- use of default passwords is widespread

- >5000 IoT devices attack their own network- >5000 IoT devices attack their own network
http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-agaihttp://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-agai
nst-itself/nst-itself/

- security of the low cost devices is almost non-- security of the low cost devices is almost non-
existentexistent

- security of the low cost devices is almost non-- security of the low cost devices is almost non-
existentexistent
- and to top all that, there is the Shodan search- and to top all that, there is the Shodan search
engine, which helps to search for such devicesengine, which helps to search for such devices

❖❖ The number of attacks made by IoT devicesThe number of attacks made by IoT devices
is increasing while businesses and customersis increasing while businesses and customers
are searching for easier to use devices...are searching for easier to use devices...

❖❖ Most of the IoT devices work in "The Cloud"Most of the IoT devices work in "The Cloud"
- your data is as secure as the company that- your data is as secure as the company that
keeps itkeeps it
- your devices are sharing information with- your devices are sharing information with
other companies via APIsother companies via APIs
- some of your devices can not function without- some of your devices can not function without
"The Cloud""The Cloud"

❖❖ IoT device updatesIoT device updates
- some of these devices get no updates- some of these devices get no updates
- most of the Chinese devices will NEVER get- most of the Chinese devices will NEVER get
software updatessoftware updates
- some of the very small IoT devices don't even- some of the very small IoT devices don't even
have a mechanism for over the air upgradehave a mechanism for over the air upgrade
- a lot of the devices that do support updates,- a lot of the devices that do support updates,
do not have a mechanism to actually verify thedo not have a mechanism to actually verify the
update images, so anyone can provide falseupdate images, so anyone can provide false
imagesimages

❖❖ IoT as TrojansIoT as Trojans
- single compromised IoT device can be used to- single compromised IoT device can be used to
circumvent company firewalls and open yourcircumvent company firewalls and open your
networks to a lot of different attacksnetworks to a lot of different attacks

❖❖ A lot of these missing security features areA lot of these missing security features are
because adding the security would actuallybecause adding the security would actually
introduce complexity for the customersintroduce complexity for the customers

❖❖ Once compromised the devices are no longerOnce compromised the devices are no longer
under your controlunder your control

❖❖ Sometimes compromised devices maySometimes compromised devices may
remain under your control but simply waitingremain under your control but simply waiting
for a command by the C&C serversfor a command by the C&C servers

❖❖ What am I doing to protect my selfWhat am I doing to protect my self
and to protect the Internet from me?and to protect the Internet from me?

❖❖ I personally, try to avoid devices that requireI personally, try to avoid devices that require
access to the manufacturer's sitesaccess to the manufacturer's sites

❖❖ I personally, try to avoid devices that requireI personally, try to avoid devices that require
access to the manufacturer's sitesaccess to the manufacturer's sites
❖❖ This prevents the possibility of remotelyThis prevents the possibility of remotely
disabling or changing my devicedisabling or changing my device

❖❖ Every new device I connect to my network isEvery new device I connect to my network is
given static IP addressgiven static IP address

❖❖ Every device is initially firewalledEvery device is initially firewalled

❖❖ I check what are the addresses that it needsI check what are the addresses that it needs
and allow only themand allow only them

❖❖ I do not allow traffic to devices that do notI do not allow traffic to devices that do not
require thatrequire that

❖❖ When I need to update the SW or FW of theWhen I need to update the SW or FW of the
device I allow them Internet accessdevice I allow them Internet access

❖❖ When I need to update the SW or FW of theWhen I need to update the SW or FW of the
device I allow them Internet accessdevice I allow them Internet access
❖❖ After upgrade I test what the device is tryingAfter upgrade I test what the device is trying
to access againto access again

❖❖ I would never give internet access to VoiceI would never give internet access to Voice
and Video devicesand Video devices

❖❖ In 2015 unprotected baby monitors leakedIn 2015 unprotected baby monitors leaked
audio and video conversations by unsuspectingaudio and video conversations by unsuspecting
familiesfamilies

❖❖ A lot of surveillance give you false sense ofA lot of surveillance give you false sense of
security by providing you user/passwordsecurity by providing you user/password
prompts, but their video streams are protectedprompts, but their video streams are protected
with DEFAULT users and passwordswith DEFAULT users and passwords

❖❖ In 2015 unprotected baby monitors leakedIn 2015 unprotected baby monitors leaked
audio and video conversations by unsuspectingaudio and video conversations by unsuspecting
familiesfamilies
❖❖ In 2016 unprotected IP camera helped toIn 2016 unprotected IP camera helped to
schedule the best time for burglary in someschedule the best time for burglary in some
companies and homes in the UScompanies and homes in the US

❖❖ There are currently around 6 billion internet-There are currently around 6 billion internet-
connected devices in use worldwide, and thatconnected devices in use worldwide, and that
figure is predicted to soar to over 20 billion byfigure is predicted to soar to over 20 billion by
2020, according to research by consultancy2020, according to research by consultancy
Gartner.Gartner.

❖❖ The EU tries to battle these security threatsThe EU tries to battle these security threats
by introducing new laws for IoT devicesby introducing new laws for IoT devices

❖❖ Keep in mind that security IS a process andKeep in mind that security IS a process and
not a statenot a state

❖❖ Keep in mind that security IS a process andKeep in mind that security IS a process and
not a statenot a state
❖❖ A device that is SECURE today, may beA device that is SECURE today, may be
UNSECURE tomorrowUNSECURE tomorrow

THANK YOUTHANK YOU
Marian HackMan Marinov <mm@siteground.com>Marian HackMan Marinov <mm@siteground.com>
Chief System ArchitectChief System Architect
SiteGround.comSiteGround.com

Protecting your home and office in the era of IoT

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Protecting your home and office in the era of IoT

Similar to Protecting your home and office in the era of IoT (20)

More from Marian Marinov

More from Marian Marinov (20)

Recently uploaded

Recently uploaded (20)

Protecting your home and office in the era of IoT