2. ❖ Who am I?
- Chief System Architect of SiteGround.com
- Sysadmin since 1996
- Organizer of OpenFest, BG Perl Workshops, LUG-BG and others
- Teaching Network Security and Linux System Administration courses in Sofia University and SoftUni
3. ❖ What is an IoT device?
- a Thermostat
- a WiFi enabled light bulb
- Smart TV
- Smart toys
- home/office IP camera
- home/office WiFi router
- home/office NAS
4. ❖ What information may leak from IoT devices?
14. ❖ IoT Security?
* most of the WiFi/Radio/Bluetooth IoT devices have poor security
- manufacturers were more concerned with usability
- the HW does not allow them to do a lot more
- use of default passwords is widespread
17. ❖ IoT Security?
- >5000 IoT devices attack their own network
http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/
- security of the low cost devices is almost non-existent
- and to top all that, there is the Shodan search engine, which helps to search for such devices
18. ❖ The number of attacks made by IoT devices is increasing while businesses and customers are searching for easier-to-use devices...
19. ❖ Most of the IoT devices work in "The Cloud"
- your data is as secure as the company that keeps it
- your devices are sharing information with other companies via APIs
- some of your devices cannot function without "The Cloud"
20. ❖ IoT device updates
- some of these devices get no updates
- most of the Chinese devices will NEVER get software updates
- some of the very small IoT devices don't even have a mechanism for over the air upgrade
- a lot of the devices that do support updates do not have a mechanism to actually verify the update images, so anyone can provide false images
21. ❖ IoT as Trojans
- a single compromised IoT device can be used to circumvent company firewalls and open your networks to a lot of different attacks
22. ❖ A lot of these security features are missing because adding the security would actually introduce complexity for the customers
23. ❖ Once compromised, the devices are no longer under your control
24. ❖ Sometimes compromised devices may remain under your control but simply be waiting for a command from the C&C servers
25. ❖ What am I doing to protect myself and to protect the Internet from me?
27. ❖ I personally try to avoid devices that require access to the manufacturer's sites
❖ This prevents the possibility of remotely disabling or changing my device
33. ❖ Every new device I connect to my network is given a static IP address
❖ Every device is initially firewalled
❖ I check which addresses it needs and allow only them
❖ I do not allow traffic to devices that do not require that
❖ When I need to update the SW or FW of the device I allow it Internet access
❖ After the upgrade I again test what the device is trying to access
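The procedure above, sketched as an added example (not code from the talk). It assumes a Linux router using iptables whose LOG rule writes lines with the prefix "IOT-DROP"; the device address 192.168.10.50, the chain name IOT_DEV and all log lines are constructed for illustration. The flows learned from the log are meant to be reviewed by a person before they are allowed.

```python
import re
from collections import Counter

# Constructed sample: kernel log lines from an iptables LOG rule on the router.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.10.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40112 DPT=443
Jan 10 12:00:03 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.10.50 DST=203.0.113.9 LEN=76 PROTO=UDP SPT=123 DPT=123
Jan 10 12:00:09 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.10.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40114 DPT=443
Jan 10 12:00:11 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.10.77 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=51000 DPT=80
"""
# Constructed: what the LOG rule records after a firmware upgrade.
SAMPLE_AFTER_UPGRADE = (
    "Jan 11 09:30:00 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.10.50 "
    "DST=192.0.2.200 LEN=60 PROTO=TCP SPT=40200 DPT=8883\n")

FLOW = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(TCP|UDP) SPT=\d+ DPT=(\d+)")

def observed_flows(log_text, device_ip):
    """Count (dst, proto, dport) tuples the firewalled device tried to reach."""
    flows = Counter()
    for line in log_text.splitlines():
        m = FLOW.search(line)
        if m and m.group(1) == device_ip:
            flows[(m.group(2), m.group(3).lower(), int(m.group(4)))] += 1
    return flows

def render_rules(device_ip, allowed, chain="IOT_DEV"):
    """Render iptables commands: allow only reviewed flows, log and drop the rest."""
    rules = [f"iptables -N {chain}",
             f"iptables -A FORWARD -s {device_ip} -j {chain}"]
    for dst, proto, dport in sorted(allowed):
        rules.append(f"iptables -A {chain} -d {dst} -p {proto} --dport {dport} -j ACCEPT")
    rules += [f'iptables -A {chain} -j LOG --log-prefix "IOT-DROP "',
              f"iptables -A {chain} -j DROP",
              # Nothing may open a connection to the device; only replies get in.
              f"iptables -A FORWARD -d {device_ip} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
              f"iptables -A FORWARD -d {device_ip} -j DROP"]
    return rules

def new_after_upgrade(allowed, log_text, device_ip):
    """Flows seen after a firmware upgrade that are not on the reviewed allowlist."""
    return sorted(set(observed_flows(log_text, device_ip)) - set(allowed))

if __name__ == "__main__":
    allow = set(observed_flows(SAMPLE_LOG, "192.168.10.50"))  # after manual review
    print("\n".join(render_rules("192.168.10.50", allow)))
    print(new_after_upgrade(allow, SAMPLE_AFTER_UPGRADE, "192.168.10.50"))
```

The script only prints the rules; applying them, and deciding whether a destination that appears after an upgrade should be allowed, stays a manual step.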
34. ❖ I would never give internet access to Voice and Video devices
36. ❖ A lot of surveillance devices give you a false sense of security by providing you user/password prompts, but their video streams are protected with DEFAULT users and passwords
37. ❖ In 2015 unprotected baby monitors leaked audio and video conversations of unsuspecting families
❖ In 2016 unprotected IP cameras helped to schedule the best time for burglary in some companies and homes in the US
38. ❖ There are currently around 6 billion internet-connected devices in use worldwide, and that figure is predicted to soar to over 20 billion by 2020, according to research by consultancy Gartner.
39. ❖ The EU tries to battle these security threats by introducing new laws for IoT devices
41. ❖ Keep in mind that security IS a process and not a state
❖ A device that is SECURE today, may be UNSECURE tomorrow
42. THANK YOU
Marian HackMan Marinov <mm@siteground.com>
Chief System Architect
SiteGround.com