Internet of Things – novelty and comfort vs. security
Formal Metadata
Title | Internet of Things – novelty and comfort vs. security
Number of Parts | 95
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/32261 (DOI)
FrOSCon 2017, part 85 / 95
Transcript: English(auto-generated)
00:07
Okay, so again, thank you for your warm welcome. My name is Alexander Zdib. Privately, personally, I'm an enthusiast of free software.
00:23
Professionally, I work with embedded devices, IoT devices, Industry 4.0 devices, and for the last four years I have been particularly interested in the security of these devices.
00:43
Okay, this is my second time speaking here at FrOSCon, so thanks to the hosts and all the crew for inviting me and holding this event. It's very nice every time. So, let's start. The topic today is Internet of Things,
01:04
Novelty and Comfort versus Security. So, I think that we all kind of understand what Internet of Things devices are, but let's look at it in a more focused way, in more detail,
01:22
and especially let's see what the benefits are, but also what compromise we need to agree to, especially in terms of security, to use them. So, today we're going to talk about what the Internet of Things is,
01:41
in case it's not yet well understood. I'm probably not going to explain it, because it's still just an ongoing topic and I believe there are no real experts in this branch, so then I will show you some vulnerabilities
02:00
of these popular devices, the hazards and trends that they create, and then finally how to provide security and solve the most common problems, and in the end we can have some discussion or questions, let's see. So, the first question here is
02:22
whether every device connected to the Internet is already an IoT device. So, Internet of Things is not a recent term. It was first used by Mr. Kevin Ashton in the last century.
02:46
He was describing Procter & Gamble's supply chain, and it was just RFID devices speaking to each other, and that was it. So, how do we define it? Whoa, sorry about that.
03:26
So, currently Wikipedia defines the Internet of Things as a concept according to which devices can store, process and share data using computer networks, but I think this is too general. It can be true for virtually every device
03:43
which is connected to any kind of network. So, let's look at another one. Mr. Andy Rose, IoT expert, enthusiast and researcher, says it's the allocation of virtual presence
04:01
to physical objects, and that's more like it. So, compared to the Internet of Non-Things, the Internet of Humans, let's say, we can agree somehow that the Internet of Things is about devices which themselves produce data,
04:23
information, and consume it, and there is no need for a human. Of course, a human can be at the beginning of the chain and at the end of the chain, but in the intermediate state there are only devices which produce and consume each other's data, and that's the difference.
04:42
So, no, I don't believe that each and every device connected to the Internet is Internet of Things. I believe that it needs to have this feature of producing data on its own or consuming data on its own, without needing a human to interface with it.
05:02
So, let's see how it looks in practice. So, what manufacturers especially like to call Internet of Things, for different reasons, because they really believe that this is Internet of Things or maybe they just want to market it this way,
05:20
but let's see. So, let's start with very simple stuff, and one little disclaimer at the beginning: I'm showing concrete devices, but I'm not really talking about them, so this is just an illustration of a group of devices.
05:43
So, the first group is just very common, normal stuff like connected buttons which can be programmed, or power outlets, nothing really special, but this is already Internet of Things. Then toys, and these toys nowadays can also connect to the Internet
06:05
and share some data, receive some data. For example, some toys can react to the time of day, they can react to the weather conditions outside, and so on. So, this is very nice,
06:22
sometimes it's for additional reasons. There is some research, not on this toy presented, but security researchers were able to hack one of such devices and make it swear in front of the users.
06:43
So, let's see what's next. Something more of real stuff, so this is here eight which is connected; it can connect, for example, directly to a doorbell, so it doesn't need to amplify the real doorbell,
07:04
but instead it can just play the sound of the doorbell directly, it can pair to a phone, or it can react to changes in the environment to adjust its settings, very nice. Today, just before my presentation, there was also mentioned this pacemaker defibrillator
07:22
which is also a kind of IoT, because these types of devices have telemetry; it was also mentioned that they virtually have no security, no encryption. So, yeah, you can see that the appliances
07:40
may be really serious sometimes, sometimes less serious or more serious depending on the person. You have some robot drink; you can order drinks using your phone, for example, that's just for fun probably. Barbecue must-have, so this little device
08:00
can measure the level of gas in your container. What can go wrong? What can go wrong is a rifle. Of course, I'm not going to say that if you hacked this device you could pull the trigger of this rifle, but researchers
08:22
were able to mislead the auto-aiming and targeting aid. This scope, not the rifle, is helping to track the target, and attackers were able to change the target
08:40
while aiming, so this is kind of scary already. Something for the youngest, this is probably a nice device. It can help track the vital functions of your baby. Probably very good for most parents,
09:03
maybe for some only, but there was already a story on the internet that parents were scared to see a notification on their phone that the vital functions of their babies had disappeared, only to find out that the toddler had just dropped the sock.
09:27
Something which is probably not only for teenagers, just wonder, you can connect it to your phone, hopefully not directly to Facebook to just announce it to everybody.
09:44
This is something which I believe, and this is where I work, I work in industry and agriculture IoT, so I believe this is one of the appliances which makes the most sense, agriculture, where IoT devices, all the tractors,
10:05
harvesters, trucks, and so on are connected to each other, speaking to each other, what the crops are, what the fuel levels are, what the condition of the engines is; this helps a lot in industry.
10:22
This is something for gardening, you can schedule sprinkling your grass and so on, I think really special, but yes, another thing. This is something you know, there is nothing to be excited about, we had a laugh about it last year,
10:43
but how about this? This is something which is virtually a Fitbit for men, it's set to measure a man's performance and synchronize it with a profile on the phone,
11:01
I don't know if it posts it to the dating portal or not, just saying, yeah, okay. Something which is again serious or not, but there is an IoT bank, or at least they want to create one. Okay, so we have been using e-banking for 15 or 20 years now,
11:21
so what is special about this one? If you overspend somewhere, in a restaurant for example, it's going to connect to your thermostat and turn down your temperature so you can save money. So to sum up, it's all around us,
11:41
it's in every branch of our life: smart home, wearables, communication, industry, energetics, healthcare, everything. So whether you like it or not, it's all around there; even if you don't buy it yourself, if you don't employ it yourself, it's your neighbour,
12:00
it's your colleague who does it, and you can't just do anything about this. A few examples of what has already gone wrong with these devices. What's that?
12:21
So this first example, okay, so can we have some help please, it's again the wrong screen, okay, sorry about that,
13:11
so you know what can go wrong with devices already, but specifically about IoT devices. So there was some topic on Reddit last year
13:26
that with refurbished IP cameras, the previous users were still able to connect to the new users' devices. This might be a little problem,
13:42
but sometimes it may escalate, so let's see what's next. So sometimes owners of pets decide to leave them at home and go on vacation or whatever, and there are these nice devices which can take care of the pets,
14:01
at least feeding them, but there was a case where some servers were malfunctioning and this stopped feeding the animals. And it may also apply to people, because a bug in a thermostat
14:21
caused a draining battery, after which the devices just didn't work, and another case, also with thermostats during the heatwave, they just had a bug somewhere in the servers and they didn't work again.
14:42
So if we make our comfort or life, even sometimes that of the pets, depend on these devices, we have to know what the hazards are there. Another device, I've already shown this,
15:02
it doesn't matter which one exactly it is, all of them behave the same and have security implemented, or the lack of security implemented, the same way. So this device had a Wi-Fi hotspot for easy setup,
15:21
but there was only a weak password on this hotspot, and there was no encryption in local networks and no encryption in communicating with the cloud. So every neighbor could possibly switch the lights off for us or whatever.
15:43
Another story, a known brand, two years in a row, hacked cars; attackers were able to take over the steering and brakes in a car. In the next year, luckily, it was only with physical access,
16:03
but sometimes that's not even a problem. Very recent story: at some university there were 5,000 devices hacked to execute DNS requests about seafood, why not?
16:24
So what's special? It's special because vending machines, light bulbs, light posts were involved. So these devices were hacked to break down networking at this university.
16:42
Again, this is from a few weeks before, ransomware installed on a coffee machine. So the story was like this: a technician called the remote admin that the monitoring system in a petrochemical factory,
17:02
a huge one, was attacked by apparently ransomware. And the admin replied, that's impossible, because we have a completely separated network. And the technician came to the kitchen to take some coffee, only to notice that the coffee machine displays the same error,
17:23
I mean the same message of the ransomware. So what turned out to be, so yes, there was a separated network for the monitoring system, but someone connecting the coffee machine to the internet
17:42
also connected it to the separated network. So the coffee machine was a bridge between the separated corporate network and the internet. And this machine, this is probable, was just infected by ransomware and then spread it to the,
18:01
meant-to-be separate network, funny story or not. Okay, so IoT Village at DEF CON, this is data from last year. It was only recently that it happened this year, so there are no summaries yet, but the data is interesting. Anyway, so 47 vulnerabilities
18:23
in 23 devices of 21 manufacturers. So one of the most interesting ones, thermostats. There was a live demo of hacking a thermostat with ransomware. So if you want your house to be heated or cooled down,
18:42
you need to pay, because otherwise you will not have your air conditioning. Door locks, that was a disaster. Almost every single door lock available on the market was hacked for different reasons, like the password, where to find it in text
19:03
and transmit it without any encryption. One of the devices just opened the door when receiving a distorted packet. So, and a recent story from this or the previous month was that there was an upgrade of one of these door locks
19:24
and it happened that it bricked devices. Luckily, the manufacturer claims that you can always use a physical key, but if you can brick devices with just an update, there's something which went wrong.
19:42
Solar panels, attackers have taken over one of the farms. They could disable it. They also claimed that they could steer it in such a way that they could damage it.
20:00
Wheelchairs, there are wheelchairs which are somehow connected, which can be remotely controlled. And these were also hacked. And some security measures were disabled, like the speed limit and so on. On some devices, attackers were even able to take control.
20:24
So that's scary. And some attacks on a larger scale, gigantic really, DDoS attacks from last year. Krebs on Security was attacked. This was one of the biggest DDoS attacks in history
20:43
and it is believed that there was a significant contribution of IoT devices. And the devices were like TVs, VCRs and so on. And the same situation with the Mirai attack on Dyn.com,
21:05
it touched users mostly in the US, but some of us could also suffer from it in Europe. Again, it is believed that IoT devices played a significant role in this attack.
21:22
So, why? Why the problems? Why? Because there's no network connection whatsoever, I promise.
21:44
Yeah, yeah. Maybe, in between. But that was not in the script.
22:01
Thank you. So, why the problems? Because there are so many attack vectors in these devices, so you can hack them through the web interface, the mobile interface, the administrative interface; they can be hacked by the other devices in this ecosystem. They can be hacked through cloud connections,
22:22
because some of them don't encrypt it. They can be hacked or destroyed through the update mechanism, because most of them allow physical access, maybe not in your home, but maybe in safety infrastructure, like streetlights even.
22:43
So, there are some numbers. Let's have a look at research from HP Enterprise. They claim, and you can see it in the attached PDF, that 90% of devices gather information about the environment,
23:04
and at the same time, 80% of them raise doubts about security. That's a lot. That's really a lot, and that's scary. 70% of devices do not encrypt communication, neither locally nor in the cloud.
23:24
And again, 60% of devices have web interfaces which are prone to attacks, and updates are not encrypted and probably also not signed,
23:40
to be sure of what they download. So, another piece of research. This one is from Symantec, I believe. So, the most common credentials for IoT devices. So, it's no wonder they are so easily taken over. Another piece of research from PwC.
24:04
This is a security survey they did among IT directors and so on, people who have something to say in their companies about security and IT and everything around,
24:24
and it revealed that only 35% of these companies have an IoT security strategy, and 28% are going to have one, maybe. Sometime.
24:41
Another scary piece of research. So, this is not directly related to security, but Cisco's survey revealed that three-fourths of IoT projects are failing,
25:01
and they are failing not because of security reasons, but what I wanted to point out here is that if the market is so harsh, so difficult, it's no wonder that sometimes, and that's most of the time, it's tempting to just neglect security.
25:23
So, if there are so many problems, who needs IoT again? And the answer is everybody. We need them. Because they are fun, because they're helping us, they help us have a more comfortable life,
25:44
they help us earn more money, they help us feel more rested, whatever. So, there's really one answer. Almost everybody needs IoT, but then why do criminals need IoT? And there's also just an obvious answer
26:03
that this is for money, but how do they earn money on IoT? So, first, industrial espionage, so spying on companies. If some company is equipped with a lot of IoT devices which are easily hacked,
26:21
it just helps to compromise the network and finally get into other devices. Personal data of the users, and this might be all of us, like we have some biometric devices on us which count our steps, which measure our heart rate
26:41
and so on. This data, if stolen, may have a really great impact on, for example, what insurance we are offered and how much it costs. Maybe there are no examples, maybe there is no disclosure at this point, but if it doesn't happen right now,
27:02
it will happen in the near future. So, something which is kind of obvious, and you don't need IoT devices for this, but this is just another way: burglary, spying on potential victims, like is the potential victim at home
27:23
or so. So these devices also store some credentials, some of them even store credit card numbers and so on, and they are easily hackable, so it is just easier to steal credentials from them.
27:42
Again, botnets: if these devices can do arbitrary internet requests, they can easily become part of some botnets. Or spam or whatever, and ransomware, we've already seen this on at least two slides, that if these devices are taken over,
28:02
they may just extort money from users, because they want their houses to be heated or cooled down or whatever. So, why do the criminals prefer IoT over hacking and compromising other devices?
28:24
Hmm, first of all, IoT devices are easier to find, because most of the time they just announce their presence, either by having some signals over Wi-Fi
28:40
or Bluetooth or other transports, or you can just see them because they are attached to a wall, they are attached to streetlights and so on. They are easier to compromise because most of the time they are small, with low computing power, with low performance,
29:04
they cannot afford running an antivirus, they cannot afford running a firewall, so it's just easier to hack them, to get into them. They are easier to manage also, because they have multiple interfaces most of the time.
29:22
They can have a web interface, they can have a mobile interface, some of them have telnet or SSH or whatever, so it is just easy to manage them. And contrary to our laptops, for example,
29:41
they work 24/7, so even if we had our laptop compromised, if we close it, if we shut it down, if we put it to sleep, it just won't spam people, or it will just not take part in a DDoS attack,
30:03
but the devices, the Internet of Things, these devices are most of the time just working. You normally don't completely shut down your garage gate, or your bulb, or you don't completely power off your TV, so they just work.
30:23
And they don't, most of the time, disclose the fact that they were hacked, because most of the time there is no screen there, for example, in a door lock or doorbell or garage gate or whatever,
30:41
there is nothing which would say, which would point out, reveal that this device was hacked, unless it's really what the criminals, the attackers want. So they can be hacked, compromised, and still work and just do their work in the background,
31:01
and their work in this case is infecting with ransomware, doing DDoSes, and so on. And there are plenty of them, there is more than one device per human being on the planet, so that's just a lot of them. Okay, so why is it easier to compromise these devices?
31:27
I've already said that they cannot defend themselves. These devices very often are matchbox-sized, and with low computing power, so they don't have antivirus,
31:41
they don't have seven-layer firewalls, and just cannot defend themselves. Often they just work, operate in a so-called trusted network, so many manufacturers say, oh, our device is meant to work only in your home, so if you have your network
32:06
encrypted, you don't need additional encryption on our devices, but that's most of the time not true, because in that way, if you hack one, for whatever reason, you can have access
32:21
to all of them, because they send their credentials just in plain text, so that's just easy. So easy configuration is also the selling point. And because your grandma cannot just,
32:42
she cannot just configure the device, so it must work just out of the box, and to set up, we know that to set up security there is some work to be done, and manufacturers, in most of the cases, just neglect it and try to skip this point, because otherwise they will not sell.
33:02
Another two reasons, two stories, one about Jack, a web developer who has not much experience and is now an IoT device coder, so this reveals the first problem.
33:21
At the moment, like five or six million developers work on IoT devices, and there is need for more, and if the market is like that, it cannot be demanding, because there is just no experienced workforce.
33:43
So people with no real experience, and especially no real experience in secure coding, still do it because there is no one else. And a similar story with George, who was an electrician
34:00
on the factory floor, and they just shipped him a ton of connected light bulbs and told him to install them, and nothing else, right? So again, lack of experience, lack of trained staff,
34:23
that's the reason why this is easy to compromise, because of, first, code of not great quality, and no experience to configure and deploy them correctly.
34:41
Again, I'm just out of luck officially now.
35:15
Okay, so I think we are receiving now
35:20
another lesson of history, and another great researcher, Mr Craig Hafner, said that we are repeating every single problem from security, from computing, even now in embedded device, so we kinda know
35:44
almost everything about computing, but then there came embedded device, and for some reason we just forgot everything, and I think it's also frightening, so what are now to just summarize,
36:06
or sum up the threats which come generally from Internet of Device, because we had some examples, now let's just do some theory, they have impact,
36:20
or treat our privacy, surveillance, and security, so privacy would be that most, okay, some of the devices, even like TVs, doorbells, and so on, they listen to us, they look at us, just to listen to our voice commands,
36:42
to see our gestures, but what happens with this data, can you be sure that that's not even about privacy in terms of having this data by company, behind these devices, because that's for sure,
37:00
and that's according to privacy policy we agreed to, but what if these devices are hacked? They can watch us, and listen to us, and they can sell this data for some reason, and then, like unauthorized surveillance, there was one example that there were drone used
37:24
to inspect elevation of high buildings, but how do we know that these drones were not hacked, and used to peeping on the inhabitants of this building, for example, and security in this most common meaning,
37:45
like IoT devices are present, for example, in streetlights sometimes, and what if they are hacked, compromised, or just malfunctioning? They can literally lead to disasters sometimes.
38:01
So, general threats from IoT devices are like this, they allow to recognize topology of networks, and if you have anything to do with networks, or security, you know that that's very efficient weapon
38:21
against networks and organizations. They can make easier to penetrate networks also, because if you are able to hack, let's say, camera, industrial camera of company,
38:42
which is outside of their buildings, maybe on the fence, or somewhere there, if you are able to hack it, sometimes even with physical access, and it's connected to corporate network, as it was already said, it is possible, then they have easier access to companies, to networks,
39:05
and also, denial of sleep attacks, which are special kind of attacks, it was, let's say, invented because of these IoT devices, especially in smart homes, that you just make these devices never rest,
39:25
so they drain the battery and malfunction, or do not function at all as a result. Local threats: so they, as I already said, can recognize our habits and our lifestyle,
39:43
and gather this information and sell this information, for whatever reason, to whomever, and that's already scary. Medical information, like from our heart rate trackers, our step trackers,
40:04
and, sorry, this information can be sold for real money to insurance companies, for example. And what else? This was already mentioned: denial of service on household devices,
40:22
just to disable them, to make users pay, for example, for putting them back to work. And as already said before, it's not obvious that they were hacked, so they may be hacked and disclose this only after weeks or months, even,
40:45
at the very worst moment, like during a heatwave, for example, and it is more likely, for example, that you pay for re-enabling your air conditioning during a heatwave. So, these were local threats; what are the public ones?
41:03
So, I already mentioned paralysis of public infrastructure, and this may be, again, streetlights; this may be sometimes, we know that on buses, public transportation, there are computers now,
41:22
and through these computers, through these networks, drivers can receive orders. What if they just get ridiculous orders to go with all buses to the same street or so on? This may be a disaster. Enabling many devices at the same time, I think it happened already,
41:44
or there was an attempt to do so, enabling many, many air conditioners at the same time, which was about to lead to a blackout because of higher energy consumption. Another topic is fraud on media consumption,
42:02
like forging the measurements of your water or electricity consumption. Unauthorized surveillance also: hacked IP cameras at home, hacked surveillance cameras in a city or a factory or whatever.
42:30
Was it hacked or what?
43:00
Okay, as I said, most of the time
43:03
we will not even notice, because this is how these devices work. This is how they are meant to be. Sometimes they are just there and we are meant to forget about them. They do their job, but sometimes, if they're compromised, they don't. So this is a game, but maybe,
43:22
maybe we are not that far away from this. So finally, I will try to tell you what you can do to make it better, at least a little. So to secure an Internet of Things device,
43:43
you need to answer some questions. What does it do besides its obvious function? So what are the connections? What are the transportation layers?
44:02
Like, what are the destinations of the networking? Is it only local, is it cloud, or whatever? Separation: I already mentioned that most of these devices are meant to function in so-called local networks.
44:21
But is it true every time? Or even in local networks, do they behave like they should? Or maybe they export too much to the cloud? And the lifetime and life cycle of the devices. And you need to know these things
44:41
about every device you want to protect. So I'm really not sure what to do now using this one.
45:18
Okay, so in one way or another,
45:23
I already mentioned all of this, but this is a summary. So first of all, if you want your device to be secure, and this is from both the manufacturer's and the consumer's perspective, you need to care about security
45:42
at each stage of development. This is more on the manufacturer side. So you need better code. If you cannot afford the best specialists, at least use some well-known, tested frameworks
46:01
so there is a lower possibility of bugs and failures, or at least of obvious bugs. Standards for interoperability. This is important because there are so many devices on the market now, and they use so many different
46:20
operating systems and transportation layers: some use Wi-Fi, some use Bluetooth, some use Z-Wave, some use even others, NFC, Zigbee, and so on. There are just plenty of them, but at some point a consumer wants to put them together to work together,
46:44
and this leads to creating some interoperability layers, and these are sometimes, or from my experience most of the time, just bad code. This is coded inside a company,
47:04
which has ad hoc needs to just put something together, so they hack some Python scripts together just to make it work, with no security in mind, with no testing in mind, and so on. They just want it to work quickly.
47:21
So if we had some standards there, we could avoid some of these problems. Certifications: so IoT is still a new topic, but there has been no discussion at this moment,
47:41
at least nothing serious, about certifications. We all know that, for example, our credit card terminals are certified, and they wouldn't be allowed on the market if they were not certified. Maybe we should have something like this with IoT devices, to be sure that they're just safe, or reasonably safe.
48:07
So there is also a special kind of embedded or IoT device which is so tiny, and its function is so, maybe not minor, but little, that it can just be disposable.
48:22
So if we can create very low-cost devices, very inexpensive devices, this could solve some problems with updates, for example. If we have some bug in this device, we can just throw it out and buy a new one.
48:42
And that's one of the solutions to updates sometimes, if we can afford this, of course. And fog computing: this is something between local computing and cloud computing. So instead of connecting all our little devices
49:03
to the cloud directly, there is this fog computing, which is something on, for example, the organization level. So instead of directly connecting to the cloud, we have some intermediate layer where all our maybe less secure devices are connected,
49:24
and these are never exposed to the outside world. That may also sometimes be a solution. So there are also some other ways. I put them together on another slide because personally I don't agree with them, but some people just advise them.
49:43
So a dedicated closed system: this is more or less security by obscurity. Again, the same with the transportation layers, but at some point it might help. But this is only if the device is probably not very popular among users,
50:02
or just inside organizations and so on. But you can go for it if it works for you. So if we know what we need to do, we also need to know what prevents us from doing it.
50:21
So bugs are normal. Everybody who works with software knows that there are bugs, and there are always going to be bugs. And to solve them, you just provide updates. But that's really tricky sometimes, especially in embedded devices, where there is maybe not always
50:42
a connection, an internet connection. Maybe there is sometimes not even enough computing power to download or unpack these updates. Sometimes there might not be enough computing power to decrypt them or check the signature.
51:03
So you have to take it into account. If you are going to provide updates, and you should really provide updates, you need to ensure that you can do it in a proper way, like not bricking devices, like not accepting unsigned updates, and so on.
51:24
So again, for the fourth time probably, these devices cannot defend themselves, so you have to worry about them. You have to keep an eye on them in different ways. So maybe putting them all together
51:41
in some protected parts of the network, maybe not exposing them directly to the cloud, and so on. You need to know how they work, what the drawbacks are, what the limitations are, to know how to care about them. And this is very often neglected somehow,
52:03
even in organizations, not only at home. And devices are publicly available, so direct physical access, when you can just come with your wires, with your debugger and whatever: it's really hard to protect devices
52:23
against this kind of attack, but at least if it's, for example, safety infrastructure, you should try. Again, the lack of compatibility doesn't help. I will not go through it again. Users should not be forced to provide
52:44
their own ad hoc compatibility. Lack of experienced professionals: once again I'm repeating myself, so if you cannot afford a specialist, maybe just try to use something which is tested.
53:04
Other problems, and these are somewhat abstract, but also important. We have centralized electricity grids, so if you want a device to be long-running,
53:22
it either has to have a good battery or be really good at power saving and so on, so you cannot just put your device in the middle of the desert. So that also needs to be kept in mind.
53:41
Dependence on smartphones: some gadgets, especially wearables, depend on phones, and this also is kind of a, maybe not a problem, but something you need to care about. And something which is a completely different,
54:00
distinct topic: ethical and legal problems. I believe today or tomorrow there is going to be a presentation fully on this topic. I'm just going to say that there are these problems with IoT, ethical and legal. For example, the NSA director,
54:21
he just admitted sometime last year that the NSA is hacking biometric devices to prevent, to help prevent terrorism. Or there are different examples, like, for example, is the police allowed
54:45
to request information from our home devices, for example, to testify for or against us if we had an alibi, like were we at home or were we not, what do our devices say about this?
55:02
Or some others, like, can our coffee machine disclose our overuse of coffee to an insurance company, or can our step counter disclose that we just moved to our doctor or whatever?
55:21
So this is completely distinct, but also needs to be taken into account. And really quickly, I think we have little time, so maybe let's not repeat most of this information,
55:40
but I just wanted to say that you always have some impact on this situation, and you can just vote with your wallet, like in automotive. It was last year, or even the previous one, that there was a survey among car owners or future owners,
56:08
and most of them said that they care about security and they are afraid that their car might be hacked. So automotive in the US, there was an alliance there,
56:21
they just have their own manuals, they have conferences to speak about this, to have a good overview of this topic, and after this survey, they really started to care somehow. There are some attempts to do it the legal way,
56:48
like this European Network and Information Security Agency; this is a very new one. They admit that there needs to be some law behind the usage of IoT
57:02
and other connected devices, but there are only some proposals; you can see them. Also, this Alliance for Internet of Things Innovation, this is initiated by the European Commission as well, but this is a non-commercial organization,
57:24
but this is supported by like half of the Fortune 500 companies. They are not strictly for security, but at least there is something which consolidates and works together for better IoT devices.
57:46
And there are some guidebooks, like what you should do to make your IoT devices more secure; you can also read them if you are interested in details. And that's it. Not sure if we have time for questions,
58:05
but thank you for your attention anyway. We have? Okay, so we have some time, so if you have some questions, please ask them now.
58:29
Okay, sorry, I almost cannot hear you.
59:18
Okay, if I understood correctly, this was somehow a discussion started
59:24
about certification possibilities and concerns about it. So yeah, I agree that certification is something which takes much, much time, but in the end, this is the only way you could force
59:43
something, because as I said before, if manufacturers are left on their own, and they just sell their devices, and the one which is easier to use is sold over the other, and if
01:00:00
there is no need for certification, there is no need to keep some level of security. This is probably not going to happen unless there are some serious consequences of having no security. So yes, I agree that this takes time
01:00:20
and we may be running out of time, but better late than never. And in the meantime, maybe some producers, some manufacturers can do it on their own, but at some point, maybe in two years, maybe in five years, there is some baseline to stick to. That's what I believe.
01:00:41
So now we just have to vote with our wallets to impose something on the manufacturers, when the legal parties like the European Union, where actually they are not at this moment, but maybe they will be, and that would be a debatable, but better, situation.
01:01:01
For now, it's rather up to us to say or to show which devices we choose or not. Okay?
01:01:43
If I knew, maybe we wouldn't be here because there would be no problem with IoT security, but if you cannot convince them to sacrifice, to devote some resources like many hours,
01:02:01
maybe you can try to convince them to use something which is already tested, like frameworks or operating systems which are meant to be generic and secure. I have some of these here: some of these are protocols,
01:02:21
some of these are even full-blown operating systems, some of them are just frameworks, but if the company doesn't want to devote all the resources to security, maybe that's the idea, to use something which is already somehow tested and somehow more secure.
01:02:42
Does it help somehow? Okay, so thank you very much, have a nice day.