Posted on 09-Apr-2018

TRANSCRIPT

#RSAC

Oren Yomtov

Smart Toys: Are They Too Smart?

Security Researcher, Synack Inc., @orenyomtov

Smart Toys

Toymail

Background

Started breaking things in 2007

Israeli Intelligence Corps

Security Researcher at Synack

Smart Toy = Physical Toy + Any Screen + Game Software

Users / Manufacturers

Users

Manufacturers

Attack Vectors

HTTP

App / Toy  <-- HTTP -->  Server

HTTP

HTTPS

Certificate validation

Certificate pinning
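The slide contrasts plain HTTP with HTTPS plus certificate validation and pinning. The following added example (not from the talk or from any toy vendor's code) shows the three client configurations in Python's standard library: the "HTTPS but accept anything" anti-pattern, a context that validates the chain and hostname, and a fingerprint pin layered on top. SAMPLE_CERT_DER is a constructed byte string standing in for a real DER certificate; connect_pinned is a hypothetical client helper and is not exercised offline.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded server certificate. A real pin is
# computed from the vendor's actual leaf or intermediate certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"toy-vendor-cert-stand-in"


def pin_for(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate, the value shipped in the app."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(pin_for(cert_der), pinned.lower())


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: TLS on the wire, but any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the platform CA store plus hostname check."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject untrusted or mismatched certs."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_pinned(host: str, port: int, pinned: str) -> ssl.SSLSocket:
    """Hypothetical client helper: validated TLS connection plus the pin check.

    Not exercised by the offline test; shown for how the pieces fit together.
    """
    ctx = hardened_context()
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    presented = tls.getpeercert(binary_form=True)
    if presented is None or not check_pin(presented, pinned):
        tls.close()
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return tls
```

Pinning the whole certificate (as here) breaks on every renewal; pinning the SubjectPublicKeyInfo hash or an intermediate CA survives renewals and is the usual choice for a shipped app, but the check itself is the same constant-time comparison.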

Web API

Toy  <-- Web API -->  Server

Web API

SQL injection

Broken authentication

Path traversal

For more information, visit OWASP Top 10
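The three Web API weaknesses listed above, each beside its fix, as an added example that is not part of the talk and does not describe any specific toy vendor's API. The toys table, the session dictionary and ASSET_ROOT are constructed for the example; sqlite3 and posixpath are Python standard library.

```python
import posixpath
import sqlite3

ASSET_ROOT = "/srv/toy-assets"   # constructed path for the example


def build_db() -> sqlite3.Connection:
    """In-memory table of toys and their owners (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE toys (id INTEGER PRIMARY KEY, owner TEXT, nickname TEXT)")
    conn.executemany("INSERT INTO toys (owner, nickname) VALUES (?, ?)",
                     [("alice", "Bear"), ("bob", "Rabbit")])
    return conn


def toys_for_owner_vulnerable(conn, owner: str) -> list:
    """SQL injection: the owner value is spliced into the SQL text, so a
    quote in the input changes the query instead of being matched as data."""
    sql = "SELECT nickname FROM toys WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def toys_for_owner(conn, owner: str) -> list:
    """Parameterised query: the owner value can only ever be data."""
    sql = "SELECT nickname FROM toys WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def toys_for_session(conn, sessions: dict, token: str):
    """Broken-authentication fix: the owner is derived from the server-side
    session, never from a client-supplied 'owner' parameter."""
    owner = sessions.get(token)
    if owner is None:
        return None                      # caller should answer 401
    return toys_for_owner(conn, owner)


def resolve_asset(requested: str):
    """Path-traversal guard: map a client path onto ASSET_ROOT and refuse
    anything that normalises to a location outside it."""
    root = posixpath.normpath(ASSET_ROOT)
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None                      # caller should answer 404
    return full
```

resolve_asset works on the decoded path; a server must URL-decode the request before this check, otherwise percent-encoded dot segments reach the filesystem unchanged.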

Firmware / Software Update

Server  -- Firmware Update -->  App / Toy

Firmware / Software Update

Firmware signing

Transport security (HTTPS)

Encryption
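What "firmware signing" buys the device, as an added example that is not from the talk or from any vendor's updater. The device-side checks are: the manifest must carry a valid signature, the version must be newer than what is installed (anti-rollback), and the delivered image must hash to the value the signed manifest names. VENDOR_KEY and the image bytes are constructed; HMAC is used here as a stand-in for an asymmetric signature so the block runs with the standard library only. On a real toy the verifier holds only a public key, so extracting the firmware never yields the ability to sign updates, and transport security (HTTPS) is a separate layer on top of these checks.

```python
import hashlib
import hmac
import json

# Constructed key, stand-in for the vendor's signing key. A real device
# verifies an asymmetric signature with a public key instead.
VENDOR_KEY = b"vendor-signing-key-stand-in"


def sign_update(key: bytes, version: int, image: bytes):
    """Vendor side: build a manifest covering version and image hash, sign it."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class Toy:
    """Device-side updater with the three checks a signed update needs."""

    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        self.installed_version = installed_version
        self.image = None

    def apply_update(self, body: bytes, tag: str, image: bytes) -> str:
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"          # manifest not from vendor
        manifest = json.loads(body)
        if manifest["version"] <= self.installed_version:
            return "rejected: rollback"               # refuse older firmware
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return "rejected: image hash mismatch"    # image altered in transit
        self.image = image
        self.installed_version = manifest["version"]
        return "applied"
```

The signature is checked before the manifest is parsed, so unsigned input never reaches the JSON parser or the version logic.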

Bluetooth

App  <-- Bluetooth -->  Toy

Hardware

Toy

Hardcoded Secrets

App / Toy

Hardcoded Secrets

API Keys (e.g. AWS)

URLs not meant to be exposed to end-users

Credentials

Encryption keys

Michele D. Guel

Your Part in Securing Our Connected World – Are You Ready?

Distinguished Engineer, Infosec, Cisco Systems, @MicheleDGuel

A Typical Connected Day in 2017

What if every aspect of your life was digitally captured?

Opportunities & Challenges

What are the Opportunities?

Data driven decisions

Increased automation

Higher productivity

Efficient use of resources

Exponential connectedness

Limitless possibilities

What are the Challenges?

Loss of privacy

Loss of humanity

New, unforeseen attack vectors

Increased risk of targeted attacks

Increased need for new laws and regulations

Exponential expansion of threat landscape

IoT is Moving at Warp Speed

“As is often the case, consumer demand for new and exciting technologies have far surpassed the implementation of security measures.”

How Connected Do You Want to Be?

Our Part

As Individuals We Can…

Hold vendors accountable

Don’t use applications with weak security

Understand privacy laws

Get educated on new technologies

Encourage your kids to pursue STEM

As Employees We Can…

Hold vendors accountable

Develop & adopt standards for application integrity and trustworthiness

Develop and adopt standards for IP enabled devices

Develop and adopt seamless and scalable identity for people, process and things

Apply What You Have Learned Today

Within 30 days: Identify where sensor/smart technology is in use

Become more proactive about privacy of data

Within 60 days: Form a strategy around securing sensor/smart technology

Understand changing privacy laws that pertain to your organization and your personal data

Within 180 days: Implement policy regarding use of sensor/smart technology

Ensure IoT projects are reviewed by security architecture team

Thank You
