Out Go The Lights An enlightening discussion of IoT automation security

RESEARCH LEAD at

Deral Heiland CISSP

Agenda

Understanding IoT

IoT Migration into the enterprise

Lighting automation exploitation

Securing IoT best practices

Internet of Things (IoT)

Typical traits of an IoT based technology

Interrelated devices

Collecting and sharing data

Networked together

Embedded electronics

Cloud

Mobile

Hardware

Network

Data

The ecosystem approach allows us to:

The ability to more thoroughly examine the technologies overall security

Better define the security risk and impact

Deploy IoT solutions in a more secure manner

Mobile

Application

Communication

Storage

Authentication

Cloud

Authentication

Communication

Encryption

Data storage

Web attacks

Network

Protocols

Communications

Encryption

Replay, Spoofing attacks

Hardware

CPU

Physical

Firmware

IoT Migration into the Enterprise

They’re Here

Wearable

Lighting

HVAC

Power Management

Audio Video systems

Lighting Automation Exploitation

Automation Exploits

Mobile Application

Embedded Web

Communication Protocols

Local / Direct connect services

Mobile Applications

Unencrypted storage

Unencrypted communication

IOS home button screen shot

No SSL Pinning

Embedded Web

Cross site scripting

Cross site request forgery

Communication protocols

Zigbee

Ethernet

Zwave

WiFi

Local Connect

Unencrypted

Unauthenticated

#Set up data to send to port 4000 $data1 = "\x83\x00\x00\xe3\x03\x00\x00\x00\x01"; $data2 = pack('a33',"$SSID"); $data3 = pack('a69',"$WPAPSK"); $data4 = "\x04\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; $send_data = join "", $data1, $data2, $data3, $data4;

!

Securing IoT Best Practices

Best Practices

Identification

Business needs

Isolation / Segmentation

Patch management