50 Billion Connected Vulnerabilities in 2020 - Benoît Rousseaux, Brussels (PowerPoint presentation)
Brussels, 12 June 2018
Digital Security
Pure Player in Cyber Security Services
- 200+ experts in France; subsidiaries in Belgium and Luxembourg
- 2 domains of expertise: Information Systems and IoT
- 6 service lines: Audit (intrusion tests, code review, ...), Consulting (governance, risk management, GDPR), Training, CERT, Onsite Security (SOC, SIEM), Project-based security (IAM, SSO, ...)
- Innovation: CERT, technology watch, R&D, publications
- Certified consultants (PASSI, ISO, CISSP, ITIL, ...)
- Security label for the Internet of Things, ...
IoT: What is it?
IoT: Definition
A connected object with the following seven attributes:
- Sensor
- Connected to the Internet
- Processor
- Energy efficiency
- Optimized cost
- Reliability
- Security
Use of Connected Objects
IoT: A major evolution
Within two years, new connected objects will account for half of all Internet devices.
Source: kaizen-factory.com
All sectors are concerned
Gartner:
"By end of 2018, over 20 percent of enterprises will have digital security services devoted to protecting business initiatives using the IoT"
Source: iot-analytics.com
A complex architecture
Data to be protected across a distributed architecture, implemented in a dozen different programming languages.
Source: Mark Horowitz - Stanford Engineering - Securing the Internet of Things
IoT: what about security?
Top 10 IoT flaws, according to
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
The point of view of authorities
The FBI mentions [...] theft of personal data, but also malware distribution and e-mail spamming, as well as a risk to physical safety.
Source: FBI, I-091015-PSA
IoT standards and security guides
Several initiatives:
- Sectorial guidance on IoT security by ENISA
- U.S. Dept. of Homeland Security: Strategic Principles for Securing the IoT
- NIST Special Publication 800-160
- OWASP Internet of Things Project
- NESCOR
- UL 2900 Standard
IoT security is on its way, but connected solutions are already widely deployed.
How the IoT got hacked
Shodan.io, the IoT search engine
Shodan crawls the Internet and records the technical banners of publicly reachable services. A malicious use is to identify targets exposed to known flaws.
IoT devices expose themselves on the Internet
Source: Shodan.io
Spying thanks to the Internet of Things
- Hacking of "smart TVs" used for digital signage
- Hijacking of service robots (cameras, microphones)
- Interception of conversations in reception areas, meeting rooms, etc.
Facilitation of spying
Source: Press
Impact of the IoT on the corporate information system
An "APT" carried out by compromising the retailer's subcontractor responsible for remote monitoring of the connected heating and air-conditioning systems. A financial and privacy loss of unprecedented scale:
40 million stolen credit card numbers and 110 million stolen contact records... affecting 1 out of 3 Americans
Total estimated cost: $14 billion
Information System Hacking
Hack of the Information System through a smart light bulb
Analysis of the light bulb firmware reveals vulnerabilities present in every device. Possibility of compromising the WiFi network given physical proximity to the radio signal (about 30 metres).
Source: www.contexis.com
Hackers remotely took control of a connected car
Takeover of the car's embedded systems over the Internet. 1.5 million cars were recalled in the USA during summer 2015. The update was made available on a USB key!
Endangering of human life
Attacks on smart meters
Study on smart meter security
- Measurement of consumption
- Adaptation of electricity production
Hypothetical attack scenarios include electrical sabotage and the subsequent blackout of an entire population.
Source: Black Hat Europe 2014, www.youtube.com
Hijack of medical devices
What do a pacemaker and an insulin pump have in common? Both have been hacked.
- Pacemaker: possibility to switch the device off or to deliver an 830-volt electric shock
- Insulin pump: takeover via WiFi, possibility to turn the device into a lethal weapon!
Endangering of human life
IoT security: what solutions?
Our CERT
CERT UBIK: the very first CERT in Europe dedicated to IoT security
- 50 experts
- Security watch, incident response, security audits, reverse engineering, ...
- We have our own dedicated lab
Our IoT CERT and its activities
Digital Security portfolio
Security level evaluation of the IoT chain
- Integrating security into projects
- Software and hardware reverse engineering
- Code review
- Penetration tests
Equipment and skills suited to the specificities of IoT security
IoT Qualified Security Label
Security label for IoT solutions
IQS enables future buyers, whether companies or individuals, to identify the security level of a connected solution through a reliable, neutral and independent indicator.
Digital Security
Benoit.Rousseaux@digital.security