50 Milliards de failles connectées en 2020 Benoît Rousseaux – Bruxelles – 12 juin 2018
Pure Player in Cyber Security Services 200+ Experts in France. Subsidiaries in Belgium and Luxembourg 2 domains of expertise : Information Systems and IOT 6 service lines : Audit (intrusion tests, code review, … ), Consulting (governance, risk management, GDPR), Training, CERT, Onsite Security (SOC, SIEM), Project based security (IAM,SSO, … ) Innovation : CERT, Technology watch, R&D, Publications Certified consultants (PASSI, ISO, CISSP, ITIL, … ) P Security label for the Internet of Things , … Digital Security
IoT : What is it ?
IOT : Definition A connected object with the following seven attributes : Sensor Connected to Internet Processor Energy efficiency Optimized cost Reliability Security Digital Security
IoT: A major evolution Use of Connected Objects Source : kaizen-factory.com In 2 years, the new connected objects will be half of Internet devices Digital Security
All sectors are concerned Source : iot-analytics.com Gartner: « By end of 2018, over 20 percent of entreprises will have digital security services devoted to protecting business initiatives using the IoT » Digital Security
A complex architecture Source : Mark Horowitz - Stanford Engineering - Securing the Internet of Things Data to be protected in a distributed architecture, using a dozen of different programming languages Digital Security
IoT : what about security?
Digital Security
Top 10 of IoT flaws according 1 Insecure Web Interface 2 Insufficient Authentication/Authorization 3 Insecure Network Services 4 Lack of Transport Encryption 5 Privacy Concerns 6 Insecure Cloud Interface 7 Insecure Mobile Interface 8 Insufficient Security Configurability 9 Insecure Software/Firmware 10 Poor Physical Security Digital Security
The point of view of authorities Source : FBI, I-091015-PSA The FBI mentions […] personal data theft, but also the sending of malware, e-mail spamming as well as a risk for physical security. Digital Security
IoT Standards and safety guides Several initiatives : Sectorial guidance on IoT security by the ENISA U.S. Dept of Homeland Security Strategic Principles for securing IoT NIST Special Publication 800-160 Projet OWASP for the IoT NESCOR Standard UL 2900 Standard IoT security is on the way, but connected solutions are already largely widespread Digital Security
How the IoT got hacked
How the IoT got hacked Shodan.io, the IoT search engine Source : Shodan.io Shodan crawls the Internet and records technical banners of accessible services A malicious use is to identify vulnerable targets to known flaws IoT devices expose themselves on Internet Digital Security
How the IoT got hacked Spying thinks to the Internet of things Source : Presse Hack of « smarts TV » used for the « Digital Signage » Hijacking of services robots (cameras, micros) Interception of conversations at reception areas, meeting rooms, etc. Facilitation of spying Digital Security
How the IoT got hacked Resonance of the IoT on the company information system An « APT » through hacking of the distributor’s subcontracter responsible for the remote monitoring of the connected heating and air conditioning systems. A financial and privacy prejudice never reached: $ 40 millions of stolen credit card numbers and $ 110 millions of stolen contact details … affecting 1 out of 3 American Total estimated cost: $ 14 billions Information System Hacking Digital Security
How the IoT got hacked Hack of the Information System through a smart light bulb Source : www.contexis.com Analysis of the light bulb firmware reveals vulnerabilities in every devices Possibility to hack the WiFi network in case of physical access to the radio frequency waves (30 meters) Information System Hacking Digital Security
How the IoT got hacked Hackers remotely took control of a connected car Takeover through Internet of the car embedded systems 1,5 millions cars have been called back in USA during Summer 2015 Available update by USB key! Endangering of human life Digital Security
How the IoT got hacked Attacks on smart meters Source : Black Hat Euope 2014, www.youtube.com Study on smart meters security Measuring of consumption Adaptation of electricity production Hypothetical attack scenari include the electric sabotage and subsequent blackout of a whole population Endangering of human life Digital Security
How the IoT got hacked Hijack of medical devices The common point between a pacemaker and a insuline pump? They have both been hacked Pacemaker : possibility to turn off the device or send a electric discharge of 830 volts Insuline pump: Takeover via WiFi, possibility to convert the device in a lethal weapon! Endangering of human life Digital Security
IoT security: what solutions?
Our IoT CERT and its activites Our CERT CERT UBIK: the very first CERT in Europe dedicated to IoT security 50 experts Security watch, incident response, security audits, reverse engineering, … We have our own dedicated lab Digital Security
Our IoT CERT and its activites Digital Security portfolio Security level evaluation of the IoT chain Integrating security into projects Software and hardware reverse engineering Code review Penetration tests Equipment and appropriate skills for the IoT security specificities Digital Security
Security label for IoT solutions IoT Qualified Security Label IQS enables future buyers, companies or individuals to identify the security level of a connected solution according to a reliable, neutral and independent indicator. Digital Security
Benoit.Rousseaux@digital.security Digital Security
Recommend
More recommend
