50 Milliards de failles connectées en 2020 (50 billion connected vulnerabilities in 2020)
Renaud Lifchitz – Namur – 31 mai 2018
Digital Security
Pure Player in Cyber Security Services
200+ Experts in France. Subsidiaries in Belgium and Luxembourg
2 domains of expertise : Information Systems and IoT
6 service lines : Audit (intrusion tests, code review,…),
Consulting (governance, risk management, GDPR), Training, CERT,
Onsite Security (SOC, SIEM), Project based security (IAM,SSO,…)
Innovation : CERT, Technology watch, R&D, Publications
Certified consultants (PASSI, ISO, CISSP, ITIL,…)
Security label for the Internet of Things,…
IoT : What is it ?
IoT : Definition
A connected object with the following seven attributes :
Sensor
Connected to Internet
Processor
Energy efficiency
Optimized cost
Reliability
Security
Use of Connected Objects
IoT: A major evolution
In 2 years, the new connected objects will be half of the devices on the Internet
Source : kaizen-factory.com
All sectors are concerned
Gartner: « By end of 2018, over 20 percent of enterprises will have
digital security services devoted to protecting business initiatives using the IoT »
Source : iot-analytics.com
A complex architecture
Data to be protected in a distributed architecture, written in a dozen different programming languages
Source : Mark Horowitz - Stanford Engineering - Securing the Internet of Things
IoT : what about security?
Top 10 IoT flaws according to OWASP
1 Insecure Web Interface
2 Insufficient Authentication/Authorization
3 Insecure Network Services
4 Lack of Transport Encryption
5 Privacy Concerns
6 Insecure Cloud Interface
7 Insecure Mobile Interface
8 Insufficient Security Configurability
9 Insecure Software/Firmware
10 Poor Physical Security
The point of view of authorities
The FBI mentions […] personal data theft, but also the sending of malware, e-mail spamming as well as a risk for physical security.
Source : FBI, I-091015-PSA
IoT standards and security guides
Several initiatives : Sectorial guidance on IoT security by the ENISA
U.S. Dept of Homeland Security Strategic Principles for securing IoT
NIST Special Publication 800-160
OWASP Internet of Things Project
NESCOR Standard
UL 2900 Standard
IoT security is on the way, but connected solutions are already widely deployed
How the IoT got hacked
Shodan.io, the IoT search engine
Shodan crawls the Internet and records the technical banners of reachable services
A malicious use is to identify targets that are vulnerable to known flaws
IoT devices expose themselves on the Internet
Source : Shodan.io
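Added example for the two slides above (it is not Shodan's code or API, and not part of the original deck): a small Python triage of crawler-style banner records. The records are constructed sample data on documentation address ranges, and the products and versions in them are made up; the rules are generic exposure checks (cleartext protocols, version disclosure, HTTP Basic auth without TLS), not a list of real vulnerabilities. The same logic run over an export of your own address space shows what a crawler will index about your devices.

```python
import re

# Constructed sample records shaped like the (ip, port, banner) triples a
# banner crawler stores. Addresses are from the documentation range; the
# products and versions are made up for the example.
SAMPLE_BANNERS = [
    ("198.51.100.10", 23, "\r\nUser Access Verification\r\n\r\nPassword: "),
    ("198.51.100.11", 80,
     "HTTP/1.1 401 Unauthorized\r\n"
     "Server: EmbeddedHTTP/2.1.4\r\n"
     "WWW-Authenticate: Basic realm=\"IP Camera\"\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("198.51.100.11", 554, "RTSP/1.0 200 OK\r\nCSeq: 1\r\nPublic: OPTIONS, DESCRIBE\r\n\r\n"),
    ("198.51.100.12", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("198.51.100.13", 1883, ""),
]

# Services that carry credentials or data in cleartext by design.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 554: "RTSP", 1883: "MQTT"}
TLS_PORTS = {443, 8883}
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d[\w.]*)")


def parse_banner_headers(data):
    """Split an HTTP- or RTSP-style banner into (status line, {header: value}).

    Returns None for banners that are not header-based (e.g. a telnet prompt).
    """
    if not data.startswith(("HTTP/", "RTSP/")):
        return None
    head = data.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def triage_record(ip, port, data):
    """Return the list of exposure findings for one banner record."""
    findings = []
    if port in CLEARTEXT_PORTS:
        findings.append(f"{CLEARTEXT_PORTS[port]} on {port}: cleartext service reachable from the Internet")
    parsed = parse_banner_headers(data)
    if parsed:
        _, headers = parsed
        match = VERSION_RE.match(headers.get("server", ""))
        if match:
            findings.append(f"version disclosed: {match['product']} {match['version']}; "
                            "check vendor advisories before treating it as exploitable")
        auth = headers.get("www-authenticate", "").lower()
        if auth.startswith("basic") and port not in TLS_PORTS:
            findings.append("HTTP Basic auth without TLS: credentials readable by any on-path observer")
    return findings


def triage(records):
    """Group findings by IP; hosts with nothing to report are omitted."""
    report = {}
    for ip, port, data in records:
        for finding in triage_record(ip, port, data):
            report.setdefault(ip, []).append((port, finding))
    return report


if __name__ == "__main__":
    for ip, findings in triage(SAMPLE_BANNERS).items():
        for port, text in findings:
            print(f"{ip}:{port}  {text}")
```

The host on 443 with a bare `Server: nginx` produces no finding: the point is that what a crawler can see (port, protocol, version string, authentication scheme) is exactly what an attacker filters on, so the defensive check is to make your own devices boring to such a filter.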
Spying thanks to the Internet of Things
Hacking of « smart TVs » used for digital signage
Hijacking of service robots (cameras, microphones)
Interception of conversations in reception areas, meeting rooms, etc.
Facilitation of spying
Source : press reports
Repercussions of the IoT on the company information system
An « APT » carried out by hacking the retailer's subcontractor responsible for the remote monitoring of the connected heating and air-conditioning systems.
Financial and privacy damage on an unprecedented scale:
40 million stolen credit card numbers and 110 million stolen contact records… affecting 1 out of 3 Americans
Total estimated cost: $14 billion
Information System Hacking
Hacking of the information system through a smart light bulb
Analysis of the light bulb firmware reveals vulnerabilities present in every device
Possibility to compromise the WiFi network from within radio range of the bulbs (about 30 metres)
Source : www.contexis.com
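Added example for the firmware-analysis step on the light-bulb slide (it is not the cited researchers' code, not the vendor's firmware, and not part of the original deck): the first triage pass an analyst runs on a dumped image, looking for credential-like strings and for high-entropy regions where embedded key material tends to sit. The image, the configuration strings and the 64-byte "key" region are constructed for the example; on a real dump you would pass the file contents to the same functions, use larger windows, and follow up on hits in a disassembler.

```python
import math
import re
from collections import Counter

# Constructed firmware image for the example: zero padding, a block of
# configuration strings, a 64-byte region of distinct byte values standing in
# for embedded key material (a real key is random; 64 distinct values simply
# give the window its maximal Shannon entropy), and 0xff erase-state padding.
# A real image would be read with open(path, "rb").read().
EMBEDDED_KEY = bytes(range(0, 256, 4))
CONFIG_BLOB = (b"admin:admin\x00"
               b"wifi_psk=hunter2\x00"
               b"-----BEGIN RSA PRIVATE KEY-----\x00").ljust(256, b"\x00")
FIRMWARE = b"\x00" * 256 + CONFIG_BLOB + EMBEDDED_KEY + b"\xff" * 192

# Patterns a first pass flags; tune them per target, they are hygiene heuristics.
SECRET_PATTERNS = [
    re.compile(r"PRIVATE KEY"),
    re.compile(r"(?i)(passw|psk|secret|token)"),
    re.compile(r"^[A-Za-z0-9_]+:[A-Za-z0-9_]+$"),   # user:password pairs
]


def extract_strings(blob, min_len=6):
    """Printable-ASCII runs with their file offsets, like the `strings` tool."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def flag_secret_strings(strings):
    """Keep only the strings that look like credentials or key material."""
    return [(off, s) for off, s in strings
            if any(p.search(s) for p in SECRET_PATTERNS)]


def shannon_entropy(window):
    """Bits per byte of a window: 8.0 is the maximum, 0.0 is a constant fill."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def high_entropy_windows(blob, window=64, threshold=5.5):
    """(offset, entropy) of non-overlapping windows dense enough to be key material.

    Compressed or encrypted sections also score high, so each hit still needs
    a look at what surrounds it.
    """
    hits = []
    for off in range(0, len(blob) - window + 1, window):
        h = shannon_entropy(blob[off:off + window])
        if h >= threshold:
            hits.append((off, h))
    return hits


if __name__ == "__main__":
    for off, s in flag_secret_strings(extract_strings(FIRMWARE)):
        print(f"0x{off:06x}  string   {s}")
    for off, h in high_entropy_windows(FIRMWARE):
        print(f"0x{off:06x}  entropy  {h:.2f} bits/byte")
```

A credential or key that this pass turns up in one image is, by construction of a mass-produced device, the same in every unit shipped, which is why a single firmware dump can expose a whole product line.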
Hackers remotely took control of a connected car
Takeover of the car's embedded systems over the Internet
1.5 million cars were recalled in the USA during summer 2015
The fix was delivered as an update on a USB stick!
Endangering of human life
Attacks on smart meters
Study on smart meters security
Measurement of consumption
Adaptation of electricity production
Hypothetical attack scenarios include electrical sabotage and the subsequent blackout of a whole population
Source : Black Hat Europe 2014, www.youtube.com
Hijack of medical devices
What do a pacemaker and an insulin pump have in common? Both have been hacked
Pacemaker : possibility to switch the device off or to deliver an electric shock of 830 volts
Insulin pump : takeover via WiFi, possibility to turn the device into a lethal weapon!
IoT security: what solutions?
Our CERT : CERT UBIK, the very first CERT in Europe dedicated to IoT security
50 experts
Security watch, incident response, security audits, reverse engineering, …
We have our own dedicated lab
Our IoT CERT and its activities
Digital Security portfolio
Security level evaluation of the IoT chain
Integrating security into projects
Software and hardware reverse engineering
Code review
Penetration tests
Equipment and skills suited to the specifics of IoT security
IoT Qualified Security Label
Security label for IoT solutions
IQS enables future buyers, companies or individuals, to identify the security level of a connected solution according to a reliable, neutral and independent indicator.