Attacks on the internet of things

NICK MONTELEONE
WHAT IS THE INTERNET OF THINGS?
• Connecting any device to the internet
  • Cell phones
  • Coffee makers
  • Washing machines
  • Lamps
  • Jet engine
  • Oil rig drill
• Major risks
  • Sniffer attacks
  • Denial of service
  • Compromised-key attacks
  • Password-based
  • Man-in-the-middle
EXAMPLE OF AN ATTACK: PROOFPOINT DISCOVERY
• ~100,000 consumer gadgets utilized to send massive email bursts
• 25% came from devices that were not conventional machines
• Characteristics of utilized devices:
  • Embedded Linux servers
  • Open telnet, open SSH, and SMTP (exploit by attacker not necessary)
  • Media players
  • Game consoles
• Could be used for DDoS attacks
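Added example (not part of the original slides): one way a defender could spot the behaviour described above, non-mail devices such as media players sending email, by looking in flow records for hosts that contact many SMTP servers but are not approved mail relays. The flow format, IP addresses, inventory and threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real traffic): time, source, destination, dest port
SAMPLE_FLOWS = """\
ts,src,dst,dport
2014-01-05T10:00:01,192.168.1.20,203.0.113.10,25
2014-01-05T10:00:02,192.168.1.20,203.0.113.11,25
2014-01-05T10:00:03,192.168.1.20,198.51.100.7,25
2014-01-05T10:00:04,192.168.1.20,198.51.100.8,25
2014-01-05T10:00:05,192.168.1.5,203.0.113.10,25
2014-01-05T10:00:06,192.168.1.5,203.0.113.11,25
2014-01-05T10:00:07,192.168.1.5,198.51.100.7,25
2014-01-05T10:00:08,192.168.1.30,203.0.113.50,443
2014-01-05T10:00:09,192.168.1.31,203.0.113.10,25
"""

# Hypothetical asset inventory and the only host that is expected to send mail
INVENTORY = {"192.168.1.5": "mail relay", "192.168.1.20": "media player",
             "192.168.1.30": "game console", "192.168.1.31": "embedded Linux server"}
MAIL_RELAYS = {"192.168.1.5"}
SMTP_PORT = 25

def find_smtp_senders(flow_csv, mail_relays, min_destinations=3):
    """Return {src_ip: distinct SMTP destination count} for hosts that are not
    approved mail relays but contacted at least min_destinations SMTP servers."""
    destinations = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dport"]) == SMTP_PORT and row["src"] not in mail_relays:
            destinations[row["src"]].add(row["dst"])
    return {src: len(dsts) for src, dsts in destinations.items()
            if len(dsts) >= min_destinations}

def report(flow_csv=SAMPLE_FLOWS):
    """Attach the inventory label to each flagged host, sorted by address."""
    hits = find_smtp_senders(flow_csv, MAIL_RELAYS)
    return [(ip, INVENTORY.get(ip, "unknown device"), n) for ip, n in sorted(hits.items())]

if __name__ == "__main__":
    for ip, kind, n in report():
        print(f"{ip} ({kind}) contacted {n} SMTP servers and is not a mail relay")
```

Blocking outbound port 25 from everything except the approved relays removes the need for the threshold; the detection is still useful for finding which device to clean up.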
AN INTERNET OF TREACHEROUS THINGS
• Samsung promises all products will be internet connected by 2020
• Lizard Stresser:
  • Network that people can use to take websites offline (DDoS)
  • Relies on home/commercial routers
  • Easy to exploit (admin control panel that uses default username and password)
  • Smart devices include similar features
• Open ports designed to allow legitimate communications allow unintended access
• Bug batch in 2002 was found to still exist on 12 million home routers
SEVEN ENTERPRISE RISKS TO CONSIDER
1. Distribution and Denial of Service attacks
2. Understanding complexity of vulnerabilities
3. IoT vulnerability management
4. Identifying, Implementing security controls
5. Fulfilling the need for security analytics capabilities
6. Modular hardware and software components
7. Rapid demand in bandwidth requirement
THE LINUX WORM
• Targets computers/devices running the Linux operating system
• Utilizes an old vulnerability in PHP & attempts to gain admin privileges through brute force
• 2 versions: one for x86 architecture, one for ARM, PPC, MIPS & MIPSEL
• Most vendors don’t supply updates
• Hardware limitations or outdated technology
• Utilized for data theft
FUTURAMA: HTTP://WWW.CC.COM/VIDEO-CLIPS/WV2XUI/FUTURAMA-ROBOT-REBELLION
SOURCES:
• http://www.securityweek.com/cyber-attack-leverages-internet-things
• http://www.symantec.com/connect/blogs/internet-things-new-threats-emergeconnected-world
• http://searchsecurity.techtarget.com/tip/Internet-of-Things-IOT-Seven-enterpriserisks-to-consider#
• http://www.technologyreview.com/news/534196/an-internet-of-treacherous-things/
• http://www.out-law.com/en/articles/2014/october/internet-of-things-devices-couldbe-used-to-support-ddos-attacks/