Security Concerns and Future Challenges of Internet Connected Devices in Budva, Montenegro

With the increasing number of Internet-connected devices and IoT, the security concerns are escalating. In the past, communication was restricted to servers and terminals, but now everyone is connected globally. The future poses even greater risks with IoT becoming prevalent. Reasons for concern include the quality of devices, network security, ease of information gathering for intrusions, and lack of awareness among customers. The evolution of IoT brings a new set of challenges, with a vast market offering both professional and low-quality devices. Ensuring the security of these devices is crucial to the proper functioning of modern society.

• Security Concerns
• Internet of Things
• Budva
• Montenegro
• Quality of Devices

cyru_4 Follow

Uploaded on Sep 18, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. SEE 6 Budva, Montenegro Security concerns related to the Internet connected devices and IoT Goran Slavi , SOX Chief Engineer gslavic@sox.rs

2. In the old days Who was communicating over the Internet / local network: - Servers (big, stationary, large energy needs ). - Terminals ( umbilical tied to the servers ). - Small number of devices on the Internet. - Computers where in the same room / same building. - Computers could be traced over the cables that connect them. Who was the treat : - Small number of people who new what the Internet was. - Smaller number of people who could get away with it. 2

3. Present situation Who is communicating over the Internet / local network: - Everybody ! - ICD can be anywhere in the world. - There is a large number of devices on the Internet (and growing !). - Computers and services can be based anywhere in the world. - Tracing the source of the problem is the problem in it s own right. Who is the treat : - Everybody !!! - Large number of people can bypass computer/network security measures. - The security awareness of the customers is not very high. 3

4. Future Who will be communicating over the Internet / local network: - Everybody and everything (IoT) ! - Large number of automated services that are not human controlled. - Services that are critical for the function of the society as the whole are Internet based and/or are Internet dependent. Who will be the treat: - Everybody and everything !!! - People will not be the main problem (high jacked smart refrigerator that is participating in the DDoS attack ) - The security awareness of the customers will probably not be able to keep- up with demands. 4

5. What are the reasons for concern ? Internet is now the backbone of the modern society. It s function and proper operation is the key to the proper function of most of the services and activities in society as a whole. Quality of the Internet connected devices. Number of Internet devices. Network security of the Internet devices. Absolute simplicity of gaining information and training in network intrusions. Inherent technical inertia, lack of problem awareness and blind belief in automatic security measures of the customers. Raspberry Pi and similar small computers . 5

6. Quality of Internet connected devices Private, never forget: your war gear was made by the lowest bidder IoT is the new and expanding field of study and innovation. Large number of companies are competing on the market. For professional use customer might buy a professional device. For personal use cost might be the prevailing factor. Lot of knockoff and unsophisticated devices on the market. Even the price is not the guarantee of the quality. Specification for autonomy of IoT devices mean that there is no room for network security equipment on them. 6

7. Number of Internet connected devices There are a lot devices already connected in our home. It is an understatement to describe the number of both wired and wireless devices on the workplace as large . Filtering and access control for such a large number of devices can be a problem even for the trained network engineer. Network security of the Internet devices You can hardly expect a home-based humidity and temperature WiFi sensor to have a firewall or access control list for IP that it is responding too. Most of the devices have two way communication as the mode of operation and as the core function. 7

8. Information and training in network intrusion techniques Professionals are predictable the world is full of dangerous amateurs There is a large number of Internet sites that offer basic resources and knowledge for successful network intrusion. Some of those methods don t require any knowledge of network technologies and protocols (practically plug-and-play ). Most of the required knowledge can be gained in less then a month. Another problem is the speed with which knowledge of security problems propagates over the world. Most of the suggested methods will work even in enterprise environment. Most of the ideas will work not because there are no countermeasures for them but only because those measures are not implemented. 8

9. Customer as the problem Customers expect the solutions for IoT and home automation to work out of the box . Customers presume that the out-of-the-box solution has all of the security features that they need activated and configured. Customers don t have the technical knowledge for the successful implementation of the secure home network. When the only device connected to Internet was home computer with installed firewall/anti-virus software they didn t need it ! Even if the knowledge of the potential problems is presented to them customer will believe that he is secure by existing measures. 9

10. Raspberry PI CPU: 1.2 GHz quad-core ARM Cortex-A53 RAM: 1 GB LPDDR2 RAM at 900 MHz Storage: MicroSDHC slot (up to 64GB) GPU: Broadcom VideoCore IV Connections: 4 USB ports, HDMI, display and camera flat connection, 40xGPIO pins and ability to connect it to outside IoT controllers. Developed as the tool for programming/electronics classes in high schools. Now evolved into one of the main do-it-yourself platforms for home automation. Extremely easy to use due to extensive online lectures, tutorials and literature. Runs on multitude of Linux derivatives (NOOB, Raspbian, Kali Linux, Ark Linux ). Costs less then 40$ and has the energy requirements of less then 2W. 10

11. Problematic scenarios Disclaimer: Some of the things presented in the slides are trivial but don t forget that you are not securing these networks VPN connection as the revenge tool of the rival colleague Automated greenhouse problem . Remote access to the pacemaker . Raspberry Pi as the illegal WiFi router Raspberry Pi as the WiFi hijacker 11

12. VPN connection as the revenge tool of the rival colleague THREAT THREAT THREAT THREAT What if somebody from work sabotages your alarm clock or refrigerator so that you are unable to attend the important meeting ? 12

13. Automated greenhouse problem. It would be very hard to implement sensor identification/verification /authorization on every sensor for earth moisture / temperature even in the small greenhouse. 13

14. Remote access to the pacemaker. Continued heart monitoring is needed for quick response to the medical emergencies of the patients. Some of the new devices beside monitoring have the fully functioning defibrillator ! Hacking of the device could (as the least concern) lead to serious privacy issues. Deadly consequences would be the actual possibility of such an activity. US Food and Drug Administration issued a set of recommendations for securing medical devices that could jeopardize the safety and privacy of their users ( Postmarket Management of Cyber security in Medical Devices ) 14

15. Raspberry Pi as the illegal WiFi router. SETUP: - Raspberry Pi (2/3). - Additional WiFi dongle. - Password for target company WiFi + the WiFi of the other company/cafee that is close to their office. You could setup Quagga/Bird or some other routing software on Raspberry and use it in combination with the VPN tunnel to siphon data from the network of the target company. Raspberry Pi 3 even has both it s own 100Mbps Ethernet port and the WiFi !!! Device can be hidden or masked as the external storage connected by USB. 15

16. Raspberry Pi as the WiFi highjack device Connect the Raspberry Pi to the mobile phone power bank (in the experiment that gave us 18h autonomy). And put it in the backpack. Write a simple code: - Every 5 minutes scan for all of the available WiFI networks. - Find if you can connect to them using no password. - Record the SSID-s and position of the unprotected network. Results of the test where: - Around 10% of the networks didn t have WiFi passwords setup. - Around 15-20% of the networks did have a password but they where easily obtainable (WiFi of the caf , restaurant ) - In around 20-25% of those networks the router could be accessed by logging to the default gateway with factory (admin/admin or admin/[none]) user/password combination !!! This was not demanding to setup or implement!!! 16

17. SEE 6 Budva, Montenegro Concerns related to the new Internet Connected Devices Goran Slavi , SOX Chief Engineer gslavic@sox.rs