Security in the IoT Era

Mustafa Sadiq
PhD Student in Computer Engineering
What is the Internet of Things (IoT)?
- Different definitions.
- Coined 1999.
- In general: IoT is a network of physical
devices that are connected to each
other, share information, and take
actions based on this information.
- Different devices, different
connection technologies, different
applications, and billions of users
24/7.
What is Wrong with IoT from Security Perspective?

- Billions of small devices with lightweight security solutions.

- Multiple layers of processing (edge, fog, cloud, ...etc.) and many transactions.
- Default passwords!
- Human factor.
- More sophisticated attacks with the new platform.
- DDoS attacks.
- Botnets and Malware based attacks.
- Data Breaches.
- No unified standard.
- In general: IoT dramatically enlarge attack surface.
Some Possible Attacks:
Some Recent Attacks
- VPNFilter IoT attack: May 2018, Cisco, half million routers, 54 countries, Russian
linked botnet, affected devices include TP-Link, Linksys, netgear, Mikrotik.
- Casino hacked through thermostat: May 2018, thermostat in casino lobby, access
casino network, gamblers DB pulled up through the thermostat to the cloud!
- Prowli malware, June 2018, more than 40,000 servers and devices affected,
password brute-forcing and abusing weak configuration were used.

Techniques used in these attacks:

Botnets, Man in the middle (MITM) attacks, and social engineering.

Top 10 IoT Security Threats:
Top 10 IoT Security Threats (cont.)
Some Stats:
Any Solutions?
Different Philosophies:
AI can ba a solution
- Only 10% of companies planning to use IoT trust their devices!.
- 70% of the devices connected to the IoT today have vulnerabilities.
- No perimeter anymore, huge shortage in skilled security professionals.
- New approaches and new tools are required.
- According to more than 50% of security professionals, AI might be the weapon to
win the war because:
● It increases effectiveness.
● Provide greater investigation efficiency.
● Quick discover and respond to stealthy attacks.
What to do as a User or a Technician?
- Never trust the technology blindly.
- Use complicated passwords and change then regularly and get rid of passwords (if
possible). The replacement is the collection of (Cards+ Certifications+PINs).
- Different vendors provide different security philosophy, read about it and adopt
the best.
- Think about IoT Security as a multilayer building and manage Security at every
level of IoT.
- Always think about privacy and protect the identity of the devices and the users
of different IoT services.
- Use multifactor Authentication (emails, passwords, PINs, cards, phone numbers,
...etc.)
Finally, Some Misconceptions
- Who would target me! (WRONG!).
- My company knows better! (WRONG)!
- Well-known device, then it is safe! (WRONG)!
- I have firewall, antivirus, and strong passwords, so I
am safe! (WRONG)!
- They say “this product is better than that” so, I trust
them! (WRONG!) no matter who are those (them!!).