WEAPONIZING IOT – NOT! presented at BSides Tampa 2018

by Kat Fitzgerald

Summary: This talk opens with a brief introduction to the types of IoT attacks and vulnerabilities across the five IoT verticals:

1. wearables
2. connected cars
3. connected homes
4. connected cities
5. industrial

Example attacks are given for each vertical. The talk then expands on the specifics of how IoT devices are developed, including issues such as reused code, crypto limitations and reused firmware. It continues by connecting this to how IoT uses the cloud for data storage, what kind of data is stored there, and how the cloud is overlooked in most IoT security issues. Scripted (or live) demos are then shown with several IoT devices, exploring attack methodologies and the details of the attack surface presented by most IoT devices. This is tied to IoT security development and OWASP methodologies, especially as they relate to APIs and Big Data (in the cloud). Examples are shown using live data and Shodan (with recorded scripts in case of live-demo failure or connectivity issues).

The final section of the talk expands on IoT honeypots, with several examples showing SCADA devices, routers and webcams. A recorded example of “Iot_Reaper” that was actually caught by a custom honeypot will be shown in this part of the talk. The talk concludes with better methods for developing IoT and, at the same time, how to better protect against weaponized IoT devices when your company is the target.

The entire talk uses live examples or recorded scripts and shows real-world scenarios with a variety of devices. A win-win for this talk is that attendees not only learn, but walk away with tools and methods that are practical and can be put into use immediately.