In this course, you'll learn why devices are being connected, the types of security flaws that are being introduced into them, and - most importantly - how we can better protect them from future malicious attacks.
Play by Play is a series in which top technologists work through a problem in real time, unrehearsed and unscripted. In this course, Play by Play: Emerging Threats in IoT, Troy Hunt and Lars Klint define the scope of IoT devices and look at some of the many examples of both humorous and practical implementations. Discover how these devices can influence your everyday life and why you, as a developer and general IT professional, should be aware of their capabilities and integration points. By the end of this Play by Play, you'll have learned about multiple approaches to layering security appropriately, industry patterns and best practices, how to secure your IoT device, and how to fix security vulnerabilities.
Lars is an author, trainer, Microsoft MVP, community leader, authority on all things Windows Platform, and part time crocodile wrangler. He is heavily involved in the space of HoloLens and mixed reality, as well as a published Pluralsight author, freelance solution architect, and writer for numerous
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Course Overview Hi everyone. I'm Troy Hunt. And I'm Lars Klint. And welcome to our Play by Play on the security of IoT things. I'm an independent security specialist based in Australia, and I've got a passion for security of connected things, whether they be websites, IoT things, or anything else talking over the internet. And I'm a freelance solution architect at larsklint.com, and Microsoft MVP, speaker, and expert in Mixed Reality development, and also Australian Outback internet. I've been building software systems from tiny websites to massive telecommunication systems for the past 20 years. In this course, we're going to look, first of all, at just how far IoT is going. So how much stuff are we connecting to the web, and just what sort of data are we actually collecting? Learn how these devices can influence our everyday lives and why you, as a developer and general IT professional, should be aware of the capabilities and integration points. We'll also look at a lot of IoT security precedents. So we're going to talk about real world examples of where things have gone badly wrong with IoT devices, some of which I've been personally involved in the discovery and reporting of as well. But that is not all. You'll also get firsthand experience on how to secure your IoT devices and fix the security vulnerabilities identified. You'll learn about multiple different approaches to layer security appropriately, as well as industry patterns and best practices. So should devices run as a client, or possibly even as a server? Do you actually want to run a web server in your dishwasher? And many other such anti-patterns. To complete the course, all you need is an open mind, an understanding of the internet, and the next hour or so to watch this course. I hope you enjoy watching this course and you find it entertaining, insightful, and hopefully enormously useful for how you secure your Internet of Things.
How Far Is IoT Going? Hi, I'm Lars Klint and Pluralsight author. I'm here with Troy Hunt, security expert, and we're going to talk about some emerging threats in IoT today in the Internet of Things in particular. Thanks for joining me, Troy. Yeah, we're back again with number four. Number five? This is number four, I think. You might have seen us on this show before. But something all new, right? For sure. Yeah, there's a few peculiar things, I'd say, and some funny things, and some very, very interesting things. So, where are we? Why do we need to connect, like what is this IoT craze that people are going on about? I was sort of waiting for you to say, why? Why would you follow this? Well, I know why, I'm looking at your screen, I'm just going why? Well, look, I mean, okay, on the screen we have a hairbrush, and I think there's sort of a broader discussion here, which is why are we connecting so many things to the internet? So why is IoT such a big thing? And look, there are many factors, and the reality of it is there are some very, very good use cases for connecting everyday items to the internet, and we're going to look at some of those in this talk, and there also are some very, I think maybe bizarre is the most charitable way --- Let's go with bizarre, yeah. So, there's some bizarre use cases. And I suspect that a lot of this is that adding internet to a device is adding a feature. Now, whether that's a feature which does provide real benefit or whether it's a perceived feature, it's a marked advantage as a point of differentiation. And I understand why so many of the items that we're going to look at in this talk today would have internet added, because you can just sort of picture the marketing, right? It's like, better than before, because now you can brush your hair and have internet. New and improved.
Securing the Things on the Internet So now we've looked at all these vulnerabilities for, you know, God knows what, your iKettle, or your teddy bear, or whatever it is, where do we start securing things? Now, how can we fix some of these flaws? So, look, part of this we've touched on multiple times, which is that very frequently the flaws are not in the devices themselves, they are in the back-end services. So when we think back to things like, say, CloudPets, the issue there was that the data had to be secured. So if you're going to stand up a web service, a website, any one of these things which we've been doing for years and years and years, you've got to secure that. Don't put your MongoDB out there with no password, for example. That's probably not going to end well. When we think about the Nissan LEAF, the Nissan LEAF again is a well-known vulnerability in that it was a direct object reference problem. So if you could guess another identifier, you had control. It was also a lack of access controls problem, where all you needed was a VIN. Now again, this is printed in the windscreen on many cars, you can go around and find a Nissan LEAF and go, well, there's my API key, which was really not a very good thing. So again, these are problems with the way we do authentication, the way we allow attackers to potentially enumerate through object references and just, again, in the case of the Nissan LEAF, just keep adding numbers until they find a hit. So, there are well-known problems with well-known solutions. And honestly, a lot of these are fixed with developer education, so not building systems that are vulnerable to these sorts of basic attacks. Penetration testers: if I've got someone in a classroom, it takes an hour of training to find this sort of vulnerability; professionals are just going to tear it apart. No question in my mind, things like the Nissan LEAF issue would have been found by any half competent security tester.
So there's definitely a big education thing there.
Conclusion So I guess, sort of, to start wrapping this up, a lot of it comes back to this whole information security premise of defense in depth, where we say, look, let's secure this thing at every layer. So there's not just the one single point of failure. And if we think back to an example like CloudPets and the number of different points where things went wrong, so the bad Bluetooth implementation, the exposed MongoDB, a lot of the internal implementation as well, so they had things like URLs pointing to Amazon S3 storage with voice recordings which required no authorization. So, if anyone obtained these via any risk, such as your entire database being exposed, then you had access to the voice recordings. So this really, in many ways, it's very different. Your light bulbs could have vulnerabilities, your toilet could be controlled by someone else, the toy in your kid's bedroom could have a vulnerability which gives other people control and again makes it speak like a Dalek, or as we discussed, something even worse. So, we've got all of these new problems to think about, but much of the time, the solution is the old solution. Yeah, and there seem to be solutions to problems we already know, like the problems that you were describing throughout each of these examples seem to be something we've seen before. In many cases, and I think, again, as we said earlier on, a lot of it comes back to education and things like pen testing, which we've been doing for decades, right? Yeah, we've got to apply that to IoT, because if we don't, we're going to have risks in classes of items that can be very, very sensitive where we really, really don't want to have problems. That's right. Like, I don't want my car to be controlled by someone else. I think on that note, whether it be your car or your teddy bears or your lights, that's probably a good place to wrap up. Sounds good.
Yeah, hopefully we've covered what are the sorts of risks that we're seeing, what are some of the defenses, and how we can try and get these things just working a little bit better in the longer term. Absolutely. Very educational. Thanks, Troy. All right, thanks Lars.
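The direct object reference and missing access control problem Troy describes for the Nissan LEAF back end, shown as an added worked example that is not part of the course and not Nissan's code. It models a vehicle status API in memory: a vulnerable handler that treats the VIN (a public, predictable identifier) as the only credential, the enumeration loop an attacker would run against it, and a fixed handler that first authenticates the caller with a random session token and then checks that the requested vehicle belongs to that user. The VINs, user names and passwords are constructed sample data.

```python
"""Added example: IDOR / missing access control on an IoT back end,
vulnerable version beside the fixed version. All data is constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vehicle:
    vin: str
    owner: str
    battery_pct: int
    climate_on: bool


# Constructed sample data (not real vehicles): the back-end's vehicle table.
VEHICLES: Dict[str, Vehicle] = {
    "SJNFAAZE0U6000101": Vehicle("SJNFAAZE0U6000101", "alice", 82, False),
    "SJNFAAZE0U6000102": Vehicle("SJNFAAZE0U6000102", "bob", 41, True),
}
# Constructed sample credentials. A real service stores salted password hashes.
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}


def vulnerable_status(vin: str) -> Optional[dict]:
    """Anti-pattern: the VIN is the only 'credential'. It is printed on the
    windscreen and follows a predictable pattern, so it is neither secret
    nor hard to guess. Any caller who knows a VIN gets that car's data."""
    v = VEHICLES.get(vin)
    if v is None:
        return None
    return {"battery_pct": v.battery_pct, "climate_on": v.climate_on}


def enumerate_vehicles(prefix: str, start: int, stop: int) -> List[str]:
    """What an attacker does with the flaw: walk a serial range under a known
    manufacturer prefix and keep every VIN the API answers for."""
    hits = []
    for n in range(start, stop):
        vin = f"{prefix}{n:06d}"
        if vulnerable_status(vin) is not None:
            hits.append(vin)
    return hits


class AuthError(Exception):
    """Raised uniformly so callers cannot tell 'no such VIN' from 'not yours'."""


class Api:
    """Fixed design: authenticate the user, then authorise per object."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # random token -> user name

    def login(self, user: str, password: str) -> str:
        expected = USERS.get(user)
        # Constant-time comparison; a bad user name fails the same way.
        if expected is None or not hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the VIN
        self._sessions[token] = user
        return token

    def status(self, token: str, vin: str) -> dict:
        user = self._sessions.get(token)
        if user is None:
            raise AuthError("not authenticated")
        v = VEHICLES.get(vin)
        # Ownership check. Unknown and foreign VINs get the same answer,
        # so the endpoint cannot be used as a VIN oracle either.
        if v is None or v.owner != user:
            raise AuthError("forbidden")
        return {"battery_pct": v.battery_pct, "climate_on": v.climate_on}


def is_denied(api: Api, token: str, vin: str) -> bool:
    """Helper for checks: True when the fixed API refuses the request."""
    try:
        api.status(token, vin)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    print("attacker enumerates:", enumerate_vehicles("SJNFAAZE0U6", 0, 1000))
    api = Api()
    tok = api.login("alice", "correct horse")
    print("alice, own car:", api.status(tok, "SJNFAAZE0U6000101"))
    print("alice, bob's car denied:", is_denied(api, tok, "SJNFAAZE0U6000102"))
```

The fix is the old solution Troy and Lars point to: a session that the server issued, plus an authorisation check on every object the session asks for. Rate limiting on the login endpoint would be the next layer, but it is not a substitute for either check.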