IoT (in)security (a pessimistic view on the Future Internet)
Levente Buttyán, PhD
Laboratory of Cryptography and System Security (CrySyS Lab)
Department of Networked Systems and Services
Budapest University of Technology and Economics
www.crysys.hu
”If you’re a researcher on this book thing and you were on Earth,
you must have been gathering material on it.”
”Well, I was able to extend the original entry a bit, yes.”
”Let me see what it says in this edition, then. I’ve got to see it.”
... ”What? Harmless! Is that all it’s got to say? Harmless! One word!
... Well, for God's sake I hope you managed to rectify that a bit.”
”Oh yes, well I managed to transmit a new entry off to the editor. He
had to trim it a bit, but it’s still an improvement.”
”And what does it say now?” asked Arthur.
”Mostly harmless,” admitted Ford with a slightly embarrassed
cough.
still
2016
Smart homes
Smart vehicles (aka connected cars)
Smart factories (aka Industry 4.0)
How about security?
IoT from a hacker’s perspective
Internet of Things: cheap (in every sense) computers, easy to compromise, now easily searchable and accessible remotely
It could really be a nightmare...
IoT devices became the weakest link
Default passwords
Unpatched vulnerabilities
Factory made backdoors
Firewall bypass as a feature
source: "IoT security is a nightmare. But what is the real risk?", Hactivity 2016 talk by Zoltán Balázs
Security economics
vendors build cheap devices: maximize profit; minimize time to market; more features, no security
consumers buy cheap devices: optimize price/value ratio; don’t understand the risk; can’t identify quality
misplaced incentives: makes no sense to build secure devices
lemon market: information asymmetry; consumers will pay average price; quality vendors leave the market
Have you seen this before?
”History is just new people making old mistakes.” — Sigmund Freud
still
2016
will remain
2016
Laboratory of Cryptography and System Security (CrySyS Lab)
Department of Networked Systems and Services
Budapest University of Technology and Economics
www.crysys.hu
contact:
Levente Buttyán, PhD
Associate Professor, Head of the CrySyS Lab