Internet security lessons for IoT
1 like321 views
The document provides 7 lessons for internet security for IoT devices: 1) Assume the internet is untrustworthy, 2) Don't trust people near your devices, 3) Don't trust any user input, 4) Don't assume users will behave securely, 5) Software updates are necessary as things change, 6) Weak points can be exploited, 7) Have others review your security rather than assuming your own work is secure. The lessons emphasize not trusting networks, users, or one's own abilities, and maintaining updates and reviews to address changes over time.
![See? There's even a citation!
[1] http://bit.do/iot_sec](https://image.slidesharecdn.com/presentation-160930152914/85/Internet-security-lessons-for-IoT-8-320.jpg)
Internet security lessons for IoT
- 1. Web11Internet security lessons for IoT
- 2. Dirk Zittersteyn Engineer @ HackerOne
- 3. Crypto Rule to live by:
- 4. Crypto Rule to live by: Don't build your own
- 5. Remember why the good Lord made your eyes, So dont shade your eyes, But plagiarize, plagiarize, plagiarize Only be sure always to call it please 'research'. -- Tom Lehrer, "Lobachevsky"
- 6. The bulk of this wasn't stolen from OWASP.
- 7. It was researched using sources including OWASP.
- 8. See? There's even a citation! [1] http://bit.do/iot_sec
- 11. !
- 13. #1: The internet is evil.
- 14. #1: The internet is nuts.
- 15. .. is in it 4TehEpicLULZ
- 16. .. is a creeeeeepy place
- 19. Are you sure you're comfortable with this?
- 20. Encrypt & Sign Know Shodan.io exists Secure by default Be secure off and online
- 21. #2: Proximity != Authority.
- 24. I was showing off my home automation setup to a neighbor a few days ago, he's cool techy guy like myself.
- 25. Later I'm pulling out of my driveway and he runs up and asks to borrow some flour to fry wings for an office wing party/contest
- 26. Dude walks up to my front door and shouts, "HEY SIRI, UNLOCK THE FRONT DOOR."
- 27. She unlocked the front door. /u/sportingkcmo
- 28. Don't trust the local network Don't trust the local area Pair all wireless components Be aware of chained behavior
- 33. Don't assume it's a human Sanity check your input Don't trust user input Enforce rate limits
- 34. #4: Everybody is dumb.
- 38. DON'T MAKE YOUR OWN CRYPTO Crypto is hard! Have disaster recovery plans Enforce secure behavior
- 39. #5: Nothing lasts forever.
- 42. API's change, deal with it Update your stack End of sale != End of life
- 43. #6: Weak links are targets
- 47. No sensitive data Biggest DDoS ever
- 48. Make sure auth is consistent Remove what isn't used Don't rely on vendors to "sell it right" Be concious of other kinds of abuse
- 49. #7: Lazy !
- 50. DON'T MAKE YOUR OWN CRYPTO SERIOUSLY! Have somebody else check for vulns Pentest and/or auditing
- 51. Or.. you know.. Start a bug bounty program
- 52. Or.. you know.. Start a bug bounty program I promise I'm biased
- 53. #1: The internet is evil. #2: Proximity != Authority. #3: Everybody lies #4: Everybody is dumb. #5: Nothing lasts forever. #6: Weak links are targets #7: Lazy is the new smart
- 54. Dirk Zittersteyn Internet security lessons for IoT !