https://gdpr.report/news/2019/05/24/iot-cyber-attacks-cost-the-uk-economy-1-billion/
IoT Attack news
Smart Home & Wearable devices
IoT in Health
IoT in Agriculture
IoT in Education
IoT in Traffic
IoT in Retail
IoT in Smart City
IoT Based Waste Collection
IoT Based Pollution Control
Smart Dust Bin in London
Smart Dust Bin in London (Cont.)
IoT Application Areas and Devices
IoT Attack Surface Areas

Device Memory
• Cleartext credentials
• Third-party credentials
• Encryption keys

Ecosystem (general)
• Implicit trust between components
• Enrollment security
• Decommissioning system
• Lost access procedures

Device Physical Interfaces
• Firmware extraction
• User CLI
• Admin CLI
• Privilege escalation
• Reset to insecure state
• Removal of storage media
• Tamper resistance

Device Web Interface
• SQL injection
• Cross-site scripting
• Cross-site Request Forgery
• Username enumeration
• Weak passwords
• Account lockout
• Known default credentials

Device Firmware
• Hardcoded credentials
• Encryption keys
• Encryption (Symmetric, Asymmetric)
• Sensitive information
• Sensitive URL disclosure
• Firmware version display and/or last update date
IoT Attack Surface Areas (Cont.)

Device Network Services
• Information disclosure
• User CLI
• Administrative CLI
• Injection and Denial of Service
• Unencrypted Services
• Poorly implemented encryption
• UPnP
• Vulnerable UDP Services

Administrative Interface
• SQL injection
• Cross-site scripting
• Security/encryption options
• Logging options
• Two-factor authentication
• Inability to wipe device

Local Data Storage
• Unencrypted data
• Data encrypted with discovered keys
• Lack of data integrity checks

Cloud Web Interface
• SQL injection
• Cross-site scripting
• Transport encryption
• Insecure password recovery mechanism
• Two-factor authentication

Third-party Backend APIs
• Unencrypted PII sent
• Encrypted PII sent
• Device information leaked
• Location leaked
IoT Attack Surface Areas (Cont.)

Update Mechanism
• Update is not encrypted
• Updates not signed
• Update location writable
• Update verification & authentication
• Missing update mechanism
• No manual update mechanism

Mobile Application
• Implicitly trusted by device or cloud
• Username enumeration
• Account lockout
• Known default credentials
• Weak passwords
• Transport encryption
• Insecure recovery mechanism

Vendor Backend APIs
• Inherent trust of cloud or mobile application
• Weak authentication
• Weak access controls
• Injection attacks
• Hidden services

Ecosystem Communication
• Health checks
• Heartbeats
• Ecosystem commands
• Deprovisioning
• Pushing updates

Network Traffic
• LAN
• LAN to Internet
• Short range
• Non-standard
IoT Security is the Worst-of-All-Worlds
Network • services, encryption, firewall, input…
Cloud • Auth, Session, Access
@adelnet2k
www.facebook.com/adelnet2k
www.linkedin.com/in/Adel-Abdel-Moneim
Questions?