Practical Experience with IoT INSecurity – A Hands-on IoT Workshop
This Workshop has been cancelled
Tues 27th November, 2-6pm
Location: RMIT City Campus,
Building 8, Level 9, Room 48 (8.9.48)
WORKSHOP: Much has been discussed on the (lack of) security and need for authentication in the IoT world. Unfortunately, few people have had the opportunity to use IoT devices and see where the security vulnerabilities lie. Understanding the underlying network operation and configuration is paramount for designing IoT devices which are resistant to malware and botnet attacks.
This workshop will introduce participants to a range of tools which can be used to diagnose vulnerabilities and to develop a practical understanding of how protection techniques such as authentication can be applied. This workshop is hands-on: participants will be assisted to examine IoT devices such as switches, lights, thermostats, video cameras, door locks, and music players.
The Internet of Things (IoT) is a novel paradigm which is shaping the evolution of the future Internet. We are seeing increasing ubiquity of the Internet, by way of connecting people anytime and everywhere, as well as the connection of inanimate objects. By providing objects with embedded communication capabilities and a common addressing scheme, a highly distributed and ubiquitous network of seamlessly connected heterogeneous devices is formed, which can be integrated into the current Internet and mobile networks, thus essentially allowing for the development of new intelligent services available anytime, anywhere, by anyone and anything.
Unfortunately, vulnerability can apply to every connected device. An IoT device is not considered to be a network device in the way that a router, switch, firewall or server is. Connected devices could be thermostats, lights, switches, locks, recorders, webcams, etc., which traditionally are not included in a security framework – but may need to be as a result of being manipulated by IoT devices.
IoT consists of two key ideas: local control of devices (commonly industrial systems) and remote control of devices (commonly consumer products which are manipulated by mobile devices). In the former case, security is essentially a component of the control network, and is no different from any industrial control system. In the latter case (remote control of devices), there is an inherent requirement for the device to be exposed, in some way, to the external network. Typically this is done by connecting home devices to the CSP (Cloud Service Provider), which can severely limit security.
So there are multiple avenues of vulnerability, depending on which resources one is trying to secure. The important thing is that beyond the network-level issues, there is also the user-level issue, and all interaction with the IoT device is mediated by a (logging) third party: not a security issue from the network point of view, but certainly one from the system point of view.
Also, the malware lies low at first – its main purpose is still a DDoS botnet, and it is designed to spread rapidly to other IoT devices. Many antivirus solutions are still unable to detect such malware.
Ray Hunt is an Associate Professor specialising in both University and Industry work in the area of cybersecurity. He has worked for a variety of organisations including Universities, the airline industry, Reuters (Hong Kong), Ministry of Defence (Singapore and New Zealand), Fujitsu (Singapore and Thailand) and AT&T (Hong Kong). He conducts applied cybersecurity workshops (particularly for Universities) in a number of countries including Australia, New Zealand, Singapore, Hong Kong, Malaysia and the UK. The focus in recent years has been to provide practical cybersecurity skills to graduate students to aid them in getting employment, as well as to upskill those in the IT security industry.