If Equifax got hacked so easily, wait till IoT gets deployed!


(SureshS) #1

Todays websites have a one dimensional attack surface, ie IT and Internet. When IoT becomes a reality, then we will have a 3D attack surface, comprised of IT, OT and Devices. I have discussed this in my whitepaper, Cybersecurity Concerns due to the 3D Attack Surface in the IoT Environment.

I urge you to take a look at this whitepaper on my website (under Whitepapers) and tell me what you think.

Thanks, Cal
Siliconbeach.cloud
Largo, Florida
#nsa2600
NSA Level security using 2600 channel techniques


(Chris Holt) #2

What is your criteria for IoT becoming a “reality”?


(James Bond) #3

About a year ago I was writing a paper around IoT security and “smart homes”. While writing it I was learning about the messaging services and protocols that most IoT things were using at the time. After a few hours of studying I was able to find a random device through a quick search on shodan for ports and protocol and within another 30 minutes know that the device was:
A. A home security/thermostat solution
B. Connected to two mobile devices that shared their proximity information every 30 seconds
C. Reverse the address of the home, all door locks and windows (and the status of locked/unlocked)
D. Find out the identity of the couple that lived at the location as well as where they worked and their routes to work.

This was enough information to where I could drop pins on a google map with a script as the husband and wife moved around their neighborhood and house. All of this information I was able to see, was by design within the IoT device just poorly protected.

Needless to say, I didn’t release the paper and I contacted the owners and let them know their house was telling secrets about them. Even a properly firewall IoT devices has other attack vectors through trusted relationships (mobile phone apps, cloud backend services, other IoT devices).

Wanted to contribute to the original post


(SureshS) #4

Chris & “James Bond”,
I am replying to your earlier message about IoT & Cybersecurity. I wrote a whitepaper for my Cybersecurity class at SPC and also sent this to my mentor at Google, Dr. Vint Cerf (Chief Internet Evangelist) and he had some interesting comments about this paper. One of the things that makes IoT interesting is that it has a 3D attack surface c.o. of IT, OT & Smart Devices. If IT alone can pose such big problems for even firms like Equifax, I feel that the OT aspect, which involves industrial automation & legacy systems like PLC, SCADA, etc could be a big problem for the Industrial Enterprise environment. SCADA is a perfect example of such vulnerability. In any event, you can see the whitepaper on my Cloud computing website, under Siliconbeach.cloud (whitepapers) . Would be interested in any of your comments, I can also post Vint’s comments in this thread. Thanks for the interest & insights.

Regards
Cal Tiger
Siliconbeach.cloud - my cloud business
nsa2600.org - my cybersecurity business
#nsa2600 - my new hashtag

PS: I have filed for 4 patents involving secure messaging; ie Cloud and Google Cloud Platform.
I will post the Google Gmail to Cloud vulnerability in another email & would like some comments.