Introduction

15 Dec 2016

Most of the problems with IoT security are not specific to IoT. They’re problems that have been around for a long time. If you’re well-versed in general cyber, software and cloud security, you’re most of the way there.

IoT security is different because:

• It’s multidisciplinary; security covers hardware, software and online elements
• The business model makes it difficult to implement good security
• There’s no security culture or training among most IoT vendors
• IoT devices probably never receive security updates. You probably don’t even know that the devices exist!

I want to focus on what makes IoT security different.

Where do I start?

• What’s the least I can know?
• What is IoT?
• What sort of device do you have?
• Frequently asked questions
• Why is IoT security different?
• Why extract firmware?

How do I design for security?

• Beware putting the same keys on every device
• Design assuming your security controls will fail
• Software developers shouldn’t build threat models
• How to extract firmware from a device
• Attacks on embedded systems

How do we fix IoT security?

• How do we fix IoT security?
• Negative reporting and security research

How do IoT devices work?

• How does firmware get onto the device?

Specialised applications

• Blockchains on IoT devices

Commentary

• The Sony IPELA IP Camera backdoor
• Pressures on highly regulated industries
• Miscellaneous
• Is responsible disclosure appropriate for IoT devices?