
Uncovering IoT security flaws at IoT Village

As more and more businesses and consumers adopt the connected devices that make up the so-called Internet of Things (IoT), a question arises: what security risks are these users adopting along with them? Extensive security research (much of which has reached the mainstream media) has demonstrated some very serious IoT security flaws across many different device types. But all of these findings seemed disconnected. Were these flaws coincidentally similar and confined to the specific devices or manufacturers that had been studied? Or was a larger problem at play?

At Independent Security Evaluators, we had the hypothesis that these IoT security flaws in connected devices might plague the entire IoT industry, not just the few manufacturers who had been studied to date. So in order to prove (or disprove!) that hypothesis, we organized a hacking event known as IoT Village.

IoT Village first debuted at the esteemed security conference DEF CON from August 7-9, 2015. Over the course of the event, we had researchers from a wide range of security organizations present their work on various aspects of the IoT security flaw problem. In conjunction with these talks, we also had security researchers teaching hands-on workshops about how to break devices and how to harden them. Finally, we had a hacking contest, where we bought a range of devices and encouraged attendees to hack them together.

Upon conclusion of IoT Village, we had unequivocally proven that IoT security flaws in connected devices are pervasive. Here is a snapshot of some metrics that support that finding:

66: 0-day vulnerabilities discovered/presented overall

14: 0-day vulnerabilities discovered/presented in the contest

27: Unique devices

18: Different manufacturers

11: Researchers

Analysis

IoT Village demonstrated that security problems are pervasive across connected devices. The event served as a platform that produced 66 previously undiscovered security vulnerabilities across a wide variety of manufacturers and device types. Fourteen of those vulnerabilities were found on site during the hacking contest that ran over the days of the event. In doing so, IoT Village highlighted the fact that security is an industry-wide problem for connected device manufacturers, because these issues were not confined to any particular manufacturer or device type. Furthermore, many of the same violations of fundamental secure design principles were repeated across devices and manufacturers. This suggests that, in most cases, security has not yet been built into connected devices at all. As connected devices continue to be adopted rapidly, security must be built in from the start, and security assessments must do a better job of verifying that those security measures actually work.

IoT security flaws: Examples

SmartThings Motion Sensor: An attacker could exploit a vulnerability in such a way as to interfere with the device's ability to monitor motion. This would be very useful for a property thief or violent criminal, who could run the attack from outside the physical premises, break in to steal items or attack a tenant, and then leave the premises. After leaving, the adversary would stop the attack against the device, returning it to normal operation. The motion sensor would never have triggered, and thus the adversary could circumvent the entire purpose of the device. (Credit: Wes Wineberg, Synack).

iSpy Tank: An adversary could exploit a vulnerability that allows them to take control of the wheels and the video capture. Effectively, the adversary would gain a remote-controlled, motorized spying machine. This is especially concerning because the toy is targeted at children, so the people most likely to fall victim to this attack would also be exposing their children. (Credit: Ken Munro, Pentest Partners).

Parrot drone: With a single command, an attacker could make the drone fall out of the sky. As drones are deployed for an ever-growing number of purposes, the implications of this attack widen as well. (Credit: Ryan Satterfield, Planet Zuda).

Next steps

IoT Village is scheduled for further iterations at other conferences throughout the year. If you are a researcher in this field, a manufacturer of connected devices, or a business that deploys connected devices, we encourage you to get involved. Together we can make meaningful change to address this problem.
