TRANSCRIPT
#RSAC
Oren Yomtov
Smart Toys: Are They Too Smart?
Security Researcher, Synack Inc. (@orenyomtov)
Smart Toys
Toymail
Background
Started breaking things in 2007
Israeli Intelligence Corps
Security Researcher at Synack
Smart Toy = Physical Toy + Any Screen + Game Software
Users Manufacturers
Users
Manufacturers
Attack Vectors
HTTP (diagram: the App and the Toy both talk to the Server over HTTP)
HTTP
HTTPS
Certificate validation
Certificate pinning
Web API (diagram: Toy ↔ Server)
Web API
SQL injection
Broken authentication
Path traversal
For more information, visit OWASP Top 10
Firmware / Software Update (diagram: the Server delivers the firmware update to the App and the Toy)
Firmware / Software Update
Firmware signing
Transport security (HTTPS)
Encryption
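Worked example of the firmware-signing and anti-rollback checks a toy should run before applying an update, added here as an illustration and not code from the talk or from any toy vendor. The update layout, the BuildUpdate/VerifyUpdate names and the Ed25519 key pair are assumptions made for the demo:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Constructed update layout (hypothetical, not any vendor's format):
// 4-byte big-endian version || 64-byte Ed25519 signature || firmware image.
// The signature covers version||image, so neither can change without the vendor key.
const sigLen = ed25519.SignatureSize

// BuildUpdate is the vendor-side signing step that produces the update blob.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, version)
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), image...))
	return append(append(hdr, sig...), image...)
}

// VerifyUpdate runs on the toy before flashing: a signature check with the public
// key baked into the device, then an anti-rollback check on the signed version field.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, update []byte) ([]byte, uint32, error) {
	if len(update) < 4+sigLen {
		return nil, 0, fmt.Errorf("update too short (%d bytes)", len(update))
	}
	hdr, sig, image := update[:4], update[4:4+sigLen], update[4+sigLen:]
	if !ed25519.Verify(pub, append(append([]byte{}, hdr...), image...), sig) {
		return nil, 0, fmt.Errorf("bad signature: version or image was altered")
	}
	version := binary.BigEndian.Uint32(hdr)
	if version <= installed {
		return nil, 0, fmt.Errorf("rollback refused: version %d <= installed %d", version, installed)
	}
	return image, version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the toy would store only pub
	upd := BuildUpdate(priv, 2, []byte("constructed firmware image"))
	_, v, err := VerifyUpdate(pub, 1, upd)
	fmt.Println("genuine update: version", v, "err", err)
	upd[len(upd)-1] ^= 0x01 // simulate one corrupted or altered payload bit
	_, _, err = VerifyUpdate(pub, 1, upd)
	fmt.Println("tampered update:", err)
}
```

Transport security (HTTPS) still matters on top of this: signing stops a modified image from being installed, but without HTTPS an observer can still read the image and a downgrade to a signed older version is only blocked by the version check.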
Bluetooth (diagram: App ↔ Toy over Bluetooth)
Hardware (diagram: the Toy itself)
Hardcoded Secrets (diagram: App, Toy)
Hardcoded Secrets
API Keys (e.g. AWS)
URLs not meant to be exposed to end-users
Credentials
Encryption keys
Michele D. Guel
Your Part in Securing Our Connected World –Are You Ready?
Distinguished Engineer, Infosec, Cisco Systems (@MicheleDGuel)
A Typical Connected Day in 2017
What if every aspect of your life was digitally captured?
Opportunities & Challenges
What are the Opportunities?
Data driven decisions
Increased automation
Higher productivity
Efficient use of resources
Exponential connectedness
Limitless possibilities
What are the Challenges?
Loss of privacy
Loss of humanity
New, unforeseen attack vectors
Increased risk of targeted attacks
Increased need for new laws and regulations
Exponential expansion of threat landscape
IOT is Moving at Warp Speed
“As is often the case, consumer demand for new and exciting technologies has far surpassed the implementation of security measures.”
How Connected Do You Want to Be?
Our Part
As Individuals We Can…
Hold vendors accountable
Don’t use applications with weak security
Understand privacy laws
Get educated on new technologies
Encourage your kids to pursue STEM
As Employees We Can…
Hold vendors accountable
Develop & adopt standards for application integrity and trustworthiness
Develop and adopt standards for IP enabled devices
Develop and adopt seamless and scalable identity for people, process and things
Apply What You Have Learned Today
Within 30 days: Identify where sensor/smart technology is in use
Become more proactive about privacy of data
Within 60 days: Form a strategy around securing sensor/smart technology
Understand changing privacy laws that pertain to your organization and your personal data
Within 180 days: Implement policy regarding use of sensor/smart technology
Ensure IoT projects are reviewed by security architecture team
Thank You