HP Security and The Internet of Things

[Image: IoT.png]

The Internet of Things is…well, many things. It's a combination of reality and hype, peril and promise, present and future. Gartner says that by the year 2020 there will be 30 billion Internet of Things devices, and the current technology market is brimming with competitors in this space.


In this short article we'll walk through what the Internet of Things is and isn't, talk about some of its security and privacy implications, and introduce a few initiatives HP Fortify on Demand is working on in this exciting and developing area.


What it's all about


Let's start with what it is. 


The Internet of Things refers to the unique identification and Internetization of everyday objects. This allows for human interaction and control of these "things" from anywhere in the world, as well as device to device interaction without the need for human involvement.

In sum, the everyday things you grew up with--such as your toaster, your alarm clock, your car, your refrigerator, and your television--are all going to be network/internet connected. This means you (and hopefully just you) will be able to interact with them from wherever you are in the world--right from your mobile device.


A factory provides a good example of how the Internet of Things will bring significant advantage to how we conduct our daily business. Imagine a factory floor where the various components--such as the delivery trucks, the warehouse doors, the shipping containers, etc.--all are network aware and able to interact with each other in real time.


A forklift can configure itself to lift an inbound package, because the package told it that it was coming. And all the doors are open for it as it moves, because the doors know where the forklift is. And because the package is temperature sensitive, the storage area's thermostat made an automatic adjustment upon sensing it was on its way.


That's just a few devices interacting--now think of billions of them doing the same thing.


Opportunity and challenge

As you can see from the factory example, the advantages yielded by the Internet of Things will be far-reaching. But as with most power, potential danger is not far away. While the Internet of Things will connect and unify countless objects and systems, that connectivity and access will present challenges that must be addressed sooner rather than later.


Here are a couple of examples:


  1. Bypassing The Perimeter: It will be extremely seductive for both individuals and businesses to bring increasing numbers of their systems into the Internet of Things. But in doing so it's crucial to remember that network devices for users can serve as network footholds for attackers. We have to remember that if your device can connect to the Internet, the Internet might be able to connect to you as well--even if it's on your home network. We're still in the early adoption phase of IoT, and we're already starting to see network compromise and DDoS attacks enabled by things like refrigerators.
  2. Privacy Considerations: In addition to the issue of attackers gaining access to systems they shouldn't, you also have the issue of privacy. A big part of the Internet of Things is having sensors on these objects, e.g. cameras, microphones, vibration sensors, air quality sensors, etc. When you start thinking about these devices being around us all the time--both in the workplace and at home--you can see the dangers of accidental or malicious monitoring of our private lives.
  3. The Safety Question: Beyond the serious issues of someone getting on your network through an internet-connected device, or spying on you using your toaster, we also need to consider the national infrastructure that is connected to automation. As the IoT starts to bind more and more together, attacks against that structure become increasingly troubling.
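The perimeter point above is something a home or office administrator can actually check for: a "thing" that reaches out to the Internet is worth knowing about, and a "thing" that is accepting connections from the Internet is an exposure. The script below is an added example, not code from the original post or from HP; it runs over a handful of constructed router connection-log lines (the log format, the device inventory, and the addresses are all assumptions made for the example, with documentation-range IPs standing in for remote hosts) and reports both views for the devices listed in a hypothetical IoT inventory.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of router connection-log lines, not taken from the post.
# Assumed format: "<timestamp> <device-tag> <src-ip>:<port> -> <dst-ip>:<port> <proto>"
# Remote addresses are documentation ranges (198.51.100.0/24, 203.0.113.0/24) used as placeholders.
SAMPLE_LOG = """\
2014-06-01T08:00:01 fridge     192.168.1.40:51234 -> 93.184.216.34:443 tcp
2014-06-01T08:00:05 thermostat 192.168.1.41:40001 -> 192.168.1.10:8883 tcp
2014-06-01T08:01:10 fridge     198.51.100.7:44000 -> 192.168.1.40:23 tcp
2014-06-01T08:02:00 camera     203.0.113.9:55000 -> 192.168.1.42:80 tcp
2014-06-01T08:02:30 laptop     192.168.1.50:50000 -> 93.184.216.34:443 tcp
"""

# Hypothetical inventory of the "things" on the local network (address -> label).
IOT_DEVICES = {
    "192.168.1.40": "fridge",
    "192.168.1.41": "thermostat",
    "192.168.1.42": "camera",
}

# Anything outside these ranges is treated as "the Internet" for this example.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip):
    """True if ip is not on one of the local/private ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_line(line):
    """Split one log line into a record; ports are parsed as integers."""
    ts, tag, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "tag": tag, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def find_exposed_things(log_text):
    """IoT devices that accepted a connection from an external address.

    Returns {device_ip: [(remote_ip, local_port), ...]} so the administrator
    can see which service on the device was reached from outside.
    """
    exposed = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] in IOT_DEVICES and is_external(rec["src"]):
            exposed[rec["dst"]].append((rec["src"], rec["dport"]))
    return dict(exposed)


def outbound_destinations(log_text):
    """External addresses each IoT device initiated connections to."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] in IOT_DEVICES and is_external(rec["dst"]):
            out[rec["src"]].add(rec["dst"])
    return dict(out)


if __name__ == "__main__":
    for ip, hits in find_exposed_things(SAMPLE_LOG).items():
        for remote, port in hits:
            print(f"EXPOSED  {IOT_DEVICES[ip]} ({ip}) port {port} reached from {remote}")
    for ip, dsts in outbound_destinations(SAMPLE_LOG).items():
        print(f"OUTBOUND {IOT_DEVICES[ip]} ({ip}) talks to {sorted(dsts)}")
```

On the constructed sample the fridge shows up twice: it talks out to one Internet host, and an external address has reached its telnet port, which is exactly the "if it can connect out, the Internet may connect in" situation the post describes. The laptop's outbound traffic is ignored because it is not in the inventory; keeping that inventory current is the part of this check that needs a human.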


HP and the Internet of Things

Here at Fortify on Demand we are putting significant effort into the Internet of Things. We're looking at its current state, where it's heading, and what its security implications are for our customers and the Internet overall.


Here are a few of our IoT efforts currently underway:


  • We are in the middle of a large IoT Testing Project whereby the top Internet of Things devices and systems are being tested for a range of vulnerabilities. Results of that research will be released as soon as testing is complete and responsible disclosure has been satisfied.
  • We have created the OWASP Internet of Things Top 10 Project, which, like all OWASP projects, is an open, community-driven effort to raise awareness about a given security topic. As part of that effort we have published a draft of the Top 10 IoT vulnerabilities that we are seeing in our research, and we are taking input from others on that as well.
  • We have responded to CFPs at a number of prominent security conferences (APPSEC, DEFCON, etc.) on the topic of IoT, and we will be presenting on it over the coming months.

These are just a few of the efforts around IoT that we're working on. As always, feel free to reach out to us here at FoD with any questions via Twitter (@hpappsecurity) or via email (fodsales(at)hp.com). We'd love to hear your questions or comments about the Internet of Things and how it affects your organization.


About HP Fortify on Demand


HP Fortify on Demand is a cloud-based application security solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing, ERP testing, etc.--and we do it both statically and dynamically, both in the cloud and on-premises.


Ping us with any thoughts, questions, or comments.

Daniel Miessler is a Practice Principal with Fortify on Demand based out of San Francisco, California. His areas of expertise are web and mobile application security testing and building application security programs for the Global and Fortune 100. He can be reached at daniel.miessler@hp.com and on Twitter at @danielmiessler.
