Practical Exploitation of IoT Security Vulnerabilities
Talk Abstract
Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smartwatches, pacemakers, and so on. The wearable IoT market is dominated by small and medium-sized businesses, which are often in a rush to hit the shelves before their competitors and trivialize the need for security in the bargain, citing no “return on investment”. In our presentation, we deep-dive into Bluetooth Low Energy (BLE), the wireless protocol of choice for wearables, and its impact from a security perspective. We use a USB-based Bluetooth hacking hardware board called Ubertooth-One to analyze popular market products, and also perform a live demo on stealing information from a fitness tracker using standard Android app development practices. We wrap up with a discussion on simple cryptographic approaches and BLE-hardening mechanisms to prevent such attacks on wearable and IoT platforms.
In addition to wireless protocols, we'll also talk about the IoT ecosystem as a whole, and the threats faced by the device, mobile, cloud and wireless protocol components of IoT platforms. We will educate the audience about the essentials of Security Development Life Cycle (SDLC) practices that all companies from startups to large enterprises should follow in order to develop secure products.