INTERNET OF THINGS [IoT] VILLAGE SANDBOX
at RSA Conference 2018 | San Francisco
 

Mission.

Organized by security consulting and research firm Independent Security Evaluators (ISE), IoT Village™ delivers expertise advocating for security advancements in Internet of Things (IoT) devices. This exhibit highlights vulnerable connected devices and groundbreaking security research found in devices as common as smart cameras to devices as complex as solar panels and medical devices. Experience thought-provoking talks by expert security researchers who dissect real-world exploits and vulnerabilities and analyze the impact on consumer and business environments. Stay informed by following both ISE and IoT Village on Twitter.

 

Why.

Exhibits.

The IoT Village will feature a number of exhibits and a few hands-on labs.

  • ISE's Jake Holcomb developed hands on hacking labs from our SOHoplessly Broken. These labs will let you walk through real attacks on connected, embeded devices. ISE have also built a new lab to start SOHoplessly Broken 2.0, a new research project to find security issues in a group on new devices.
  • There's also an IoT Hardware Hacking Lab from Deral Heiland and Nathan Sevier.

Talks.

The IoT Village is featuring eight talks in the RSA Sandbox. Here’s the schedule of sessions.

• Advanced Attack Surface Discovery and Exploitation
• Balancing Public Good and Personal Privacy - Challenges in De-Identifying Open Datasets
• Connected Medical Devices – Saving or Harming Patients
• Exploiting Cloud Synchronisation to Mass Hack IoTs
• IoT Hardware Hacking - Demoing Firmware Extraction and Protection Methods
• Lateral Attacks Between Connected Devices In Action
• Robotic Telepresence - Is Your Enemy Watching You?
• Care Delivery Workflow Attacks through Behaviorial eManipulation


An ITSP Radio Podcast Series
Chats On The Road To RSA Conference 2018 | San Francisco

The invasion of the connected devices. It happened. No place to hide. Nowhere to run.

With this “Chats On The Road to RSA Conference 2018” we cover the last, but surely not the least, of the RSA Conference Village Sandboxes: the one dedicated to the Internet of Things, AKA IoT.

As I am writing this, I am surrounded by WiFi waves that emanate from at least forty routers, I cannot, even if I try, count the people seated and walking around me with their connected cellphone, probably a bunch of connected cars driving by, and who knows how many devices of any sort connected to the buildings surrounding me: from home alarm systems, cameras, toothbrushes, lights, tablets, coffee machines, fitness wearables, medical devices; my head is already spinning. Then my head focuses for a second on how many potential vulnerabilities there are and how many default passwords are being used in these connected devices; and my head start spinning again, fast, faster, and I feel nauseated.

Our world is filled with connected devices; and we are at a point that, collectively as a society, we do not even think about it. We went from zero to millions of IoT devices in relatively no time at all. It seems like yesterday that the Walkman was the coolest thing around. Now there are devices that help us communicate with each other, devices that make it easier for us as humans to interact with other (oftentimes, more complex) devices, and devices that even communicate amongst themselves on our behalf to take care of tasks that are just too mundane to deal with; or maybe we have become too lazy or "too-cool-for-school" for us to do these tasks ourselves.

The scale of these devices is growing tremendously; the question is, how does security for these devices - and the networks and clouds they communicate across and through - stack up? Excellent question! That’s where the IoT Village comes in.

Driven by the need to address the scalability of security challenges we face in this connected world we live in, the IoT Village was born. This village is designed to give people with varying levels of skill sets an opportunity to connect these devices to networks to see how they work and how they break ... to take these devices apart to see how the pieces are vulnerable and how they can be exploited.

The research, presentations, and labs in the IoT Village are designed to help answer some of the questions. Or, in reality, it will likely create more questions, which is a good thing if we are to make things better. We have heard this many times from many white hat hackers during our conversation at the intersection of IT security and society.

Perhaps a better way to put this, and the goals for the other Villages, is that they exist to give us a safe place - a sandbox, if you will - to play and break things, so we can reduce the need for the user to ask these questions so often and with such vigor.

There are many sessions designed to educate end users/consumers of these devices, business leaders that leverage these devices to run their company's operations, and the manufacturers of these devices so they can raise the infosec bar across the board.

We strongly believe this bar needs to be raised and we hope that many of you will come by and help us to do this. 

Start with this podcast, where we ITSPmagazine’s Co-Founders Sean Martin and Marco Ciappelli talk to Lisa Green and Sam Levin about the IoT Village, its roots and history, and what people can expect to see, hear, touch, and break.


News.


To Make Things Even More Interesting, After - Or Before - Playing In The SandBox You Can Listen To These Brilliant Talks:


Advanced Attack Surface Discovery and Exploitation
Adrian Bednarek | Security Researcher and Analyst, Independent Security Evaluators
April 19, 2018 | 2:30 PM - 3:00 PM

This session will cover the problems of reverse engineering complex software systems in order to reveal their inner workings normally not visible to typical penetration testing scenarios. Advanced tools and methodologies will be demonstrated that greatly assist in the discovery of internal software mechanisms in order to expose potential attack vectors.

Learning Objectives:
1: Learn about the challenges of reverse engineering complex software.
2: Understand that complex software is hard to test for security defects.
3: See a demonstration of how process automation can be used to catalog attack vectors.


Balancing Public Good and Personal Privacy - Challenges in De-Identifying Open Datasets
Emilie Corcoran | Security Operations Engineer, Geotab
Eugene Kang | Information Technology Security Specialist, Geotab

April 18, 2018 | 8:00 AM - 8:30 AM

The challenges inherent in data de-identification, especially regarding open datasets, can be addressed with the appropriate protocols. Remember that, while difficult, the process of publishing open datasets is a public good. Ultimately, this requires a paradigm shift from simply publishing data, towards the extension of the role of data stewardship outside of the organization.

Learning Objectives:
1: Learn why open datasets are a great societal boon.
2: Explore unique challenges regarding de-identification and data stewardship exist.
3: Understand why companies must commit to providing open datasets for the public good.


Connected Medical Devices – Saving or Harming Patients
Lisa Green | Director of People Relations, Independent Security Evaluators
Dan Birtwhistle | Senior Director Product Development Security, GE Healthcare
Steve Curd | President and CEO, Scaeva Technologies
David Scott | Product Security Officer, Medication Management Solutions, Becton Dickenson & Co.

April 18, 2018 | 1:00 PM - 1:50 PM

The potential for an adversary to gain access to a medical device is a life-or-death problem that manufacturers must address. This panel will focus on the current state of security in connected medical devices, technologies such as blockchain that can improve security, FDA security requirements and what they mean to manufacturers, and the impact security has on healthcare facilities and patients.

Learning Objectives:
1: Understand dialogue needed between hospitals, manufacturers and security researchers.
2: Explore the future of connected medical security.
3: Learn from real perspectives of key players in this industry conversation.


Exploiting Cloud Synchronisation to Mass Hack IoTs
Alexandru Balan | Chief Security Researcher, Bitdefender
April 19, 2018 | 10:30 AM - 11:00 AM

Most hacks against smart devices require either proximity or some other form of direct access (port forwarding/UPnP). That being said, what if devices could be hacked up to full remote code execution and root access without direct access and from the other side of the world? And what if the number of devices susceptible to this attack could be large enough to be the next big IoT botnet?

Learning Objectives:
1: See how easy IoT hacking is if you know where to look.
2: Learn how tough it is to defend against these attacks for the average user.
3: Understand why the security community must focus more on researching remote exploits.


IoT Hardware Hacking - Demoing Firmware Extraction and Protection Methods
Deral Heiland | Research Lead (IoT), Rapid7
Nathan Sevier | Senior Security Consultant, Rapid7

April 18, 2018 | 1:50 PM - 2:15 PM

As IoT security becomes more critical day-by-day, having an operational understanding of physical device security and protection of intellectual property is crucial. This demo-driven lab will explore the processes around physical attacks against embedded IoT devices, with the goal of gaining access to firmware and data stored therein.

Learning Objectives:
1: Understand physical attacks on IoT hardware and how to protect from them.
2: Understand issues related to the protection of intellectual property on IoT.
3: Learn new skills related to hardware testing and examination.


Lateral Attacks Between Connected Devices In Action
M Carlton | VP of Research, Senrio
Stephen Ridley | Founder and CTO, Senrio

April 19, 2018 | 3:00 PM - 3:30 PM

The threat of lateral attacks between IoT devices requires increased awareness. IoT devices are segmented from business networks and considered untrustworthy. But if they are risky, why do we trust them on a network together? Using critical vulnerabilities in popular devices, we will demonstrate the threat posed by lateral attacks, illustrating that segmentation alone is an insufficient defense.

Learning Objectives:
1: Improve your understanding of lateral attacks.
2: Learn more about threats posed to and from IoT devices.
3: Understand the offense to improve your defense.


Robotic Telepresence - Is Your Enemy Watching You?
Dan Regalado | Principal Security Researcher, Zingbox
April 18, 2018 | 8:30 AM - 9:00 AM

Robotic telepresence is the next generation technology that allows a person to replicate himself in a remote location. He can see you, hear you, interact with you and move all around your place, but wait a second, what if the person inside your place is not the expected one? During this talk, different attack vectors will be presented with live demo on stage!

Learning Objectives:
1: Gain insight into robotic telepresence technology.
2: Explore security recommendations for robotic telepresence architects.
3: Explore security recommendations for robotic telepresence customers.


Care Delivery Workflow Attacks through Behaviorial eManipulation
Ted Harrington | Executive Partner, Independent Security Evaluators
Dr. Konstantinos Triantafillou | Orthopaedic Trauma Surgeon and Assistant Professor, University of Tennessee Medical Center
April 19, 2018 | 11:00 AM - 11:45 AM

Co-presented by a practicing orthopedic trauma surgeon and leading IoT security expert, this unique session will analyze the real-world implications of exploiting connected medical devices. Unlike most healthcare security research, this session incorporates not only lessons from security research, but considers them from the viewpoint of the actual end user: the physician.

Learning Objectives:
1: Learn about the intersection of technical exploits and social engineering.
2: Learn how exploits on medical devices can manipulate physician behavior.
3: Learn how attackers can leverage care workflows to deliver payload.


Schedule:

Tuesday, April 17, 4:30 PM – 6:00 PM
(opens with CyBEER Ops - access included for Full Conference passholders, guest tickets available for purchase)
Wednesday, April 18, 8:00 AM – 5:00 PM (open to all badge types)
Thursday, April 19, 8:00 AM – 3:30 PM (open to all badge types)

Location:

The Sandbox will be located in the Marriott Marquis, Yerba Buena 8, adjacent to the RSAC Early Stage Expo.