Speaker
Description
The introduction of the Internet of Things (IoT) was a big revolution by interconnecting embedded devices over the network made for specific purposes. IoT has changed the world we live in from the way we measure, make calls, print information and even the way we get energy in our offices or homes. There are a lot of categories of IoT devices like printers, closed-circuit television cameras (CCTV), programmable logic controller (PLCs), IP phones, network storage devices, oscilloscopes and many more. As IoT devices started growing, security issues have emerged. For end-users, functionality or convenience aspects of IoT products matter more than focusing on security.
We take this fact as a motivation for our work and developed a tool that detects IoT devices by automatically scanning the network. We found 19 categories of devices with our NetScanIoT tool and then performed a vulnerability assessment of these heterogeneous devices manually over the large-scale network at European Organization for Nuclear Research (CERN). We hereby discovered that even administrators of IoT devices working in the IT sector do not configure their devices properly.
In this paper, we propose a method to identify IoT devices using the web interface as a start for security experts, when assessing the risk of IoT devices. We evaluated our approach with 11 categories of devices installed in CERN, which include 42 device models manufactured by 26 vendors across the world. Web-IoT Detection (WID) identifies the manufacturer, device model, and the firmware version currently running on the device.
Summary
We present our results to identify and assess IoT devices on a large-scale and heterogeneous network. This work shows that IoT devices endanger networks significantly. With our NetScanIoT software, a total of 19 categories of IoT devices were detected successfully. After identifying these devices with WID, we performed a manual vulnerability assessment on them. This assessment showed that IoT manufacturers did not secure their devices and, moreover, on certain devices did not allow the user to change the credentials at all. The Web-IoT detection tool was able to identify 11 out of 19 categories of IoT devices consisting of 42 various models, manufactured by 26 different vendors. We also identified the corresponding manufacturer and firmware version for these 42 device models which can be used later on for risk identification, associated with these firmware versions.
