[51CTO.com original article] On December 1-2, 2017, the WOTD Global Software Development Technology Summit, hosted by 51CTO, will be held at the Shenzhen Zhongzhou Marriott Hotel. The theme of the summit is software development, and dozens of expert guests will share technical content. In the Internet of Things (IoT) special session, Wang Yangdong, head of the cloud security team of the 360 Information Security Department, will give the keynote speech "IoT Device Security Talk" and explain how to improve the security protection level of IoT devices in the IoT era. 51CTO sincerely invites you to attend the conference and share the joy that technology brings.

Unveiling the security specifics of smart hardware
Wang Yangdong is a senior security researcher at the 360 Information Security Department and the head of 360 GearTeam. He has a deep understanding of smart hardware security in the IoT era. He told reporters that the functions of smart hardware products are complex and varied, and that the means and purposes of attacks differ as well. His examples included brute-force attacks on smart cameras to steal data and plant botnet viruses, network hijacking by compromising routers and hijacking DNS servers, and attacks on smart door locks that bypass user authorization to open the door. "The most common attacks currently known are mainly invading the DDoS network of smart device components to achieve large-scale DDoS attacks."

Wang Yangdong explained that smart hardware has suffered so many attacks because it is still an emerging market. Its security foundation at the software level is not as strong as that of traditional PC security, so it is easily breached by malicious users. In addition, smart hardware manufacturers are relatively scattered and standards are not unified. It is difficult to apply a universal security solution across different types of devices from different manufacturers, which makes hardening smart hardware more difficult. Furthermore, since most smart hardware uses low-power and wireless communication solutions, strong encryption of wireless communication is not possible in some scenarios, so the content of wireless communication is easily cracked by third parties.

He emphasized that security issues cannot be ignored in any link of the use of smart hardware, although their importance varies from scenario to scenario. Examples include vehicle sensors such as tire pressure detection and sensors on medical devices such as pacemakers.
When these sensors are attacked and generate erroneous data, they may directly endanger lives in some scenarios. For this reason, good defense must be comprehensive, because a problem in any environment may be fatal.

When asked by reporters how to alleviate the current IoT security situation, Wang Yangdong admitted that because the IoT industry is still relatively rudimentary, many low-end security issues have not been completely resolved. For example, command injection, authentication bypass and other types of vulnerabilities that are rarely seen in traditional security still appear repeatedly in some manufacturers' devices. He said that equipment manufacturers should start improving their security defenses with these low-end issues. First, the confidentiality of communication content should be guaranteed, with user data encrypted using a stronger hybrid encryption algorithm. Second, the identity of the official server should be verified to confirm that the communication server has not been maliciously hijacked. In addition, the number of network services listening locally should be reduced to shrink the attack surface.

What has 360 done for IoT security?

As an Internet company focused on security, 360 has always had more Internet security experience than traditional security vendors, and is better able to keep up with and adapt to the development trends of the security industry. Because of this security background, 360 has put far more security experience into its IoT products than other IoT product manufacturers. Thanks to its many IoT product types and usage scenarios, 360 also has more security experience across usage scenarios and a broader security vision than other smart hardware manufacturers.
It is understood that in the field of IoT security, 360 has, on top of its daily security audits, launched the 360 IoT Security Guardian Plan through 360SRC, joining forces with a large number of white hat security researchers in the industry to discover its own security flaws and actively correct them. While solving the security problems of its own IoT products, 360 is also actively helping other manufacturers discover problems, informing them in a timely manner and assisting in proposing solutions. In the field of unknown vulnerability defense, 360 is exploring how to implement an efficient set of vulnerability mitigation solutions to reduce the harm of unknown vulnerability attacks. In addition, 360 will use its existing security experience to promptly discover security issues in users' daily usage scenarios and notify users in a timely manner.

At the end of the interview, Wang Yangdong told reporters that with the popularization and growth of the mobile Internet and the development of smart technology, people will rely more and more on smart devices in the future, from smart homes, smart wearables and smart cars to smart cities, smart power plants and other infrastructure. Different fields will make the functional positioning of smart devices more refined and professional, and the attack threats they face will also vary greatly. In security defense, there is no universal method that can solve all security problems once and for all. Faced with such a wide range of usage scenarios and such professional functional segmentation, security defense can only keep up with the development of the industry and adjust in time to adapt to changes. Each new function is a new field and needs to receive enough attention.
[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]