31 January 2017
The Importance of Security for Safety in IoT
Dr. Cédric Lévy-Bencheton, IOActive
With the rise of the Internet of Things, every object becomes connected to the Internet. These objects bring us added-value services in our daily life, by exchanging data on networks and computers. This becomes a real concern when manufacturer IoT-ify safety devices without thinking about their security.
In this talk, we try to raise awareness on what could be the consequences of insecure IoT safety devices. As an example, we present common vulnerabilities found in cars and propose solutions that should improve the safety of citizens through security. We extend the discussion to Critical Infrastructures and what current efforts exist in the community to make future IoT deployments more safe and secure.
Dr. Cédric Lévy-Bencheton is Managing Consultant at IOActive, the only security consultancy with a global presence and deep expertise in hardware, software, and wetware assessments. He promotes the need for security in every domain of our society, with a focus on the Internet of Things.
Previously, Dr. Cédric Lévy-Bencheton was expert in cyber security at ENISA, the European Union Agency for Network and Information Security, where he developed the area of Smart Infrastructures and the concept of security for Safety. Before that, he designed critical networks for public transports. He was also a researcher in telecommunications.
Dr. Cédric Lévy-Bencheton has obtained a Ph.D. in Telecommunications from University Lyon in 2011.
Investigating the Origins of RSA Public Keys
Dan Cvrcek (@DanCvrcek)
Original paper by Petr Svenda et al (Masaryk University, Czech Republic), presented by Dan Cvrcek (including some practical results by Enigma Bridge)
Can bits of an RSA public key leak information about design and implementation choices such as the prime generation algorithm? We analysed over 60 million freshly generated key pairs from 22 open- and closed-source libraries and from 16 different smartcards,revealing significant leakage. The bias introduced by different choices is sufficiently large to classify a probable library or smartcard with high accuracy based only on the values of public keys.
Such a classification can be used to decrease the anonymity set of users of anonymous mailers or operators of linked Tor hidden services, to quickly detect keys from the same vulnerable library or to verify a claim of use of secure hardware by a remote party.
The talk will be based on Usenix Security 2016 paper and will also provide fresh details from our continuous analysis of more libraries and smartcards we perform after the conference itself.