Nadir Izrael CTO & Founder

©2017 Armis Inc. - All Rights Reserved

It’s 4 AM…


Who is your device talking to?

Today’s Workplace

Health Care

Manufacturing

Today’s Reality

• Businesses can’t see 40% of the devices in their environment (June 2017, Armis Labs)
• 46% of US companies had a breach or security issue via IoT devices (June 2017, IDC)
• IoT attacks exploded by 280% in the first half of 2017 (Aug 2017, TechRepublic/F5)

THE NEW ATTACK LANDSCAPE

A New Type of Threat

A New Class of Threats – Airborne

Internet URL Link Download Pair Device

New Attack Vector Identified

• 5.3B Devices At Risk
• Android, Windows, Linux, and iOS
• 8 Vulnerabilities (4 critical)
• Most serious vulnerability to date
• Enables RCE and MiTM

Can Spread From Device To Device

What Systems Are Impacted

• 1 Info Leak
• 1 MiTM
• 1 Info Leak
• 1 RCE
• Pre-iOS 10
• 2 RCE
• 1 RCE
• Pre-tvOS 9
• 1 MiTM

• Google Pixel
• Windows Desktops
• S3
• iPhone ()
• Samsung Galaxy
• Windows Laptops
• iPad
• Samsung Smart TVs
• Samsung Galaxy Tab
• iPod
• Samsung Family Hub (Smart refrigerator)
• LG Watch Sport
• Apple TV
• Pumpkin Car Audio System

How Many Devices At Risk?

• 8.2B Devices
• 2B Monthly Active Devices: 2 Billion
• 2B Devices Globally: 2 Billion
• 1B Active Devices (iOS, tvOS, watchOS)
• 1B iOS Devices
• 130M pre-iOS 10: 130 Million
• Linux Is Unknown
• 8B “Things” In Use Today (Gartner); Armis Estimate: 1.2 Billion
• 5.3B Devices At Risk (largest ever): 5.3 Billion

How Many Devices Unpatchable?

• Android: Patchable (900M) 45%, Unpatchable (1.1B) 55%
• Linux: Patchable (240M) 20%, Unpatchable (960M) 80%

Android versions shown in the chart: Gingerbread, Ice Cream Sandwich, Jelly Bean, KitKat, Lollipop, Marshmallow, Nougat

How BlueBorne Works

High Privileges

How Bluetooth Pairs

• Bluetooth is “on” and discoverable
• User must find and proactively “pair” to the device
• Some authentication or PIN to connect
• Devices exchange keys, and auto connect without discoverable mode

Diagram: Device 1 (Smart Phone), Device 2 (Bluetooth Speakers)

How BlueBorne Works

• Bluetooth is “on”
• Attacker gets the MAC address (diagram: 00:2b:09:6f:2b:01)
• Attacker initiates Bluetooth RCE and attacks via using a MiTM BlueBorne vulnerability
• No user interaction required
• No pairing
• No approval
• Attacker can take over, create MiTM, get encryption keys, etc.

Diagram: Attacker (Laptop), Target (Smart Phone)

A BlueBorne Worm

Attacker

• Worm-like potential
• Deliver ransomware
• Spread botnet
• Steal credentials
• More…

Info Leak

Info Leak (To Desktop)

Diagram: Linux PC, Attacker (Laptop), Target (Keyboard)

• User connected to Linux desktop
• Attacker uses info leak to get encryption keys of the keyboard
• Attacker intercepts keystrokes without running code or doing MiTM
• Attacker can also inject keystrokes to the targeted device

Info Leak (Headset)

Diagram: Android (Smartphone), Attacker (Laptop), Target (Headset)

• User connected to Android smartphone
• Attacker uses info leak to get encryption keys of the headset
• Attacker intercepts headset audio (eavesdropping on calls for instance)

Man in the Middle Attack

MiTM – WiFi Pineapple

Corporate Network Internet

IMPORTANT User Interaction Required – Users Select The Network

WiFi Pineapple

MiTM – Bluetooth Pineapple

Corporate Network Internet

IMPORTANT No User Interaction Required

Bluetooth Pineapple

Patches Update

A BROKEN SECURITY ARCHITECTURE

Traditional Approaches Are Insufficient

Network NAC Endpoint Security Agent

Traditional Approaches Are Insufficient

Visibility and control are least where unmanaged device density is greatest.

Air Gap Will Not Protect Us

A Device-Centric Approach

Device Tracking Device Type Behavior Connections Reputation Version Data-at-Rest History


A Modern Architecture

• Modernize, not rip & replace
• Monitor from access layer up
• Wired and wireless
• See device behavior
• Detect suspicious or malicious behavior
• Must correlate higher in the network
• Integration with existing packet capture or perimeter solutions

Key Elements of New Architecture

• No Agent
• Device Centric
• Behavioral Insights
• Integrated Solution
