IoT Security Fundamentals
That Must Be Solved
Fredrik Beckman
CEO Apptimate AB
Engagement Manager Combitech AB
September 2016
1. IoT products must die
2. Rosetta stone
3. Thanks for letting me in!
4. The fall of the wall
5. Rubber bands
6. The disappearing act
IOT PRODUCTS MUST DIE
product life cycle management and EOL
Release
Hack
Patch
Breach
Patch
New hack
SECURITY IS AN ITERATIVE PROCESS
Remote push updates
Maintain critical operation
Hot Swap
Supplier Swap
Don’t be the weakest link
LIABILITIES
Microsoft stopped providing security patches for Windows XP on April 8, 2014
THE NON-DIGITAL MARKET IS SLOW
Cars can live for 30 years or more
They need a recall or service intervals for updates
Digital is actually NO better
COBOL is still ALIVE and kicking: 90% of Fortune 500 business systems are supported daily by COBOL
70% of all critical business logic and data is written in COBOL
* http://cobolpros.com/the-need-for-cobol/
IOT PRODUCTS WILL STAY ALIVE
WAY LONGER THAN EXPECTED
What’s your legacy?
ROSETTA STONE
interoperability
“The nice thing about IoT standards is that
you have so many to choose from;
And, if you do not like any of them, you can
just wait for next year’s model.”
Andrew S. Tanenbaum, Professor of Computer Science
Vrije Universiteit, Amsterdam
IOT - A WILD WEST
360+ IoT platforms
100+ protocols
DEVELOPER PAIN
- 6LowPAN by IETF (IPv6 for IoT)
- AllJoyn by AllSeen Alliance*
- AMQP by OASIS
- CoAP by IP for Smart Objects Alliance
- Contiki by Thingsquare*
- DDS by Object Management Group
- HomeKit by Apple*
- HTTP by W3C
- IoT Platform by Intel*
- Mbed by ARM*
- MQTT by IBM
- IoTivity by Open Interconnect Consortium*
- Stomp by Stomp Spec Group
- Thread by Thread Group
- WAMP by Tavendo
- WebSocket by IETF
- XMPP by XMPP Standards Foundation
- ZeroMQ by iMatix*
- ZigBee by ZigBee Alliance
- Z-Wave by Z-Wave Alliance
*platform rather than protocol
“The application shall
communicate with mobiles,
cloud, central database and IoT
sensors from all our suppliers!
It must be fast and SECURE!
And we need it next week!”
IT’S ABOUT THE WHOLE APPLICATION
- everything integrated –
WHERE IS THE WEAKEST LINK?
THANKS FOR LETTING ME IN
remote access and control
HOW YOUR TEA KETTLE COULD TAKE IT ALL DOWN
BlackBerry Security Summit 2016
REMOTE CONTROL DDoS
Manipulation
Control remotely
WIRED hacks a Jeep Cherokee
12 of 15 Bluetooth SmartLocks easy to hack
Hack attack causes 'massive damage' at German steel works
THE FALL OF THE WALL
decentralized applications in public networks
No firewalls
Decentralized applications
End-2-End encryption needed
Strong authentication
Unique IDs are the key
Multiple applications per device
Application security
PUBLIC NETWORKS ARE THE NEW NORM
RUBBER BANDS
roaming over multiple network technologies with varying bandwidth
STAY CONNECTED
GPRS
3G
4G
LTE
5G
Satellite
WiFi
Bluetooth
DECT
Z-wave
ZigBee
…
AND MANY MORE
Roaming is essential
Different connection tech in different parts of applications
Security over a chain of connections, proxies, hubs
eHEALTH example:
- End-2-End security
- strong authentication
- persistent connection
- live feed from equipment
- public networks
- varying connection
- system integration
IT’S ALL ABOUT THE APPLICATION – NOT THE COMPONENTS
Varying bandwidth and radio shadow
Constrained nodes & connections
Latency
Distributed processing
Fog computing
More reading about Object Security in constrained environments: http://significantbits.io/
THE DISAPPEARING ACT
simplicity and NO user configuration
THE ONLY SECURITY WORTH ANYTHING
IS THE ONE THAT IS USED
YOUR SECURITY SOLUTION MUST BE EASY TO USE FOR
USERS, ADMINISTRATORS,
DEVELOPERS AND INTEGRATORS
THANK YOU
IoT is all about the application,
and the application must be secure,
from start, for today and tomorrow
REMEMBER
1. EOL
2. Interoperability
3. Remote access
4. Public networks
5. Roaming over constrained networks
6. Make it simple