
Page 1: IoT Security Fundamentals That Must Be Solved1zkq0n152z6rnp4v81tnk1zh.wpengine.netdna-cdn.com/... · fredrik@apptimate.io fredrik.beckman@combitech.se IoT is all about the application,

IoT Security Fundamentals

That Must Be Solved

Fredrik Beckman

CEO Apptimate AB

Engagement Manager Combitech AB

September 2016


1. IoT products must die

2. Rosetta stone

3. Thanks for letting me in!

4. The fall of the wall

5. Rubber bands

6. The disappearing act


IOT PRODUCTS MUST DIE

product life cycle management and EOL


Release

Hack

Patch

Breach

Patch

New hack

SECURITY IS AN ITERATIVE PROCESS


Remote push updates

Maintain critical operation

Hot Swap

Supplier Swap

Don’t be the weakest link

LIABILITIES


Microsoft stopped providing security patches for Windows XP on April 8, 2014


THE NON-DIGITAL MARKET IS SLOW

Cars can live for 30 years or more

They need a recall or service intervals for updates


Digital is actually NO better

COBOL is still ALIVE and kicking:

90% of Fortune 500 business systems are supported daily by COBOL

70% of all critical business logic and data is written in COBOL

* http://cobolpros.com/the-need-for-cobol/


IOT PRODUCTS WILL STAY ALIVE

WAY LONGER THAN EXPECTED

What’s your legacy?


ROSETTA STONE

interoperability


“The nice thing about IoT standards is that

you have so many to choose from;

And, if you do not like any of them, you can

just wait for next year’s model.”

Andrew S. Tanenbaum

Professor Computer Science

Vrije Universiteit, Amsterdam


IOT - A WILD WEST

360+ IoT platforms

100+ protocols


Google

DEVELOPER PAIN

- 6LoWPAN by IETF (IPv6 for IoT)

- AllJoyn by AllSeen Alliance*

- AMQP by OASIS

- CoAP by IP for Smart Objects Alliance

- Contiki by Thingsquare*

- DDS by Object Management Group

- HomeKit by Apple*

- HTTP by W3C

- IoT Platform by Intel*

- Mbed by ARM*

- MQTT by IBM

- IoTivity by Open Interconnect Consortium*

- Stomp by Stomp Spec Group

- Thread by Thread Group

- WAMP by Tavendo

- WebSocket by IETF

- XMPP by XMPP Standards Foundation

- ZeroMQ by iMatix*

- ZigBee by ZigBee Alliance

- Z-Wave by Z-Wave Alliance

*platform rather than protocol


“The application shall

communicate with mobiles,

cloud, central database and IoT

sensors from all our suppliers!

It must be fast and SECURE!

And we need it next week!”


IT’S ABOUT THE WHOLE APPLICATION

- everything integrated –

WHERE IS THE WEAKEST LINK?


THANKS FOR LETTING ME IN

remote access and control


HOW YOUR TEA KETTLE COULD TAKE IT ALL DOWN

BlackBerry Security Summit 2016


REMOTE CONTROL DDoS

Manipulation

Control remotely


WIRED hacks a Jeep Cherokee

12 of 15 Bluetooth SmartLocks easy to hack

Hack attack causes 'massive damage' at German steel works


THE FALL OF THE WALL

decentralized applications in public networks


No firewalls

Decentralized applications

End-2-End encryption needed

Strong authentication

Unique IDs are the key

Multiple applications per device

Application security

PUBLIC NETWORKS ARE THE NEW NORM


RUBBER BANDS

roaming over multiple network technologies with varying bandwidth


STAY CONNECTED

GPRS

3G

4G

LTE

5G

Satellite

WiFi

Bluetooth

DECT

Z-Wave

ZigBee

AND MANY MORE


Roaming is essential

Different connection tech in different parts of applications

Security over a chain of connections, proxies, hubs


End-2-End security

strong authentication

persistent connection

live feed from equipment

public networks

varying connection

system integration

eHEALTH


IT’S ALL ABOUT THE APPLICATION – NOT THE COMPONENTS

Varying bandwidth and radio shadow

Constrained nodes & connections

Latency

Distributed processing

Fog computing


More reading about Object Security in constrained environments: http://significantbits.io/


THE DISAPPEARING ACT

simplicity and NO user configuration


THE ONLY SECURITY WORTH ANYTHING

IS THE ONE THAT IS USED

YOUR SECURITY SOLUTION MUST BE EASY TO USE FOR

USERS, ADMINISTRATORS,

DEVELOPERS AND INTEGRATORS


THANK YOU

fredrik@apptimate.io

fredrik.beckman@combitech.se

IoT is all about the application,

and the application must be secure,

from start, for today and tomorrow

REMEMBER

1. EOL

2. Interoperability

3. Remote access

4. Public networks

5. Roaming over constrained networks

6. Make it simple