Securing the Internet of Things
GSMA Security and Privacy Principles
Ian Smith – GSMA IoT Security Lead - ismith@gsma.com
Introducing the GSMA
The GSMA represents the interests of mobile operators worldwide, uniting nearly 800 operators with more than 250 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and Internet companies.
The GSMA also produces industry-leading events such as Mobile World Congress, Mobile World Congress Shanghai and the Mobile 360 Series conferences.
GSMA IoT Security and Privacy Resources
• Security Principles
• Security Guidelines
• Detailed Control Statements
• IoT Security Self-Assessment
• Process Checklist
Document references: CLP.11, CLP.12, CLP.13, CLP.14, CLP.17, CLP.19
Covering: Security Challenges, IoT Security Model, Risk Assessments, Privacy Considerations, Examples
Guidelines for the Whole IoT Ecosystem
• Over 200 pages of generic advice and recommendations to secure devices, service platforms and networks
• 3 ‘worked’ examples – Wearables, Personal Drone and Automotive – with risk and privacy impact assessments
• 12 principal attack models
• 85 detailed recommendations
• Self-assessment process and checklist
Based Upon a Generic IoT Architecture
Applicable to All Types of Services
• Transport
• Smart Homes
• Health
• Agriculture
• Industrial
• Energy
Focuses on The Key IoT Challenges
How to ensure:
• AVAILABILITY: Ensuring constant connectivity between Endpoints and their respective services.
• IDENTITY: Authenticating Endpoints, services, and the customer or end-user operating the Endpoint.
• PRIVACY: Reducing the potential for harm to individual end-users.
• INTEGRITY: Ensuring that system integrity can be verified, tracked, and monitored.
in services and devices that are:
• LOW COMPLEXITY: Low processing capability. Small amounts of memory. Constrained operating system.
• LOW POWER: No permanent power supply, or a possibly permanent but limited power supply.
• LONG LIFECYCLES: Requires cryptographic design that lasts a lifetime. Must manage security vulnerabilities which can’t be patched within the endpoint.
• PHYSICALLY ACCESSIBLE: Access to local interfaces inside the IoT endpoint. Hardware components and interfaces are potential targets of attackers.
Recommended Privacy Considerations
• Promotes IoT Privacy by Design
• Provides recommendations to ensure IoT service providers:
– Have a privacy compliance process.
– Identify sources of personal data.
– Have processes to protect personal data.
– Understand lawful intercept responsibilities.
– Protect the privacy of user data.
IoT Security Case Study #1 - The Dyn Cyberattack
What happened?
The Dyn cyberattack took place on October 21, 2016, and involved multiple denial-of-service attacks (DoS attacks) targeting systems operated by Domain Name System (DNS) provider Dyn, which made major Internet platforms and services unavailable to large swaths of users in Europe and North America. Services affected included: Airbnb, Amazon, Netflix, PayPal & Twitter.
What was the cause?
The distributed denial-of-service (DDoS) attack was accomplished through a large number of DNS lookup requests from tens of millions of IP addresses. The activities are believed to have been executed through a botnet consisting of a large number of IoT devices - such as printers, IP cameras, residential gateways and baby monitors - that had been infected with the Mirai malware.
With an estimated load of 1.2 terabits per second, the attack is, according to experts, the largest DDoS on record.
What was the vulnerability that was exploited?
Devices infected by Mirai continuously scan the internet for IoT devices. Mirai then identifies vulnerable IoT devices using a table of common factory default usernames and passwords, and logs into them to infect them with the Mirai malware.
Infected devices will continue to function normally, except for occasional sluggishness and an increased use of bandwidth.
Which Recommendations in the GSMA IoT Security Guidelines would have prevented this?
Some key recommendations taken from GSMA document CLP.13:
• Section 5.10 – How should I Implement Secure Remote Management
• Section 6.9 – Endpoint Password Management
See: https://en.wikipedia.org/wiki/2016_Dyn_cyberattack for more information
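The endpoint password management the slide points to, as an added Python illustration that is not taken from the GSMA documents: factory-default credential pairs are rejected, every endpoint receives its own random credential at provisioning, and the service stores only a salted PBKDF2 hash. The FACTORY_DEFAULTS set is a constructed sample, not Mirai’s actual table, and the function names are assumptions.

```python
"""Endpoint password management at provisioning time (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed sample of shared factory defaults of the kind a credential
# table targets; illustrative pairs only, not the real Mirai list.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("root", "root"),
    ("user", "user"),
    ("admin", "1234"),
}
MIN_PASSWORD_LEN = 16
PBKDF2_ROUNDS = 200_000


def is_factory_default(username: str, password: str) -> bool:
    """True if the pair is a known shared default or trivially weak."""
    if (username, password) in FACTORY_DEFAULTS:
        return True
    return len(password) < MIN_PASSWORD_LEN or password == username


def provision_endpoint(inventory: dict, device_id: str) -> str:
    """Give one endpoint a unique random credential (Section 6.8 style) and
    keep only a salted hash; the cleartext is returned once for the label/app."""
    password = secrets.token_urlsafe(24)
    if is_factory_default("admin", password):  # cannot happen, kept as a guard
        raise RuntimeError("generated credential failed policy")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    inventory[device_id] = {"salt": salt, "hash": digest}
    return password


def verify_login(inventory: dict, device_id: str, password: str) -> bool:
    """Constant-time check of a presented password against the stored hash."""
    rec = inventory.get(device_id)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])
```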
IoT Security Case Study #2 - The Jeep Cherokee Hack
What happened?
In 2014 security researchers Charlie Miller and Chris Valasek successfully demonstrated a remote attack on the safety critical functions of a Jeep Cherokee whilst it was being driven by a journalist at 70mph on a freeway. This led Fiat Chrysler to recall 1.4 million vehicles for a security patch to be applied – incurring huge cost and brand damage in the process.
What was the cause?
Miller and Valasek exploited a chain of security vulnerabilities to perform this attack. Firstly they performed a brute force attack to connect to the on-board Wi-Fi within the vehicle. Using this connectivity they hacked the Linux based ‘head unit’, which in turn allowed them to alter the firmware of a microcontroller which has access to the vehicle’s internal communications network (CAN bus). With access to the CAN bus they could interfere with safety critical functions such as the vehicle’s braking system.
What was the vulnerability that was exploited?
The key vulnerabilities were the provisioning of weak Wi-Fi access credentials, communications ports being left open, lack of authentication on communications channels and lack of protection for firmware updates.
Which Recommendations in the GSMA IoT Security Guidelines would have prevented this?
Some key recommendations taken from GSMA document CLP.13:
• Section 5.6 - How do I Disallow Tampering of Firmware and Software
• Section 6.8 – Uniquely Provision Each Endpoint - to strengthen the WiFi password
• Section 6.9 – Disable Debugging and Testing Technologies – to disable unused communication ports
See: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ for more information
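One way an endpoint can refuse tampered or downgraded firmware, in the spirit of Section 5.6, shown as an added Python example that is not from the GSMA documents or the vehicle in question: the image carries a header (magic, version, length), the payload and an authentication tag over both, and the verifier checks the tag before trusting any header field and refuses versions not newer than the installed one. The image format, function names and the per-device HMAC key are assumptions; a production design would use a manufacturer public-key signature (ECDSA or Ed25519) so that the verification key held on the device cannot itself forge images, and HMAC stands in here only because the Python standard library has no asymmetric signatures.

```python
"""Firmware image integrity and anti-rollback check (constructed example)."""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                 # constructed format identifier
HDR = struct.Struct(">4sII")    # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce header || payload || tag; the tag covers header and payload,
    so neither the version nor the code can be altered unnoticed."""
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, "sha256").digest()


def verify_image(key: bytes, image: bytes, installed_version: int):
    """Return (True, payload) for an authentic, newer image,
    else (False, reason). Nothing in the header is trusted before the
    tag has been checked, so a forged version field cannot steer parsing."""
    if len(image) < HDR.size + TAG_LEN:
        return False, "truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return False, "authentication failed"
    magic, version, length = HDR.unpack_from(body)
    payload = body[HDR.size:]
    if magic != MAGIC or length != len(payload):
        return False, "malformed header"
    if version <= installed_version:
        # Anti-rollback: a genuine but older image may carry known bugs.
        return False, "rollback to version %d refused" % version
    return True, payload
```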
GSMA IoT Security Self-Assessment
A flexible approach to IoT Security Evaluation:
• Structured
• Referenced to Guidelines
• Concise Questions
A Flexible Framework is the Key to Success
FLEXIBILITY: Only flexible IoT security and privacy processes and recommendations can address the huge diversity in IoT services that will come to market in the next few years.
GSMA IoT Resources
The GSMA also publishes a huge amount of IoT resources on the GSMA Connected Living Website. To find out more, go to: www.gsma.com/connectedliving
• IoT Security Self-Assessment: http://www.gsma.com/connectedliving/iot-security-self-assessment/
• IoT Security Guidelines: http://www.gsma.com/iotsecurity