IoT Security: Make vs Buy?
Feb 2016
Copyright © 2016 Verimatrix, Inc.
They Tell Us IoT Will be BIG!
Opportunity vs Threat
Technical exposure
Business risk
Customer confidence
Regulatory compliance
More Connectivity >>> More Threat Surfaces
Device control
Reprogramming
Man in middle
• Intercepting communication
• Alter communication
• Pretend to be a different player
Jamming / Blocking
Replay
Cloning
Monitoring
Data theft
Attacker Incentive
Research
Hacktivist
Economic – Exploits or Crime
Terrorism
Cyber warfare
Attacks: SOHO examples
FAIL: Management backdoors
FAIL: Password vulnerabilities
FAIL: Update verification
https://www.sohopelesslybroken.com/news.html
Attacks: Samsung Fridge
FAIL: test validity of SSL certificate
Threat: Neighbor stealing Gmail credentials
http://www.theregister.co.uk/2015/08/24/smart_fridge_security_fubar/
Attacks: Vizio TV
FAIL: test validity of SSL certificate
Threat: Impact on privacy
Awareness: 6th link
http://arstechnica.com/security/2015/11/man-in-the-middle-attack-on-vizio-tvs-coughs-up-owners-viewing-habits/
Attacks: Baby Monitor
Baby monitor weaknesses overview:
http://fusion.net/story/192189/internet-connected-baby-monitors-trivial-to-hack/
Threat: someone close by listening to your baby.
Attacks: Hue Light Bulb
FAIL: Securing token
Threat: Control light remotely
http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html
Attacks: Smart Meter
Open protocol / credentials
Threat: Smart meter data provides info on
• Appliance: HDR TV
• Occupancy and schedule
From: Smart Meter Data: Privacy and Cybersecurity Congressional Research Service R42338
Attacks: Jeep
FAIL: No segmentation
FAIL: No OTA update
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Threat: Losing control of a moving car
Attacks: Cloud
…and many others such as Sony
IoT Security Snapshot
Device Hardware Security: TPM (Trusted Platform Module) and SE (Secure Element), used to harden software-based security solutions in a layered security approach; secure storage, secure boot
Secure Device Update: Leverages security credentials and a signature process to enable a trusted service for full or modular software update
Secure IP Communications: Leverages security credentials to provide an authenticated client comms end point and a connection-oriented or connectionless secure communications framework
Data Management and Integrity: Data aggregation, access control and auditing; policy compliance, regulatory compliance
Threat monitoring & response: Activity tracking, signature analysis, flagging threats and orchestrating response
IoT Vertical Markets – Generic Challenges
Cloud data integrity and compliance
Threat monitoring and response
Secure device communications
Secure device update
Device integrity
Credential management
Smart Home / Automotive / mHealth / Smart Cities / Industrial
Who Would You Trust?
Not just for Christmas - typical lifetime tasks
• Device credential management
• Secure software update
• Trusted secure IP communications – TCP, UDP, unicast, multicast
• Device threat monitoring
• Threat reporting/aggregation/alerting
• Data curation - secure repository with regulatory and policy compliance
Few in the industry with a broad, long-term track record
Summary
Threat surface of connected systems is extensive
The security challenge exists over the lifetime of the application
How do you combine innovation and system integrity?