Securing the Internet of Things GSMA Security and Privacy Principles Ian Smith – GSMA IoT Security Lead - [email protected]

Securing the Internet of Things - European Commission, ec.europa.eu/information_society/newsroom/image/document/... · 2017-03-14 · IoT Security Self-Assessment


Page 2:

Introducing the GSMA

The GSMA represents the interests of mobile operators worldwide, uniting nearly 800 operators with more than 250 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and Internet companies. The GSMA also produces industry-leading events such as Mobile World Congress, Mobile World Congress Shanghai and the Mobile 360 Series conferences.

Page 4:

Sections: Security Challenges · IoT Security Model · Risk Assessments · Privacy Considerations · Examples

Guidelines for the Whole IoT Ecosystem

• Security Principles
• Security Guidelines
• Detailed Control Statements
• IoT Security Self-Assessment
• Process Checklist

• Over 200 pages of generic advice and recommendations to secure devices, service platforms and networks
• 3 ‘worked’ examples – wearables, personal drone and automotive – with risk and privacy impact assessments
• 12 principal attack models
• 85 detailed recommendations
• Self-assessment process and checklist

Page 7:

Focuses on the Key IoT Challenges

How to ensure:

• Availability – Ensuring constant connectivity between Endpoints and their respective services.
• Identity – Authenticating Endpoints, services, and the customer or end-user operating the Endpoint.
• Privacy – Reducing the potential for harm to individual end-users.
• Integrity – Ensuring that system integrity can be verified, tracked, and monitored.

in services and devices that are:

• Low power – No permanent power supply, or possibly a permanent but limited power supply.
• Low complexity – Low processing capability. Small amounts of memory. Constrained operating system.
• Long lifecycles – Requires cryptographic design that lasts a lifetime. Manage security vulnerabilities which can’t be patched within the endpoint.
• Physically accessible – Access to local interfaces inside the IoT endpoint. Hardware components and interfaces are a potential target of attackers.

Page 8:

Recommended Privacy Considerations

• Promotes IoT Privacy by Design
• Provides recommendations to ensure IoT service providers:
  – Have a privacy compliance process.
  – Identify sources of personal data.
  – Have processes to protect personal data.
  – Understand lawful intercept responsibilities.
  – Protect the privacy of user data.

Page 9:

IoT Security Case Study #1 - The Dyn Cyberattack

What happened?

The Dyn cyberattack took place on October 21, 2016, and involved multiple denial-of-service attacks (DoS attacks) targeting systems operated by Domain Name System (DNS) provider Dyn, which made major Internet platforms and services unavailable to large swaths of users in Europe and North America. Services affected included Airbnb, Amazon, Netflix, PayPal and Twitter.

What was the cause?

The distributed denial-of-service (DDoS) attack was accomplished through a large number of DNS lookup requests from tens of millions of IP addresses. The activities are believed to have been executed through a botnet consisting of a large number of IoT devices - such as printers, IP cameras, residential gateways and baby monitors - that had been infected with the Mirai malware.

With an estimated load of 1.2 terabits per second, the attack is, according to experts, the largest DDoS on record.

What was the vulnerability that was exploited?

Devices infected by Mirai continuously scan the internet for IoT devices. Mirai then identifies vulnerable IoT devices using a table of common factory default usernames and passwords, and logs into them to infect them with the Mirai malware.

Infected devices will continue to function normally, except for occasional sluggishness and an increased use of bandwidth.

Which Recommendations in the GSMA IoT Security Guidelines would have prevented this?

Some key recommendations taken from GSMA document CLP.13:
• Section 5.10 – How should I Implement Secure Remote Management
• Section 6.9 – Endpoint Password Management

See: https://en.wikipedia.org/wiki/2016_Dyn_cyberattack for more information
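As an added illustration (not from the GSMA deck or from CLP.13), the following Go program audits a provisioning manifest for the two failures the Dyn case study turns on: factory-default credentials (Section 6.9) and credentials that are not unique per endpoint (Section 6.8). The Endpoint structure, the default-credential table and the sample fleet are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Endpoint is one row of a hypothetical provisioning manifest (constructed
// structure; the GSMA guidelines do not prescribe a manifest format).
type Endpoint struct{ ID, User, Password string }

// Constructed stand-in for the "user:password" table a credential-scanning worm carries.
var factoryDefaults = map[string]bool{
	"admin:admin": true, "admin:password": true, "root:root": true,
	"root:12345": true, "user:user": true, "support:support": true,
}

// AuditCredentials returns, per endpoint ID, the violations found: a factory
// default pair or a short password (CLP.13 6.9) and a password shared with
// another endpoint, i.e. not uniquely provisioned (CLP.13 6.8).
func AuditCredentials(eps []Endpoint) map[string][]string {
	findings, byPassword := map[string][]string{}, map[string][]string{}
	for _, e := range eps {
		if factoryDefaults[strings.ToLower(e.User)+":"+e.Password] {
			findings[e.ID] = append(findings[e.ID], "factory default credential")
		}
		if len(e.Password) < 12 {
			findings[e.ID] = append(findings[e.ID], "password shorter than 12 characters")
		}
		byPassword[e.Password] = append(byPassword[e.Password], e.ID)
	}
	for _, ids := range byPassword {
		if len(ids) < 2 {
			continue
		}
		for _, id := range ids {
			findings[id] = append(findings[id], "password shared across endpoints")
		}
	}
	return findings
}

func main() {
	fleet := []Endpoint{{"cam-01", "admin", "admin"}, {"cam-02", "svc-7f2a", "Qj8!mzP4wL2#"},
		{"cam-03", "svc-91bc", "Tn5$rXe9bK0@"}, {"cam-04", "svc-c3d0", "Tn5$rXe9bK0@"}} // constructed
	for id, f := range AuditCredentials(fleet) {
		fmt.Println(id, f)
	}
}
```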

Page 10:

IoT Security Case Study #2 - The Jeep Cherokee Hack

What happened?

In 2014 security researchers Charlie Miller and Chris Valasek successfully demonstrated a remote attack on the safety-critical functions of a Jeep Cherokee while it was being driven by a journalist at 70 mph on a freeway. This led Fiat Chrysler to recall 1.4 million vehicles for a security patch to be applied – incurring huge cost and brand damage in the process.

What was the cause?

Miller and Valasek exploited a chain of security vulnerabilities to perform this attack. First they performed a brute-force attack to connect to the on-board Wi-Fi within the vehicle. Using this connectivity they hacked the Linux-based ‘head unit’, which in turn allowed them to alter the firmware of a microcontroller that has access to the vehicle’s internal communications network (CAN bus). With access to the CAN bus they could interfere with safety-critical functions such as the vehicle’s braking system.

What was the vulnerability that was exploited?

The key vulnerabilities were the provisioning of weak Wi-Fi access credentials, communications ports being left open, lack of authentication on communications channels and lack of protection for firmware updates.

Which Recommendations in the GSMA IoT Security Guidelines would have prevented this?

Some key recommendations taken from GSMA document CLP.13:
• Section 5.6 - How do I Disallow Tampering of Firmware and Software
• Section 6.8 – Uniquely Provision Each Endpoint - to strengthen the Wi-Fi password
• Section 6.9 – Disable Debugging and Testing Technologies - to disable unused communication ports

See: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ for more information
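As an added illustration (not from the GSMA deck or from CLP.13), here is the shape of the firmware-update gate that Section 5.6 asks for, written in Go with the standard library’s Ed25519: the device verifies a vendor signature over version and image before flashing, and refuses rollback. The key handling, the version encoding and the sample image are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// GenerateVendorKey stands in for the manufacturer's key ceremony (assumed setup).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedMessage binds the version number to the image bytes, so a valid
// signature cannot be re-paired with an altered image or an older version.
func signedMessage(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, image...)
}

// SignFirmware runs on the build system; the private key never reaches a device.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	return ed25519.Sign(priv, signedMessage(version, image))
}

// VerifyUpdate is the device-side gate run before anything is written to
// flash: authenticity and integrity first, then anti-rollback.
func VerifyUpdate(pub ed25519.PublicKey, installed, version uint32, image, sig []byte) error {
	if !ed25519.Verify(pub, signedMessage(version, image), sig) {
		return fmt.Errorf("rejected: bad signature (altered image or not from vendor)")
	}
	if version <= installed {
		return fmt.Errorf("rejected: version %d not newer than installed %d (rollback)", version, installed)
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey() // public half is what a device would hold
	image := []byte("constructed firmware image, version 2")
	sig := SignFirmware(priv, 2, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, 2, image, sig))
}
```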

Page 11:

GSMA IoT Security Self-Assessment


A flexible approach to IoT Security Evaluation

Structured

Referenced to Guidelines

Concise Questions

Page 12:

A Flexible Framework is the Key to Success

FLEXIBILITY

Only flexible IoT security and privacy processes and recommendations can address the huge diversity in IoT services that will come to market in the next few years.

Page 13:


GSMA IoT Resources

The GSMA also publishes a huge amount of IoT resources on the GSMA Connected Living website. To find out more, go to: www.gsma.com/connectedliving

IoT Security Self-Assessment: http://www.gsma.com/connectedliving/iot-security-self-assessment/

IoT Security Guidelines: http://www.gsma.com/iotsecurity