© Cumulocity GmbH 2014
Debunking IoT Security Myths André Eickler
Overview
• What is Cumulocity?
• What is the Internet of Things (IoT)?
• What security challenges are there?
• What common myths are there?
• What you can do!
What is Cumulocity?
Where do we come from?
• Started 2010 as Nokia Networks product line.
• Independent company since 2012.
• Originally targeted to the very security-aware telco industry.
What do we do?
• Cloud service to fundamentally reduce the complexity of deploying Internet of Things solutions.
• Pay-as-you-grow starting from €1/device/month.
What is Cumulocity?
What is the Internet of Things? Asset + Device + Application
What security challenges are there?
IoT devices are where your assets are.
• Limited physical control over device and network connection.
• “Data center distributed all over the country.”
IoT devices are extremely heterogeneous.
• Little standardization, thousands of manufacturers and platforms.
• “BYOD to the max.”
IoT devices come in billions.
• … at least if the analysts are right.
• Great target for DDoS.
What security challenges are there?
IoT devices may control the physical world.
• Production plants, cars, wheelchairs, …
• Extremely attractive target for attacks.
IoT business cases often rely on cheap devices.
• Low-end devices make communication security difficult.
• Often no remote patching or upgrade facility.
• Mobile M2M tariffs are counted by the KB; SSL/VPN overhead is unwanted.
What common myths are there?
Actual issues are no surprise to security experts, but …
• They are not viewed from the context of IoT.
• They are misunderstood even by renowned publishers.
Figure: IPSO Power Control (c’t 09/13, p. 98)
Myth #1: The “thing” must be a server
                          Device is Server             Device is Client
Security                  Very high risk               No open port => lower
Optimal for               Actuators                    Sensors
Data sharing              By device (not in mobile!)   By server
Data access & scaling     Difficult to impossible      Easy and cheap
Addressing                Static IP                    Dynamic & private IP
Consequence               Requires VPN                 Requires device push
Myth #2: A VPN solution is enough for security
• Industrial-level attacks often come from insiders – IoT is just a new dimension.
• IoT devices are often unattended, and a VPN setup may be used as an entry point into the corporate network.
• Mobile IoT devices can still be attacked through SMS (reconfiguration, redirection, DoS).
• VPN causes expensive overhead on mobile; customers complain about an extra 10-90 MB of traffic per month.
Myth #3: My protocol is better!
What you can do!
Translate your security practices to the IoT world. I.e.,
• Check physical security.
  – USB/serial/LAN ports on devices in public places?
  – Tamper sensors included?
• Check network security.
  – Switch off SMS on the device or use a secure SMS service.
  – Switch off local/web element managers.
  – Replace standard/static passwords.
• Check application security.
  – Validate device protocol.
  – Use device only as client to a secure IoT service with individual credentials.
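The “device is client” model from Myth #1 together with the closing advice (device only as a client, individual credentials), shown as an added in-process model. This is example code written for this page, not Cumulocity’s API; the HMAC-over-per-device-secret scheme, the device names and the operation strings are constructed assumptions.

```python
import hmac, hashlib, secrets
from collections import deque

class IoTService:
    """Cloud side of the 'device is client' model: the device never listens,
    so actuator commands wait in a per-device queue until the device connects."""
    def __init__(self):
        self._secrets = {}    # device_id -> individual credential (assumed: shared secret + HMAC)
        self._pending = {}    # device_id -> queued operations for actuators
        self.measurements = []

    def register(self, device_id):
        # One secret per device: revoking one device does not touch the others.
        secret = secrets.token_hex(16)
        self._secrets[device_id] = secret
        self._pending[device_id] = deque()
        return secret

    def revoke(self, device_id):
        self._secrets.pop(device_id, None)

    def queue_operation(self, device_id, op):
        self._pending[device_id].append(op)

    def device_push(self, device_id, body, tag):
        """Device-initiated call: accept one measurement, hand back pending operations.
        Returns None when the device's individual credential does not check out."""
        secret = self._secrets.get(device_id)
        if secret is None:
            return None
        expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        self.measurements.append((device_id, body))
        ops = list(self._pending[device_id])
        self._pending[device_id].clear()
        return ops

def device_push(service, device_id, secret, reading):
    """Device side: sign the reading with its own credential and push it; no open port needed."""
    body = f"{device_id}:{reading}"
    tag = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    return service.device_push(device_id, body, tag)

def run_scenario():
    """Two constructed devices; one credential leaks and is revoked, the other keeps working."""
    svc = IoTService()
    secret_a = svc.register("pump-001")
    secret_b = svc.register("pump-002")
    svc.queue_operation("pump-001", "set_valve=closed")   # actuator command waits for the device
    ops_a = device_push(svc, "pump-001", secret_a, "pressure=4.2")
    svc.revoke("pump-002")                                # revoke only the leaked credential
    ops_b = device_push(svc, "pump-002", secret_b, "pressure=9.9")
    forged = svc.device_push("pump-001", "pump-001:pressure=0", "00" * 32)
    return ops_a, ops_b, forged, len(svc.measurements)
```

Running `run_scenario()` shows the pending operation being delivered on the device’s own connection, the revoked device and the forged tag both rejected, and only the genuine measurement stored.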
What you can do! Don’t reinvent the wheel, pick an IoT middleware …
https://cumulocity.com