Debunking IoT Security Myths

Presentation for the Internet Security Days 2014 about common security challenges and myths in the Internet of Things domain.


  • 1. Debunking IoT Security Myths. Cumulocity GmbH 2014, André Eickler
  • 2. Overview
    - What is Cumulocity?
    - What is the Internet of Things (IoT)?
    - What security challenges are there?
    - What common myths are there?
    - What you can do!
  • 3. What is Cumulocity?
    - Where do we come from? Started in 2010 as a Nokia Networks product line. Independent company since 2012. Originally targeted at the very security-aware telco industry.
    - What do we do? Cloud service to fundamentally reduce the complexity of deploying Internet of Things solutions. Pay-as-you-grow, starting from 1 per device per month.
  • 4. What is Cumulocity? (architecture diagram)
  • 5. What is the Internet of Things? Asset + Device + Application
  • 6. What security challenges are there?
    - IoT devices are where your assets are. Limited physical control over device and network connection. The "data center" is distributed all over the country.
    - IoT devices are extremely heterogeneous. Little standardization, thousands of manufacturers and platforms. BYOD to the max.
    - IoT devices come in billions, at least if the analysts are right. Great target for DDoS.
  • 7. What security challenges are there?
    - IoT devices may control the physical world: production plants, cars, wheelchairs, ... Extremely attractive target for attacks.
    - IoT business cases often rely on cheap devices. Low-end devices make communication security difficult. Often no remote patching or upgrade facility. Mobile M2M tariffs are counted by the KB; SSL/VPN overhead is unwanted.
  • 8. What common myths are there? The actual issues are no surprise to security experts, but:
    - They are not viewed from the context of IoT.
    - They are misunderstood even by renowned publishers.
  • 9. Myth #1: The thing must be a server (figure: IPSO Power Control, c't 09/13, p. 98)
  • 10. Myth #1: The thing must be a server
    |                       | Device is server           | Device is client        |
    |-----------------------|----------------------------|-------------------------|
    | Security              | Very high risk             | No open port => lower   |
    | Optimal for           | Actuators                  | Sensors                 |
    | Data sharing          | By device (not in mobile!) | By server               |
    | Data access & scaling | Difficult to impossible    | Easy and cheap          |
    | Addressing            | Static IP                  | Dynamic & private IP    |
    | Consequence           | Requires VPN               | Requires device push    |
  • 11. Myth #2: A VPN solution is enough for security
  • 12. Myth #2: A VPN solution is enough for security
    - Industrial-level attacks often come from insiders; IoT is just a new dimension.
    - IoT devices are often unattended, and a VPN setup may be used as an entry point into the corporate network.
    - Mobile IoT devices can still be attacked through SMS (reconfiguration, redirection, DoS).
    - VPN causes expensive overhead on mobile; customers complain about an extra 10-90 MB of traffic per month.
  • 13. Myth #3: My protocol is better!
  • 14. What you can do! Translate your security practices to the IoT world, i.e.:
    - Check physical security. USB/serial/LAN ports on devices in public places? Tamper sensors included?
    - Check network security. Switch off SMS on the device or use a secure SMS service. Switch off local/web element managers. Replace standard/static passwords.
    - Check application security. Validate the device protocol. Use the device only as a client to a secure IoT service with individual credentials.
  • 15. What you can do! Don't reinvent the wheel, pick an IoT middleware.