Some IoT Security Learnings
![Page 1: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/1.jpg)
© EVRYTHNG INC. | 2016 COMMERCIAL & CONFIDENTIAL
Smarter products come with EVRYTHNG
Some IoT Security Learnings & Perspectives
From a Developer's / CTO's viewpoint
Dominique Guinard, CTO – co-founder, @domguinard, @EVRYTHNG
![Page 2: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/2.jpg)
What’s the IoT?
Have you been sleeping for the past few years?
![Page 3: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/3.jpg)
“The IoT is a science primarily focusing on creating the most complex ways of turning lights on.” [@domguinard]
![Page 4: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/4.jpg)
@ConnectEvrythng© EVRYTHNG Limited | Confidential | 2013 @EVRYTHNG© EVRYTHNG | Confidential | 2014
Pre IoT
![Page 5: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/5.jpg)
Post IoT
![Page 6: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/6.jpg)
Really need a better definition? Okay...
▪ DEFINITION: The Internet of Things is a system of physical objects that can be discovered, monitored, controlled, or interacted with by electronic devices that communicate over various networking interfaces and eventually can be connected to the wider Internet.
![Page 7: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/7.jpg)
EVRYTHNG?
In a nutshell!
![Page 8: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/8.jpg)
EVRYTHNG in a Nutshell
▪ ~ 60 people worldwide in 2017
▪ New York, London, San Francisco
▪ 1/2 Billion unique managed THNGS
▪ 100s of Billions of managed products
We are hiring! https://evrythng.com/about/jobs/
![Page 9: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/9.jpg)
What do we provide?
Any consumer application Any business application or ecosystem
Any product with tags Any product with connectivity
Free tier for developers on: http://developers.evrythng.com
![Page 10: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/10.jpg)
EVRYTHNG: The Web of Things Platform
[Platform architecture diagram. Labels: Tagged products; Connected products; direct; via gateway; THNGHUB; EVRYTHNG Cloud; Local; Clouds; Web & Native Apps; Dashboards; REST, MQTT, CoAP, WS; Cloud 2 Cloud Plug-ins; APIs & SDKs; Mobile & Web SDKs; Metrics Engine; Big data DB; THNG Push; THNG Access; ADI Engine; Enterprise; Reactor; THNGScan]
![Page 11: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/11.jpg)
▪ 10 billion “born digital” apparel products by 2017
▪ Identity as NFC, QR, UHF RFID - Activation by brands
▪ Rochambeau:
▪ Jacket comes with personalized content and VIP event/retail experiences to enhance ownership
Success Story
![Page 12: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/12.jpg)
Case Study
▪ iHome uses EVRYTHNG for their next-gen family of smart home products
− 4 different products: smart plugs, smart monitors, etc.
− 1 of 5 initial HomeKit certified products
− Uses out-of-the-box Marvell toolkit for devices with MQTT support
− Integrated with Nest, SmartThings, Wink, and with iHome CRM
− Android and iOS apps for setup, creating scenes, timers and granting access to other users
Success Story
![Page 13: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/13.jpg)
Learnings #1: Don’t re-invent the wheel, your wheel won’t be secure for years!
![Page 14: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/14.jpg)
Choose your network protocols wisely!
![Page 15: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/15.jpg)
Reuse the Web: Web of Things Architecture
▪ Converge all the Things towards Web protocols!
− Web Gateway
▪ WoT principles:
▪ Reuse the Web!
▪ => Choose secure Web protocols
− HTTPS, WSS with TLS
▪ Unless:
− Battery powered
− Very low-power
− Need for a mesh
![Page 16: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/16.jpg)
![Page 17: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/17.jpg)
Learnings #2: #1 sometimes does not work… sorry!
“Good” excuses (today):
Battery powered?
Very low-power?
Need for a mesh?
![Page 18: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/18.jpg)
Very different breeds of embedded devices!
Multicores: 32-64 Bits, X GB of RAM, X GB of Flash
VS
Microcontroller: 8 Bits, X KB of RAM, X KB of ROM
![Page 19: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/19.jpg)
There is hope!
![Page 20: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/20.jpg)
Learnings #3: People don’t change passwords, they just don’t!
![Page 21: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/21.jpg)
Get the basics right!
▪ DynDNS DDoS “IoT” attacks Oct 21 2016:
− Based on devices with default passwords
▪ CloudPet IoT kids attack:
− No password on exposed MongoDB
▪ Many IoT devices not using TLS
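
A small audit of the three basics listed on this slide (default passwords, an exposed datastore without a password, endpoints without TLS), as an added example that is not from the original deck. The inventory format, the default-credential list and the `mqtts`/`coaps` scheme mapping are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Assumption: a short list of factory-default pairs; a real audit would load
# the vendor's own defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
# Plaintext scheme -> TLS-protected equivalent to migrate to.
TLS_EQUIVALENT = {"http": "https", "ws": "wss", "mqtt": "mqtts", "coap": "coaps"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_device(device):
    """Return a sorted list of findings for one inventory record."""
    findings = []
    creds = (device.get("username"), device.get("password"))
    if creds in DEFAULT_CREDENTIALS or not device.get("password"):
        findings.append("default-or-empty-password")
    for url in device.get("endpoints", []):
        scheme = urlparse(url).scheme.lower()
        if scheme in TLS_EQUIVALENT:
            findings.append(f"plaintext-endpoint:{scheme}->{TLS_EQUIVALENT[scheme]}")
    for store in device.get("datastores", []):
        # A datastore bound to anything but loopback is reachable from outside.
        exposed = store.get("bind", "0.0.0.0") not in LOOPBACK
        if exposed and not store.get("auth_enabled", False):
            findings.append(f"unauthenticated-exposed-datastore:{store['name']}")
    return sorted(set(findings))


def audit_fleet(inventory):
    """Map device id -> findings, keeping only devices with at least one."""
    report = {d["id"]: audit_device(d) for d in inventory}
    return {dev: found for dev, found in report.items() if found}


# Constructed sample inventory (not real devices or hosts).
INVENTORY = [
    {"id": "cam-01", "username": "admin", "password": "admin",
     "endpoints": ["http://cam-01.example/api", "mqtt://broker.example:1883"]},
    {"id": "toy-backend", "username": "svc", "password": "x9!Lq2#vR8",
     "endpoints": ["https://api.example/v1"],
     "datastores": [{"name": "mongodb", "bind": "0.0.0.0", "auth_enabled": False}]},
    {"id": "plug-07", "username": "owner", "password": "S3t-at-0nboarding",
     "endpoints": ["https://api.example/v1", "wss://api.example/ws"],
     "datastores": [{"name": "sqlite", "bind": "127.0.0.1", "auth_enabled": False}]},
]

if __name__ == "__main__":
    for dev, found in audit_fleet(INVENTORY).items():
        print(dev, found)
```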
![Page 22: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/22.jpg)
There are nice tools that can help!
▪ OWASP IoT
▪ GSMA IoT Security Self-Assessment
▪ Shodan.io
▪ Hire a security professional!
![Page 23: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/23.jpg)
Learnings #4: You will need to release security fixes to Things, and people don’t like downloading patches on fridges...
![Page 24: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/24.jpg)
Very different breeds of embedded devices!
▪ Good dual firmware solutions for low-power RTOS devices
− Beware: certificates do expire!
▪ Wink Hub 2015
▪ Great container based solutions for Linux based devices
VS
![Page 26: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/26.jpg)
A Store of Containers for all the Things: Ubuntu Core
[https://www.ubuntu.com/core]
![Page 27: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/27.jpg)
Some thoughts for the (not so far) future!
“[...] Next comes ubiquitous computing, or the age of calm technology, when technology recedes into the background of our lives [...]” [Mark Weiser, 1988]
![Page 28: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/28.jpg)
A device on the Internet = a device on the Internet!
● DDoS attacks against IoT devices
● UDP flooding / TCP SYN attacks
● Hacking the physical world
![Page 29: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/29.jpg)
Think usable security
● How do we make security more accessible to the masses?
● Make security experts and usability experts work together!
![Page 30: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/30.jpg)
IoT Things and Devices generate data, privacy?
● People are actually used to giving away their privacy (mobile phone?) for a real benefit
● Empower people to understand what they share and monetize it
![Page 31: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/31.jpg)
Trust @ IoT: Blockchains might help!
▪ Nice properties of blockchains:
− Coordination
− Resilience
− Compliance
− Consensus
− Transparency
− Immutability
− Security
− Trust
Every Action in the EVRYTHNG system can now be automatically backed by a corresponding Blockchain transaction that guarantees the Action was genuine and hasn't been tampered with.
![Page 32: Some IoT Security Learnings](https://reader031.vdocument.in/reader031/viewer/2022030313/58e49f7a1a28abf5428b5d37/html5/thumbnails/32.jpg)
39% off “Building the Web of Things” with code “39guinard” on http://manning.com
Contact: @domguinard, http://dom.guinard.org
See: http://book.webofthings.io
We are hiring!