Jeff Katz of Geeny presented at a workshop on Internet of Things Security at ThingsCon Amsterdam 2017 1 December 2017. From Internet of Shit to secure Internet of Thing – What we can learn from epic securtiy fails to create better IoT products and applications.

1. A Survey of Structural
Insecurities in IoT
Jeff Katz
Senior Practice Lead IT / Engineering
Telefónica Germany NEXT GmbH

2. » The problem with this process is that no one
entity has any incentive, expertise, or even ability
to patch the software once it's shipped… We
simply have to fix this. «
-BRUCE SCHNEIER, Wired, 2014

3. Agenda
– Relevant quote
– Agenda
– Speaker Info
– Sales
– Channels
– Retail deep-dive
– Telefónica
– Geeny
~20 minutes | english
3

4. Jeff Katz
– American living in Germany for six years
– Founded companies in Finance, IT, Security
– Founded hardware accelerator called
HARDWARE.co
– Spoken around the world on Security and Privacy
in IoT
– Background in Electrical Engineering and
Embedded Development
– Currently working for Telefónica NEXT on IoT
Platform
4

5. What’s IoT?
5
• Industrial
• Agricultural
• Smart City
• Consumer (Smart Home, etc.)

6. There are
forecast to be
28 billion
connected
devices
worldwide by
2021
Almost 16
billion of them
will be loT
devices
loT devices will over-take
mobile phones as the
largest category of
connected devices in
2018
This will be driven by
the spread of smart
meters and
connected cars, as
well as by consumer
devices
The number of loT
devices in Western
Europe is
projected to
quadruple
between 2015 and
2021
The Consumer IoT Market

7. How an idea becomes an IoT solution
– Let’s pretend: We are ”Melkin” a
multinational consumer device
company, and we want to make a
connected baby monitor
– Two-way audio streaming, there’s an
app, etc.
Let’s explore who is involved to bring this
product to shelves
7
Any resemblance to any real companies or
products is strictly coincidental and not
intended. This is not the story of a real
product.

8. The Service
– We’re going to start with the App, and what we want the user experience to be
– External design agency engaged
– Click-dummy delivered
– External app agency engaged
– iOS, Android, etc. delivered under budget and time pressure
– Often developed before the hardware is even done
8

9. The ODM
– Factory in Guangzhou, China
– Manufactures Baby Monitors for many
multinational companies
– Take existing model that matches our
requirements
– Develop new plastics for it
– Firmware based on reference design from
Chipset Manufacturer
– Completely white-label
(This is a real company and this is really how
this works)
9

10. The Chipset Manufacturer
– Wants to sell chips
– Provides bare-minimum reference designs that show how to get something working
– Not responsible for end product, at all.
10

11. The Branded Device
– Purchased at retail from Big Box Store
– Provides the data and interface to provide the service
– What the customer installs in their home, next to their baby
– Connects to home WIFI
– Firmware developed by agency, based on reference from the ODM
– Melkin is responsible for warranty, sales, support, etc
11

12. The Platform
– Needs to connect the service to the device
– Should have minimal impact on the final cost
of the device
– Contracted by a third party, either build or
buy—Melkin doesn’t want to deal with it. Best
case, fully outsourced and managed. Worst-
case: Managed by Melkin
– Provides examples (firmware, app) how to
communicate with it
– Example: Arrayent
12

13. Overview
– App design: Outsourced
– App implementation: Outsourced
– Hardware Design: Outsourced
– Firmware: Outsourced, based on Outsourced example from Outsourced Chipset example
– Platform: Outsourced
– Seller: Retail Store
– Connectivity: Home WIFI (ISP), Home Router
– Final Product Responsibility: Melkin
13

14. What to do / Where to address?
– Let’s fix the perverse incentives: Companies require security but actively choose against suppliers who
price it in to offers.
– GDPR huge help—significant fines for bad behavior for end responsible company
– Need to spread responsibility to all involved parties
– Proliferation of bad examples: Let’s build security in from the very beginning—Chipset manufacturers,
Reference Designs, etc.
– Education and guides on what to look for in products
– More openness: Open source, open spec, open APIs,
– Financial incentives, positive or negative
14

15. Thank you. Let’s talk!
Jeff Katz
Senior Practice Lead IT / Engineering
Telefónica Germany NEXT GmbH
jeff@geeny.io • jeff.katz@telefonica.com • @kraln
https://developers.geeny.io
join the Geeny developer community