3. Agenda
The Basics
IoT?
The concepts
Digging a little deeper
Supply Chain
Push out those ideas to
market
The realities
Numbers on the rise
The issues
Pfft...whats security? But wait,
my privacy
The Resolutions
Saving the world
5. “The Internet of Things (IoT) is the
network of physical objects that
contain embedded technology to
communicate and sense or interact
with their internal states or the
external environment..Source: http://www.gartner.com/it-glossary/internet-of-things/
18. Original Design Manufacturer (ODM)
❏ designs and manufactures a product
❏ eventually rebranded by another firm for sale
❏ allow the brand firm to produce (either as a supplement or
solely) without having to engage in the organization or running
of a factory.
❏ own cloud infrastructures for customers
❏ Provide SDKs
★ Many ODMs in China
★ A dime a dozen
http://en.wikipedia.org/wiki/Original_design_manufa
cturer
19. Cloud Service Providers
❏ Amazon
❏ Microsoft
❏ Google
❏ Thingsworx
❏ ODM Clouds
❏ Have their own SDKs
❏ Who knows where else?
http://en.wikipedia.org/wiki/Original_design_manufa
cturer
20. Original Equipment Manufacturer (OEM)
❏ Manufacturers who resell another company's
product under their own name and branding.
❏ Offers its own warranty, support and licensing
of the product.
http://en.wikipedia.org/wiki/Original_design_manufa
cturer
21. IoT Supply Chain Process
BSP ODM OEM
★ Each likely to outsource development work
and have multiple teams
CSP
25. Supply Chain Process (Cont)
Sales
★ Get the
business
★ Outreach
★ Create
relationships
PM’s
★ Prioritizes
★ Objective
Based
★ Project specific
to engineer
team
Engineers
★ Write Code
★ May not be a
big team
★ Different
workflows per
dev team
★ Split up into
features. I.E UI
team, UX team,
backend,
Android, iOS
35. ❏ Network Security
❏ ACLs
❏ Systems
❏ DB
❏ Web servers
❏ LBs
❏ Daemons
❏ Application Security
❏ Language
❏ Frameworks
❏ 3rd Party Libs
Web App / Operational Security
A lot of work!!!....
36. ❏ Windows
❏ OSX
❏ Old School CD setup
❏ Data storage
❏ Data permissions
❏ Persistence
Desktop Apps
41. “Because computers go through so
many hands before they’re delivered
to you, there’s a serious concern
that anyone could backdoor the
computer without your knowledge
Source: Jonathan Brossard-http://resources.infosecinstitute.com/hardware-attacks-
backdoors-and-electronic-component-qualification/
42. What not to do
❏ UART pins exposed unauthenticated or using
simple passwords
❏ Manufacturing Debugging Scripts
❏ Backdoors using secret user agents
❏ Private Keys on devices (Dont rely on
obscurity)
❏ Default Passwords
★ Ton of other backdoors from software down to
HDL code in the chipset
43. Secure It Already (Embedded)
❏ Restrict Shell with
tamper resistant
epoxy and silk
screen
❏ Very long passwds
❏ Update Kernel and
Packages
❏ Harden OS by
removing unused
code
❏ Secure updates
❏ Secure C Functions
❏ Verify and test code
46. “Implement “security by design.”
Rather than grafting security on as
an afterthought, build it into your
products or services at the outset of
your planning process
Source:https://www.ftc.gov/system/files/documents/plain-language/pdf0199-
carefulconnections-buildingsecurityinternetofthings.pdf
47. FTC and EU Commission
❏ Privacy By Design
❏ Security By Design
❏ Categorization of IoT devices
❏ Biggest Consumer Protection
http://www.ftc.gov/news-events/press-releases/2013/04/ftc-seeks-
input-privacy-and-security-implications-internet-things
55. Fixing The IoT
❏ LIABILITY!
❏ Security service agreements with ODMs
❏ Legal repercussions
❏ Community Projects
❏ Security Awareness
❏ Security Processes into SDLC
❏ A common certification standard (Wi-FI &
Zigbee)
★ Realistic? ……… Maybe
In embedded systems, a board support package (BSP) is implementation of specific support code (software) for a given (device motherboard) board that conforms to a given operating system. It is commonly built with a bootloader that contains the minimal device support to load the operating system and device drivers for all the devices on the board. Some suppliers also provide a root file system, a toolchain for making programs to run on the embedded system (which would be part of the architecture support package), and configurators for the devices (while running). http://en.wikipedia.org/wiki/Board_support_package
First, companies should build security into their devices at the outset, rather than as an
afterthought. As part of the security by design process, companies should consider:
(1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and
retain; and (3) testing their security measures before launching their products. Second, with
respect to personnel practices, companies should train all employees about good security, and
ensure that security issues are addressed at the appropriate level of responsibility within the
organization. Third, companies should retain service providers that are capable of maintaining
reasonable security and provide reasonable oversight for these service providers. Fourth, when
companies identify significant risks within their systems, they should implement a defense-indepth
approach, in which they consider implementing security measures at several levels. Fifth,
companies should consider implementing reasonable access control measures to limit the ability
of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
Finally, companies should continue to monitor products throughout the life cycle and, to the
extent feasible, patch known vulnerabilities.