"iot security - make vs buy?" - iot data analytics & visualization summit 2016

IoT Security Make vs Buy? Feb 2016

Upload: verimatrix

Post on 14-Jan-2017


Page 1: "IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016

IoT Security - Make vs Buy?

Feb 2016


Copyright © 2016 Verimatrix, Inc.

They Tell Us IoT Will be BIG!


Opportunity vs Threat

Technical exposure

Business risk

Customer confidence

Regulatory compliance


More Connectivity >>> More Threat Surfaces

Device control

Reprogramming

Man in middle
• Intercepting communication
• Alter communication
• Pretend to be a different player

Jamming / Blocking

Replay

Cloning

Monitoring

Data theft


Attacker Incentive

Research

Hacktivist

Economic – Exploits or Crime

Terrorism

Cyber warfare


Attacks: SOHO examples

FAIL: Management backdoors

FAIL: Password vulnerabilities

FAIL: Update verification

https://www.sohopelesslybroken.com/news.html


Attacks: Samsung Fridge

FAIL: test validity of SSL certificate

Threat: Neighbor stealing gmail credentials

http://www.theregister.co.uk/2015/08/24/smart_fridge_security_fubar/


Attacks: Vizio TV

FAIL: test validity of SSL certificate

Threat: Impact on privacy

Awareness: 6th link

http://arstechnica.com/security/2015/11/man-in-the-middle-attack-on-vizio-tvs-coughs-up-owners-viewing-habits/


Attacks: Baby Monitor

Baby monitor weaknesses overview:

http://fusion.net/story/192189/internet-connected-baby-monitors-trivial-to-hack/

Threat: someone close by listening to your baby.


Attacks: Hue Light Bulb

Fail: Securing Token

Threat: Control light – remotely

http://www.dhanjani.com/blog/2013/08/hacking-lightbulbs.html


Attacks: Smart Meter

Open protocol / credentials

Threat: Smart meter data provides info on
• Appliance: HDR TV
• Occupancy and schedule

From: Smart Meter Data: Privacy and Cybersecurity Congressional Research Service R42338


Attacks: Jeep

FAIL: No segmentation

FAIL: No OTA update

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Threat: Losing control in a moving car


Attacks: Cloud

…and many others such as Sony


IoT Security Snapshot

Device Hardware Security
• TPM (Trusted Platform Module) and SE (Secure Element)
• Used to harden software-based security solutions in a layered security approach
• Secure storage
• Secure boot

Secure Device Update
• Leverages security credentials and signature process to enable a trusted service for full or modular software update

Secure IP Communications
• Leverages security credentials to provide authenticated client comms end point and connection-oriented or connectionless secure communications framework

Data Management and Integrity
• Data aggregation, access control and auditing
• Policy compliance, regulatory compliance

Threat monitoring & response
• Activity tracking, signature analysis, flagging threats and orchestrating response


IoT Vertical Markets – Generic Challenges

• Cloud data integrity and compliance
• Threat monitoring and response
• Secure device communications
• Secure device update
• Device integrity, credential mgmnt

Smart Home, Automotive, mHealth, Smart Cities, Industrial


Who Would You Trust?

Not just for Christmas - typical lifetime tasks
• Device credential management
• Secure software update
• Trusted secure IP communications – TCP, UDP, unicast, multicast
• Device threat monitoring
• Threat reporting/aggregation/alerting
• Data curation - secure repository with regulatory and policy compliance

Few in the industry with a broad, long term track record


Summary

Threat surface of connected systems is extensive

The security challenge exists over the lifetime of the application

How do you combine innovation and system integrity?


Discussion
