Some IoT Security Learnings
TRANSCRIPT
© EVRYTHNG INC. | 2016 | COMMERCIAL & CONFIDENTIAL
Smarter products come with EVRYTHNG
Some IoT Security Learnings & Perspectives: From a Developer's / CTO's viewpoint
Dominique Guinard, CTO – co-founder | @domguinard | @EVRYTHNG
What's the IoT? Have you been sleeping for the past few years?
“The IoT is a science primarily focusing on creating the most complex ways of turning lights on.” [@domguinard]
Pre IoT
Post IoT
Post IoT
Really need a better definition? Okay...
▪ DEFINITION: The Internet of Things is a system of physical objects that can be discovered, monitored, controlled, or interacted with by electronic devices that communicate over various networking interfaces and eventually can be connected to the wider Internet.
EVRYTHNG? In a nutshell!
EVRYTHNG in a Nutshell
▪ ~60 people worldwide in 2017
▪ New York, London, San Francisco
▪ 1/2 Billion unique managed THNGS
▪ 100s of Billions of managed products
We are hiring! https://evrythng.com/about/jobs/
What do we provide?
Any consumer application Any business application or ecosystem
Any product with tags Any product with connectivity
Free tier for developers on: http://developers.evrythng.com
EVRYTHNG: The Web of Things Platform
[Architecture diagram, labels only: Tagged products; Connected products; connection paths: direct, via gateway, THNGHUB; EVRYTHNG CLOUD / LOCAL Clouds; protocols: REST, MQTT, CoAP, WS; APIs & SDKs; Mobile & Web SDKs; Cloud 2 Cloud Plug-ins; Metrics Engine; Big data DB; THNG Push; THNG Access; ADI Engine; Reactor; THNGScan; consumers: Web & Native Apps, Dashboards, ENTERPRISE]
▪ 10 billion “born digital” apparel products by 2017
▪ Identity as NFC, QR, UHF RFID - Activation by brands
▪ Rochambeau:
− Jacket comes with personalized content and VIP event/retail experiences to enhance ownership
Success Story
Case Study
▪ iHome uses EVRYTHNG for their next-gen family of smart home products
− 4 different products: smart plugs, smart monitors, etc.
− 1 of 5 initial HomeKit certified products
− Uses the out-of-the-box Marvell toolkit for devices with MQTT support
− Integrated with Nest, SmartThings, Wink, and with iHome CRM
− Android and iOS apps for setup, creating scenes, timers and granting access to other users
Success Story
Learnings #1: Don't re-invent the wheel; your wheel won't be secure for years!
Choose your network protocols wisely!
Reuse the Web: Web of Things Architecture
▪ Converge all the Things towards Web protocols!
− Web Gateway
▪ WoT principles:
▪ Reuse the Web!
▪ => Choose secure Web protocols
− HTTPS, WSS with TLS
▪ Unless:
− Battery powered
− Very low-power
− Need for a mesh
Learnings #2: #1 sometimes does not work… sorry!
“Good” excuses (today): Battery powered? Very low-power? Need for a mesh?
Very different breeds of embedded devices!
Multicores, 32-64 bits, X GB of RAM, X GB of Flash
VS
Microcontroller, 8 bits, X KB of RAM, X KB of ROM
There is hope!
Learnings #3: People don't change passwords, they just don't!
Get the basics right!
▪ DynDNS DDoS “IoT” attacks Oct 21 2016:
− Based on devices with default passwords
▪ CloudPet IoT kids attack:
− No password on exposed MongoDB
▪ Many IoT devices not using TLS
There are nice tools that can help!
▪ OWASP IoT
▪ GSMA IoT Security Self-Assessment
▪ Shodan.io
▪ Hire a security professional!
Learnings #4: You will need to release security fixes to Things, and people don't like downloading patches on fridges...
Very different breeds of embedded devices!
▪ Good dual firmware solutions for low-power RTOS devices
− Beware: certificates do expire!
▪ Wink Hub 2015
VS
▪ Great container based solutions for Linux based devices
A Store of Containers for all the Things: Ubuntu Core
[https://www.ubuntu.com/core]
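An added example, not code from the talk or from EVRYTHNG, that turns Learnings #1, #3 and #4 into one defender-side check a device team can run: a TLS client context that really verifies the server (instead of a home-grown transport), a scan of a device's shipped settings for cleartext transport and default passwords, and an expiry check on the server certificate so a fleet is warned before the certificates baked into its firmware lapse. The device config, broker hostname and certificate dates are constructed sample values; only the Python standard library is used.

```python
import ssl
import time

# Constructed sample device settings (hypothetical vendor defaults, not EVRYTHNG's).
DEVICE_CONFIG = {
    "broker_url": "mqtts://broker.example.com:8883",
    "verify_tls": True,
    "admin_password": "admin",
}
# Constructed certificate fields in the form SSLSocket.getpeercert() returns them.
SAMPLE_PEERCERT = {"notAfter": "Jan  1 00:00:00 2030 GMT"}
# Fixed "current time" so the example is reproducible offline.
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec  1 00:00:00 2029 GMT")

WEAK_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "root"}
TLS_SCHEMES = {"https", "wss", "mqtts", "coaps"}


def make_client_context():
    """Client TLS context that validates the chain and the hostname (Learning #1)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # reject certificates issued for another host
    ctx.verify_mode = ssl.CERT_REQUIRED  # never fall back to an unverified connection
    return ctx


def days_until_expiry(peercert, now=None):
    """Days left on the server certificate; negative means already expired (Learning #4)."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400


def audit(config, peercert, now=None, warn_days=30):
    """Return the list of basic hygiene failures for one device configuration."""
    findings = []
    scheme = config["broker_url"].split("://", 1)[0].lower()
    if scheme not in TLS_SCHEMES:
        findings.append("cleartext transport: " + scheme)
    if not config.get("verify_tls", False):
        findings.append("TLS certificate verification disabled")
    if config.get("admin_password", "") in WEAK_DEFAULT_PASSWORDS:
        findings.append("default or empty admin password")  # Learning #3
    remaining = days_until_expiry(peercert, now)
    if remaining < 0:
        findings.append("server certificate expired")
    elif remaining < warn_days:
        findings.append(f"server certificate expires in {remaining:.0f} days")
    return findings
```

Running `audit(DEVICE_CONFIG, SAMPLE_PEERCERT, now=SAMPLE_NOW)` flags only the default password; moving the clock past the certificate's notAfter adds the expiry finding, which is the case a field firmware update must be planned around.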
Some thoughts for the (not so far) future!
“[...] Next comes ubiquitous computing, or the age of calm technology, when technology recedes into the background of our lives [...]” [Mark Weiser, 1988]
A device on the Internet = a device on the Internet!
● DDoS attacks against IoT devices
● UDP flooding / TCP SYN attacks
● Hacking the physical world
Think usable security
● How do we make security more accessible to the masses?
● Make security experts and usability experts work together!
IoT Things and Devices generate data, privacy?
● People are actually used to giving away their privacy (mobile phone?) for a real benefit
● Empower people to understand what they share and monetize it
Trust @ IoT: Blockchains might help!
▪ Nice properties of blockchains:
− Coordination
− Resilience
− Compliance
− Consensus
− Transparency
− Immutability
− Security
− Trust
Every Action in the EVRYTHNG system can now be automatically backed by a corresponding Blockchain transaction that guarantees the Action was genuine and hasn't been tampered with.
39% off “Building the Web of Things” with code “39guinard” on http://manning.com
Contact: @domguinard | http://dom.guinard.org
See: http://book.webofthings.io
We are hiring!