y20151003 iot 資訊安全_趨勢科技分享

IoT Security SolutionTrend Micro Consumer CBUDirector, Global Consumer Sales Enablement and Business DevelopmentSteven Hsu ([email protected])

Agendaq Trend Micro Introduction

q Company Profileq SPN (Smart Protection Network)

q IoT Overview and Security Solutionq Year 2020 and Sharing Economyq IoT Service, Technology and Echo Systemq IoT Security challengesq IoT Hacking Case Studyq Trend IoT security solutions Overview

q Trend Micro Strengths in IoTq Q&A

Copyright 2015 Trend Micro Inc. 2

FoundedHeadquartersMarket Cap2014 SalesCustomers

1988, United StatesTokyo, Japan5B USD$1.05B USD500,000 businesses,Millions of consumers

A world safe for exchanging digital information

3

The world’s largest pure-‐play security software company

Copyright 2015 Trend Micro Inc.

Small Business Midsize Business EnterpriseConsumers

5200+ Employees, 38 Business units worldwide


Trend Micro leads the world in securityGlobal 500 accounts

l48 of the top 50 global corporationsl10 of the top 10 automotive companiesl10 of the top 10 telecom companiesl8 of the top 10 banksl9 of the top 10 oil companies

Trust Trend MicroSecurity Solutions

Trend Micro protects96% of the top 50 global corporations.

Trend Micro protects100% of the top 10 automotive companies.

Trend Micro protects100% of the top 10 telecom companies.

Trend Micro protects80% of the top10 banks.

Trend Micro protects90% of the top10 oil companies.

• AV Test awarded Internet Security with "Best Protection" in 2015, March 2015• ICSA Labs awards Trend Micro for 15 Year Excellence in Testing Award 2015, April 2015

Market Leadership Position

In the industry

With partners

• CRN 5 STAR Partner Program Guide Winner 2015, February 2015

In the cloud

• Simply Security was rated #1 in Best Cloud Security Blogs in 2015, March 2015• #1 Server Security Market ShareWorldwide Corporate Endpoint Server Security Revenue Share by Vendor, 2013 Source : IDC, 2014

• SC Magazine Award Finalist for Best Security Company 2015, January 2015

GLOBAL SENSOR NETWORK Collects More Information in More Places• Hundreds of millions of sensors• 16 billion threat queries daily

GLOBAL THREAT INTELLIGENCEAccurately Analyzes & Identifies Threats Faster• Identifies new threats 50x faster than average (NSS Labs)

PROACTIVE PROTECTIONBlocks Real-‐World Threats Sooner• 250M threats blocked daily• 500k new threats identified per day

Copyright 2014 Trend Micro Inc. Source: All values from Trend Micro Smart Protection Network statistics, July 2014


Trend Micro Consumer VisionEnjoy your digital life safely as a family!

End Point Security to Family ProtectionDevice care to People care

Solution to Service

7Confidential | Copyright 2015 TrendMicro Inc.

IoT Overview and Security Solution

2020 and Sharing Economy

IoT Service, Technology and Echo System

Market ChallengesIoT Security Concern

Trend Micro Solution

What will happen in 2020?


33 billion objects will be linked together globally. (included PC, Mobile, Smartphone -

Gartner)

Globally, in average each person will have more than 3 IoT devices.

Total data amount will be 40,206 exabytes and 37% will in cloud (IDC)

IDC estimated IoT marketing will reach to US$ 7,065 billion.

物聯網的精髓 - 有效率的資源運用與分配

分享 (Sharing) 使用權優於擁有權，使用商品服務化最大的內容網站， Facebook 不擁有內容; 最大的運輸服務公司，Uber 沒有計程車；最大的電子商務商，阿里巴巴並沒有任何的倉儲; Airbnb 也不擁有飯店。

互動 (Interacting) 你在看手機，手機也在看你設備上的感應器或是螢幕會追蹤我們的情緒，地點，觀察你觀看內容的時候是高興、是悲傷或是憤怒，並據此適合你當前情緒的內容。

流動 (Flowing) 所有的商業都是數據的商業客戶的資料和客戶一樣重要。不僅僅要收集資料，還應該讓資料動起來，讓資料和其它資料聯繫起來並分享出去，沒有分享出去的資料是沒用的。

認知 (Cognifying) 把智慧賦予事物，AI將會服務人類AI 將會成為一種服務。我們並不需要自己研發 AI，而是通過網路使用 AI 的説明解決一些事務。

共享經濟

Source: Kevin Kelly speech in CoWork event 2015 June

物聯網對製造業的機會


改變遊戲規則現況提高市值與降低風險與目前電子商務商做比較，製造業必需承擔庫存與產品生產過程中的所有風險，但是反觀電子商務商的市值卻遠高過於傳統製造業許多。電子商務商除了掌握產品價格談判與其物流管理的優勢之外，最主要的是他們掌握了消費者的資料與資訊，例如購買歷史資料與信用卡資料等。

洞悉你的客戶需求延伸產品生命週期管理至消費者使用習慣的回饋網際網路所帶來的便利使得產品價格透明化與全球化，這也導致如何有效的管理產品生命週期以降低產品生產風險，透過物聯網的設置，產品所回饋的資料彙整，再利用大數據資料的分析就可以充分了解消費者使用習慣並轉化成未來產品功能需求於產品生命管理系統內。

商品服務化掌握優質客戶提供優良服務是掌握優質客戶的首要條件，透過物聯網的機制與CRM的整合，產商可以早一步預想客戶所渴望的服務內容為何，進而在對的時間提供給予消費者，並轉換成優質客戶，此舉可以大大降低一次性購買的客戶數，提高客戶重複購買的機會。

市值比較 –高風險低市值，Why?


阿里巴巴市值6.2 兆臺幣

海爾市值 2 千億臺幣

市值4百億臺幣網路家庭

市值2 百億臺幣大同

市值7.5 千億臺幣樂天

市值9.5千億臺幣松下

亞馬遜市值7.4 兆臺幣

沃爾瑪市值 7 兆臺幣

改變遊戲規則現況


洞悉你的客戶需求

電子商務PLM CRMSCM ERP

生產製造通路銷售消費者

零售市場倉儲量販

信用卡資料

消費行為消費者資訊

會員募集產品促銷季節活動

電子商務PLM CRMSCM ERP 零售市場倉儲量販

信用卡資料

消費行為消費者資訊

會員募集產品促銷季節活動

IoT IoT

產品使用行為

產品功能數據

物聯網平台

產品使用年限

IoT

IoT

IoT


生產製造通路銷售消費者

電子商務PLM CRMSCM ERP 零售市場倉儲量販

信用卡資料

消費行為

消費者資訊

會員募集

產品促銷

季節活動

IoT

IoT

產品使用行為

即時性售後服務

物聯網平台

產品使用年限

IoTIoTIoT

商品服務化

產品功能數據

商品更新服務

舊換新服務

新產品試用服務


IoT Service, Technology and Echo System


IoT Services and Technology

IoT Ecosystem Challenges


Volume Variety Velocity

Intel machine to machine ecosystem graphic

IoT Market Challenges


Source: Worldwide and Regional Internet of Things (IoT) 2014–2020 Forecast: A Virtuous Circle of Proven Value and Demand


Tizen

AndroidFire OS

iOSWindows Phone

MeeGo

Palm OS

webOS

BlackBerry

symbian

FireFox

Sounds Familiar?


IoT Security Challenges

Security Concerns

IoT Security Research Findings


Source: HP Internet of Things Research http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-‐4759ENW.pdf

of devices collected atleast one piece of

personal information viathe device, the cloud,

or its mobile application

of devices usedunencrypted network

service.

of devices along with theircloud and mobile

application enable anattacker to identify validuser accounts throughaccount enumeration

of devices along with theircloud and mobile

application componentsfailed to require

passwordsof a sufficient complexity

and length.

devices thatprovide user interfaces

were vulnerable to a rangeof issues such as persistentXSS and weak credentials.

Privacy Encryption HACK HACK AAA

An Expanded Attack Surface Increases the Challenge of Securing IoT Products

Copyright 2015 Trend Micro Inc. 21Source: http://ebooks.capgemini-‐consulting.com/security-‐in-‐the-‐internet-‐of-‐things/IoT_infograph.pdf

60% 55% 50%Securing access to theend-‐Point device

Securing thecommunication

channel

Deployingsecurity updates remotely on end-‐point devices

Key Challenges to Securing IoT Products: % of respondents

PC Security vs. IoT Security


PC

Add-‐on security

Powerful

Client/Server

Decline 10%

Build in security

IoT

Constrain

CloudGatewayEmbedded

Growth 40-‐50%


Cars Hack Study Case

Jeep Cherokee Hack Case Study


Fiat Chrysler Automobiles recall of 1.4 million vehicles with a potential

cybersecurity flaw

Man-‐in-‐the-‐Middle Attack• Samy Kamkar creator of OwnStar has presented a new gadget that could be

exploited to hacks GM Cars (OnStar App), BMW Remote, Mercedes-‐Benz mbrace, and Chrysler Uconnect apps.

• The tool allows to locate, Unlock, and Start Them

http://securityaffairs.co/wordpress/39375/hacking/ownstar-‐attack-‐bmw-‐chrysler-‐mercedes.html

• Marc Rogers and Kevin Mahaffeydisclosure Tesla's Model S with 5 vulnerabilities

• But both hackers said Tesla deserved credit for what it had got right about car software securitybecause Tesla's fleet could be updated "over the air"


Other Case Study

Rifle Hack Case Study


Integrated Toilet hack• The Satis is a "smart" toilet. It is controlled using LIXIL's "My Satis” Android

application, which communicates with the toilet using Bluetooth.• Vulnerability allow attacker to mess up with your toilet seat, flush out of

water, lift up/down the toilet seat

http://technews.tw/2013/08/13/high-‐tech-‐toilet-‐gets-‐hacker-‐warning-‐nothing-‐is-‐safe/

• The "My Satis" Android application has a hard-‐coded Bluetooth PIN of "0000” as can be seen in the following line of decompiled code from the application.

Could your fridge send you spam?

• Proofpoint says that between 23 December, 2013 and 6 January, 2014, the 100,000-‐strong botnet sent out more than 750,000 “malicious email communications” with more than “25 per cent of the volume sent by things that were not conventional laptops, desktop computers or mobile devices.”

http://www.independent.co.uk/life-‐style/gadgets-‐and-‐tech/news/could-‐your-‐fridge-‐send-‐you-‐spam-‐security-‐researchers-‐report-‐internet-‐of-‐things-‐botnet-‐9072033.html

Hacker hijacks wireless Foscam baby monitor, talks and freaks out nanny

• A hacker used the Foscam security camera to talk to the nanny of a one-‐year-‐old girl. She heard talking coming from the security camera, a man saying, "Oh, that's a beautiful baby.”

• Foscam has been reported three instance for these kind of hacking due to password vulnerability (empty user name required no password) and people using default user name/password

http://www.computerworld.com/article/2878741/hacker-‐hijacks-‐wireless-‐foscam-‐baby-‐monitor-‐talks-‐and-‐freaks-‐out-‐nanny.html

九陽智慧豆漿機

• With Wi-‐Fi function connect to Mobile App and Cloud. • Using network sniffer found out, Mobile IEMI is the Mobile ID to get the session

key thru the cloud, then get the device ID thru the session key.• Once go the device ID can send HTTP command to cloud and mess up with

different devices


http://www.freebuf.com/articles/terminal/78196.html

Shodan Expose on-‐line device• The Shodan search engine is the Google for the Internet of Things, a

playground for hackers and terrorists -‐-‐ and, maybe, a useful tool for companies looking to lock down their own environment


Even the FBI is worried about Internet of Things security


• FBI Sep. 10, 2015 issued a public service announcement regarding cybercrime opportunities posed by the connecting of all sorts of data-‐enabled devices, from medical gear to entertainment gadgets, to the Internet.

• The FBI cites "deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness," with giving cybercrooks an opening to plot attack and steal information.

http://www.computerworld.com/article/2983793/data-security/even-the-fbi-is-worried-about-internet-of-things-security.html?phint=newt%3Dcomputerworld_security&phint=idg_eid%3D7e21d0a5c7c13c7adbc9bf097fb770ab#tk.CTWNLE_nlt_security_2015-09-14http://www.ic3.gov/media/2015/150910.aspx

Typical attack


AAA Penetration

Steal KeyCertification

FakeFirmware

Cloud Penetration

Backdoor Credentials Default Name/PasswordDirect Web AccessMan in the Middle

Get device fix key and certification to breakthe encryption and getaccess right

Modify Firmware and signed with steal KeyControl device for further penetration

Attack Cloud system for backend valuable data

1 2 3 4

Attack

authentication authorization accounting

Interface

Device Web App Mobile App Cloud

35Copyright 2015 Trend Micro Inc.

Trend Micro IoT Security Solutions Overview


Solution Deployment

Trend Micro Strength in IoT


1Top 3 worldwide security company with 26+ years experience and with full dedication in the security field.

Security

2Comprehensive Operation Infra

3Cloud Technology

4Big Data Analysis

Full experiences in different OS development with API creation and integration. Completed SOP for security update infra and data storage.

World first one create Cloud based security. Partners with Amazon AWS and Microsoft Azure with full experience in Cloud infra constriction.

Few company has the real experience in Hadoop deployment and apply in the real business operation.

Q&A

39Copyright 2015 Trend Micro Inc.

OWASP IoT Top 10 Security Concerns


Security concerns

1. Insecure Web Interface HACK

Category

2. Insufficient Authentication/Authorization AAA

3. Insecure Network Services HACK

4. Lack of Transport Encryption AAA

5. Privacy Concerns PRIVACY

6. Insecure Cloud Interface HACK

7. Insecure Mobile Interface HACK

8. Insufficient Security Configurability AAA

9. Insecure Software/Firmware HACK

10. Poor Physical Security PHYSICALSource: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014

!

!

!

!

!

!

!

!

!

!