20151003 IoT Information Security - Trend Micro Sharing
TRANSCRIPT
IoT Security Solution
Trend Micro Consumer CBU
Director, Global Consumer Sales Enablement and Business Development
Steven Hsu ([email protected])
Agenda
• Trend Micro Introduction
  • Company Profile
  • SPN (Smart Protection Network)
• IoT Overview and Security Solution
  • Year 2020 and Sharing Economy
  • IoT Service, Technology and Ecosystem
  • IoT Security Challenges
  • IoT Hacking Case Study
  • Trend IoT Security Solutions Overview
• Trend Micro Strengths in IoT
• Q&A
Copyright 2015 Trend Micro Inc. 2
Founded: 1988, United States
Headquarters: Tokyo, Japan
Market Cap: 5B USD
2014 Sales: $1.05B USD
Customers: 500,000 businesses, millions of consumers
A world safe for exchanging digital information
The world's largest pure-play security software company
Consumers | Small Business | Midsize Business | Enterprise
5200+ Employees, 38 Business units worldwide
Trend Micro leads the world in security
Global 500 accounts
• 48 of the top 50 global corporations
• 10 of the top 10 automotive companies
• 10 of the top 10 telecom companies
• 8 of the top 10 banks
• 9 of the top 10 oil companies
Trust Trend Micro Security Solutions
Trend Micro protects 96% of the top 50 global corporations.
Trend Micro protects 100% of the top 10 automotive companies.
Trend Micro protects 100% of the top 10 telecom companies.
Trend Micro protects 80% of the top 10 banks.
Trend Micro protects 90% of the top 10 oil companies.
Market Leadership Position
In the industry
• AV Test awarded Internet Security with "Best Protection" in 2015, March 2015
• ICSA Labs awards Trend Micro the 15 Year Excellence in Testing Award 2015, April 2015
• SC Magazine Award Finalist for Best Security Company 2015, January 2015
With partners
• CRN 5 STAR Partner Program Guide Winner 2015, February 2015
In the cloud
• Simply Security was rated #1 in Best Cloud Security Blogs in 2015, March 2015
• #1 Server Security Market Share (Worldwide Corporate Endpoint Server Security Revenue Share by Vendor, 2013; source: IDC, 2014)
GLOBAL SENSOR NETWORK: Collects More Information in More Places
• Hundreds of millions of sensors
• 16 billion threat queries daily
GLOBAL THREAT INTELLIGENCE: Accurately Analyzes & Identifies Threats Faster
• Identifies new threats 50x faster than average (NSS Labs)
PROACTIVE PROTECTION: Blocks Real-World Threats Sooner
• 250M threats blocked daily
• 500k new threats identified per day
Source: All values from Trend Micro Smart Protection Network statistics, July 2014
Trend Micro Consumer Vision
Enjoy your digital life safely as a family!
End Point Security to Family Protection
Device care to People care
Solution to Service
IoT Overview and Security Solution
2020 and Sharing Economy
IoT Service, Technology and Ecosystem
Market Challenges
IoT Security Concern
Trend Micro Solution
What will happen in 2020?
• 33 billion objects will be linked together globally, including PCs, mobile devices and smartphones (Gartner).
• Globally, on average each person will have more than 3 IoT devices.
• Total data volume will be 40,206 exabytes, and 37% of it will be in the cloud (IDC).
• IDC estimates the IoT market will reach US$ 7,065 billion.
The essence of IoT: efficient use and allocation of resources
Sharing: the right to use outranks ownership, and products become services. The largest content site, Facebook, owns no content; the largest transportation service company, Uber, has no taxis; the largest e-commerce company, Alibaba, has no warehouses; Airbnb owns no hotels.
Interacting: you look at your phone, and your phone looks at you. Sensors or screens on devices will track our emotions and location, observe whether you are happy, sad or angry while viewing content, and serve content that suits your current mood.
Flowing: every business is a data business. Customer data is as important as the customers themselves. It is not enough to collect data; data must be set in motion, linked with other data and shared. Data that is not shared is useless.
Cognifying: giving intelligence to things; AI will serve humanity. AI will become a service. We do not need to develop AI ourselves; we will use AI's help over the network to solve tasks.
Sharing Economy
Source: Kevin Kelly speech in CoWork event 2015 June
Opportunities of IoT for manufacturing
Changing the rules of the game: raising market value and lowering risk. Compared with today's e-commerce companies, manufacturers must bear all the risk of inventory and the production process, yet the market value of e-commerce companies far exceeds that of traditional manufacturers. Beyond their advantages in product price negotiation and logistics management, the main reason is that e-commerce companies hold consumer data and information, such as purchase history and credit card data.
Understand your customers' needs: extend product lifecycle management to feedback on consumer usage habits. The convenience brought by the Internet has made product pricing transparent and global, which raises the question of how to manage the product lifecycle effectively to reduce production risk. With IoT in place, the data fed back by products can be aggregated and analysed with big data techniques to fully understand consumer usage habits and turn them into future product feature requirements in the product lifecycle management system.
Products as services: capturing quality customers. Providing good service is the first condition for capturing quality customers. By integrating the IoT mechanism with CRM, manufacturers can anticipate what service customers want and deliver it at the right time, converting them into quality customers. This greatly reduces the number of one-time buyers and raises the chance of repeat purchases.
Market value comparison: high risk, low market value. Why?
• Alibaba market value: NT$6.2 trillion
• Haier market value: NT$200 billion
• PChome Online market value: NT$40 billion
• Tatung market value: NT$20 billion
• Rakuten market value: NT$750 billion
• Panasonic market value: NT$950 billion
• Amazon market value: NT$7.4 trillion
• Walmart market value: NT$7 trillion
Changing the rules of the game
[Diagram: value chain from manufacturing through channel sales to consumers. E-commerce players sit across PLM, CRM, SCM and ERP, the retail market, warehousing and wholesale, and hold credit card data, consumer behaviour and consumer information, used for membership recruitment, product promotion and seasonal campaigns.]
Understand your customers' needs
[Diagram: the same value chain with IoT devices feeding an IoT platform with product usage behaviour, product feature data and product lifespan.]
Products as services
[Diagram: the IoT platform additionally feeds real-time after-sales service, product update service, trade-in service and new product trial service.]
IoT Service, Technology and Ecosystem
IoT Services and Technology
IoT Ecosystem Challenges
Volume, Variety, Velocity
[Figure: Intel machine-to-machine ecosystem graphic]
IoT Market Challenges
Source: Worldwide and Regional Internet of Things (IoT) 2014–2020 Forecast: A Virtuous Circle of Proven Value and Demand
Tizen, Android, Fire OS, iOS, Windows Phone, MeeGo, Palm OS, webOS, BlackBerry, Symbian, Firefox
Sounds Familiar?
IoT Security Challenges
Security Concerns
IoT Security Research Findings
Source: HP Internet of Things Research http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
[Figure: percentage of devices per finding; the percentage values are not recoverable from the transcript]
• Privacy: ... of devices collected at least one piece of personal information via the device, the cloud, or its mobile application
• Encryption: ... of devices used unencrypted network services
• HACK: ... of devices, along with their cloud and mobile application, enable an attacker to identify valid user accounts through account enumeration
• HACK: ... of devices, along with their cloud and mobile application components, failed to require passwords of sufficient complexity and length
• AAA: ... of devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials
An Expanded Attack Surface Increases the Challenge of Securing IoT Products
Source: http://ebooks.capgemini-consulting.com/security-in-the-internet-of-things/IoT_infograph.pdf
Key Challenges to Securing IoT Products: % of respondents
• 60%: Securing access to the end-point device
• 55%: Securing the communication channel
• 50%: Deploying security updates remotely on end-point devices
PC Security vs. IoT Security
PC: Add-on security | Powerful | Client/Server | Decline 10%
IoT: Built-in security | Constrained | Cloud / Gateway / Embedded | Growth 40-50%
Car Hack Case Study
Jeep Cherokee Hack Case Study
Fiat Chrysler Automobiles recalled 1.4 million vehicles with a potential cybersecurity flaw.
Man-in-the-Middle Attack
• Samy Kamkar, creator of OwnStar, has presented a new gadget that could be used to hack GM cars (OnStar app), BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect apps.
• The tool allows an attacker to locate, unlock, and start them.
http://securityaffairs.co/wordpress/39375/hacking/ownstar-attack-bmw-chrysler-mercedes.html
• Marc Rogers and Kevin Mahaffey disclosed 5 vulnerabilities in Tesla's Model S.
• But both hackers said Tesla deserved credit for what it had got right about car software security, because Tesla's fleet could be updated "over the air".
Other Case Study
Rifle Hack Case Study
Integrated Toilet hack
• The Satis is a "smart" toilet. It is controlled using LIXIL's "My Satis" Android application, which communicates with the toilet using Bluetooth.
• The vulnerability allows an attacker to mess with your toilet: flush the water and lift the toilet seat up or down.
• The "My Satis" Android application has a hard-coded Bluetooth PIN of "0000", as can be seen in the following line of decompiled code from the application.
http://technews.tw/2013/08/13/high-tech-toilet-gets-hacker-warning-nothing-is-safe/
Could your fridge send you spam?
• Proofpoint says that between 23 December 2013 and 6 January 2014, the 100,000-strong botnet sent out more than 750,000 "malicious email communications", with more than "25 per cent of the volume sent by things that were not conventional laptops, desktop computers or mobile devices."
http://www.independent.co.uk/life-style/gadgets-and-tech/news/could-your-fridge-send-you-spam-security-researchers-report-internet-of-things-botnet-9072033.html
Hacker hijacks wireless Foscam baby monitor, talks and freaks out nanny
• A hacker used the Foscam security camera to talk to the nanny of a one-year-old girl. She heard talking coming from the security camera, a man saying, "Oh, that's a beautiful baby."
• Three instances of this kind of hacking have been reported for Foscam, due to a password vulnerability (an empty user name required no password) and people keeping the default user name/password.
http://www.computerworld.com/article/2878741/hacker-hijacks-wireless-foscam-baby-monitor-talks-and-freaks-out-nanny.html
Joyoung smart soy milk maker
• Has a Wi-Fi function that connects to a mobile app and the cloud.
• Using a network sniffer, it was found that the phone's IMEI is used as the mobile ID to obtain a session key from the cloud, and the device ID is then obtained through the session key.
• Once the device ID is known, HTTP commands can be sent to the cloud to mess with different devices.
http://www.freebuf.com/articles/terminal/78196.html
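The authorization gap in the Joyoung case above, modelled as an added example that is not part of the deck: a toy cloud command endpoint in which a predictable phone identifier serves as the session key and device ownership is never checked, next to a hardened version that issues random session tokens and checks that the authenticated account owns the target device. The `Cloud` class, its in-memory tables and the sample account and device names are assumptions.

```python
# Added example (not from the Trend Micro deck): toy model of a cloud-side
# device command endpoint, weak design beside hardened design.
# The Cloud class, its tables and all sample values are constructed.
import secrets
from dataclasses import dataclass, field


@dataclass
class Cloud:
    # constructed sample data: which account owns which device
    owners: dict = field(default_factory=lambda: {"dev-A1": "alice", "dev-B2": "bob"})
    sessions: dict = field(default_factory=dict)   # session key/token -> account
    commands: list = field(default_factory=list)   # (device_id, command) dispatched

    # --- weak design, as in the sniffed traffic: the phone identifier is the session key
    def login_weak(self, imei: str, account: str) -> str:
        # the IMEI is static and observable on the wire, so it is a poor secret
        self.sessions[imei] = account
        return imei

    def command_weak(self, session: str, device_id: str, command: str) -> bool:
        # only checks that some session exists; never checks who owns device_id,
        # so any valid session can drive any device whose ID it has learned
        if session not in self.sessions:
            return False
        self.commands.append((device_id, command))
        return True

    # --- hardened design: random bearer token plus account-to-device ownership check
    def login_hardened(self, account: str) -> str:
        # unguessable token, unrelated to any hardware identifier
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account
        return token

    def command_hardened(self, token: str, device_id: str, command: str) -> bool:
        account = self.sessions.get(token)
        # authentication (valid token) and authorization (caller owns the device)
        if account is None or self.owners.get(device_id) != account:
            return False
        self.commands.append((device_id, command))
        return True
```

Detection-wise, the weak variant leaves a telltale in the cloud logs: one session key driving device IDs that belong to several different accounts.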
Shodan exposes on-line devices
• The Shodan search engine is the Google for the Internet of Things, a playground for hackers and terrorists -- and, maybe, a useful tool for companies looking to lock down their own environment.
Even the FBI is worried about Internet of Things security
• On Sep. 10, 2015 the FBI issued a public service announcement regarding the cybercrime opportunities posed by connecting all sorts of data-enabled devices, from medical gear to entertainment gadgets, to the Internet.
• The FBI cites "deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness" as giving cybercrooks an opening to plot attacks and steal information.
http://www.computerworld.com/article/2983793/data-security/even-the-fbi-is-worried-about-internet-of-things-security.html?phint=newt%3Dcomputerworld_security&phint=idg_eid%3D7e21d0a5c7c13c7adbc9bf097fb770ab#tk.CTWNLE_nlt_security_2015-09-14
http://www.ic3.gov/media/2015/150910.aspx
Typical attack
Attack steps
1. AAA Penetration (authentication, authorization, accounting): backdoor credentials, default name/password, direct web access, man in the middle
2. Steal Key / Certification: get the device's fixed key and certificate to break the encryption and gain access rights
3. Fake Firmware: modify firmware and sign it with the stolen key; control the device for further penetration
4. Cloud Penetration: attack the cloud system for valuable backend data
Interfaces attacked: Device, Web App, Mobile App, Cloud
Trend Micro IoT Security Solutions Overview
Solution Deployment
Trend Micro Strength in IoT
1. Security: Top 3 worldwide security company with 26+ years of experience and full dedication to the security field.
2. Comprehensive Operation Infra: Full experience in development on different OSes, with API creation and integration. Complete SOP for security update infrastructure and data storage.
3. Cloud Technology: The first in the world to create cloud-based security. Partners with Amazon AWS and Microsoft Azure, with full experience in cloud infrastructure construction.
4. Big Data Analysis: Few companies have real experience deploying Hadoop and applying it in real business operations.
Q&A
Thank you!
OWASP IoT Top 10 Security Concerns
Security concern: Category
1. Insecure Web Interface: HACK
2. Insufficient Authentication/Authorization: AAA
3. Insecure Network Services: HACK
4. Lack of Transport Encryption: AAA
5. Privacy Concerns: PRIVACY
6. Insecure Cloud Interface: HACK
7. Insecure Mobile Interface: HACK
8. Insufficient Security Configurability: AAA
9. Insecure Software/Firmware: HACK
10. Poor Physical Security: PHYSICAL
Source: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014