Debunking IoT Security Myths
Presentation for the Internet Security Days 2014 (http://isd.eco.de/en/) about common security challenges and myths in the Internet of Things domain.
© Cumulocity GmbH 2014
Debunking IoT Security Myths
André Eickler
Overview
• What is Cumulocity?
• What is the Internet of Things (IoT)?
• What security challenges are there?
• What common myths are there?
• What you can do!
What is Cumulocity?
Where do we come from?
• Started 2010 as Nokia Networks product line.
• Independent company since 2012.
• Originally targeted to the very security-aware telco industry.
What do we do?
• Cloud service to fundamentally reduce the complexity of deploying Internet of Things solutions.
• Pay-as-you-grow starting from €1/device/month.
What is Cumulocity?
What is the Internet of Things?
Asset + Device + Application
What security challenges are there?
IoT devices are where your assets are.
• Limited physical control over device and network connection.
• “Data center distributed all over the country.”
IoT devices are extremely heterogeneous.
• Little standardization, thousands of manufacturers and platforms.
• “BYOD to the max.”
IoT devices come in billions.
• … at least if the analysts are right.
• Great target for DDoS.
What security challenges are there?
IoT devices may control the physical world.
• Production plants, cars, wheelchairs, …
• Extremely attractive target for attacks.
IoT business cases often rely on cheap devices.
• Low-end devices make communication security difficult.
• Often no remote patching or upgrade facility.
• Mobile M2M tariffs are counted by the KB, SSL/VPN overhead unwanted.
What common myths are there?
Actual issues are no surprise to security experts, but …
• They are not viewed from the context of IoT.
• They are misunderstood even by renowned publishers.
IPSO Power Control
c’t 09/13, p.98
Myth #1: The “thing” must be a server
Myth #1: The “thing” must be a server

| | Device is Server | Device is Client |
|---|---|---|
| Security | Very High Risk | No open port => lower |
| Optimal for | Actuators | Sensors |
| Data sharing | By device (not in mobile!) | By server |
| Data Access & Scaling | Difficult to impossible | Easy and cheap |
| Addressing | Static IP | Dynamic & Private IP |
| Consequence | Requires VPN | Requires Device Push |
Myth #2: A VPN solution is enough for security
Myth #2: A VPN solution is enough for security
• Industrial-level attacks often come from insiders – IoT is just a new dimension.
• IoT devices are often unattended and a VPN setup may be used as entry point into the corporate network.
• Mobile IoT devices can still be attacked through SMS (reconfiguration, redirection, DoS).
• VPN causes expensive overhead on mobile, customers complain about an extra 10-90 MB of traffic per month.
Myth #3: My protocol is better!
What you can do!
Translate your security practices to the IoT world. I.e.,
• Check physical security.
– USB/serial/LAN ports on devices in public places?
– Tamper sensors included?
• Check network security.
– Switch off SMS on the device or use a secure SMS service.
– Switch off local/web element managers.
– Replace standard/static passwords.
• Check application security.
– Validate device protocol. Use device only as client to a secure IoT service with individual credentials.
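
The sketch below is an added example, not part of the original slides and not Cumulocity code. It shows the service side of the "device is client" model from Myth #1 combined with the application-security items above: individual credentials per device, validation of the device protocol, and operations returned on the device's own request so the device needs no open port. The device IDs, secrets, message fields and the `handle_push` function are hypothetical.

```python
import base64, hashlib, hmac, json

def kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

# Constructed sample data: every device has its own credential, stored hashed.
DEVICES = {
    "meter-001": {"salt": b"salt-1", "hash": kdf("k7-constructed-secret", b"salt-1")},
    "pump-002": {"salt": b"salt-2", "hash": kdf("q9-constructed-secret", b"salt-2")},
}
# Commands wait here until the device itself connects (hypothetical format).
PENDING_OPS = {"pump-002": [{"op": "set_relay", "value": 0}]}

def authenticate(auth_header):
    """Return the device id for a valid HTTP Basic header, else None."""
    try:
        scheme, token = auth_header.split(" ", 1)
        device_id, secret = base64.b64decode(token).decode().split(":", 1)
    except ValueError:  # malformed header, bad base64 or bad UTF-8
        return None
    dev = DEVICES.get(device_id)
    if scheme != "Basic" or dev is None:
        return None
    ok = hmac.compare_digest(kdf(secret, dev["salt"]), dev["hash"])
    return device_id if ok else None

def valid_message(msg):
    """Accept only the fields, types and ranges the protocol defines."""
    if not isinstance(msg, dict) or set(msg) != {"source", "type", "value"}:
        return False
    value = msg["value"]
    return (msg["type"] in ("temperature", "pressure")
            and isinstance(value, (int, float)) and not isinstance(value, bool)
            and -50 <= value <= 150)

def handle_push(auth_header, body):
    """Service side: handle one request the device opened; return (status, reply)."""
    device_id = authenticate(auth_header)
    if device_id is None:
        return 401, {}
    try:
        msg = json.loads(body)
    except ValueError:
        return 400, {}
    if not valid_message(msg):
        return 400, {}
    if msg["source"] != device_id:  # a device may only report as itself
        return 403, {}
    # Operations ride back on the reply, so the device never listens on a port.
    return 200, {"operations": PENDING_OPS.pop(device_id, [])}
```

Because each device holds its own secret, a credential extracted from one unattended device cannot be used to submit data as another, and it can be revoked without touching the rest of the fleet.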
What you can do!
Don’t reinvent the wheel, pick an IoT middleware …
https://cumulocity.com