null singapore - can we secure the iot - chadi hantouche

Upload: nu-the-open-security-community

Post on 16-Apr-2017

TRANSCRIPT

Page 1: Null Singapore - Can We secure the IoT - Chadi Hantouche

Can we SECURE The INTERNET of THINGS?

March 16th, 2016

Chadi HANTOUCHE
Cybersecurity Senior Manager
@chadihantouche

Page 2

Agenda

1. At the heart of digital transformation ►
2. CARA: the 4 risk dimensions
3. Which security measures?
4. Final thoughts

Page 3

Connected devices are expanding in all areas

Areas: Home automation, Physical security, Healthcare and comfort, Vehicles and mobility

Devices shown: Light bulbs, Thermostats, Thermometers, TVs, Door locks, Wristbands, Smoke detectors, CCTVs, Cars, Bike sensors, Forks, Tensiometer, Heart rate monitors, Glasses, Watches, Trackers, Strollers, Keychains, Padlocks, Roller blinds

16 March 2016 - Property of Solucom, all rights reserved

Page 4

Billions of smart devices announced for 2020…

Estimates shown: 26 billion, 30 billion, 50 billion, 80 billion, 212 billion

Some estimations are quite high… and some others more moderate!

Page 5

…but projects and PoCs are already here!

John Hancock + Fitbit: John Hancock policy holders who wear an Internet-connected Fitbit can get discounts of up to 15% on their life insurance policy.

Allianz + Nest Labs: Allianz partnered with Nest Labs in order to give every new subscriber a smoke detector.

BMW + Samsung: BMW Innovation introduced at CES 2015 a car model that can be remotely controlled by a smartwatch.

Singapore V2X initiative: In 2015, the EDB of Singapore largely funded the US$16 million that will be pumped into the NTU-NXP (semiconductor firm) project, involving 100 vehicles and 50 roadside units within 4 years.

Page 6

A broader attack surface for cybercriminals

Examples of attacks on smart devices

Black Hat USA: demonstration of a remote pacemaker hack. Theft of the wearer's personal data, pacemaker control (sending shocks possibly leading to a heart attack), possibility of infecting other pacemakers in range.

Black Hat USA: demonstration of an intrusion on a connected TV. Use of a Web browser to take control of the camera, change the DNS settings and inject viruses into other applications.

Black Hat USA: demonstration of a Jeep Cherokee complete remote control. Remote intrusion, including the ability to kill the engine, engage or disable the brakes, or track the car's GPS position.

Black Hat USA: demonstration of attacks on home connected devices. Demonstration of attacks on the smart home control hubs from connected devices (NEST Thermostat, INSTEON Hub…).

Page 7

Risk categories are shared by all connected devices

Areas: Home automation, Healthcare, Physical security, Mobility

Devices shown: Heart rate monitors, Thermometers, Blood pressure monitors, Baby strollers, Smartwatches, Roller blinds, Thermostats, Door locks, CCTVs, Cars, Smoke detectors, Light bulbs

Shared risk categories:
• Personal data leakage
• Loss of collected data's confidentiality and integrity
• Endangering safety of persons
• Denial of service
• Access control bypass
• Unavailability of the sensor/device

Page 8

Agenda

1. At the heart of digital transformation
2. CARA: the 4 risk dimensions ►
3. Which security measures?
4. Final thoughts

Page 9

Risk dimensions of connected devices

4 possible settings for smart devices in a business context (CARA: Create, Acquire, Recommend, Accommodate)

Create: Companies that manufacture connected devices must take security into account from the design phase, since they have a responsibility towards their customers.

Accommodate: Companies that allow the use of employees' connected devices (as a BYOD service) have to protect professional data.

Recommend: Companies that recommend connected devices to their customers have a diffused responsibility that extends over time regarding the customers.

Acquire: Companies that buy connected devices and deploy them internally share responsibilities on technology choices and integration phases.

Page 10

Risk dimensions of connected devices

The risks depend on the organization's/company's setting

Create: Discovering security flaws in connected devices could endanger users or their data, and therefore the reputation and liability of the manufacturer.

Accommodate: Loss or theft of corporate data to which connected devices have access, or intrusion facilitation.

Recommend: Leakage of (possibly personal) data or physical damages that could lead to a company liability, or reputation damage.

Acquire: Integration of these new technologies within the business process without proper security, which could increase the IT systems' attack surface.

Page 11

A simple tool to interact with business stakeholders: the heat map

Axes: usages risk levels (USE 1, USE 2, USE 3, USE 4) and complexity to customize security (CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE)

Page 12

Practical applications in a B2C banking context

"I would like to reflect an innovative image by allowing our customers to virtually browse their investment portfolio!"

"New smartwatches are released, we need an application! Besides, we must boost our smartphone applications with new features."

"We would like to simplify the payment process without getting surpassed by GAFA, could we test contactless payment wristbands?"

"It would be really great to recognize customers when they enter the agency!"

"What if we equipped our advisors with wristbands to perform digital signature?"

Page 13

Practical application of the heat map in a B2C banking context

Axes: usages risk levels (NOTIFICATION, CONSULTATION, MODIFICATION, TRANSACTION) and complexity to customize security (CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE)

Use cases placed on the map:
• Contactless payment with a connected wristband
• Customer identification with Google Glass
• Digital signature with a smartwatch
• Stock portfolio 3D visualization with Oculus Rift
• Accounts notification and checking on a smartwatch
• Account data change or transaction with a smartphone

Page 14

Practical application: risk zone identification

Same map as the previous slide, with the risk zone highlighted. Axes: usages risk levels (NOTIFICATION, CONSULTATION, MODIFICATION, TRANSACTION) and complexity to customize security (CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE)

Use cases placed on the map:
• Contactless payment with a connected wristband
• Customer identification with Google Glass
• Digital signature with a smartwatch
• Stock portfolio 3D visualization with Oculus Rift
• Accounts notification and checking on a smartwatch
• Account data change or transaction with a smartphone

Page 15

Agenda

1. At the heart of digital transformation
2. CARA: the 4 risk dimensions
3. Which security measures? ►
4. Final thoughts

Page 16

Security measures are the usual ones…

Page 17

…but their implementation must be innovative!

Page 18

…but their implementation must be innovative!

Various devices with the same OS but different battery lives

Apple's recommendations for Apple Watch developers: typing a password on a small screen would be difficult for the user.

• Computing: limited processing power.
• Connectivity: take into account the fact that communication with the connected devices is usually done over Bluetooth or NFC connections.
• User Experience: possible actions strongly depend on the size, form factor and features of the device!
• Battery Life: pay attention to implementation choices, e.g. for data encryption (asymmetric vs. symmetric encryption).
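The Battery Life bullet above is the one a developer can act on directly: asymmetric operations are far more expensive than symmetric ones on a small device, so the usual design is to run one key agreement and then protect every reading with a symmetric AEAD. The following Go program is an added illustration written for this transcript, not code from the talk or from any vendor: it models a wearable and a phone (assumed roles) that perform a single ECDH agreement and then exchange readings under AES-256-GCM, counting how much asymmetric and symmetric work each side does. The key derivation (SHA-256 over the shared secret and a made-up label) is a deliberate simplification, the readings are constructed sample values, and replay protection is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Session is the symmetric state one side keeps after a single key agreement.
type Session struct {
	aead cipher.AEAD
	role byte   // 0 = wearable, 1 = phone; put in the nonce so the two directions never share one
	seq  uint64 // per-sender counter, the rest of the nonce
	Asym int    // asymmetric operations performed by this side
	Sym  int    // symmetric operations performed by this side
}

// NewSession does the one expensive step, an ECDH agreement, then derives the
// AES-256-GCM key. SHA-256(secret || label) is a simplification for this example;
// a production design would use HKDF.
func NewSession(role byte, priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Session, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(secret, "wearable-session-v1"...)) // assumed label
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead, role: role, Asym: 1}, nil
}

// Seal encrypts one reading using symmetric work only. The 12-byte nonce
// (role byte, padding, 8-byte counter) travels in clear ahead of the ciphertext.
func (s *Session) Seal(plaintext []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	nonce[0] = s.role
	binary.BigEndian.PutUint64(nonce[4:], s.seq)
	s.seq++
	s.Sym++
	return s.aead.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil)
}

// Open decrypts and authenticates one message; any modification makes it fail.
// Rejecting an already-seen counter (replay protection) is not implemented here.
func (s *Session) Open(msg []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message shorter than nonce")
	}
	s.Sym++
	return s.aead.Open(nil, msg[:n], msg[n:], nil)
}

// newPair sets up a wearable and a phone that have agreed on one session key.
func newPair() (wear, phone *Session, err error) {
	curve := ecdh.P256()
	wk, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pk, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if wear, err = NewSession(0, wk, pk.PublicKey()); err != nil {
		return nil, nil, err
	}
	if phone, err = NewSession(1, pk, wk.PublicKey()); err != nil {
		return nil, nil, err
	}
	return wear, phone, nil
}

// Stats counts the work of a whole exchange, both sides added together.
type Stats struct{ Asym, Sym, Delivered int }

// Exchange streams n constructed heart-rate readings from the wearable to the
// phone: asymmetric work stays at 2 whatever n is, symmetric work grows as 2n.
func Exchange(n int) (Stats, error) {
	wear, phone, err := newPair()
	if err != nil {
		return Stats{}, err
	}
	delivered := 0
	for i := 0; i < n; i++ {
		reading := []byte(fmt.Sprintf("hr=%d", 60+i%30)) // constructed sample
		pt, err := phone.Open(wear.Seal(reading))
		if err != nil {
			return Stats{}, err
		}
		if string(pt) == string(reading) {
			delivered++
		}
	}
	return Stats{wear.Asym + phone.Asym, wear.Sym + phone.Sym, delivered}, nil
}

// TamperDetected flips one ciphertext bit and reports whether the phone rejects it.
func TamperDetected() (bool, error) {
	wear, phone, err := newPair()
	if err != nil {
		return false, err
	}
	msg := wear.Seal([]byte("hr=72"))
	msg[len(msg)-1] ^= 0x01
	_, err = phone.Open(msg)
	return err != nil, nil
}

func main() {
	st, err := Exchange(100)
	fmt.Printf("%+v err=%v\n", st, err)
}
```

Running `Exchange(100)` reports two asymmetric operations (one ECDH per side) against two hundred symmetric ones; a design that wrapped every reading in a public-key operation would instead pay one asymmetric operation per message, which is the cost the slide warns about on a battery-powered device.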

Page 19

… and which should be prioritized

(Measures are grouped on the slide by setting: Create, Acquire, Accommodate, Recommend)

• Integrate security in the early design phases.
• In particular, ensure security update capabilities throughout the (possibly long) device lifecycle.
• Ensure that device identities are properly managed.
• Request custom hardening from the manufacturers.
• Clearly define liabilities (and data ownership).
• Ensure regulatory compliance.
• Ensure the recommended devices have a proper security level.
• Make users aware of their responsibilities.
• Enforce a user charter.
• Reuse previous BYOD projects.

But also: Think outside the box!

Page 20

Example of innovative security

Another use case: connected cars and roads, with a strong need of both integrity and privacy

Source: PRESERVE Project, www.preserve-project.eu

• The car embeds a HSM and hundreds of certificates.
• The certificate used to ensure the integrity of messages is changed at a random frequency.
• When going to the garage for tune-up, the certificates can be renewed.
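The PRESERVE design above can be read as a small protocol: the HSM holds a pool of pseudonym credentials, signs each broadcast message with the current one, switches pseudonym after a random number of messages, and refuses to sign once the pool is used up until a renewal. The Go program below is an added model of that behaviour written for this transcript; it is not PRESERVE's code and does not follow its formats. It assumes ECDSA P-256 signatures, a pool of five pseudonyms, a random lifetime of 1 to 20 messages per pseudonym, a PKI reduced to a map of ID to public key instead of real certificates, and constructed message payloads.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Pseudonym is one short-lived signing credential. On a real car the private key
// stays inside the HSM and the public half is certified by the V2X PKI; here the
// "certificate" is reduced to an ID plus the public key (assumption of this example).
type Pseudonym struct {
	ID  int
	key *ecdsa.PrivateKey
}

// HSM models the on-board module holding the pseudonym pool. Keys never leave it:
// callers hand over a message and get back a signature and the pseudonym ID used.
type HSM struct {
	pool    []Pseudonym
	current int // pseudonym in use
	left    int // messages it may still sign before the switch
}

// PKI stands in for the certificate authority: it issues pseudonyms and keeps the
// directory receivers verify against (a map instead of real certificates).
type PKI struct {
	dir    map[int]*ecdsa.PublicKey
	nextID int
}

var ErrPoolExhausted = errors.New("pseudonym pool exhausted: renew at the garage")

const maxLifetime = 20 // upper bound on messages signed by one pseudonym

// randomLifetime draws 1..maxLifetime so an observer cannot predict the next switch.
func randomLifetime() int {
	n, _ := rand.Int(rand.Reader, big.NewInt(maxLifetime))
	return int(n.Int64()) + 1
}

func NewPKI() *PKI { return &PKI{dir: map[int]*ecdsa.PublicKey{}} }

// Issue replaces the HSM's pool with n fresh pseudonyms and registers their public
// keys: this is the initial provisioning and also the renewal done at the garage.
func (p *PKI) Issue(h *HSM, n int) error {
	h.pool = h.pool[:0]
	for i := 0; i < n; i++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return err
		}
		h.pool = append(h.pool, Pseudonym{ID: p.nextID, key: k})
		p.dir[p.nextID] = &k.PublicKey
		p.nextID++
	}
	h.current, h.left = 0, randomLifetime()
	return nil
}

// Sign signs one broadcast message with the current pseudonym and moves to the next
// one once its random lifetime is used up. An exhausted pool cannot sign at all.
func (h *HSM) Sign(msg []byte) (id int, sig []byte, err error) {
	if h.current >= len(h.pool) {
		return 0, nil, ErrPoolExhausted
	}
	ps := h.pool[h.current]
	digest := sha256.Sum256(msg)
	if sig, err = ecdsa.SignASN1(rand.Reader, ps.key, digest[:]); err != nil {
		return 0, nil, err
	}
	if h.left--; h.left == 0 {
		h.current, h.left = h.current+1, randomLifetime()
	}
	return ps.ID, sig, nil
}

// Verify is the receiver side (another car or a roadside unit): integrity is checked
// against the pseudonym's key, while the sender's long-term identity is never seen.
func (p *PKI) Verify(id int, msg, sig []byte) bool {
	pub, ok := p.dir[id]
	if !ok {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Drive signs up to n messages and reports which pseudonym IDs an observer saw
// (with the number of messages each one signed) and how many messages verified.
func Drive(h *HSM, p *PKI, n int) (seen map[int]int, verified int, err error) {
	seen = map[int]int{}
	for i := 0; i < n; i++ {
		msg := []byte(fmt.Sprintf("CAM %d: position/speed", i)) // constructed payload
		id, sig, e := h.Sign(msg)
		if e != nil {
			return seen, verified, e
		}
		seen[id]++
		if p.Verify(id, msg, sig) {
			verified++
		}
	}
	return seen, verified, nil
}

func main() {
	pki, hsm := NewPKI(), &HSM{}
	if err := pki.Issue(hsm, 5); err != nil {
		panic(err)
	}
	seen, ok, err := Drive(hsm, pki, 200)
	fmt.Printf("%d messages verified under %d pseudonyms; stopped with: %v\n", ok, len(seen), err)
	_ = pki.Issue(hsm, 5) // renewal at the garage: signing works again with new IDs
}
```

With five pseudonyms the car signs somewhere between 5 and 100 messages before `Sign` returns `ErrPoolExhausted`, and every message still verifies at the receiver; the observer's view is a sequence of IDs that changes at an unpredictable point, which is the privacy property, while a modified message or an unknown ID is rejected, which is the integrity property. A pool of hundreds of pseudonyms, as on the slide, simply pushes the renewal further out.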

Page 21

Agenda

1. At the heart of digital transformation
2. CARA: the 4 risk dimensions
3. Which security measures?
4. Final thoughts ►

Page 22

4 recommendations towards security for the IoT

Do not secure the IoT devices like your usual IT!

1. Talk with the business stakeholders

It is important to understand the business stakes during the whole device lifecycle, in order to clarify and anticipate possible risks.

Stakeholders: MARKETING AND SALES, MANUFACTURERS, HUMAN RESOURCES, BOARD, SUPPLY CHAIN MANAGEMENT, RESEARCH AND DEVELOPMENT, ADMINISTRATION, LEGAL DEPARTMENT

Page 23

4 recommendations towards security for the IoT

Do not secure the IoT devices like your usual IT!

2. Clarify the use cases

The risks of connected devices may differ depending on the usages and the setting (CARA). Furthermore, depending on your industry, the devices will not be used the same way.

Examples in banking, from low risk to high risk: NOTIFICATION, CONSULTATION, MODIFICATION, TRANSACTION

Page 24

4 recommendations towards security for the IoT

Do not secure the IoT devices like your usual IT!

3. Analyze the market and the platforms

Platforms shown: TIZEN, PEBBLE OS, MICRIUM OS, ANDROID, WATCH OS, FREE RTOS, I'M DROID

Two relatively similar devices may not be equally secured. It becomes necessary to identify the specifics of the platforms and the associated limits.

Page 25

4 recommendations towards security for the IoT

Do not secure the IoT devices like your usual IT!

4. Think outside the box to implement security

Take into account the context in which connected devices evolve, as well as their characteristics: autonomy, range, user experience…

Page 26

4 recommendations towards security for the IoT

Do not secure the IoT devices like your usual IT!

Talk with the business stakeholders: It is important to understand the business stakes during the whole device lifecycle, in order to clarify and anticipate possible risks.

Clarify the use cases: The risks of connected devices may differ depending on the usages and the setting (CARA). Furthermore, depending on your industry, the devices will not be used the same way.

Analyze the market and the platforms: Two relatively similar devices may not be equally secured. It becomes necessary to identify the specifics of the platforms and the associated limits.

Think outside the box to implement security: Take into account the context in which connected devices evolve, as well as their characteristics: autonomy, range, user experience…

Page 27

www.solucom.fr

Chadi HANTOUCHE
Cybersecurity Senior Manager
[email protected]
@chadihantouche