The INTERNET of THINGS? Securing Connected Devices

The INTERNET of THINGS?
March 16th, 2016
Chadi HANTOUCHE
Cybersecurity Senior Manager
@chadihantouche
Can we SECURE

2
Agenda
1. At the heart of digital transformation►
2. CARA: the 4 risk dimensions
3. Which security measures?
4. Final thoughts

3
Connected devices are expanding in all areas
Home automation Physical security
Healthcare and comfort
Light bulbs Thermostats
Thermometers
TVs
Door locks
Wristbands
Smoke detectorsCCTVs
CarsBike sensors
Forks Tensiometer
Heart rate monitorsGlasses
Watches
Trackers
Strollers
Keychains Padlocks
Vehicles and mobility
Roller blinds
16 March 2016 - Property of Solucom, all rights reserved

4
26
billion
30
billion
50
billion
80
billion
212
billion
Billions of smart devices announced for 2020…
Some estimations are quite high…
… and some others more moderate!

5
…but projects and PoCs are already here!
Singapore V2x initiative
John Hancock policy holders who wear
Internet-connected Fitbit can get discounts of up
to 15% on their life insurance policy.
John Hancock + Fitbit
Allianz partnered with Nest Labs in order to
give every new subscriber a smoke detector.
Allianz + Nest Labs
BMW Innovation introduced at CES 2015 a car
model that can be remotely controlled by a
smartwatch.
BMW + Samsung
In 2015, the EDB of Singapore has largely
funded the US$16 million that will be pumped
into the NTU-NXP (semi-conductors firm)
project, involving 100 vehicles and 50 roadside
units within 4 years

6
A broader attack surface for cybercriminals
Examples of attacks on smart devices
Personal data theft of the carrier,
pacemaker control (sending shocks
possibly leading to a heart attack),
possibility of infecting other
pacemakers in range.
Use of a Web browser to take
control of the camera, change the
DNS settings and inject viruses into
other applications.
Black Hat USA: demonstration of a
remote pacemaker hack
Remote Intrusion, including the ability
to kill the engine, engage or disable the
brakes, or track the car’s GPS position.
Black Hat USA: demonstration of a Jeep
Cherokee complete remote control
Black Hat USA: demonstration of an
intrusion on a connected TV
Demonstration of attacks on the Smart
home control hubs from connected
devices (NEST Thermostat, INSTEON
Hub…).
Black Hat USA: demonstration of attacks
on home connected devices

7
Risk categories are shared by all connected devices
Heart rate
monitorsThermometers
Blood pressure
monitors
Baby-strollers
Smartwatches
Roller blinds
Thermostats
Door
locks
CCTVs
Personal data
leakage
Loss of collected data’s
confidentiality and integrity
Endangering
safety of persons
Denial of
service
Access control
bypass
Unavailability of the
sensor/device
…
Cars
Smoke detectors
Light bulbs
Home
automation
Healthcare
Physical
security
Mobility

8
Agenda
1. At the heart of digital transformation
2. CARA: the 4 risk dimensions►
4. Final thoughts

9
Risk dimensions of connected devices
4 possible settings for smart devices in a business context
Companies that manufacture connected
devices must take security into account from
the design phase, since they have a
responsibility towards their customers.
Companies that allow the use of employees’
connected devices (as a BYOD service), have
to protect professional data.
Companies that recommend connected
devices to their customers have a diffused
responsibility that extends over time regarding
the customers.
Companies that buy connected devices and
deploy them internally share responsibilities
on technologies choices and integration
phases.
Create
Recommend
Acquire
Accommodate

10
Risk dimensions of connected devices
The risks depend on the organization’s/company’s setting
Discovering security flaws in connected
devices could endanger users or their data,
and therefore the reputation and liability of the
manufacturer.
Loss or theft of corporate data to which
connected devices have access, or intrusion
facilitation.
Leakage of (possibly personal) data or
physical damages that could lead to a
company liability, or reputation damage.
Integration of these new technologies within
the business process without proper security,
which could increase the IT systems’ attack
surface.
Create
Recommend
Acquire
Accommodate

11
A simple tool to interact with business stakeholders: the heat map
Usages risk levels
Complexity to
customize security
CREATE
ACQUIRE
RECOMMEND
ACCOMMODATE
USE 1 USE 2 USE 3 USE 4

12
Practical applications in a B2C banking context
I would like to reflect an
innovative image by allowing
our customers to virtually
browse their investment
portfolio!
New smartwatches are
released, we need an
application! Besides, we must
boost our smartphone
applications with new
features.
We would like to simplify the payment process without
getting surpassed by GAFA, could we test contactless
payment wristbands?
It would be really great to
recognize customers when
they enter the agency!
What if we equipped our advisors with wristbands to
perform digital signature?

13
Practical application of the heat map in a B2C banking context
NOTIFICATION CONSULTATION MODIFICATION TRANSACTION
CREATE
ACQUIRE
RECOMMEND
ACCOMMODATE
Contactless payment with
a connected wristband
Customer identification
with Google Glass
Digital signature with
a smartwatch
Stock portfolio 3D visualization
with Oculus Rift
Accounts notification and checking on a smartwatch Account data change or transaction with a smartphone
Usages risk levels
Complexity to
customize security

14
Practical application: risk zone identification
Usages risk levels
CREATE
ACQUIRE
RECOMMEND
ACCOMMODATE
Contactless payment with
a connected wristband
Customer identification
with Google Glass
Digital signature with
a smartwatch
Stock portfolio 3D visualization
with Oculus Rift
Accounts notification and checking on a smartwatch Account data change or transaction with a smartphone
Complexity to
customize security

15
Agenda
3. Which security measures?►
4. Final thoughts

16
Security measures are the usual ones…

17
…but their implementation must be innovative!

18
…but their implementation must be innovative!
Various with the same OS but different battery lives
Apple’s recommendations for Apple Watch developers
Typing a password on a small screen
would be difficult for the user.
• Limited processing power
Computing
• Take into account the fact that
communication with the connected
devices is usually done with
Bluetooth or NFC connections
Connectivity
• Possible actions strongly depend
on the size, form-factor and
features of the device!
User Experience
• Pay attention to implementation
choices, e.g. for data encryption
(asymmetric vs. symmetric
encryption)
Battery Life

19
… and which should be prioritized
• Integrate security in the early design
phases.
• In particular, ensure security update
capabilities throughout the (possibly
long) device lifecycle.
• Ensure that device identities are properly
managed.
• Request custom hardening from the
manufacturers.
• Clearly define liabilities (and data
ownership).
• Ensure regulatory compliance.
• Ensure the recommended devices have a
proper security level.
• Make users aware of their
responsibilities.
• Enforce a user charter.
• Reuse previous BYOD projects.
But also:
Think outside the box!
Create Acquire
AccommodateRecommend

20
Example of innovative security
Source : PRESERVE Project, www.preserve-project.eu
The car embeds a HSM, and
hundreds of certificates
Another use case: connected cars and roads
with a strong need of both integrity and privacy
The certificate used to ensure the
integrity of messages is changed at
a random frequency
When going to the garage for tune-
up, the certificates can be renewed

21
Agenda
4. Final thoughts►

22
4 recommendations towards security for the IoT
Do not secure the IoT devices like your usual IT!
It is important to understand the business stakes
during the whole device lifecycle, in order to
clarify and anticipate possible risks.
Talk with the business stakeholders
MARKETING AND
SALES
MANUFACTURERS
HUMAN RESSOURCS
BOARD
SUPPLY CHAIN
MANAGEMENT
RESEARCH AND
DEVELOPMENT
ADMINISTRATION
LEGAL DEPARTMENT

23
The risks of connected devices may differ
depending on the usages and the setting
(CARA).
Furthermore, depending on your industry, the
devices will not be used the same way.
Clarify the use cases
Low risk High risk
Examples in banking

24
TIZEN
PEEBLE OS
OS
MICRIUM
ANDROID
WATCH OS
FREE
RTOS
I’M DROID
Two relatively similar devices may not be equally
secured.
It becomes necessary to identify the specifics of
the platforms and the associated limits.
Analyze the market and the platforms

25
Take into account the context in which connected
devices evolve, as well as their characteristics:
autonomy, range, user experience…
Think outside the box to implement security

26
It is important to understand the business stakes
during the whole device lifecycle, in order to
clarify and anticipate possible risks.
The risks of connected devices may differ
depending on the usages and the setting
(CARA).
Furthermore, depending on your industry, the
devices will not be used the same way.
Two relatively similar devices may not be equally
secured.
It becomes necessary to identify the specifics of
the platforms and the associated limits.
Take into account the context in which connected
devices evolve, as well as their characteristics:
autonomy, range, user experience…
Analyze the market and the platforms
Talk with the business stakeholders Clarify the use cases
Think outside the box to implement security

www.solucom.fr
Chadi HANTOUCHE
Cybersecurity Senior Manager
chadi.hantouche@solucom.sg
@chadihantouche

The INTERNET of THINGS? Securing Connected Devices

Recommended

Recommended

More Related Content

What's hot

What's hot (11)

Viewers also liked

Viewers also liked (20)

Similar to The INTERNET of THINGS? Securing Connected Devices

Similar to The INTERNET of THINGS? Securing Connected Devices (20)

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Recently uploaded

Recently uploaded (20)

The INTERNET of THINGS? Securing Connected Devices