Can we SECURE the INTERNET of THINGS?
March 16th, 2016 (null Singapore)
Chadi HANTOUCHE
Cybersecurity Senior Manager
@chadihantouche

Agenda
1. At the heart of digital transformation►
2. CARA: the 4 risk dimensions
3. Which security measures?
4. Final thoughts

Connected devices are expanding in all areas
Home automation, physical security, healthcare and comfort, vehicles and mobility
Light bulbs, thermostats, thermometers, TVs, door locks, wristbands, smoke detectors, CCTVs, cars, bike sensors, forks, blood pressure monitors, heart rate monitors, glasses, watches, trackers, strollers, keychains, padlocks, roller blinds
16 March 2016 - Property of Solucom, all rights reserved

Billions of smart devices announced for 2020…
Forecasts range from 26 billion, 30 billion, 50 billion and 80 billion up to 212 billion connected devices.
Some estimations are quite high… and some others more moderate!

…but projects and PoCs are already here!
Singapore V2X initiative: in 2015, the EDB of Singapore largely funded the US$16 million pumped into the NTU-NXP (semiconductors firm) project, involving 100 vehicles and 50 roadside units within 4 years.
John Hancock + Fitbit: John Hancock policy holders who wear an Internet-connected Fitbit can get discounts of up to 15% on their life insurance policy.
Allianz + Nest Labs: Allianz partnered with Nest Labs in order to give every new subscriber a smoke detector.
BMW + Samsung: BMW introduced at CES 2015 a car model that can be remotely controlled by a smartwatch.

A broader attack surface for cybercriminals
Examples of attacks on smart devices:
Black Hat USA: demonstration of a remote pacemaker hack. Theft of the wearer's personal data, control of the pacemaker (sending shocks possibly leading to a heart attack), and the possibility of infecting other pacemakers in range.
Black Hat USA: demonstration of an intrusion on a connected TV. Use of the TV's Web browser to take control of the camera, change the DNS settings and inject malicious code into other applications.
Black Hat USA: demonstration of complete remote control of a Jeep Cherokee. Remote intrusion, including the ability to kill the engine, engage or disable the brakes, or track the car's GPS position.
Black Hat USA: demonstration of attacks on home connected devices. Attacks on smart home control hubs and connected devices (Nest Thermostat, Insteon Hub…).

Risk categories are shared by all connected devices
Whatever the domain (home automation, healthcare, physical security, mobility) and the device (heart rate monitors, thermometers, blood pressure monitors, baby strollers, smartwatches, roller blinds, thermostats, door locks, CCTVs, cars, smoke detectors, light bulbs…), the same risk categories apply:
• Personal data leakage
• Loss of the collected data's confidentiality and integrity
• Endangering the safety of persons
• Denial of service
• Access control bypass
• Unavailability of the sensor/device
• …

Agenda
1. At the heart of digital transformation
2. CARA: the 4 risk dimensions►
3. Which security measures?
4. Final thoughts

Risk dimensions of connected devices
4 possible settings for smart devices in a business context (CARA):
Create: companies that manufacture connected devices must take security into account from the design phase, since they have a responsibility towards their customers.
Acquire: companies that buy connected devices and deploy them internally share responsibilities on technology choices and integration phases.
Recommend: companies that recommend connected devices to their customers have a diffuse responsibility towards those customers that extends over time.
Accommodate: companies that allow the use of employees' connected devices (as a BYOD service) have to protect professional data.

Risk dimensions of connected devices
The risks depend on the organization's setting:
Create: discovering security flaws in connected devices could endanger users or their data, and therefore the reputation and liability of the manufacturer.
Acquire: integration of these new technologies within the business process without proper security, which could increase the IT systems' attack surface.
Recommend: leakage of (possibly personal) data or physical damage that could lead to company liability or reputation damage.
Accommodate: loss or theft of corporate data to which connected devices have access, or facilitation of an intrusion.

A simple tool to interact with business stakeholders: the heat map
Rows: the four settings (CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE), the axis of complexity to customize security.
Columns: the use cases (USE 1, USE 2, USE 3, USE 4), the axis of usage risk levels.
Each use case is placed in the cell of its setting, so that business stakeholders can see at a glance where the risk lies.

Practical applications in a B2C banking context
Typical requests from the business:
"I would like to reflect an innovative image by allowing our customers to virtually browse their investment portfolio!"
"New smartwatches are released, we need an application! Besides, we must boost our smartphone applications with new features."
"We would like to simplify the payment process without getting surpassed by GAFA, could we test contactless payment wristbands?"
"It would be really great to recognize customers when they enter the branch!"
"What if we equipped our advisors with wristbands to perform digital signature?"

Practical application of the heat map in a B2C banking context
Columns (usage risk levels): NOTIFICATION, CONSULTATION, MODIFICATION, TRANSACTION
Rows (complexity to customize security): CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE
Use cases placed on the map:
• Contactless payment with a connected wristband
• Customer identification with Google Glass
• Digital signature with a smartwatch
• Stock portfolio 3D visualization with Oculus Rift
• Accounts notification and checking on a smartwatch
• Account data change or transaction with a smartphone

Practical application: risk zone identification
The same map is then used to highlight the risk zone: the cells where the usage risk level (towards MODIFICATION and TRANSACTION) and the complexity to customize security are both high.

Agenda
1. At the heart of digital transformation
2. CARA: the 4 risk dimensions
3. Which security measures?►
4. Final thoughts

Security measures are the usual ones… but their implementation must be innovative!

…but their implementation must be innovative!
Constraints of connected devices (illustrated by Apple's recommendations for Apple Watch developers, and by devices running the same OS but with very different battery lives):
Computing
• Limited processing power.
Connectivity
• Take into account the fact that communication with the connected devices is usually done over Bluetooth or NFC connections.
User Experience
• Possible actions strongly depend on the size, form factor and features of the device: typing a password on a small screen would be difficult for the user.
Battery Life
• Pay attention to implementation choices, e.g. for data encryption (asymmetric vs. symmetric encryption): asymmetric operations cost far more energy on a constrained device.

… and which should be prioritized
Create
• Integrate security in the early design phases.
• In particular, ensure security update capabilities throughout the (possibly long) device lifecycle.
• Ensure that device identities are properly managed.
Acquire
• Request custom hardening from the manufacturers.
• Clearly define liabilities (and data ownership).
• Ensure regulatory compliance.
Recommend
• Ensure the recommended devices have a proper security level.
• Make users aware of their responsibilities.
Accommodate
• Enforce a user charter.
• Reuse previous BYOD projects.
But also: think outside the box!

Example of innovative security
Another use case: connected cars and roads, with a strong need for both integrity and privacy (source: PRESERVE Project, www.preserve-project.eu)
• The car embeds an HSM and hundreds of certificates.
• The certificate used to sign messages (and so ensure their integrity) is changed at a random frequency, so that the car's broadcasts cannot be linked to one vehicle over time.
• When the car goes to the garage for a tune-up, the certificates can be renewed.
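The three bullets above describe a pseudonym-certificate scheme. The Go program below is an added example of that scheme, not code from the deck or from the PRESERVE project: a CA issues a pool of pseudonym certificates, the vehicle signs each broadcast under the active pseudonym, switches to the next one after a random number of messages, and needs a fresh pool once all are used up. The certificate format (a public key plus the CA's signature over it, with no identity and no expiry), the pool size, the maximum run length and the names IssuePool, Vehicle, Sign and Verify are all assumptions made for the example; the real project uses an HSM and a standardised V2X certificate format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
)

// Simplified model of the PRESERVE scheme (example code, not the project's own):
// a hypothetical compact certificate format and an in-memory key pool standing in for the HSM.
const maxRun = 3 // most messages signed under one pseudonym before a random switch
var ErrPoolExhausted = errors.New("pseudonym pool exhausted: renewal at the garage required")

// V2XMessage is one broadcast. The pseudonym "certificate" is PubKeyDER plus the CA's
// signature CASig over it: it names no vehicle (privacy). Sig signs Payload (integrity).
type V2XMessage struct {
	Payload, PubKeyDER, CASig, Sig []byte
}

type pseudonym struct {
	key              *ecdsa.PrivateKey
	pubKeyDER, caSig []byte
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func sign(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// IssuePool is the CA side: n pseudonym certificates, each over its own fresh key.
func IssuePool(caKey *ecdsa.PrivateKey, n int) ([]pseudonym, error) {
	pool := make([]pseudonym, 0, n)
	for i := 0; i < n; i++ {
		key, err := newKey()
		if err != nil {
			return nil, err
		}
		der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a valid P-256 key
		caSig, err := sign(caKey, der)
		if err != nil {
			return nil, err
		}
		pool = append(pool, pseudonym{key, der, caSig})
	}
	return pool, nil
}

// Vehicle is the on-board unit: its pool, the active pseudonym and its remaining run length.
type Vehicle struct {
	pool               []pseudonym
	current, remaining int
}

// Renew installs a fresh pool: at first start and again at the garage tune-up.
func (v *Vehicle) Renew(pool []pseudonym) { v.pool, v.current, v.remaining = pool, -1, 0 }

// Sign signs under the active pseudonym and moves on after a random number of messages.
func (v *Vehicle) Sign(payload []byte) (*V2XMessage, error) {
	if v.remaining == 0 {
		n, _ := rand.Int(rand.Reader, big.NewInt(maxRun))
		v.current, v.remaining = v.current+1, int(n.Int64())+1
	}
	if v.current >= len(v.pool) {
		return nil, ErrPoolExhausted
	}
	p := v.pool[v.current]
	sig, err := sign(p.key, payload)
	if err != nil {
		return nil, err
	}
	v.remaining--
	return &V2XMessage{Payload: payload, PubKeyDER: p.pubKeyDER, CASig: p.caSig, Sig: sig}, nil
}

// Verify is the receiver side: CA endorsement of the pseudonym key, then the message signature.
func Verify(msg *V2XMessage, caPub *ecdsa.PublicKey) error {
	if !verify(caPub, msg.PubKeyDER, msg.CASig) {
		return errors.New("pseudonym certificate not issued by the trusted CA")
	}
	pub, err := x509.ParsePKIXPublicKey(msg.PubKeyDER)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok || !verify(ecPub, msg.Payload, msg.Sig) {
		return errors.New("bad message signature")
	}
	return nil
}
```

To drive it: generate the CA key with newKey, call IssuePool(caKey, n), install the pool on a Vehicle with Renew, then Sign on the car side and Verify with the CA public key on the receiver side. Once Sign returns ErrPoolExhausted, a second Renew with a fresh pool is the equivalent of the garage visit. Two messages signed under different pseudonyms share no key material, so an observer cannot tie them to the same car from the certificate alone; messages within one pseudonym's run are linkable, which is why the run length is short and random.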

Agenda
1. At the heart of digital transformation
2. CARA: the 4 risk dimensions
3. Which security measures?
4. Final thoughts►

4 recommendations towards security for the IoT
Do not secure the IoT devices like your usual IT!
1. Talk with the business stakeholders
It is important to understand the business stakes during the whole device lifecycle, in order to clarify and anticipate possible risks. Stakeholders to involve: marketing and sales, manufacturers, human resources, the board, supply chain management, research and development, administration, the legal department.

4 recommendations towards security for the IoT
2. Clarify the use cases
The risks of connected devices may differ depending on the usages and the setting (CARA). Furthermore, depending on your industry, the devices will not be used the same way.
Examples in banking: NOTIFICATION (low risk), CONSULTATION, MODIFICATION, TRANSACTION (high risk)

4 recommendations towards security for the IoT
3. Analyze the market and the platforms
Two relatively similar devices may not be equally secured. It becomes necessary to identify the specifics of the platforms and the associated limits.
Platforms shown: Tizen, Pebble OS, Micrium, Android, watchOS, FreeRTOS, I'M DROID…

4 recommendations towards security for the IoT
4. Think outside the box to implement security
Take into account the context in which connected devices evolve, as well as their characteristics: autonomy, range, user experience…

4 recommendations towards security for the IoT (recap)
Do not secure the IoT devices like your usual IT!
1. Talk with the business stakeholders
2. Clarify the use cases
3. Analyze the market and the platforms
4. Think outside the box to implement security

www.solucom.fr
Chadi HANTOUCHE
Cybersecurity Senior Manager
chadi.hantouche@solucom.sg
@chadihantouche

Null Singapore - Can We secure the IoT - Chadi Hantouche

  • 1. The INTERNET of THINGS? March 16th, 2016 Chadi HANTOUCHE Cybersecurity Senior Manager @chadihantouche Can we SECURE
  • 2. 2 Agenda 1. At the heart of digital transformation► 2. CARA: the 4 risk dimensions 3. Which security measures? 4. Final thoughts
  • 3. 3 Connected devices are expanding in all areas Home automation Physical security Healthcare and comfort Light bulbs Thermostats Thermometers TVs Door locks Wristbands Smoke detectorsCCTVs CarsBike sensors Forks Tensiometer Heart rate monitorsGlasses Watches Trackers Strollers Keychains Padlocks Vehicles and mobility Roller blinds 16 March 2016 - Property of Solucom, all rights reserved
  • 4. 4 26 billion 30 billion 50 billion 80 billion 212 billion Billions of smart devices announced for 2020… Some estimations are quite high… … and some others more moderate! 16 March 2016 - Property of Solucom, all rights reserved
  • 5. 5 …but projects and PoCs are already here! Singapore V2x initiative John Hancock policy holders who wear Internet-connected Fitbit can get discounts of up to 15% on their life insurance policy. John Hancock + Fitbit Allianz partnered with Nest Labs in order to give every new subscriber a smoke detector. Allianz + Nest Labs BMW Innovation introduced at CES 2015 a car model that can be remotely controlled by a smartwatch. BMW + Samsung 16 March 2016 - Property of Solucom, all rights reserved In 2015, the EDB of Singapore has largely funded the US$16 million that will be pumped into the NTU-NXP (semi-conductors firm) project, involving 100 vehicles and 50 roadside units within 4 years
  • 6. 6 A broader attack surface for cybercriminals Examples of attacks on smart devices Personal data theft of the carrier, pacemaker control (sending shocks possibly leading to a heart attack), possibility of infecting other pacemakers in range. Use of a Web browser to take control of the camera, change the DNS settings and inject viruses into other applications. Black Hat USA: demonstration of a remote pacemaker hack Remote Intrusion, including the ability to kill the engine, engage or disable the brakes, or track the car’s GPS position. Black Hat USA: demonstration of a Jeep Cherokee complete remote control Black Hat USA: demonstration of an intrusion on a connected TV Demonstration of attacks on the Smart home control hubs from connected devices (NEST Thermostat, INSTEON Hub…). Black Hat USA: demonstration of attacks on home connected devices 16 March 2016 - Property of Solucom, all rights reserved
  • 7. 7 Risk categories are shared by all connected devices Heart rate monitorsThermometers Blood pressure monitors Baby-strollers Smartwatches Roller blinds Thermostats Door locks CCTVs Personal data leakage Loss of collected data’s confidentiality and integrity Endangering safety of persons Denial of service Access control bypass Unavailability of the sensor/device … Cars Smoke detectors Light bulbs Home automation Healthcare Physical security Mobility 16 March 2016 - Property of Solucom, all rights reserved
  • 8. Agenda: 1. At the heart of digital transformation; 2. CARA: the 4 risk dimensions ►; 3. Which security measures?; 4. Final thoughts
  • 9. Risk dimensions of connected devices: 4 possible settings for smart devices in a business context (CARA).
    - Create: companies that manufacture connected devices must take security into account from the design phase, since they have a responsibility towards their customers.
    - Acquire: companies that buy connected devices and deploy them internally share responsibilities on technology choices and integration phases.
    - Recommend: companies that recommend connected devices to their customers have a diffuse responsibility that extends over time regarding those customers.
    - Accommodate: companies that allow the use of employees' connected devices (as a BYOD service) have to protect professional data.
  • 10. Risk dimensions of connected devices: the risks depend on the organization's/company's setting.
    - Create: discovering security flaws in connected devices could endanger users or their data, and therefore the reputation and liability of the manufacturer.
    - Acquire: integration of these new technologies within the business processes without proper security, which could increase the IT systems' attack surface.
    - Recommend: leakage of (possibly personal) data or physical damage that could lead to company liability or reputation damage.
    - Accommodate: loss or theft of corporate data to which connected devices have access, or intrusion facilitation.
  • 11. A simple tool to interact with business stakeholders: the heat map. The grid crosses the four settings (CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE) with the usages (USE 1, USE 2, USE 3, USE 4); its two scales are the usages' risk levels and the complexity to customize security.
  • 12. Practical applications in a B2C banking context. Examples of business requests:
    - "I would like to reflect an innovative image by allowing our customers to virtually browse their investment portfolio!"
    - "New smartwatches are released, we need an application! Besides, we must boost our smartphone applications with new features."
    - "We would like to simplify the payment process without being overtaken by GAFA, could we test contactless payment wristbands?"
    - "It would be really great to recognize customers when they enter the branch!"
    - "What if we equipped our advisors with wristbands to perform digital signatures?"
  • 13. Practical application of the heat map in a B2C banking context. Usages, by rising risk level: NOTIFICATION, CONSULTATION, MODIFICATION, TRANSACTION. Settings: CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE (scale: complexity to customize security). Use cases placed on the map: contactless payment with a connected wristband; customer identification with Google Glass; digital signature with a smartwatch; stock portfolio 3D visualization with Oculus Rift; account notification and checking on a smartwatch; account data change or transaction with a smartphone.
  • 14. Practical application: risk zone identification. The same map (usages NOTIFICATION, CONSULTATION, MODIFICATION, TRANSACTION by risk level; settings CREATE, ACQUIRE, RECOMMEND, ACCOMMODATE by complexity to customize security; the six banking use cases above) is then used to identify the risk zones.
  • 15. Agenda: 1. At the heart of digital transformation; 2. CARA: the 4 risk dimensions; 3. Which security measures? ►; 4. Final thoughts
  • 16. Security measures are the usual ones…
  • 17. …but their implementation must be innovative!
  • 18. …but their implementation must be innovative! Four constraints specific to connected devices:
    - Computing: limited processing power.
    - Connectivity: take into account that communication with connected devices is usually done over Bluetooth or NFC connections.
    - User experience: possible actions strongly depend on the size, form factor and features of the device! Typing a password on a small screen would be difficult for the user (see Apple's recommendations for Apple Watch developers).
    - Battery life: devices with the same OS can have very different battery lives; pay attention to implementation choices, e.g. for data encryption (asymmetric vs. symmetric encryption).
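The battery-life and connectivity points above are where the asymmetric-vs-symmetric choice bites: a wristband talking to a reader over NFC or Bluetooth cannot afford a public-key operation per message. The Go program below is an added example written for this page (it is not code from the presentation or from any vendor): it runs one P-256 ECDH agreement per pairing and then protects every message with AES-GCM under a counter nonce, rejecting replayed and reflected messages. The wristband/reader roles, the SHA-256 key derivation, the 64-bit sequence header and the payment strings used when exercising it are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Session is the symmetric state each side keeps after one key agreement.
// Every later message costs one AES-GCM operation, which a wristband battery
// can afford; the expensive ECDH step runs once per pairing, not per message.
type Session struct {
	aead    cipher.AEAD
	role    byte   // 0 = wristband, 1 = reader; keeps the two directions' nonces apart
	sendSeq uint64 // counter used as nonce: no per-message RNG, never repeats per key
	recvSeq uint64 // highest sequence accepted so far, for replay rejection
}

// NewSession derives an AES-256 key from one ECDH agreement. Hashing the shared
// secret with a label is an assumed simplification; real designs use HKDF.
func NewSession(own *ecdh.PrivateKey, peer *ecdh.PublicKey, role byte) (*Session, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, "wristband-session-v1"...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead, role: role}, nil
}

// nonceFor builds a 96-bit GCM nonce from the sender's role and sequence number.
func nonceFor(role byte, seq uint64) []byte {
	n := make([]byte, 12)
	n[0] = role
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts and authenticates one message as seq || ciphertext || tag; the
// sequence header is bound to the ciphertext as additional data.
func (s *Session) Seal(plain []byte) []byte {
	s.sendSeq++
	hdr := binary.BigEndian.AppendUint64(nil, s.sendSeq)
	return s.aead.Seal(hdr, nonceFor(s.role, s.sendSeq), plain, hdr)
}

// Open checks the tag and rejects replays: the sequence must strictly increase.
// A lossy link such as BLE would track a sliding window instead of one counter.
func (s *Session) Open(box []byte) ([]byte, error) {
	if len(box) < 8+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	seq := binary.BigEndian.Uint64(box[:8])
	if seq <= s.recvSeq {
		return nil, errors.New("replayed or out-of-order message")
	}
	// The peer's role goes into the nonce, so a message reflected back to its
	// own sender fails authentication instead of being accepted.
	plain, err := s.aead.Open(nil, nonceFor(1-s.role, seq), box[8:], box[:8])
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	s.recvSeq = seq
	return plain, nil
}

// Pair runs the one-time key agreement between a wristband and a payment
// reader. The public keys would cross the NFC tap or BLE pairing; here both
// sides live in one process (assumed simulation).
func Pair() (band, reader *Session, err error) {
	bandKey, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	readerKey, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if band, err = NewSession(bandKey, readerKey.PublicKey(), 0); err != nil {
		return nil, nil, err
	}
	reader, err = NewSession(readerKey, bandKey.PublicKey(), 1)
	return band, reader, err
}
```

After `Pair()`, every `band.Seal` / `reader.Open` pair is two AES-GCM calls and no public-key arithmetic, so the per-message cost stays flat however long the wristband is used. The strictly increasing counter is the simplest replay defence; a design for a lossy radio link would replace it with a receive window.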
  • 19. … and which should be prioritized (grouped on the slide by setting: Create, Acquire, Accommodate, Recommend):
    - Integrate security in the early design phases.
    - In particular, ensure security update capabilities throughout the (possibly long) device lifecycle.
    - Ensure that device identities are properly managed.
    - Request custom hardening from the manufacturers.
    - Clearly define liabilities (and data ownership).
    - Ensure regulatory compliance.
    - Ensure the recommended devices have a proper security level.
    - Make users aware of their responsibilities.
    - Enforce a user charter.
    - Reuse previous BYOD projects.
    But also: think outside the box!
  • 20. Example of innovative security. Another use case: connected cars and roads, with a strong need for both integrity and privacy (source: PRESERVE Project, www.preserve-project.eu).
    - The car embeds an HSM and hundreds of certificates.
    - The certificate used to ensure the integrity of messages is changed at a random frequency.
    - When going to the garage for a tune-up, the certificates can be renewed.
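To make the scheme on this slide concrete, here is an added Go simulation written for this page; it is not PRESERVE project code and does not reproduce that project's formats. A toy authority issues a pool of P-256 pseudonym key pairs, the on-board unit signs each message with the active one and switches to another at a random point, and a verifier checks integrity without learning which car sent the message; renewing the pool makes the old pseudonyms stop verifying. The directory lookup (in place of a certificate attached to each message), the 5-to-20-message rotation window, the CAM-style payload strings used when exercising it, and the unexported private key standing in for the HSM are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"math/big"
)

// Pseudonym stands in for one short-lived certificate: an opaque identifier and
// a key pair whose private half would live inside the car's HSM (simulated here).
type Pseudonym struct{ ID string; priv *ecdsa.PrivateKey }

// CA is a toy pseudonym authority. Real deployments attach the certificate to
// each message and check the authority's signature on it; the lookup directory
// is an assumed simplification that keeps the example short.
type CA struct{ directory map[string]*ecdsa.PublicKey }

func NewCA() *CA { return &CA{directory: map[string]*ecdsa.PublicKey{}} }

// Issue creates one pseudonym; its identifier is a key hash, unrelated to the car.
func (ca *CA) Issue() (*Pseudonym, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(priv.PublicKey.X.Bytes())
	p := &Pseudonym{ID: hex.EncodeToString(sum[:8]), priv: priv}
	ca.directory[p.ID] = &priv.PublicKey
	return p, nil
}

// SignedMessage is what goes over the air: payload, pseudonym id and signature.
type SignedMessage struct{ Payload, Sig []byte; PseudonymID string }

// Verify checks integrity against the pseudonym's key and learns nothing about
// which vehicle sent the message; an unknown (expired) pseudonym fails.
func (ca *CA) Verify(m SignedMessage) bool {
	pub, ok := ca.directory[m.PseudonymID]
	h := sha256.Sum256(m.Payload)
	return ok && ecdsa.VerifyASN1(pub, h[:], m.Sig)
}

// Vehicle simulates the on-board unit: a pseudonym pool, the active index and
// a random message budget after which the active pseudonym is switched.
type Vehicle struct {
	pool           []*Pseudonym
	active, budget int
}

func randInt(n int) int { // uniform value in [0, n) from the system CSPRNG
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// Renew loads n (at least 2) fresh pseudonyms, as at manufacture or during the
// garage tune-up; the authority forgets the old ones, so stale messages fail.
func (v *Vehicle) Renew(ca *CA, n int) error {
	for _, p := range v.pool {
		delete(ca.directory, p.ID)
	}
	v.pool = nil
	for i := 0; i < n; i++ {
		p, err := ca.Issue()
		if err != nil {
			return err
		}
		v.pool = append(v.pool, p)
	}
	v.active, v.budget = randInt(n), 5+randInt(16) // assumed window: 5..20 messages
	return nil
}

// Rotate switches to a different pseudonym and draws a new random budget, so
// an observer cannot predict when the identifier changes.
func (v *Vehicle) Rotate() {
	v.active = (v.active + 1 + randInt(len(v.pool)-1)) % len(v.pool)
	v.budget = 5 + randInt(16)
}

// Sign signs one message under the active pseudonym; once the budget is used
// up it rotates, so later messages stop being linkable by identifier.
func (v *Vehicle) Sign(payload []byte) (SignedMessage, error) {
	p := v.pool[v.active]
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, h[:])
	if err != nil {
		return SignedMessage{}, err
	}
	if v.budget--; v.budget <= 0 {
		v.Rotate()
	}
	return SignedMessage{Payload: payload, PseudonymID: p.ID, Sig: sig}, nil
}
```

Call `Renew` once to load the pool, then `Sign` each outgoing message; the only thing an eavesdropper can correlate across messages is the pseudonym identifier, and that changes at an unpredictable point. The two properties the slide asks for are visible in the verifier: a modified payload fails the signature check (integrity), while a valid one reveals only a key hash (privacy).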
  • 21. Agenda: 1. At the heart of digital transformation; 2. CARA: the 4 risk dimensions; 3. Which security measures?; 4. Final thoughts ►
  • 22. 4 recommendations towards security for the IoT: do not secure the IoT devices like your usual IT! 1) Talk with the business stakeholders: it is important to understand the business stakes during the whole device lifecycle, in order to clarify and anticipate possible risks. Stakeholders shown: marketing and sales, manufacturers, human resources, the board, supply chain management, research and development, administration, the legal department.
  • 23. 4 recommendations towards security for the IoT: do not secure the IoT devices like your usual IT! 2) Clarify the use cases: the risks of connected devices may differ depending on the usages and the setting (CARA). Furthermore, depending on your industry, the devices will not be used the same way. Examples in banking, from low risk to high risk: NOTIFICATION, CONSULTATION, MODIFICATION, TRANSACTION.
  • 24. 4 recommendations towards security for the IoT: do not secure the IoT devices like your usual IT! 3) Analyze the market and the platforms: two relatively similar devices may not be equally secured. It becomes necessary to identify the specifics of the platforms and the associated limits. Platforms shown: Tizen, Pebble OS, Micrium OS, Android, watchOS, FreeRTOS, I'm Droid.
  • 25. 4 recommendations towards security for the IoT: do not secure the IoT devices like your usual IT! 4) Think outside the box to implement security: take into account the context in which connected devices evolve, as well as their characteristics: autonomy, range, user experience…
  • 26. 4 recommendations towards security for the IoT: do not secure the IoT devices like your usual IT!
    - Talk with the business stakeholders: it is important to understand the business stakes during the whole device lifecycle, in order to clarify and anticipate possible risks.
    - Clarify the use cases: the risks of connected devices may differ depending on the usages and the setting (CARA). Furthermore, depending on your industry, the devices will not be used the same way.
    - Analyze the market and the platforms: two relatively similar devices may not be equally secured. It becomes necessary to identify the specifics of the platforms and the associated limits.
    - Think outside the box to implement security: take into account the context in which connected devices evolve, as well as their characteristics: autonomy, range, user experience…
  • 27. www.solucom.fr Chadi HANTOUCHE Cybersecurity Senior Manager chadi.hantouche@solucom.sg @chadihantouche