Iot secure connected devices indicthreads
Download as PPT, PDF1 like596 views
The document discusses strategies for building secure connected devices, emphasizing the importance of established security standards and transport layer security (TLS) for device interactions. It highlights the risks associated with increased attack surfaces and the need for comprehensive user authentication and device management. Additionally, it addresses concerns about malware and the necessity of strong encryption and firmware management to mitigate potential security vulnerabilities.
Iot secure connected devices indicthreads
- 1. Building Secure Connected Devices Kedar Sovani
- 2. Who am I? • IoT @ Marvell for 7 years • 1st Apple HomeKit SDK, 1st Google Weave on μC • Powering millions of Wi-Fi IoT devices in the field
- 9. Google for the term IoT Security
- 10. Result Type I: Doomsday Hacking Scenarios
- 11. Yes, security is a concern • Increased surface area for attacks • Connects to the physical world around us • Newer and tinier hardware • Newer developers
- 12. Courtesy: Darkreading.com Result Type II: Buy Our Product
- 13. But How Do I Build for Security?
- 14. Secure By Design
- 20. Remote Access
- 22. Standards! • No home-grown security schemes • Rely on established security standards #2
- 23. TLS • Transport Layer Security • Certificate-based Server Authentication • Secure Key Exchange • Encrypted Channel • Certificate-based Device Authentication • Secures Bank Transactions
- 24. Technology Advancements • Hardware Capability • Memory • CPU • Strong Software • Many Open Source implementations
- 26. Courtesy: Ars Technica An interesting search engine
- 28. Malformed Content? • What about: malware/viruses? • Communicate with known server • controller by known entities • Write protection
- 30. Local Access
- 32. Local Network • Acts as a client for outside world • router firewall • Encrypted traffic at the MAC layer • Requires Password/Certificate for access (explicit delegation)
- 33. Switch Network? • Remember AP Security • Force physical access to reset-to-factory
- 35. Authenticate the other endpoint! #3
- 36. Authenticate the other endpoint!
- 38. Compromised User • Guest access to the network? • Malware on user’s phone? • Additional Cryptographic layers on top of the MAC layer • User Management
- 39. Tradeoff
- 40. Physical Access
- 43. Physical modification • Change the server address/keys? • Change the firmware? • Trusted Boot • Signed Firmware • Encryption
- 44. Device Phishing • Completely change the device? • Device Authentication – PKI
- 45. Zarro Boogs Found! • Firmware upgradeability • Connectivity Bonus: evolving appliances • Fix security vulnerabilities • Possible attack vector
- 46. Scrutinize #4
Editor's Notes
- #22: Mention that direct access to the device is protected by the gateway/firewall man in the middle - read/modify traffic replay - open door lock dns spoof - redirect to malicious server
- #27: Talk about user-association challenges, TLS, authorized APIs OLA Money example
- #32: From an attacker’s point of view, attack vector limited to being near each device and then exploiting the vulnerability
- #35: From an attacker’s point of view, attack vector limited to being near each device and then exploiting the vulnerability