Date posted: 22-Jan-2018
Uploaded by: jeff-katz
A Survey of Structural Insecurities in IoT
Jeff Katz
Senior Practice Lead IT / Engineering
Telefónica Germany NEXT GmbH
» The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it's shipped… We simply have to fix this. «
– Bruce Schneier, Wired, 2014
What’s IoT?
• Industrial
• Agricultural
• Smart City
• Consumer (Smart Home, etc.)
There are forecast to be 28 billion connected devices worldwide by 2021
Almost 16 billion of them will be IoT devices
IoT devices will overtake mobile phones as the largest category of connected devices in 2018
This will be driven by the spread of smart meters and connected cars, as well as by consumer devices
The number of IoT devices in Western Europe is projected to quadruple between 2015 and 2021
The Consumer IoT Market
How an idea becomes an IoT solution
– Let’s pretend: We are ”Melkin”, a multinational consumer device company, and we want to make a connected baby monitor
– Two-way audio streaming, there’s an app, etc.
Let’s explore who is involved in bringing this product to shelves
Any resemblance to any real companies or products is strictly coincidental and not intended. This is not the story of a real product.
The Service
– We’re going to start with the App, and what we want the user experience to be
– External design agency engaged
– Click-dummy delivered
– External app agency engaged
– iOS, Android, etc. delivered under budget and time pressure
– Often developed before the hardware is even done
The ODM
– Factory in Guangzhou, China
– Manufactures Baby Monitors for many multinational companies
– Take existing model that matches our requirements
– Develop new plastics for it
– Firmware based on reference design from Chipset Manufacturer
– Completely white-label
(This is a real company and this is really how this works)
The Chipset Manufacturer
– Wants to sell chips
– Provides bare-minimum reference designs that show how to get something working
– Not responsible for end product, at all.
The Branded Device
– Purchased at retail from Big Box Store
– Provides the data and interface to provide the service
– What the customer installs in their home, next to their baby
– Connects to home Wi-Fi
– Firmware developed by agency, based on reference from the ODM
– Melkin is responsible for warranty, sales, support, etc.
The Platform
– Needs to connect the service to the device
– Should have minimal impact on the final cost of the device
– Contracted by a third party, either build or buy—Melkin doesn’t want to deal with it. Best case: fully outsourced and managed. Worst case: managed by Melkin
– Provides examples (firmware, app) of how to communicate with it
– Will work as long as they are paid for it
Overview
– App design: Outsourced
– App implementation: Outsourced
– Hardware Design: Outsourced
– Firmware: Outsourced, based on an outsourced example (the ODM’s) that is itself based on the outsourced Chipset Manufacturer’s example
– Platform: Outsourced
– Seller: Retail Store
– Connectivity: Home Wi-Fi (ISP), Home Router
– Final Product Responsibility: Melkin
What to do / Where to address?
– Let’s fix the perverse incentives: Companies require security but actively choose against suppliers who price it into their offers.
– GDPR is a huge help—significant fines for bad behavior for the end-responsible company
– Need to spread responsibility to all involved parties
– Proliferation of bad examples: Let’s build security in from the very beginning—Chipset manufacturers, Reference Designs, etc.
– Education and guides on what to look for in products
– Financial incentives, positive or negative
– More openness: Open source, open spec, open APIs. Breaking the dependency chain needed to release a product.
Thank you. Let’s talk!
Jeff Katz
Senior Practice Lead IT / Engineering
Telefónica Germany NEXT GmbH
[email protected] • [email protected] • @kraln
https://developers.geeny.io
Join the Geeny developer community!