Some IoT Security Learnings


© EVRYTHNG INC. | 2016 | COMMERCIAL & CONFIDENTIAL

Smarter products come with EVRYTHNG

Some IoT Security Learnings & Perspectives: From a Developer's / CTO's viewpoint

Dominique Guinard, CTO & co-founder, @domguinard, @EVRYTHNG

What’s the IoT? Have you been sleeping for the past few years?

“The IoT is a science primarily focusing on creating the most complex ways of turning lights on.” [@domguinard]

@ConnectEvrythng © EVRYTHNG Limited | Confidential | 2013 | @EVRYTHNG © EVRYTHNG | Confidential | 2014

Pre IoT

Post IoT

Really need a better definition? Okay...

▪ DEFINITION: The Internet of Things is a system of physical objects that can be discovered, monitored, controlled, or interacted with by electronic devices that communicate over various networking interfaces and eventually can be connected to the wider Internet.

EVRYTHNG? In a nutshell!

EVRYTHNG in a Nutshell

▪ ~60 people worldwide in 2017

▪ New York, London, San Francisco

▪ 1/2 Billion unique managed THNGS

▪ 100s of Billions of managed products

We are hiring! https://evrythng.com/about/jobs/

What do we provide?

Any consumer application Any business application or ecosystem

Any product with tags Any product with connectivity

Free tier for developers on: http://developers.evrythng.com

EVRYTHNG: The Web of Things Platform

[Architecture diagram. Labels recovered from the slide: Tagged products; Connected products; THNGHUB; EVRYTHNG CLOUD / LOCAL; Clouds; Web & Native Apps; Dashboards; REST / MQTT / CoAP / WS; via gateway; direct; Cloud 2 Cloud Plug-ins; APIs & SDKs; Mobile & Web SDKs; Metrics Engine; Big data DB; THNG Push; THNG Access; ADI Engine; ENTERPRISE; Reactor; THNGScan]

▪ 10 billion “born digital” apparel products by 2017

▪ Identity as NFC, QR, UHF RFID - Activation by brands

▪ Rochambeau:

▪ Jacket comes with personalized content and VIP event/retail experiences to enhance ownership

Success Story

Case Study

▪ iHome uses EVRYTHNG for their next-gen family of smart home products

− 4 different products: smart plugs, smart monitors, etc.

− 1 of 5 initial HomeKit certified products

− Uses out-of-the-box Marvell toolkit for devices with MQTT support

− Integrated with Nest, SmartThings, Wink, and with iHome CRM

− Android and iOS apps for setup, creating scenes, timers and granting access to other users

Success Story

Learnings #1: Don’t re-invent the wheel; your wheel won’t be secure for years!

Choose your network protocols wisely!

Reuse the Web: Web of Things Architecture

▪ Converge all the Things towards Web protocols!

− Web Gateway

▪ WoT principles:

▪ Reuse the Web!

▪ => Choose secure Web protocols

− HTTPS, WSS with TLS

▪ Unless:

− Battery powered

− Very low-power

− Need for a mesh

Learnings #2: #1 sometimes does not work… sorry!

“Good” excuses (today):

▪ Battery powered?

▪ Very low-power?

▪ Need for a mesh?

Very different breeds of embedded devices!

Multicores, 32-64 bits, X GB of RAM, X GB of Flash

VS

Microcontroller, 8 bits, X KB of RAM, X KB of ROM

There is hope!

Learnings #3: People don’t change passwords, they just don’t!

Get the basics right!

▪ DynDNS DDoS “IoT” attacks Oct 21 2016:

− Based on devices with default passwords

▪ CloudPet IoT kids attack:

− No password on exposed MongoDB

▪ Many IoT devices not using TLS

There are nice tools that can help!

▪ OWASP IoT

▪ GSMA IoT Security Self-Assessment

▪ Shodan.io

▪ Hire a security professional!

Learnings #4: You will need to release security fixes to Things, and people don’t like downloading patches on fridges...

Very different breeds of embedded devices!

▪ Good dual firmware solutions for low-power RTOS devices

− Beware: certificates do expire!

− Wink Hub 2015

VS

▪ Great container-based solutions for Linux-based devices
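As an added example (not code from the slides or from EVRYTHNG), the "basics" of Learnings #1, #3 and #4 applied on the device side in Python: a TLS context that verifies the backend and refuses anything below TLS 1.2, a scheme check that rejects plaintext HTTP/WS/MQTT endpoints, and an expiry guard for a certificate baked into firmware. The `mqtts` label and the sample dates are assumptions made for the example.

```python
import ssl
import time
from urllib.parse import urlparse

# Schemes Learning #1 recommends (HTTPS, WSS over TLS). "mqtts" is an assumed
# label for MQTT over TLS, not an endpoint name taken from the slides.
SECURE_SCHEMES = {"https", "wss", "mqtts"}
PLAINTEXT_TO_SECURE = {"http": "https", "ws": "wss", "mqtt": "mqtts"}


def build_device_tls_context(ca_bundle_path=None):
    """TLS settings a Linux-class device should use towards its cloud:
    verify the server chain, check the hostname, refuse anything below 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_endpoint(url):
    """Return (ok, reason). Plaintext schemes are refused and the secure
    replacement named; unknown schemes are refused outright."""
    scheme = urlparse(url).scheme.lower()
    if scheme in SECURE_SCHEMES:
        return True, f"{scheme} is TLS-protected"
    if scheme in PLAINTEXT_TO_SECURE:
        return False, f"{scheme} is plaintext; use {PLAINTEXT_TO_SECURE[scheme]}"
    return False, f"unsupported scheme {scheme!r}"


def days_until_expiry(not_after, now=None):
    """`not_after` in the form ssl getpeercert() reports it,
    e.g. 'Jan  5 09:30:00 2027 GMT'; `now` is epoch seconds (UTC)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def cert_rotation_due(not_after, now=None, warn_days=90):
    """Learning #4: certificates baked into firmware expire. Flag them
    early enough that a firmware update can still be shipped in time."""
    return days_until_expiry(not_after, now) < warn_days


if __name__ == "__main__":
    ctx = build_device_tls_context()
    print(ctx.minimum_version, check_endpoint("mqtt://broker.example.com"))
    # Constructed sample: 'now' is 2026-01-05 09:30 UTC, cert expires 26 days later.
    print(cert_rotation_due("Feb  1 00:00:00 2026 GMT", now=1767605400))
```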

Container for all the Things: Resin.io

[http://resin.io]

A Store of Containers for all the Things: Ubuntu Core

[https://www.ubuntu.com/core]

Some thoughts for the (not so far) future!

“[...] Next comes ubiquitous computing, or the age of calm technology, when technology recedes into the background of our lives [...]” [Mark Weiser, 1988]

A device on the Internet = a device on the Internet!

● DDoS attacks against IoT devices

● UDP flooding / TCP SYN attacks

● Hacking the physical world

Think usable security

● How do we make security more accessible to the masses?

● Make security experts and usability experts work together!

IoT Things and Devices generate data: privacy?

● People are actually used to giving away their privacy (mobile phone?) for a real benefit

● Empower people to understand what they share and monetize it

Trust @ IoT: Blockchains might help!

▪ Nice properties of blockchains:

− Coordination

− Resilience

− Compliance

− Consensus

− Transparency

− Immutability

− Security

− Trust

Every Action in the EVRYTHNG system can now be automatically backed by a corresponding Blockchain transaction that guarantees the Action was genuine and hasn't been tampered with.

39% off “Building the Web of Things” with code “39guinard” on http://manning.com

Contact: @domguinard, http://dom.guinard.org

See: http://book.webofthings.io

We are hiring!