December, 2016 Test and Verification Solutions IoT Security Helping companies develop products that are: Reliable, Safe and Secure.

December, 2016 IoT Security - T&VS · • Most IoT products have security measures that are 10 years out of date • HP: 70% of the IoT devices and sensors examined were susceptible


Page 1

December, 2016

Test and Verification Solutions

IoT Security

Helping companies develop products that are:

Reliable, Safe and Secure.

Page 2

Agenda

• IoT Security issues

• Re-building trust in IoT

• About the IoT Security Foundation

• T&VS IoT Lab

Page 3

Copyright T&VS Limited | Private & Confidential | Page 8

IoT: What more can be said?

▪ $: The economic impact of the Internet of Things will be measured in $trillions.

▪ ∑: The number of connected devices will be measured in billions.

▪ ∞: The resultant benefits of a connected society are significant, disruptive and transformational.

Page 4

But we can’t carry on like this

Page 5

IoT headlines – lack of consumer trust

Page 6

Example - IoT issues

▪ (1) Nest Protect smoke alarm fault in 2014. The alarm could be deactivated by waving at the device, putting it into sleep mode.

• Fix – users had to disable the wave gesture feature, and a patch was made available via wifi.

▪ (2) Nest home thermostat recent fault meant the heating would deactivate and could not be turned back on.

• Fix – a manual reset or 9 step procedure.

▪ (3) Nest Cam and Dropcam frequent outages on service for live home streaming – potential baby monitoring.

• Fix – no fix yet; it was a service outage on the live video streams.

Page 7

Botnet DNS attack

▪ Hackers hijacked millions of IoT devices

▪ Sent vast amounts of junk traffic at DNS services operated by US company Dyn

▪ Popular websites inaccessible.

“Two things are clear, however: the freewheeling idiots of the Internet of Things business need the fear of regulation put into them – and so do network owners and operators.”

Page 8

Why are IoT devices so vulnerable?

Connected devices create an increased level of intrusion, generating new types and unprecedented quantities of data, raising potential quality and security issues.

Quality Assurance

• Nest home thermostat had a fault where the heating would deactivate and not be turned back on

• Petnet smart pet feeder recent incident saw a third-party server service failure, causing pet feeds to be missed.

Security

• Most IoT products have security measures that are 10 years out of date

• HP: 70% of the IoT devices and sensors examined were susceptible to the vulnerabilities in the OWASP IoT Top 10

Connectivity standards

• onem2m • Open Interconnection Consortium • Wireless IoT forum • IETF • ZigBee Alliance • Industrial Internet Consortium • ITU • AllSeen Alliance • GSMA • IEEE • AllJoyn • Thread

Page 9

Standards bodies – building TRUST

▪ The BSI (British Standards Institute) attempts to build TRUST with consumers

• Can we build standards that guarantee some level of confidence?

▪ Do we need different levels of confidence?

• Autonomous car vs. smoke detector vs. pet feeder

• In safety systems we start with a hazard analysis

• From that we can set an integrity level

• And that implies different levels of development practices

▪ The NMI prefers levels of sign off

• Self-certification

• External certification

• Independent certification

• Full certification against industry standards

Page 10

Building consumer trust in the IoT

▪ Regulation

• By Government?

• The need is too immediate

• Things are changing too quickly

▪ Self-regulation

• The IoTSF approach

• But backed by audits by customers and independent bodies

▪ Independent bodies

• Independent testing labs

• Collaborating with bodies such as the British Standards Institute

▪ Legal action – USA class action suits

Page 11

10/04/2017 Public 19

IoT Security Foundation (IoTSF)

Introduction 2016

Page 12

Introducing the Internet of Things Security Foundation

The IoT Security Foundation was launched on Sept 23rd 2015 in response to wide-ranging concerns from multiple stakeholder groups regarding the security aspects of IoT deployment.

Page 13

Our Values

▪ SECURITY FIRST – Designed in at the start

▪ FIT FOR PURPOSE – Right-sized for application

▪ RESILIENCE – Through operating life

www.iotsecurityfoundation.org

Page 14

Executive Steering Board

Prof. John Haine, Chair, University of Bristol

Prof. David Rogers, CEO, Copper Horse Solutions

Prof. Ben Azvine, Global Head of Security Research, BT

Prof. Kenny Paterson, RHUL

Ken Munro, Partner, PenTest Partners

Dr. Steve Babbage, Chief Cryptographer, Distinguished Engineer, Vodafone Group

Haydn Povey, CEO, Secure Thingz

John Moor, IoTSF MD

Majid Bemanian, Director Segment Marketing, Imagination Technologies

Richard Marshall, Xitex Ltd.

Page 15

Working Across Continents


Online Collaboration Platform Physical Meetings

Page 16

We invite you to join us!


More than 70 members in 1st year.

Now “brands” joining each month. See https://iotsecurityfoundation.org/our-members/

Page 17

How we are organized

Members

Plenary Group

Executive Steering Board

Working Groups

Working Group 1: Self-Certification

Working Group 2: Connected Consumer / Home

Working Group 3: Patching Constrained devices

Working Group 4: Vulnerability Disclosure

Working Group 5: IoT Landscape

2016 Priority Working Groups chaired by: Mike Bartley, T&VS

Page 18

Working Group 1: Self-Certification Scheme

The objective of this working group is to determine appropriate requirements for a low-cost, accessible and fit-for-purpose system of self-certification in order to improve the quality and pervasiveness of security in IoT products.

27Confidential & copyright © IoTSF 2016

Self-certificate

Is this the way forward?

Page 19

Working Group 2: Connected Consumer Products

This working group is producing security best practice guidelines for various classes of consumer devices which cover important topics such as:

➢ Classification of Data

➢ Physical Security

➢ Device Secure Boot

➢ Secure Operating System

➢ Application Security

➢ Credential Management

➢ Encryption

➢ Network Connections

➢ Software Updates

➢ Logging

Page 20

Working Group 3: Patching Constrained Devices

A major challenge for low cost IoT systems will be how to ensure systems are maintained and updated over their life cycle. This working group will produce best practice guidance for systems deploying constrained-resource elements.

Page 21

Working Group 3: Patching Constrained Devices – Members

Starware Design

Page 22

Working Group 4: Framework for Vulnerability Disclosure

What happens when a researcher identifies security vulnerabilities in your product or service? This working group seeks to educate on the need for establishing a channel of communication and determining a framework of best practice for both researchers and companies to follow.

Page 23

Working Group 5: IoT Security Landscape

This working group maps applications of IoT at a high level, from a system-wide and end to end perspective, to identify where vulnerabilities may lie and inform future IoTSF work.

Page 24

Marking the IoT Supply Chain of Trust

➢ John Haine

https://iotsecurityfoundation.org/

Page 25

Complex products

Device Hardware

Sensor

Actuator

TPM

Comms module

Firmware

Encryption keys

Page 26

Complex supply chain

ODM – develops and makes device

Software developer

Software developers

Software developer

Chip vendor

Software developer

Comms module vendor

“Brand Owner” – markets and supports service

Users

Software

developer

IP vendor

Page 27

Trusted supply chain

ODM – develops and makes device

Software developer

Software developers

Software developer

Chip vendor

Software developer

Comms module vendor

“Brand Owner” – markets and supports service

Users

Software

developer

IP vendor

OTS RTOS

= IoTSF stamp of approval = not approved, requires separate audit

Page 28

IoTSF members…

➢ Follow the security guidelines for the relevant device class

➢ Complete WG1 questionnaire with all questions answered

➢ Assemble evidence of conformance - think “Technical Construction File”

➢ Are entitled to use the Foundation Trustmark for the product (possibly subject to audit)

Page 29

More information at


[email protected]

https://iotsecurityfoundation.org

Page 30

One last thing…


Page 31

Testing challenges – mass interoperability

▪ Many communication protocols:

• Mobile

• Wifi

• Bluetooth

• Zigbee

• Z-Wave

• 6LowPAN

• Thread

• NFC

▪ Simulate wide range of networking conditions:

• RF testing

• cell handovers

• low signal strength

• protocol analysis

• moving between 2G, 3G & LTE or wifi

▪ Test scenarios to consider:

• Moving between networks

• Losing power on upgrade

• Low bandwidth

• Simulate signal loss (going through a tunnel)

• Patching the device

Page 32

Communication protocols - scenarios

1. Device registers to network and data connection is successfully established.

2. Verify the data transferred from device to IoT platform.

3. IoT device can transfer/move between network connection types (if applicable).

4. Device Application “stores and forwards” data to minimise the number of network connections made by the device.

5. IoT Device Application uses dynamic polling intervals.

6. Check IoT Device Application behaviour in situations when network communication requests fail.

7. Check IoT Device Application reports power failure.

8. Check IoT Device Application’s use of “off-peak” communication.

9. Check behaviour of IoT Device Application when resetting the Communications Module after any communication failures or error conditions.

10. Upgrade testing – verify post upgrade the comms unit is functioning correctly.

11. Check the IoT Communications Module does not send unsolicited messages.

12. Check the IoT Communications Module sends only AAAA (IPv6) DNS queries.
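Scenarios 11 and 12 are checks a lab can run over a capture of the communications module's own traffic rather than over the device application. The script below is an added example, not a T&VS or IoTSF test asset: it assumes a hypothetical key=value capture export (the sample records are constructed for the example) and reports every outbound record that is a non-AAAA DNS query or a transmission the device application did not initiate, so a reviewer can see exactly which records fail which scenario.

```python
"""Conformance checks for two comms-module scenarios from the slide above:
11 - the module sends no unsolicited messages, and
12 - the module sends only AAAA (IPv6) DNS queries.
Added example. The record format is a hypothetical key=value capture export,
not a T&VS or IoTSF artefact; the sample records below are constructed."""
import re

# Constructed sample capture: one record per message seen on the uplink.
SAMPLE_CAPTURE = """\
2016-12-01T10:00:00Z dev=meter-01 dir=out proto=dns qtype=AAAA qname=api.example.test
2016-12-01T10:00:01Z dev=meter-01 dir=out proto=tcp dst=[2001:db8::10]:443 trigger=poll
2016-12-01T10:05:00Z dev=meter-01 dir=out proto=dns qtype=A qname=api.example.test
2016-12-01T10:07:13Z dev=meter-01 dir=out proto=udp dst=[2001:db8::99]:1234 trigger=none
2016-12-01T10:10:00Z dev=meter-01 dir=in proto=tcp src=[2001:db8::10]:443 trigger=server
this line is not a capture record
2016-12-01T10:15:00Z dev=meter-02 dir=out proto=dns qtype=ANY qname=ntp.example.test
"""

# timestamp followed by one or more key=value tokens
RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\S+=\S+\s*)+)$")

# Causes that count as "the application asked for this transmission".
ALLOWED_TRIGGERS = {"poll", "app", "retry", "reply"}


def parse_record(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def check_capture(text):
    """Walk the capture and return one finding per failing record.
    scenario 0 marks a record that could not be parsed at all."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            findings.append({"line": lineno, "scenario": 0, "dev": None,
                             "issue": "unparseable record"})
            continue
        if rec.get("dir") != "out":
            continue  # only the module's own transmissions are in scope
        if rec.get("proto") == "dns":
            # Scenario 12: anything other than an AAAA query is a failure.
            if rec.get("qtype") != "AAAA":
                findings.append({"line": lineno, "scenario": 12, "dev": rec.get("dev"),
                                 "issue": f"non-AAAA DNS query ({rec.get('qtype')}) "
                                          f"for {rec.get('qname')}"})
        elif rec.get("trigger") not in ALLOWED_TRIGGERS:
            # Scenario 11: a transmission with no application-side cause.
            findings.append({"line": lineno, "scenario": 11, "dev": rec.get("dev"),
                             "issue": f"unsolicited transmission to {rec.get('dst')}"})
    return findings


def passes(text, scenario):
    """True when no finding in the capture is attributed to that scenario."""
    return not any(f["scenario"] == scenario for f in check_capture(text))


if __name__ == "__main__":
    for finding in check_capture(SAMPLE_CAPTURE):
        print(finding)
    print("scenario 11 pass:", passes(SAMPLE_CAPTURE, 11))
    print("scenario 12 pass:", passes(SAMPLE_CAPTURE, 12))
```

Inbound records are skipped on purpose: both scenarios are about what the module sends, and counting server-initiated traffic would produce false failures. A record that does not parse is reported rather than ignored, because a capture with gaps cannot support a pass verdict.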

Page 33

Security testing – OWASP TOP 10

1. Insecure web interface

2. Insufficient authentication/authorization

3. Insecure network services

4. Lack of transport encryption

5. Privacy concerns

6. Insecure cloud interface

7. Insecure mobile interface

8. Insufficient security configurability

9. Insecure software/firmware

10. Poor physical security

Page 34

T&VS IoT Device Lab & Certification process

▪ Ensure IoT products conform against the latest industry standards, and QA & security testing best practices

▪ Rebuild consumer trust in IoT devices

▪ IoT certifications include:

• T&VS IoT Network Certification

• T&VS IoT Security Certification

Page 35

IoT Certification Model

Step 1 - Assessment; Step 2 - Level Assigned

Bronze Level

• deemed low risk

• selection of key tests executed

• no ongoing monitoring required

Silver Level

• deemed middle risk

• execute medium size test suite from selection of key standards

• manufacturer can patch/update product as long as correct procedures followed and tested

Gold Level

• deemed high risk

• full conformance against key standards and each update/patch to be verified by BSI

Network Connectivity – Certification

• Prerequisites: confirm which protocols are in or out of scope, eg Mobile (GSM/GPRS/EDGE (2G), UMTS/HSPA (3G), LTE (4G)), Wifi, Hypercat

• Assessment: for each identified protocol the specified test pack will then be executed depending on level selected.

End-2-End Security – Certification

• Prerequisites: risk assessment performed, eg: What assets (digital or physical) need to be protected? What groups of people (tangible or intangible) are potential threat actors? What is a threat to the organization?

• Assessment: following the risk assessment, the specified test pack will then be executed depending on level selected.

Page 36

Example Certification Cost model

▪ Certifications:

• Network

• Security

▪ Example protocol:

• Mobile (UMTS/HSPA (3G))

Page 37

T&VS IoT - Bronze Certification

Certification Level: Bronze Level (deemed low risk - selection of key tests executed. No ongoing monitoring required.)

IoT - Network Interfaces & Connectivity – Certification: selection of key smoke test scenarios against the specified protocol(s) (generic examples):

• IoT Device registers to network and data connection is successfully established.

• Verify the data transferred from device to IoT platform.

• IoT device can transfer/move between network connection types (if applicable).

IoT – End-2-End Security – Certification: OWASP top 10

Ongoing maintenance – Scheduled:

• Monthly newsletter (highlighting general IoT connectivity and security conformance issues relevant to the IoT device)

• A six monthly report on connectivity and security conformance issues specific to their device.

Ongoing maintenance – Optional:

• Request a specific (paid) report at any time - will be done asap but guaranteed within 4 weeks

• Optional six monthly re-test (extra cost at 80% of standard bronze certification price)

• Can request re-test at any point – will be done asap but guaranteed within 6 weeks (extra cost at price of standard bronze certification)

Pricing (example protocol: Mobile (UMTS/HSPA (3G))):

• T&VS offshore: Network £4,000; Security £4,000; Ongoing maintenance (1 year service) £5,000

• T&VS Bristol Lab: Network £6,500; Security £6,000

Page 38

T&VS IoT - Silver Certification

Certification Level: Silver Level (deemed middle risk – execute medium size test suite from selection of key standards. Manufacturer can patch/update product as long as correct procedures followed and tested.)

IoT - Network Interfaces & Connectivity – Certification: selection of key tests against the following standards:

• GSMA IoT connection efficiency guidelines

• onem2m connection standards

And specified protocols including (generic examples):

• All bronze level test scenarios

• Device registers to network and data connection is successfully established.

• Verify the data transferred from device to IoT platform.

• IoT device can transfer/move between network connection types (if applicable).

• Check IoT Device Application uses a secure data connection

• Upgrade testing

• Check the IoT Communications Module does not send unsolicited messages

IoT – End-2-End Security – Certification: selection of key/high priority tests against the following standards:

• GSMA IoT security standards

• Onem2m security standards

• OWASP Internet of Things Top 10

• Online Trust Alliance’s IoT Trust Framework

Including (examples):

• All bronze level test scenarios

• Authentication / authorisation, eg ensure that web interfaces disallow weak passwords

• Encryption model, eg ensure that web interfaces have the ability to use HTTPS

• Cloud interface, eg cloud-based web interface has an account lockout mechanism

• Software / firmware, eg ensure all devices operate with a minimal number of network ports active

• Physical security, eg Operating System cannot be accessed via unintended methods such as through an unnecessary USB port

Ongoing maintenance – Scheduled:

• Monthly newsletter (highlighting general IoT connectivity and security conformance issues relevant to the IoT device)

• A quarterly report on connectivity and security conformance issues specific to their device.

Ongoing maintenance – Optional:

• Request a specific (paid) report at any time - will be done asap but guaranteed within 2 weeks

• Optional quarterly re-test (extra cost at 80% of standard silver certification price)

• Can request re-test at any point – will be done asap but guaranteed within 4 weeks (extra cost at price of standard silver certification)

Pricing (example protocol: Mobile (UMTS/HSPA (3G))):

• T&VS offshore: Network £7,000; Security £7,000; Ongoing maintenance (1 year service) £10,000

• T&VS Bristol Lab: Network £11,500; Security £11,500

Page 39

T&VS IoT - Gold Certification

Certification Level: Gold Level (deemed high risk – full conformance against key standards and each update/patch to be verified)

IoT - Network Interfaces & Connectivity – Certification: full conformance test packs executed against the following standards:

• GSMA IoT connection efficiency guidelines

• onem2m connection standards

And specified protocols including (generic examples):

• All bronze & silver level test scenarios

• Device registers to network and data connection is successfully established.

• Verify the data transferred from device to IoT platform.

• IoT device can transfer/move between network connection types (if applicable).

• Device Application “stores and forwards” data to minimise the number of network connections made by the device.

• IoT Device Application uses dynamic polling intervals.

• IoT Device Application adapts to changes in network communication latency and data speed.

• Check IoT Device Application behaviour in situations when network communication requests fail: 6 different.

• Check IoT Device Application reports power failure

• Check IoT Device Application’s use of “off-peak” communication

• Check behaviour of IoT Device Application when resetting the Communications Module after any communication failures or error conditions.

• Check IoT Device Application uses a secure data connection

• Upgrade testing

• Check the IoT Communications Module does not send unsolicited messages

• Check the IoT Communications Module sends only AAAA (IPv6) DNS queries

IoT – End-2-End Security – Certification: full conformance test packs executed against the following standards:

• GSMA IoT security standards

• Onem2m security standards

• OWASP Internet of Things Top 10

• Online Trust Alliance’s IoT Trust Framework

Including (examples):

• All bronze & silver level test scenarios

• Authentication / authorisation, eg ensure that web interfaces disallow weak passwords

• Encryption model, eg ensure that web interfaces have the ability to use HTTPS

• Cloud interface, eg cloud-based web interface has an account lockout mechanism

• Software / firmware, eg ensure all devices operate with a minimal number of network ports active

• Physical security, eg Operating System cannot be accessed via unintended methods such as through an unnecessary USB port

Ongoing maintenance – Scheduled:

• Monthly newsletter (highlighting general IoT connectivity and security conformance issues relevant to the IoT device)

• A monthly report on connectivity and security conformance issues specific to their device.

Ongoing maintenance – Optional:

• Request a specific (paid) report at any time - will be done asap but guaranteed within 1 week

• Optional monthly re-test (extra cost at 80% of standard gold certification price)

• Can request re-test at any point – will be done asap but guaranteed within 2 weeks (extra cost at price of standard gold certification)

Pricing (example protocol: Mobile (UMTS/HSPA (3G))):

• T&VS offshore: Network £14,000; Security £14,000; Ongoing maintenance (1 year service) £18,000

• T&VS Bristol Lab: Network £21,500; Security £21,500

Page 40

Assumptions

▪ Example prices given for mobile network protocol connectivity

▪ All figures are indicative

▪ Network certification price is per connectivity protocol (there may be multiple per device)

▪ Costs may vary based on:

• connection protocols covered

• scenario complexity

• configurations required

▪ Ongoing maintenance is for a 1 year service model

• scheduled and optional retests are at extra cost

Page 41

T&VS IoT Device Lab facility

▪ Global strategic partnership

▪ Communication protocols:

• Mobile

• Wifi

• Bluetooth

• Zigbee

• Z-Wave

• 6LowPAN

• Thread

• NFC

▪ Simulate wide range of networking conditions:

• RF testing

• cell handovers

• low signal strength

• protocol analysis

• moving between 2G, 3G & LTE or wifi.

Page 42

IoT Network connectivity – certification (1)

Purpose: ensure IoT solutions are verified against a wide range of networking connection and connectivity protocols

Standards / Guidelines, for example:

• GSMA IoT connection efficiency guidelines

• onem2m connection standards

Example scenarios:

1. IoT Device Application should minimize the number of network connections between the IoT Device and the network.

2. IoT Device Application should be designed to cope with variances in mobile network data speed and latency, considering the variety in performance of communications technologies such as 3G, WIFI, LTE.

3. The IoT Device Application should always be prepared to handle situations when communication requests fail.

4. Communication retry mechanisms implemented and verified.

Page 43

IoT End 2 end security – certification (2)

Purpose: ensure IoT solutions are verified against a wide range of security conditions and scenarios

Standards / Guidelines, for example:

• GSMA IoT security standards

• Onem2m security standards

• OWASP Internet of Things Top 10

• Online Trust Alliance’s IoT Trust Framework

Example scenarios:

1. Authentication / authorisation, eg ensure that web interfaces disallow weak passwords.

2. Encryption model, eg ensure that web interfaces have the ability to use HTTPS.

3. Cloud interface, eg cloud-based web interface has an account lockout mechanism.

4. Software / firmware, eg ensure all devices operate with a minimal number of network ports active.

5. Physical security, eg Operating System cannot be accessed via unintended methods such as through an unnecessary USB port.
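Scenarios 1, 3 and 4 above (and the matching silver and gold test-pack items) each name a behaviour the device's web interface or firmware should exhibit. The Python below is an added example of those behaviours, not T&VS or IoTSF code: the 12-character minimum, the deny-list, the 5-failure lockout with a 15-minute cooldown and the approved listener set are assumed values chosen for the example, and the login path is written so that an unknown user and a wrong password produce the same answer.

```python
"""Reference behaviour for three end-to-end security scenarios on the slide:
(1) a web interface that rejects weak passwords, (3) an account-lockout
mechanism, and (4) a check that only approved network ports are listening.
Added example; thresholds, deny-list and the approved port set are
assumptions, not the certification's actual test values."""
import hashlib
import hmac
import os
import time

# Constructed deny-list of default / commonly chosen passwords.
WEAK_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein", "12345678"}


def password_is_acceptable(username, password):
    """Reject short, dictionary, username-derived or single-class passwords."""
    pw = password.strip()
    if len(pw) < 12:
        return False
    if pw.lower() in WEAK_PASSWORDS or username.lower() in pw.lower():
        return False
    classes = sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit))
    has_symbol = any(not c.isalnum() for c in pw)
    return classes + has_symbol >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a device must never store the clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class LoginService:
    """Web-interface authentication with a per-account lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> consecutive failed attempts
        self.locked_until = {}   # username -> unix time the lock expires
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock       # injectable so tests need not sleep

    def register(self, username, password):
        if not password_is_acceptable(username, password):
            raise ValueError("password does not meet policy")
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'locked' or 'denied'. Unknown users go through the
        same failure counting as wrong passwords, so names are not enumerable."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        stored = self.users.get(username)
        if stored is not None:
            salt, digest = stored
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                self.failures.pop(username, None)
                return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return "locked"
        return "denied"


# Assumed approved listeners for this example device: HTTPS and CoAP.
ALLOWED_LISTENERS = {("tcp", 443), ("udp", 5683)}


def unexpected_listeners(listeners):
    """Given (proto, port) pairs found listening on the device, return the
    ones outside the approved set, i.e. the surface scenario 4 wants closed."""
    return sorted(set(listeners) - ALLOWED_LISTENERS)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "Correct-Horse-Battery-9")
    print(svc.login("alice", "wrong"), svc.login("alice", "Correct-Horse-Battery-9"))
    print(unexpected_listeners([("tcp", 443), ("tcp", 23), ("udp", 5683)]))
```

The lockout is keyed on the account, not the client address, because a device behind a NAT or a cloud front end sees one address for many clients; the cooldown is time-based so a locked account recovers without administrator action, which is the usual trade-off between scenario 3 and keeping the owner of a consumer device from being locked out permanently.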

Page 44

IoT Kitemark Model

IoT Network connectivity – (1)

• Purpose: ensure IoT solutions are verified against a wide range of networking connection / connectivity protocols

• Standards: GSMA IoT connection efficiency guidelines; onem2m connection standards

• Example scenarios: 1. minimize the number of network connections; 2. cope with variances in network data speed and latency; 3. handle failed communication requests; 4. communication retry mechanisms implemented and verified.

IoT End 2 end security – (2)

• Purpose: ensure IoT solutions are verified against a wide range of security conditions and scenarios

• Standards: GSMA IoT security standards; Onem2m security standards; OWASP Internet of Things Top 10; Online Trust Alliance’s IoT Trust Framework

• Example scenarios: 1. Authentication / authorisation, eg interfaces disallow weak passwords; 2. Encryption model, eg HTTPS; 3. Cloud interface has account lockout; 4. Software / firmware, eg ensure all devices operate with a minimal number of network ports active.

Page 45

Summary

▪ Increased regulation

▪ Focus on QA & security

▪ IoT ongoing maintenance

▪ IoT Kitemark model

▪ Rebuild consumer trust

Unless these issues are addressed the only winners in the IoT wild west will be the hackers.

Page 46

December, 2016

Test and Verification Solutions

THANK YOU