A Survey of Structural Insecurities in IoT Jeff Katz Senior Practice Lead IT / Engineering Telefónica Germany NEXT GmbH


Page 1: Survey of structural insecurities in IoT

A Survey of Structural Insecurities in IoT

Jeff Katz

Senior Practice Lead IT / Engineering

Telefónica Germany NEXT GmbH

Page 2

» The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it's shipped… We simply have to fix this. «

– Bruce Schneier, Wired, 2014

Page 3

What’s IoT?


• Industrial

• Agricultural

• Smart City

• Consumer (Smart Home, etc.)

Page 4

The Consumer IoT Market

– There are forecast to be 28 billion connected devices worldwide by 2021

– Almost 16 billion of them will be IoT devices

– IoT devices will overtake mobile phones as the largest category of connected devices in 2018

– This will be driven by the spread of smart meters and connected cars, as well as by consumer devices

– The number of IoT devices in Western Europe is projected to quadruple between 2015 and 2021

Page 5

How an idea becomes an IoT solution

– Let's pretend: we are "Melkin", a multinational consumer device company, and we want to make a connected baby monitor

– Two-way audio streaming, there's an app, etc.

Let's explore who is involved to bring this product to shelves

Any resemblance to any real companies or products is strictly coincidental and not intended. This is not the story of a real product.

Page 6

The Service

– We’re going to start with the App, and what we want the user experience to be

– External design agency engaged

– Click-dummy (clickable mock-up) delivered

– External app agency engaged

– iOS, Android, etc. delivered under budget and time pressure

– Often developed before the hardware is even done


Page 7

The ODM

– Factory in Guangzhou, China

– Manufactures Baby Monitors for many multinational companies

– Take existing model that matches our requirements

– Develop new plastics for it

– Firmware based on reference design from Chipset Manufacturer

– Completely white-label

(This is a real company and this is really how this works)


Page 8

The Chipset Manufacturer

– Wants to sell chips

– Provides bare-minimum reference designs that show how to get something working

– Not responsible for end product, at all.


Page 9

The Branded Device

– Purchased at retail from Big Box Store

– Provides the data and interface to provide the service

– What the customer installs in their home, next to their baby

– Connects to home Wi-Fi

– Firmware developed by agency, based on reference from the ODM

– Melkin is responsible for warranty, sales, support, etc.

Page 10

The Platform

– Needs to connect the service to the device

– Should have minimal impact on the final cost of the device

– Contracted out to a third party, either build or buy: Melkin doesn't want to deal with it. Best case, fully outsourced and managed. Worst case: managed by Melkin

– Provides examples (firmware, app) of how to communicate with it

– Will work as long as they are paid for it

Page 11

Overview

– App design: Outsourced

– App implementation: Outsourced

– Hardware Design: Outsourced

– Firmware: Outsourced, based on Outsourced example from Outsourced Chipset example

– Platform: Outsourced

– Seller: Retail Store

– Connectivity: Home Wi-Fi (ISP), Home Router

– Final Product Responsibility: Melkin

Page 12

What to do / Where to address?

– Let's fix the perverse incentives: companies require security but actively choose against suppliers who price it into their offers.

– GDPR is a huge help: significant fines for bad behaviour land on the company with final responsibility for the product

– Need to spread responsibility to all involved parties

– Proliferation of bad examples: let's build security in from the very beginning, at the chipset manufacturers, in the reference designs, etc.

– Education and guides on what to look for in products

– Financial incentives, positive or negative

– More openness: open source, open spec, open APIs. Breaking the dependency chain needed to release a product.

Page 13

Thank you. Let’s talk!

Jeff Katz

Senior Practice Lead IT / Engineering

Telefónica Germany NEXT GmbH

[email protected] • @kraln

https://developers.geeny.io

join the Geeny developer community!