These are the slides from Misha Seltzer's talk at Product of Things Conference in Tel Aviv on July 2018:
Who this talk is for: this talk is for product managers that want to avoid common design flaws that lead to easily hackable IoT devices.
After this workshop you will be able to:
Spot and eliminate security design flaws early
Know where you, as a PM, can get involved to improve your product's security
Learn from mistakes done by others, and not repeat them
What is covered:
RTOS as well as Linux-based IoT protection
Rules of thumb for basic IoT security
Unexpected areas from which security flaws might creep into your products.
In the land of IoT, with so many different companies/manufacturers competing for the same space, it's essential to have a good reputation. One embarrassingly hackable product can not only hurt sales but kill the company altogether.
In this talk, we'll go over a couple of cases of embarrassing IoT security flaws, learn how/where those mistakes were made, and what can you, as PMs, do not to repeat those mistakes.
4. 20+ Billion
Connected devices in enterprises
Biggest growth in devices businesses have seen.
Bigger than PC and mobile combined.
5. Armis is an industry leading company that
protects enterprises and enables them to
safely use IoT devices.
Armis’ mission:
Eliminate the IoT security blind spot, letting
enterprises discover and protect every
asset, and to use IoT and unmanaged
devices safely and securely.
What is ?
5
6. How can we protect a device we’ve never seen?
We’re looking at parameters like:
▰ What kind of data is transmitted?
▰ How much data is transmitted?
▰ Is the transmission encrypted?
▰ What protocols are used?
▰ [...]
7. How can we protect a device we’ve never seen?
We’re looking at parameters like:
▰ What kind of data is transmitted?
▰ How much data is transmitted?
▰ Is the transmission encrypted?
▰ What protocols are used?
▰ [...]
▰ Manufacturer reputation
8. 60% of Companies Fail in 6 Months Because
of This (It's Not What You Think)
https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated
-heres-how-you-can-survive-i.html
Cisco: Most IoT projects are failing due to
lack of experience and security
https://www.zdnet.com/article/cisco-most-iot-projects-are-failing-due-to-lack-of-experience-and-
security/
Some stats to prove my point
8
11. “Hacked Smart Pens Can Lead to Data Breaches”
[...] was able to access
the backend servers
used by the healthcare
organization and view
sensitive information on
patients of several
doctors who used the
smart pens.
11
https://www.hipaajournal.com/exploitable-iv-infusion-pump-digital-smart-pen-vulnerabilities/
“
12. So - what to encrypt?
It’s important to encrypt
absolutely everything.
Both in rest and in
transit.
Use standard ciphers
and protocols. Do not
reinvent the wheel.
12
13. Data from IoT devices is usually easier to
steal, due to
▰ Increased connectivity
▰ The nature of its placement
▰ Many instances - easy to physically steal
▰ Hack one - hack all
Why is it different from other software/hardware?
13
14. PM Perspective
14
Compromising battery life or price of device for
encryption might seem excessive at this point,
but catching up later will be way more difficult.
▰ Do not delay work on data encryption
▰ Make sure sufficient separation is in place:
Do not let one compromised device get to
data of another device
15. Ensure your supply chain
It’s your responsibility to verify the your
manufacturers
15
2
16. “Police body cams found pre-installed with
notorious Conficker worm”
[...] multiple police cams
manufactured by Martel
Electronics came
pre-installed with
Win32/Conficker.B!inf.
16
https://arstechnica.com/information-technology/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/
“
17. The responsibility is yours alone
The chinese factory may lose one client,
but you will lose all of yours.
▰ Make sure your supply chain has
security certifications (ISO, SOC, …)
▰ Routinely check product & production
▰ Recommend to your suppliers :)
17
18. PM Perspective
18
In many cases it’s up to the PM to choose the
manufacturer, and it’s up to the PM to oversee
production and quality.
▰ Don’t just choose the cheapest option
▰ Create a QA pipeline that is aware of security
▰ Make sure to routinely check on suppliers,
and insist on third-party security screenings
20. Use the newest OS, Libraries, Tools. Always.
How long does it take to
acquire malware after
installing Windows XP?
In 2008, according to
SANS Institute, it was 4
minutes (!!)
https://isc.sans.edu/diary/Survival+Time+on+the+Internet/4721
21. Who would do such a thing?
Philips 3.0T Ingenia
State of the art MRI
machine
Price: >$400,000
OS: Windows XP (!?)
22. Even the giants sin
Amazon echo uses
kernel v2.6.37
The EOL for this kernel
was March 2011 (!!)
23. How to use only the newest?
Even if you’ll only use the newest, it’ll
already be obsolete by the time to market
▰ Plan for updateability from day one
▰ Have routine sprints for updates
▰ IoT device should update automagically
23
24. PM Perspective
24
Creating a system for future updates might not
seem like the most pressing task at first, but it
becomes increasingly tougher as time goes on.
▰ Setting up time, and implementing well
early will save much valuable time later on
▰ IoT security is a hot topic right now, and
having the most up-to-date product can be
a good PR strategy
26. Secure your devices
The examples above are just a some anecdotes,
don’t let your company become another one.
Remember: Trust is hard to find, and easy to lose.
26