addressing the threats of iot
play

Addressing the threats of IoT Hans de Jong Technology Lead for - PowerPoint PPT Presentation

Feb 22, 2023 •150 likes •354 views

Addressing the threats of IoT Hans de Jong Technology Lead for Security Innovation & Fellow Head of NXP Product Security Incident Response Team (NXP PSIRT) NXP Semiconductors, Eindhoven # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza

  1. Addressing the threats of IoT Hans de Jong Technology Lead for Security Innovation & Fellow Head of NXP Product Security Incident Response Team (NXP PSIRT) NXP Semiconductors, Eindhoven # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  2. IoT, the upside • Can make life easier and better • Large market opportunity # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  3. IoT, the downside • It will only fly if security and privacy are well taken care of. – Otherwise people will not trust it and not buy it • If security and privacy are not taken care of, IoT can derail society. # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  4. How to get attacked? Logical attacks Physical attacks = rem ote attacks? = local attacks? Make use of Make use of physical software errors in vulnerabilities in the IoT the IoT device device # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  5. How to get attacked? Logical attacks Physical attacks = rem ote attacks? = local attacks? No! Make use of Make use of physical software errors in vulnerabilities in the IoT the IoT device device # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  6. What attacks to protect against? # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  7. What attacks to protect against? Aim to protect against Make a trade-off any local logical attack between investment in if an attacker can have the attack and value to local access. Same reason. be gained / damage (Only needed if attacks can do done (at any point more harm than to the attacker during the lifetime) alone) Aim to protect against any remote attack (logical & physical). Reason: they can be scripted and executed by laymen. # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  8. What to protect • Always protect integrity/ authenticity. • Protect confidentiality when needed (often the case). • Protect availability when needed. • Protect privacy when applicable. • Consider to protect against physical attacks – at least attacks that may give attacker full control over the device. – Boot protection – Lifecycle protection (avoid getting back to debug mode) – Protection of keys – Protection of usage of the keys (access control) # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  9. Three Principles for IoT Security • Protect the device as good as possible / necessary – See previous slides • * Assume it will be compromised during the lifetime.  Make sure there is a way to recover the device. – Without a truck-roll whenever possible. • * Limit the attractiveness of hacking the device, e.g. – Use diversified keys (different keys per device and per purpose): breaking one device does not break the system. – Limit the bandwidth for DNS requests * The last two require a secure anchor in the device. # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  10. Some other principles • Take care of privacy when applicable (look at GDPR!). • Strive to use isolation whenever possible. – Run keys, crypto and essential functions on a different core. • Make sure to be able to remotely update the device. – Plan for enough capabilities (e.g. memory, crypto, processing) during the foreseen lifetime. • As buyer: make sure that a security update service is provided and the support lifetime is stated in the contract. • End of security updates = end of life of the IoT device. • Know the security of what you buy. # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  11. How to know the security of Security certification – WHY? w hat you buy? Product A Product B Product A Product B # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  12. How about IoT? • Is security certification a solution for IoT? • For smartcards (passports, drivers licenses, identity cards, banking cards), there is Common Criteria certification – Security lab evaluates the product for weeks and gives points for any attack found (e.g. for time, knowledge and equipment needed). – Attack with the lowest amount of points determines the security of the product. – When above a threshold, a Certification Body will issue a certificate. • How about IoT devices? – With fast product life cycles. – With many security updates during its life time. # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  13. What does Common Criteria as a standard say? • Certification Body does not necessarily have to be a governmental entity Private Cert Body Public Cert Body What CC allows CC for smartcards • Cert Body does not need to check everything the lab has done in great detail Cert Body Lab Lab Cert Body CC for smartcards What CC allows # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  14. What does Common Criteria as Standard Say? • CC evaluator work units are guidance and not mandatory CC for smartcards What CC allows • No requirements how evidence is provided Interviews / Workshops Very formal documentation CC for smartcards What CC allows # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  15. What does Common Criteria as Standard Say? • No requirements on which development methodology to use Waterfall Approach Agile Approach CC for smartcards What CC allows # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  16. Lean security certification for IoT • CC Certification as applied for smartcards works for smartcards, but will not work for IoT. Expensive, static certification that cannot deal well with product updates. • A lean scheme for IoT can address the above mentioned issues as a Common Criteria based scheme by – Set up of a commercial Certification Body • Run by industry experts with a business understanding when operating – For IoT, keep the product assessment by an independent lab, but let the paradigm of a static “one time assessment only” shift towards assurance via continuous oversight • With a certain degree of freedom for updates • Enabling vendors to perform security updates immediately within approved boundaries • Requiring the vendors to continuously monitor their products and track vulnerabilities • Requiring the evaluator to audit vendor security monitoring processes in certain time frames • Requiring the evaluator to assess updates that are outside of approved boundaries – Reduction of evaluation formalisms and tedious documentation • Reducing efforts at vendors • Reducing efforts at evaluation laboratories on formal aspects # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  17. Should firmware be encrypted? • Local physical attacks are not scalable, but .. – When code can be taken from one device, it can sooner lead to finding remotely exploitable vulnerabilities. – Also consider brand damage and IP theft. • Hence firmware encryption may be good to consider. – Note that the key has to be on the device – So it is obfuscation – Makes attacks more difficult # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  18. Is this promoting security by obscurity? • We subscribe to Kerchhoff’s principle, … • … but Kerchhoff did not consider millions of devices with fixed ROM code in the field which are not updatable. – There always has to be some code in ROM So, where are we exactly? # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  19. Conclusions / Recommendations • Security is essential for making IoT successful while protecting society • Consider remote / local and logical / physical attacks – Some always, some depending on value to protect – Scope: the entire life time of the device • Make sure the device can be updated during its lifetime • Stop using devices when no longer maintained • Let governments and businesses for IoT devices that they buy demand – An update service for security patches – A minimum period that devices will be maintained – Certified devices • A CC certification infrastructure is needed that is appropriate for IoT # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

  20. QUESTIONS? # dSymp dcypher Symposium 2017 | Oct 4th Media Plaza Utrecht | connects cybersecurity knowledge

Recommend

Addressing Threats from Addressing Threats from Abandoned Mines in California Abandoned Mines in

Addressing Threats from Addressing Threats from Abandoned Mines in California Abandoned Mines in

Addressing Threats from Addressing Threats from Abandoned Mines in California Abandoned Mines in California Communities Communities Jackson, Amador County Randy Adams, C.E.G. Randy Adams, C.E.G. California Environmental Protection Agency

401 views • 24 slides
Addressing Zika and Other Public Health Threats (Name) (N me) (Tit (T itle le) Carolyn

Addressing Zika and Other Public Health Threats (Name) (N me) (Tit (T itle le) Carolyn

Cross-Jurisdictional Considerations for Addressing Zika and Other Public Health Threats (Name) (N me) (Tit (T itle le) Carolyn Angus-Hornbuckle Nati tional nal India ian n Health lth Board rd National Indian health Board (E (Eve

391 views • 19 slides
Addressing emerging health threats and availability/ therapeutic challenges EMAs core

Addressing emerging health threats and availability/ therapeutic challenges EMAs core

Addressing emerging health threats and availability/ therapeutic challenges EMAs core recommendations Veterinary Stakeholders Workshop Presented by Helen Jukes on 6 December 2018 Vice Chair of CVMP An agency of the European Union Core

425 views • 9 slides
Small Island Innovations and New Technologies for Addressing Threats from Coastal Erosion and Sea

Small Island Innovations and New Technologies for Addressing Threats from Coastal Erosion and Sea

Small Island Innovations and New Technologies for Addressing Threats from Coastal Erosion and Sea Level Rise Dr. Adam Fenech, University of Prince Edward Island Building Small Island Resilience to Climate Change Symposium 22 September 2016

243 views • 21 slides
Addressing Threats and Vulnerabilities in Critical Interconnected Systems Jon Kleinberg Cornell

Addressing Threats and Vulnerabilities in Critical Interconnected Systems Jon Kleinberg Cornell

Addressing Threats and Vulnerabilities in Critical Interconnected Systems Jon Kleinberg Cornell University Washington DC Metro Map wmata.com Power Grid Florida Power Grid (Dale et al, Xu et al) Boston, Google Maps Social Network Facebook

620 views • 30 slides
The New IG Playbook for Addressing Digital Age Threats Agenda Increasing Risk of Cybera=acks 1

The New IG Playbook for Addressing Digital Age Threats Agenda Increasing Risk of Cybera=acks 1

The New IG Playbook for Addressing Digital Age Threats Agenda Increasing Risk of Cybera=acks 1 Guidelines from the New IG Playbook 2 Resources 3 Q & A 4 HypotheDcal Omega Inc. is a manufacturer that recently developed a unique

615 views • 23 slides
Addressing multiple threats of environmental crimes in East Asia and the Pacific Technical

Addressing multiple threats of environmental crimes in East Asia and the Pacific Technical

Addressing multiple threats of environmental crimes in East Asia and the Pacific Technical assistance strategy 2009 2012 Regional Centre for East Asia and the Pacific (RCEAP) Structure of presentation 1. Mandate 2. Challenges 3. Intervention

524 views • 29 slides
Addressing multiple threats of environmental crimes in East Asia and the Pacific Technical

Addressing multiple threats of environmental crimes in East Asia and the Pacific Technical

Addressing multiple threats of environmental crimes in East Asia and the Pacific Technical assistance strategy 2009 2012 Regional Centre for East Asia and the Pacific (RCEAP) Structure of presentation 1. Mandate 2. Challenges 3.

378 views • 24 slides
Lake Tanganyikas Fisheries and Fish Diversity: Addressing Threats from Village to Basin-Scale

Lake Tanganyikas Fisheries and Fish Diversity: Addressing Threats from Village to Basin-Scale

August 2018 Lake Tanganyikas Fisheries and Fish Diversity: Addressing Threats from Village to Basin-Scale Colin Apse Africa Freshwater Conservation Director The Nature Conservancy capse@tnc.org AFRICA | Lake Tanganyika 17% of

1.14k views • 17 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
Convention on the Convention on the Conservation of Conservation of Migratory Species of

Convention on the Convention on the Conservation of Conservation of Migratory Species of

Convention on the Convention on the Conservation of Conservation of Migratory Species of Migratory Species of Wild Animals Wild Animals Addressing Threats to Marine Addressing Threats to Marine Biodiversity Biodiversity Bert Lenten

251 views • 24 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give them a hand. Mark : Good afternoon, Simon and I have the absolute pleasure to be presenting on behalf of Team Looming Threats. So, one of the, I guess

377 views • 3 slides
the Cornwallis Group Tony Hopkin Managing Chair the Cornwallis Group History A small

the Cornwallis Group Tony Hopkin Managing Chair the Cornwallis Group History A small

An Introduction to the Cornwallis Group Tony Hopkin Managing Chair the Cornwallis Group History A small concerned gathering of analysts at ISMOR New threats to world peace OA addressing current or old threats Inadequate

417 views • 9 slides
CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
Addressing Modes Chapter 11 S. Dandamudi Outline Addressing modes Examples Simple

Addressing Modes Chapter 11 S. Dandamudi Outline Addressing modes Examples Simple

Addressing Modes Chapter 11 S. Dandamudi Outline Addressing modes Examples Simple addressing modes Sorting (insertion sort) Register addressing mode Binary search Immediate addressing mode Arrays Memory

505 views • 33 slides
Addressing Modes Chapter 11 S. Dandamudi Outline Addressing modes Examples Simple

Addressing Modes Chapter 11 S. Dandamudi Outline Addressing modes Examples Simple

Addressing Modes Chapter 11 S. Dandamudi Outline Addressing modes Examples Simple addressing modes Sorting (insertion sort) Register addressing mode Binary search Immediate addressing mode Arrays Memory

561 views • 17 slides
Addressing mode in MIPS Different formats of addressing registers or memory locations are called

Addressing mode in MIPS Different formats of addressing registers or memory locations are called

Addressing mode in MIPS Different formats of addressing registers or memory locations are called addressing modes . Immediate addressing. where operand is a constant in the instruction. e.g. addi, lui, slti, andi, ori, sll, srl Register

430 views • 4 slides
Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order): Iljitsch van Beijnum, Steve Bellovin, Brian Carpenter, Mike O'Dell, Sean Doran, Dave Katz, Tony Li, Erik Nordmark, and Pekka Savola Why? Allowing

612 views • 11 slides
Outline IP design goals 15-441/641: Computer Networks Traditional IP addressing IP

Outline IP design goals 15-441/641: Computer Networks Traditional IP addressing IP

9/3/2019 Outline IP design goals 15-441/641: Computer Networks Traditional IP addressing IP Addressing Addressing approaches Class-based addressing Fall 2019 Profs Peter Steenkiste & Justine Sherry Subnetting CIDR

582 views • 10 slides
Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
ICA ICA ICA Self-Defending Networks Digital antibodies neutralize threats

ICA ICA ICA Self-Defending Networks Digital antibodies neutralize threats

ICA ICA ICA Self-Defending Networks Digital antibodies neutralize threats Automatically responds to threats faster than any security team can Takes measured, targeted actions Does not disrupt day-to-day business or

169 views • 5 slides
ARM Assembler Addressing Modes Addressing Modes p. 1/14 op1 : Data Addressing Mode

ARM Assembler Addressing Modes Addressing Modes p. 1/14 op1 : Data Addressing Mode

Systems Architecture ARM Assembler Addressing Modes Addressing Modes p. 1/14 op1 : Data Addressing Mode Used when processing data Moving data from one register to another: D ESTINATION S OURCE D ESTINATION must be a

444 views • 17 slides
The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana Wagemann Director of Sales, Darktrace Evolving Threats in a New Business Landscape Outsourced IT, SaaS, cloud, virtual, supply chain, IoT Not just data

412 views • 15 slides

More recommend