SlideShare a Scribd company logo

Security challenges for IoT

WSO2, profile picture
WSO2

The document discusses security challenges for internet of things (IoT) devices. It outlines three rules for IoT security: don't be dumb, think about what's different from traditional internet security, and be smart. What's different about IoT includes the long lifespan of devices which makes updates difficult, limited capabilities of small devices, and highly personal user data. The document recommends not relying on security through obscurity and considering cryptography options that can work on small devices like ECC. It also discusses secure protocols and identity management through federated identity as an option for authentication and authorization with IoT devices.

Technology
1 of 47
Downloaded 270 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Your Thing is pwnd Security Challenges for the Internet of Things   Paul  Fremantle   CTO  and  Co-­‐Founder,  WSO2   @pzfreo  #wso2  #wso2con  
Firstly,  does  it  even  maAer?    
Security challenges for IoT
“Google Hacking”
Security challenges for IoT
My  three  rules  for  IoT  security   •  1.  Don’t  be  dumb   •  2.  Think  about  what’s  different   •  3.  Do  be  smart  
My  three  rules  for  IoT  security   •  1.  Don’t  be  dumb   –  The  basics  of  Internet  security  haven’t  gone  away   •  2.  Think  about  what’s  different   –  What  are  the  unique  challenges  of  your  device?   •  3.  Do  be  smart   –  Use  the  best  pracQce  from  the  Internet  
Security challenges for IoT
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
Security challenges for IoT
http://freo.me/1pbUmofhttp://freo.me/1pbUmof
So  what  is  different  about  IoT?   •  The  fact  there  is  a  device   –  Yes  –  its  hardware!     –  Ease  of  use  is  almost  always  at  odds  with  security   •  The  longevity  of  the  device   –  Updates  are  harder  (or  impossible)   •  The  size  of  the  device   –  CapabiliQes  are  limited  –  especially  around  crypto   •  The  data   –  OXen  highly  personal   •  The  mindset   –  Appliance  manufacturers  don’t  always  think  like  security  experts   –  Embedded  systems  are  oXen  developed  by  grabbing  exisQng  chips,  designs,  etc  
Physical  Hacks   A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
Security challenges for IoT
Or  try  this  at  home?   hAp://freo.me/1g15BiG    
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
Hardware  recommendaQons   •  Don’t  rely  on  obscurity    
Hardware  recommendaQons   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity    
Hardware  RecommendaQon  #2     •  Unlocking  a  single  device  should  risk  only  that   device’s  data  
The  Network  
hAp://ubertooth.sourceforge.net/  hAps://www.usenix.org/conference/woot13/ workshop-­‐program/presentaQon/ryan  
Crypto  on  small  devices   •  PracQcal  ConsideraQons  and  ImplementaQon  Experiences  in   Securing  Smart  Object  Networks   –  hAp://tools.ied.org/html/draX-­‐aks-­‐crypto-­‐sensors-­‐02  
ROM  requirements  
ECC  is  possible     (and  about  fast  enough)  
Crypto   Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
Won’t  ARM  just  solve  this  problem?  
Cost  maAers   8 bits $5 retail $1 or less to embed 32 bits $25 retail $?? to embed
Another  opQon?  
SIMON  and  SPECK   https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
Datagram  Transport  Layer   Security  (DTLS)   •  UDP  based  equivalent  to  TLS   •  hAps://tools.ied.org/html/rfc4347  
Key  distribuQon  
Passwords   •  Passwords  suck  for  humans   •  They  suck  even  more  for  devices    
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Why  Federated  IdenQty  for  Things?   •  Enable  a  meaningful  consent  mechanism  for  sharing  of  device  data   •  Giving  a  device  a  token  to  use  on  API  calls  beAer  than  giving  it  a   password   –  Revokable   –  Granular   •  May  be  relevant  for  both   –  Device  to  cloud   –  Cloud  to  app   •  “IdenQty  is  the  new  perimeter”  
MQTT  
MQTT  and  OAuth2    
    An     Open  Source     IdenQty   and     EnQtlement   Management     Server       Apache  Licensed   LDAP,  JDBC,  AcQve  Directory,  SCIM,  SPML   SAML2,  OpenID  Connect,  WS-­‐Trust,  Kerberos   OAuth  1.0/2.0,  XACML  2.0,  XACML  3.0   XDAS,  Web  Console,  SOAP  Admin   MulQ-­‐tenant,  Clusterable,  HA,  24x7  support   39   What  is  WSO2  IdenQty  Server?  
Other  WSO2  technology  to  help  you   •  WSO2  BAM  –  monitoring   •  WSO2  CEP  –  realQme  fraud  detecQon   •  WSO2  API  Manager  –  securing  API  endpoints    
Real  Qme  event  processing  
Are you setting up for the next privacy or security breach?
Security challenges for IoT
Exemplars   •  Shields   •  Libraries   •  Server  Frameworks   •  Standards  and  Profiles  
Summary   •  1.  Don’t  be  dumb   •  2.  Think  about  the  differences   •  3.  Be  smart     •  4.  Create  and  publish  exemplars  
WSO2 Reference Architecture for the Internet of Things http://freo.me/iot-ra
Thank  You  

More Related Content

PPT
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)
 
PDF
Security challenges in IoT
Vishnupriya T H
 
PPTX
Iot Security
MAITREYA MISRA
 
PDF
5G Security Briefing
3G4G
 
PDF
Will Internet of Things (IoT) be secure enough?
Ravindra Dastikop
 
PDF
IOT Security
Sylvain Martinez
 
PPTX
IoT security
YashKesharwani2
 
PPTX
IoT Security
Peter Waher
 
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)
 
Security challenges in IoT
Vishnupriya T H
 
Iot Security
MAITREYA MISRA
 
5G Security Briefing
3G4G
 
Will Internet of Things (IoT) be secure enough?
Ravindra Dastikop
 
IOT Security
Sylvain Martinez
 
IoT security
YashKesharwani2
 
IoT Security
Peter Waher
 

What's hot (20)

PPTX
Iot
Vishwas N
 
PDF
IoT Security
Narudom Roongsiriwong, CISSP
 
PPTX
Iot(security)
Shreya Pohekar
 
PDF
Internet of Things (IoT) - We Are at the Tip of An Iceberg
Dr. Mazlan Abbas
 
PPT
Iot
RaheemUnnisa1
 
PDF
Basics of Cyber Security
Nikunj Thakkar
 
PPTX
Iot Security, Internet of Things
Bryan Len
 
PDF
Cybersecurity Skills in Industry 4.0
Eryk Budi Pratama
 
PPTX
Introduction to IoT Security
CAS
 
PPTX
Zero Trust Network Access
Er. Ajay Sirsat
 
PDF
Responsible AI & Cybersecurity: A tale of two technology risks
Liming Zhu
 
PPTX
IOT
Gaurav Dwivedi
 
PDF
IoT Security Challenges and Solutions
Intel® Software
 
PDF
Security architecture
Duncan Unwin
 
PPTX
IOT privacy and Security
noornabi16
 
PPTX
Ns lecture5: Introduction to Computer, Information, and Network Security.
Aksum Institute of Technology(AIT, @Letsgo)
 
PPT
Security Requirements in IoT Architecture
Vrince Vimal
 
PDF
Overview of IoT and Security issues
Anastasios Economides
 
PDF
IoT Networking
Hitesh Mohapatra
 
PDF
IT Security - Guidelines
Pedro Espinosa
 
Iot
Vishwas N
 
IoT Security
Narudom Roongsiriwong, CISSP
 
Iot(security)
Shreya Pohekar
 
Internet of Things (IoT) - We Are at the Tip of An Iceberg
Dr. Mazlan Abbas
 
Iot
RaheemUnnisa1
 
Basics of Cyber Security
Nikunj Thakkar
 
Iot Security, Internet of Things
Bryan Len
 
Cybersecurity Skills in Industry 4.0
Eryk Budi Pratama
 
Introduction to IoT Security
CAS
 
Zero Trust Network Access
Er. Ajay Sirsat
 
Responsible AI & Cybersecurity: A tale of two technology risks
Liming Zhu
 
IOT
Gaurav Dwivedi
 
IoT Security Challenges and Solutions
Intel® Software
 
Security architecture
Duncan Unwin
 
IOT privacy and Security
noornabi16
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Aksum Institute of Technology(AIT, @Letsgo)
 
Security Requirements in IoT Architecture
Vrince Vimal
 
Overview of IoT and Security issues
Anastasios Economides
 
IoT Networking
Hitesh Mohapatra
 
IT Security - Guidelines
Pedro Espinosa
 
Ad

Viewers also liked (20)

PPTX
IoT App Development Areas And Major Challenges
astoria0128
 
PDF
Challenges in the IoT
EUBrasilCloudFORUM .
 
PPTX
Your Thing is Pwned - Security Challenges for the IoT
WSO2
 
PDF
BUD17-104: Scripting Languages in IoT: Challenges and Approaches
Linaro
 
PPTX
introduction to Embedded System Security
Adel Barkam
 
PDF
IoT Security: Problems, Challenges and Solutions
Liwei Ren任力偉
 
PPTX
IoT Security Risks and Challenges
OWASP Delhi
 
PPTX
IoT - IT 423 ppt
Mhae Lyn
 
PDF
Internet of Things security-issues
MobileMonday Atlanta
 
PPT
IBM BC2015 - Internet of Things - from hype to reality
IBM Sverige
 
PDF
Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
ForgeRock
 
PDF
Cybesecurity of the IoT
Altoros
 
PPTX
Internet of Things
Sigma Software
 
PDF
Highland Property Management Data Management
Casey Hynes
 
PPTX
Internet of thing (IoT and cloud convergence opportunitis and challenges
Dr.-Ing Abdur Rahim Biswas
 
PDF
Big Data Analytics & IoT Challenges
Big Data for You
 
PDF
Internet of Things
Prithwis Mukerjee
 
PPTX
Predix Analytics
Altoros
 
PPTX
Security issues and solutions : IoT
Jinia Bhowmik
 
PDF
IoT Security and Privacy Considerations
Kenny Huang Ph.D.
 
IoT App Development Areas And Major Challenges
astoria0128
 
Challenges in the IoT
EUBrasilCloudFORUM .
 
Your Thing is Pwned - Security Challenges for the IoT
WSO2
 
BUD17-104: Scripting Languages in IoT: Challenges and Approaches
Linaro
 
introduction to Embedded System Security
Adel Barkam
 
IoT Security: Problems, Challenges and Solutions
Liwei Ren任力偉
 
IoT Security Risks and Challenges
OWASP Delhi
 
IoT - IT 423 ppt
Mhae Lyn
 
Internet of Things security-issues
MobileMonday Atlanta
 
IBM BC2015 - Internet of Things - from hype to reality
IBM Sverige
 
Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
ForgeRock
 
Cybesecurity of the IoT
Altoros
 
Internet of Things
Sigma Software
 
Highland Property Management Data Management
Casey Hynes
 
Internet of thing (IoT and cloud convergence opportunitis and challenges
Dr.-Ing Abdur Rahim Biswas
 
Big Data Analytics & IoT Challenges
Big Data for You
 
Internet of Things
Prithwis Mukerjee
 
Predix Analytics
Altoros
 
Security issues and solutions : IoT
Jinia Bhowmik
 
IoT Security and Privacy Considerations
Kenny Huang Ph.D.
 
Ad

Similar to Security challenges for IoT (20)

PPTX
Your Thing is pwnd - Security Challenges for the Internet of Things
WSO2
 
PPTX
IoT World - creating a secure robust IoT reference architecture
Paul Fremantle
 
PPTX
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
WSO2
 
PDF
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2
 
PDF
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
PDF
Securing IoT Applications
WSO2
 
PDF
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
PDF
The Internet of Things: We've Got to Chat
Duo Security
 
PDF
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
PPTX
Security challenges for internet of things
Monika Keerthi
 
PDF
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
Brian Knopf
 
PPTX
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
ODP
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
PPTX
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
PPT
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
PDF
Mickey pacsec2016_final
PacSecJP
 
PDF
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
PPTX
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
PaloAltoNetworks
 
PPTX
Securing the Internet of Things
Paul Fremantle
 
PDF
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 
Your Thing is pwnd - Security Challenges for the Internet of Things
WSO2
 
IoT World - creating a secure robust IoT reference architecture
Paul Fremantle
 
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
WSO2
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2
 
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
Securing IoT Applications
WSO2
 
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
The Internet of Things: We've Got to Chat
Duo Security
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
Security challenges for internet of things
Monika Keerthi
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
Brian Knopf
 
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
Mickey pacsec2016_final
PacSecJP
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
PaloAltoNetworks
 
Securing the Internet of Things
Paul Fremantle
 
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 

More from WSO2 (20)

PDF
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
WSO2
 
PDF
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
PDF
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
WSO2
 
PDF
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
WSO2
 
PDF
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
PDF
Platformless Modernization with Choreo.pdf
WSO2
 
PDF
Application Modernization with Choreo for the BFSI Sector
WSO2
 
PDF
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
PDF
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
PPTX
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
PPTX
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
PPTX
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
PPTX
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
PPTX
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
PPTX
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
PDF
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
PDF
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
PDF
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
WSO2
 
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
WSO2
 
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
WSO2
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
Platformless Modernization with Choreo.pdf
WSO2
 
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 

Recently uploaded (20)

PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Approach and Philosophy of On baking technology
30anthuong17
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
KodekX | Application Modernization Development
KodekX
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 

Security challenges for IoT

  • 1. Your Thing is pwnd Security Challenges for the Internet of Things   Paul  Fremantle   CTO  and  Co-­‐Founder,  WSO2   @pzfreo  #wso2  #wso2con  
  • 2. Firstly,  does  it  even  maAer?    
  • 6. My  three  rules  for  IoT  security   •  1.  Don’t  be  dumb   •  2.  Think  about  what’s  different   •  3.  Do  be  smart  
  • 7. My  three  rules  for  IoT  security   •  1.  Don’t  be  dumb   –  The  basics  of  Internet  security  haven’t  gone  away   •  2.  Think  about  what’s  different   –  What  are  the  unique  challenges  of  your  device?   •  3.  Do  be  smart   –  Use  the  best  pracQce  from  the  Internet  
  • 12. So  what  is  different  about  IoT?   •  The  fact  there  is  a  device   –  Yes  –  its  hardware!     –  Ease  of  use  is  almost  always  at  odds  with  security   •  The  longevity  of  the  device   –  Updates  are  harder  (or  impossible)   •  The  size  of  the  device   –  CapabiliQes  are  limited  –  especially  around  crypto   •  The  data   –  OXen  highly  personal   •  The  mindset   –  Appliance  manufacturers  don’t  always  think  like  security  experts   –  Embedded  systems  are  oXen  developed  by  grabbing  exisQng  chips,  designs,  etc  
  • 13. Physical  Hacks   A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
  • 15. Or  try  this  at  home?   hAp://freo.me/1g15BiG    
  • 17. Hardware  recommendaQons   •  Don’t  rely  on  obscurity    
  • 18. Hardware  recommendaQons   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity    
  • 19. Hardware  RecommendaQon  #2     •  Unlocking  a  single  device  should  risk  only  that   device’s  data  
  • 22. Crypto  on  small  devices   •  PracQcal  ConsideraQons  and  ImplementaQon  Experiences  in   Securing  Smart  Object  Networks   –  hAp://tools.ied.org/html/draX-­‐aks-­‐crypto-­‐sensors-­‐02  
  • 24. ECC  is  possible     (and  about  fast  enough)  
  • 25. Crypto   Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
  • 26. Won’t  ARM  just  solve  this  problem?  
  • 27. Cost  maAers   8 bits $5 retail $1 or less to embed 32 bits $25 retail $?? to embed
  • 29. SIMON  and  SPECK   https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
  • 30. Datagram  Transport  Layer   Security  (DTLS)   •  UDP  based  equivalent  to  TLS   •  hAps://tools.ied.org/html/rfc4347  
  • 32. Passwords   •  Passwords  suck  for  humans   •  They  suck  even  more  for  devices    
  • 36. Why  Federated  IdenQty  for  Things?   •  Enable  a  meaningful  consent  mechanism  for  sharing  of  device  data   •  Giving  a  device  a  token  to  use  on  API  calls  beAer  than  giving  it  a   password   –  Revokable   –  Granular   •  May  be  relevant  for  both   –  Device  to  cloud   –  Cloud  to  app   •  “IdenQty  is  the  new  perimeter”  
  • 39.     An     Open  Source     IdenQty   and     EnQtlement   Management     Server       Apache  Licensed   LDAP,  JDBC,  AcQve  Directory,  SCIM,  SPML   SAML2,  OpenID  Connect,  WS-­‐Trust,  Kerberos   OAuth  1.0/2.0,  XACML  2.0,  XACML  3.0   XDAS,  Web  Console,  SOAP  Admin   MulQ-­‐tenant,  Clusterable,  HA,  24x7  support   39   What  is  WSO2  IdenQty  Server?  
  • 40. Other  WSO2  technology  to  help  you   •  WSO2  BAM  –  monitoring   •  WSO2  CEP  –  realQme  fraud  detecQon   •  WSO2  API  Manager  –  securing  API  endpoints    
  • 41. Real  Qme  event  processing  
  • 42. Are you setting up for the next privacy or security breach?
  • 44. Exemplars   •  Shields   •  Libraries   •  Server  Frameworks   •  Standards  and  Profiles  
  • 45. Summary   •  1.  Don’t  be  dumb   •  2.  Think  about  the  differences   •  3.  Be  smart     •  4.  Create  and  publish  exemplars  
  • 46. WSO2 Reference Architecture for the Internet of Things http://freo.me/iot-ra