Building a secure future

Cybersecurity and the Internet of Things

Raj Samani, EMEA CTO McAfee
Sandhiprakash Bhide, Director of Innovation, Future IOT Solutions,
Application Ready Platform Division, IOT Group
.

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

The Connected Home The Last Decade

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

2000

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

2013

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Typical Connected Home, Year 2000

10

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

50B Devices will connect to Internet by the end of the decade.

They are unprotected and can be hacked loss of economic value & loss of
innocence (opt-in w/o knowing consequences)

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

11

New Security Threats to Personal IOT Devices

Baby Monitor: Hacker takes over baby monitor and shouts obscenities
at sleeping child. ABC. 13 Aug 2013)
Fridge sending out spam after web attack compromised gadgets. One
of > than 100K devices used in spam campaign. (BBC News. Jan 2014)

Wearable Computing Equals New Security Risks, (InformationWeek.

13 Jan 2013)
Medical Devices: Were starting to attach medical devices to electronic
health records, and theyre not secure.' (Healthcare IT News. May 2013)
Credit Card Information System: Target Confirms Point-of-Sale
Malware Was Used in Attack (Security Week. 13 Jan 2014)
.

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

12

What is security and implications of not having

security?

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

13

Anonymized data may not be as anonymous as is

believed. Or it may be now, but not in the future
How To Track Vehicles
Using Speed Data Alone

Car insurance companies reduce the cost of insurance

by gathering data about a customer's driving practices.

Carmakers keep data on

drivers' locations

Report finds automakers keeping info about drivers

location. Owners cant demand that info is destroyed

Connected Home
Invasion: The Methods

No incentive to secure products. With resources better

off spending on the features that consumers want

FTC Hearing IoT Privacy

Concerns

Anyone concerned about privacy would be well advised

to weigh in on this before the issue is taken over.
.

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

14

Data Storage requirements

15

May 16, 2016

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Security Connected

May 16, 2016

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

16

Users Perspective of Security

Depends end user and the app
Data Protection

Privacy

Identity

Safety

Data safe from

theft or alteration

Release of
sensitive/ personal
info without
consent

Person remains
anonymous unless
opted-in

Does not cause any

harm to people

TRUST
.

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

17

IOT Security
Security necessarily segments the IOT market
Different usages require different security mechanisms
Cost sensitivity implies different security controls for different IOT
segments, i.e., smart meters
Three types of security technical issues for IOT devices
How to secure communications?
How to detect and recover from malware?
How to defend the physical security of low cost devices?
.

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Sensor Security Challenge #1

Software-based sensor attack rates rising
Sensor data left unprotected:
1. By APIs;
2. In system memory (buffers)

Once access to sensor data is obtained, information can be

directly or indirectly inferred

Source: TapLogger: Inferring User Inputs on Smartphone Touchscreens Using On-board

Motion Sensors, WiSec12, April, 2012.
http://www.cse.psu.edu/~szhu/papers/taplogger.pdf
Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Source: PlaceRaider: Virtual Theft in Physical Spaces with Smartphones,

Sept 27, 2012. http://arxiv.org/pdf/1209.5982v1.pdf
.

Sensor Security Challenge #2

Users cant tell if sensors are on/off and cannot control use
Sensor data can be faked -- not certified as authentic --allowing
attacks on sensor-data-based uses

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Sensor Security Challenge #3

1. How do we keep the credentials provisioned in IoT devices secret
from attackers with physical access to the device?
Important for infrastructure IoT devices but perhaps not for
personal devices
2. How do we detect IOT Device being tampered?
Most IoT designs today assume device functionality is immutable
3. What market segments require device hardening from physical
attack (e.g., will vandalism be common in infrastructure devices)?

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Protected Sensor Data Goals

1. Sensor data is protected at the source and remains
secure during processing.
2. Provide user an easy to use environment with policies to
control sensor data processing and use.
3. Address problem in a way that is scalable (platform &
sensor types)

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

What about today?

Security. Unlike PC-based SCADA systems that are vulnerable to
virus and malware attacks, our system is housed on cloud based
servers. These servers are overseen by highly skilled technicians
negating the need for anti-virus updates and continuous security
vulnerability patches required by PC-based solutions

23

May 16,
2016

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

For more information

White Paper: http://www.mcafee.com/hk/resources/whitepapers/wp-smart-grid-cyber-security.pdf

@Raj_Samani & @CyberGridBook

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014

Q&A
.

Intel Corporation, Sandhiprakash (Sandhi) Bhide, Raj Samani, Tsensor Summit, Sept. 15-17, 2014