For those who didn't come to our conference "Security by Design: An IoT must-have", or those who want to see it again, here is the presentation given by Gemalto.
3. We enable trust in two interlocking ways... by developing secure, innovative software
We authenticate people and devices
We protect data across networks and the cloud
Gemalto - Cinterion Module Services - Secure Package
4. Our secure software and encryption help secure digital exchanges for billions of individuals and things
3,000 R&D engineers
88 new patents filed in 2017
€3bn 2017 revenue
+2bn end users benefit from our solutions
6. Can you guess what this image represents?
A. Le Bourget Airport?
B. Gemalto headquarters in Paris?
C. Secret US military base?
7. How many devices were needed to take down the most resilient DNS server?
For Amazon's North American product sales operations, the ~211 minutes of service disruption caused by the infamous 2016 Dyn cyberattack resulted in a loss of $32 million.
9. Device and data trustworthiness are the cornerstone of the IoT
Source: Gartner 2015
Why are things getting more and more connected?
$ Make financial decisions / Ensure system availability
Strong trust in the endpoints and the data they generate is the cornerstone of IoT
10. Security: it is all about 4 key principles
Principle #1: Trust the source sending the data with a root of trust. Create unique identities through unforgeable cryptographic material injected at manufacturing (never passwords).
Principle #2: Ensure that the exchange of data happens only among trusted entities. Make use of mutual authentication between devices and the back-end through PKI.
Principle #3: Make sure only the authorized servers can read the data. Encrypt and sign the data in all data exchanges to ensure privacy and integrity.
Principle #4: Enable security updatability to cope with evolving threats. Keep firmware and software updated, and trust the source of the new code.
11. There is not just one security mechanism but several
Between backend and device, the layers stack up: cellular security, TLS security, and the applicative signature.
12. The ecosystem is mandating service providers and OEMs to apply security schemes
► Regulators: (UK) key updates every 1 to 5 years; end-to-end data encryption and access management; firmware updates
► Ecosystem: IoT cloud providers mandate the use of certificates, and thus PKI, in devices connected to their platforms
Source: Gartner, Forecast IoT Security Worldwide 2018
13. Implementing device security adds operational complexity
Across-the-board complexity is often the main barrier to good security practices!
Manufacturing constraints: leveraging public IoT clouds requires mastering PKI technology and adapting production processes
Device resource constraints: connected objects have low computing power, face energy constraints, and use restricted data channels
Outdated software: managing secure updates through signed and validated software packages is mandatory to face evolving threats
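As an added worked example (not code from the Gemalto deck) of Principle #4 on slide 10 and the slide 13 point on signed and validated update packages, the Go program below signs a firmware package on the build side and verifies it on the device side, refusing tampered images, images signed by an unknown key, and rollback to an older signed version. The package layout (version header, image, Ed25519 signature) and the sample image are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout for this example: 4-byte big-endian version,
// then the image, then a 64-byte Ed25519 signature over version||image.
const hdrLen, sigLen = 4, ed25519.SignatureSize

// SignPackage is the build-side step: the vendor's signing key (kept offline in
// practice) signs the version header together with the image as one unit.
func SignPackage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	pkg := make([]byte, hdrLen, hdrLen+len(image)+sigLen)
	binary.BigEndian.PutUint32(pkg, version)
	pkg = append(pkg, image...)
	return append(pkg, ed25519.Sign(priv, pkg)...)
}

// VerifyPackage is the device-side step: the image is accepted only if the
// signature checks under the pinned vendor public key (trust the source of the
// new code) and the version is newer than the installed one (anti-rollback).
func VerifyPackage(pub ed25519.PublicKey, pkg []byte, installed uint32) ([]byte, uint32, error) {
	if len(pkg) < hdrLen+sigLen {
		return nil, 0, errors.New("package too short")
	}
	body, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, errors.New("bad signature: untrusted source or tampered image")
	}
	version := binary.BigEndian.Uint32(body)
	if version <= installed {
		return nil, 0, errors.New("rollback refused: version not newer than installed")
	}
	return body[hdrLen:], version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignPackage(priv, 2, []byte("constructed firmware image v2"))
	_, ver, err := VerifyPackage(pub, pkg, 1)
	fmt.Println(ver, err) // 2 <nil>
}
```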
15. The Cinterion module as an enabler of trust for your next IoT project
Trusted identities: pre-issued diversified X.509 certificates in the module secure domain
Data protection: secure networking stack and trusted software updates
IoT clouds / Secure IoT applications
16. The Cinterion module as an enabler of trust for your next IoT project
1. Identity generation: saves deploying secure production facilities and managing a PKI. Gives assurance that there is no over-production (anti-counterfeiting), allowing you to externalize manufacturing with peace of mind.
2. Identity provisioning: secure enrollment of devices into any IoT hub (Azure, AWS, Oracle and the like), automated through the service portal with the same effort for small and large fleets. Feature to request on-demand data encryption with Gemalto DPOD™.
3. Lifecycle management: on-demand over-the-air key update
• Revocation: invalidates the device identities if a security breach is suspected
• Renew: to renew the certificate
• Update: to change cloud provider or to give access to a new 3rd party
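As an added example (not Gemalto's code) of Principle #2 on slide 10 and of the identity lifecycle above, the Go code below issues a fleet CA and a device certificate, then performs the back-end side of mutual authentication: the device certificate must chain to the fleet CA with client-authentication usage and must not be on the revocation list. The fleet CA, the device-0001 name and the serial-keyed revocation list are constructed for this example; a real deployment would use the module's pre-issued certificates and the cloud hub's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a cert for cn: self-signed fleet CA when parent is nil, else a device
// identity signed by parent (standing in for the module's pre-issued X.509 certificate).
func newCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // constructed serial
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AuthenticateDevice is the back-end half of mutual authentication: the device cert must
// chain to the fleet CA with client-auth usage and must not be revoked (lifecycle step 3).
func AuthenticateDevice(fleetCA, dev *x509.Certificate, revoked map[string]bool) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // unknown issuer, expired, or wrong usage
	}
	if revoked[dev.SerialNumber.String()] {
		return "", errors.New("device certificate revoked")
	}
	return dev.Subject.CommonName, nil // the device identity the back-end now trusts
}
```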
Device: secure device access, sensitive data security, communication encryption, protect software integrity
Cloud: big data encryption, server protection, cloud application security
performed with a software defined radio connected to a laptop, or in a cheaper and stealthier package, an Arduino board with an attached radio receiver
To refute the ability of car companies to keep up with hackers, three European computer scientists say they have known about the flaws in VW keys since 2012 and warned automakers. VW only uses 4 certs for 100 million keys over the past 20 years!
Wired article: A New Wireless Hack Can Unlock 100 Million Volkswagens (must-read article):
https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/
The Hack: It’s not a Matter of if, but When:
http://www.datacenterknowledge.com/archives/2017/07/18/making-security-priority-connected-cars/
The list of impacted cars includes luxury vehicles from Volkswagen's Porsche, Audi, Bentley, and Lamborghini brands.
Researchers broke the transponder's 96-bit cryptographic system by listening in twice to the radio communication between the key and the transponder.
This reduced the pool of potential secret-key matches and opened up the 'brute force' option, which involved running through 196,607 candidate secret keys until they found the one that could start the car.
Then in 2013, Volkswagen sued the universities - and the researchers personally - to block them from publishing their discovery to fellow academics, according to court documents, but now a legal settlement has allowed the documents to go public.
The researchers say the flaw lies in the widely-used Megamos Crypto transponder, which is responsible for the encryption between the car and remote.
The flaw is similar to the Rolljam, which can be built for $30 (£20) and lets amateur hackers open dozens of cars and even get into garages.
The hacker behind the project says it will open cars from Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, and Jaguar.
Read more: http://www.dailymail.co.uk/sciencetech/article-3201564/Hackers-reveal-flaw-100-cars-kept-secret-Volkwagen-TWO-YEARS-Bug-used-unlock-Kia-Lamborghini.html#ixzz4ppcnbuHc
PKI has emerged as the digital identification, authentication and encryption standard. PKI certificates provide a strong framework for identifying and authenticating individual devices, and are regarded by many experts as the first step to securing the entire IoT ecosystem. As businesses attempt to secure the IoT, PKI is re-emerging as a cost-effective and proven technology that delivers a secure and high-performance solution.
AWS IoT mandates the use of certificates in devices connected to the cloud. But it doesn’t automatically, and securely, provision these certificates at scale, and manage them for the lifetime of the devices. It is challenging to rotate these certificates deployed in remote devices.
Where does it all start from?
Need to securely connect objects that have low computing power
Want to leverage shared IoT infrastructure (IoT clouds from MS, Amazon, IBM, Oracle)
Want to build my own private IoT cloud but don't have previous experience with PKI infrastructure
Public IoT hubs mandate a high level of trust in the endpoints and the use of a secure communications channel
Diversification and efficient provisioning of identities become a mandatory step in your production environment
Secure storage of those identities in the device and in the cloud becomes a key aspect of your system design
Securely connecting millions of devices with no effort
Leveraging the embedded IP and TLS stack of the Cinterion modules reduces the computing requirements of your host processor
Built-in and diversified X.509 client certificates in the module's secure domain offload your production site from cumbersome key generation and provisioning tasks
Automated provisioning into public IoT hubs makes device onboarding a snap (we support the Azure IoT Hub and AWS IoT Hub)
APIs for automated provisioning into private IoT deployments simplify your logistics
Leveraging the TKM as a service for generation and storage of credentials reduces your TCO
On-demand key rotation secures your devices over their lifecycle, to respond if a security breach is suspected
FOTA and software lifecycle management help in keepin