Y20151003 IoT Information Security - Trend Micro Sharing
1. IoT Security Solution
Trend Micro Consumer CBU
Director, Global Consumer Sales Enablement and Business Development
Steven Hsu (steven_hsu@trend.com.tw)
2. Agenda
• Trend Micro Introduction
• Company Profile
• SPN (Smart Protection Network)
• IoT Overview and Security Solution
• Year 2020 and Sharing Economy
• IoT Service, Technology and Ecosystem
• IoT Security challenges
• IoT Hacking Case Study
• Trend IoT security solutions Overview
• Trend Micro Strengths in IoT
• Q&A
Copyright 2015 Trend Micro Inc.
3. Company Profile
Founded: 1988, United States
Headquarters: Tokyo, Japan
Market Cap: 5B USD
2014 Sales: $1.05B USD
Customers: 500,000 businesses, millions of consumers
"A world safe for exchanging digital information"
The world's largest pure-play security software company
Segments: Small Business, Midsize Business, Enterprise, Consumers
5200+ employees, 38 business units worldwide
4. Trend Micro leads the world in security
Global 500 accounts trust Trend Micro Security Solutions:
• 48 of the top 50 global corporations (96%)
• 10 of the top 10 automotive companies (100%)
• 10 of the top 10 telecom companies (100%)
• 8 of the top 10 banks (80%)
• 9 of the top 10 oil companies (90%)
Market Leadership Position
In the industry
• AV-Test awarded Internet Security with "Best Protection" in 2015, March 2015
• ICSA Labs awards Trend Micro the 15 Year Excellence in Testing Award 2015, April 2015
• SC Magazine Award Finalist for Best Security Company 2015, January 2015
With partners
• CRN 5 STAR Partner Program Guide Winner 2015, February 2015
In the cloud
• Simply Security was rated #1 in Best Cloud Security Blogs in 2015, March 2015
• #1 Server Security Market Share Worldwide (Corporate Endpoint Server Security Revenue Share by Vendor, 2013; source: IDC, 2014)
5. GLOBAL SENSOR NETWORK - Collects More Information in More Places
• Hundreds of millions of sensors
• 16 billion threat queries daily
GLOBAL THREAT INTELLIGENCE - Accurately Analyzes & Identifies Threats Faster
• Identifies new threats 50x faster than average (NSS Labs)
PROACTIVE PROTECTION - Blocks Real-World Threats Sooner
• 250M threats blocked daily
• 500k new threats identified per day
Copyright 2014 Trend Micro Inc.
Source: All values from Trend Micro Smart Protection Network statistics, July 2014
6. Trend Micro Consumer Vision
Enjoy your digital life safely as a family!
End Point Security to Family Protection
Device care to People care
Solution to Service
7. IoT Overview and Security Solution
• 2020 and Sharing Economy
• IoT Service, Technology and Ecosystem
• Market Challenges
• IoT Security Concern
• Trend Micro Solution
8. What will happen in 2020?
• 33 billion objects will be linked together globally (including PC, mobile and smartphone; Gartner).
• Globally, on average each person will have more than 3 IoT devices.
• Total data volume will be 40,206 exabytes, and 37% of it will be in the cloud (IDC).
• IDC estimates the IoT market will reach US$ 7,065 billion.
9. The essence of IoT - efficient use and allocation of resources
Sharing: the right to use beats ownership, and product use becomes a service. The largest content site, Facebook, owns no content; the largest transportation service company, Uber, has no taxis; the largest e-commerce company, Alibaba, has no warehouses at all; Airbnb owns no hotels either.
Interacting: you are looking at your phone, and your phone is looking at you. Sensors or screens on devices track our emotions and location, observe whether you are happy, sad or angry while viewing content, and accordingly serve content that fits your current mood.
Flowing: all business is data business. Customer data is as important as the customers themselves. Data should not only be collected but also set in motion, linked with other data and shared; data that is not shared is useless.
Cognifying: giving intelligence to things; AI will serve humanity. AI will become a service. We do not need to develop AI ourselves; instead we use AI over the network to help handle tasks.
Sharing economy
Source: Kevin Kelly speech at CoWork event, June 2015
16. IoT Ecosystem Challenges
Volume, Variety, Velocity
[Figure: Intel machine-to-machine ecosystem graphic]
17. IoT Market Challenges
Source: Worldwide and Regional Internet of Things (IoT) 2014–2020 Forecast: A Virtuous Circle of Proven Value and Demand
18. Sounds Familiar?
Tizen, Android, Fire OS, iOS, Windows Phone, MeeGo, Palm OS, webOS, BlackBerry, Symbian, Firefox
20. IoT Security Research Findings
Source: HP Internet of Things Research, http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
• [%] of devices collected at least one piece of personal information via the device, the cloud, or its mobile application.
• [%] of devices used unencrypted network services.
• [%] of devices, along with their cloud and mobile application, enable an attacker to identify valid user accounts through account enumeration.
• [%] of devices, along with their cloud and mobile application components, failed to require passwords of sufficient complexity and length.
• [%] of devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials.
Finding categories shown: Privacy, Encryption, HACK, HACK, AAA
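The account-enumeration and weak-password findings above recur in the case studies that follow. As an added example (not code from HP's report or from this presentation), the Python below contrasts a login handler whose error text reveals whether an account exists with one that answers every failure identically and does the same hashing work either way, and adds a minimal password length and complexity check. The user store, the 12-character minimum and the three-character-class rule are this example's own assumptions.

```python
"""Added example: enumeration-resistant login and a password policy check.
The user store, the 12-character minimum and the three-class rule are
assumptions made for this example, not values from the HP report."""
import hashlib
import hmac
import os
import re
from typing import Tuple

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, hash_password("correct horse battery staple!9", _SALT)),
}

# Dummy record so that unknown users cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-not-a-real-password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """Weak pattern: the failure message differs, so a caller can tell
    valid usernames from invalid ones (account enumeration)."""
    if username not in USERS:
        return False, "unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "wrong password"
    return True, "ok"


def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """Hardened pattern: one message for every failure, and the same
    hashing work whether or not the user exists, so neither the text nor
    the response time reveals whether the account is valid."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if not (username in USERS and matches):
        return False, "invalid username or password"
    return True, "ok"


MIN_LENGTH = 12  # assumption for this example


def password_policy_ok(password: str) -> bool:
    """Reject short or single-class passwords (the 'sufficient complexity
    and length' finding): at least MIN_LENGTH characters and at least
    three of lowercase, uppercase, digit, other."""
    if len(password) < MIN_LENGTH:
        return False
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    return classes >= 3
```

The dummy record matters as much as the uniform message: if the server skips the hash for unknown users, the faster reply leaks the same information the error text used to.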
21. An Expanded Attack Surface Increases the Challenge of Securing IoT Products
Key Challenges to Securing IoT Products (% of respondents):
• Securing access to the end-point device: 60%
• Securing the communication channel: 55%
• Deploying security updates remotely on end-point devices: 50%
Source: http://ebooks.capgemini-consulting.com/security-in-the-internet-of-things/IoT_infograph.pdf
22. PC Security vs. IoT Security
PC: Add-on security; Powerful; Client/Server; Decline 10%
IoT: Built-in security; Constrained; Cloud, Gateway, Embedded; Growth 40-50%
24. Jeep Cherokee Hack Case Study
Fiat Chrysler Automobiles recall of 1.4 million vehicles with a potential cybersecurity flaw
25. Man-in-the-Middle Attack
• Samy Kamkar, creator of OwnStar, has presented a new gadget that could be exploited to hack GM cars (OnStar app), BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect apps.
• The tool allows locating, unlocking, and starting them.
http://securityaffairs.co/wordpress/39375/hacking/ownstar-attack-bmw-chrysler-mercedes.html
• Marc Rogers and Kevin Mahaffey disclosed 5 vulnerabilities in Tesla's Model S.
• But both hackers said Tesla deserved credit for what it had got right about car software security, because Tesla's fleet could be updated "over the air".
28. Integrated Toilet Hack
• The Satis is a "smart" toilet. It is controlled using LIXIL's "My Satis" Android application, which communicates with the toilet over Bluetooth.
• The vulnerability allows an attacker to mess with your toilet: flush the water and lift the seat up or down.
http://technews.tw/2013/08/13/high-tech-toilet-gets-hacker-warning-nothing-is-safe/
• The "My Satis" Android application has a hard-coded Bluetooth PIN of "0000", as can be seen in the following line of decompiled code from the application.
29. Could your fridge send you spam?
• Proofpoint says that between 23 December 2013 and 6 January 2014, the 100,000-strong botnet sent out more than 750,000 "malicious email communications", with more than "25 per cent of the volume sent by things that were not conventional laptops, desktop computers or mobile devices."
http://www.independent.co.uk/life-style/gadgets-and-tech/news/could-your-fridge-send-you-spam-security-researchers-report-internet-of-things-botnet-9072033.html
30. Hacker hijacks wireless Foscam baby monitor, talks and freaks out nanny
• A hacker used a Foscam security camera to talk to the nanny of a one-year-old girl. She heard talking coming from the security camera, a man saying, "Oh, that's a beautiful baby."
• Foscam has had three instances of this kind of hacking reported, due to a password vulnerability (an empty user name required no password) and people using the default user name/password.
http://www.computerworld.com/article/2878741/hacker-hijacks-wireless-foscam-baby-monitor-talks-and-freaks-out-nanny.html
31. Joyoung (九陽) smart soy milk maker
• Has a Wi-Fi function and connects to a mobile app and the cloud.
• Using a network sniffer, it was found that the mobile IMEI is the mobile ID used to obtain the session key through the cloud, and the device ID is then obtained through the session key.
• Once you have the device ID, you can send HTTP commands to the cloud and mess with other people's devices.
http://www.freebuf.com/articles/terminal/78196.html
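The flaw described above is a missing authorization check: the cloud accepts a command for any device ID from any valid session, and the session key itself is derived from a value (the IMEI) that is visible on the network. As an added example that is not code from the write-up or from the vendor, the Python below models both halves of the fix in a toy cloud API: the weak design beside one that issues random expiring tokens bound to an account and refuses commands for devices the account does not own, logging each refusal so such probing shows up in monitoring. Every device ID, IMEI, account and command here is constructed.

```python
"""Added example (not the write-up's or the vendor's code): a toy IoT cloud API.
The weak half reproduces the design described on the slide, where the session
key is derived from the phone's IMEI and any session may command any device ID;
the hardened half issues random expiring tokens bound to an account and
enforces device ownership. Every ID, account and command here is constructed."""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed data: which account owns which appliance.
DEVICE_OWNERS: Dict[str, str] = {"dev-1001": "alice", "dev-1002": "bob"}
COMMAND_LOG: List[str] = []   # commands the cloud would relay to appliances
AUDIT_LOG: List[str] = []     # refused requests, for detection and alerting


def run_command(device_id: str, cmd: str) -> str:
    """Stand-in for relaying a command to the appliance."""
    COMMAND_LOG.append(f"{device_id}:{cmd}")
    return "accepted"


# ---- Weak design: session derived from the IMEI, no ownership check ----
IMEI_TO_DEVICE: Dict[str, str] = {   # constructed values, not real IMEIs
    "111111111111111": "dev-1001",
    "222222222222222": "dev-1002",
}


def weak_session_key(imei: str) -> str:
    """Deterministic key from the IMEI alone: the IMEI travels in the clear,
    so the key has no more secrecy than the identifier it is computed from."""
    return hashlib.sha256(imei.encode()).hexdigest()


def weak_device_id(session_key: str) -> Optional[str]:
    """Look up which device the session key was issued for."""
    for imei, dev in IMEI_TO_DEVICE.items():
        if weak_session_key(imei) == session_key:
            return dev
    return None


def weak_command(session_key: str, device_id: str, cmd: str) -> str:
    """Authenticates the session but never checks that it owns device_id,
    so any valid session can drive any appliance (the reported flaw)."""
    if weak_device_id(session_key) is None:
        return "unauthenticated"
    return run_command(device_id, cmd)


# ---- Hardened design: random expiring token bound to an account ----
TOKEN_TTL_SECONDS = 3600
SESSIONS: Dict[str, Tuple[str, float]] = {}   # token -> (account, expiry)


def issue_token(account: str, now: Optional[float] = None) -> str:
    """Issue an unguessable token after the account has authenticated
    (the password check itself is outside this example)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (account, now + TOKEN_TTL_SECONDS)
    return token


def hardened_command(token: str, device_id: str, cmd: str,
                     now: Optional[float] = None) -> str:
    """Reject unknown or expired tokens, then reject any device the
    authenticated account does not own; log refusals for monitoring."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None or entry[1] < now:
        AUDIT_LOG.append(f"deny reason=bad-token device={device_id}")
        return "unauthenticated"
    account, _expiry = entry
    if DEVICE_OWNERS.get(device_id) != account:
        AUDIT_LOG.append(f"deny reason=not-owner account={account} "
                         f"device={device_id} cmd={cmd}")
        return "forbidden"
    return run_command(device_id, cmd)
```

The ownership lookup is the essential line: an opaque token alone only fixes who can get a session, not what that session may touch. A burst of "not-owner" entries in AUDIT_LOG from one account is the signal a defender would alert on.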
32. Shodan Exposes Online Devices
• The Shodan search engine is the Google for the Internet of Things, a playground for hackers and terrorists -- and, maybe, a useful tool for companies looking to lock down their own environment.
33. Even the FBI is worried about Internet of Things security
• On Sep. 10, 2015 the FBI issued a public service announcement regarding cybercrime opportunities posed by the connecting of all sorts of data-enabled devices, from medical gear to entertainment gadgets, to the Internet.
• The FBI cites "deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness," as giving cybercrooks an opening to plot attacks and steal information.
http://www.computerworld.com/article/2983793/data-security/even-the-fbi-is-worried-about-internet-of-things-security.html?phint=newt%3Dcomputerworld_security&phint=idg_eid%3D7e21d0a5c7c13c7adbc9bf097fb770ab#tk.CTWNLE_nlt_security_2015-09-14
http://www.ic3.gov/media/2015/150910.aspx
34. Typical attack
1. AAA Penetration: attack authentication, authorization and accounting through the device web app, mobile app and cloud interfaces (backdoor credentials, default name/password, direct web access, man in the middle).
2. Steal Key / Certificate: get the device's fixed key and certificate to break the encryption and obtain access rights.
3. Fake Firmware: modify the firmware and sign it with the stolen key; control the device for further penetration.
4. Cloud Penetration: attack the cloud system for valuable backend data.
38. Trend Micro Strengths in IoT
1. Security: Top 3 worldwide security company with 26+ years of experience and full dedication to the security field.
2. Comprehensive Operation Infra: Full experience in development on different OSes, with API creation and integration. Complete SOP for security update infrastructure and data storage.
3. Cloud Technology: The world's first to create cloud-based security. Partners with Amazon AWS and Microsoft Azure, with full experience in cloud infrastructure construction.
4. Big Data Analysis: Few companies have real experience in Hadoop deployment applied to real business operations.