CloudCamp Chicago - June 17, 2015 The Internet of Things

Post on 28-Jul-2015


Transcript of CloudCamp Chicago - June 17, 2015 The Internet of Things

CloudCamp Chicago

“The Internet of Things”

#cloudcamp @CloudCamp_CHI

Sponsored by

Hosted by

Emcee

Margaret Walker Cohesive Networks

Tweet: @CloudCamp_Chi #cloudcamp


… sponsored by you!

William Knowles - Evident.io
Chuck Mackie - Maven Wave Partners
Chacko Kurian - Complete Health Systems, LC
Danai Samuriwo - tenniswithd
Charlie Havens - Global Tech & Resources
Jessica Hitch - Pariveda Solutions

Agenda

6:00 pm: Introductions

6:05 pm: Lightning Talks

The Internet of (Insecure) Things - Chandler Howell, Engineering Manager at Nexum @chandlerhowell
CPL MakerLab: Intriguing the General Public - Jorge Garcia, Maker Navigator for the CPL MakerLab @yorickgarcia
"Connecting Vehicles on Google Cloud Platform" - David Patterson, Senior Principal at Maven Wave Partners
IoT in Healthcare - Harold Clampitt, CEO & Founder at American RFID Solutions, LLC @haroldclampitt
"IoT Perspectives from the Trenches" - Steven Loving, Director of Business Development at Infobrite

7:00 pm: Unpanel

7:45 pm: Networking, drinks and pizza


"The Internet of (Insecure) Things"

Chandler Howell, Engineering Manager at Nexum

Tweet: @chandlerhowell #cloudcamp


The Internet of (Insecure) Things

Chandler Howell, June 2015

1. Smart is the New Dumb
2. When Worlds Collide
3. Failure Modes
4. A Parade of Horrors
5. So What Should I do Now?

SMART IS THE NEW DUMB
Ironic, really

Smart is the New Dumb

Smart, but Vulnerable
Security is not a priority of IoT (yet)

Focus is on:
Time to market
Features & Functionality

Focus is NOT on:
Security
Maintainability
Longevity

WHEN WORLDS COLLIDE
We ain’t seen nothing yet

When Worlds Collide

Lifecycles are mismatched

Technology lifecycles are very short
Devices go EOL in 3-5 years or less

Consumer lifecycles are longer
Refrigerators, coffee makers, etc. can last 10 years

Industrial Equipment may outlive you
Heavy Equipment can have service lives >50 years

FAILURE MODES
How can I fail thee? Let me count the ways…

Failure Modes

1. Get Broken

2. Get Leveraged

3. Get Exploited

Failure Modes

Get Broken
Damage or destroy the device or attached devices

For example…
Plant Control Systems
People with Pacemakers

Failure Modes

Get Leveraged
Compromised Device is used as a vector for other Badness

For Example…
Unlock a Smart Home
Join a botnet
Provide a beachhead for APT

Failure Modes

Get Exploited
The device can be used to spy on people, either directly or indirectly

Yes, even more examples…
Smart TVs
Data & MetaData Collection

A PARADE OF HORRORS
It’s spelled “IoT” but it’s pronounced “Fail”

A Parade of Horrors

Welcome to the Future

A Parade of Horrors

Consumer Goods

Refrigerators
Smart Fridges found in a botnet (2014)
25% of devices in that large botnet were IoT

Televisions & Electronics
Samsung “Smart TV” Spying
Numerous XSS, local exploits

Light Bulbs
LIFX “Smart” Bulbs authentication flaws
Disclosed credentials for attached wi-fi

A Parade of Horrors

Medical Devices
Surgical and anesthesia devices
Ventilators
Drug infusion pumps
Pacemakers
External defibrillators
Patient monitors
Laboratory and analysis equipment

Pretty much every type of failure you can imagine

A Parade of Horrors

Cars

Black Boxes
Data stolen or altered

Remote Lock/Unlock and starters
Key fobs and alarm protocols broken

ON*Star
Hacked & Abused by Law Enforcement

Braking & steering controls
Integration with entertainment/dash allowed access and compromise

A Parade of Horrors

Airplanes

Drones: Definitely

In-Flight Entertainment: Definitely

Passenger Flight Control: Maybe

A Parade of Horrors

Infrastructure

Traffic Lights
Plaintext wireless
Weak/No Authentication

Industrial Control Systems
2008: Turkish Gas Pipeline Destroyed
2010: Iranian Gas Centrifuges (Stuxnet)
2014: Steel Mill’s Blast Furnace ($17mm in damage)

Utility Meters
Weak Authentication
Inaccurate readings == Fraud (Tampered or otherwise)

SO WHAT SHOULD I DO?
Can I have a hint?

Fortunately, not this.

So what should I do?

So what should I do?

Realize these are not new problems
Insecure computers are nothing new

Think in terms of Failure Modes
Use these to understand your threats

Expect Novel attack types
Inference Attacks
Side-Channel Attacks

So what should I do?

Architect for Insecure Things
Assume devices are insecure by default
If not today, they will be some day

Leverage Security Tools & Processes
Defense-in-Depth
Threat Modeling
Incident Response

So what should I do?

Assess whether the Smart is worth the Risk

Don’t forget how to live without IoT

Think of it in Business Continuity Planning (BCP) or Disaster Recovery (DR) terms
Smart Devices are just another system to fail

Get Dumb Again

Like Power Over Ethernet (PoE) light bulbs…

THANK YOU!

Well, that was fun.

"Chicago Public Library MakerLab: Intriguing the General Public"

Jorge Garcia, Maker Navigator for the CPL MakerLab

Tweet: @yorickgarcia #cloudcamp


"Connecting Vehicles on Google Cloud Platform"

David Patterson, Senior Principal at Maven Wave Partners

Tweet: @CloudCamp_Chi #cloudcamp


Connected Bike on Google Cloud Platform

David Patterson - Senior Principal
david.patterson@mavenwave.com

Client Vision

Allow riders to “plug-in” their devices to receive information about their planned ride. Create a community to share ride experiences - popular rides, scenic roads, and POI’s

Motorcycle Manufacturer: Connected Bike POC

1

Bike Performance

Project Goals

1. Bike and location data collection
2. Location-based alerts
3. Scalable data collection
4. Post-ride services and analytics

Motorcycle Manufacturer: Connected Bike POC


Product Inspiration

Third-party aftermarket products

Other vehicle apps - e.g. Tesla

Competitive Advantage

● Tremendous brand loyalty

● Strong sense of community among customers

● Proprietary engine codes / engineering knowledge

Motorcycle Manufacturer: Connected Bike POC

Engine byte stream Onboard Location

Data Acquisition

LOCATION

ALERT

PRECIPITATION FORECAST

Alerts pushed to preferred rider and/or passenger devices

Motorcycle Manufacturer: Connected Bike POC

Google App Engine

Backend

Precipitation Alerts

Dashboards showing real-time positioning and engine metrics

Motorcycle Manufacturer: Connected Bike POC


Android: Native client application

App Engine: Fully managed application platform. Cost scales with application adoption

Datastore: Fully managed NoSQL data storage. Extremely scalable random I/O

BigQuery: Big Data Service to perform interactive analysis on massive amounts of data

Google Cloud Messaging: Guaranteed push notifications to mobile devices

Diagram layers: Clients & Frontends, Backend Services, Storage

Motorcycle Manufacturer: Connected Bike POC

Data Providers

Ride Data


Thank You

"IoT in Healthcare" Harold Clampitt, CEO & Founder at American RFID Solutions, LLC

Tweet: @haroldclampitt #cloudcamp


American RFID Solutions, LLC © 2015


• ‘things’ have an aperture and become active participants:
    in business
    in vacations
    in hobbies

• information and processes offer real time situation awareness

• interact and communicate:
    among themselves
    with the environment by exchanging data and information ‘sensed’ about the environment

• running processes:
    trigger actions
    create services
    autonomously with or without direct human intervention


"IoT Perspectives from the Trenches"

Steven Loving, Director of Business Development at Infobrite

Tweet: @Infobrite #cloudcamp


Internet of Things “Lightning” Talk

Cloud Camp Chicago

Steven Loving (IoT Chicago Meet-up)

2015

Value, Growth, Savings Driving Business and Consumer Benefits

Consumer

Safety. Protect home investments with affordable remote monitoring.

Savings. Save money by decreasing energy usage from home products.

Comfort. Maximize time with remote home product and appliance management.

Smart Service. Take advantage of remote diagnostic testing and advanced customer service programs.

Green. Reduce energy consumption and protect the environment.

Business

Diversify. Diversify revenue strategies and earn income from new sources.

New Markets. Engage current and high potential mobile customers.

Efficient Diagnostics. Save money with remote product diagnostic testing and monitoring.

Quality Customer Service. Provide best-in-class customer service with new product information and advice.

Brand Reputation. Build brand reputation for product innovation and leadership.

Industrial Automation

Smart Health

Smart Home

Smart City

“Things having identities and virtual personalities operating in smart spaces using intelligent interfaces to connect and communicate within social, environmental, and user contexts”

Devices, Products, Assets On-premise, In the field

M2M Enabled Devices

Device Platform

Application Platform

Smart Enterprise Infrastructure

Smart Product Development

Network

M2M Sensors Actuators

LAN, WIFI Cellular

M2M Gateway

WAN

Device Mgmt. Enablement Certification Provisioning Security Data Rules Alerts Real Time Analytics

Data Collection Application Integration Analytics Dashboards Data Models Application Dev. Application Sec. Enterprise Systems

1+N


Devices speak wirelessly to Home hub

Hub plugs into home router to access Internet

Cloud links devices, applications and analytics

Consumer controls Home from phone

Whirlpool 6th Sense

“20% of your day is used for meal / clothes mgmt”

IoT Use Cases:
• Home Automation
• Energy Savings

MSRP: Various (washer, dryer, dish, frig.)

Estimated Volume: 50,000+

Connectivity: Wi-Fi

Channels

Chamberlain MyQ

“Never worry if your garage door is open again”

IoT Use Cases:
• Awareness & Protection
• Home Automation

Product Use Cases
• Control your garage door and your house lights through your smart phone
• Get notified if your garage door opens or if you forgot to close your garage door
• Know if your garage door opened while you were away

MSRP: $129.99

Estimated Volume: 250,000+

Connectivity: Wi-Fi

Channels

A Connect Cloud Platform - Sample

AES 128 Encryption and key management from the device. SSL and two factor authentication for data transfer and storage in the cloud.

Normalize Data to your existing ERP, CRM and BI systems

Both backup & recovery and time series storage available using dedicated virtual machines running Cassandra DB

Android, iOS, and Windows Push notifications, SMS, and email

Real time weather and time of day energy pricing

SLA:
- 99.9% uptime
- Sub-second latency

Mobile app development platform to speed app development.

• Technology is Fragmented
    – Lack of Common Standards (fragmented)
    – Closed Systems

• Users are Concerned
    – Security / Privacy Challenges
    – Complexity

• Business Challenges

[Diagram labels: Actor; Cloud(s); Device; Devices / Data; Sensors; Interface; Systems, Products, Services; Other Service Users; Mac/PC; Smartphone; Smartphone Screen; Accelerometer; Products (1+N)]

Thank You


Un-panel Discussion

volunteer to join the panel & ask questions from the floor!


Unconference

Small groups & discussions, network

Pizza’s almost here!
