IoT Threats Seven Layers IoT Use Cases · 5 France 6 Italy 7 Canada 8 Norway 9 UK 10Bulgaria Top 50...


Page 3:

IoT Threats

IoT Use Cases

Seven Layers of IoT Security

Summary

Page 5:

2017: 8.4B devices (Gartner)

2020: 20.4B devices (Gartner)

*Excludes smartphones, tablets, and computers

Page 6:

2017: 8.4B devices (Gartner)

2020: 28.1B devices (IDC)

*Excludes smartphones, tablets, and computers

Page 7:

2017: 8.4B devices (Gartner)

2035: 1T devices (SoftBank)

*Excludes smartphones, tablets, and computers

Page 9:

Source: Infonetics Research

Source: Gartner

Page 10:

1.

Scan for telnet and/or known vulnerabilities

Brute force, stuff creds, or exploit vulnerabilities

Same admin creds across all devices

2.

Install malware

Auto build thingbot

3.

• DDoS
• Banking trojans
• PDoS, physical
• Mine cryptocurrency
• MiTM, data theft
• Darknet/s
• Tor networks
• Click, ad fraud
• Political hacking
• Cyber warfare
• Spy, surveillance
• Credential stuffing
• DNS redirect
• Ransomware
• Spam relay

Page 11:

Top 10 Attacking Countries

• China: 44%
• US: 6%
• Russia: 6%
• France: 4%
• Brazil: 3%
• Ukraine: 3%
• India: 2%
• Vietnam: 2%
• Japan: 1%
• Argentina: 1%

Top 10 Attack Destination Countries

1 Spain
2 Hungary
3 US
4 Singapore
5 France
6 Italy
7 Canada
8 Norway
9 UK
10 Bulgaria

Top 50 Attacking IPs

• 36 of 50 in China
• 66% of IPs have been consistently attacking for 2 years
• Compromised IoT devices do not get cleaned up

Industries of Top 50 Attacking IPs

• Telco/ISP: 84%
• Hosting: 14%
• Manufacturing: 2%

Source: F5 Labs Threat Analysis Report "The Hunt for IoT", March 2018

Page 12:

[Chart: Mirai DDoS attacks and prior world record. Spamhaus: 400, Brian Krebs: 600, OVH: 990, Dyn: 1200]

Page 14:

Connected devices

Broker

Traffic

IoT platform

Devices Internet Proxy Application

Page 15:

Traffic

SSL everywhere, avoid man in the middle

Connected devices

IoT platform

SSL offload

Broker

Page 16:

2. Revocation

© 2018 F5 Networks 20

SSL offload

Traffic

Cert-based authentication

Manage certificates – Good / bad / expired / compromised devices

Connected devices

IoT platform

Broker

Page 17:

Car / Sensor / Brake / Temperature

Topic

Enforce – Device topics and quality of service

Field Name       Value Selection
Type             Standard
Service port     Either type or select MQTT service port
Configuration    Advanced
Protocol         TCP
MQTT             Click to enable MQTT

Page 18:

SSL tunnels

MQTT brokers

Traffic

IoT App Azure

IoT App AWS

IoT App Data Center

SSL offload

Traffic steering based on content

Traffic steering to cloud, on-premises, hybrid, multi-cloud

Connected devices

Data center / Private cloud

Page 19:

SSL

Broker

TLS CERTIFICATE SUBJECT ID

Traffic

Cert-based authentication

Do not rely on passwords: Use common name from the certificate in the headers to authenticate to the backend IoT application

IoT platform

Connected devices
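
The two controls on these slides, enforcing device topics and quality of service, and identifying a device by its certificate common name rather than a password, can be combined into one check. This is an added example, not F5 or iRules code from the deck: it assumes the TLS-terminating proxy passes the verified common name in as `cert_cn`, and the `POLICY` table, device names and topic layout are constructed.

```python
def decode_remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' field (1 to 4 bytes)."""
    value = 0
    for i in range(4):
        if pos + i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("remaining length longer than 4 bytes")

def parse_publish(packet):
    """Return (topic, qos) from an MQTT 3.1.1 PUBLISH packet."""
    if len(packet) < 2 or packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    if qos == 3:
        raise ValueError("QoS 3 is reserved")
    length, pos = decode_remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated packet")
    tlen = int.from_bytes(body[:2], "big")
    if 2 + tlen > length:
        raise ValueError("topic length exceeds packet")
    topic = body[2:2 + tlen].decode("utf-8")
    if "+" in topic or "#" in topic:
        raise ValueError("wildcards are not valid in PUBLISH topics")
    return topic, qos

# Constructed policy: device class (CN text before the first "-") -> topic root, max QoS.
POLICY = {"car": ("car/", 1), "sensor": ("sensor/", 0)}

def authorize_publish(cert_cn, packet):
    """Allow a PUBLISH only under <root><cert_cn>/ and at or below the class's max QoS."""
    try:
        topic, qos = parse_publish(packet)
    except ValueError:  # also covers UnicodeDecodeError from a malformed topic
        return False
    root, max_qos = POLICY.get(cert_cn.split("-", 1)[0], (None, -1))
    return root is not None and topic.startswith(f"{root}{cert_cn}/") and qos <= max_qos

def build_publish(topic, payload, qos=0):
    """Build a small sample PUBLISH packet (body under 128 bytes) for the demo."""
    t = topic.encode("utf-8")
    body = len(t).to_bytes(2, "big") + t + (b"\x00\x01" if qos else b"") + payload
    return bytes([0x30 | (qos << 1), len(body)]) + body
```

Malformed, truncated or non-PUBLISH packets are denied instead of raising, so the check fails closed.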

Page 20:

SSL tunnels

MQTT brokers

Traffic

Partition 2

Partition 1

Partition 3

SSL offload

Secure zones based on things attributes

Agility to create different security zones, per group of devices or types of devices

Data center / Private cloud

Connected devices

Page 21:

IoT application

App: MQTT, CoAP, XMPP, AMQP

Session: SSL/TLS/DTLS

Transport: TCP/UDP

Network: IPv4, IPv6

Web application

Application: HTTP, DNS

Session: SSL/TLS/DTLS

Transport: TCP/UDP

Network: IPv4, IPv6

Page 22:

Protocols: MQTT, CoAP, AMQP, XMPP, HTTP, HTTP 2.0, WebSkt, LWM2M

Verticals:

• Manufacturing: Factories, Mining
• Utilities: Energy
• Smart spaces: Home, Building, City
• Transportation: Cars, Public transit
• Platform providers: Cloud, Service, Integration

MQTT ‒ Message Queuing Telemetry Transport
CoAP ‒ Constrained Application Protocol
XMPP ‒ Extensible Messaging and Presence Protocol
AMQP ‒ Advanced Message Queuing Protocol

Page 23:

1.2.3.4.5.6.7.

... all of this makes up an IoT Firewall for your IoT applications and services

Page 25:

Connected cars

3rd party app

MQTT/TLS

HTTPS

Enterprise apps in data center

MQTT + iRules

ADC, Security, Traffic Management

MQTT broker & Enterprise Service Bus

Machine to Machine

HTTPS

3M to 8M vehicles

AMQP

MQTT

REST

JMS

Human to Machine Interface

Page 26:

Connected box

MQTT/Websockets

MQTT client

Enterprise apps in data center

MQTT + iRules

ADC, Security, Traffic Management

X.509 certs installed

5M-10M set-top boxes

MQTT

Extract JWT token from MQTT message for authentication

HMAC

MQTT client

MQTT broker & client

Page 27:

Power meters

Tiered data center

ADC, Security, Traffic Management

CoAP

IPv6 CoAP (UDP)

• Power meter on mesh
• 2G/3G CDMA
• Private network

Page 28:

Vacuum cleaners

90% MQTT

Robot vacuum cleaner

AWS brokers

MQTT + iRules

ADC, Security, Traffic Management

In-house WiFi

MQTT

Updates

10% HTTP
