IoT is at the peak of the hype cycle - what they call the 'Peak of Inflated Expectations’. The complexity of the cybersecurity landscape is at an all-time high, with security researchers, vendors and even governments all trying to come to a consensus for making the cyber-world a safer place. In this world of lightning-fast development cycles, it may intuitively feel like security gets left behind. The battle over standards is always a struggle. The unresolved problem of software updates and short vendor support cycle combined with the lack of effort into security makes these devices an easy target. Companies not only need to update their technology stack for the evolving security landscape but also their mindset, processes and culture. This talk will shine a light on some of the challenges that today’s executives face in finding and fixing systemic problems in and outside of security through people, tools and understanding.

1. Gianluca Varisco, CISO Arduino
Paris Open Source Summit - 10/12/2019
The evolving (IoT) security
landscape
@gvarisco

2. TODAY FORMERLY
Who am I? @gvarisco

3. Enabling anyone
to innovate by
making complex
technologies
simple to use.

4. Developing secure and reliable IoT
applications can be hard

5. Hardware
Nodes (Devices, Sensors)
Constrained devices
Require C/C++ firmware skills
Effective Power Management
depends on Firmware
Gateways
Remote connections, SSH
Device management
Radio / Networks
Long range / Low Power
Source:
https://makezine.com/2017/06/27/state-boards-platforms-pro
ducts-purposes-current-crop-microcontrollers-vies-attention/

6. Cloud Software
Many different
languages, protocols,
libraries, security
standards, etc.

7. Data & persistence
Different data formats
make data manipulation
and interpretation
difficult

8. 8
The IoT Landscape is quite fragmented

9. 9
The IoT “Line of Insanity”™

10. We are drowning in technology.
We are not becoming more secure.

11. 11
− Not realizing to be potential targets
− Treating cybersecurity as an IT
problem
− Thinking threats are only external
rather than internal or accidental
− Thinking the cloud provider is in
charge of data/infra security (oh,
and backups!)
− Not using properly their e-mail
infrastructure, especially if managed
by 3rd parties
We are wasting billions to “defend
ourselves” from APTs. Buying
Next-Gen appliances. Following
predictions and hypes.
Don't be scared to go back to
basics with your cybersecurity
strategy.
Many of us are still making the same, old mistakes

12. 12
− PERVASIVENESS: You won’t have one IoT device, you’ll have ten.
− That’s a lot of new attack surface to your life and/or business
− UNIQUENESS: IoT devices are a wild-west of mixed technologies.
− How do I patch firmware on these dozen devices?
− Which random vendor made the HW inside the device?
So? What’s wrong in IoT?

13. 13
− ECOSYSTEM: Your vendor may be leveraging six other vendors
− Where’s your data going once it enters that IoT device?
− Who has access to your network via proxy connections?
So? What’s wrong in IoT?

14. 14
Why does it matter?

15. 15
IoT vs Web Stack

16. 16
IoT attack surface identification
Source: Security Innovation

17. 17
IoT: assessing the risks
Source: Security Innovation

18. 18
− Insufficient Security training
− Humans #1 weak point: building,
deploying, using
− Weak Physical Security
− Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended
device or data access
− Infrequent updates
− Firmware, device apps, admin apps/interfaces
− Expensive and/or remote IoT devices long lifespan (difficult to
update)
TOP 4 IoT Security Risks

19. 19
− Weak Data Protection
− Data at rest/transit uses weak encryption techniques
− Lack of dedicated security chips and modules to store sensitive data.
TOP 4 IoT Security Risks

20. 20
− Privacy
− PII leakage
− Mass surveillance
− Stalking
− Theft
− Data breaches
− Liability
− Reputation
− Botnets, e.g. Mirai, for mass hacking
End-user risks

21. IoT Security Excuses
(aka #YOLOSEC)

22. 22
− Vulnerabilities bypassing password protection:
− Memory corruption issues (Buffer Overflow, Format String, etc.)
− CSRF
− Backdoor accounts
− Lack of brute-force protection
I am safe, I changed all my passwords

23. 23
− Patches are often late by years
− Many IoT devices do not get a patch, ever
I am safe, I regularly patch all of my IoT devices

24. 24
− If your IoT device has an Internet routable IPv4(/v6) address, without
any firewall port filtering:
− Just prepare for apocalypse
− Seriously, don’t do that
− CCTV is OCTV today
Problems with direct IPv4(/v6) connection

25. 25
The IoT device is only available in a closed network

26. 26
The device is only exposed in my area (physically)

27. 27
− NAT is sneaky evil
− Users believe they are safe behind home router NAT
− Developers created ways to connect devices behind NAT, seamless
I am safe, home network, behind NAT

28. 28
Think again:
− UPNP
− IPv6
− Teredo (encapsulates IPv6 packets within UDP/IPv4 datagrams)
− Cloud
I am safe, home network, behind NAT

29. 29
Lateral movement

30. For the next 5-10 years, assume
your IoT device has horrible
security holes it won’t receive
patches for, ever.

31. Lack of visibility is in fact the main
precursor to security incidents.

32. Many of us don’t have IR capabilities.
They all immediately PANIC!
Organizations are still getting breached due to poor
key/credentials management, unpatched
applications and misconfigured services (eg. cloud
databases).

33. 33
− It’s very hard to report vulnerabilities
− Often vendors do not have a Coordinated
Vulnerability Disclosure (CVD) policy
− FTC and/or ENISA recommendations for customers’
safety are not always followed
− Just few of the EU member states do have a CVD
framework in place at national level
− CEPS’ report on «Software Vulnerability Disclosure
in Europe» aims at helping member states with the
technology, the policies and legal challenges
ahead.
Reporting vulnerabilities

34. 34
Mandatory Shodan slide
www.shodan.io

35. Our strategy

36. 36
The “PANINI” Concept:

37. 37

38. 38
WHAT ARDUINO PROVIDES
Sensors Data +
Device Interaction
Automatic
Code Generation
Arduino Hardware
Secure
Cloud Connection
Device Management
OTA Updates
Firmware Changes
Business Logic
Firmware Upload
Certificate or Password
Provisioning
Dashboards Third Parties IoT SaaS
Arduino IoT Cloud

39. 39
Security
Secure in every layer
Hardware
Software
Data

40. 40
Core to the future and success of IoT is the “security of things”
Device
Identity
Anti-tampering
Key
Management
Encrypted
Transport and
Data
Confidentiality

41. 41
SECURE ELEMENT

42. 42
Hardware Security
ATECC508A/ATECC608A Cryptographic Co-Processor from Microchip Technology
What we use it for?
– Secure Hardware-Based Key Storage
up to 16 keys, certificates or data
– Hardware Support for Asymmetric Sign, Verify, Key Agreement
ECDSA, ECDH, NIST P256 Elliptic Curve Support
– Internal high-quality FIPS Random Number Generator (RNG)

43. 43
Data encryption and secure authentication
– All traffic to/from Arduino IoT Cloud is encrypted using Transport Layer Security (TLS)
– Device authentication using X.509 certificates
– Initial support for JSON Web Tokens (ECDSA P-256 SHA-256) in ArduinoECCX08 library
– AES-128 (for LoRaWAN™), AES-CMAC for messages exchange, which includes encryption
and integrity.

44. THAT’S A WRAP,
THANK YOU!
Gianluca Varisco <g.varisco@arduino.cc>
@gvarisco