Save 37% off PRO during our Black Friday Sale! »

MobileEra 2017: The Internet of Things and iOS: Don’t let your toaster bring down the internet!

MobileEra 2017: The Internet of Things and iOS: Don’t let your toaster bring down the internet!

Amazon Alexa, Google Home, HomeKit, and Cortana are more than personal assistants and seem to be the next big battle the big four will go into, but why is this so important to them? There are two components to those assistants; the first is integration with your personalized data that gathered from the apps you use and the second is their IoT capability automating your devices at home. With almost every manufacturing company hiring engineers like crazy to get their devices into the cloud, the results are very different ranging from really bad to great solutions. This behavior shows that we are in the Wild West when it comes to how cloud integrations, device security, and backend security is being implemented. That is why we as pioneers of this technology have to help shape the future by avoiding common pitfalls, secure private data responsibly and don’t end up accidentally weaponizing our IoT creations. In this talk, I’m going to talk about lessons learned from developing a major IoT platform that controls about a quarter million appliances in the US and Canada. We’re also going to take a look at pitfalls we have overcome and which possibly nice looking shortcuts you should avoid no matter how small your iOS client or IoT device is.

Fe1782174fa3f0a2d07011df414a1267?s=128

Florian Harr

October 05, 2017
Tweet

Transcript

  1. None
  2. iOS and IoT: Don’t let your toaster bring down the

    internet! https://github.com/caffeineflo/iOS-IoT-Resources
  3. Florian Harr @caffeineflo #1 - iOS and IoT | @caffeineflo

    | MobileEra 2017
  4. 0 2,250,000,000 4,500,000,000 6,750,000,000 9,000,000,000 2017 US Population World IoT

    Devices Sources: Gartner and US Census Bureau #2 - iOS and IoT | @caffeineflo | MobileEra 2017
  5. 0 2,250,000,000 4,500,000,000 6,750,000,000 9,000,000,000 2017 Norway World IoT Devices

    Sources: Wikipedia and US Census Bureau #2 - iOS and IoT | @caffeineflo | MobileEra 2017
  6. 0 7,500,000,000 15,000,000,000 22,500,000,000 30,000,000,000 2017 2020 US Population World

    IoT Devices US Population World IoT Devices Sources: Gartner and US Census Bureau #3 - iOS and IoT | @caffeineflo | MobileEra 2017
  7. 0 20,000,000,000 40,000,000,000 60,000,000,000 80,000,000,000 2017 2020 2025 US Population

    World IoT Devices US Population World IoT Devices US Population World IoT Devices Sources: Gartner and US Census Bureau #4 - iOS and IoT | @caffeineflo | MobileEra 2017
  8. #4 - iOS and IoT | @caffeineflo | MobileEra 2017

    30-50
 devices 62 000 000 000
 Devices ~7 500 000 000 
 ppl
  9. 0 7500 15000 22500 30000 1500 1600 1700 1800 1850

    1900 1950 1999 2008 2010 2012 2016 2017 2018 2020 USA World IoT Z1 iPhone I IoT ? Sources: Wikipedia #5 - iOS and IoT | @caffeineflo | MobileEra 2017 Xerox Alto Population/ Devices Year
  10. Konrad Zuse’s Z1 1936 - 1938 #6 - iOS and

    IoT | @caffeineflo | MobileEra 2017 Source: Wikimedia
  11. Xerox Alto 1973 #7 - iOS and IoT | @caffeineflo

    | MobileEra 2017 Source: Wikimedia
  12. iPhone 1 2007 #8 - iOS and IoT | @caffeineflo

    | MobileEra 2017 Source: Wikimedia
  13. Smart Toaster 2016 #9 - iOS and IoT | @caffeineflo

    | MobileEra 2017 Source: Griffin
  14. Smart Smart Toaster? 2020 #10 - iOS and IoT |

    @caffeineflo | MobileEra 2017
  15. #10 - iOS and IoT | @caffeineflo | MobileEra 2017

  16. iOS Security IoT Security Data Security Source: Wikimedia

  17. #12 - iOS and IoT | @caffeineflo | MobileEra 2017

    But Security Is Complex …
  18. (iOS) Client Security #13 - iOS Security | @caffeineflo |

    MobileEra 2017
  19. #14 - iOS Security | @caffeineflo | MobileEra 2017 •

    Xiaomi? • Foscam? • WeVibe? Images Source: iTunes, Wikipedia, WeVibe
  20. Nest #15 - iOS Security | @caffeineflo | MobileEra 2017

  21. Nest • 25 API Calls (7 Analytics related, 5 different

    Hosts) • Drop to Legacy API • No local communication • OpenThread (OSS) communication protocol #16 - iOS Security | @caffeineflo | MobileEra 2017
  22. Ecobee #17 - iOS Security | @caffeineflo | MobileEra 2017

  23. Ecobee • 19 API Calls (4 Analytics related, 2 Hosts)

    • No local communication • Proprietary Communication Protocol #18 - iOS Security | @caffeineflo | MobileEra 2017
  24. Xiaomi #19 - iOS Security | @caffeineflo | MobileEra 2017

  25. Xiaomi • 34 API Calls (~50% contains analytics) • Data

    Blobs get uploaded • SW locks • Proprietary communication protocols #20 - iOS Security | @caffeineflo | MobileEra 2017
  26. Doing More With Less • "webServiceURL" : “…” missing •

    Re-Validation at the gate • Posted in 2013, not fixed as of Oct 5, 2017 #21 - iOS Security | @caffeineflo | MobileEra 2017
  27. • Transport Layer Protection (Certificate and Public Key Pinning) •

    iOS Keychain (not CoreData) for important data • Provide local discovery/communication • Do more with less (use provided APIs and technologies) • Set friendly defaults • OWASP iOS Developer Cheat Sheet • Check: https://github.com/caffeineflo/iOS-IoT-Resources/tree/master/ iOS_Security #22 - iOS Security | @caffeineflo | MobileEra 2017
  28. IoT Device Security #23 - IoT Security | @caffeineflo |

    MobileEra 2017
  29. • Based on open standards (Zigbee, CoAP) • Local only

    hub (remote via 3rd-party) • Integrates with other systems • Works out of the box • Friendly defaults • Ikea Trådfri #24 - IoT Security | @caffeineflo | MobileEra 2017 Source: Wikimedia
  30. Coming Soon

  31. • BITAG IoT Security and Privacy Recommendations • Open Connectivity

    Foundation • Linux Foundation IoTivity • OWASP IoT Project • Check: https://github.com/caffeineflo/iOS-IoT- Resources/tree/master/IoT_Security #25 - IoT Security | @caffeineflo | MobileEra 2017 Internet of Things (IoT) Security and Privacy Recommendations A BROADBAND INTERNET TECHNICAL ADVISORY GROUP TECHNICAL WORKING GROUP REPORT A Uniform Agreement Report Issued: November 2016
  32. None
  33. Data Security #27 - Data Security | @caffeineflo | MobileEra

    2017
  34. 110111111000010001110101100000000 7.500.000.000 233 #28 - Data Security | @caffeineflo |

    MobileEra 2017
  35. #29 - Data Security | @caffeineflo | MobileEra 2017 Source:

    AndroidCentral Source: AshleyMadison Source: Twitter
  36. • Keep transferred data to a minimum • Properly lock

    and encrypt data • Scheduled maintenance • Disclose data breaches • Think like a hacker • Authentication Should be More Than a (Global) Binary State • Check: https://github.com/caffeineflo/iOS-IoT-Resources/tree/master/ Data_Security #30 - Data Security | @caffeineflo | MobileEra 2017
  37. None
  38. Think Like A Hacker Find weak spots in your application

    #32 - Extro | @caffeineflo | MobileEra 2017
  39. Know Industry Standards And State of The Technology Keep yourself

    informed. Contribute and use https://github.com/caffeineflo/iOS-IoT-Resources #33 - Extro | @caffeineflo | MobileEra 2017
  40. It’s A Wild Wild West Learn from mistakes of others

    Adopt risk assessment techniques like FMEA #34 - Extro | @caffeineflo | MobileEra 2017
  41. Take Responsibility For The Whole Lifecycle Security Patches, Regular Maintenance,

    Monitoring #35 - Extro | @caffeineflo | MobileEra 2017
  42. Trust No One Keep encryption on all environments and on

    all data #36 - Extro | @caffeineflo | MobileEra 2017
  43. Lessons Learned 1. Lead Only With Research 2. Future Proof

    Software and Hardware 3. Do the legwork upfront (Technology Stack, FMEA) 4. Follow Standards and update along the way 5. Choose the right tooling and platform 6. Have a backup plan for offline situations 7. Lab != Production #37 - Extro | @caffeineflo | MobileEra 2017
  44. Talk-Resources • https://github.com/caffeineflo/iOS-IoT-Resources • OWASP • The Internet of Things

    is Going to Destroy Us All • Mobile Security Testing Guide • Drawings were made for this talk by @maxaro #38 - Extro | @caffeineflo | MobileEra 2017