Upgrade to Pro — share decks privately, control downloads, hide ads and more …

MobileEra 2017: The Internet of Things and iOS:...

MobileEra 2017: The Internet of Things and iOS: Don’t let your toaster bring down the internet!

Amazon Alexa, Google Home, HomeKit, and Cortana are more than personal assistants and seem to be the next big battle the big four will go into, but why is this so important to them? There are two components to those assistants; the first is integration with your personalized data that gathered from the apps you use and the second is their IoT capability automating your devices at home. With almost every manufacturing company hiring engineers like crazy to get their devices into the cloud, the results are very different ranging from really bad to great solutions. This behavior shows that we are in the Wild West when it comes to how cloud integrations, device security, and backend security is being implemented. That is why we as pioneers of this technology have to help shape the future by avoiding common pitfalls, secure private data responsibly and don’t end up accidentally weaponizing our IoT creations. In this talk, I’m going to talk about lessons learned from developing a major IoT platform that controls about a quarter million appliances in the US and Canada. We’re also going to take a look at pitfalls we have overcome and which possibly nice looking shortcuts you should avoid no matter how small your iOS client or IoT device is.

Florian Harr

October 05, 2017
Tweet

More Decks by Florian Harr

Other Decks in Programming

Transcript

  1. iOS and IoT: Don’t let your toaster bring down the

    internet! https://github.com/caffeineflo/iOS-IoT-Resources
  2. 0 2,250,000,000 4,500,000,000 6,750,000,000 9,000,000,000 2017 US Population World IoT

    Devices Sources: Gartner and US Census Bureau #2 - iOS and IoT | @caffeineflo | MobileEra 2017
  3. 0 2,250,000,000 4,500,000,000 6,750,000,000 9,000,000,000 2017 Norway World IoT Devices

    Sources: Wikipedia and US Census Bureau #2 - iOS and IoT | @caffeineflo | MobileEra 2017
  4. 0 7,500,000,000 15,000,000,000 22,500,000,000 30,000,000,000 2017 2020 US Population World

    IoT Devices US Population World IoT Devices Sources: Gartner and US Census Bureau #3 - iOS and IoT | @caffeineflo | MobileEra 2017
  5. 0 20,000,000,000 40,000,000,000 60,000,000,000 80,000,000,000 2017 2020 2025 US Population

    World IoT Devices US Population World IoT Devices US Population World IoT Devices Sources: Gartner and US Census Bureau #4 - iOS and IoT | @caffeineflo | MobileEra 2017
  6. #4 - iOS and IoT | @caffeineflo | MobileEra 2017

    30-50
 devices 62 000 000 000
 Devices ~7 500 000 000 
 ppl
  7. 0 7500 15000 22500 30000 1500 1600 1700 1800 1850

    1900 1950 1999 2008 2010 2012 2016 2017 2018 2020 USA World IoT Z1 iPhone I IoT ? Sources: Wikipedia #5 - iOS and IoT | @caffeineflo | MobileEra 2017 Xerox Alto Population/ Devices Year
  8. Konrad Zuse’s Z1 1936 - 1938 #6 - iOS and

    IoT | @caffeineflo | MobileEra 2017 Source: Wikimedia
  9. Xerox Alto 1973 #7 - iOS and IoT | @caffeineflo

    | MobileEra 2017 Source: Wikimedia
  10. iPhone 1 2007 #8 - iOS and IoT | @caffeineflo

    | MobileEra 2017 Source: Wikimedia
  11. Smart Toaster 2016 #9 - iOS and IoT | @caffeineflo

    | MobileEra 2017 Source: Griffin
  12. Smart Smart Toaster? 2020 #10 - iOS and IoT |

    @caffeineflo | MobileEra 2017
  13. #14 - iOS Security | @caffeineflo | MobileEra 2017 •

    Xiaomi? • Foscam? • WeVibe? Images Source: iTunes, Wikipedia, WeVibe
  14. Nest • 25 API Calls (7 Analytics related, 5 different

    Hosts) • Drop to Legacy API • No local communication • OpenThread (OSS) communication protocol #16 - iOS Security | @caffeineflo | MobileEra 2017
  15. Ecobee • 19 API Calls (4 Analytics related, 2 Hosts)

    • No local communication • Proprietary Communication Protocol #18 - iOS Security | @caffeineflo | MobileEra 2017
  16. Xiaomi • 34 API Calls (~50% contains analytics) • Data

    Blobs get uploaded • SW locks • Proprietary communication protocols #20 - iOS Security | @caffeineflo | MobileEra 2017
  17. Doing More With Less • "webServiceURL" : “…” missing •

    Re-Validation at the gate • Posted in 2013, not fixed as of Oct 5, 2017 #21 - iOS Security | @caffeineflo | MobileEra 2017
  18. • Transport Layer Protection (Certificate and Public Key Pinning) •

    iOS Keychain (not CoreData) for important data • Provide local discovery/communication • Do more with less (use provided APIs and technologies) • Set friendly defaults • OWASP iOS Developer Cheat Sheet • Check: https://github.com/caffeineflo/iOS-IoT-Resources/tree/master/ iOS_Security #22 - iOS Security | @caffeineflo | MobileEra 2017
  19. • Based on open standards (Zigbee, CoAP) • Local only

    hub (remote via 3rd-party) • Integrates with other systems • Works out of the box • Friendly defaults • Ikea Trådfri #24 - IoT Security | @caffeineflo | MobileEra 2017 Source: Wikimedia
  20. • BITAG IoT Security and Privacy Recommendations • Open Connectivity

    Foundation • Linux Foundation IoTivity • OWASP IoT Project • Check: https://github.com/caffeineflo/iOS-IoT- Resources/tree/master/IoT_Security #25 - IoT Security | @caffeineflo | MobileEra 2017 Internet of Things (IoT) Security and Privacy Recommendations A BROADBAND INTERNET TECHNICAL ADVISORY GROUP TECHNICAL WORKING GROUP REPORT A Uniform Agreement Report Issued: November 2016
  21. #29 - Data Security | @caffeineflo | MobileEra 2017 Source:

    AndroidCentral Source: AshleyMadison Source: Twitter
  22. • Keep transferred data to a minimum • Properly lock

    and encrypt data • Scheduled maintenance • Disclose data breaches • Think like a hacker • Authentication Should be More Than a (Global) Binary State • Check: https://github.com/caffeineflo/iOS-IoT-Resources/tree/master/ Data_Security #30 - Data Security | @caffeineflo | MobileEra 2017
  23. Think Like A Hacker Find weak spots in your application

    #32 - Extro | @caffeineflo | MobileEra 2017
  24. Know Industry Standards And State of The Technology Keep yourself

    informed. Contribute and use https://github.com/caffeineflo/iOS-IoT-Resources #33 - Extro | @caffeineflo | MobileEra 2017
  25. It’s A Wild Wild West Learn from mistakes of others

    Adopt risk assessment techniques like FMEA #34 - Extro | @caffeineflo | MobileEra 2017
  26. Take Responsibility For The Whole Lifecycle Security Patches, Regular Maintenance,

    Monitoring #35 - Extro | @caffeineflo | MobileEra 2017
  27. Trust No One Keep encryption on all environments and on

    all data #36 - Extro | @caffeineflo | MobileEra 2017
  28. Lessons Learned 1. Lead Only With Research 2. Future Proof

    Software and Hardware 3. Do the legwork upfront (Technology Stack, FMEA) 4. Follow Standards and update along the way 5. Choose the right tooling and platform 6. Have a backup plan for offline situations 7. Lab != Production #37 - Extro | @caffeineflo | MobileEra 2017
  29. Talk-Resources • https://github.com/caffeineflo/iOS-IoT-Resources • OWASP • The Internet of Things

    is Going to Destroy Us All • Mobile Security Testing Guide • Drawings were made for this talk by @maxaro #38 - Extro | @caffeineflo | MobileEra 2017