The Internet of Things and iOS: Don’t let your toaster bring down the internet!

Amazon Alexa, Google Home, HomeKit, and Cortana are more than personal assistants and seem to be the next big battle the big four will fight, but why is this so important to them? There are two components to those assistants: the first is integration with the personalized data gathered from the apps you use, and the second is their IoT capability for automating the devices in your home. With almost every manufacturing company hiring engineers like crazy to get their devices into the cloud, the results vary widely, from really bad to great solutions. This shows that we are in the Wild West when it comes to how cloud integrations, device security, and backend security are being implemented. That is why we, as pioneers of this technology, have to help shape the future by avoiding common pitfalls, securing private data responsibly, and not accidentally weaponizing our IoT creations. In this talk, I’m going to cover lessons learned from developing a major IoT platform that controls about a quarter million appliances in the US and Canada. We’re also going to look at the pitfalls we have overcome and at the nice-looking shortcuts you should avoid, no matter how small your iOS client or IoT device is.

Florian Harr

August 16, 2017
Transcript

  1. None
  2. iOS and IoT: Don’t let your toaster bring down the internet!
  3. Florian Harr @caffeineflo #1 - iOS and IoT | @caffeineflo | 360iDev 2017
  4-6. [Chart: US Population vs. World IoT Devices for 2017, 2020 and 2025, y-axis from 0 to 80,000,000,000. Sources: Gartner and US Census Bureau] #2-#4 - iOS and IoT | @caffeineflo | 360iDev 2017
  7. [Chart: timeline from 1500 to 2020 of USA and World population and IoT devices, y-axis from 0 to 30,000, marking Konrad Zuse’s Z1, the Xerox Alto, iPhone I and "IoT ?". Sources: Wikipedia] #5 - iOS and IoT | @caffeineflo | 360iDev 2017
  8. Konrad Zuse’s Z1 1936 - 1938 #6 - iOS and IoT | @caffeineflo | 360iDev 2017 Source: Wikimedia
  9. Xerox Alto 1973 #7 - iOS and IoT | @caffeineflo | 360iDev 2017 Source: Wikimedia
  10. iPhone 1 2007 #8 - iOS and IoT | @caffeineflo | 360iDev 2017 Source: Wikimedia
  11. Smart Toaster 2016 #9 - iOS and IoT | @caffeineflo | 360iDev 2017 Source: Griffin
  12. Smart Smart Toaster? 2020 #10 - iOS and IoT | @caffeineflo | 360iDev 2017
  13. #10 - iOS and IoT | @caffeineflo | 360iDev 2017
  14. None
  15-17. iOS Security IoT Security Data Security Source: Waldo Wikia
  18. #12 - iOS and IoT | @caffeineflo | 360iDev 2017
  19-21. #12 - iOS and IoT | @caffeineflo | 360iDev 2017 But Security Is Complex …
  22. iOS Client Security #13 - iOS Security | @caffeineflo | 360iDev 2017
  23-31. #14 - iOS Security | @caffeineflo | 360iDev 2017 • Xiaomi? • Foscam? • WeVibe? Images Source: iTunes, Wikipedia, WeVibe
  32-33. Nest #15 - iOS Security | @caffeineflo | 360iDev 2017
  34. Nest • 25 API Calls (7 Analytics related) • Drop to Legacy API when blocking calls • No local communication • OpenThread (OSS) communication protocol #16 - iOS Security | @caffeineflo | 360iDev 2017
  35-36. Ecobee #17 - iOS Security | @caffeineflo | 360iDev 2017
  37. Ecobee • 19 API Calls (4 Analytics related, all to the same host) • No local communication • Proprietary Communication Protocol #18 - iOS Security | @caffeineflo | 360iDev 2017
  38-39. Xiaomi #19 - iOS Security | @caffeineflo | 360iDev 2017
  40. Xiaomi • 34 API Calls (~50% contain analytics) • Data Blobs get uploaded • SW locks • Proprietary communication protocols #20 - iOS Security | @caffeineflo | 360iDev 2017
  41-43. Doing More With Less • "webServiceURL" : “…” missing • Re-Validation at the gate • Posted in 2013, not fixed as of Aug 10, 2017 #21 - iOS Security | @caffeineflo | 360iDev 2017
  44. • Transport Layer Protection (Certificate and Public Key Pinning) • iOS Keychain (not CoreData) for important data • Provide local discovery/communication • Do more with less (use provided APIs and technologies) • Set friendly defaults • OWASP iOS Developer Cheat Sheet • Check: https://github.com/caffeineflo/iOS-IoT-Resources/tree/master/iOS_Security #22 - iOS Security | @caffeineflo | 360iDev 2017
  45. IoT Device Security #23 - IoT Security | @caffeineflo | 360iDev 2017
  46-53. • Based on open standards (Zigbee, CoAP) • Local only hub (remote via 3rd-party) • Integrates with other systems • Works out of the box • Friendly defaults • Ikea Trådfri #24 - IoT Security | @caffeineflo | 360iDev 2017 Source: Wikimedia
  54. Coming Soon

  55. • BITAG IoT Security and Privacy Recommendations • Open Connectivity Foundation • Linux Foundation IoTivity • OWASP IoT Project • For real patriots: DHS IoT Principles (Caution) • Check: https://github.com/caffeineflo/iOS-IoT-Resources/tree/master/IoT_Security #25 - IoT Security | @caffeineflo | 360iDev 2017 [Report cover: "Internet of Things (IoT) Security and Privacy Recommendations", a Broadband Internet Technical Advisory Group Technical Working Group Report, A Uniform Agreement Report, Issued: November 2016]
  56. None
  57. Data Security #27 - Data Security | @caffeineflo | 360iDev 2017
  58-60. 110111111000010001110101100000000 7.500.000.000 2^33 #28 - Data Security | @caffeineflo | 360iDev 2017
  61-64. #29 - Data Security | @caffeineflo | 360iDev 2017 Source: AndroidCentral Source: AshleyMadison Source: Twitter
  65. • Keep transferred data to a minimum • Properly lock and encrypt data • Scheduled maintenance • Disclose data breaches • Think like a hacker • Authentication Should Be More Than a (Global) Binary State • Check: https://github.com/caffeineflo/iOS-IoT-Resources/tree/master/Data_Security #30 - Data Security | @caffeineflo | 360iDev 2017
  66. None
  67. Think Like A Hacker: Find weak spots in your application #32 - Extro | @caffeineflo | 360iDev 2017
  68. Know Industry Standards And State of The Technology: Keep yourself informed. Contribute and use https://github.com/caffeineflo/iOS-IoT-Resources #33 - Extro | @caffeineflo | 360iDev 2017
  69. It’s A Wild Wild West: Learn from mistakes of others. Adopt risk assessment techniques like FMEA #34 - Extro | @caffeineflo | 360iDev 2017
  70. Take Responsibility For The Whole Lifecycle: Security Patches, Regular Maintenance, Monitoring #35 - Extro | @caffeineflo | 360iDev 2017
  71. Trust No One: Keep encryption on all environments and on all data #36 - Extro | @caffeineflo | 360iDev 2017
  72. Lessons Learned 1. Lead Only With Research 2. Future Proof Software and Hardware 3. Do the legwork upfront (Technology Stack, FMEA) 4. Follow Standards and update along the way 5. Choose the right tooling and platform 6. Have a backup plan for offline situations 7. Lab != Production #37 - Extro | @caffeineflo | 360iDev 2017
  73. Talk-Resources • https://github.com/caffeineflo/iOS-IoT-Resources • OWASP • The Internet of Things is Going to Destroy Us All • Mobile Security Testing Guide • Drawings were made for this talk by @maxaro #38 - Extro | @caffeineflo | 360iDev 2017
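The iOS Security checklist on slide 44 (#22) recommends transport layer protection through certificate and public key pinning for the app's traffic to the IoT backend. As an added illustration that is not from the talk or the speaker's resource repository, the following URLSession delegate accepts a TLS connection only when the system's trust evaluation passes and the server's leaf public key matches a pinned SHA-256 digest; the class name, the placeholder pin value and the choice to hash the output of SecKeyCopyExternalRepresentation (rather than an HPKP-style SPKI hash) are assumptions of this example.

```swift
import Foundation
import Security
import CryptoKit

/// URLSession delegate that only accepts TLS connections whose leaf
/// certificate carries one of the pinned public keys (example code, not
/// from the talk). Assumption: pins are SHA-256 digests of the key bytes
/// returned by SecKeyCopyExternalRepresentation, so they must be generated
/// the same way; they are not HPKP-style SPKI digests.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedKeyHashes: Set<Data>

    init(pinnedKeyHashes: Set<Data>) {
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are pinned; anything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: the normal chain validation (expiry, hostname, trusted root) must still pass.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: additionally require that the leaf's public key is one we pinned.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let digest = Data(SHA256.hash(data: keyData))
        if pinnedKeyHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Pin mismatch: fail closed rather than fall back to unpinned TLS.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: the pin below is a placeholder; compute the real digest from your backend's key.
let placeholderPin = Data(repeating: 0, count: 32)
let session = URLSession(configuration: .ephemeral,
                         delegate: PinnedSessionDelegate(pinnedKeyHashes: [placeholderPin]),
                         delegateQueue: nil)
```

Ship a second pin for the next key you intend to deploy, so that rotating the backend key does not lock every installed client out of the service.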