The role of IPv6 in securing IoT System

2017.ipv6event.vn/sites/default/files/FPT-IPv6 and IoT...

Post on 25-May-2020

Next-gen advanced threat detection system

The role of IPv6 in securing IoT System

#1. Security – a big challenge for IoT

From user perspective: Which one would you choose?

Safer: + 1$

[Cyber] safer: + 20$

From user perspective: Which one would you choose?

Protocols & Standards: easy setup, wearable, wireless

Safer: + 1$

IoT - Wireless - Security ?

Hacker and DDoS... by IoT devices

20 -> 50 billion IoT devices by 2020

IoT Security is difficult

Technical and Cost challenges for Vendors

User's willingness to pay

IoT and Security

How to secure the IoT world?

#2. IoT Security Risks

IoT and Security

Device Firmware

Device Memory

Mobile Apps

Device Interfaces

Local Data Storage

Network Traffic

Vendor Backend API

3rd party Backend API

Update mechanism

Cloud web interface

And many things.....

OTA

Read/write device by wireless

• Many standards
• Many connections
• No IP (BLE, Zigbee, Z-wave, RF)
• No Security Standard

IoT Problems

IoT and Security

Gartner

#3. How IPv6 helps security for IoT

• Remote Gateway BLE, Zigbee, Z-wave
• Other brand, protocol can interface: Think talk think

Simple with IPv6

IPv6

• Reconnaissance Attacks
• Denial of Service Attacks
• Man-in-the-middle Attacks
• ARP poisoning Attacks
• DDoS
• Malware Attacks

IPv4 Problems

• Mandatory use of IPSec
• AH (Authentication Header)
• ESP (Encapsulating Security Payload)

IPv6 Enhancement for Security

• Large Addressing Space
• Allocating 64 bits for addressing (as expected in an IPv6 subnet) means performing a net scan of 2^64 (18446744073709551616) hosts. It is practically impossible.

IPv6 Enhancement for Security

• Neighbor Discovery
• Both ND and address auto-configuration contribute to make IPv6 more secure than its predecessor.

IPv6 Enhancement for Security

• Reconnaissance Attacks => Better
• Denial of Service Attacks => Better
• Man-in-the-middle Attacks => Better
• ARP poisoning Attacks => Better
• Malware Attacks => Better

IPv6 Enhancement for IoT Security

IPv6 Enhancement for IoT Security

| Edge Technology Aspect | Vulnerability Areas | Remediation Options |
|---|---|---|
| Network: Wired and Wireless | Large attack surface; Flat networks and unauthenticated network access; Missing security | Connectivity inventory; Secure protocols; Network zoning; Device authentication |
| Network: Internet and Other Public Connectivity | Missing security; Legacy protocol support; Unsecure inbound connections | Secure protocols; Inbound access control |
| Devices: Hardware/Software | Physical and logical tampering; Software reverse engineering | Secure software development; Software hardening; Hardware tamper-proofing |
| Devices: Capability Constraints | Limited cryptographic options; Limited active security options | Passive security; Low-power security techniques; Use of more-powerful edge devices, such as gateways |
| Devices: "Non-IT" Technology | Lack of applicable IT security capabilities, technologies and practices | Combined cybersecurity and engineering practices; Adapted security patterns and technologies |
| Devices: COTS Components | Vulnerable common components | Secure software development; Secure updates |
| Devices: Software Updates | Lack of secure software update functions; Lack of updatability | Verified update connectivity; Verified update packages |
| Devices: Actuator Hardware | Safety implications; Lack of manual user controls | Use of hardware-based safety controls; Use of manual (backup) controls |

IPv6 Enhancement for IoT Security

| Platform Technology Aspect | Vulnerability Areas | Remediation Options |
|---|---|---|
| Network: Edge and Enterprise Communications | Lack of built-in protocol security; Legacy protocol support | Secure protocols and secure protocol configuration; Use of TLS or DTLS as a default option; Use of standardized protocols, such as HTTP and MQTT |
| Network: Internet and Other Public Networks | DoS attacks; API abuse | Network-based API security measures; Client authentication |
| Software: Privileged User Access and Data Security | Loss of security through risk aggregation | Scope limits for privileged users; Privileged user monitoring; Strong authentication; Secure platform component configuration |
| Software: Security Capabilities | Lack of security capabilities, such as security monitoring and security management | Using available platform capabilities; Extending platform software capabilities to powerful edge devices |

#4. Conclusion

• Security is a big challenge for IoT
• IPv4 has some security problems
• IPv6 with enhanced features can help IoT

Q&A!