How (not) to trust your IoT device
As security consultants, we get the unique opportunity to gain an in-depth view into many different industrial IoT environments. From the small local power plant to the large-scale international mobility service provider, one issue seems to be always bigger than initially expected: How can I trust my devices?
IoT devices in consumer and industrial environments can hardly be successfully protected against physical access by attackers in the long run, so that the trust problem comes to the foreground.
The challenge is not only to trust data received from a device, but also to not have intellectual property (IP) or other confidential data sent to the device stolen.
In the presentation we show typical missteps and challenges for each layer of an IoT environment, which we often find in our security audits, and provide possible solutions.
- Trust towards OEMs, the supply chain and partners
- Creating a core root of trust on the device
- How components such as TPM chips, ARM Trust Zones and Intel SGX can and can't help
- Common pitfalls in the protection of the device against physical attacks
- Explaining typical issues such as how to trust the time on the device
- How to extend the trust into the IoT cloud and from there into the company’s ERP, device management and data analytics tools
- Revoking trusts
We illustrate ways to create a chain of trust from within the device up to the data analytics and device management services while dealing with real-world conditions such as limited resources.
Safety & Security