IoT Cooperation Strategy November 2016

Change of Security’s Paradigm “Traditional security method in IT environment is not effective anymore. So, device security and internalized-security technology are needed. Application Security PC/Server Network Traditional IT Security IoT Device Security [Solution by Sec Hardware/OS] Security Solution Added Device Secu. → Internalized Secu.

Problems of IoT Device Security “Device Security needed, But hard to React because of following problems” Limited processing power & memory Difficulty in installation & execution of security solution Easy physical access Difficulty in protection of certification or password by physical control Countless HW, OS, APP Various ways of threat or attack

Increased Threat for IoT Device Security “More dangerous because hardware control can be hijacked by hacking of firmware of IoT device” OS Level Firmware Hacking CPU Boot Loader Device OS Application SW Home appliance(100,000) Used for scattering spam mail (2014.01, Proofpoint) Chrysler Car Control hijacked by Firmware Attack (2015.08, WSOCTV) Hacking of NEST thermal control system - Appearance of IoT Ransomware (2016.08, ‘DEFCON’)

Development Process of Device Security “Developing from Laptop-based sec to Mobile, IOT-based sec But, not enough standardization for device security and remote-attestation ” 2005 2010 2015 Laptop Smart Phone IoT Device TPM Embedded SE Security built-in MCU ARM Trust Zone (Android) Secure Element (iOS) Hardware TPM Linux RTOS Firmware Windows iOS/Android iOS Android OS Windows SecureBoot Trusted Boot File System Encryption Application Sandbox Mutual Authentication Firmware Encryption Comm. Encryption Secure Boot Trusted Boot File System Encryption Application Sandbox (SE Linux) Key Security Measures Secure Boot Trusted Boot

Current position of market in IoT Security (US $) 7.9B YR 2015 36.95 (Source: MarketsandMarkets, Jan 2016) Billion YR 2020 CAGR: 36.1% IoT Security “Globally, IOT Security Market is in start-phase” 2015yr 8B will increase 2020yr about 40B Trend of introducing of R&D security format and certification South Korea, Introduction of IoT device security certification is scheduled from 2017yr. (Ministry of Science, ICT, and Future Planning, 2016)

Current position of market in IoT Security Chipset Vendors IoT Platforms IoT Service Providers Things Gateways IOT Service Platform Applications SECURITY PLATFORM (Device Security) (Gateway Security) ( • ) (Remote Attestation) (Device Security) (Gateway Security) ( • ) (Remote Attestation) (Device Security) ( • ) ( • ) ( • ) ( • ) (Gateway Security) ( • ) ( • ) ( • ) ( • ) (IoT Platform) ( • ) ( • ) ( • ) ( • ) (Remote Attestation)

Main Technology in IoT Security “Hardware-based certification / encrypt and digital-sign tech Can block illegal duplication or transformation of device” . Private-ID Certification Firmware encoding (Confidentiality) Secure boot and Update of code-sign (Integrity) Device Co-Certification Remote- Attestation (Remote Attestation) Specific information (Creation of Private-ID) CPU CPU Verify the integrity by exchange between digital-signed certification information and boot process information Root of Trust ✓ boot loader boot loader (Signature) ✓ Quote Kernel/ Firmware (Firmware decoding) (Signature) Server Health? ✓ RAM Kernel/ Firmware Boot Record Hash ? X (Signature) x Malware (Signature) Rootfs The current hash Z Reply (Firmware Encoding) Reboot to get back to clean image Prevention for illegal device duplication Prevention for illegal device transformation Detect duplicated or transformed device

How to apply IoT Security “Application of proper security and IoT service business remote-Attestation for every IoT Device, Gateway, Service Platform Device Platform Gateway Platform Service Platform Smart City Device Identity Remote Attestation Security Programmable MCU TPM (Trusted Platform Module) Device password Server open-key Maker open-key Device password Server open-key Maker open-key Smart Factory Server ? Health? Reply Send signed code Device open-key Hash Table Env. Energy SDK Smart Home SecurityOS Firmware encoding Secure Boot SELinux Verify the integrity by exchanging digital-signed boot process information RTOS Firmware encoding Secure Boot Embedded Linux Smart Farm Detection of illegally duplicated or camouflaged device Detection of illegally transformed device(HW, SW, setting point) Protection of Data and control order Safe signed patch HW Private-ID certification Prevention of illegal duplication Prevention of system transformation Message Sign/Encoding Update Code-sign HW Private-ID certification Prevention of system transformation Isolation of Application File/Communication Encoding Update Code-sign Health Safety

Case Study Ⅰ. LG Electronics “Introduce Security Module by Security MCU installed mini SD card” Secu. MCU SDK Security Module Mini SD Interface HW Private-ID certification Prevention of illegal duplication Prevention of system transformation Message Sign/Encoding Update Code-sign

Case Study Ⅱ. VS. “Introduce eSE built-in or eSE separate MCU style in Security Module.” eSE Built – in MCU eSE separate MCU Core Board Secure SoC MS1000 Device authentication Anti-cloning Message signing Anti-forgery Secure updates with signed code

Case Study Ⅲ. SK Telecom “Remote Attestation plug-in for SKT’s IoT Platform (ThingPlug)” Key Features Plan Develop Release Distribution manage Prevention of firmware transformation Date Protection Remote Monitoring Safe Update Secure Boot Password Library Device diagnosis Firmware sign FOTA Update Remote Attestation LoRa Device (i.e. AMI) LoRa Module SECURE MCU SDK

Case Study Ⅳ. Security Platform “Industrial Smart Factory Sensor Module(WICON)+Security Module [ Security Module ] WiFi BLE 3G, LTE Security Control Secure Element (Unique Private KEY, Public KEY of CA, Certificate of Mfg.) WICON Secure Boot MS500 (Security Built-in MCU) Device Authentication Comm. Encryption Secure Update with Signed Code

Recommendation for cooperation “Build device remote-attestation of business operator in IoT service as common standard requirement” ☞ can develop(or need development of) standard-proper Trusted boot(Security chip or maker) ☞ Security by Design & Privacy by Design Security Chip Maker Device Maker IoT service business operator 2015 <Security Exclusive processor> Trusted Boot & Remote Attestation Server Health? ? 2016 <Security Engine integral MCU> Reply Verify the integrity through digital-signed boot process information exchange by protection of password from every physical, logical attack. …

Thank you! 82-10-8384-7536 sdkjs215340@gmail.com Jaesoo Kim