Selecting for Security: Searching for Risks from the Supply Chain in IoT Devices at Scale presented at SupplyChainCybersecuritySummit 2019

by Ryan Speers

Summary: In this presentation, attendees will learn about supply chain risks specific to Internet of Things (IoT) products, gain an understanding of the current challenges manufacturers and users face in addressing these threats, and leave with the tools to combat these risks in their enterprise. We will first cover the risks introduced to IoT products by the unique supply chains involved in producing them. From this, we will cover the different ways that security-conscious device makers try to mitigate those risks, and where they run into challenges. Finally, we review the industry best practices for assessing supply chain risk in potential products (e.g., vendor questionnaires, etc.) and where these methods fail to provide security. We will highlight the top 5 items that an IoT acquisition policy should verify (from a technical practitioner's perspective), specifically to minimize supply chain threats, and discuss how these checks can be done today (covering solutions that are simple and scrappy, homegrown or free/open-source). These are actionable take-aways that will arm attendees to make a difference immediately at their organizations. Recognizing the challenges of evaluation at scale, we will discuss how automated analysis is the future for empowering companies to evaluate such issues at scale.

Ryan Speers: Ryan Speers and Ricky Melgares are Computer Science majors at Dartmouth College, pursuing a senior honors thesis in ZigBee security under Professor Sergey Bratus. So far, their thesis work has entailed receiving an accidental forwarding of a vendor's internal email thread discussing the cons of us being security researchers wanting to buy their products, getting caught by campus security physically probing a sensor network, ripping apart the 802.15.4 and ZigBee protocols frame by frame, and spoofing these frames for a variety of attacks. They wish to remind you that "your RF is showing" and that wireless injection is king.