Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely Leverage IoT

Drones, Phones, and Pwns: The Promise (and Dangers) of IoT APIs

© 2014 CA. All rights reserved.

<name>

<date> Jaime Ryan

Senior Director, Product Management & Strategy

CA Technologies

July 23, 2014

2 © 2014 CA. ALL RIGHTS RESERVED.

What does the future hold?


These ain’t your daddy’s drones


They’re accessible


They’re affordable


They’re powerful


They’re ubiquitous


They’re unobtrusive


What happens when we scale up?


What can we accomplish now?


Emergency services


Emergency services


Even the innocuous


Location is important


Detail is important


What does this have to do with the Internet of Things?


Internet


Things


WCoT (Word Cloud of Things)


Dumb Things

Collect Data Do Something

Quantified Self Track exercise, calories consumed, sleeping habits

Suggestion-based fitness Create customized workouts, social running routes, sleep suggestions

Surveillance Capture images/video – home, retail, gambling

Security Unlock door based on Bluetooth or NFC proximity

Agricultural Sensors Track conditions in soil, air, supply chain

Industrial Farm Equipment Increase/decrease irrigation, feed, pesticides

Smart Parking Record and plot empty parking spaces

Connected Meters Email driver when it’s time to pay for more time

Disease Tracking Wearables Sensors in underwear, pacemakers,

Notification and Medication Administration

Remind patient to take medications; notify emergency medical personnel prior to seizure

Manage Retail Inventory Location of items in-store, automatically updated inventory

Ordering/Loss Prevention Place new order upon low inventory; alert staff if removed from store

Energy Usage Tracking Identify power-guzzling appliances, collect meter readings

Home Automation Turn on lights, manage AC/heating, regulate power


Supply Chain


The evolution of connectivity


Smart Things

Bridge the gap between dumb things

Allow for human interaction and decision-making

Create/enforce policy - IFTTT

Portal/UI into the world of data

App-based

Laptops, desktops, tablets, phones, smartwatches


What does the architecture look like?

Cloud

Sensors & Actuators

Mobile/App

Marketplace

Mobile/App Server

Gateway

Server Gateway

Overlapping Domains of Interest (Clustered Graphs)

Mobile/App

Mobile/App

Mobile/App

Domain A

Domain B

Domain C = A ∩ B

Domain E = C ∩ …


Lots of Frameworks


Lots of Protocols


Lots of SDKs


APIs are fundamental to the Internet of Things

{ “min”: “23C”, “max”: “11C”…}


How could I get pwned?


Data exposure


Of the worst kind


Cars


Game consoles


Facebook


Phones


Address Books


Not just the NSA


Not even just law enforcement


What are the concerns?

IDENTITY

CUSTODY

PRIVACY

• How do we make sure we retain control? • How do we authenticate ourselves in person and online? • How do we delegate information to interested parties?

• Who has our information? • What information do they have? • What do they need? • Who do we trust? Why?

• How does information get from one place to another? • Are those pathways secure? • What role do we play?


Maintain awareness


Maintain awareness


My identities and data


What steps to take in this new interconnected world?


APIs are Central to the Modern Enterprise


An Enterprise API Management Solution

Internet of Things

Partners/ 3rd-party Developer Community

Cloud Services

BYOD

Sister Company APIs Daughter Company APIs

…


Developer Management

Health Tracking

Workflow

Performance Global Staging Developer Enrollment

API Docs

Forums

API Explorer

Rankings Quotas

Plans

Analytics Reporting

Config Migration

Patch Management Policy Migration

Operations Management

Throttling Prioritization Caching

Routing Traffic Control Transformation

Security

Interface Management

Composition Authentication Single Sign On API Keys Entitlements

OAuth 1.x OAuth 2.0 OpenID Connect

Identity Management

Key Functional Areas of API Management

Token Service


Questions?

Senior Director, Prouct Management & Strategy

[email protected]

@JRyanL7

https://www.facebook.com/Layer7

linkedin.com/company/ca-technologies

ca.com

Jaime Ryan


References

http://techcrunch.com/2014/04/14/google-acquires-titan-aerospace-the-drone-company-pursued-by-facebook/

http://www.cnet.com/news/google-buys-solar-powered-drone-company-titan-aerospace/

http://finance.yahoo.com/news/facebooks-feature-users-thoroughly-creeped-005800620.html

http://www.foxnews.com/leisure/2013/09/04/hackers-find-weaknesses-in-car-computer-systems/

http://www.mirror.co.uk/news/technology-science/technology/spies-can-listen-your-iphone-3670347

http://www.theblaze.com/stories/2013/08/02/report-fbi-can-remotely-turn-on-phone-microphones-for-spying/

http://www.theblaze.com/stories/2011/04/18/can-your-smartphone-use-your-microphone-camera-to-gather-data-yes/

http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa-police/3902809/

cow: https://www.flickr.com/photos/julochka/

milk: https://www.flickr.com/photos/crazytales562/

https://security.google.com/settings/security/permissions?pli=1

https://www.facebook.com/help/405183566203254/

http://www.businessinsider.com/facebook-app-privacy-controls-2012-10


Copyright © 2014 CA. The Nike logo is either a registered trademark or trademark of Nike Corporation in the United States and/or other countries. The Sonos logo is either a registered trademark or trademark of Sonos Corporation in the United States and/or other countries. The Google logo is either a registered trademark or trademark of Google Corporation in the United States and/or other countries. The Facebook logo is either a registered trademark or trademark of Facebook Corporation in the United States and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Certain information in this publication may outline CA’s general product direction. However, CA may make modifications to any CA product, software program, method or procedure described in this publication at any time without notice, and the development, release and timing of any features or functionality described in this publication remain at CA’s sole discretion. CA will support only the referenced products in accordance with (i) the documentation and specifications provided with the referenced product, and (ii)CA’s then-current maintenance and support policy for the referenced product. Notwithstanding anything in this publication to the contrary, this publication shall not: (i) constitute product documentation or specifications under any existing or future written license agreement or services agreement relating to any CA software product, or be subject to any warranty set forth in any such written agreement; (ii) serve to affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (iii) serve to amend any product documentation or specifications for any CA software product.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.

Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely Leverage IoT

Technology

internet of things

smart things

dumb things

domain b domain c

theyre accessible

theyre affordable

theyre powerful

theyre ubiquitous