A New Solution to the IoT Security Problem


Transcript of A New Solution to the IoT Security Problem

Page 1: A New Solution to the IoT Security Problem


Page 2: A New Solution to the IoT Security Problem

Agenda

1. The IoT Security Problem

2. Introducing the IoT Back Channel

3. More Back Channel Use Cases

4. How To Implement the IoT Back Channel

Page 3: A New Solution to the IoT Security Problem

Introduction

• The internet of things (IoT) industry faces a serious, global security threat.

• There is no “silver bullet” for IoT security.

• We see an opportunity to address IoT security using a relatively conventional method coupled with recent innovations in wireless networking.

Page 4: A New Solution to the IoT Security Problem

The IoT Security Pandemic

• What: Millions of devices that have been or will soon be discovered, hacked, modified, or hijacked

• Who is affected: Enterprise, industrial, government, consumer users

• Where: Worldwide

• How: Poor crypto practices, weak or non-existent firmware update practices, manufacturers in denial, limited regulatory oversight, and human factors

• Risks: Disabled or hijacked physical-world objects, as with Mirai. Modified endpoint data. Ransomware attacks. Spying. Homeland security. Personal safety.

Page 5: A New Solution to the IoT Security Problem

Case Study: WiFi Camera Vulnerabilities

• WiFi camera streams non-stop video content, creating network congestion and opportunities for unwanted eavesdropping

• WiFi SSID broadcasts continually, making for easy discovery by hackers

• Ships with factory default password that is easy to discover and hack

• Some manufacturers rarely or never update firmware

• One of the target device types of the Mirai Botnet attack of Sept 2016

• Some IP cameras rely on cloud services via non-HTTPS connections

Page 6: A New Solution to the IoT Security Problem

New IoT Security Requirements

| Traditional IoT Security Requirement | Challenges | New IoT Security Requirement |
| --- | --- | --- |
| Single-Factor Authentication | Vulnerable to variety of attacks. Outdated authentication convention. | Multiple Factor Authentication |
| Key distribution at time of manufacturing | Vulnerable to security leaks, customer negligence. | Dynamic key distribution |
| Broadcasted Unique Identifier | Ease of discovering endpoints helps hackers. | Hidden Unique Identifier |
| Single Method of Firmware Update | Compromised endpoint may deny attempts to update firmware or restore factory defaults. | Multiple Means of Firmware Updates |
| No Kill Switch Requirement | Increasingly autonomous endpoints. Artificial Intelligence. | Kill Switch |
| Single Means of Configuration, Control, Alerts, Audit | Tasks suited to narrowband or asynchronous comms are instead executed with resource-intensive and easily hacked broadband or other vulnerable wireless comm link | Multiple Means of Configuration and Control |

Page 7: A New Solution to the IoT Security Problem

Agenda

1. The IoT Security Problem

2. Introducing the IoT Back Channel

3. More Back Channel Use Cases

4. How To Implement the IoT Back Channel

Page 8: A New Solution to the IoT Security Problem

We Have Online Back Channels

• Secondary forms of communication or “back channels” are now widely deployed as an internet security measure

• A second authentication credential is shared via a second network that is distinct from the first network


Page 9: A New Solution to the IoT Security Problem

So Why No IoT Back Channel?

• Network availability. Lack of affordable, low power, long range network technology made a back channel impractical.

• Networking protocols. Most wireless protocols cannot execute the requirements of an IoT back channel. Example: LoRaWAN.

• Costs. Incremental costs can outweigh the benefits. Paying $10 per year (or even $5) for a cellular-based back channel is a non-starter when the goal is a sub-$20 endpoint.


Page 10: A New Solution to the IoT Security Problem

Now Available: A Viable IoT Back Channel

• A “companion” wireless connection that enhances endpoint security and adds other valuable features

• Utilizes a discrete long range “LPWAN” radio and networking protocol that is inaccessible outside that radio’s local or metropolitan coverage area

• Can be implemented at a modest incremental cost and minimal or no impact to form factor

• Addresses many IoT security requirements

Diagram: Endpoint (Two Radios), Default Gateway, Back Channel Device, Application

Pages 11-16: A New Solution to the IoT Security Problem

Two Factor Authentication

Here’s just one example of how a back channel can help the IoT.

We use the WiFi camera example throughout this presentation …. but the back channel can be applied to many IoT device types.

Diagram: Endpoint, WiFi Router, Back Channel Device, Application

1. End user seeks to access camera endpoint, via browser (application).

2. Camera endpoint notifies WiFi gateway that a second credential is required and will be sent via the back channel.

3. Endpoint transmits credential via LoRa-enabled LPWAN back channel and displays information on back channel device screen.

Page 17: A New Solution to the IoT Security Problem

Two Factor Authentication via Back Channel

Authentication credential is only accessible to a user within the 1-2 mile (average) range of the LoRa-enabled endpoint, thus providing an additional physical layer/filter of authentication.

Diagram: Endpoint, WiFi Router, Back Channel Device (1-2 mile range)

Page 18: A New Solution to the IoT Security Problem

Two Factor Authentication via Back Channel

Alternatively, back channel device can operate in a purely “passive” mode (e.g. using a key fob or other token with no visual display), where endpoint simply confirms that back channel device associated with entity performing a query is within range before authenticating WiFi-based command.

Diagram: Endpoint, WiFi Router, Back Channel Device

Page 19: A New Solution to the IoT Security Problem

Two Factor Authentication via Back Channel

Or, a less secure but potentially more convenient approach would use conventional 2-factor techniques like text messaging, email, or voice call authentication, requiring an internet connection from the back channel device.

Diagram: Endpoint, WiFi Router, Back Channel Device
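The two-channel flow on the preceding slides, as an added Python simulation that is not part of the original deck: a WiFi password alone never grants access, the one-time code is delivered only to a back channel device inside radio range (active mode), and in passive mode the endpoint instead challenges the paired fob and accepts the WiFi command only if it answers from within range. The class and constant names, the distance-based range model, and the use of a shared-key HMAC in place of whatever crypto the real radio stack would carry are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

RANGE_MILES = 2.0       # assumed LoRa reach, from the deck's 1-2 mile average
CODE_TTL_SECONDS = 30   # assumed lifetime of a one-time code (constructed value)


class BackChannelDevice:
    """Fob or display paired with one endpoint; shares a secret key with it."""

    def __init__(self, key, distance_miles):
        self.key, self.distance_miles, self.screen = key, distance_miles, None

    def in_range(self):  # simulated radio reach: traffic only arrives inside range
        return self.distance_miles <= RANGE_MILES

    def show(self, code):  # active mode: display the one-time code
        if not self.in_range():
            return False
        self.screen = code
        return True

    def answer(self, nonce):  # passive mode: prove presence by MACing a fresh nonce
        if not self.in_range():
            return None
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class CameraEndpoint:
    def __init__(self, password, device):
        self.password, self.device, self.pending = password.encode(), device, {}

    def primary_login(self, session, password):
        """Steps 1-2 over WiFi: the password alone never grants access."""
        if not hmac.compare_digest(password.encode(), self.password):
            return "denied"
        code = "%06d" % secrets.randbelow(10**6)
        # Step 3: the code travels only over the back channel, never over WiFi
        if not self.device.show(code):
            return "second_factor_undeliverable"
        self.pending[session] = (code, time.monotonic() + CODE_TTL_SECONDS)
        return "second_factor_sent"

    def verify_code(self, session, code):
        """The user types the displayed code into the browser; single use, expiring."""
        entry = self.pending.pop(session, None)
        if entry is None:
            return False
        expected, expiry = entry
        return time.monotonic() <= expiry and hmac.compare_digest(code.encode(), expected.encode())

    def passive_check(self):
        """Passive mode: authorise only if the paired fob answers from within range."""
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self.device.key, nonce, hashlib.sha256).digest()
        resp = self.device.answer(nonce)
        return resp is not None and hmac.compare_digest(resp, expected)
```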

Page 20: A New Solution to the IoT Security Problem

Back Channel Requirements

| Requirement | Description |
| --- | --- |
| Bi-directional | Public key crypto, firmware updates, configuration and control all require a fully bi-directional wireless protocol. |
| Long Range | Back channel gateways may be dynamically tuned to validate endpoints within range as far as 10 miles and as short as 100 meters. |
| Low Power | Back channel may be embedded in battery-powered endpoints or mobile gateways like smart cards, smartphones, key fobs, and more. |
| Real-Time | Back channel must have latency of less than 2 seconds to minimize inconvenience of the additional authentication process and to facilitate real-time queries of the endpoint. For mission-critical or emergency/safety applications, real-time is non-negotiable. |
| Listen-Before-Talk | Back channel must remain quiet to maximize privacy and battery life of the endpoint as well as mobile back channel gateways, and also to minimize network congestion. |
| OTA Firmware | Back channel involved in any security or authentication task must have the ability to execute over-the-air firmware updates. |
| Public Key Crypto | Back channel must support public key encryption, tokenization. |
| Low Cost | Price-sensitive end users are likely to pay only modestly, we believe, for an IoT back channel, probably <$5.00/unit. |

Page 22: A New Solution to the IoT Security Problem

Agenda

1. The IoT Security Problem

2. Introducing the IoT Back Channel

3. More Back Channel Use Cases

4. How To Implement the IoT Back Channel

Page 23: A New Solution to the IoT Security Problem

This Goes Way Beyond Security

IoT Back Channel use cases:

• Configuration: Configure sensor parameters

• Alerts: Receive environmental sensor alerts (e.g. motion, temperature) without invoking broadband connection

• Maintenance: Update firmware, restore factory settings

• Query: Search and query the content stored at the endpoint and avoid unnecessary streaming

• Security: Provide two-factor authentication, perform public key encryption, distribute and refresh keys and tokens

• Privacy: Eliminate traditional SSID, avoid needless broadcasting of unique IDs

• Audits: Audit inventory of keys and tokens, firmware versions, sensor logs, battery life, maintenance history

• Control: Emergency kill switch, turn WiFi On/Off (low power wakeup), set rules, send command to endpoint

Page 24: A New Solution to the IoT Security Problem

Endpoint “Kill Switch”

• In the event of an endpoint hijack or malfunction, the IoT back channel can be used to disable the endpoint and prevent further spread of a botnet or stop physical harm to humans or property

• Kill switches are common. Smartphones, boating, mass transit, and many other examples.

• As artificial intelligence enables increasingly autonomous IoT endpoints, we will sleep better knowing there is an IoT kill switch available.

Pages 25-28: A New Solution to the IoT Security Problem

Endpoint Kill Switch: How It Works

Diagram: Endpoint, WiFi Router, Back Channel Device, Application

1. Camera endpoint is hijacked by “botnet army” such as Mirai. Endpoint participates in DDoS attacks, etc.

2. Application is unable to access camera endpoint via WiFi.

3. Back channel device is invoked to disable or “kill” the endpoint.
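The kill switch sequence above, as an added Python model that is not from the deck: the hijacked camera's WiFi path is unreachable, and a "kill" arriving over the back channel is acted on only if its tag verifies under the pairing key and its counter is higher than any already accepted, so a captured kill frame cannot be replayed against the endpoint later. The names KillSwitchEndpoint and KillSwitchFob and the HMAC-plus-counter framing are assumptions of this example, not the deck's protocol.

```python
import hashlib
import hmac
import struct


class KillSwitchEndpoint:
    """Camera side: a 'kill' is honoured only from the paired back channel device."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0        # highest counter accepted so far (replay guard)
        self.alive = True
        self.wifi_reachable = False  # step 2: the hijacked camera's WiFi path is lost

    def mac(self, counter, command):
        """Tag = HMAC-SHA256(key, counter || command); the counter binds each frame."""
        msg = struct.pack(">Q", counter) + command.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def on_wifi_command(self, command):
        """Primary channel: during the hijack the application never gets through."""
        return "ok" if self.wifi_reachable else "unreachable"

    def on_back_channel(self, counter, command, tag):
        """Step 3: verify the MAC first, then the counter, then act."""
        if not hmac.compare_digest(tag, self.mac(counter, command)):
            return "rejected: bad mac"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        if command == "kill":
            self.alive = False       # radios off: no further botnet traffic
            return "killed"
        return "rejected: unknown command"


class KillSwitchFob:
    """Back channel device: signs each command with a fresh, increasing counter."""

    def __init__(self, key):
        self.key, self.counter = key, 0

    def send(self, endpoint, command):
        self.counter += 1
        msg = struct.pack(">Q", self.counter) + command.encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return endpoint.on_back_channel(self.counter, command, tag)
```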

Pages 29-33: A New Solution to the IoT Security Problem

Device Management

The IoT back channel brings new ways of maintaining and operating endpoints.

• Configure and control WiFi, Cellular, and Bluetooth devices without invoking those radios, optimizing battery life and privacy. Restore factory settings.

• Firmware updates. Perform more secure firmware updates without using the broadband channel. Does not rely on the use of broadcasting with global keys over the broadband connection, which is easily hacked (see Philips Hue light bulb hack for more).

• Instant handshaking. Complete handshaking with WiFi, Bluetooth and other devices with painfully slow handshaking protocols in under two seconds using a real-time IoT back channel.

• Alerts. Route environmental sensor-based alerts through the back channel.

• Power + Network Management. Utilize a “wake-on” LPWAN radio to “wake up” an otherwise high powered endpoint running cellular, WiFi, or satcom radios. Radios remain in “sleep” mode until awoken, at which point they can engage in conventional communications and return to sleep mode.

Page 34: A New Solution to the IoT Security Problem

Back Channel = Device Stealth

• “Discovery-broadcast” models of WiFi, Bluetooth, ZigBee, and LPWANs expose hackable traffic patterns to listeners.

• A stealthy listen-before-talk model eliminates such traffic patterns.

• Innovation: key distribution (as in WiFi) can be done in co-ordination with stealthy back channel.

• Additional Reading (weblink): A Simple Proposal To Improve Security for the Internet of Things

Page 35: A New Solution to the IoT Security Problem

Agenda

1. The IoT Security Problem

2. Introducing the IoT Back Channel

3. More Back Channel Use Cases

4. How To Implement the IoT Back Channel

Page 36: A New Solution to the IoT Security Problem

Endpoint Implementation Example: WiFi Camera

| | Primary Channel | Back Channel |
| --- | --- | --- |
| Standard | WiFi 802.11x | DASH7 + LoRa |
| Primary Task | Stream live video and audio | Provide second-factor authentication |
| Other Jobs | — | Configuration and control of camera, over-the-air firmware updates, key refresh, query endpoint content, enviro sensor alerts |
| Radio Frequency | 2.45/5GHz | 433/915/868 MHz |
| Max Data Rate | up to 54 Mbps | 50-200kbps |
| Traffic Pattern | Predictable | Unpredictable |
| Discovery | SSID Broadcast | Listen-before-talk |
| Authentication, Encryption | WPA, WPA2 variants | AES/EAX 128 |

Page 37: A New Solution to the IoT Security Problem

IoT Back Channel: Endpoint and Gateway Designs

WiFi Camera Endpoint:

• Shared MCU

• Back Channel Radio - Narrowband (LoRa, NB-IoT, et al)

• Broadband Radio - WiFi, Cellular, Satcom

• Secure Element

Conventional WiFi Router:

• MCU

• WiFi Radio - Broadband

Back Channel Gateway:

• MCU

• Secure Element

• LPWAN Radio - Narrowband (LoRa, NB-IoT, et al)

Page 38: A New Solution to the IoT Security Problem

Easy To Implement Gateways

Some examples for implementing back channel gateways

Option A: More Secure, Less Convenient

• Examples: USB Stick, Wireless Smart Card, Fixed Display

• Accessible only within range of the endpoint

• Conventional form factors and available designs

• Estimated cost between $10-20

Option B: Less Secure, Most Convenient

• Examples: Text Message, Voice Call, Email

• Requires internet connection to back channel gateway

• Conventional two-factor authentication

• Low cost

Page 39: A New Solution to the IoT Security Problem

Simplify The Back Channel Deployment Decision

Only Haystack Provides a Universal IoT Back Channel Capability That Works Across Multiple LPWAN Technologies

OSI Layer view:

7 Application: AllJoyn, Others

6 Presentation

5 Session: Partial Definition

4 Transport: Partial Definition

3 Network: Partial Definition

2 Data Link: Partial Definition

1 Physical “PHY”: LoRa @ 169 - 960 MHz; Various @ 315 - 930 MHz; Various LTE Bands; SigFox @ 900, 868 MHz; NB-IoT

Page 40: A New Solution to the IoT Security Problem

Back Channel Costs

| Option | Generic Approach | Endpoint | Gateway | Comments | Per Unit Cost |
| --- | --- | --- | --- | --- | --- |
| A | Add additional radio | Add new LPWAN radio; add LPWAN antenna | Add new LPWAN radio, antenna | Semtech LoRa, TI CC 13XX, others. LoRa is currently expensive ($4/part) but we expect competition from TI and others to drive prices lower. | $1.00 - $4.00 |
| B | Re-use existing radio | Re-use existing radio for LPWAN back channel; add LPWAN antenna | Re-use existing radio for LPWAN back channel, add LPWAN antenna | Back channel is a secondary networking stack over the same radio hardware. LTE, NFC, Bluetooth, WiFi. TI CC1350 SoC offers combo Bluetooth + Sub-1GHz LPWAN capability. | ~$0.00 |
| C | Re-use existing radio | — | Re-use existing LTE or NFC radios for LPWAN back channel | Mainly applicable to smart-phones. Pre-existing NFC or LTE baseband chipsets may be enhanced for sub-1GHz deployments. | ~$0.00 |
| D | Add additional radio | N/A | Create dedicated gateway for LPWAN back channel | Example: back channel radio added via USB stick or other peripheral. | ~$10.00 |

Adding a back channel may be more economical than you might expect …

Page 41: A New Solution to the IoT Security Problem

Summary

1. Security is the #1 challenge facing the IoT industry and an IoT back channel is one component of an effective IoT security strategy.

2. Two-factor authentication is a widely-used online security convention and will play a similar role for the IoT.

3. An IoT back channel requires a fully bi-directional, low power, wide area networking technology with support for public key cryptography, over-the-air firmware updates, and listen-before-talk operation.

4. Done correctly, an IoT back channel can be low cost, easy to use, and does more than just security.

5. Haystack helps developers deploy IoT back channels.

Page 42: A New Solution to the IoT Security Problem

More Information:

• Haystack + DASH7 Security Overview

• Haystack And A Stealthier IoT

• A Unified Networking Stack for LPWAN’s

• A Comparison of Haystack and LoRaWAN

• Why You Can’t Google the IoT

Page 43: A New Solution to the IoT Security Problem

Fin

Contact: Patrick Burns [email protected]

DASH7, LoRa, LoRaWAN, Sigfox, Wi-Sun, IPv6, 6lowPAN, NB-IoT, LTE, Bluetooth, WiFi, ZigBee, Thread, 802.11, NFC, Dell EMC, Cisco, Alcatel, Nokia, Ericsson, General Electric, Intel, MediaTek, NXP, Samsung, Orange