Your Thing is Pwned - Security Challenges for the IoT
-
Upload
wso2-inc -
Category
Investor Relations
-
view
1.135 -
download
0
Transcript of Your Thing is Pwned - Security Challenges for the IoT
Securing IoT applications
Your Thing is pwndSecurity Challenges for the Internet of ThingsPaul FremantleCTO, WSO2 ([email protected])PhD researcher, Portsmouth University([email protected]) @pzfreo#wso2
#iotconf@iotconf
Firstly, does it even matter?
My three rules for IoT security1. Dont be stupid
2. Be smart
3. Think about whats different
My three rules for IoT security1. Dont be stupidThe basics of Internet security havent gone away2. Be smartUse the best practice from the Internet3. Think about whats differentWhat are the unique challenges of your device?
Google Hacking
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
http://freo.me/1pbUmof
Lots of people are emailing me and joking about what theyd do if they hacked the device, said Way. We believe this device is not hackable. But even if somebody managed to get in, the worst consequence would be lots of women having orgasms in unusual places.
11
So what is different about IoT?The longevity of the deviceUpdates are harder (or impossible)The size of the deviceCapabilities are limited especially around cryptoThe fact there is a deviceUsually no UI for entering userids and passwordsThe dataOften highly personalThe mindsetAppliance manufacturers dont think like security expertsEmbedded systems are often developed by grabbing existing chips, designs, etc
Physical Hacks
A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
UltraResethttps://intrepidusgroup.com/insight/2012/09/ultrareset-bypassing-nfc-access-control-with-your-smartphone/
Or try this at home?http://freo.me/1g15BiG
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
Hardware recommendationsDont rely on obscurity
Hardware recommendationsDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurity
Hardware Recommendation #2Unlocking a single device should risk only that devices data
The Network
Crypto on small devicesPractical Considerations and Implementation Experiences in Securing Smart Object Networkshttp://tools.ietf.org/html/draft-aks-crypto-sensors-02
ROM requirements
ECC is possible (and about fast enough)
Crypto
Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
Wont ARM just solve this problem?
Cost matters
8 bits$5 retail$1 or less to embed32 bits$25 retail$?? to embed
Another option?
SIMON and SPECK
https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
Datagram Transport Layer Security(DTLS)UDP based equivalent to TLShttps://tools.ietf.org/html/rfc4347
Key distribution
How do you distribute keys to devices?Usually at manufacture time
Complex to update
What about expiration?
PasswordsPasswords suck for humansThey suck even more for devices
MQTT
Why Federated Identity for IoT?Can enable a meaningful consent mechanism for sharing of device dataGiving a device a token to use on API calls better than giving it a passwordRevokableGranularMay be relevant for bothDevice to cloudCloud to app
Device to CloudPut an OAuth2 token on the deviceSet the scope to be limited This device can publish to this topicSupport refresh model
Quick DemoApologies. This is not a slick demo!
Cloud to AppThe same technology can be used to enable some app to subscribe to a specific topicMuch easier than with Arduino!
Lessons learntOAuth2 Token lengths are usually ok (no promise though)OpenId Connect much largerRegistration is hardMQTT and MPU / I2C code is 97% of DuemilanoveAdding the final logic to do OAuth2 flow pushed it to 99%No TLS in this demo is a big issueDifferent OAuth2 implementations behave differently Need to disable updating the refresh token with every refreshNeed to be able to update the scope of token if this will work for long term embedded devicesMQTT needs some better designed patterns for RPCStandardised
More informationhttp://pzf.fremantle.org/2013/11/using-oauth-20-with-mqtt.html
http://siot-workshop.org/
OpenId Connect
Are you creating the next privacy breach?
SummaryThink about security with your next deviceWe as a community need to make sure that the next generation of IoT devices are secureWe need to create exemplarsShieldsLibrariesServer softwareStandards
WSO2 Reference Architecture for the Internet of Things http://freo.me/iotra