Securing IoT applications

Your Thing is pwndSecurity Challenges for the Internet of ThingsPaul FremantleCTO, WSO2 (paul@wso2.com)PhD researcher, Portsmouth University(paul.fremantle@port.ac.uk) @pzfreo#wso2

#iotconf@iotconf

Firstly, does it even matter?

My three rules for IoT security1. Dont be stupid

2. Be smart

3. Think about whats different

My three rules for IoT security1. Dont be stupidThe basics of Internet security havent gone away2. Be smartUse the best practice from the Internet3. Think about whats differentWhat are the unique challenges of your device?

Google Hacking

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

http://freo.me/1pbUmof

Lots of people are emailing me and joking about what theyd do if they hacked the device, said Way. We believe this device is not hackable. But even if somebody managed to get in, the worst consequence would be lots of women having orgasms in unusual places.

11

So what is different about IoT?The longevity of the deviceUpdates are harder (or impossible)The size of the deviceCapabilities are limited especially around cryptoThe fact there is a deviceUsually no UI for entering userids and passwordsThe dataOften highly personalThe mindsetAppliance manufacturers dont think like security expertsEmbedded systems are often developed by grabbing existing chips, designs, etc

Physical Hacks

A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity

UltraResethttps://intrepidusgroup.com/insight/2012/09/ultrareset-bypassing-nfc-access-control-with-your-smartphone/

Or try this at home?http://freo.me/1g15BiG

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

Hardware recommendationsDont rely on obscurity

Hardware recommendationsDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurityDont rely on obscurity

Hardware Recommendation #2Unlocking a single device should risk only that devices data

The Network

Crypto on small devicesPractical Considerations and Implementation Experiences in Securing Smart Object Networkshttp://tools.ietf.org/html/draft-aks-crypto-sensors-02

ROM requirements

ECC is possible (and about fast enough)

Crypto

Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

Wont ARM just solve this problem?

Cost matters

8 bits$5 retail$1 or less to embed32 bits$25 retail$?? to embed

Another option?

SIMON and SPECK

https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html

Datagram Transport Layer Security(DTLS)UDP based equivalent to TLShttps://tools.ietf.org/html/rfc4347

Key distribution

How do you distribute keys to devices?Usually at manufacture time

Complex to update

What about expiration?

PasswordsPasswords suck for humansThey suck even more for devices

MQTT

Why Federated Identity for IoT?Can enable a meaningful consent mechanism for sharing of device dataGiving a device a token to use on API calls better than giving it a passwordRevokableGranularMay be relevant for bothDevice to cloudCloud to app

Device to CloudPut an OAuth2 token on the deviceSet the scope to be limited This device can publish to this topicSupport refresh model

Quick DemoApologies. This is not a slick demo!

Cloud to AppThe same technology can be used to enable some app to subscribe to a specific topicMuch easier than with Arduino!

Lessons learntOAuth2 Token lengths are usually ok (no promise though)OpenId Connect much largerRegistration is hardMQTT and MPU / I2C code is 97% of DuemilanoveAdding the final logic to do OAuth2 flow pushed it to 99%No TLS in this demo is a big issueDifferent OAuth2 implementations behave differently Need to disable updating the refresh token with every refreshNeed to be able to update the scope of token if this will work for long term embedded devicesMQTT needs some better designed patterns for RPCStandardised

More informationhttp://pzf.fremantle.org/2013/11/using-oauth-20-with-mqtt.html

http://siot-workshop.org/

OpenId Connect

Are you creating the next privacy breach?

SummaryThink about security with your next deviceWe as a community need to make sure that the next generation of IoT devices are secureWe need to create exemplarsShieldsLibrariesServer softwareStandards

WSO2 Reference Architecture for the Internet of Things http://freo.me/iotra