Securing IoT Connected Device Applications - GOTO Blog


  • Securing IoT Connected Device Applications

    Ian Massingham Technology Evangelist, AWS

    IanMmmm

  • IoT isn't a new use-case for AWS

    Amazon SNS: Mobile Push and Notifications

    Amazon DynamoDB: Predictable and Scalable NoSQL Data Store

    AWS Lambda: Run Code in Response to Events

    Amazon Redshift: Petabyte-Scale Data Warehouse

    Amazon API Gateway: Build, Deploy, and Manage APIs

    Amazon Kinesis: Streaming Analytics

    Amazon Cognito: User Identity and Data Synchronization

    and more

  • AWS IoT: simplify and accelerate IoT development


    AWS IoT: Connect Devices to the Cloud

  • AWS IoT

    Securely connect one or one billion devices to AWS, so they can interact with applications and other devices

  • http://192.168.1.200:8080


  • http://192.168.1.200:8080 http://a.public.address:8080


  • DADDY, WHERE DO BOTNETS COME FROM?

  • It doesn't have to be this way

  • http://192.168.1.200:8080


  • IoT Security: One Slide Primer

    Variably-constrained devices

    Variably-constrained environment & networks

    Remote locations, variable physical security

    Diverse IoT market segments, threat models

    Variable criticality of the IoT applications

  • Start with a threat model

  • Safety

  • Bad things can happen in the real world

  • How can we defend against these threats?

  • Secure Communications with Things

    Strong Thing Identity

    Fine-grained Authorisation for:

    Thing Management (Control plane)

    Pub/Sub Data Access (Data plane)

    Access to Services (To add features)

  • Secure Communications with Things

  • Mutual TLS Authentication

    TLS/SSL

    MUTUAL TLS AUTHENTICATION

  • Public Key Cryptography Options

    For the same level of security, ECC keys are much smaller than RSA keys

    Symmetric Key Size (bits)   RSA Key Size (bits)   Elliptic Curve Key Size (bits)
    80                          1024                  160
    112                         2048                  224
    128                         3072                  256
    192                         7680                  384
    256                         15360                 512

    https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/

  • Communicating with non-things (Humans)

  • How we implement this

                      MQTT + Mutual Authn TLS    AWS Authn + HTTPS
    Server Authn      TLS + Cert                 TLS + Cert
    Client Authn      TLS + Cert                 AWS API Keys
    Confidentiality   TLS                        TLS
    Protocol          MQTT                       HTTP

  • Strong Thing Identity

  • Strong Thing Identity

    X.509 Certificates

    https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/

  • Fine Grained Authorisation

  • AWS IoT

  • AWS IoT

    Data Plane

    Control Plane

    Service Access

    Data Plane

  • Applying Permissions to Thing Management

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ManageCerts",
          "Action": [
            "iot:CreateKeysAndCertificate",
            "iot:CreateCertificateFromCsr",
            "iot:DescribeCertificate",
            "iot:UpdateCertificate",
            "iot:DeleteCertificate",
            "iot:ListCertificates"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RevokeOneThing",
          "Action": [
            "iot:UpdateCertificate"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0SNIP026d9",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "192.168.42.54"
            }
          }
        }
      ]
    }

  • Allowing/Denying Access to MQTT Topics

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iot:Connect"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:Publish"
          ],
          "Resource": [
            "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:Subscribe",
            "iot:Receive"
          ],
          "Resource": [
            "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"
          ]
        }
      ]
    }
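    To see exactly what the control-plane and MQTT policies on the last two slides grant, here is an added example (my code, not AWS's policy engine and not code from the talk) that applies the IAM evaluation rules (implicit deny, explicit Deny wins, `*`/`?` wildcards, an IpAddress condition) to the three policies above. The account id, region, certificate id and thing name are the slides' own values; the `is_allowed`, `topic_arn` and `topicfilter_arn` helpers and the StringEquals operator support are my additions, and the action name is written as `iot:CreateKeysAndCertificate`, which is the actual AWS IoT action.

```python
import ipaddress
import re

# Account id, region, certificate id and thing name are the slides' own values.
ACCOUNT = "123456972007"
REGION = "us-east-1"

# The three policies from the slides (quotes and ARN spacing corrected). The
# action name iot:CreateKeysAndCertificate is the real AWS IoT action.
MANAGE_CERTS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ManageCerts",
        "Action": ["iot:CreateKeysAndCertificate", "iot:CreateCertificateFromCsr",
                   "iot:DescribeCertificate", "iot:UpdateCertificate",
                   "iot:DeleteCertificate", "iot:ListCertificates"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}
REVOKE_ONE_THING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RevokeOneThing",
        "Action": ["iot:UpdateCertificate"],
        "Effect": "Allow",
        "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:cert/d7677b0SNIP026d9",
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.42.54"}},
    }],
}
MY_THING_MQTT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/MyThing/shadow/update"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
         "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/$aws/things/MyThing/shadow/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key missing from the request context never does."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(policies, action, resource, context=None):
    """Implicit deny: True only if some statement allows the request and none denies it."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides any Allow
            allowed = True
    return allowed


def topic_arn(topic):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/{topic}"


def topicfilter_arn(topic_filter):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/{topic_filter}"


if __name__ == "__main__":
    own = topic_arn("$aws/things/MyThing/shadow/update")
    other = topic_arn("$aws/things/OtherThing/shadow/update")
    print(is_allowed([MY_THING_MQTT], "iot:Publish", own))    # True
    print(is_allowed([MY_THING_MQTT], "iot:Publish", other))  # False
```

    Run against the MQTT policy, the evaluator confirms that MyThing can publish only to its own shadow update topic and subscribe only beneath its own shadow; any other thing's topics fall under the implicit deny. Contrast ManageCerts, whose `Resource: "*"` grants certificate management across the whole account, with RevokeOneThing, which is pinned to one certificate ARN and one source IP and fails as soon as the caller's address or the target certificate differs.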

  • Hardware Security (Private Key & Platform Protection)

  • IoT Gateways

  • Atmel Zero Touch Secure Provisioning Kit

  • If you spend a lot of time on securing your IoT applications, you're not spending time solving problems for your customers.

  • So don't build a platform, unless you're building a platform. In which case, fine, build a platform.

  • Building Hello World (for IoT Developers)

  • Turns out, developers are creative

  • Sassy Ping Pong Score Keeper

    Source: https://www.hackster.io/youngd/ping-pong-showdown-eabaed

  • Slack-powered Doorbell

    Source: www.theatlantic.com/notes/2016/07/make-every-week-2-a-silent-slack-powered-doorbell/490880/

  • Emergency Sweetgreen Ordering

    Source: http://www.andrewmcgill.me/2016/08/19/make-every-week-sweetgreen-salad-button.html

  • Push a button to get directions to the right meal within your budget. (Integrate time of day, weather, Google Directions, Yelp, and Stripe)

    Source: https://medium.com/@_adeel/nerding-out-with-the-amazon-iot-button-84a6e14b6b28#.ekd5hsnez

  • How does it work?

    Invoke a Lambda function

    Put object in an S3 bucket

    Insert, Update, Read from a DynamoDB table

    Publish to an SNS Topic or Endpoint

    Publish to a Kinesis stream

    Kinesis Firehose > Redshift

    Republish to AWS IoT

    AWS IoT

  • But wait, I live in Europe and I want to do this. Right now!

  • HARDWARE YOU WILL (& MIGHT) NEED

    A Raspberry Pi: https://www.raspberrypi.org

    Electronics Kit: try the SunFounder 37 modules Sensor Kit v2.0 for Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires
    http://www.amazon.co.uk/dp/B014PF05ZA

    Example tutorial: https://www.sunfounder.com/learn/sensor-kit-v2-0-for-raspberry-pi-b-plus/lesson-6-button-module-sensor-kit-v2-0-for-b-plus.html

    Raspberry Pi Sense Hat (optional fun): https://www.raspberrypi.org/products/sense-hat/
    http://www.amazon.co.uk/dp/B00P66XRNK

  • SETTING UP FOR GPIO/SENSE HAT

    Your own electronics/sensor build:

    C (for embedded C): WiringPi, http://wiringpi.com

    Python wrapper module for WiringPi: https://github.com/WiringPi/WiringPi-Python

    For the Sense Hat: Python module, https://github.com/RPi-Distro/python-sense-hat

  • SETTING UP FOR AWS IOT

    Use the AWS Console to create your device

    Download the required crypto materials & save the C header file contents with your endpoint, cert, and key details

    Download & set up your chosen AWS IoT SDK. Get them at: https://aws.amazon.com/iot/sdk/

    Building the C SDK on the Raspberry Pi requires the CppUTest library from: https://github.com/cpputest/cpputest/releases/tag/v3.6

    Get started with the sample applications that come with the AWS SDKs


  • EXAMPLES & DEMOS

    Emulating the AWS IoT Button (C++) https://github.com/ianmas-aws/iot-button-emulator

    Controlling the Sense Hat via AWS IoT Device Shadow (Python) https://github.com/ianmas-aws/PiPyIoT


  • Go Build, Have Fun

    Ian Massingham Technology Evangelist, AWS

    IanMmmm


  • Alert Someone: AWS IoT to AWS Lambda to SNS

    [Architecture diagram] Button (policy, private key & certificate, SDK) -> AWS IoT (Rules Engine; Rule: Select * from iotbutton/+; Action) -> AWS Services: Lambda Function (event source, execution role policy, permission) -> SNS Topic (SNS topic subscription) -> SMS or Email

  • Count items or Track Usage: AWS IoT to DynamoDB to Dashboard

    [Architecture diagram] Button (policy, private key & certificate, SDK) -> AWS IoT (Rules Engine; Rule: Select * from iotbutton/+; Action) -> AWS Services: Lambda Function (event source, execution role policy, permission) -> DynamoDB -> Dashboard (S3 Website)
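    The rule Select * from iotbutton/+ is the hinge of both architectures above (the SNS alert and the DynamoDB counter). As an added example, not code from the talk or from AWS IoT, the following toy rules engine implements MQTT topic-filter matching the way a broker or rules engine must (`+` one level, `#` the remainder, neither matching a leading `$` system topic), parses rules of the shape shown on the slides (the optional WHERE key = 'value' clause is my extension beyond the slide), and fans a matching button press out to in-memory stand-ins for the two actions. The serial number and event fields are constructed sample data; `alert_handler`, `count_handler` and `run_rules` are hypothetical names.

```python
import re

# Constructed sample of a button press on the topic the slides' rule listens
# to; the serial number and field values are made up for this example.
SAMPLE_TOPIC = "iotbutton/G030EXAMPLE0000001"
SAMPLE_EVENT = {"serialNumber": "G030EXAMPLE0000001",
                "batteryVoltage": "1654mV", "clickType": "SINGLE"}


def topic_matches(topic_filter, topic):
    """MQTT filter semantics: '+' matches one level, '#' (last only) the rest.
    A leading '+' or '#' never matches a '$' system topic such as $aws/things/..."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1 and len(t_levels) >= i
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


# SELECT fields FROM topic [WHERE key = 'value']; the topic may be quoted or not.
RULE = re.compile(
    r"^\s*SELECT\s+(?P<select>.+?)\s+FROM\s+'?(?P<topic>[^'\s]+)'?"
    r"(?:\s+WHERE\s+(?P<key>\w+)\s*=\s*'(?P<value>[^']*)')?\s*$", re.IGNORECASE)


def parse_rule(sql):
    m = RULE.match(sql)
    if not m:
        raise ValueError(f"unsupported rule: {sql!r}")
    fields = [f.strip() for f in m.group("select").split(",")]
    where = (m.group("key"), m.group("value")) if m.group("key") else None
    return {"select": fields, "topic": m.group("topic"), "where": where}


def evaluate_rule(rule, topic, event):
    """Return the selected fields if the rule fires for this message, else None."""
    if not topic_matches(rule["topic"], topic):
        return None
    if rule["where"] is not None:
        key, value = rule["where"]
        if str(event.get(key)) != value:
            return None
    if rule["select"] == ["*"]:
        return dict(event)
    return {k: event[k] for k in rule["select"] if k in event}


def alert_handler(event, publish):
    """'Alert Someone' flow: the Lambda formats the press and hands it to SNS (publish is a stand-in)."""
    message = (f"Button {event['serialNumber']} pressed ({event['clickType']}), "
               f"battery {event['batteryVoltage']}")
    publish(message)
    return message


def count_handler(event, table):
    """'Count items' flow: bump the per-button counter kept in DynamoDB (a dict stands in)."""
    table[event["serialNumber"]] = table.get(event["serialNumber"], 0) + 1
    return table[event["serialNumber"]]


def run_rules(rules, topic, event):
    """Fan one message out to every rule that matches, as the Rules Engine does.
    rules is a list of (sql, action) pairs; returns the sql of each rule that fired."""
    fired = []
    for sql, action in rules:
        selected = evaluate_rule(parse_rule(sql), topic, event)
        if selected is not None:
            action(selected)
            fired.append(sql)
    return fired


if __name__ == "__main__":
    sent, table = [], {}
    run_rules([("Select * from iotbutton/+", lambda e: alert_handler(e, sent.append)),
               ("Select * from iotbutton/+", lambda e: count_handler(e, table))],
              SAMPLE_TOPIC, SAMPLE_EVENT)
    print(sent, table)
```

    The `$`-topic check in `topic_matches` is the detail worth noticing: it is what MQTT specifies, and it is what stops a rule or subscription on `#` from seeing the device-shadow system topics that the policy slide scopes so carefully per thing.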