Securing IoT Applications


1. Securing the Internet of Things
   • Paul Fremantle, CTO, WSO2 (paul@wso2.com)
   • PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk), @pzfreo

2. About me
   • CTO and Co-Founder, WSO2: open source middleware platform
   • Part-time PhD looking at security
   • Working in Apache for 14 years
   • Working with Cloud, SOA, APIs, MQTT, IoT

3. Firstly, does it matter?

4. Google Hacking

5. http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

6. http://freo.me/1pbUmof

7. So what is different about IoT?
   • The longevity of the device: updates are harder (or impossible)
   • The size of the device: capabilities are limited, especially around crypto
   • The fact there is a device: usually no UI for entering user ids and passwords
   • The data: often highly personal
   • The mindset: appliance manufacturers don't think like security experts; embedded systems are often developed by grabbing existing chips, designs, etc.

8. Physical Hacks
   • A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
   • Karsten Nohl and Henryk Plotz, MIFARE: Little Security, Despite Obscurity

9. Or try this at home? http://freo.me/1g15BiG

10. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

11. Hardware recommendations
   • Don't rely on obscurity

12. Hardware recommendations
   • Don't rely on obscurity (the slide repeats this line eight times)

13. Hardware Recommendation #2
   • Unlocking a single device should risk only that device's data

14. The Network

15. Crypto on small devices
   • Practical Considerations and Implementation Experiences in Securing Smart Object Networks: http://tools.ietf.org/html/draft-aks-crypto-sensors-02

16. ROM requirements

17. ECC is possible (and about fast enough)

18. Crypto
   • Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

19. Won't ARM just solve this problem?

20. Cost matters
   • 8 bits: $5 retail, $1 or less to embed
   • 32 bits: $25 retail, $?? to embed

21. Another option?

22. SIMON and SPECK: https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html

23. Datagram Transport Layer Security (DTLS)
   • UDP-based equivalent to TLS: https://tools.ietf.org/html/rfc4347

24. Key distribution

25. CoAP: Constrained Application Protocol
   • http://tools.ietf.org/html/draft-ietf-core-coap-18
   • REST-like model built on UDP
   • Californium project coming soon to Eclipse IoT
   • No authentication or authorization: relies on DTLS or data in the body

26. MQTT

27. MQTT
   • Very lightweight messaging protocol
   • Designed for 8-bit controllers, SCADA, etc.
   • Low power, low bandwidth
   • Binary header of 2 bytes
   • Lots of implementations: Mosquitto, Paho, RSMB and Moquette from Eclipse
   • Clients: Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc.
   • Plus an even lighter-weight version for Zigbee: MQTT-SN (Sensor Network)

28. MQTT
   • Relies on TLS for confidentiality
   • Username/Password field

29. Passwords
   • Passwords suck for humans
   • They suck even more for devices

30. Tokens

31. Why OAuth2?
   • Widely implemented
   • Pretty good
   • Of course there is never 100% agreement or certainty with security protocols
   • Not just HTTP: http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-12
   • OAuth2 used with SSL

32. Why FIAM for IoT?
   • Can enable a meaningful consent mechanism for sharing of device data
   • Giving a device a token to use on API calls is better than giving it a password: revokable, granular
   • Maybe relevant for both device to cloud and cloud to app

33. Two aspects of using OAuth with IoT
   • On the device: tokens are good, limiting the access of the device
   • On the cloud: putting users in control of their data; just good current practice
   • Demo with MQTT, but not just for MQTT: also for the cloud, CoAP, and other protocols too

34. Demo components
   • Mosquitto (Open Source MQTT Broker) acting as Resource Server
   • mosquitto_py_auth
   • mqtt-oauth2.py
   • IdP: WSO2 Identity Server
   • ESB
   • Introspection API
   • Refresher.py
   • Arduino
   • CreateToken.py

35. WSO2 Identity Server

36. Lessons learnt
   • MQTT and MPU/I2C code is 97% of the Duemilanove; adding the final logic to do the OAuth2 flow pushed it to 99%
   • No TLS in this demo is a big issue
   • Different OAuth2 implementations behave differently (e.g. changing the refresh token every time you refresh)
   • Need to be able to update the scope of a token if this will work for long-term embedded devices
   • The refresh flow should not really go via the Resource Server
   • Easy fix: MQTT should have a well-defined model for sending a message to just one client (securely)

37. What I haven't covered enough of

38. Summary
   • Think about security with your next device
   • We as a community need to make sure that the next generation of IoT devices are secure
   • We need to create exemplars: shields, libraries, server software, standards

39. Questions?
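The demo on slides 33 to 36 has the broker act as an OAuth2 resource server: the device presents its access token in the MQTT password field, the broker introspects it against the identity server, and the token's scopes decide which topics the device may publish or subscribe to. The following is an added illustration of that check, not the talk's mqtt-oauth2.py; the introspection lookup is a constructed in-memory stand-in for the IdP's introspection API, and the `<action>:<topic>` scope convention and the function names are assumptions of this example.

```python
import time

# Constructed stand-in for the identity server's token introspection
# endpoint (RFC 7662 style fields). A real broker plugin would POST the
# token to the IdP over TLS; a dict keeps this example runnable offline.
_INTROSPECTION_DB = {
    "tok-sensor-42": {"active": True, "client_id": "arduino-42",
                      "scope": "publish:sensors/42 subscribe:cmd/42",
                      "exp": 4102444800},  # far-future expiry (constructed)
    "tok-expired":   {"active": True, "client_id": "arduino-7",
                      "scope": "publish:sensors/7", "exp": 1000000000},
    "tok-revoked":   {"active": False},   # revoked at the IdP, so revocation works
}

def introspect(token):
    """Return the introspection response for a token (constructed lookup)."""
    return _INTROSPECTION_DB.get(token, {"active": False})

def _is_live(info, now):
    """A token is usable only if the IdP says active and it has not expired."""
    return bool(info.get("active")) and info.get("exp", now + 1) > now

def authenticate(username, password, now=None):
    """MQTT CONNECT check: the device sends its access token as the password.
    Returns the client_id the token is bound to, or None to refuse the CONNECT."""
    now = time.time() if now is None else now
    info = introspect(password)
    if not _is_live(info, now):
        return None
    # The token is issued to one client; the presented username must match it,
    # so a token lifted from one device cannot be replayed under another name.
    return info["client_id"] if info.get("client_id") == username else None

def check_acl(password, topic, action, now=None):
    """Topic-level authorization derived from the token's scopes (slide 33:
    limiting the access of the device). `action` is 'publish' or 'subscribe';
    scope entries follow the constructed '<action>:<topic>' convention."""
    now = time.time() if now is None else now
    info = introspect(password)
    if not _is_live(info, now):
        return False
    for scope in info.get("scope", "").split():
        allowed_action, _, allowed_topic = scope.partition(":")
        if allowed_action == action and topic == allowed_topic:
            return True
    return False  # default deny: no scope grants this action on this topic
```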