
Your Thing is Pwned - Security Challenges for the IoT

The Internet of Things and Machine to Machine are growing areas, and security and privacy are prime issues. In this session security challenges are examined around using M2M devices with protocols such as MQTT & CoAP - encryption, federated identity and authorisation models in particular.

On the topic of encryption, we’ll examine securing MQTT with TLS, challenges with Arduino, and using hardware encryption for microcontrollers. A key privacy requirement for user-centric IoT use cases will be giving users control over how their things collect and share data. On the Internet, protocols like OAuth 2.0, OpenID Connect & User Managed Access have been defined to enable a privacy-respecting user consent & authorization model. We'll look at the issues with applying these protocols to the M2M world and review existing proposals & activity for extending the above M2M protocols to include federated identity concepts.

The session included a live demonstration of Arduino and Eclipse Paho interoperating, secured by OAuth 2.0.



  1. Your Thing is pwnd: Security Challenges for the Internet of Things
     Paul Fremantle, CTO, WSO2 (paul@wso2.com); PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk)
     @pzfreo #wso2 #iotconf @iotconf
  2. Firstly, does it even matter?
  3. My three rules for IoT security
     • 1. Don't be stupid
     • 2. Be smart
     • 3. Think about what's different
  4. My three rules for IoT security
     • 1. Don't be stupid – the basics of Internet security haven't gone away
     • 2. Be smart – use the best practice from the Internet
     • 3. Think about what's different – what are the unique challenges of your device?
  5. "Google Hacking"
  6. http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
  7. http://freo.me/1pbUmof
  8. So what is different about IoT?
     • The longevity of the device – updates are harder (or impossible)
     • The size of the device – capabilities are limited, especially around crypto
     • The fact there is a device – usually no UI for entering user IDs and passwords
     • The data – often highly personal
     • The mindset – appliance manufacturers don't think like security experts; embedded systems are often developed by grabbing existing chips, designs, etc.
  9. Physical hacks
     • A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
     • Karsten Nohl and Henryk Plötz, MIFARE, Little Security, Despite Obscurity
  10. UltraReset: https://intrepidusgroup.com/insight/2012/09/ultrareset-bypassing-nfc-access-control-with-your-smartphone/
  11. Or try this at home? http://freo.me/1g15BiG
  12. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
  13. Hardware recommendations
     • Don't rely on obscurity
  14. Hardware recommendations
     • Don't rely on obscurity (repeated seven times on the slide, for emphasis)
  15. Hardware recommendation #2
     • Unlocking a single device should risk only that device's data
  16. The Network
  17. Crypto on small devices
     • Practical Considerations and Implementation Experiences in Securing Smart Object Networks – http://tools.ietf.org/html/draft-aks-crypto-sensors-02
  18. ROM requirements
  19. ECC is possible (and about fast enough)
  20. Crypto – borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
  21. Won't ARM just solve this problem?
  22. Cost matters
     • 8-bit: $5 retail, $1 or less to embed
     • 32-bit: $25 retail, $?? to embed
  23. Another option?
  24. SIMON and SPECK: https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
  25. Datagram Transport Layer Security (DTLS)
     • UDP-based equivalent to TLS
     • https://tools.ietf.org/html/rfc4347
  26. Key distribution
  27. How do you distribute keys to devices?
     • Usually at manufacture time
     • Complex to update
     • What about expiration?
  28. Passwords
     • Passwords suck for humans
     • They suck even more for devices
  29. MQTT
  30. Why federated identity for IoT?
     • Can enable a meaningful consent mechanism for sharing of device data
     • Giving a device a token to use on API calls is better than giving it a password – revokable, granular
     • May be relevant for both device to cloud and cloud to app
  31. Device to cloud
     • Put an OAuth2 token on the device
     • Set the "scope" to be limited – this device can publish to this topic
     • Support the refresh model
  32. Quick demo
     • Apologies… this is not a "slick" demo!
  33. Cloud to app
     • The same technology can be used to enable some app to subscribe to a specific topic
     • Much easier than with Arduino!
  34. Lessons learnt
     • OAuth2 token lengths are usually OK (no promise though) – OpenID Connect tokens are much larger
     • Registration is hard
     • MQTT and MPU / I2C code already fills 97% of the Duemilanove's program memory – adding the final logic for the OAuth2 flow pushed it to 99% – no TLS in this demo is a big issue
     • Different OAuth2 implementations behave differently – need to disable updating the refresh token with every refresh
     • Need to be able to update the scope of a token if this is to work for long-term embedded devices
     • MQTT needs some better-designed patterns for RPC – standardised
  35. More information: http://pzf.fremantle.org/2013/11/using-oauth-20-with-mqtt.html and http://siot-workshop.org/
  36. OpenID Connect
  37. Are you creating the next privacy breach?
  38. Summary
     • Think about security with your next device
     • We as a community need to make sure that the next generation of IoT devices is secure
     • We need to create exemplars – shields, libraries, server software, standards
  39. WSO2 Reference Architecture for the Internet of Things: http://freo.me/iotra
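The abstract and slides 30, 31, 33 and 34 describe giving a device a scope-limited OAuth2 token so that it can publish only to its own MQTT topic, while an app gets a token that lets it subscribe. The following is an added example of the broker-side check that makes that work; it is not code from the talk, from Paho or from WSO2. The token store, the `action:topic-pattern` scope syntax and the token names are constructed for the example.

```python
import time

# Constructed token store standing in for an OAuth2 authorization server's
# token introspection response; a real broker plugin would query the server
# over HTTPS. Scopes use the form "<action>:<topic pattern>" (an assumption
# of this example, not a scope syntax defined by the talk or by MQTT).
FAR_FUTURE, LONG_AGO = 4102444800, 1000000000
TOKENS = {
    # the Arduino sensor: may publish its own telemetry, nothing else
    "tok-sensor-42": {"active": True, "exp": FAR_FUTURE,
                      "scope": "publish:devices/42/telemetry"},
    # a cloud app: may subscribe to everything under device 42
    "tok-app-viewer": {"active": True, "exp": FAR_FUTURE,
                       "scope": "subscribe:devices/42/#"},
    # a token whose lifetime has ended: the client must run the refresh flow
    "tok-stale": {"active": True, "exp": LONG_AGO,
                  "scope": "publish:devices/7/telemetry"},
}


def introspect(token, now=None):
    """Return the token's claims, or None if unknown, revoked or expired."""
    claims = TOKENS.get(token)
    if claims is None or not claims["active"]:
        return None
    if claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims


def topic_matches(pattern, topic):
    """Exact match, or an MQTT-style trailing '#' covering the subtree."""
    if pattern.endswith("/#"):
        base = pattern[:-2]
        return topic == base or topic.startswith(base + "/")
    return topic == pattern


def authorize(token, action, topic, now=None):
    """Broker-side check: allow `action` ('publish' or 'subscribe') on `topic`
    only when the token is valid and carries a scope covering that topic."""
    claims = introspect(token, now)
    if claims is None:
        return False
    for scope in claims["scope"].split():
        scope_action, sep, pattern = scope.partition(":")
        if sep and scope_action == action and topic_matches(pattern, topic):
            return True
    return False
```

A sensor token that is stolen from one device therefore cannot be used to publish under another device's topic or to subscribe at all, and an expired token is refused until the refresh flow has issued a new one.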
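Slides 15, 26 and 27 ask for keys that are provisioned per device at manufacture time, where extracting one device's key exposes only that device, and that can be replaced when they expire. As an added example (not from the talk or from WSO2), the block below derives such keys from a factory master key with HKDF (RFC 5869), so each device holds a key that cannot be turned into any other device's key without the master. The master key, salt, serial format and derivation label are constructed assumptions.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed factory secret and salt for the example; a real manufacturer
# would keep the master key in an HSM and never write it into any device.
FACTORY_MASTER_KEY = bytes.fromhex("0f" * 32)
FACTORY_SALT = b"example-product-line-salt"


def device_key(master_key, device_serial, key_version):
    """Key burned into one device at manufacture time. Only the master key can
    derive it, so a key extracted from one device says nothing about another's;
    bumping key_version yields a fresh key for re-provisioning or expiry."""
    info = b"device-key|" + device_serial.encode() + b"|v%d" % key_version
    return hkdf_sha256(master_key, FACTORY_SALT, info, 32)


def provision(master_key, serials, key_version=1):
    """Per-device keys for a production batch, keyed by serial number."""
    return {s: device_key(master_key, s, key_version) for s in serials}


def distinct_keys(keys):
    """True when no two devices in the batch were given the same key."""
    return len(set(keys.values())) == len(keys)
```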
