Paul Fremantle, profile picture
Uploaded byPaul Fremantle
PPTX, PDF9,540 views

Securing the Internet of Things

The document discusses the security challenges in the Internet of Things (IoT), highlighting issues such as device longevity, limited capabilities, and the lack of security expertise among appliance manufacturers. It recommends using secure hardware practices, cryptography, and the OAuth2 mechanism for authentication to improve device security. The author emphasizes the need for the community to ensure the next generation of IoT devices is designed with security as a priority.

Technology
Related topics:
Internet of Things

Embed presentation

Downloaded 616 times
Securing the Internet of Things Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo Paul Madsen* Technical Architect, PingIdentity (pmadsen@pingidentity.com) @paulmadsen *Paul M helped me with the initial content, but I take responsibility for anything you don’t like in this slide deck.
About me • CTO and Co-Founder WSO2 – Open Source Middleware platform • Part-time PhD looking at security • Working in Apache for 14 years • Working with Cloud, SOA, APIs, MQTT, IoT 3
Firstly, does it matter?
“Google Hacking”
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
http://freo.me/1pbUmof
So what is different about IoT? • The longevity of the device – Updates are harder (or impossible) • The size of the device – Capabilities are limited – especially around crypto • The fact there is a device – Usually no UI for entering userids and passwords • The data – Often highly personal • The mindset – Appliance manufacturers don’t think like security experts – Embedded systems are often developed by grabbing existing chips, designs, etc
Physical Hacks A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
Or try this at home? http://freo.me/1g15BiG
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
Hardware recommendations • Don’t rely on obscurity
Hardware recommendations • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity
Hardware Recommendation #2 • Unlocking a single device should risk only that device’s data
The Network
Crypto on small devices • Practical Considerations and Implementation Experiences in Securing Smart Object Networks – http://tools.ietf.org/html/draft-aks-crypto-sensors-02
ROM requirements
ECC is possible (and about fast enough)
Crypto Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
Won’t ARM just solve this problem?
Cost matters 8 bits $5 retail $1 or less to embed 32 bits $25 retail $?? to embed
Another option?
SIMON and SPECK https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
Datagram Transport Layer Security (DTLS) • UDP based equivalent to TLS • https://tools.ietf.org/html/rfc4347
Key distribution
CoAP • Constrained Application Protocol – http://tools.ietf.org/html/draft-ietf-core-coap-18 – REST-like model built on UDP – Californium project coming soon to Eclipse IoT • No authentication or authorization – Relies on DLTS or data in the body
MQTT
MQTT • Very lightweight messaging protocol – Designed for 8-bit controllers, SCADA, etc – Low power, low bandwidth – Binary header of 2 bytes – Lots of implementations • Mosquitto, Paho, RSMB and Moquette from Eclipse – Clients: • Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc • Plus an even lighter-weight version for Zigbee – MQTT-SN (Sensor Network)
MQTT • Relies on TLS for confidentiality • Username/Password field
Passwords • Passwords suck for humans • They suck even more for devices
Tokens
Why OAuth2? • Widely implemented • Pretty good – Of course there is never 100% agreement – Or certainty with security protocols • Not just HTTP: – http://tools.ietf.org/html/draft-ietf-kitten-sasl- oauth-12 – OAuth2 used with SSL
Why FIAM for IoT? • Can enable a meaningful consent mechanism for sharing of device data • Giving a device a token to use on API calls better than giving it a password – Revokable – Granular • May be relevant for both – Device to cloud – Cloud to app
Two aspects using OAuth with IoT • On the device – Tokens are good – Limiting the access of the device • On the cloud – Putting users in control of their data – Just good current practice • Demo with MQTT – But not just for MQTT – Also for the cloud, CoAP, and other protocols too
Demo components Mosquitto (Open Source MQTT Broker) Acting as “Resource Server” Mosquitto_py_auth mqtt-oauth2.py IdP WSO2 Identity Server ESB Introspection API Refresher.py Arduino CreateToken.py 1 2 3 4 5 6
WSO2 Identity Server
Lessons learnt • MQTT and MPU / I2C code is 97% of Duemilanove – Adding the final logic to do OAuth2 flow pushed it to 99% – No TLS in this demo is a big issue • Different Oauth2 implementations behave differently (e.g. changing the refresh token every time you refresh) • Need to be able to update the scope of token if this will work for long term embedded devices • The refresh flow should not really go via the Resource server – Easy fix • MQTT should have a well defined model for sending a message to just one client (securely)
What I haven’t covered enough of
Summary • Think about security with your next device • We as a community need to make sure that the next generation of IoT devices are secure • We need to create exemplars – Shields – Libraries – Server software – Standards
Questions?

More Related Content

PPTX
Internet of Things Security
byTutun Juhana
 
PDF
The 5 elements of IoT security
byJulien Vermillard
 
PPTX
IoT Security Imperative: Stop your Fridge from Sending you Spam
byAmit Rohatgi
 
PPTX
Your Thing is Pwned - Security Challenges for the IoT
byWSO2
 
PDF
Internet of Things Security Patterns
byMark Benson
 
PPTX
IoT World - creating a secure robust IoT reference architecture
byPaul Fremantle
 
PPTX
IoT Security: Cases and Methods [CON5446]
byLeonardo De Moura Rocha Lima
 
PPT
IoT Security by Sanjay Kumar
byOWASP Delhi
 
Internet of Things Security
byTutun Juhana
 
The 5 elements of IoT security
byJulien Vermillard
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
byAmit Rohatgi
 
Your Thing is Pwned - Security Challenges for the IoT
byWSO2
 
Internet of Things Security Patterns
byMark Benson
 
IoT World - creating a secure robust IoT reference architecture
byPaul Fremantle
 
IoT Security: Cases and Methods [CON5446]
byLeonardo De Moura Rocha Lima
 
IoT Security by Sanjay Kumar
byOWASP Delhi
 

What's hot

PDF
Federated Identity for IoT with OAuth2
byPaul Fremantle
 
PPTX
Application layer Security in IoT: A Survey
byAdeel Ahmed
 
PPTX
Introduction to the Internet of Things
byAlexandru Radovici
 
PDF
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
byDesign World
 
PDF
Owasp top 10
byveerababu penugonda(Mr-IoT)
 
PPTX
Iot Security
byMAITREYA MISRA
 
PDF
Security challenges for IoT
byWSO2
 
PPTX
IoT Security: Cases and Methods
byLeonardo De Moura Rocha Lima
 
PPTX
Iot top 10 vulnerabilities and misconceptions 2016
byErez Metula
 
PDF
IoT Security, Mirai Revisited
byClare Nelson, CISSP, CIPP-E
 
PDF
IoT security zigbee -- Null Meet bangalore
byveerababu penugonda(Mr-IoT)
 
PPTX
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
PPTX
Automatski - The Internet of Things - Security in IoT
byautomatskicorporation
 
PDF
Security in the Internet of Things
byForgeRock
 
PPT
IoT Security – Executing an Effective Security Testing Process
byEC-Council
 
PPTX
Iot Security, Internet of Things
byBryan Len
 
PPTX
Enabling Data Protection through PKI encryption in IoT m-Health Devices
byCharalampos Doukas
 
PDF
IoT Security in Action - Boston Sept 2015
byEurotech
 
PPTX
IOT privacy and Security
bynoornabi16
 
PPTX
Internet of Things: Identity & Security with Open Standards
byGeorge Fletcher
 
Federated Identity for IoT with OAuth2
byPaul Fremantle
 
Application layer Security in IoT: A Survey
byAdeel Ahmed
 
Introduction to the Internet of Things
byAlexandru Radovici
 
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
byDesign World
 
Owasp top 10
byveerababu penugonda(Mr-IoT)
 
Iot Security
byMAITREYA MISRA
 
Security challenges for IoT
byWSO2
 
IoT Security: Cases and Methods
byLeonardo De Moura Rocha Lima
 
Iot top 10 vulnerabilities and misconceptions 2016
byErez Metula
 
IoT Security, Mirai Revisited
byClare Nelson, CISSP, CIPP-E
 
IoT security zigbee -- Null Meet bangalore
byveerababu penugonda(Mr-IoT)
 
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
Automatski - The Internet of Things - Security in IoT
byautomatskicorporation
 
Security in the Internet of Things
byForgeRock
 
IoT Security – Executing an Effective Security Testing Process
byEC-Council
 
Iot Security, Internet of Things
byBryan Len
 
Enabling Data Protection through PKI encryption in IoT m-Health Devices
byCharalampos Doukas
 
IoT Security in Action - Boston Sept 2015
byEurotech
 
IOT privacy and Security
bynoornabi16
 
Internet of Things: Identity & Security with Open Standards
byGeorge Fletcher
 

Viewers also liked

PPTX
A military perspective on cyber security
byJoey Hernandez
 
PPTX
Practical Security with MQTT and Mosquitto
bynbarendt
 
PDF
MQTT Hacks for Fun and... Fun!
byAndy Piper
 
PDF
Securing MQTT - BuildingIoT 2016 slides
byDominik Obermaier
 
PDF
MQTT - MQ Telemetry Transport for Message Queueing
byPeter R. Egli
 
PPT
Military Robots
bynsapre
 
PPTX
Indian Army
bySridhar Srinivas
 
PPTX
Indian army
byakash_metaliya
 
PPT
Network security
byGichelle Amon
 
PPTX
Civil – military relations in india a perspective
byUmong Sethi
 
PPTX
Cyber security
bySiblu28
 
PPT
Network Security Threats and Solutions
byColin058
 
PPTX
IoT - IT 423 ppt
byMhae Lyn
 
A military perspective on cyber security
byJoey Hernandez
 
Practical Security with MQTT and Mosquitto
bynbarendt
 
MQTT Hacks for Fun and... Fun!
byAndy Piper
 
Securing MQTT - BuildingIoT 2016 slides
byDominik Obermaier
 
MQTT - MQ Telemetry Transport for Message Queueing
byPeter R. Egli
 
Military Robots
bynsapre
 
Indian Army
bySridhar Srinivas
 
Indian army
byakash_metaliya
 
Network security
byGichelle Amon
 
Civil – military relations in india a perspective
byUmong Sethi
 
Cyber security
bySiblu28
 
Network Security Threats and Solutions
byColin058
 
IoT - IT 423 ppt
byMhae Lyn
 

Similar to Securing the Internet of Things

PDF
Securing IoT Applications
byWSO2
 
PPTX
Your Thing is pwnd - Security Challenges for the Internet of Things
byWSO2
 
PDF
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
byWSO2
 
PPTX
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
byWSO2
 
PPTX
Security issues and solutions : IoT
byJinia Bhowmik
 
PPTX
Seminar V2
byMoustafa Najm
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
PDF
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
byBrian Knopf
 
PDF
The Considerations for Internet of Things @ 2017
byJian-Hong Pan
 
PDF
Security in Cyber-Physical Systems
byBob Marcus
 
PDF
February 2025 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 
PDF
January 2025 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 
PDF
April 2025 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 
PDF
December 2021: Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
PDF
April 2022 - Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
PDF
March 2022 - Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
PDF
August 2025 - Top 10 Read Articles in Network Security & Its Applications
byIJNSA Journal
 
PDF
May 2025 - Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
PDF
June 2023: Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
PDF
May 2024 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 
Securing IoT Applications
byWSO2
 
Your Thing is pwnd - Security Challenges for the Internet of Things
byWSO2
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
byWSO2
 
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
byWSO2
 
Security issues and solutions : IoT
byJinia Bhowmik
 
Seminar V2
byMoustafa Najm
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
byBrian Knopf
 
The Considerations for Internet of Things @ 2017
byJian-Hong Pan
 
Security in Cyber-Physical Systems
byBob Marcus
 
February 2025 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 
January 2025 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 
April 2025 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 
December 2021: Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
April 2022 - Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
March 2022 - Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
August 2025 - Top 10 Read Articles in Network Security & Its Applications
byIJNSA Journal
 
May 2025 - Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
June 2023: Top 10 Read Articles in Network Security and Its Applications
byIJNSA Journal
 
May 2024 - Top 10 Read Articles in Network Security & Its Applications.pdf
byIJNSA Journal
 

More from Paul Fremantle

PDF
IoT and Blockchains - enhancing security and privacy
byPaul Fremantle
 
PPTX
Anonymous Individual Integration for IoT
byPaul Fremantle
 
PPTX
Web API Management meets the Internet of Things
byPaul Fremantle
 
PPTX
Apache Stratos - Building a PaaS using OSGi and Equinox
byPaul Fremantle
 
PDF
Beyond Economics - Cloud as a Business Enabler
byPaul Fremantle
 
PDF
Evolution of PaaS
byPaul Fremantle
 
PDF
The Evolution of Integration
byPaul Fremantle
 
PPTX
High Volume Web API Management with the WSO2 ESB
byPaul Fremantle
 
PDF
Stratos Open PaaS OSCON 2011
byPaul Fremantle
 
PPT
Stratos and PaaS for London Java Community
byPaul Fremantle
 
PPT
Understanding Platform as a Service
byPaul Fremantle
 
PPT
Making Apache Tomcat Multi-tenant, Elastic and Metered
byPaul Fremantle
 
PPT
Building Cloud Native Software
byPaul Fremantle
 
PPT
Building Innovation with Open Source Approaches
byPaul Fremantle
 
PPT
Three SOA Case Studies
byPaul Fremantle
 
PPT
Fast SOA with Apache Synapse
byPaul Fremantle
 
PPT
REST vs WS-*: Myths Facts and Lies
byPaul Fremantle
 
IoT and Blockchains - enhancing security and privacy
byPaul Fremantle
 
Anonymous Individual Integration for IoT
byPaul Fremantle
 
Web API Management meets the Internet of Things
byPaul Fremantle
 
Apache Stratos - Building a PaaS using OSGi and Equinox
byPaul Fremantle
 
Beyond Economics - Cloud as a Business Enabler
byPaul Fremantle
 
Evolution of PaaS
byPaul Fremantle
 
The Evolution of Integration
byPaul Fremantle
 
High Volume Web API Management with the WSO2 ESB
byPaul Fremantle
 
Stratos Open PaaS OSCON 2011
byPaul Fremantle
 
Stratos and PaaS for London Java Community
byPaul Fremantle
 
Understanding Platform as a Service
byPaul Fremantle
 
Making Apache Tomcat Multi-tenant, Elastic and Metered
byPaul Fremantle
 
Building Cloud Native Software
byPaul Fremantle
 
Building Innovation with Open Source Approaches
byPaul Fremantle
 
Three SOA Case Studies
byPaul Fremantle
 
Fast SOA with Apache Synapse
byPaul Fremantle
 
REST vs WS-*: Myths Facts and Lies
byPaul Fremantle
 

Recently uploaded

PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The year in review - MarvelClient in 2025
bypanagenda
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 

Securing the Internet of Things

  • 1.
    Securing the Internetof Things Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo Paul Madsen* Technical Architect, PingIdentity (pmadsen@pingidentity.com) @paulmadsen *Paul M helped me with the initial content, but I take responsibility for anything you don’t like in this slide deck.
  • 3.
    About me • CTOand Co-Founder WSO2 – Open Source Middleware platform • Part-time PhD looking at security • Working in Apache for 14 years • Working with Cloud, SOA, APIs, MQTT, IoT 3
  • 4.
  • 7.
  • 8.
  • 10.
  • 11.
    So what isdifferent about IoT? • The longevity of the device – Updates are harder (or impossible) • The size of the device – Capabilities are limited – especially around crypto • The fact there is a device – Usually no UI for entering userids and passwords • The data – Often highly personal • The mindset – Appliance manufacturers don’t think like security experts – Embedded systems are often developed by grabbing existing chips, designs, etc
  • 12.
    Physical Hacks A PracticalAttack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
  • 14.
    Or try thisat home? http://freo.me/1g15BiG
  • 15.
  • 16.
  • 17.
    Hardware recommendations • Don’trely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity
  • 18.
    Hardware Recommendation #2 •Unlocking a single device should risk only that device’s data
  • 19.
  • 20.
    Crypto on smalldevices • Practical Considerations and Implementation Experiences in Securing Smart Object Networks – http://tools.ietf.org/html/draft-aks-crypto-sensors-02
  • 21.
  • 22.
    ECC is possible (andabout fast enough)
  • 24.
    Crypto Borrowed from ChrisSwan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
  • 25.
    Won’t ARM justsolve this problem?
  • 26.
    Cost matters 8 bits $5retail $1 or less to embed 32 bits $25 retail $?? to embed
  • 27.
  • 28.
  • 29.
    Datagram Transport LayerSecurity (DTLS) • UDP based equivalent to TLS • https://tools.ietf.org/html/rfc4347
  • 30.
  • 32.
    CoAP • Constrained ApplicationProtocol – http://tools.ietf.org/html/draft-ietf-core-coap-18 – REST-like model built on UDP – Californium project coming soon to Eclipse IoT • No authentication or authorization – Relies on DLTS or data in the body
  • 33.
  • 34.
    MQTT • Very lightweightmessaging protocol – Designed for 8-bit controllers, SCADA, etc – Low power, low bandwidth – Binary header of 2 bytes – Lots of implementations • Mosquitto, Paho, RSMB and Moquette from Eclipse – Clients: • Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc • Plus an even lighter-weight version for Zigbee – MQTT-SN (Sensor Network)
  • 35.
    MQTT • Relies onTLS for confidentiality • Username/Password field
  • 36.
    Passwords • Passwords suckfor humans • They suck even more for devices
  • 37.
  • 39.
    Why OAuth2? • Widelyimplemented • Pretty good – Of course there is never 100% agreement – Or certainty with security protocols • Not just HTTP: – http://tools.ietf.org/html/draft-ietf-kitten-sasl- oauth-12 – OAuth2 used with SSL
  • 42.
    Why FIAM forIoT? • Can enable a meaningful consent mechanism for sharing of device data • Giving a device a token to use on API calls better than giving it a password – Revokable – Granular • May be relevant for both – Device to cloud – Cloud to app
  • 43.
    Two aspects usingOAuth with IoT • On the device – Tokens are good – Limiting the access of the device • On the cloud – Putting users in control of their data – Just good current practice • Demo with MQTT – But not just for MQTT – Also for the cloud, CoAP, and other protocols too
  • 44.
    Demo components Mosquitto (Open SourceMQTT Broker) Acting as “Resource Server” Mosquitto_py_auth mqtt-oauth2.py IdP WSO2 Identity Server ESB Introspection API Refresher.py Arduino CreateToken.py 1 2 3 4 5 6
  • 45.
  • 46.
    Lessons learnt • MQTTand MPU / I2C code is 97% of Duemilanove – Adding the final logic to do OAuth2 flow pushed it to 99% – No TLS in this demo is a big issue • Different Oauth2 implementations behave differently (e.g. changing the refresh token every time you refresh) • Need to be able to update the scope of token if this will work for long term embedded devices • The refresh flow should not really go via the Resource server – Easy fix • MQTT should have a well defined model for sending a message to just one client (securely)
  • 47.
    What I haven’tcovered enough of
  • 48.
    Summary • Think aboutsecurity with your next device • We as a community need to make sure that the next generation of IoT devices are secure • We need to create exemplars – Shields – Libraries – Server software – Standards
  • 49.