0
Your Thing is pwnd
Security Challenges for the Internet
of Things	
  
Paul	
  Fremantle	
  
CTO	
  and	
  Co-­‐Founder,	
 ...
Firstly,	
  does	
  it	
  even	
  maAer?	
  
	
  
“Google
Hacking”
My	
  three	
  rules	
  for	
  IoT	
  security	
  
•  1.	
  Don’t	
  be	
  dumb	
  
•  2.	
  Think	
  about	
  what’s	
  d...
My	
  three	
  rules	
  for	
  IoT	
  security	
  
•  1.	
  Don’t	
  be	
  dumb	
  
–  The	
  basics	
  of	
  Internet	
  ...
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
http://freo.me/1pbUmofhttp://freo.me/1pbUmof
So	
  what	
  is	
  different	
  about	
  IoT?	
  
•  The	
  fact	
  there	
  is	
  a	
  device	
  
–  Yes	
  –	
  its	
  h...
Physical	
  Hacks	
  
A Practical Attack on the MIFARE Classic:
http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pd...
Or	
  try	
  this	
  at	
  home?	
  
hAp://freo.me/1g15BiG	
  	
  
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
Hardware	
  recommendaQons	
  
•  Don’t	
  rely	
  on	
  obscurity	
  
	
  
Hardware	
  recommendaQons	
  
•  Don’t	
  rely	
  on	
  obscurity	
  
•  Don’t	
  rely	
  on	
  obscurity	
  
•  Don’t	
 ...
Hardware	
  RecommendaQon	
  #2	
  	
  
•  Unlocking	
  a	
  single	
  device	
  should	
  risk	
  only	
  that	
  
device...
The	
  Network	
  
hAp://ubertooth.sourceforge.net/	
  hAps://www.usenix.org/conference/woot13/
workshop-­‐program/presentaQon/ryan	
  
Crypto	
  on	
  small	
  devices	
  
•  PracQcal	
  ConsideraQons	
  and	
  ImplementaQon	
  Experiences	
  in	
  
Securin...
ROM	
  requirements	
  
ECC	
  is	
  possible	
  	
  
(and	
  about	
  fast	
  enough)	
  
Crypto	
  
Borrowed from Chris Swan:
http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
Won’t	
  ARM	
  just	
  solve	
  this	
  problem?	
  
Cost	
  maAers	
  
8 bits
$5 retail
$1 or less to embed
32 bits
$25 retail
$?? to embed
Another	
  opQon?	
  
SIMON	
  and	
  SPECK	
  
https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
Datagram	
  Transport	
  Layer	
  
Security	
  (DTLS)	
  
•  UDP	
  based	
  equivalent	
  to	
  TLS	
  
•  hAps://tools.i...
Key	
  distribuQon	
  
Passwords	
  
•  Passwords	
  suck	
  for	
  humans	
  
•  They	
  suck	
  even	
  more	
  for	
  devices	
  
	
  
Why	
  Federated	
  IdenQty	
  for	
  Things?	
  
•  Enable	
  a	
  meaningful	
  consent	
  mechanism	
  for	
  sharing	
...
MQTT	
  
MQTT	
  and	
  OAuth2	
  
	
  
 	
  
An	
  	
  
Open	
  Source	
  	
  
IdenQty	
  
and	
  	
  
EnQtlement	
  
Management	
  	
  
Server	
  
	
  	
  
Apac...
Other	
  WSO2	
  technology	
  to	
  help	
  you	
  
•  WSO2	
  BAM	
  –	
  monitoring	
  
•  WSO2	
  CEP	
  –	
  realQme	...
Real	
  Qme	
  event	
  processing	
  
Are you setting up for
the next privacy or
security breach?
Exemplars	
  
•  Shields	
  
•  Libraries	
  
•  Server	
  Frameworks	
  
•  Standards	
  and	
  Profiles	
  
Summary	
  
•  1.	
  Don’t	
  be	
  dumb	
  
•  2.	
  Think	
  about	
  the	
  differences	
  
•  3.	
  Be	
  smart	
  	
  ...
WSO2 Reference Architecture for the Internet of Things http://freo.me/iot-ra
Thank	
  You	
  
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Security challenges for IoT
Upcoming SlideShare
Loading in...5
×

Security challenges for IoT

1,521

Published on

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,521
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
140
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Transcript of "Security challenges for IoT"

  1. 1. Your Thing is pwnd Security Challenges for the Internet of Things   Paul  Fremantle   CTO  and  Co-­‐Founder,  WSO2   @pzfreo  #wso2  #wso2con  
  2. 2. Firstly,  does  it  even  maAer?    
  3. 3. “Google Hacking”
  4. 4. My  three  rules  for  IoT  security   •  1.  Don’t  be  dumb   •  2.  Think  about  what’s  different   •  3.  Do  be  smart  
  5. 5. My  three  rules  for  IoT  security   •  1.  Don’t  be  dumb   –  The  basics  of  Internet  security  haven’t  gone  away   •  2.  Think  about  what’s  different   –  What  are  the  unique  challenges  of  your  device?   •  3.  Do  be  smart   –  Use  the  best  pracQce  from  the  Internet  
  6. 6. http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
  7. 7. http://freo.me/1pbUmofhttp://freo.me/1pbUmof
  8. 8. So  what  is  different  about  IoT?   •  The  fact  there  is  a  device   –  Yes  –  its  hardware!     –  Ease  of  use  is  almost  always  at  odds  with  security   •  The  longevity  of  the  device   –  Updates  are  harder  (or  impossible)   •  The  size  of  the  device   –  CapabiliQes  are  limited  –  especially  around  crypto   •  The  data   –  OXen  highly  personal   •  The  mindset   –  Appliance  manufacturers  don’t  always  think  like  security  experts   –  Embedded  systems  are  oXen  developed  by  grabbing  exisQng  chips,  designs,  etc  
  9. 9. Physical  Hacks   A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
  10. 10. Or  try  this  at  home?   hAp://freo.me/1g15BiG    
  11. 11. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
  12. 12. Hardware  recommendaQons   •  Don’t  rely  on  obscurity    
  13. 13. Hardware  recommendaQons   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity   •  Don’t  rely  on  obscurity    
  14. 14. Hardware  RecommendaQon  #2     •  Unlocking  a  single  device  should  risk  only  that   device’s  data  
  15. 15. The  Network  
  16. 16. hAp://ubertooth.sourceforge.net/  hAps://www.usenix.org/conference/woot13/ workshop-­‐program/presentaQon/ryan  
  17. 17. Crypto  on  small  devices   •  PracQcal  ConsideraQons  and  ImplementaQon  Experiences  in   Securing  Smart  Object  Networks   –  hAp://tools.ied.org/html/draX-­‐aks-­‐crypto-­‐sensors-­‐02  
  18. 18. ROM  requirements  
  19. 19. ECC  is  possible     (and  about  fast  enough)  
  20. 20. Crypto   Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
  21. 21. Won’t  ARM  just  solve  this  problem?  
  22. 22. Cost  maAers   8 bits $5 retail $1 or less to embed 32 bits $25 retail $?? to embed
  23. 23. Another  opQon?  
  24. 24. SIMON  and  SPECK   https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
  25. 25. Datagram  Transport  Layer   Security  (DTLS)   •  UDP  based  equivalent  to  TLS   •  hAps://tools.ied.org/html/rfc4347  
  26. 26. Key  distribuQon  
  27. 27. Passwords   •  Passwords  suck  for  humans   •  They  suck  even  more  for  devices    
  28. 28. Why  Federated  IdenQty  for  Things?   •  Enable  a  meaningful  consent  mechanism  for  sharing  of  device  data   •  Giving  a  device  a  token  to  use  on  API  calls  beAer  than  giving  it  a   password   –  Revokable   –  Granular   •  May  be  relevant  for  both   –  Device  to  cloud   –  Cloud  to  app   •  “IdenQty  is  the  new  perimeter”  
  29. 29. MQTT  
  30. 30. MQTT  and  OAuth2    
  31. 31.     An     Open  Source     IdenQty   and     EnQtlement   Management     Server       Apache  Licensed   LDAP,  JDBC,  AcQve  Directory,  SCIM,  SPML   SAML2,  OpenID  Connect,  WS-­‐Trust,  Kerberos   OAuth  1.0/2.0,  XACML  2.0,  XACML  3.0   XDAS,  Web  Console,  SOAP  Admin   MulQ-­‐tenant,  Clusterable,  HA,  24x7  support   39   What  is  WSO2  IdenQty  Server?  
  32. 32. Other  WSO2  technology  to  help  you   •  WSO2  BAM  –  monitoring   •  WSO2  CEP  –  realQme  fraud  detecQon   •  WSO2  API  Manager  –  securing  API  endpoints    
  33. 33. Real  Qme  event  processing  
  34. 34. Are you setting up for the next privacy or security breach?
  35. 35. Exemplars   •  Shields   •  Libraries   •  Server  Frameworks   •  Standards  and  Profiles  
  36. 36. Summary   •  1.  Don’t  be  dumb   •  2.  Think  about  the  differences   •  3.  Be  smart     •  4.  Create  and  publish  exemplars  
  37. 37. WSO2 Reference Architecture for the Internet of Things http://freo.me/iot-ra
  38. 38. Thank  You  
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×