Your Thing is pwnd - Security Challenges for the Internet of Things
The growth of Internet-connected devices is hard to comprehend: from health-monitoring gadgets to home-automation systems, the real world is getting Internet connected.

Lots of these devices are built on 8-bit microcontrollers. Often they use unencrypted radio comms or networking, and default passwords. Do we care? Maybe they are too simple, too uninteresting to hack?
We'll visit examples of hacking Things, look at why we should care, and discuss how to fix it.

If you are building a Thing, using an Internet-connected Thing, or working with data from Things, come along to find out what you should know about securing them.

  • “Lots of people are emailing me and joking about what they’d do if they hacked the device,” said Way. “We believe this device is not hackable. But even if somebody managed to get in, the worst consequence would be lots of women having orgasms in unusual places.”

Presentation Transcript

  • Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo #wso2 #solidcon @oreillysolid
  • Firstly, does it even matter?
  • “Google Hacking”
  • My three rules for IoT security
    • 1. Don’t be dumb – The basics of Internet security haven’t gone away
    • 2. Think about what’s different – What are the unique challenges of your device?
    • 3. Do be smart – Use the best practice from the Internet
  • http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
  • http://freo.me/1pbUmof
  • So what is different about IoT?
    • The fact there is a device – Yes – it’s hardware!
      – Ease of use is almost always at odds with security
    • The longevity of the device
      – Updates are harder (or impossible)
    • The size of the device
      – Capabilities are limited – especially around crypto
    • The data
      – Often highly personal
    • The mindset
      – Appliance manufacturers don’t always think like security experts
      – Embedded systems are often developed by grabbing existing chips, designs, etc.
  • Physical Hacks
    • A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
    • Karsten Nohl and Henryk Plötz, MIFARE, Little Security, Despite Obscurity
  • Or try this at home? http://freo.me/1g15BiG
  • http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
  • Hardware recommendations • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity
  • Hardware Recommendation #2 • Unlocking a single device should risk only that device’s data
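    An added example (not code from the talk) of the recommendation above: derive each device’s link key from a master secret with HKDF, so that an attacker who pulls the key off one board can impersonate only that one device. The master secret value, the device-ID format, the salt and the key labels are assumptions made up for the example; the shared-key variant is included only to show the blast radius of the anti-pattern.

```python
"""Per-device keys from a master secret (added example; not code from the talk)."""
import hashlib
import hmac

# Constructed master secret for the example only. In production it lives on the
# provisioning station/HSM; devices never see it, only their derived key.
MASTER_SECRET = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
KEY_LEN = 16  # an AES-128-sized key, about what an 8-bit MCU can afford


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def per_device_key(master: bytes, device_id: bytes) -> bytes:
    """Key unique to one device: dumping it reveals nothing about the others.
    The salt and 'link-key' label are assumed values for this example."""
    return hkdf_sha256(master, b"iot-provisioning-v1", b"link-key\x00" + device_id, KEY_LEN)


def shared_key(master: bytes, device_id: bytes) -> bytes:
    """The anti-pattern: one fleet-wide key baked into every unit (device_id ignored)."""
    return hkdf_sha256(master, b"iot-provisioning-v1", b"fleet-key", KEY_LEN)


def provision(derive, device_ids):
    """What the factory would store per device under either scheme."""
    return {d: derive(MASTER_SECRET, d) for d in device_ids}


def blast_radius(keystore: dict, extracted_key: bytes) -> list:
    """Devices an attacker can impersonate after extracting one key from one board."""
    return [d for d, k in keystore.items() if hmac.compare_digest(k, extracted_key)]


if __name__ == "__main__":
    ids = [b"dev-%03d" % i for i in range(1, 6)]  # constructed device IDs
    per = provision(per_device_key, ids)
    fleet = provision(shared_key, ids)
    print("per-device scheme, key of dev-003 extracted:", blast_radius(per, per[b"dev-003"]))
    print("shared-key scheme, key of dev-003 extracted:", blast_radius(fleet, fleet[b"dev-003"]))
```

    The derivation is deterministic, so the backend can recompute any device’s key from the master secret and the device ID instead of storing a key database; the master secret itself still has to be protected as the crown jewel.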
  • The Network
  • Ubertooth http://ubertooth.sourceforge.net/ https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan
  • Crypto on small devices • Practical Considerations and Implementation Experiences in Securing Smart Object Networks – http://tools.ietf.org/html/draft-aks-crypto-sensors-02
  • ROM requirements
  • ECC is possible (and about fast enough)
  • Crypto Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
  • Won’t ARM just solve this problem?
  • Cost matters
    • 8 bits: $5 retail, $1 or less to embed
    • 32 bits: $25 retail, $?? to embed
  • Another option?
  • SIMON and SPECK https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
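    An added example, not code from the talk or from the cipher designers’ reference implementation: Speck32/64 written out in plain Python, checked against the test vector published in the Speck paper, to show how little code the round function and key schedule need (no S-boxes or tables, only add, rotate and XOR, which is why it fits 8-bit parts). One caveat a practitioner would want: Simon and Speck were rejected for ISO/IEC standardisation in 2018 after objections from cryptographers, so check current guidance before choosing them over a vetted alternative.

```python
"""Speck32/64: 16-bit words, 64-bit key, 22 rounds, pure add-rotate-xor."""
WORD = 16
MASK = (1 << WORD) - 1
ALPHA, BETA, ROUNDS = 7, 2, 22   # rotation amounts and round count for Speck32/64


def rol(x, r):
    return ((x << r) | (x >> (WORD - r))) & MASK


def ror(x, r):
    return ((x >> r) | (x << (WORD - r))) & MASK


def key_schedule(key_words):
    """key_words = (k3, k2, k1, k0) as printed in the Speck paper, most significant first.
    Round keys are produced by running the round function over the key words themselves."""
    k = [key_words[3]]
    l = [key_words[2], key_words[1], key_words[0]]
    for i in range(ROUNDS - 1):
        l.append(((ror(l[i], ALPHA) + k[i]) & MASK) ^ i)
        k.append(rol(k[i], BETA) ^ l[i + 3])
    return k


def encrypt(x, y, round_keys):
    """One block (x, y) of two 16-bit words."""
    for rk in round_keys:
        x = ((ror(x, ALPHA) + y) & MASK) ^ rk
        y = rol(y, BETA) ^ x
    return x, y


def decrypt(x, y, round_keys):
    """Exact inverse of encrypt: undo the xor/rotate, then the add/rotate."""
    for rk in reversed(round_keys):
        y = ror(y ^ x, BETA)
        x = rol(((x ^ rk) - y) & MASK, ALPHA)
    return x, y


# Published test vector from the Speck paper (not a constructed value).
TEST_KEY = (0x1918, 0x1110, 0x0908, 0x0100)
TEST_PT = (0x6574, 0x694C)
TEST_CT = (0xA868, 0x42F2)

if __name__ == "__main__":
    rks = key_schedule(TEST_KEY)
    ct = encrypt(*TEST_PT, rks)
    print("ciphertext %04x %04x, matches paper: %s" % (ct[0], ct[1], ct == TEST_CT))
    print("round trip ok:", decrypt(*ct, rks) == TEST_PT)
```

    Speck32/64 has a 32-bit block, so it is a key-schedule and round-function demonstration, not a recommendation of that block size; the same code with WORD, ALPHA, BETA and ROUNDS changed gives the larger variants.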
  • Datagram Transport Layer Security (DTLS)
    • UDP based equivalent to TLS
    • https://tools.ietf.org/html/rfc4347 (DTLS 1.0; obsoleted by RFC 6347, DTLS 1.2)
  • Key distribution
  • Passwords • Passwords suck for humans • They suck even more for devices
  • Why Federated Identity for Things?
    • Enable a meaningful consent mechanism for sharing of device data
    • Giving a device a token to use on API calls is better than giving it a password
      – Revokable
      – Granular
    • May be relevant for both
      – Device to cloud
      – Cloud to app
    • “Identity is the new perimeter”
  • MQTT
  • MQTT and OAuth2 (demo at the WSO2 booth)
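    An added example (not code from the talk or from the WSO2 booth demo) that ties the token-instead-of-password and MQTT slides together: the device puts its OAuth2 access token in the password field of an MQTT 3.1.1 CONNECT packet, and the broker introspects the token, binds it to the client ID, checks publish scope per topic, and honours revocation, none of which a static device password gives you. The in-memory token table, the `oauth2` username marker, the token strings and the `publish:<topic filter>` scope syntax are assumptions for the example; a real broker would call the authorization server’s introspection endpoint instead of a dict.

```python
"""MQTT 3.1.1 CONNECT carrying an OAuth2 token, with broker-side checks (added example)."""
import struct

# ---- client side: build the CONNECT packet ------------------------------------

def _mqtt_string(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s            # MQTT string: 2-byte length prefix


def _remaining_length(n: int) -> bytes:
    out = bytearray()                                # MQTT variable-length integer
    while True:
        digit, n = n % 128, n // 128
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)


def build_connect(client_id: bytes, username: bytes, password: bytes, keepalive: int = 60) -> bytes:
    flags = 0x80 | 0x40 | 0x02                       # username, password, clean session
    var_header = _mqtt_string(b"MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive)
    payload = _mqtt_string(client_id) + _mqtt_string(username) + _mqtt_string(password)
    body = var_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body

# ---- broker side: parse, introspect, authorize --------------------------------

def parse_connect(pkt: bytes) -> dict:
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    i, mult, n = 1, 1, 0
    while True:                                      # decode remaining length
        b = pkt[i]; i += 1
        n += (b & 0x7F) * mult; mult *= 128
        if not b & 0x80:
            break
    body, pos = pkt[i:i + n], 0

    def read_str():
        nonlocal pos
        ln = struct.unpack(">H", body[pos:pos + 2])[0]
        s = body[pos + 2:pos + 2 + ln]
        pos += 2 + ln
        return s

    proto = read_str()
    level, flags = body[pos], body[pos + 1]
    pos += 4                                         # level, flags, keepalive
    client_id = read_str()
    username = read_str() if flags & 0x80 else None
    password = read_str() if flags & 0x40 else None
    return {"proto": proto, "level": level, "client_id": client_id,
            "username": username, "password": password}


# Constructed stand-in for the authorization server's introspection endpoint.
TOKENS = {
    b"tok-dev-001-9f3a": {"device": b"dev-001",
                          "scopes": ["publish:devices/dev-001/#"], "revoked": False},
}


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' is one level, '#' is everything below."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


CONNACK_ACCEPTED, CONNACK_BAD_PROTOCOL, CONNACK_BAD_CREDENTIALS, CONNACK_NOT_AUTHORIZED = 0, 1, 4, 5


def broker_accept(pkt: bytes) -> int:
    """Return the MQTT 3.1.1 CONNACK return code the broker would send."""
    c = parse_connect(pkt)
    if c["proto"] != b"MQTT" or c["level"] != 4:
        return CONNACK_BAD_PROTOCOL
    tok = TOKENS.get(c["password"])
    if tok is None or tok["revoked"]:
        return CONNACK_BAD_CREDENTIALS                # unknown or revoked token
    if tok["device"] != c["client_id"]:
        return CONNACK_NOT_AUTHORIZED                 # token lifted from another device
    return CONNACK_ACCEPTED


def broker_authorize_publish(token: bytes, topic: str) -> bool:
    """Granular: the token says which topics this device may publish to."""
    tok = TOKENS.get(token)
    if tok is None or tok["revoked"]:
        return False
    return any(topic_matches(s[len("publish:"):], topic)
               for s in tok["scopes"] if s.startswith("publish:"))


def revoke(token: bytes) -> None:
    TOKENS[token]["revoked"] = True                   # one flag cuts the device off


if __name__ == "__main__":
    pkt = build_connect(b"dev-001", b"oauth2", b"tok-dev-001-9f3a")
    print("CONNECT:", pkt.hex())
    print("connack:", broker_accept(pkt))
    print("own topic:", broker_authorize_publish(b"tok-dev-001-9f3a", "devices/dev-001/telemetry"))
    print("other device's topic:", broker_authorize_publish(b"tok-dev-001-9f3a", "devices/dev-002/telemetry"))
```

    The CONNECT still travels in clear unless the MQTT session runs over TLS, so the token is a bearer credential and needs transport protection exactly as a password would; the gain is that it can be scoped to one device and one set of topics and revoked centrally without reflashing anything.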
  • What I haven’t covered enough of
  • Are you setting up for the next privacy or security breach?
  • Exemplars • Shields • Libraries • Server Frameworks • Standards and Profiles
  • Summary • 1. Don’t be dumb • 2. Think about the differences • 3. Be smart • 4. Create and publish exemplars
  • WSO2 Reference Architecture for the Internet of Things http://freo.me/iot-ra