by Paolo Patierno
Smart or ... haunted home ?
LinuxDay Napoli 2017
Senior Software Engineer at Red Hat
Messaging & IoT team
@ppatierno
Smart or ... haunted home ?
● the alarm rings two hours early ...
● the garage door opens when I’m still at the office ...
● the irrigation system starts even if it’s raining ...
● the thermostat starts heating, but it’s August ...
Who am I ?
● Senior Software Engineer @ Red Hat
– Messaging & IoT team
● Lead/Committer @ Eclipse Foundation
– Hono, Paho & Vert.x projects
● Microsoft MVP Azure/IoT
● @ppatierno
Agenda
● Is IoT secure ?
● What’s wrong today ?
● Advice & technologies for improving it !
Cruel reality ?
... On Friday, October 20th ... chatting with my colleague Jens ...
Me : “Jens ... I’ll have a session about IoT security at Linux Day 2017 next Saturday in Naples ...”
Jens : “Cool ! ... it will be a short one, you know, IoT ... no security at all”
One year ago ...
● October 21st, 2016
● a few days before Linux Day 2016
● Mirai malware
● DDoS attack launched from hacked devices
● victim: Dyn servers (DNS)
● Twitter, Netflix, CNN, ... down
Something like this happened
https://www.youtube.com/watch?v=RKd5A4oJByY
... so I tweeted this
● why you should change default passwords !
● having a web server on a device with a public IP is not a good thing !
I can see you !
● CCTV cameras
– no lockout against brute-force username/password attempts
– an IP scanner (e.g. angryIP) is enough to find them
– get control !
Web of Things
use modern Web standards directly on embedded devices ...
... HTTP, WebSockets, JSON, HTTP/2 ...
interacting with Things via Web browsers and exploring them just as you would surf the Web
IoT *IS NOT* the Web
Protect yourself
● no public IP
● no open ports
● no web server listening for incoming connections
– at least not exposed outside of your network ...
– ... but now WPA2 has been cracked !
● don’t rely only on network-level security ... it could be risky
Hollywood principle
Don’t call us ... We’ll call you !!
Service Assisted Communication
Device - IoT - Applications
[diagram: device - IoT platform - app]
● Device- and application-initiated connections
● Secure connection (e.g. SSL/TLS)
● Channel needs to be bidirectional
Security on device
● Private key protection
● Software
– SELinux
– OTP fuses (One Time Programmable)
● Hardware
– TPM (Trusted Platform Module)
– Smart card
https://www.youtube.com/watch?v=E6jmMp9N6bs
... but it’s not so cheap !
● DTLS (Datagram TLS)
● https://tools.ietf.org/html/draft-ietf-lwig-tls-minimal-01
Security on hardware
● latest updates for fixing vulnerabilities ...
● ... but upgrading isn’t so simple :
– errors on firmware checksum and signature
– NAND flash errors
– power loss
– network issues
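A verify-then-commit update over two flash slots is the usual answer to the four failure modes listed on this slide. The example below is added here and is not code from the talk: it models the flash as an in-memory object, uses HMAC-SHA256 as a stand-in for the vendor's asymmetric signature, and simulates a truncated download, a NAND bit error and a power cut mid-write; all names and values are constructed.

```python
"""Verify-then-commit firmware update over two flash slots (A/B)."""
from typing import Optional, Tuple
import hashlib
import hmac

# Constructed vendor key. On a real device only the public half would be
# present and the tag would be an asymmetric signature; HMAC-SHA256 is a
# stand-in so the example runs with the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"
PAGE = 64  # bytes per simulated NAND page


class UpdateError(Exception):
    pass


class Flash:
    """Two image slots plus a small boot record saying which one boots."""

    def __init__(self, initial_image: bytes, version: int = 1):
        self.slots = {"A": initial_image, "B": b""}
        self.boot_record = {"active": "A", "version": version}

    def active_image(self) -> bytes:
        return self.slots[self.boot_record["active"]]

    def inactive_slot(self) -> str:
        return "B" if self.boot_record["active"] == "A" else "A"


def publish(image: bytes, key: bytes = VENDOR_KEY) -> Tuple[str, bytes]:
    """Vendor side: the digest and tag shipped alongside the image."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, image, hashlib.sha256).digest()
    return digest, tag


def apply_update(flash: Flash, image: bytes, digest: str, tag: bytes,
                 version: int, key: bytes = VENDOR_KEY,
                 power_loss_at: Optional[int] = None,
                 corrupt_at: Optional[int] = None) -> str:
    """Stage `image` into the inactive slot; switch boot only if every check
    passes. `power_loss_at` cuts the write after that many bytes and
    `corrupt_at` flips one byte on its way into flash (a NAND error).
    Returns the slot that is active afterwards."""
    # 1. Integrity: the download must match the published digest
    #    (catches truncation by a network issue as well as tampering).
    if hashlib.sha256(image).hexdigest() != digest:
        raise UpdateError("checksum mismatch")
    # 2. Authenticity: only the vendor key produces a valid tag.
    expected_tag = hmac.new(key, image, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        raise UpdateError("signature invalid")
    # 3. Anti-rollback: refuse an older, possibly vulnerable, build.
    if version <= flash.boot_record["version"]:
        raise UpdateError("rollback refused")
    # 4. Write page by page into the INACTIVE slot; the running image is
    #    never touched, so a power cut here still leaves a bootable device.
    target = flash.inactive_slot()
    landed = bytearray()
    for off in range(0, len(image), PAGE):
        if power_loss_at is not None and off >= power_loss_at:
            flash.slots[target] = bytes(landed)
            raise UpdateError("power loss during write")
        landed += image[off:off + PAGE]
    if corrupt_at is not None and corrupt_at < len(landed):
        landed[corrupt_at] ^= 0x01
    flash.slots[target] = bytes(landed)
    # 5. Read back and re-verify what actually landed (NAND errors).
    if hashlib.sha256(flash.slots[target]).hexdigest() != digest:
        raise UpdateError("flash readback mismatch")
    # 6. One small boot-record write is the only point of no return.
    flash.boot_record = {"active": target, "version": version}
    return target


def attempt_update(flash: Flash, published_image: bytes, version: int,
                   received: Optional[bytes] = None, **kw) -> str:
    """Run one update attempt; `received` is the image as it arrived on the
    device (defaults to the published one). Returns 'ok:<slot>' or
    'error:<reason>' so outcomes are easy to inspect."""
    digest, tag = publish(published_image)
    image = published_image if received is None else received
    try:
        return "ok:" + apply_update(flash, image, digest, tag, version, **kw)
    except UpdateError as exc:
        return "error:" + str(exc)
```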
Security on communication
● data encryption
● pre-shared key
– client and server share an encryption key
● X.509 certificates
– used with the SSL/TLS protocol
– certificate revocation list
Security in Cloud
● a service can be hacked just like a device
● all services have to trust each other
● “internal” security ... not only the “external” one
Take care of ...
● authentication
– the process of ascertaining that somebody really is who he claims to be
– username/password, SSL/TLS client certificates, ...
● authorization
– refers to rules that determine who is allowed to do what
– user, group, roles
– claims (e.g. JSON Web Token)
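The two slides above separate authentication (is the token genuine and current?) from authorization (what do its claims allow?). The example below is added here and is not code from the talk: it issues and verifies an HS256 JSON Web Token with the standard library only, then decides an action from the role and subject claims; the secret, the claims and the role-to-permission table are constructed.

```python
"""Authorization from JSON Web Token claims on an IoT platform."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: a real platform would use per-tenant keys (or an
# asymmetric algorithm) and load the permission table from configuration.
PLATFORM_SECRET = b"constructed-platform-hs256-secret"
ROLE_PERMISSIONS = {
    "device":   {"telemetry:publish", "command:subscribe"},
    "operator": {"telemetry:subscribe", "command:publish"},
    "admin":    {"telemetry:subscribe", "command:publish", "device:register"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = PLATFORM_SECRET) -> str:
    """Build an HS256 JWT: header.payload.signature, each base64url."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = header + "." + payload
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = PLATFORM_SECRET,
                 now: Optional[float] = None) -> dict:
    """Authentication step: return the claims only if the token is genuine
    and unexpired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server side: the token must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims


def is_allowed(token: str, action: str, device_id: str,
               now: Optional[float] = None) -> bool:
    """Authorization step: who (role claim) may do what (action) on which
    device, decided only from claims that verify_token has checked."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False  # not authenticated: nothing is allowed
    role = claims.get("role")
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False
    # A device identity may only act for itself: its subject claim is the
    # device id the platform registered it under.
    if role == "device" and claims.get("sub") != device_id:
        return False
    return True
```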
IoT platform security
● device has an identity
● IoT platform internal components have their own identities
● mutual authentication (e.g. X.509, SSL/TLS, ...)
● encrypted channel (e.g. SSL/TLS)
● signed messages
● roles for authorization
● secure software distribution
IoT protocols security
● SSL/TLS
– for authentication and encryption
● Payload encryption
● HTTP : basic & digest authentication
● CoAP : Datagram TLS (DTLS)
● AMQP : SASL for authentication
● MQTT : username/password on connection
Conclusions
● IoT security is not so simple
● a lot of different solutions can be used
● most of the time, several technologies together
● device, communication and cloud are involved
Now ? Let’s go home and change the default password that we still have on our routers !!
IoT Day Italy
www.iotday.it - @iotdayit
Q & A
Thanks !
@ppatierno

Smart Home Security IoT Devices
