Smart Home Security IoT Devices
1. by Paolo Patierno
Smart or ... haunted home ?
LinuxDay Napoli 2017
Senior Software Engineer at Red Hat
Messaging & IoT team
@ppatierno
2. Smart or ... haunted home ?
● the alarm rings two hours before ...
● the garage door opens when I’m still at office ...
● the irrigation system starts even if it’s raining ...
● the thermostat starts heating, but it’s August ...
3. Who am I ?
● Senior Software Engineer @ Red Hat
– Messaging & IoT team
● Lead/Committer @ Eclipse Foundation
– Hono, Paho & Vert.x projects
● Microsoft MVP Azure/IoT
● @ppatierno
4. Agenda
● Is IoT secure ?
● What’s wrong today ?
● Advice & technologies for improving it !
5. Cruel reality ?
... On Friday, October 20th ... chatting with my colleague Jens ...
Me : “Jens ... I’ll have a session about IoT security
at Linux Day 2017 next Saturday in Naples ...”
Jens : “Cool ! ... it will be a short one, you know,
IoT ... no security at all”
6. One year ago ...
● October 21st, 2016
● a few days before the Linux Day 2016
● Mirai malware
● DDoS attack with hacked devices
● victim Dyn servers (DNS)
● down Twitter, Netflix, CNN, ...
7. Something like this happened
https://www.youtube.com/watch?v=RKd5A4oJByY
8. ... so I tweeted this
● why you should change default passwords !
● having a web server on a device with a public IP is not a good thing !
9. I can see you !
● CCTV cameras
– don’t have a lockout feature against brute-force username/password attacks
– just an IP scanner (e.g. angryIP) for finding them
– get control !
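The missing lockout feature from the slide above is what makes a brute-force login attempt cheap. The following is an added example (not code from the talk or from any camera vendor) of the control a device's web UI should have: a hypothetical `LoginGuard` that stores only salted PBKDF2 hashes, compares them in constant time, counts consecutive failures per (username, source IP) and refuses further attempts for a lockout window. The policy values, the account name and the clock-injection parameter are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed policy values; a real device would make these configurable.
MAX_FAILURES = 5        # consecutive failures before a lock is applied
LOCKOUT_SECONDS = 300   # duration of the lock


def hash_password(password, salt=None):
    """Salted PBKDF2 so the device never stores the clear-text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGuard:
    """Hypothetical login front-end for a camera's web UI: counts failed
    attempts per (username, source IP) and refuses further attempts while a
    lock is active, so guessing passwords one by one becomes impractical."""

    def __init__(self, credentials, clock=time.monotonic):
        self._credentials = credentials     # username -> (salt, pbkdf2 digest)
        self._clock = clock                 # injectable so tests can advance time
        self._failures = defaultdict(int)   # (user, ip) -> consecutive failures
        self._locked_until = {}             # (user, ip) -> monotonic deadline

    def is_locked(self, user, source_ip):
        deadline = self._locked_until.get((user, source_ip))
        return deadline is not None and self._clock() < deadline

    def _password_ok(self, user, password):
        entry = self._credentials.get(user)
        if entry is None:
            return False
        salt, expected = entry
        _, digest = hash_password(password, salt)
        return hmac.compare_digest(digest, expected)   # constant-time compare

    def attempt(self, user, password, source_ip):
        """Return 'ok', 'denied' or 'locked'; never reveals which field was wrong."""
        key = (user, source_ip)
        if self.is_locked(user, source_ip):
            return "locked"
        if self._password_ok(user, password):
            self._failures.pop(key, None)
            self._locked_until.pop(key, None)
            return "ok"
        self._failures[key] += 1
        if self._failures[key] >= MAX_FAILURES:
            self._locked_until[key] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(key, None)
        return "denied"


def build_demo_guard(clock=time.monotonic):
    """Constructed credential store with a single account (not a default password)."""
    return LoginGuard({"admin": hash_password("correct horse battery")}, clock)


if __name__ == "__main__":
    guard = build_demo_guard()
    for _ in range(MAX_FAILURES):
        print(guard.attempt("admin", "123456", "10.0.0.9"))            # denied, five times
    print(guard.attempt("admin", "correct horse battery", "10.0.0.9"))  # locked, even though correct
```

Locking per (user, source IP) rather than per user alone keeps one noisy source from locking the legitimate owner out from everywhere; the lock still applies even when the right password arrives, which is the point: the correct guess inside a brute-force run must not succeed.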
11. Web of Things
use modern Web standards directly on embedded devices ...
... HTTP, WebSockets, JSON, HTTP/2 ...
12. Web of Things
interacting with Things via Web browsers and exploring them just as you would surf the Web
IoT *IS NOT* Web
13. Protect yourself
● no public IP
● no open ports
● no web server listening for incoming connections
– at least not exposed outside of your network ...
– ... but now WPA2 was cracked !
● don’t rely only on security at the network level ... it could be risky
14. Hollywood principle
Don’t call us ... We’ll call you !!
15. Service Assisted Communication
16. Device - IoT - Applications
[diagram: device → IoT platform ← app]
● Device and application initiated connection
● Secure connection (i.e. SSL/TLS)
● Channel needs to be bidirectional
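The three bullets above describe the pattern concretely: the device dials out, the platform never has to reach a port on the device, and the platform still sends commands back over the channel the device opened. The following is an added example of that exchange, not code from the talk or from any IoT platform. It runs an asyncio "platform" server and a "device" client in one process on localhost; the function names, the device id and the command are constructed. TLS is left out so the example stays self-contained; in a deployment the device would pass an `ssl.SSLContext` to `asyncio.open_connection` so the outbound link is encrypted and, with client certificates, mutually authenticated.

```python
import asyncio
import json


async def platform_session(reader, writer, pending_commands):
    """Platform side: accept the device's outbound connection, read its hello,
    then push queued commands back down the same socket. The device never
    opened a listening port; commands travel over the link it initiated."""
    hello = json.loads(await reader.readline())
    for cmd in pending_commands:
        writer.write((json.dumps(cmd) + "\n").encode())
    await writer.drain()
    writer.close()
    await writer.wait_closed()
    return hello


async def device_session(host, port):
    """Device side: connect out, announce itself, then read commands until the
    platform closes the channel."""
    reader, writer = await asyncio.open_connection(host, port)
    hello = {"device_id": "thermostat-01", "temp_c": 21.5}   # constructed telemetry
    writer.write((json.dumps(hello) + "\n").encode())
    await writer.drain()
    received = []
    while True:
        line = await reader.readline()
        if not line:                  # EOF: the platform closed the channel
            break
        received.append(json.loads(line))
    writer.close()
    await writer.wait_closed()
    return received


async def exchange(commands):
    """Run platform and device in one event loop; return (hello, commands seen)."""
    loop = asyncio.get_running_loop()
    hello_received = loop.create_future()

    async def on_connect(reader, writer):
        hello_received.set_result(await platform_session(reader, writer, commands))

    # Port 0: the OS picks a free ephemeral port for this in-process demo.
    server = await asyncio.start_server(on_connect, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        received = await device_session("127.0.0.1", port)
        hello = await hello_received
    finally:
        server.close()
        await server.wait_closed()
    return hello, received


def demo():
    """Constructed command the platform queues for the device."""
    return asyncio.run(exchange([{"cmd": "set_target", "temp_c": 19.0}]))


if __name__ == "__main__":
    print(demo())
```

The device's attack surface is reduced to the outbound connection it chose to open; nothing on the device listens, so the "no open ports" advice from the earlier slide and the need for a bidirectional channel are satisfied at the same time.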
17. Security on device
● Private key protection
● Software
– SELinux
– OTP fuses (One Time Programmable)
● Hardware
– TPM (Trusted Platform Module)
– Smart card
https://www.youtube.com/watch?v=E6jmMp9N6bs
18. ... but it’s not so cheap !
● DTLS (Datagram TLS)
● https://tools.ietf.org/html/draft-ietf-lwig-tls-minimal-01
19. Security on hardware
● latest updates for fixing vulnerabilities ...
● ... but upgrading isn’t so simple :
– errors on firmware checksum and signature
– NAND flash errors
– power loss
– network issues
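Each failure in the list above maps to a check a device updater should make before it commits to a new image. The following is an added example, not code from the talk or from any vendor's updater: a hypothetical A/B update routine that rejects truncated downloads (size), corrupted images (SHA-256), tampered images (signature), flash write errors (read-back), and survives power loss by writing the inactive slot and the boot pointer with write-to-temp, fsync and rename. The vendor key, manifest layout, slot file names and firmware bytes are constructed; the HMAC tag stands in for the asymmetric signature a real vendor would use so the example needs only the standard library.

```python
import hashlib
import hmac
import os
import tempfile

# Stand-in vendor key (constructed). A real vendor signs with an asymmetric key
# and the device holds only the public half; HMAC keeps this example stdlib-only.
VENDOR_KEY = b"constructed-vendor-signing-key"


class UpdateError(Exception):
    """Raised for any reason the image must not be booted."""


def make_manifest(image):
    """Vendor side: size, SHA-256 digest and a tag over the digest."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(VENDOR_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"size": len(image), "sha256": digest, "sig": tag}


def verify_image(image, manifest):
    """Device side: reject truncated downloads, corrupted or tampered images."""
    if len(image) != manifest["size"]:
        raise UpdateError("truncated download")
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateError("checksum mismatch")
    expected = hmac.new(VENDOR_KEY, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        raise UpdateError("bad signature")


def read_boot_pointer(root):
    """Which slot the bootloader would start; defaults to A on a fresh device."""
    try:
        with open(os.path.join(root, "boot")) as f:
            return f.read().strip()
    except FileNotFoundError:
        return "A"


def _atomic_write(path, data, mode):
    """Write a temp file, fsync, then rename: after a power loss the file is
    either the old version or the new one, never a half-written mix."""
    tmp = path + ".tmp"
    with open(tmp, mode) as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def apply_update(root, image, manifest):
    """A/B update: verify, write the inactive slot, read it back, flip the pointer."""
    verify_image(image, manifest)
    active = read_boot_pointer(root)
    inactive = "B" if active == "A" else "A"
    slot_path = os.path.join(root, f"slot_{inactive}.bin")
    _atomic_write(slot_path, image, "wb")
    with open(slot_path, "rb") as f:          # read-back catches flash write errors
        if hashlib.sha256(f.read()).hexdigest() != manifest["sha256"]:
            raise UpdateError("read-back mismatch")
    _atomic_write(os.path.join(root, "boot"), inactive, "w")   # the only commit point
    return inactive


def demo():
    """Exercise the happy path and each rejection on a constructed image."""
    root = tempfile.mkdtemp()
    image = b"constructed firmware image v2.0"
    manifest = make_manifest(image)
    results = {"first": apply_update(root, image, manifest),
               "second": apply_update(root, image, manifest)}
    cases = {"truncated": (image[:-1], manifest),
             "tampered": (b"X" + image[1:], manifest),
             "forged": (image, dict(manifest, sig="00" * 32))}
    for name, (img, man) in cases.items():
        try:
            verify_image(img, man)
            results[name] = "accepted"
        except UpdateError as err:
            results[name] = str(err)
    return results
```

The active slot is never touched, so a failure at any step leaves the device bootable from the image it already runs; only the final pointer flip changes what boots next.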
20. Security on communication
● data encryption
● pre-shared key
– client and server share an encryption key
● X.509 certificates
– used with SSL/TLS protocol
– certificates revocation list
21. Security in Cloud
● a service can be hacked just like a device
● all services have to trust each other
● “internal” security ... not only the “external” one
22. Take care of ...
● authentication
– the process of ascertaining that somebody really is who he claims to be
– username/password, SSL/TLS client certificates, ...
23. Take care of ...
● authorization
– refers to rules that determine who is allowed to do what
– user, group, roles
– claims (e.g. JSON Web Token)
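Slides 22 and 23 separate the two questions an IoT platform has to answer for every request: who is this (authentication) and what may they do (authorization). The following is an added example, not code from the talk or from any JWT library, that answers both with a JSON Web Token carrying role claims: `verify_token` pins the algorithm to HS256, checks the HMAC signature and the `exp` claim, and only then `is_allowed` maps the token's roles to permitted actions. The shared secret, the role table, the actions and the claim values are constructed; `with_replaced_claims` builds a token whose claims were changed without the key, to show that the check rejects it.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"   # assumption: HS256 key shared with the issuer
COMPACT = {"separators": (",", ":")}

# Constructed role table: which actions each role may perform on a device.
PERMISSIONS = {
    "admin": {"read", "write", "update_firmware"},
    "viewer": {"read"},
}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key=SECRET):
    """Issuer side: header.payload.signature with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **COMPACT).encode())
    payload = b64url_encode(json.dumps(claims, **COMPACT).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token, key=SECRET, now=None):
    """Authentication: return the claims only if signature and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                    # pin the algorithm; never accept alg=none
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None
    return claims


def is_allowed(claims, action):
    """Authorization: map the token's roles to permitted actions."""
    return any(action in PERMISSIONS.get(role, set()) for role in claims.get("roles", []))


def authorize(token, action, now=None):
    """Decision for one request: 'unauthenticated', 'forbidden' or 'allowed'."""
    claims = verify_token(token, now=now)
    if claims is None:
        return "unauthenticated"
    return "allowed" if is_allowed(claims, action) else "forbidden"


def with_replaced_claims(token, claims):
    """Keep an existing signature but swap the claims, i.e. what someone without
    the key can produce; verify_token must reject the result."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(json.dumps(claims, **COMPACT).encode())}.{sig_b64}"


if __name__ == "__main__":
    token = issue_token({"sub": "device-42", "roles": ["viewer"], "exp": int(time.time()) + 600})
    print(authorize(token, "read"), authorize(token, "update_firmware"))   # allowed forbidden
```

Authentication failures and authorization failures are reported separately on purpose: a bad or expired token should be logged as such, while a valid token asking for an action its roles do not cover is the signal that a legitimate identity is being misused or misconfigured.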
24. IoT platform security
● device has an identity
● IoT platform internal components have their own identities
● mutual authentication (i.e. X.509, SSL/TLS, ...)
● encrypted channel (i.e. SSL/TLS)
● signed messages
● roles for authorization
● secure software distribution
25. IoT protocols security
● SSL/TLS
– For authentication and encryption
● Payload encryption
● HTTP : basic & digest authentication
● CoAP : Datagram TLS (DTLS)
● AMQP : SASL for authentication
● MQTT : username/password on connection
26. Conclusions
● IoT security is not so simple
● a lot of different solutions can be used
● most of the times more technologies together
● device, communication and cloud are involved
27. Conclusions
Now ? Let’s go home to change the default password that we still have on our routers !!
28. IoT Day Italy
www.iotday.it - @iotdayit