
Security in the Internet of Things


Security in the Internet Of Things.
Every IoT project must be designed with security in mind. Identity Relationship Management is a must for a successful IoT implementation.



  1. Security in the Internet of Things. Victor Ake, Victor.Ake@ForgeRock.com, CTO Office / Co-Founder
  2. About me: 26 years of experience in the IT industry as a System Engineer in networking, security and Identity Relationship Management (Ericsson, IBM, 3Com, Sun Microsystems, ForgeRock). Co-Founder of ForgeRock, CTO Office. http://www.forgerock.com
  3. World Wide Web, Mobile Internet, Internet of Things. Image source: Kelsey Austin, https://www.flickr.com/photos/kelseyrage/15362515989
  4. Despite the wave, information is the common key deliverable: telemetry (health, rockets, energy, aviation, etc.), device identification, sensed information, metered information. Forget the HONEY! Source: Meadows R (2012) Understanding the Flight of the Bumblebee. PLoS Biol 10(9)
  5. Increasing amount of security, privacy & safety concerns
  6. Top barriers to IoT and M2M adoption (chart). Source: Infonetics, January 2014.
  7. Security and privacy (diagram): Things, Mobile/Gateway, Cloud and Enterprise, with data in transit and data access between each stage.
  8. Challenges:
     - Low-friction human interaction
     - Unique device identification
     - Device authenticity
     - Device-user association
     - Nature of the data
     - Security vs comfort / risk vs reward
     Image source: Sharkawi Che Din, https://www.flickr.com/photos/sharkawi3d/15374262331/
  9. More challenges:
     - Limited encryption capabilities
     - Limited resources (RAM/ROM)
     - Limited clock synchronization
     - Firmware must be upgraded from time to time
     Image source: Massimo Piccoli, https://www.flickr.com/photos/massimo_piccoli/12680390774/
  10. IoT security design rules:
     - Build security in; it cannot be added later
     - Keep security mechanisms simple
     - Use existing standards
     - Obscurity does not provide security
     Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg
  11. IoT security design rules (continued):
     - Encrypt sensitive data at rest and in transit
     - Use well-studied cryptographic building blocks
     - Identity and Access Management must be part of the design
     - Develop a realistic threat model
     Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg
  12. Common Security Issues
  13. Secure web, mobile and cloud interfaces:
     - Do not allow default credentials
     - Assume the device is accessed both internally and externally
     - Credentials should not be stored in plain text nor travel over unencrypted channels
     - Protect against account enumeration and implement account lockout
     - Protect against XSS, CSRF and SQLi
     - Implement an IAM/IRM system
  14. Implement an IAM/IRM system: identity creation, authentication & authorization
  15. Provisioning device identity (sequence diagram between device D, its PKI credentials in the secure element (SE) and the IDM system): the device asserts "I'm an authentic device, I'm unique (D)" and asks to be registered; the IDM system verifies the device's authenticity and registers the device.
  16. Register user, AuthN, claim ownership (sequence diagram between the user, device D, the AM system and the PKI/SE): the user says "Register me", "I own device D" and "I allow device D to send data on my behalf to service S1 for 1 day". The AM system verifies the identity of the user, registers and authenticates the user, requires proof of possession of the device, creates the user-device relationship, generates an OAuth2 token and provisions the refresh and access tokens to the device; the device authenticates and stores the refresh and access tokens.
  17. Device sends data on behalf of the user (sequence diagram with the AM system and the PKI/SE): the device sends data with its OAuth2 access token; the AM system verifies the device and the validity and scope (authorization) of the access token, and the data is associated with Alice. When the token has expired, the device uses its refresh token to negotiate a new access token and stores the new access token.
  18. User shares data, revokes tokens (AM system with UMA): the user authenticates and says "I want to share my data with my insurance company"; or the user reports "Lost my device" and the token is revoked. Transports: HTTP, MQTT, SASL; PKI (SE).
  19. Network services:
     - Ensure only necessary ports are open
     - Ensure services are not vulnerable to buffer overflow and fuzzing attacks
     - Ensure services are not vulnerable to DoS attacks
  20. Transport encryption:
     - Ensure data and credentials are encrypted while in transit
     - Use secure encrypted channels
     - Use good key lengths and good algorithms (Elliptic Curve provides efficient encryption)
     - Protect against replay attacks
  21. Privacy as part of the design:
     - Collect only the minimum data necessary for the functionality of the device
     - Ensure any sensitive data collected is properly protected with encryption
     - Ensure the device properly protects personal data
     Photo source: Brian M (OCDBri), https://www.flickr.com/photos/ocdbri/14438661513
  22. Software/Firmware:
     - Ensure your firmware does not contain hardcoded credentials or sensitive data
     - Use a secure channel to transmit the firmware during upgrades
     - Ensure the update is signed and verified before allowing the update
     - Do not send the public key with the firmware; use a hash
     - Ensure your SVN/Git repositories do not contain the private keys
  23. Physical security:
     - Ensure physical access to your device is controlled
     - Accessible USB or SD ports can be a weakness
     - Can it be easily disassembled to access the internal storage (RAM/ROM)?
     - If local data is sensitive, consider encrypting the data
     Image source: http://conflictresearchgroupintl.com/wp-content/uploads/2014/03/How-to-Look-Like-a-Bouncer1.jpg
  24. Thank you! Security in the Internet of Things. Victor Ake, Victor.Ake@ForgeRock.com, CTO Office. FORGEROCK.COM
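Added example, not code from the deck or from ForgeRock's products: a toy Go model of the token lifecycle on slides 16 to 18 (provision access and refresh tokens to device D, check device binding, scope and expiry before associating data with the user, refresh on expiry, revoke everything for a lost device). The type and function names, the scope string "send:S1" and the in-memory token store are assumptions; a real deployment would use an OAuth2 authorization server with token introspection.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Token is a constructed stand-in for the OAuth2 tokens the AM system issues to device D on a user's behalf.
type Token struct{ Value, Device, User, Scope string; Expires time.Time; Revoked bool } // zero Expires = refresh token
type AM struct{ tokens map[string]*Token }                                                 // toy authorization server
func newAM() *AM { return &AM{tokens: map[string]*Token{}} }
// issue gives a token a random, unguessable value and records it as outstanding.
func (am *AM) issue(t *Token) *Token { b := make([]byte, 16); rand.Read(b); t.Value = fmt.Sprintf("%x", b); am.tokens[t.Value] = t; return t }
// Provision hands device D a 1-day access token plus a refresh token once the user has claimed ownership (slide 16).
func (am *AM) Provision(device, user, scope string, now time.Time) (access, refresh *Token) {
	return am.issue(&Token{Device: device, User: user, Scope: scope, Expires: now.Add(24 * time.Hour)}),
		am.issue(&Token{Device: device, User: user, Scope: scope})
}
// Verify is the check service S1 delegates to the AM before associating data with the user (slide 17):
// an access token (never a refresh token) that is known, unrevoked, bound to this device, in scope and unexpired.
func (am *AM) Verify(value, device, scope string, now time.Time) error {
	t, ok := am.tokens[value]
	if !ok || t.Revoked || t.Device != device || t.Scope != scope || t.Expires.IsZero() || now.After(t.Expires) {
		return errors.New("token unknown, revoked, expired, or not valid for this device and scope")
	}
	return nil
}
// Refresh exchanges a live refresh token for a new access token (slide 17, "Token expired").
func (am *AM) Refresh(refreshValue, device string, now time.Time) (*Token, error) {
	r, ok := am.tokens[refreshValue]
	if !ok || r.Revoked || !r.Expires.IsZero() || r.Device != device {
		return nil, errors.New("refresh token rejected")
	}
	return am.issue(&Token{Device: device, User: r.User, Scope: r.Scope, Expires: now.Add(24 * time.Hour)}), nil
}
// RevokeDevice is the "lost my device" action (slide 18): every token bound to D stops working at once.
func (am *AM) RevokeDevice(device string) {
	for _, t := range am.tokens {
		if t.Device == device { t.Revoked = true }
	}
}
func main() {
	am, now := newAM(), time.Now()
	a, _ := am.Provision("D", "alice", "send:S1", now)
	fmt.Println("D may send to S1 for alice:", am.Verify(a.Value, "D", "send:S1", now) == nil)
}
```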

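Added example for the firmware rules on slide 22, not code from the deck: the device stores only a hash of the vendor's signing key, the update bundle carries the key and an Ed25519 signature, and the image is installed only after the key matches the pinned hash and the signature verifies. The types and function names, and the reading of "use a hash" as key-hash pinning, are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is the bundle the device receives over the (already encrypted) update channel. It carries
// the signing key and a signature, but the device trusts the key only if it matches the pinned hash.
type Update struct{ Image []byte; PublicKey ed25519.PublicKey; Signature []byte }
// Device holds only the SHA-256 of the vendor signing key (constructed here; on real hardware it
// would live in ROM or the secure element) plus the currently installed image.
type Device struct{ PinnedKeyHash [32]byte; Installed []byte }

// NewVendorAndDevice generates a fresh vendor signing key and a device pinned to its hash.
func NewVendorAndDevice() (ed25519.PrivateKey, *Device) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, &Device{PinnedKeyHash: sha256.Sum256(pub)}
}

// Sign is the vendor-side step: bundle an image with its signature and the signing public key.
func Sign(priv ed25519.PrivateKey, image []byte) Update {
	return Update{Image: image, PublicKey: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, image)}
}

// Apply installs the image only after both checks pass; any failure leaves Installed untouched.
func (d *Device) Apply(u Update) error {
	if len(u.PublicKey) != ed25519.PublicKeySize || sha256.Sum256(u.PublicKey) != d.PinnedKeyHash {
		return errors.New("public key in the bundle does not match the pinned key hash")
	}
	if !ed25519.Verify(u.PublicKey, u.Image, u.Signature) {
		return errors.New("firmware signature does not verify")
	}
	d.Installed = append([]byte(nil), u.Image...) // copy, so later changes to the bundle cannot reach it
	return nil
}

func main() {
	priv, dev := NewVendorAndDevice()
	fmt.Println("genuine update:", dev.Apply(Sign(priv, []byte("firmware v2"))))
	other, _ := NewVendorAndDevice() // a signing key this device was never pinned to
	fmt.Println("update signed with an unpinned key:", dev.Apply(Sign(other, []byte("firmware v3"))))
}
```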