SlideShare a Scribd company logo
1 of 28
Download to read offline
Mirza Krak
Embedded Solutions Architect
Mender.io
Integrate IoT cloud analytics and over-the-air (OTA) updates with Google and Mender.io
● Over-the-air software updates for IoT and Mender introduction
● Yocto Project introduction
● Google IoT Core and Cloud IoT introduction
● Device authentication integration between Cloud IoT and Mender
Session overview
● Mirza Krak
○ 8 years in Embedded Linux
■ U-boot and Linux kernel
■ Yocto/Buildroot
○ mirza.krak@northern.tech
About me
● mender.io
○ Open-source update manager for
embedded devices
○ Open source (Apache License, v2)
○ Supports a variation of update styles
■ Dual A/B rootfs layout
■ Update Modules (beta)
○ Remote deployment management (server)
○ Under active development
https://northern.tech/careers
We are hiring
Internet of Things (IoT)
The Internet of things (IoT) is the extension of
Internet connectivity into physical devices
and everyday objects. Embedded with
electronics, Internet connectivity, and other
forms of hardware (such as sensors), these
devices can communicate and interact with
others over the Internet, and they can be
remotely monitored and controlled
Source: WikipediaIt means taking all the things in the world and
connecting them to the internet
Connected devices must be remotely updatable
● There will be bugs, vulnerabilities
○ 1-25 per 1000 lines of code*
○ Botnets w/ millions of devices:
Mirai, Hajime, Brickerbot
● … and new features
● … after device is deployed to the field
*Source: Steve McConnell, Code Complete
Source: Ars Technica
IoT devices are in a harsh environment
● Remote
○ Expensive to reach physically
● Long expected lifetime
○ 5 - 10 years
● Unreliable power
○ Battery
○ Suddenly unplugged
● Unreliable network
○ Intermittent connectivity
○ Low bandwidth
○ Insecure
What can
go wrong?
Criteria for IoT software update management
● Robust and secure
● Atomic installation & consistent across
devices
● Secure transport and codesigning
● Integrates with existing development
environment
● Easy to get started
● Bandwidth consumption
● Downtime during update
What can
go wrong?
General IoT update manager workflow
Detect update
(secure channel)
Download
(secure channel)
Integrity
(e.g. checksum)
Authenticate
(e.g. signature)
DecryptExtract
Install Failure recovery
(e.g. roll back)
Compatibility
check
Sanity checks
Post-install
actions
Pre-install
actions
Must-have
Environment-specific
(Re)Start*
*E.g. reboot, restart service, start container
Mender provides both client and server
● Client-server model
○ Apache 2.0
○ Mender provides both, including web UI
○ No need to “glue” several projects
○ Server can integrate with 3rd party
clients through its REST API
● Supports updating
○ File system images
○ Update Modules (beta)
■ Application updates
■ Containers
■ nd more
Mender uses a dual A/B system layout
● Very robust
○ Fully atomic and consistent
● Integrates well
○ OS, kernel, apps unchanged
○ Needs bootloader “flip” support
○ Partition layout, requires 2x
rootfs storage
● Fairly short downtime (minute)
○ 1 reboot
OS A
(active)
Bootloader
Device/System
OS B
(inactive)
Kernel Kernel
● Mender deploys to inactive partition, then
reboots into it
○ Common design for IoT
○ Used in newer Androids (‘N’ and later)
Mender - server
Mender Devices
Users
API Gateway
TCP 443
DeviceAdm
DeviceAuth
UserAdm
Inventory
Deployments
GUI
Conductor
Storage
Proxy
TCP 9000
Minio
MongoDB
ElasticSearch
Redis
Filesystem
external clients stateless application layer persistent storage
● Microservices
● Only port 433 and 9000
● RESTful API
○ Device API
○ Management API
/api/management/v1/deployments
/api/management/v1/admission
/api/management/v1/devauth/
….
https://docs.mender.io/apis/overview
Yocto Project is a Linux build system
“It's not an embedded Linux
Distribution, It creates a custom one
for you.”
● Structured way to build a Linux
distribution from source, using
software “meta layers”
● Flexible and very portable
between hardware
○ Requires some learning
● Probably the most popular Linux “OS” for
IoT devices
○ Major board manufacturers provide
BSPs as Yocto meta layers
● Mender provides meta-mender for
integrating the Mender client
● Google provides meta-gcp-iot for integrating
Mender and MQTT telemetry application
Google IoT Core
“Cloud IoT Core is a fully managed service that allows you to easily and securely
connect, manage, and ingest data from millions of globally dispersed devices”
● MQTT and HTTP protocols
● scales automatically in response to real-time changes
● industry-standard security protocols protect your data.
Google Cloud IoT (example)
Google IoT Core
Protocol bridge
MQTT protocol endpoint
Automatic load balancing
Global data access with
Pub/Sub
Device manager
Configure individual devices
Update and control devices
Role level access control
Console and APIs for device
deployment and monitoring
Device authentication is complex
● To securely authenticate to cloud services, devices need an identity and credential
tuple
○ Typically a serial number and public/private keypair
● Different cloud services use different identity and credential tuples
● Result: Identity and key management becomes very complex and error-prone
Device authentication in Google IoT Core
Device identity is based on an asymmetric key-pair of
two supported formats:
○ RSA 256 public key wrapped in a X.509v3
certificate
○ Elliptic curve (ECDSA) algorithm using
P-256 and SHA-256 [more efficient,
better suited for small devices]
Credentials may optionally have an expiration
timestamp
A device can have up to 3 credentials associated with
it at a time, allowing for rotation
The service should never need the private key
The sequence shown here is only one way to handle
device provisioning
Device authentication in Google IoT Core
MQTT/HTTP
broker
Verify JWT signature with
public key
Run API Script with
public key files
Create JWT
Secure Sign
JWT
Save device
public key
association
Device Key pair securely
generated in
Microchip ATECC608A or NXP
A71CH
Provisioner Device manager
OK
Create device (deviceid, public key)
OK
Connect (device id, signed JWT)
Connected
Secure element w/
private keys soldered
to the device
Public keys
passed as file
Device authentication in Mender
Unique
client
identity
Unique
client
key pair
Mender
client
IoT device
Trusted
server
cert
Root
certs
Mender server
Mender
config Trusted
server
cert
API
gateway
(nginx)
RSA key unique to this client. Used to sign client
identity in auth requests. Will be tied to client
identity in server.
TLS (https)
1. Auth request:
client identity, signed(client identity)
2. Reject (if client unknown/pending) or issue
JWT auth token to client.
Clients get JWT auth token if:
A. They are preauthorized, or
B. Accepted (once pending) by user/script
Identity attributes (key-value). Identity scheme is
customizable, typically serial number or MAC
address is used. More info: Identity in Mender
Device authentication integration workflow
Device authentication integration workflow
Device authentication integration workflow
Device authentication integration workflow
Device authentication integration workflow
Integration based on common private key
Identity tied to Private Key
(secure on disk or in secure element)
MQTT Client Mender Agent
Mender OTA
Server
Google Cloud
IoT Core
OTA and Firmware ManagementTelemetry and Data plane
Reference integration
Step-by-step tutorial available
bit.ly/mender-google
Thank you
Questions?

More Related Content

What's hot

Software update for embedded systems - elce2014
Software update for embedded systems - elce2014Software update for embedded systems - elce2014
Software update for embedded systems - elce2014Stefano Babic
 
Userspace drivers-2016
Userspace drivers-2016Userspace drivers-2016
Userspace drivers-2016Chris Simmonds
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectYen-Chin Lee
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemsClaudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemslinuxlab_conf
 
Emanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2NEmanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2Nlinuxlab_conf
 
Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727csirac2
 
libreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistrolibreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistroAll Things Open
 
Eclipse IDE Yocto Plugin
Eclipse IDE Yocto PluginEclipse IDE Yocto Plugin
Eclipse IDE Yocto Plugincudma
 
The Yocto Project
The Yocto ProjectThe Yocto Project
The Yocto Projectrossburton
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemdAlison Chaiken
 
MikroTik User Guide
MikroTik User GuideMikroTik User Guide
MikroTik User Guideseolangit4
 
Software update for IoT: the current state of play
Software update for IoT: the current state of playSoftware update for IoT: the current state of play
Software update for IoT: the current state of playChris Simmonds
 
Yocto project and open embedded training
Yocto project and open embedded trainingYocto project and open embedded training
Yocto project and open embedded trainingH Ming
 
Kernel Recipes 2013 - Viewing real time ltt trace using gtkwave
Kernel Recipes 2013 - Viewing real time  ltt trace using gtkwaveKernel Recipes 2013 - Viewing real time  ltt trace using gtkwave
Kernel Recipes 2013 - Viewing real time ltt trace using gtkwaveAnne Nicolas
 
Linux field-update-2015
Linux field-update-2015Linux field-update-2015
Linux field-update-2015Chris Simmonds
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)Security Bootcamp
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Nicolas Collery
 
Embedded Android: Android beyond the smartphone
Embedded Android: Android beyond the smartphoneEmbedded Android: Android beyond the smartphone
Embedded Android: Android beyond the smartphoneChris Simmonds
 
Run Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using YoctoRun Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using YoctoMarco Cavallini
 

What's hot (20)

Software update for embedded systems - elce2014
Software update for embedded systems - elce2014Software update for embedded systems - elce2014
Software update for embedded systems - elce2014
 
Userspace drivers-2016
Userspace drivers-2016Userspace drivers-2016
Userspace drivers-2016
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemsClaudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
 
Emanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2NEmanuele Faranda - Creating network overlays with IoT devices using N2N
Emanuele Faranda - Creating network overlays with IoT devices using N2N
 
Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727
 
libreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistrolibreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux Distro
 
Eclipse IDE Yocto Plugin
Eclipse IDE Yocto PluginEclipse IDE Yocto Plugin
Eclipse IDE Yocto Plugin
 
The Yocto Project
The Yocto ProjectThe Yocto Project
The Yocto Project
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemd
 
MikroTik User Guide
MikroTik User GuideMikroTik User Guide
MikroTik User Guide
 
Software update for IoT: the current state of play
Software update for IoT: the current state of playSoftware update for IoT: the current state of play
Software update for IoT: the current state of play
 
Yocto project and open embedded training
Yocto project and open embedded trainingYocto project and open embedded training
Yocto project and open embedded training
 
Embedded Android : System Development - Part III
Embedded Android : System Development - Part IIIEmbedded Android : System Development - Part III
Embedded Android : System Development - Part III
 
Kernel Recipes 2013 - Viewing real time ltt trace using gtkwave
Kernel Recipes 2013 - Viewing real time  ltt trace using gtkwaveKernel Recipes 2013 - Viewing real time  ltt trace using gtkwave
Kernel Recipes 2013 - Viewing real time ltt trace using gtkwave
 
Linux field-update-2015
Linux field-update-2015Linux field-update-2015
Linux field-update-2015
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
 
Embedded Android: Android beyond the smartphone
Embedded Android: Android beyond the smartphoneEmbedded Android: Android beyond the smartphone
Embedded Android: Android beyond the smartphone
 
Run Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using YoctoRun Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using Yocto
 

Similar to Integrate IoT cloud analytics and over the-air (ota) updates with google and mender.io

BKK16-500K2 CTO talk - The End to End Story
BKK16-500K2 CTO talk - The End to End StoryBKK16-500K2 CTO talk - The End to End Story
BKK16-500K2 CTO talk - The End to End StoryLinaro
 
Internet of things at the Edge with Azure IoT Edge by sonujose
Internet of things at the Edge with Azure IoT Edge by sonujoseInternet of things at the Edge with Azure IoT Edge by sonujose
Internet of things at the Edge with Azure IoT Edge by sonujoseSonu Jose
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemInductive Automation
 
Integration of Things (Sam Vanhoutte @Iglooconf 2017)
Integration of Things (Sam Vanhoutte @Iglooconf 2017) Integration of Things (Sam Vanhoutte @Iglooconf 2017)
Integration of Things (Sam Vanhoutte @Iglooconf 2017) Codit
 
DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDataArt
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017Jian-Hong Pan
 
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Codit
 
apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...
apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...
apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...apidays
 
Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...
Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...
Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...Microsoft Tech Community
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to productionMender.io
 
Workshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World ParisWorkshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World ParisJulien SIMON
 
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays
 
Workshop AWS IoT @ SIDO
Workshop AWS IoT @ SIDOWorkshop AWS IoT @ SIDO
Workshop AWS IoT @ SIDOJulien SIMON
 

Similar to Integrate IoT cloud analytics and over the-air (ota) updates with google and mender.io (20)

Intel_IoT_gateway.pdf
Intel_IoT_gateway.pdfIntel_IoT_gateway.pdf
Intel_IoT_gateway.pdf
 
BKK16-500K2 CTO talk - The End to End Story
BKK16-500K2 CTO talk - The End to End StoryBKK16-500K2 CTO talk - The End to End Story
BKK16-500K2 CTO talk - The End to End Story
 
Internet of things at the Edge with Azure IoT Edge by sonujose
Internet of things at the Edge with Azure IoT Edge by sonujoseInternet of things at the Edge with Azure IoT Edge by sonujose
Internet of things at the Edge with Azure IoT Edge by sonujose
 
IoT on azure
IoT on azureIoT on azure
IoT on azure
 
IoT on Azure
IoT on AzureIoT on Azure
IoT on Azure
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product Overview
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition System
 
Integration of Things (Sam Vanhoutte @Iglooconf 2017)
Integration of Things (Sam Vanhoutte @Iglooconf 2017) Integration of Things (Sam Vanhoutte @Iglooconf 2017)
Integration of Things (Sam Vanhoutte @Iglooconf 2017)
 
DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana Matvienko
 
Fluent Bit
Fluent BitFluent Bit
Fluent Bit
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
 
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
 
apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...
apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...
apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic...
 
Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...
Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...
Azure IoT Edge: a breakthrough platform and service running cloud intelligenc...
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to production
 
Workshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World ParisWorkshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World Paris
 
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
 
End to end IoT Solution using Mongoose OS.
End to end IoT Solution using Mongoose OS.End to end IoT Solution using Mongoose OS.
End to end IoT Solution using Mongoose OS.
 
Fluent-bit
Fluent-bitFluent-bit
Fluent-bit
 
Workshop AWS IoT @ SIDO
Workshop AWS IoT @ SIDOWorkshop AWS IoT @ SIDO
Workshop AWS IoT @ SIDO
 

More from Mender.io

IoT Prototyping using BBB and Debian
IoT Prototyping using BBB and DebianIoT Prototyping using BBB and Debian
IoT Prototyping using BBB and DebianMender.io
 
Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018Mender.io
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesMender.io
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to ProductionMender.io
 
Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018Mender.io
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Mender.io
 
Linux IoT Botnet Wars - ESC Boston 2018
Linux IoT Botnet Wars - ESC Boston 2018Linux IoT Botnet Wars - ESC Boston 2018
Linux IoT Botnet Wars - ESC Boston 2018Mender.io
 
Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018Mender.io
 
Mender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io
 
Linux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningLinux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningMender.io
 

More from Mender.io (11)

IoT Prototyping using BBB and Debian
IoT Prototyping using BBB and DebianIoT Prototyping using BBB and Debian
IoT Prototyping using BBB and Debian
 
Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and images
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to Production
 
Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
 
Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018
 
Linux IoT Botnet Wars - ESC Boston 2018
Linux IoT Botnet Wars - ESC Boston 2018Linux IoT Botnet Wars - ESC Boston 2018
Linux IoT Botnet Wars - ESC Boston 2018
 
Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018
 
Mender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io | Securing the Connected Car
Mender.io | Securing the Connected Car
 
Linux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningLinux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardening
 

Recently uploaded

Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIAGATSoftware
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfkalichargn70th171
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024MulesoftMunichMeetup
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Clinic
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIInflectra
 
GraphSummit Milan - Neo4j: The Art of the Possible with Graph
GraphSummit Milan - Neo4j: The Art of the Possible with GraphGraphSummit Milan - Neo4j: The Art of the Possible with Graph
GraphSummit Milan - Neo4j: The Art of the Possible with GraphNeo4j
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaNeo4j
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfryanfarris8
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)Dimitrios Platis
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Conceptsthomashtkim
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Henry Schreiner
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConNatan Silnitsky
 

Recently uploaded (20)

Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST API
 
GraphSummit Milan - Neo4j: The Art of the Possible with Graph
GraphSummit Milan - Neo4j: The Art of the Possible with GraphGraphSummit Milan - Neo4j: The Art of the Possible with Graph
GraphSummit Milan - Neo4j: The Art of the Possible with Graph
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
 
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Concepts
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 

Integrate IoT cloud analytics and over the-air (ota) updates with google and mender.io

  • 1. Mirza Krak Embedded Solutions Architect Mender.io Integrate IoT cloud analytics and over-the-air (OTA) updates with Google and Mender.io
  • 2. ● Over-the-air software updates for IoT and Mender introduction ● Yocto Project introduction ● Google IoT Core and Cloud IoT introduction ● Device authentication integration between Cloud IoT and Mender Session overview
  • 3. ● Mirza Krak ○ 8 years in Embedded Linux ■ U-boot and Linux kernel ■ Yocto/Buildroot ○ mirza.krak@northern.tech About me ● mender.io ○ Open-source update manager for embedded devices ○ Open source (Apache License, v2) ○ Supports a variation of update styles ■ Dual A/B rootfs layout ■ Update Modules (beta) ○ Remote deployment management (server) ○ Under active development
  • 5. Internet of Things (IoT) The Internet of things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. Embedded with electronics, Internet connectivity, and other forms of hardware (such as sensors), these devices can communicate and interact with others over the Internet, and they can be remotely monitored and controlled Source: WikipediaIt means taking all the things in the world and connecting them to the internet
  • 6. Connected devices must be remotely updatable ● There will be bugs, vulnerabilities ○ 1-25 per 1000 lines of code* ○ Botnets w/ millions of devices: Mirai, Hajime, Brickerbot ● … and new features ● … after device is deployed to the field *Source: Steve McConnell, Code Complete Source: Ars Technica
  • 7. IoT devices are in a harsh environment ● Remote ○ Expensive to reach physically ● Long expected lifetime ○ 5 - 10 years ● Unreliable power ○ Battery ○ Suddenly unplugged ● Unreliable network ○ Intermittent connectivity ○ Low bandwidth ○ Insecure What can go wrong?
  • 8. Criteria for IoT software update management ● Robust and secure ● Atomic installation & consistent across devices ● Secure transport and codesigning ● Integrates with existing development environment ● Easy to get started ● Bandwidth consumption ● Downtime during update What can go wrong?
  • 9. General IoT update manager workflow Detect update (secure channel) Download (secure channel) Integrity (e.g. checksum) Authenticate (e.g. signature) DecryptExtract Install Failure recovery (e.g. roll back) Compatibility check Sanity checks Post-install actions Pre-install actions Must-have Environment-specific (Re)Start* *E.g. reboot, restart service, start container
  • 10. Mender provides both client and server ● Client-server model ○ Apache 2.0 ○ Mender provides both, including web UI ○ No need to “glue” several projects ○ Server can integrate with 3rd party clients through its REST API ● Supports updating ○ File system images ○ Update Modules (beta) ■ Application updates ■ Containers ■ nd more
  • 11. Mender uses a dual A/B system layout ● Very robust ○ Fully atomic and consistent ● Integrates well ○ OS, kernel, apps unchanged ○ Needs bootloader “flip” support ○ Partition layout, requires 2x rootfs storage ● Fairly short downtime (minute) ○ 1 reboot OS A (active) Bootloader Device/System OS B (inactive) Kernel Kernel ● Mender deploys to inactive partition, then reboots into it ○ Common design for IoT ○ Used in newer Androids (‘N’ and later)
  • 12. Mender - server Mender Devices Users API Gateway TCP 443 DeviceAdm DeviceAuth UserAdm Inventory Deployments GUI Conductor Storage Proxy TCP 9000 Minio MongoDB ElasticSearch Redis Filesystem external clients stateless application layer persistent storage ● Microservices ● Only port 433 and 9000 ● RESTful API ○ Device API ○ Management API /api/management/v1/deployments /api/management/v1/admission /api/management/v1/devauth/ …. https://docs.mender.io/apis/overview
  • 13. Yocto Project is a Linux build system “It's not an embedded Linux Distribution, It creates a custom one for you.” ● Structured way to build a Linux distribution from source, using software “meta layers” ● Flexible and very portable between hardware ○ Requires some learning ● Probably the most popular Linux “OS” for IoT devices ○ Major board manufacturers provide BSPs as Yocto meta layers ● Mender provides meta-mender for integrating the Mender client ● Google provides meta-gcp-iot for integrating Mender and MQTT telemetry application
  • 14. Google IoT Core “Cloud IoT Core is a fully managed service that allows you to easily and securely connect, manage, and ingest data from millions of globally dispersed devices” ● MQTT and HTTP protocols ● scales automatically in response to real-time changes ● industry-standard security protocols protect your data.
  • 15. Google Cloud IoT (example)
  • 16. Google IoT Core Protocol bridge MQTT protocol endpoint Automatic load balancing Global data access with Pub/Sub Device manager Configure individual devices Update and control devices Role level access control Console and APIs for device deployment and monitoring
  • 17. Device authentication is complex ● To securely authenticate to cloud services, devices need an identity and credential tuple ○ Typically a serial number and public/private keypair ● Different cloud services use different identity and credential tuples ● Result: Identity and key management becomes very complex and error-prone
  • 18. Device authentication in Google IoT Core Device identity is based on an asymmetric key-pair of two supported formats: ○ RSA 256 public key wrapped in a X.509v3 certificate ○ Elliptic curve (ECDSA) algorithm using P-256 and SHA-256 [more efficient, better suited for small devices] Credentials may optionally have an expiration timestamp A device can have up to 3 credentials associated with it at a time, allowing for rotation The service should never need the private key The sequence shown here is only one way to handle device provisioning
  • 19. Device authentication in Google IoT Core MQTT/HTTP broker Verify JWT signature with public key Run API Script with public key files Create JWT Secure Sign JWT Save device public key association Device Key pair securely generated in Microchip ATECC608A or NXP A71CH Provisioner Device manager OK Create device (deviceid, public key) OK Connect (device id, signed JWT) Connected Secure element w/ private keys soldered to the device Public keys passed as file
  • 20. Device authentication in Mender Unique client identity Unique client key pair Mender client IoT device Trusted server cert Root certs Mender server Mender config Trusted server cert API gateway (nginx) RSA key unique to this client. Used to sign client identity in auth requests. Will be tied to client identity in server. TLS (https) 1. Auth request: client identity, signed(client identity) 2. Reject (if client unknown/pending) or issue JWT auth token to client. Clients get JWT auth token if: A. They are preauthorized, or B. Accepted (once pending) by user/script Identity attributes (key-value). Identity scheme is customizable, typically serial number or MAC address is used. More info: Identity in Mender
  • 26. Integration based on common private key Identity tied to Private Key (secure on disk or in secure element) MQTT Client Mender Agent Mender OTA Server Google Cloud IoT Core OTA and Firmware ManagementTelemetry and Data plane
  • 27. Reference integration Step-by-step tutorial available bit.ly/mender-google