"IoT Security in AWS" - Chandler Howell, Director of Engineering Services at Nexum Inc
This presentation was given at the AWS Chicago user group event on 22 March 2017 on the Internet of Things (IoT)
https://www.meetup.com/AWS-Chicago/events/237737145/
@chandlerhowell
3. IoT/Security/Background/WhoAmI
I’m Chandler Howell
Director of Engineering at Nexum
chandler@nexuminc.com
@chandlerhowell on Twitter
Nexum is a Network & Security Reseller & Consultancy
Headquartered in Chicago
Presence East of the Mississippi River
http://nexuminc.com
6. IoT/Security/Precursors/HowToFAIL
What am I hoping you’ll avoid?
FAILURE
Harming people
Being in the news
Device recalls/updates
Getting sued
Corporate bankruptcy
Bringing bad products to market
9. IoT/Security/Precursors/Policies
You’re in the Data Business now
What data do you collect?
How long do you retain it?
Who owns the data you collect?
Do you have a published Privacy Policy?
Have you calibrated your business model with it?
Does it cover both Internal & Third Party Use, Sharing and Disclosure?
Do you have a published Service Level Agreement?
Do you have Incident Response & Disaster Recovery Plans?
10. IoT/Security/Precursors/Assumptions
If you must assume, assume things will go wrong.
* Connectivity will fail
* Network
* Device Association
* Vulnerabilities will be found
* Devices will be compromised
* Keys/Credentials will be compromised
* Retail (client)
* Wholesale (server keys)
* Data might be breached or destroyed
How will each of these affect
...your customers?
...your product?
...your company?
11. IoT/Security/Precursors/Challenges
How will you…
* Push updates to Things
* When would you force an update?
* Cryptographically verify those updates
* Track versions
* Deal with version incompatibilities
* Deal with potential downtime
12. IoT/Security/Precursors/Transport
* How much data can you lose to outages?
* How much data can you queue?
* If you can’t publish to a Thing...
* What telemetry is lost?
* What functionality is lost?
* How will you handle network limits?
* Blocking MQTT
* Blocking HTTPS
* Blocking un-inspected SSL/TLS
13. IoT/Security/AWS
Expect to use LOTS of services
* Manage access through IAM Policies & Roles
* Segment where it makes sense
* Consider CRUD needs for all access
* (Create, Read, Update, Delete)
AWS Provides some features by default
* DDoS Protection
14. IoT/Security/AWS/EC2
* This is a great place to get pwned
* “Traditional” IT brings Traditional problems
* ALL SERVERS SHOULD BE EPHEMERAL
* “Pets vs. Cattle”
* Amazon Inspector is your friend
* https://aws.amazon.com/inspector/
* Security Scanning
* Can be automated with Lambda & SNS
* Ticketing, e.g. into Jira
15. IoT/Security/AWS/Monitoring
You can’t find what you don’t look for
Log & alert changes to:
* Running instances
* Policies
* IAM Roles
* Accounts
* Security Groups
* Billing Events
* Workload spikes
* Errors & Exceptions
16. IoT/Security/AWS/HowToWin
* Harden the environment
* Delete the Root Access Keys
* Enable Multi-Factor/Strong Authentication
* Adhere to the Principle of Least Privilege
* Don’t just hand out Permissions
* RTFM on Policies & Permissions
* AWS Provides Sample Policies
* Don’t forget your processes
* User Management
* IT Inventory & Asset Management
* Vulnerability & Configuration Management
17. IoT/Security/AWS/HowToWin/2
Minimize your Attack Surfaces
* Only expose Public Services to the Internet
* Segment where it makes sense
* Limit internal access to Production
* Make use of AWS’ IAM & RBAC
* RBAC is a de facto inter-service firewall
Use real remote access
* Direct Connect
* Layer 3 VPN
* Bastion Host/Jump Box
* Assuming you absolutely HAVE to access instances directly
19. IoT/Security/AWS/MultiTenancy
Assume you need multi-tenancy…
* How distinct must the segregation be?
* Separate accounts
* Cumbersome, but most effective
* Separate data stores
* Doable, but shifts complexity into the business logic
* Common data stores with key fields
* Best option if it is an option
20. IoT/Security/Multi-Tenancy/IAM
* Not complete or by default in all services
* Fine-grained access control through AWS Identity & Access Management (IAM)
But… some Control Plane calls are not (yet), e.g. “list-things” will show all devices, not just a tenant’s devices
* Wrap that API to filter to just the tenant via device registry
21. IoT/Security/Multi-Tenancy/HowToWin
* Define Requirements up front
* How much segregation is enough?
* Review each service’s capabilities
* Make sure you solve before you commit
* Include tests for cross-tenant failure
* Can you CRUD resources you should not be able to?
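The tenant-scoped wrapper around list-things from slide 20 and the cross-tenant check from slide 21, as an added example (not code from the talk or from AWS). It assumes a tenant attribute on each registered thing and stands in a constructed fake registry for the real paginated ListThings call so it runs offline; untagged things are excluded on purpose.

```python
from typing import Callable, Dict, Iterator, List, Optional

# One ListThings response page: {"things": [...], "nextToken": ...}
Page = Dict

# Constructed stand-in for the account-wide device registry (not real data).
FAKE_REGISTRY = [
    {"thingName": "sensor-001", "attributes": {"tenant": "acme"}},
    {"thingName": "sensor-002", "attributes": {"tenant": "acme"}},
    {"thingName": "gateway-17", "attributes": {"tenant": "globex"}},
    {"thingName": "legacy-unit", "attributes": {}},  # registered with no tenant tag
]


def fake_list_things(next_token: Optional[str] = None, max_results: int = 2) -> Page:
    """Mimic the paginated ListThings control-plane call: it returns every thing
    in the account, which is exactly the leak the wrapper below has to close."""
    start = int(next_token or 0)
    page = FAKE_REGISTRY[start:start + max_results]
    more = start + max_results < len(FAKE_REGISTRY)
    return {"things": page, "nextToken": str(start + max_results) if more else None}


def iter_all_things(list_things: Callable[..., Page]) -> Iterator[Dict]:
    """Walk every page of ListThings until no nextToken is returned."""
    token = None
    while True:
        page = list_things(next_token=token)
        yield from page["things"]
        token = page.get("nextToken")
        if not token:
            return


def list_tenant_things(list_things: Callable[..., Page], tenant_id: str) -> List[str]:
    """Tenant-scoped wrapper: only things whose 'tenant' attribute matches are
    returned. Things without the attribute fail closed (never shown to anyone)."""
    return [t["thingName"] for t in iter_all_things(list_things)
            if t.get("attributes", {}).get("tenant") == tenant_id]


def cross_tenant_leak(list_things: Callable[..., Page], tenant_id: str,
                      other_tenant_things: List[str]) -> List[str]:
    """Cross-tenant test: names visible to tenant_id that belong to someone else.
    An empty list is the passing result."""
    visible = set(list_tenant_things(list_things, tenant_id))
    return sorted(visible & set(other_tenant_things))
```

The real ListThings API can also filter server-side on a single attribute name/value pair; keeping the check in the wrapper means the tenant scope is enforced even when a caller forgets to pass that filter.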
22. IoT/Security/AWS/Lambda
* This is where the magic happens
* Good Magic
* like working code
* Bad Magic
* AppSec vulnerabilities
* Resources like OWASP apply here, too
* http://www.owasp.org
* Open Web Application Security Project
* SANS Also has great AppSec training
* http://sans.org
24. IoT/Security/Transport/HTTP
* HTTP
* POST to a RESTful API
* Only scales so far
* Included for completeness
* <AWS IoT Endpoint>/topics/<url_encoded_topic_name>?qos=1
* Uses AWS Signature Version 4
* Add either a Query String param or an Authorization: header
GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request,
SignedHeaders=content-type;host;x-amz-date,
Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
content-type: application/x-www-form-urlencoded; charset=utf-8
host: iam.amazonaws.com
x-amz-date: 20150830T123600Z
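The Signature Version 4 computation behind the Authorization: header above, applied to the AWS IoT HTTPS publish endpoint from this slide, as an added example (not code from the talk or the AWS SDKs). It assumes a placeholder endpoint host, constructed credentials, a topic name without slashes (so no URL-encoding step is needed), and the AWS IoT data plane signing name iotdata.

```python
import hashlib
import hmac
from datetime import datetime, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "iotdata"  # signing name of the AWS IoT data plane (HTTPS publish)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    """kSigning: chain HMACs over date, region, service and the literal 'aws4_request'.
    The raw secret key never signs a request directly."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sign_iot_publish(access_key: str, secret: str, host: str, region: str, topic: str,
                     payload: bytes, amz_date: str = None, qos: int = 1) -> dict:
    """Headers for POST https://{host}/topics/{topic}?qos={qos} signed with SigV4.
    topic must already be URL-encoded; here it is a plain name with no '/'."""
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    headers = {"content-type": "application/json", "host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    # Canonical headers: lowercase name, trimmed value, one per line, sorted by name.
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "POST", f"/topics/{topic}", f"qos={qos}", canonical_headers, signed_headers,
        hashlib.sha256(payload).hexdigest()])  # payload hash binds the body to the signature
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers
```

Because x-amz-date is part of both the signed headers and the credential scope, a captured request cannot be replayed on another day, and changing one byte of the payload invalidates the signature.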
25. IoT/Security/Transport/WebSocket
* WebSocket tunnels MQTT over HTTP(S)
* Good for passing firewalls
* Runs over port 443
* Uses the HTTP UPGRADE verb
* Also AWS uses Signature Version 4
* URL Format:
wss://<endpoint>.iot.<region>.amazonaws.com/mqtt
* Best if you have a hub forwarding traffic
* Either no MQTT allowed
* or older, crypto-incapable devices
27. IoT/Security/Transport/MQTT/QoS
* 3 Quality of Service (QoS) Options
* 0 – At most once
* Best Effort
* No retry, no acknowledgement
* 1 – At least once
* Retry until acknowledgement received
* May result in multiple deliveries
* 2 – Guaranteed single delivery
* Full send-ack transaction & queueing
30. IoT/Security/Transport/MQTT/HowToWin
* Use X.509 Certificates for Authentication
* Always use TLS if possible
* Use AWS IAM to define device roles
* Follow Principle of Least Privilege
* Test for Information Leakage
* e.g. aws iot list-devices in multi-tenant environments
* If you have insecure legacy devices, use
a broker for secure upstream transport
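What “Principle of Least Privilege” looks like for a certificate-authenticated device, as an added example (not from the talk): an AWS IoT Core policy, attached to the device certificate, that lets a thing connect only as itself and talk only on its own topics, plus a small audit that flags wildcard grants. The region, account id and the devices/... topic layout are constructed placeholders; ${iot:Connection.Thing.ThingName} is the AWS IoT policy variable resolved from the thing attached to the connecting certificate.

```python
from typing import Dict, List

THING = "${iot:Connection.Thing.ThingName}"  # resolved per connection by AWS IoT


def least_privilege_thing_policy(region: str, account_id: str) -> Dict:
    """One policy document shared by every device; the policy variable scopes it
    to the connecting thing, so no per-device policy needs to be generated."""
    arn = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Connect only with a client id equal to the thing name.
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{THING}"},
            # Publish telemetry only to the device's own topic.
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": f"{arn}:topic/devices/{THING}/telemetry"},
            # Subscribe uses topicfilter ARNs, Receive uses topic ARNs.
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/devices/{THING}/commands"},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": f"{arn}:topic/devices/{THING}/commands"},
        ],
    }


def audit_policy(policy: Dict) -> List[str]:
    """Flag Allow statements whose Action or Resource is a bare or service-wide wildcard."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append(f"statement {i}: wildcard resource {resources}")
    return findings


# Constructed example of the shape this audit is meant to catch: one compromised
# certificate would be able to publish and subscribe anywhere in the account.
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}
```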
31. IoT/Security/Transport/MQTT/PSA
Public Service Announcement:
Username & Password are even less of your friend than usual
(Yes, that’s the username & password being sent in the clear!)
32. IoT/Security/Clients
* Researcher focus has largely been on clients
* Soft targets
* Riddled with Amateur Hour vulnerabilities
* Weak machines
* Under their physical control
* Fewer legal issues
* Ecosystem testing still the realm of authorized testers
* They don’t generally publish
* So less data to assume against
33. IoT/Security/Clients/HowToFail
* A few pitfalls to avoid
* Use of no/default credentials
* Re-use of keys or credentials
* Hard coding credentials
* Assuming a friendly deployment environment
* Running unnecessary services
* Especially network services
* Not using signed/secure images
34. IoT/Security/Clients/HowToWin
* Incorporate security into your design
* Threat Model
* Educate yourself on AppSec
* Scan/Attack your services & device ports
* Dynamic Analysis tools
* Run Static Analysis tools on your source code
* Or at least include failure-mode tests
* Consider credential storage on the client
* How hard is credential (key) compromise?
* What do those keys get you?
* Do you leak credentials, e.g. Wi-Fi?
36. IoT/Security/Resources
* Security & Identity for AWS IoT
* https://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html
* Things I wish I’d known before I started working with AWS
* https://wblinks.com/notes/aws-tips-i-wish-id-known-before-i-started/
* especially this change monitoring script
* https://s3.amazonaws.com/reinvent2013-sec402/SecConfig.py
* AWS Security Blog Post: Automatic Remediation with AWS Inspector
* https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/
* MQTT Security Fundamentals
* http://www.hivemq.com/mqtt-security-fundamentals/
* AWS IoT Protocols
* https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html
* How to bridge Mosquitto MQTT Broker to AWS IoT
* https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/
* Multi-Tenant Storage with DynamoDB
* https://aws.amazon.com/blogs/apn/multi-tenant-storage-with-amazon-dynamodb/
* AWS Access Management
* https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html