
A New Solution to the IoT Security Problem

Two-factor authentication can work for the IoT similar to how it works for online commerce. This presentation explores the rationale and provides a range of implementation options. We also explore the use of an IoT "back channel" for applications like a "kill switch".

Published in: Technology

  1. 1. A New Solution to the IoT Security Problem 1
  2. 2. Agenda 1. The IoT Security Problem 2. Introducing the IoT Back Channel 3. More Back Channel Use Cases 4. How To Implement the IoT Back Channel 2
  3. 3. Introduction • The internet of things (IoT) industry faces a serious, global security threat. • There is no “silver bullet” for IoT security. • We see an opportunity to address IoT security using a relatively conventional method coupled with recent innovations in wireless networking. 3
  4. 4. The IoT Security Pandemic • What: Millions of devices that have been or will soon be discovered, hacked, modified, or hijacked • Who is affected: Enterprise, industrial, government, consumer users • Where: Worldwide • How: Poor crypto practices, weak or non-existent firmware update practices, manufacturers in denial, limited regulatory oversight, humans • Risks: Disabled or hijacked physical world objects like Mirai. Modified endpoint data. Ransomware attacks. Spying. Homeland security. Personal safety. 4
  5. 5. Case Study: WiFi Camera Vulnerabilities • WiFi camera streams non-stop video content, creating network congestion and opportunities for unwanted eavesdropping • WiFi SSID broadcasts continually, making for easy discovery by hackers • Ships with factory default password that is easy to discover and hack • Some manufacturers rarely or never update firmware • One of the target device types of Mirai Botnet attack of Sept 2016 • Some IP cameras rely on cloud services via non-HTTPS connections 5
  6. 6. New IoT Security Requirements

     | Traditional IoT Security Requirement | Challenges | New IoT Security Requirement |
     |---|---|---|
     | Single-Factor Authentication | Vulnerable to variety of attacks. Outdated authentication convention. | Multiple Factor Authentication |
     | Key distribution at time of manufacturing | Vulnerable to security leaks, customer negligence. | Dynamic key distribution |
     | Broadcasted Unique Identifier | Ease of discovering endpoints helps hackers. | Hidden Unique Identifier |
     | Single Method of Firmware Update | Compromised endpoint may deny attempts to update firmware or restore factory defaults. | Multiple Means of Firmware Updates |
     | No Kill Switch Requirement | Increasingly autonomous endpoints. Artificial Intelligence. | Kill Switch |
     | Single Means of Configuration, Control, Alerts, Audit. | Tasks suited to narrowband or asynchronous comms are instead executed with resource-intensive and easily hacked broadband or other vulnerable wireless comm link | Multiple Means of Configuration and Control |

  7. 7. Agenda 1. The IoT Security Problem 2. Introducing the IoT Back Channel 3. More Back Channel Use Cases 4. How To Implement the IoT Back Channel 7
  8. 8. We Have Online Back Channels • Secondary forms of communication or “back channels” are now widely deployed as an internet security measure • A second authentication credential is shared via a second network that is distinct from the first network 8
  9. 9. So Why No IoT Back Channel? • Network availability. Lack of affordable, low power, long range network technology made a back channel impractical. • Networking protocols. Most wireless protocols cannot execute the requirements of an IoT back channel. Example: LoRaWAN. • Costs. Incremental costs can outweigh the benefits. Paying $10 per year (or even $5) for a cellular-based back channel is a non-starter when the goal is a sub-$20 endpoint. 9
  10. 10. Now Available: A Viable IoT Back Channel • A “companion” wireless connection that enhances endpoint security and adds other valuable features • Utilizes a discrete long range “LPWAN” radio and networking protocol that is inaccessible outside that radio’s local or metropolitan coverage area • Can be implemented at a modest incremental cost and minimal or no impact to form factor • Addresses many IoT security requirements (Diagram: Endpoint, Two Radios, Default Gateway, Back Channel Device, Application) 10
  11. 11. Two Factor Authentication: Here’s just one example of how a back channel can help the IoT 11
  12. 12. Two Factor Authentication: Here’s just one example of how a back channel can help the IoT. We use the WiFi camera example throughout this presentation … but the back channel can be applied to many IoT device types 12
  13. 13. Two Factor Authentication: Here’s just one example of how a back channel can help the IoT. (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) 13
  14. 14. Two Factor Authentication: Here’s just one example of how a back channel can help the IoT. (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) Step 1: End user seeks to access camera endpoint, via browser (application). 14
  15. 15. Two Factor Authentication: Here’s just one example of how a back channel can help the IoT. (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) Step 1: End user seeks to access camera endpoint, via browser (application). Step 2: Camera endpoint notifies WiFi gateway that a second credential is required and will be sent via the back channel. 15
  16. 16. Two Factor Authentication: Here’s just one example of how a back channel can help the IoT. (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) Step 1: End user seeks to access camera endpoint, via browser (application). Step 2: Camera endpoint notifies WiFi gateway that a second credential is required and will be sent via the back channel. Step 3: Endpoint transmits credential via LoRa-enabled LPWAN back channel and displays information on back channel device screen. 16
  17. 17. Two Factor Authentication via Back Channel: Authentication credential is only accessible to a user within the 1-2 mile (average) range of the LoRa-enabled endpoint, thus providing an additional physical layer/filter of authentication. (Diagram: Endpoint, WiFi Router, Back Channel Device; 1-2 mile range) 17
  18. 18. Two Factor Authentication via Back Channel: Alternatively, back channel device can operate in a purely “passive” mode (e.g. using a key fob or other token with no visual display), where endpoint simply confirms that back channel device associated with entity performing a query is within range before authenticating WiFi-based command. (Diagram: Endpoint, WiFi Router, Back Channel Device) 18
  19. 19. Two Factor Authentication via Back Channel: Or, a less secure but potentially more convenient approach would use conventional 2-factor techniques like text messaging, email, or voice call authentication, requiring an internet connection from the back channel device. (Diagram: Endpoint, WiFi Router, Back Channel Device) 19
  20. 20. Back Channel Requirements

      | Requirement | Description |
      |---|---|
      | Bi-directional | Public key crypto, firmware updates, configuration and control all require a fully bi-directional wireless protocol. |
      | Long Range | Back channel gateways may be dynamically tuned to validate endpoints within range as far as 10 miles and as short as 100 meters. |
      | Low Power | Back channel may be embedded in battery-powered endpoints or mobile gateways like smart cards, smartphones, key fobs, and more. |
      | Real-Time | Back channel must have latency of less than 2 seconds to minimize inconvenience of the additional authentication process and to facilitate real-time queries of the endpoint. For mission-critical or emergency/safety applications, real-time is non-negotiable. |
      | Listen-Before-Talk | Back channel must remain quiet to maximize privacy and battery life of the endpoint as well as mobile back channel gateways, and also to minimize network congestion. |
      | OTA Firmware | Back channel involved in any security or authentication task must have the ability to execute over-the-air firmware updates. |
      | Public Key Crypto | Back channel must support public key encryption, tokenization |
      | Low Cost | Price-sensitive end users are likely to pay only modestly, we believe, for an IoT back channel, probably <$5.00/unit. |

  21. 21. Back Channel Technology Options Requirement LoRaWAN Sigfox LTE Cat-M1 NB-IoT Bi-directional ✓ ❌ ❌ ✓ ✓ Long Range ✓ ✓ ✓ ✓ ✓ Low Power ✓ ✓ ✓ ❌ ❌ Real-Time ✓ ❌ ❌ ✓ ✓ Listen-Before-Talk ✓ ❌ ❌ ❌ ✓ OTA Firmware ✓ ❌ ❌ ✓ ✓ Public Key Crypto ✓ ❌ ❌ ✓ ✓ Low Cost ✓ ✓ ✓ ❌ ❌ by 21
  22. 22. Agenda 1. The IoT Security Problem 2. Introducing the IoT Back Channel 3. More Back Channel Use Cases 4. How To Implement the IoT Back Channel 22
  23. 23. This Goes Way Beyond Security (IoT Back Channel) • Configuration: Configure sensor parameters • Alerts: Receive environmental sensor alerts (e.g. motion, temperature) without invoking broadband connection • Maintenance: Update firmware, restore factory settings • Query: Search and query the content stored at the endpoint and avoid unnecessary streaming • Security: Provide two-factor authentication, perform public key encryption, distribute and refresh keys and tokens • Privacy: Eliminate traditional SSID, avoid needless broadcasting of unique IDs • Audits: Audit inventory of keys and tokens, firmware versions, sensor logs, battery life, maintenance history • Control: Emergency kill switch, turn WiFi On/Off (low power wakeup), set rules, send command to endpoint 23
  24. 24. Endpoint “Kill Switch” • In the event of an endpoint hijack or malfunction, the IoT back channel can be used to disable the endpoint and prevent further spread of a botnet or stop physical harm to humans or property • Kill switches are common. Smartphones, boating, mass transit, and many other examples. • As artificial intelligence enables increasingly autonomous IoT endpoints, we will sleep better knowing there is an IoT kill switch available. 24
  25. 25. Endpoint Kill Switch: How It Works (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) 25
  26. 26. Endpoint Kill Switch: How It Works (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) Step 1: Camera endpoint is hijacked by “botnet army” such as Mirai. Endpoint participates in DDoS attacks, etc. 26
  27. 27. Endpoint Kill Switch: How It Works (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) Step 1: Camera endpoint is hijacked by “botnet army” such as Mirai. Endpoint participates in DDoS attacks, etc. Step 2: Application is unable to access camera endpoint via WiFi. 27
  28. 28. Endpoint Kill Switch: How It Works (Diagram: Endpoint, WiFi Router, Back Channel Device, Application) Step 1: Camera endpoint is hijacked by “botnet army” such as Mirai. Endpoint participates in DDoS attacks, etc. Step 2: Application is unable to access camera endpoint via WiFi. Step 3: Back channel device is invoked to disable or “kill” the endpoint. 28
  29. 29. Device Management: The IoT back channel brings new ways of maintaining and operating endpoints • Firmware updates. Perform more secure firmware updates without using the broadband channel. Does not rely on the use of broadcasting with global keys over the broadband connection, which is easily hacked (see Philips Hue light bulb hack for more). 29
  30. 30. Device Management: The IoT back channel brings new ways of maintaining and operating endpoints • Configure and control WiFi, Cellular, and Bluetooth devices without invoking those radios, optimizing battery life and privacy. Restore factory settings. • Firmware updates. Perform more secure firmware updates without using the broadband channel. Does not rely on the use of broadcasting with global keys over the broadband connection, which is easily hacked (see Philips Hue light bulb hack for more). 30
  31. 31. Device Management: The IoT back channel brings new ways of maintaining and operating endpoints • Configure and control WiFi, Cellular, and Bluetooth devices without invoking those radios, optimizing battery life and privacy. Restore factory settings. • Firmware updates. Perform more secure firmware updates without using the broadband channel. Does not rely on the use of broadcasting with global keys over the broadband connection, which is easily hacked (see Philips Hue light bulb hack for more). • Instant handshaking. Complete handshaking with WiFi, Bluetooth and other devices with painfully slow handshaking protocols in under two seconds using a real-time IoT back channel. 31
  32. 32. Device Management: The IoT back channel brings new ways of maintaining and operating endpoints • Configure and control WiFi, Cellular, and Bluetooth devices without invoking those radios, optimizing battery life and privacy. Restore factory settings. • Instant handshaking. Complete handshaking with WiFi, Bluetooth and other devices with painfully slow handshaking protocols in under two seconds using a real-time IoT back channel. • Firmware updates. Perform more secure firmware updates without using the broadband channel. Does not rely on the use of broadcasting with global keys over the broadband connection, which is easily hacked (see Philips Hue light bulb hack for more). • Alerts. Route environmental sensor-based alerts through the back channel. 32
  33. 33. Device Management: The IoT back channel brings new ways of maintaining and operating endpoints • Configure and control WiFi, Cellular, and Bluetooth devices without invoking those radios, optimizing battery life and privacy. Restore factory settings. • Power + Network Management. Utilize a “wake-on” LPWAN radio to “wake up” an otherwise high powered endpoint running cellular, WiFi, or satcom radios. Radios remain in “sleep” mode until awoken, at which point they can engage in conventional communications and return to sleep mode. • Firmware updates. Perform more secure firmware updates without using the broadband channel. Does not rely on the use of broadcasting with global keys over the broadband connection, which is easily hacked (see Philips Hue light bulb hack for more). • Alerts. Route environmental sensor-based alerts through the back channel. • Instant handshaking. Complete handshaking with WiFi, Bluetooth and other devices with painfully slow handshaking protocols in under two seconds using a real-time IoT back channel. 33
  34. 34. Back Channel = Device Stealth • “Discovery-broadcast” models of WiFi, Bluetooth, ZigBee, and LPWANs expose hackable traffic patterns to listeners. • A stealthy listen-before-talk model eliminates such traffic patterns. • Innovation: key distribution (as in WiFi) can be done in co-ordination with stealthy back channel. • Additional Reading (weblink): A Simple Proposal To Improve Security for the Internet of Things 34
  35. 35. Agenda 1. The IoT Security Problem 2. Introducing the IoT Back Channel 3. More Back Channel Use Cases 4. How To Implement the IoT Back Channel 35
  36. 36. Endpoint Implementation Example: WiFi Camera

      | | Primary Channel | Back Channel |
      |---|---|---|
      | Standard | WiFi 802.11x | DASH7 + LoRa |
      | Primary Task | Stream live video and audio | Provide second-factor authentication |
      | Other Jobs | — | Configuration and control of camera, over-the-air firmware updates, key refresh, query endpoint content, enviro sensor alerts |
      | Radio Frequency | 2.45/5GHz | 433/915/868 MHz |
      | Max Data Rate | up to 54 Mbps | 50-200kbps |
      | Traffic Pattern | Predictable | Unpredictable |
      | Discovery | SSID Broadcast | Listen-before-talk |
      | Authentication, Encryption | WPA, WPA2 variants | AES/EAX 128 |

  37. 37. IoT Back Channel: Endpoint and Gateway Designs • WiFi Camera Endpoint: Shared MCU; Back Channel Radio - Narrowband (LoRa, NB-IoT, et al); Broadband Radio - WiFi, Cellular, Satcom; Secure Element • Conventional WiFi Router: MCU; WiFi Radio - Broadband • Back Channel Gateway: MCU; Secure Element; LPWAN Radio - Narrowband (LoRa, NB-IoT, et al) 37
  38. 38. Easy To Implement Gateways: Some examples for implementing back channel gateways. Option A: More Secure, Less Convenient. Option B: Less Secure, Most Convenient. Text Message, Voice Call, Email, USB Stick, Wireless Smart Card • Accessible only within range of the endpoint • Conventional form factors and available designs • Estimated cost between $10-20 • Requires internet connection to back channel gateway • Conventional two-factor authentication • Low cost. Fixed Display 38
  39. 39. Simplify The Back Channel Deployment Decision: Only Haystack Provides a Universal IoT Back Channel Capability That Works Across Multiple LPWAN Technologies. OSI Layer 7 Application AllJoyn, Others AllJoyn, Others AllJoyn, Others AllJoyn, Others 6 Presentation 5 Session Partial Definition 4 Transport Partial Definition 3 Network Partial Definition 2 Data Link Partial Definition 1 Physical “PHY” LoRa @ 169 - 960 MHz Various @ 315 - 930 MHz Various LTE Bands SigFox @ 900, 868 MHz NB-IoT 39
  40. 40. Back Channel Costs: Adding a back channel may be more economical than you might expect …

      | Option | Generic Approach | Endpoint | Gateway | Comments | Per Unit Cost |
      |---|---|---|---|---|---|
      | A | • Add additional radio | • Add new LPWAN radio • Add LPWAN antenna | • Add new LPWAN radio, antenna | • Semtech LoRa, TI CC 13XX, others. • LoRa is currently expensive ($4/part) but we expect competition from TI and others to drive prices lower. | $1.00 - $4.00 |
      | B | • Re-use existing radio | • Re-use existing radio for LPWAN back channel • Add LPWAN antenna | • Re-use existing radio for LPWAN back channel, add LPWAN antenna | • Back channel is a secondary networking stack over the same radio hardware. • LTE, NFC, Bluetooth, WiFi. • TI CC1350 SoC offers combo Bluetooth + Sub-1GHz LPWAN capability. | ~$0.00 |
      | C | • Re-use existing radio | — | • Re-use existing LTE or NFC radios for LPWAN back channel | • Mainly applicable to smart-phones. • Pre-existing NFC or LTE baseband chipsets may be enhanced for sub-1GHz deployments. | ~$0.00 |
      | D | • Add additional radio | N/A | • Create dedicated gateway for LPWAN back channel | • Example: back channel radio added via USB stick or other peripheral. | ~$10.00 |

  41. 41. Summary 1. Security is the #1 challenge facing the IoT industry and an IoT back channel is one component of an effective IoT security strategy. 2. Two-factor authentication is a widely-used online security convention and will play a similar role for the IoT. 3. An IoT back channel requires a fully bi-directional, low power, wide area networking technology with support for public key cryptography, over-the-air firmware updates, and listen-before-talk operation. 4. Done correctly, an IoT back channel can be low cost, easy to use, and does more than just security. 5. Haystack helps developers deploy IoT back channels. 41
  42. 42. More Information: • Haystack + DASH7 Security Overview • Haystack And A Stealthier IoT • A Unified Networking Stack for LPWAN’s • A Comparison of Haystack and LoRaWAN • Why You Can’t Google the IoT 42
  43. 43. Fin Contact: Patrick Burns pat@haystacktechnologies.com DASH7 LoRa LoRaWAN Sigfox Wi-Sun IPv6 6lowPAN NB-IoT LTE Bluetooth WiFi ZigBee Thread 802.11 NFC Dell EMC Cisco Alcatel Nokia Ericsson General Electric Intel MediaTek NXP Samsung Orange 43
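
The two-factor flow of slides 14 to 17 as a small simulation, added here as an example and not taken from the presentation or from Haystack. The back channel is a callback standing in for the LPWAN radio, and the six-digit code, 30-second lifetime and three-attempt limit are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_S = 30    # assumption: credential lifetime; the slides give no value
MAX_ATTEMPTS = 3   # assumption: guesses allowed per access request


class CameraEndpoint:
    """Toy endpoint with a primary (WiFi) channel and a separate back channel."""

    def __init__(self, back_channel_send, clock=time.monotonic):
        self._send = back_channel_send   # stands in for the LPWAN radio
        self._clock = clock
        self._pending = {}               # session_id -> [code, expires_at, attempts_left]

    def request_access(self, session_id):
        """Steps 1-2: a WiFi request arrives; a second credential is demanded."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = [code, self._clock() + CODE_TTL_S, MAX_ATTEMPTS]
        # Step 3: the credential leaves on the back channel only, never over WiFi.
        self._send(code)
        return "second credential required via back channel"

    def verify(self, session_id, presented):
        """Check the code the user read from the back channel device."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[session_id]
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(code.encode(), presented.encode())
        if ok or entry[2] == 0:
            del self._pending[session_id]   # single use; lock out after too many guesses
        return ok


def demo():
    """Run the flow with an in-memory back channel and a fake clock."""
    display = []                            # what the back channel device would show
    now = [0.0]
    cam = CameraEndpoint(display.append, clock=lambda: now[0])
    cam.request_access("s1")
    wrong = "000000" if display[-1] != "000000" else "111111"
    results = [cam.verify("s1", wrong), cam.verify("s1", display[-1]),
               cam.verify("s1", display[-1])]       # wrong guess, correct code, replay
    cam.request_access("s2")
    now[0] += CODE_TTL_S + 1
    results.append(cam.verify("s2", display[-1]))   # expired code
    return results
```

The code never travels over the primary channel, so an attacker who reaches the camera only through WiFi sees the challenge but not the credential.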
