The document discusses the security implications of various incidents related to embedded systems, emphasizing the ease of hacking due to unpatched software. It outlines different encryption algorithms and security methods used in AllJoyn, a framework for building IoT applications, including asymmetric and symmetric key encryption techniques. The content highlights the importance of secure connections and the need for regular software updates in embedded systems to prevent vulnerabilities.

1. Identity & Security In AllJoyn 14.06
Tim Kellogg
Saturday, July 19 2014

2. https://github.com/tkellogg/alljoyn-examples
https://github.com/tkellogg/alljoyn-
core/tree/master/alljoyn_core/src

3. Embedded Security

4. Mitsubishi EMI Incident (2003)
• Brakes disabled when given 1000-10000x legal
levels of EMI radiation
• Car thinks brakes are locked, so it releases
• All within limits required by law

5. Slammer Worm (2003)
• Nuclear plant safety monitoring disabled for 5
hours
• “The business value of access to the data
within the control center worth the risk of
open connections between the control center
and the corporate network”
• Unpatched MSSQL Server

6. Hello, my name is Bruce Schneier and I
think routers are super duper easy to
hack, mostly because you nerds never
patch the software
https://www.schneier.com/essays/archives/2014/01/the
_internet_of_thin.html

7. University of Washington Study (2010)
“We demonstrate that an attacker who is able to
infiltrate virtually any Electronic Control Unit
(ECU) can leverage this ability to completely
circumvent a broad array of safety-critical
systems”
http://www.autosec.org/pubs/cars-
oakland2010.pdf

8. Hey, check it out! I
made my own
encryption algorithm

10. Embedded Needs “Rails”
• Software Updates
• Security & Identity
• Communication
• Media Streaming
• User Interfaces

11. Distributed Bus

12. Distributed Bus

13. Security

14. Auth Listeners
• ALLJOYN_RSA_KEYX – X.509 certificates
• ALLJOYN_SRP_KEYX – Show Random PIN
• ALLJOYN_SRP_LOGON – preset U/P table
• ALLJOYN_ECDHE_NULL
• ALLJOYN_ECDHE_PSK
• ALLJOYN_ECDHE_ECDSA – DSA

15. ALLJOYN_RSA_KEYX
• RSA = Asymmetric key encryption
• X.509 certificates
– Trusted Certificate Authority

16. SRP_KEYX & SRP_LOGON
• Threshold Cryptography
• No trust required to establish a secure
connection
• LOGON = Username & Password
• KEYX = A PIN is displayed

17. ALLJOYN_SRP_KEYX

18. ECDHE
• Elliptic Curve (EC) Cryptography
• DHE = Diffie-Hellman key Exchange
– Symmetric key encryption

19. ALLJOYN_ECDHE_NULL
• Elliptic Curve Encryption
• No verification of identity

20. ALLJOYN_ECDHE_PSK
• PSK = Pre-Shared Key
• Service already has the client’s public key
• A password may also be used

21. ALLJOYN_ECDHE_ECDSA
• ECDSA – Elliptic Curve Digital Signature
Algorithm
• Certificate shows identity

23. Questions?
@kellogh
Practical Internet of Things