Security challenges for IoT

1. Your Thing is pwnd: Security Challenges for the Internet of Things
   Paul Fremantle, CTO and Co-Founder, WSO2
   @pzfreo #wso2 #wso2con
2. Firstly, does it even matter?
3. "Google Hacking"
4. My three rules for IoT security
   • 1. Don't be dumb
   • 2. Think about what's different
   • 3. Do be smart
5. My three rules for IoT security
   • 1. Don't be dumb
     – The basics of Internet security haven't gone away
   • 2. Think about what's different
     – What are the unique challenges of your device?
   • 3. Do be smart
     – Use the best practice from the Internet
6. http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
7. http://freo.me/1pbUmof
8. So what is different about IoT?
   • The fact there is a device
     – Yes, it's hardware!
     – Ease of use is almost always at odds with security
   • The longevity of the device
     – Updates are harder (or impossible)
   • The size of the device
     – Capabilities are limited, especially around crypto
   • The data
     – Often highly personal
   • The mindset
     – Appliance manufacturers don't always think like security experts
     – Embedded systems are often developed by grabbing existing chips, designs, etc.
9. Physical Hacks
   • A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
   • Karsten Nohl and Henryk Plotz, MIFARE, Little Security, Despite Obscurity
10. Or try this at home?
    http://freo.me/1g15BiG
11. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
12. Hardware recommendations
    • Don't rely on obscurity
13. Hardware recommendations
    • Don't rely on obscurity
    • Don't rely on obscurity
    • Don't rely on obscurity
    • Don't rely on obscurity
    • Don't rely on obscurity
    • Don't rely on obscurity
    • Don't rely on obscurity
14. Hardware Recommendation #2
    • Unlocking a single device should risk only that device's data
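The recommendation on slide 14 is usually met by giving every unit its own key rather than a fleet-wide shared secret. The following is an added example, not code from the deck or from WSO2: a provisioning backend derives a per-device key with HKDF-SHA256 (RFC 5869) from a factory master secret that never leaves the backend, each device is flashed with only its own key, and an attacker who extracts one device's key (the physical attacks of slides 9 to 11) cannot open another device's records. The salt string, the `device-key:` info label and the encrypt-then-MAC construction with an HMAC-SHA256 counter-mode keystream are assumptions chosen to keep the example dependency-free; a production build would use AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Per-device keys: compromising one device exposes only that device's data.

Added example, not from the slides. Standard library only: HKDF-SHA256
(RFC 5869) derives each device's key from a master secret that lives only
in the provisioning backend; seal()/unseal() are encrypt-then-MAC with an
HMAC-SHA256 counter-mode keystream (an assumption made to avoid third-party
libraries, not a recommendation over AES-GCM or ChaCha20-Poly1305).
"""
import hashlib
import hmac
import secrets
from typing import Optional

HASH_LEN = 32  # SHA-256 output size in bytes
NONCE_LEN = 16


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_key(master_secret: bytes, device_id: str) -> bytes:
    """Backend only. The master secret never leaves provisioning; the device is
    flashed with just the 32-byte key this returns for its own ID.
    Salt and info labels are assumptions for this example."""
    return hkdf_sha256(master_secret, b"iot-provisioning-v1",
                       b"device-key:" + device_id.encode())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(enc_key, nonce || counter) blocks, concatenated."""
    out = b""
    for counter in range((length + HASH_LEN - 1) // HASH_LEN):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce (16) || ciphertext || tag (32)."""
    enc_key = hkdf_sha256(key, b"", b"enc")
    mac_key = hkdf_sha256(key, b"", b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + HASH_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-HASH_LEN], blob[-HASH_LEN:]
    enc_key = hkdf_sha256(key, b"", b"enc")
    mac_key = hkdf_sha256(key, b"", b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def cross_device_readable(master_secret: bytes, victim: str, attacker: str, record: bytes) -> bool:
    """The slide's threat model: the attacker has pulled `attacker`'s key off its
    own hardware. Can that key open a record sealed for `victim`?"""
    blob = seal(device_key(master_secret, victim), record)
    return unseal(device_key(master_secret, attacker), blob) is not None


if __name__ == "__main__":
    master = b"factory-master-secret"  # constructed sample; real one lives in an HSM
    print("same device:", cross_device_readable(master, "dev-0001", "dev-0001", b"temp=21.5"))
    print("other device:", cross_device_readable(master, "dev-0001", "dev-0002", b"temp=21.5"))
```

The property that matters is in `device_key`: because the derivation is one-way, holding one derived key gives no path back to the master or sideways to another device's key, so a lab teardown of one unit bounds the loss to that unit.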
15. The Network
16. http://ubertooth.sourceforge.net/
    https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan (Mike Ryan, WOOT '13, on sniffing Bluetooth Low Energy)
17. Crypto on small devices
    • Practical Considerations and Implementation Experiences in Securing Smart Object Networks
      – http://tools.ietf.org/html/draft-aks-crypto-sensors-02
18. ROM requirements
19. ECC is possible (and about fast enough)
20. Crypto
    Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
21. Won't ARM just solve this problem?
22. Cost matters
    8-bit MCU:  $5 retail, $1 or less to embed
    32-bit MCU: $25 retail, $?? to embed
23. Another option?
24. SIMON and SPECK
    https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
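Slides 17 to 24 argue that crypto on an 8-bit part is a code-size and cycle-count problem, and SPECK is offered as an option because its round function is nothing but modular add, rotate and XOR. The block below is an added example, not from the deck or the Schneier post it links: Speck32/64 (16-bit words, 64-bit key, 22 rounds, rotation amounts 7 and 2) in pure Python, checked against the published test vector. The tiny footprint is visible directly: the whole cipher is two rotates, one add and two XORs per round, with no S-box tables to hold in ROM.

```python
"""Speck32/64: the smallest published Speck variant, add-rotate-xor only.

Added example, not from the slides. Word size 16, key 64 bits, 22 rounds,
alpha = 7, beta = 2, as in the NSA design paper. Block words are written
(x, y) with x the first word as printed in the paper's test vectors.
"""
WORD = 16
MASK = (1 << WORD) - 1
ROUNDS = 22
KEY_WORDS = 4
ALPHA, BETA = 7, 2


def rol(v: int, r: int) -> int:
    return ((v << r) | (v >> (WORD - r))) & MASK


def ror(v: int, r: int) -> int:
    return ((v >> r) | (v << (WORD - r))) & MASK


def key_schedule(key: int) -> list:
    """Expand the 64-bit key (printed k3 k2 k1 k0, so k0 is the low word)
    into ROUNDS round keys. Same structure as the round function itself."""
    k = [(key >> (WORD * i)) & MASK for i in range(KEY_WORDS)]
    l = k[1:]            # l0, l1, l2
    rk = [k[0]]
    for i in range(ROUNDS - 1):
        l.append(((rk[i] + ror(l[i], ALPHA)) & MASK) ^ i)
        rk.append(rol(rk[i], BETA) ^ l[i + KEY_WORDS - 1])
    return rk


def encrypt_block(x: int, y: int, rk: list) -> tuple:
    """One 32-bit block: per round, x = (x >>> 7) + y ^ k; y = (y <<< 2) ^ x."""
    for k in rk:
        x = ((ror(x, ALPHA) + y) & MASK) ^ k
        y = rol(y, BETA) ^ x
    return x, y


def decrypt_block(x: int, y: int, rk: list) -> tuple:
    """Inverse: undo the y update, then the x update, with round keys reversed."""
    for k in reversed(rk):
        y = ror(y ^ x, BETA)
        x = rol(((x ^ k) - y) & MASK, ALPHA)
    return x, y


def speck32_64_self_test() -> bool:
    """Published Speck32/64 vector: key 1918 1110 0908 0100,
    plaintext 6574 694c, ciphertext a868 42f2."""
    rk = key_schedule(0x1918111009080100)
    ct = encrypt_block(0x6574, 0x694C, rk)
    return ct == (0xA868, 0x42F2) and decrypt_block(*ct, rk) == (0x6574, 0x694C)


if __name__ == "__main__":
    print("Speck32/64 test vector:", "pass" if speck32_64_self_test() else "FAIL")
```

A block cipher alone is not an encryption scheme: a constrained stack still needs a mode of operation and an authentication tag on top, and with a 32-bit block the safe amount of data under one key in counter mode is small. Whether to use an NSA-designed cipher at all is a separate trust question, which is the subject of the Schneier post the slide links.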
25. Datagram Transport Layer Security (DTLS)
    • UDP-based equivalent to TLS
    • https://tools.ietf.org/html/rfc4347 (DTLS 1.0; DTLS 1.2 is specified in RFC 6347)
26. Key distribution
27. Passwords
    • Passwords suck for humans
    • They suck even more for devices
28. Why Federated Identity for Things?
    • Enable a meaningful consent mechanism for sharing of device data
    • Giving a device a token to use on API calls is better than giving it a password
      – Revokable
      – Granular
    • May be relevant for both
      – Device to cloud
      – Cloud to app
    • "Identity is the new perimeter"
29. MQTT
30. MQTT and OAuth2
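Slides 27 to 30 make the case for tokens over device passwords because a token can be revoked and scoped. The following is an added example, not code from the deck, from WSO2 Identity Server or from any MQTT broker: the device sends its ID as the MQTT username and a bearer token as the password, the broker's CONNECT hook checks signature, expiry and a revocation list, and its PUBLISH hook maps the token's scopes onto MQTT topic filters. The token format (base64url JSON claims plus HMAC-SHA256), the `publish:<topic filter>` scope convention and the `Broker` hook names are assumptions made for the example.

```python
"""Broker-side validation of an OAuth2-style token carried in MQTT CONNECT.

Added example, not from the slides. Assumptions: the device ID is the MQTT
username, the access token is the MQTT password, tokens are
base64url(JSON claims) + "." + base64url(HMAC-SHA256), and a scope of the
form "publish:<topic filter>" authorises publishing to matching topics.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key: bytes, device_id: str, scopes: list, ttl: int,
                jti: str, now: Optional[int] = None) -> str:
    """Authorization-server side: mint a short-lived token bound to one device."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": device_id, "scope": scopes, "jti": jti, "exp": issued + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(signing_key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(signing_key: bytes, token: str, revoked: set,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and not revoked."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] <= (time.time() if now is None else now):
            return None
        if claims["jti"] in revoked:
            return None
        return claims
    except (ValueError, KeyError, TypeError):  # malformed token of any kind
        return None


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the remaining levels."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


class Broker:
    """The two hooks a broker auth plugin needs: CONNECT and PUBLISH."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.revoked = set()  # jti values pushed by the authorization server

    def on_connect(self, username: str, password: str,
                   now: Optional[int] = None) -> Optional[dict]:
        """Accept the session only if the token is valid and was issued to this device."""
        claims = verify_token(self.signing_key, password, self.revoked, now)
        if claims is None or claims.get("sub") != username:
            return None
        return claims

    def on_publish(self, claims: dict, topic: str) -> bool:
        """Granular: the token must carry a publish scope whose filter covers this topic."""
        return any(scope.startswith("publish:") and topic_matches(scope[len("publish:"):], topic)
                   for scope in claims.get("scope", []))

    def revoke(self, jti: str) -> None:
        """Revocable: a server-side act, with no need to re-flash the device."""
        self.revoked.add(jti)


if __name__ == "__main__":
    key = b"broker-signing-key"  # constructed sample; shared with the token issuer
    broker = Broker(key)
    tok = issue_token(key, "dev42", ["publish:sensors/dev42/#"], 3600, "tok-1")
    session = broker.on_connect("dev42", tok)
    print("own topic:", broker.on_publish(session, "sensors/dev42/temp"))
    print("other device's topic:", broker.on_publish(session, "sensors/dev99/temp"))
    broker.revoke("tok-1")
    print("after revocation:", broker.on_connect("dev42", tok))
```

Two things a password cannot give you are visible here: `revoke` cuts a device off without touching its firmware, and `on_publish` confines a stolen token to the topics it was scoped for, so one compromised sensor cannot speak for the fleet.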
31. What is WSO2 Identity Server?
    An Open Source Identity and Entitlement Management Server
    • Apache Licensed
    • LDAP, JDBC, Active Directory, SCIM, SPML
    • SAML2, OpenID Connect, WS-Trust, Kerberos
    • OAuth 1.0/2.0, XACML 2.0, XACML 3.0
    • XDAS, Web Console, SOAP Admin
    • Multi-tenant, Clusterable, HA, 24x7 support
32. Other WSO2 technology to help you
    • WSO2 BAM – monitoring
    • WSO2 CEP – real-time fraud detection
    • WSO2 API Manager – securing API endpoints
33. Real-time event processing
34. Are you setting up for the next privacy or security breach?
35. Exemplars
    • Shields
    • Libraries
    • Server Frameworks
    • Standards and Profiles
36. Summary
    • 1. Don't be dumb
    • 2. Think about the differences
    • 3. Be smart
    • 4. Create and publish exemplars
37. WSO2 Reference Architecture for the Internet of Things
    http://freo.me/iot-ra
38. Thank You
