View
8
Download
0
Category
Preview:
Citation preview
@pzfreo #hypworld
THE IDENTITY OF THINGSPaul FremantleCo-Founder, WSO2Researcherpaul.fremantle@port.ac.uk@pzfreo
@pzfreo #hypworld
Firstly, does it even matter?
@pzfreo #hypworld
@pzfreo #hypworld
Three rules for IoT security• 1. Don’t be stupid
• 2. Be smart
• 3. Think about what’s different
@pzfreo #hypworld
Three rules for IoT security• 1. Don’t be stupid
• The basics of Internet security haven’t gone away• 2. Be smart
• Use the best practice from the Internet• 3. Think about what’s different
• What are the unique challenges of your device?
@pzfreo #hypworld
@pzfreo #hypworld
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
@pzfreo #hypworld
1998• Realized that session cookies needed to be tied to user
sessions• Scenario: Attacker has a valid login, but changes their cookie• Gets access to another user’s account
@pzfreo #hypworld
February 2015Mosquitto MQTT Server 1.4 Release Notes• When a durable client reconnects, its queued messages
are now checked against ACLs in case of a change in username/ACL state since it last connected.
@pzfreo #hypworld
@pzfreo #hypworld
So what is different about IoT?• The longevity of the device
• Updates are harder (or impossible)• The size of the device
• Capabilities are limited – especially around crypto• The fact there is a device
• Usually no UI for entering userids and passwords• The data
• Often highly personal• The mindset
• Appliance manufacturers don’t think like security experts• Embedded systems are often developed by grabbing existing
chips, designs, etc
@pzfreo #hypworld
Physical Hacks
A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdfKarsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
@pzfreo #hypworld
@pzfreo #hypworld
Or try this at home?http://freo.me/1g15BiG
@pzfreo #hypworldhttp://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
@pzfreo #hypworld
Sensor Fingerprints
@pzfreo #hypworld
Ubertooth
http://ubertooth.sourceforge.net/https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan
@pzfreo #hypworld
Hardware recommendations• Don’t rely on obscurity
@pzfreo #hypworld
Hardware recommendations• Don’t rely on obscurity• Don’t rely on obscurity• Don’t rely on obscurity• Don’t rely on obscurity• Don’t rely on obscurity• Don’t rely on obscurity• Don’t rely on obscurity
@pzfreo #hypworld
Hardware Recommendation #2• Unlocking a single device should risk only that device’s
data
@pzfreo #hypworld
SecurityCharacteristic
Device / Hardware Network Cloud / Server-Side
Confidentiality Hardware attacks Encryption with low capability devices
Privacy concerns
Integrity Spoofing;Lack of attestation
Signatures with low capability devices
As usual
Availability Physical attacks;Radio jamming
Unreliable networks
As normal
Authentication Lack of user input;Hardware retrieval of keys
Challenges of using federated identity
Lack of standards around DeviceIdentity
Access Control Physical access;Lack of local authentication
As usual User managed access controls needed
Non-Repudiation No secure localstorage; Low capability devices
Signatures with low capability devices
As normal
@pzfreo #hypworld
Problem statement• “Consumers, not companies, own the data collected by Internet of
Things devices.” Limor Fried• Privacy: “Users must be empowered to execute effective controls
over their personal information” Cavoukian
https://www.flickr.com/photos/opensourceway
@pzfreo #hypworld
PRIVACY BY DESIGN• Proactive not Reactive; Preventative not Remedial• Privacy as the Default Setting• Privacy Embedded into Design• Full Functionality – Positive-Sum, not Zero-Sum• End-to-End Security – Full Lifecycle Protection• Visibility and Transparency – Keep it Open• Respect for User Privacy – Keep it User-Centric
@pzfreo #hypworld
IDENTITY IS THE NEW PERIMETER
@pzfreo #hypworld
@pzfreo #hypworld
Identity as a perimeter• Security controls based on identity
• Not location• Not IP address• Not VPN
• However, this raises questions of anonymity and tracking
@pzfreo #hypworld
Requirements for Identity and Privacy of Things• Federated
• Your choice of provider
• Scalable• Capable of coping with billions of devices
• User Managed• Users get to control what data is shared and with whom
• Secure• Not broken yet!
@pzfreo #hypworld
Passwords• Passwords suck for humans• They suck even more for devices
@pzfreo #hypworld
@pzfreo #hypworld
@pzfreo #hypworld
Why Federated Identity for IoT?• Can enable a meaningful consent mechanism for sharing
of device data• Giving a device a token to use on API calls better than
giving it a password• Revokable• Granular
• May be relevant for both• Device to cloud• Cloud to app
@pzfreo #hypworld
Dynamic Client Registration• Solves the problem of “Breaking one device breaks them
all”• A RESTful API (part of OpenID Connect)• Allows a manufacturing process to get fresh credentials
for each device• https://openid.net/specs/openid-connect-registration-
1_0.html
@pzfreo #hypworld
More information
https://www.researchgate.net/publication/264347555_Federated_Identity_and_Access_Management_for_the_Inernet_of_Things
https://www.researchgate.net/publication/274897865_Web_API_Management_Meets_the_Internet_of_Things
@pzfreo #hypworld
Why really?
Your IoT data privacy should not rely on the maker of a specific device
@pzfreo #hypworld
Uber, the taxi-ordering app, can use more sophisticated technology to track people than the police, according to Britain’s top officer.
@pzfreo #hypworld
Uber admitted employees abused God View
@pzfreo #hypworld
What is the value of connection?
@pzfreo #hypworld
The current situation
Majority of IoT networks today
Private API
Device
Web systems:Ecosystems, On-demand signup,rich set of clients
@pzfreo #hypworld
Hyperconnected• My definition
• When each device is potentially linked to every other device
@pzfreo #hypworld
De-anonymization
@pzfreo #hypworldhttps://firstlook.org/theintercept/2015/07/01/nsas-google-worlds-private-communications/
@pzfreo #hypworld
Are you creating the next privacy breach?
@pzfreo #hypworld
@pzfreo #hypworld
@pzfreo #hypworld
The IoT Dog Collar - Whistle
@pzfreo #hypworld
https://www.flickr.com/photos/themacinator/On the Internet of Things,
no-one knows you are a dog-collar.
@pzfreo #hypworld
Thank you!
https://www.flickr.com/photos/nateone
Recommended