THE IDENTITY OF THINGS
Paul Fremantle, Co-Founder, WSO2; Researcher
[email protected] @pzfreo
Three rules for IoT security
• 1. Don’t be stupid
  • The basics of Internet security haven’t gone away
• 2. Be smart
  • Use the best practice from the Internet
• 3. Think about what’s different
  • What are the unique challenges of your device?
1998
• Realized that session cookies needed to be tied to user sessions
• Scenario: Attacker has a valid login, but changes their cookie
• Gets access to another user’s account
February 2015, Mosquitto 1.4 Release Notes
• When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
So what is different about IoT?
• The longevity of the device
  • Updates are harder (or impossible)
• The size of the device
  • Capabilities are limited – especially around crypto
• The fact there is a device
  • Usually no UI for entering userids and passwords
• The data
  • Often highly personal
• The mindset
  • Appliance manufacturers don’t think like security experts
  • Embedded systems are often developed by grabbing existing chips, designs, etc.
Physical Hacks
• A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
• Karsten Nohl and Henryk Plötz. MIFARE, Little Security, Despite Obscurity
Hardware recommendations
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
Security Characteristic | Device / Hardware                                  | Network                                   | Cloud / Server-Side
------------------------|----------------------------------------------------|-------------------------------------------|--------------------------------------------
Confidentiality         | Hardware attacks                                   | Encryption with low capability devices    | Privacy concerns
Integrity               | Spoofing; Lack of attestation                      | Signatures with low capability devices    | As usual
Availability            | Physical attacks; Radio jamming                    | Unreliable networks                       | As normal
Authentication          | Lack of user input; Hardware retrieval of keys     | Challenges of using federated identity    | Lack of standards around Device Identity
Access Control          | Physical access; Lack of local authentication      | As usual                                  | User managed access controls needed
Non-Repudiation         | No secure local storage; Low capability devices    | Signatures with low capability devices    | Lack of secure identity and signatures
Problem statement
• “Consumers, not companies, own the data collected by Internet of Things devices.” – Limor Fried
• Privacy: “Users must be empowered to execute effective controls over their personal information” – Cavoukian
Image: https://www.flickr.com/photos/opensourceway
PRIVACY BY DESIGN
• Proactive not Reactive; Preventative not Remedial
• Privacy as the Default Setting
• Privacy Embedded into Design
• Full Functionality – Positive-Sum, not Zero-Sum
• End-to-End Security – Full Lifecycle Protection
• Visibility and Transparency – Keep it Open
• Respect for User Privacy – Keep it User-Centric
Identity as a perimeter
• Security controls based on identity
  • Not location
  • Not IP address
  • Not VPN
Requirements for Identity and Privacy of Things
• Federated
  • Your choice of provider
• Scalable
  • Capable of coping with billions of devices
• User Managed
  • Users get to control what data is shared and with whom
• Secure
  • Not broken yet!
Why Federated Identity for IoT?
• Can enable a meaningful consent mechanism for sharing of device data
• Giving a device a token to use on API calls is better than giving it a password
  • Revokable
  • Granular
• May be relevant for both
  • Device to cloud
  • Cloud to app
Dynamic Client Registration
• Solves the problem of “Breaking one device breaks them all”
• A RESTful API (part of OpenID Connect)
• Allows a manufacturing process to get fresh credentials for each device
• https://openid.net/specs/openid-connect-registration-1_0.html
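Added example, not part of the original slides or of any WSO2 product: a manufacturing-line provisioning step that sends one OpenID Connect Dynamic Client Registration request per device, against a constructed in-memory stand-in for a provider's registration endpoint. Each device ends up with its own client_id and client_secret, so revoking one device's credentials leaves the rest untouched; the redirect URI and device names are placeholders.

```python
import json
import secrets
import time


class RegistrationEndpoint:
    """Constructed stand-in for a provider's registration_endpoint.

    In production the same JSON document is POSTed over TLS to the URL
    advertised in the provider's discovery metadata; here the endpoint
    is in-process so the flow can run offline.
    """

    def __init__(self):
        self.clients = {}  # client_id -> registered metadata + secret

    def register(self, request_json):
        req = json.loads(request_json)
        # redirect_uris is the one REQUIRED metadata field in the spec.
        if not req.get("redirect_uris"):
            return 400, json.dumps({"error": "invalid_redirect_uri"})
        client_id = secrets.token_urlsafe(16)      # unique per device
        client_secret = secrets.token_urlsafe(32)  # never shared between devices
        self.clients[client_id] = {**req, "client_secret": client_secret, "revoked": False}
        return 201, json.dumps({
            "client_id": client_id,
            "client_secret": client_secret,
            "client_id_issued_at": int(time.time()),
            "client_secret_expires_at": 0,  # 0 means the secret does not expire
        })

    def revoke(self, client_id):
        """Granular revocation: only this device's credential stops working."""
        self.clients[client_id]["revoked"] = True

    def is_valid(self, client_id, client_secret):
        c = self.clients.get(client_id)
        return (c is not None and not c["revoked"]
                and secrets.compare_digest(c["client_secret"], client_secret))


def build_registration_request(serial):
    """Client metadata a manufacturing line would send for one device."""
    return json.dumps({
        "redirect_uris": ["https://devices.example.invalid/cb"],  # placeholder
        "client_name": f"thermostat-{serial}",                    # placeholder
        "grant_types": ["client_credentials"],
        "token_endpoint_auth_method": "client_secret_basic",
    })


def provision_devices(endpoint, serials):
    """Register each device; return {serial: (client_id, client_secret)}."""
    creds = {}
    for serial in serials:
        status, body = endpoint.register(build_registration_request(serial))
        if status != 201:
            raise RuntimeError(f"registration failed for {serial}: {body}")
        resp = json.loads(body)
        creds[serial] = (resp["client_id"], resp["client_secret"])
    return creds
```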
The current situation
[Diagram: the majority of IoT networks today connect a Device to the server through a Private API]
Web systems, by contrast: Ecosystems, On-demand signup, rich set of clients
Uber, the taxi-ordering app, can use more sophisticated technology to track people than the police, according to Britain’s top officer.
On the Internet of Things, no-one knows you are a dog-collar.
Image: https://www.flickr.com/photos/themacinator/