
IoT Security in Action! Julien Vermillard, Sierra Wireless @vrmvrm



  1. IoT Security in Action! Julien Vermillard, Sierra Wireless. @vrmvrm - jvermillard@sierrawireless.com. EclipseCON EU 2016

  2. Introduction

  3. Managing connected devices. Why it is simple to exploit non-secured systems. How simple it is to have the minimum security.

  4. Network security

  5. Deep dive: demo setup. [Diagram: IoT device (MangOH), Internet gateway (Linux PC) and attacker on the local network; the gateway connects to the Internet.]

  6. Man-in-the-Middle? [Diagram: IoT device (MangOH), Internet gateway (Linux PC) and attacker (Linux PC running Ettercap) on the local network.]

  7. Before attack. [Diagram: IoT device (RaspberryPI), Internet gateway (Linux PC) and attacker (Linux PC running Ettercap) on the local network. Label: traffic to Internet.]

  8. ARP poisoning. [Diagram: IoT device (MangOH), Internet gateway (Linux PC) and attacker (Linux PC running Ettercap) on the local network. Labels: "I’m the gateway!"; traffic to Internet; route everything to the gateway.]

  9. DNS spoofing. [Diagram: IoT device (MangOH), Internet gateway (Linux PC) and attacker (Linux PC running Ettercap) on the local network. Labels: DNS query for iot.eclipse.org; fake DNS response; LWM2M connection.]

  10. With TLS/DTLS? [Diagram: IoT device (RaspberryPI), Internet gateway (Linux PC) and attacker (Linux PC running Ettercap) on the local network. Labels: DNS query for iot.eclipse.org; fake DNS response; DTLS handshake failure.]

  11. Security with gateways. [Diagram: sensor network (ex: Zigbee), low or no security; gateway: collects data and pushes to cloud; public network (cable, 4G, etc.), secure transport.]

  12. Security with gateways. [Diagram: sensor network (ex: Zigbee), gateway, public network (cable, 4G, etc.).] Attack the gateway: get access to all the network. Local wireless sniffing.

  13. End-to-end security. [Diagram: sensor network (ex: Thread), router, public network (cable, 4G, etc.).] The router sees only encrypted communication. Low power nodes: not your Achilles’ heel, security starts here.

  14. Other benefits of IP to the edge device. Simplicity: only IP networks. Topology flexibility compared to gateway. Scaling: IP routing is something well known.

  15. Can we trust wireless networks? Wifi password? GPRS encryption? 3G/4G femtocell? Zigbee? Bluetooth? Not to mention plain-text wireless networks :)

  16. Example: GPRS. https://discourse.criticalengineering.org/t/howto-gsm-base-station-with-the-beaglebone-black-debian-gnu-linux-and-a-usrp/56

  17. Example: 3G/4G femtocell. http://www.ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf

  18. Key Management

  19. Key management. You will have a fleet of devices. They need secrets (key, password, etc.), unique across devices. You need to be able to change those secrets. You probably won’t trust your factory.

  20. Lightweight M2M Bootstrap. Flash bootstrap credentials.

  21. Lightweight M2M Bootstrap. Device: "I only have bootstrap credentials" or "I can’t reach final server".

  22. Lightweight M2M Bootstrap. Device to Bootstrap Server: "Give me key and my server(s)".

  23. Lightweight M2M Bootstrap. Bootstrap Server to device: new keys, server(s) URLs and ACL.

  24. Lightweight M2M Bootstrap. [Diagram: Bootstrap Server; the device registers with the Home Automation Server and with the Device Management Server.]

  25. Secret key rotation using bootstrap? Renew or upgrade your secret: 1 - The device authenticates with the bootstrap server. 2 - The bootstrap server rewrites the bootstrap secret. At the next bootstrap, the device uses the new bootstrap secrets.

  26. Public Key Infrastructure? [Diagram: certificate hierarchy with Root CA, Intermediate CA and End entities 1, 2 and 3.]

  27. How to verify a certificate. [Diagram: chain of three certificates: the identity to verify, the intermediate, and the root of trust. Certificate fields shown: identity, expiration (~3 y, ~5 y), public key, issuer identity, issuer signature; for the Root CA: identity, root public key, root signature. Steps shown at each level: find the issuer from the issuer identity, then verify the issuer signature with the issuer's public key.]

  28. Enrollment with PKI. Generate a private/public key pair.

  29. Enrollment with PKI. [Diagram: private and public key; certificate request sent to the Certification Authority.]

  30. Enrollment with PKI. The Certification Authority signs an X.509 certificate using the CA private key. [Diagram: generate; private and public key; certificate; CA private key.]

  31. Enrollment with PKI. Sign using the certificate for authentication. [Diagram: generate; service; private and public key; CA public key.]

  32. Still not IoT friendly. A lot of enterprise protocols: IKE: Internet Key Exchange (RFC 2409); CMP: Certificate Management Protocol (RFC 4210); SCEP: Simple Certificate Enrollment Protocol (draft-gutmann-scep-02); EST: Enrollment over Secure Transport (RFC 7030); IEEE 802.1AR: Secure Device Identity (802.1AR). But still nothing ready to use for constrained networks & devices.

  33. Firmware download

  34. Firmware download. [Diagram: IoT device (RaspberryPI), Internet gateway (Linux PC) and attacker (Linux PC running Ettercap) on the local network. Labels: HTTP GET; send firmware with backdoor.]

  35. CMS (Cryptographic Message Syntax). See RFC 5652 (replaces PKCS #7). Used to digitally sign, digest, authenticate, or encrypt arbitrary message content. Supported by OpenSSL (CLI: openssl cms).

  36. Secure boot. Hardware (ROM) enforces booting only correctly signed code. Often based on ECDSA signature. Hardware based ⇒ no algorithm agility.

  37. Open-source solutions are there. Eclipse IoT: Leshan, Wakaama, TinyDTLS, Scandium, Paho, Mosquitto, Hono. OpenSSL, Mbed TLS. CFSSL. GnuPG. U-Boot.

  38. Thanks! Twitter: @vrmvrm Mail: jvermillard@sierrawireless.com

  39. Credits (The Noun Project): Tom Medley, Guilhem, Giuditta Valentina Gentile, Sergey Krivoy, Jon Anderson, Ryan Beck, Edward Boatman.
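
The enrollment flow on slides 28-31 and the `openssl cms` signing mentioned on slide 35, as an added example that is not part of the presentation: a signer is enrolled with a demo CA, a firmware image gets a detached CMS signature, and the device-side check is run on a genuine image, a modified image and an image signed with a key that was never enrolled. File names, subject names, RSA-2048 keys and the firmware bytes are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: PKI enrollment (slides 28-31) + CMS firmware signature (slide 35).
# Names, subjects and firmware bytes are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Enrollment: the signer creates its key pair locally, sends only a
# certificate request, and the CA signs an X.509 certificate for it.
enroll() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Firmware Signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/signer.csr" -days 30 -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/signer.crt" 2>/dev/null
}

# Build side: detached CMS signature. Args: image, key, certificate, output file.
sign_firmware() {
    openssl cms -sign -binary -in "$1" -inkey "$2" -signer "$3" \
        -outform DER -out "$4" 2>/dev/null
}

# Device side: exit status 0 only if the signature matches the image ($1)
# AND the signer certificate inside the signature ($2) chains to the CA.
verify_firmware() {
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null
}

check() { if verify_firmware "$1" "$2"; then echo accepted; else echo rejected; fi; }

enroll
printf 'DEMO-FIRMWARE v1.0 (constructed sample bytes)\n' > "$WORK/fw.bin"
sign_firmware "$WORK/fw.bin" "$WORK/signer.key" "$WORK/signer.crt" "$WORK/fw.sig"

# Same signature, but the image was modified in transit.
cp "$WORK/fw.bin" "$WORK/fw_mod.bin"; printf 'extra bytes' >> "$WORK/fw_mod.bin"

# Untouched image, signed with a self-signed key that was never enrolled.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Firmware Signer" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
sign_firmware "$WORK/fw.bin" "$WORK/other.key" "$WORK/other.crt" "$WORK/other.sig"

echo "genuine image:  $(check "$WORK/fw.bin" "$WORK/fw.sig")"
echo "modified image: $(check "$WORK/fw_mod.bin" "$WORK/fw.sig")"
echo "unenrolled key: $(check "$WORK/fw.bin" "$WORK/other.sig")"
```

The third case carries the same subject name as the enrolled signer and is still rejected, because the check relies on the chain to the CA and not on the name in the certificate.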
