iot security in action
play

IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm - PowerPoint PPT Presentation

Apr 18, 2023 •726 likes •1.14k views

IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm - jvermillard@sierrawireless.com EclipseCON EU 2016 Introduction Managing connected devices Why it is simple to exploit non-secured systems How simple to have the minimum

  1. IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm - jvermillard@sierrawireless.com EclipseCON EU 2016

  2. Introduction

  3. Managing connected devices Why it is simple to exploit non-secured systems How simple to have the minimum security

  4. Network security

  5. Deep dive: demo setup Internet IoT Device Internet Gateway (MangOH) (Linux PC) Local network Attacker

  6. Man-in-the-Middle? Internet IoT Device Internet Gateway (MangOH) (Linux PC) Local network Attacker PC Linux Ettercap

  7. Before attack Internet IoT Device Internet Gateway (RaspberryPI) (Linux PC) Traffic to Internet Local network Attacker PC Linux Ettercap

  8. ARP poisoning Internet Traffic to Internet IoT Device Internet Gateway (MangOH) (Linux PC) I’m the gateway! Local network Route everything to the gateway Attacker PC Linux Ettercap

  9. DNS spoofing Internet IoT Device (MangOH) DNS query iot.eclipse.org Internet Gateway (Linux PC) LWM2M connection Local network Fake DNS response Attacker PC Linux Ettercap

  10. With TLS/DTLS? Internet IoT Device (RaspberryPI) DNS query iot.eclipse.org Internet Gateway (Linux PC) DTLS handshake failure Local network Fake DNS response Attacker PC Linux Ettercap

  11. Security with gateways public network cable, 4G, etc.. Sensor network (ex: Zigbee) Gateway: collect data and push to cloud Low or no security Secure transport

  12. Security with gateways public network cable, 4G, etc.. Sensor network (ex: Zigbee) Attack gateway get access to all the network Local wireless sniffing

  13. End-to-end security public network cable, 4G, etc.. Sensor network (ex: Thread) Router See only encrypted communication Low power nodes: Not your Achilles’ heel security starts here

  14. Other benefits of IP to the edge device Simplicity: only IP networks Topology flexibility compared to gateway Scaling IP routing is something well known

  15. Can we trust wireless network? Wifi password? GPRS encryption? 3G/4G femtocell? Zigbee? Bluetooth? Not talking of plain text wireless network :)

  16. Example: GPRS https://discourse.criticalengineering.org/t/howto-gsm-base-station-with-the-bea glebone-black-debian-gnu-linux-and-a-usrp/56

  17. Example: 3G/4G femtocell http://www. ioactive .com/ pdf s/ IOActive _Remote_Car_Hacking. pdf

  18. Key Management

  19. Key management You will have a fleet of device They needs secrets (key, password, etc..) Unique across devices You need to be able to change those secrets You will probably don’t trust your factory

  20. Lightweight M2M Bootstrap Flash bootstrap credentials

  21. Lightweight M2M Bootstrap I only have bootstrap credentials or I can’t reach final server

  22. Lightweight M2M Bootstrap Give me key and my server(s) Bootstrap Server

  23. Lightweight M2M Bootstrap New keys and server(s) URLs and ACL Bootstrap Server

  24. Lightweight M2M Bootstrap Registration Home Automation Server Registration Device Manag. Server Bootstrap Server

  25. Secret key rotation using bootstrap? Renew or upgrade your secret: 1 - Device authenticate with the bootstrap server 2 - Bootstrap server rewrite the bootstrap secret Next bootstrap the device use the new bootstrap secrets

  26. Public Key Infrastructure? Root CA Intermediate CA End entity 1 End entity 2 End entity3

  27. How to verify a certificate Identity Expiration ~3 y Identity Public Key Find Expiration ~5 y Issuer Identity Issuer Signature Public Key Verify Find Issuer Identity Root CA Identity Issuer Signature Root Public Key Root Signature Verify Identity to verify Intermediate Root trust

  28. Enrollment with PKI Generate Private Public

  29. Enrollment with PKI Certification Authority Private Public Certificate Request

  30. Enrollment with PKI Certificate Generate Certification Authority Private Public Sign using CA private key a X.509 certificate CA Private

  31. Enrollment with PKI Sign using certificate for authentication Generate Service Private Public CA Public

  32. Still not IoT friendly A lot of enterprise protocols: IKE: Internet Key Exchange RFC2409 CMP: Certificate Management Protocol RFC4210 SCEP: Simple Certificate Enrollment Protocol draft-gutmann-scep-02 EST: Enrollment Over Secure Transport RFC7030 IEEE 802.1AR: Secure Device Identity 802.1AR But still nothing ready to use for constrained networks & devices

  33. Firmware download

  34. Firmware download Internet HTTP GET IoT Device Internet Gateway (RaspberryPI) (Linux PC) Local network Send firmware with backdoor Attacker PC Linux Ettercap

  35. CMS (Cryptograpic Message Syntax) See RFC5652 (replaces PKCS #7) Used to digitally sign, digest, authenticate, or encrypt arbitrary message content. Supported by OpenSSL (CLI: openssl cms )

  36. Secure boot Hardware (ROM) enforces booting only correctly signed code Often based on ECDSA signature Hardware based ⇒ no algorithm agility

  37. Open-source solutions are there Eclipse IoT : Leshan, Wakaama, TinyDTLS, Scandium, Paho, Mosquitto, Hono OpenSSL , Mbed TLS CFSSL GnuPG U-Boot

  38. Thanks! Twitter: @vrmvrm Mail: jvermillard@sierrawireless.com

  39. Credits Tom Medley - The Noun Project Guilhem - The Noun Project Giuditta Valentina Gentile - The Noun Project Sergey Krivoy - The Noun Project Jon Anderson - The Noun Project Ryan Beck - The Noun Project Edward Boatman - The Noun Project

Recommend

Security Security Action Action Plan Plan Pr Prof ofession essional al Ag Agree eemen

Security Security Action Action Plan Plan Pr Prof ofession essional al Ag Agree eemen

Compr Comprehensiv ehensive e Air Airpor port t Security Security Action Action Plan Plan Pr Prof ofession essional al Ag Agree eemen ment A t AVN VN RFP 1 RFP 18-025 025 Pr Pre-Resp sponse se Mee Meeting ting May May

252 views • 23 slides
W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling

W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling

W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling Environm ent Presented at the Expert Group Meeting on Regional Cooperation Tow ards Building an I nform ation Society in Asia and the Pacific

498 views • 25 slides
Launch of National Social Security Strategy (NSSS) Action Plan and Inauguration of Social

Launch of National Social Security Strategy (NSSS) Action Plan and Inauguration of Social

Launch of National Social Security Strategy (NSSS) Action Plan and Inauguration of Social Security Programme Review Conference Organized by Social Security Policy Support (SSPS) Programme Cabinet Division and General Economics Division Basic

162 views • 13 slides
USF National Security February 2019 General Business Overview The Case for Immediate Action

USF National Security February 2019 General Business Overview The Case for Immediate Action

USF National Security February 2019 General Business Overview The Case for Immediate Action A Narrowly-Tailored Approach TIAs Proposal Mitigating the Costs Legal Authority The FCCs Role in Context Procedural

464 views • 10 slides
Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design

Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design

Department of Computer Science, University of Oxford Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design of Smart Home Cameras George Chalhoub, Ivan Flechais, Norbert Nthala, Ruba Abu-Salma Sixteenth

1.1k views • 12 slides
3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use of ICTs 22nd May 2008 GENEVA VOICE OVER IP (VoIP) Presented by Graham Butler President & C.E.O Bitek International Inc www.bitek.com

191 views • 17 slides
Action Plan of Social Security Dr. Md. Shamsul Arefin Senior Secretary, Coordination and Reforms

Action Plan of Social Security Dr. Md. Shamsul Arefin Senior Secretary, Coordination and Reforms

Role of Ministries/Divisions in implementing Action Plan of Social Security Dr. Md. Shamsul Arefin Senior Secretary, Coordination and Reforms Cabinet Division Government of the Peoples Republic of Bangladesh Alignment with Multiple

913 views • 42 slides
National Implementation Action Plans National Implementation Action Plans WORKSHOP ON THE

National Implementation Action Plans National Implementation Action Plans WORKSHOP ON THE

National Implementation Action Plans National Implementation Action Plans WORKSHOP ON THE IMPLEMENTATION OF UNITED NATIONS SECURITY COUNCIL WORKSHOP ON THE IMPLEMENTATION OF UNITED NATIONS SECURITY COUNCI L RESOLUTION 1540 (2004) RESOLUTION

229 views • 11 slides
The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

532 views • 17 slides
A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

534 views • 17 slides
3i Capital Markets Seminar Action 8 June 2016 Agenda 3is investment in Action 1 2 Action

3i Capital Markets Seminar Action 8 June 2016 Agenda 3is investment in Action 1 2 Action

3i Capital Markets Seminar Action 8 June 2016 Agenda 3is investment in Action 1 2 Action presentation Sander van der Laan, CEO Action Frederik Lotz, CFO Action 2 3i acquired Action in September 2011 Acquired from founders

445 views • 42 slides
RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC Chair CHES 2018 Rump Session, Amsterdam, September 10 th 2018 A security standing committee for the RISC-V Foundation RISC-V Foundation; a

211 views • 4 slides
A Semantic Model For Action-Based Adaptive Security Sara Sartoli, Akbar S. Namin Texas Tech

A Semantic Model For Action-Based Adaptive Security Sara Sartoli, Akbar S. Namin Texas Tech

A Semantic Model For Action-Based Adaptive Security Sara Sartoli, Akbar S. Namin Texas Tech University April 2017 Contents Motivation Introduction Contributions Why Answer Set Programming ? Running Example

449 views • 30 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Detect Known Violations of Policy Goal: does a specific action and/or state that is known to

Detect Known Violations of Policy Goal: does a specific action and/or state that is known to

Detect Known Violations of Policy Goal: does a specific action and/or state that is known to violate security policy occur? Assume that action automatically violates policy Policy may be implicit, not explicit Used to look for

546 views • 27 slides
Global Health Security Agenda GHSA in a Broader Context: Linkages to the Global Partnership,

Global Health Security Agenda GHSA in a Broader Context: Linkages to the Global Partnership,

Global Health Security Agenda GHSA in a Broader Context: Linkages to the Global Partnership, BWC, and UNSCR 1540 Overview of Action Package Prevent 3 Action Package Prevent 3 (APP3) aims to promote national biosafety and biosecurity by

518 views • 10 slides
Action Timeline NCRO INSURANCE COMMITTEE PAUL GRITT September 19 th 2019 9/19/19 1 Social

Action Timeline NCRO INSURANCE COMMITTEE PAUL GRITT September 19 th 2019 9/19/19 1 Social

Social Security and Medicare Action Timeline NCRO INSURANCE COMMITTEE PAUL GRITT September 19 th 2019 9/19/19 1 Social Security Milestones & Actions Milestones No increase In benefits After 70 At 62 Earliest you Can start SS Payments

486 views • 26 slides
Psychology 101 Coupling between action and perception Action for perception Action

Psychology 101 Coupling between action and perception Action for perception Action

Master Informatique - Universit Paris-Sud Action-perception coupling Classical psychology (cognitivist approach) Perception <=> Cognition <=> Action Psychology 101 Coupling between action and perception Action for

221 views • 4 slides
Psychology 101 Coupling between action and perception Action for perception Action

Psychology 101 Coupling between action and perception Action for perception Action

Master Informatique - Universit Paris-Sud Action-perception coupling Classical psychology (cognitivist approach) Perception <=> Cognition <=> Action Psychology 101 Coupling between action and perception Action for

91 views • 7 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
Security in the .CO ccTLD Gonzalo Romero CSO - .CO Internet ICANN Meeting # 48 Buenos Aires,

Security in the .CO ccTLD Gonzalo Romero CSO - .CO Internet ICANN Meeting # 48 Buenos Aires,

Security in the .CO ccTLD Gonzalo Romero CSO - .CO Internet ICANN Meeting # 48 Buenos Aires, ARGENTINA, November 17-21, 2.013 Agenda Motivation Security Policies Knowledge Transfer and Cooperation Action Malicious Activities

627 views • 8 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides

More recommend