Securing IoT Connected Device Applications Ian Massingham Technology Evangelist, AWS IanMmmm
IoT isn’t a new use-case for AWS
(Slide: AWS services already used for IoT workloads: Amazon Kinesis (streaming analytics), AWS Lambda (run code in response to events), Amazon API Gateway (build, deploy and manage APIs), Amazon DynamoDB (predictable, scalable NoSQL data store), Amazon SNS (mobile push and notifications), Amazon Cognito (user identity and data synchronization), Amazon Redshift (petabyte-scale data warehouse), and more.)
AWS IoT: simplify and accelerate IoT development
(Slide: the same services, with AWS IoT added in front of them to connect devices to the cloud.)
AWS IoT “Securely connect one or one billion devices to AWS, so they can interact with applications and other devices”
(Slide sequence: a device that was only reachable on a private address, http://192.168.1.200:8080, is exposed on a public address, http://a.public.address:8080; the same pattern repeats across many devices.)
DADDY, WHERE DO BOTNETS COME FROM?
It doesn’t have to be this way
(Slide: the device is reachable only at http://192.168.1.200:8080; no public address.)
IoT Security: One Slide Primer
- Variably-constrained devices
- Variably-constrained environments and networks
- Remote locations, variable physical security
- Diverse IoT market segments and threat models
- Variable criticality of the IoT applications
Start with a threat model
Safety
Bad things can happen in the real world
How can we defend against these threats?
Secure communications with things; strong thing identity; fine-grained authorisation for:
- Thing management (control plane)
- Pub/sub data access (data plane)
- Access to services (to add features)
Secure Communications with Things
Mutual TLS Authentication
(Diagram: plain TLS/SSL, where only the server presents a certificate, next to mutual TLS authentication, where the thing also presents an X.509 certificate and proves possession of its private key during the handshake.)
Public Key Cryptography Options
Comparable security levels (NIST SP 800-57 equivalences):

Symmetric key (bits)   RSA key (bits)   Elliptic-curve key (bits)
80                     1024             160
112                    2048             224
128                    3072             256
192                    7680             384
256                    15360            512

For the same level of security, ECC keys are much smaller than RSA keys, which matters on constrained devices (less storage, less bandwidth in the handshake, faster signing).
https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/
Communicating with non-things (Humans)
How we implement this

                  MQTT + mutual-auth TLS     AWS authn + HTTPS
Server authn      TLS + certificate          TLS + certificate
Client authn      TLS + certificate          AWS API keys (SigV4-signed requests)
Confidentiality   TLS                        TLS
Protocol          MQTT                       HTTP
Strong Thing Identity
Strong Thing Identity X.509 Certificates https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Fine Grained Authorisation
(Diagram: AWS IoT exposes a control plane for thing management, a data plane for pub/sub, and access to other AWS services.)
Applying Permissions to Thing Management

A broad policy for an operator who manages certificates (control plane):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ManageCerts",
          "Action": [
            "iot:CreateKeysAndCertificate",
            "iot:CreateCertificateFromCsr",
            "iot:DescribeCertificate",
            "iot:UpdateCertificate",
            "iot:DeleteCertificate",
            "iot:ListCertificates"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

A narrow policy that only allows changing the status of one certificate (for example to INACTIVE or REVOKED), and only from one source address:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RevokeOneThing",
          "Action": [ "iot:UpdateCertificate" ],
          "Effect": "Allow",
          "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
          "Condition": {
            "IpAddress": { "aws:SourceIp": "192.168.42.54" }
          }
        }
      ]
    }
Allowing/Denying Access to MQTT Topics

A device policy (data plane) that lets MyThing update its own device shadow and receive the shadow responses, and nothing else:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "iot:Connect" ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [ "iot:Publish" ],
          "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
        },
        {
          "Effect": "Allow",
          "Action": [ "iot:Subscribe", "iot:Receive" ],
          "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ]
        }
      ]
    }

Note that the Connect statement uses Resource "*", which lets the certificate connect with any MQTT client ID; tightening it to the client ARN (arn:aws:iot:us-east-1:123456972007:client/MyThing) binds the certificate to one client identity as well as to one set of topics.
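To see what the two policy shapes above actually permit, the following is an added example (not AWS code or the speaker's code) that evaluates a request against a policy in the way AWS IoT does for the subset used on these slides: explicit Deny wins, any matching Allow grants, anything else is implicitly denied, resource ARNs use IAM-style "*" wildcards, and the IpAddress/aws:SourceIp condition is checked against the caller's address. The account ID and thing name are taken from the slides; the certificate ID (EXAMPLE-CERT-ID), the second thing (OtherThing) and the tightened Connect statement are assumptions made for the example.

```python
"""Evaluate AWS IoT-style policies offline. Added example, not AWS code."""
import ipaddress
import re

ACCOUNT = "123456972007"          # account ID as on the slide
REGION = "us-east-1"


def arn(kind, path):
    """Build an AWS IoT resource ARN: kind is topic, topicfilter, client or cert."""
    return "arn:aws:iot:%s:%s:%s/%s" % (REGION, ACCOUNT, kind, path)


def _arn_matches(pattern, value):
    # IAM resource matching: '*' matches any run of characters (including '/'),
    # '?' matches one character, everything else is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_ok(condition, context):
    # Only the operator used on the slide: IpAddress / aws:SourceIp, given as a
    # single address or a CIDR block. A request without a source IP fails closed.
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise ValueError("unsupported condition operator: " + operator)
        for key, allowed in pairs.items():
            if key != "aws:SourceIp":
                raise ValueError("unsupported condition key: " + key)
            src = context.get("aws:SourceIp")
            if src is None:
                return False
            allowed = [allowed] if isinstance(allowed, str) else allowed
            if not any(ipaddress.ip_address(src) in ipaddress.ip_network(a, strict=False)
                       for a in allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny beats everything; otherwise any matching Allow grants; default deny."""
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_arn_matches(a, action) for a in actions):
            continue
        if not any(_arn_matches(r, resource) for r in resources):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


# The device policy from the slide: shadow access for MyThing only.
THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [arn("topic", "$aws/things/MyThing/shadow/update")]},
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
         "Resource": [arn("topicfilter", "$aws/things/MyThing/shadow/*")]},
    ],
}

# Same policy with Connect bound to one client ID (assumed tightening, not on the slide).
TIGHT_THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iot:Connect"],
                   "Resource": arn("client", "MyThing")}] + THING_POLICY["Statement"][1:],
}

# The RevokeOneThing policy from the slide; the certificate ID is a placeholder.
CERT_ARN = arn("cert", "EXAMPLE-CERT-ID")
REVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RevokeOneThing",
        "Action": ["iot:UpdateCertificate"],
        "Effect": "Allow",
        "Resource": CERT_ARN,
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.42.54"}},
    }],
}

if __name__ == "__main__":
    print("MyThing -> own shadow:", is_allowed(THING_POLICY, "iot:Publish", arn("topic", "$aws/things/MyThing/shadow/update")))
    print("MyThing -> OtherThing shadow:", is_allowed(THING_POLICY, "iot:Publish", arn("topic", "$aws/things/OtherThing/shadow/update")))
    print("Revoke from 10.0.0.7:", is_allowed(REVOKE_POLICY, "iot:UpdateCertificate", CERT_ARN, {"aws:SourceIp": "10.0.0.7"}))
```

Running it shows the point of the slide: the certificate can only touch its own shadow topics, the operator policy can only flip one certificate and only from the listed address, and the slide's Connect on "*" still lets the device present any client ID, which the tightened variant prevents.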
Hardware Security (Private Key & Platform Protection)
IoT Gateways
Atmel Zero Touch Secure Provisioning Kit
If you spend a lot of time on securing your IoT applications, you’re not spending time solving problems for your customers.
So don’t build a platform, unless you’re building a platform. In which case, fine, build a platform.
Building ‘Hello World’ (for IoT Developers)
Turns out, developers are creative
Sassy Ping Pong Score Keeper Source: https://www.hackster.io/youngd/ping-pong-showdown-eabaed
Slack-powered Doorbell Source: https://www.theatlantic.com/notes/2016/07/make-every-week-2-a-silent-slack-powered-doorbell/490880/
Emergency Sweet Green Ordering Source: http://www.andrewmcgill.me/2016/08/19/make-every-week-sweetgreen-salad-button.html
Push a button to get directions to the right meal within your budget. (Integrates time of day, weather, Google Directions, Yelp, and Stripe.) Source: https://medium.com/@_adeel/nerding-out-with-the-amazon-iot-button-84a6e14b6b28#.ekd5hsnez
How does it work? AWS IoT rule actions can:
- Invoke a Lambda function
- Put an object in an S3 bucket
- Insert, update or read from a DynamoDB table
- Publish to an SNS topic or endpoint
- Publish to a Kinesis stream
- Send to Kinesis Firehose > Redshift
- Republish to AWS IoT
But wait, I live in Europe and I want to do this. Right now!
HARDWARE YOU WILL (& MIGHT) NEED
- A Raspberry Pi
- Electronics kit: try the SunFounder 37-module Sensor Kit v2.0 for Raspberry Pi 3, 2 and Model B+, with 40-pin GPIO extension board and jump wires: http://www.amazon.co.uk/dp/B014PF05ZA (comes with example tutorials)
- Raspberry Pi Sense HAT (optional fun): https://www.raspberrypi.org/products/sense-hat/

SETTING UP FOR GPIO/SENSE HAT
- Your own electronics/sensor build in C (embedded C): http://wiringpi.com
- Python wrapper module for WiringPi: https://github.com/WiringPi/WiringPi-Python
- Sense HAT Python module: https://github.com/RPi-Distro/python-sense-hat

SETTING UP FOR AWS IOT
- Use the AWS Console to create your device
- Download the required crypto materials and save the C header file contents with your endpoint, certificate and key details
- Download and set up your chosen AWS IoT SDK: https://aws.amazon.com/iot/sdk/
- Building the C SDK on the Raspberry Pi requires the CppUTest library: https://github.com/cpputest/cpputest/releases/tag/v3.6
- Get started with the sample applications that come with the AWS SDKs

EXAMPLES & DEMOS
- Emulating the AWS IoT Button (C++): https://github.com/ianmas-aws/iot-button-emulator
- Controlling the Sense HAT via the AWS IoT Device Shadow (Python): https://github.com/ianmas-aws/PiPyIoT
Go Build, Have Fun Ian Massingham Technology Evangelist, AWS IanMmmm
Alert Someone : AWS IoT to AWS Lambda to SNS AWS IoT Rules Engine Lambda Function SNS Topic Private Key Execution Rule Policy Action Permission Event Policy SDK & Certificate Role Source Button AWS IoT SMS or Email Rule: “Select * from ‘iotbutton/+’ Function SNS Topic Subscription AWS Services
Count items or Track Usage: AWS IoT to DynamoDB to Dashboard Rules Engine Lambda Function Dashboard DynamoDB Private Key Rule Policy Action Permission Event Execution Policy SDK & Certificate Source Role Button AWS IoT S3 Website Rule: “Select * from ‘iotbutton/+’ Function API Gateway DynamoDB AWS Services
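The two pipelines above share one rule and differ only in the action the Lambda function performs. The following is an added example (not the speaker's or AWS's code) that models them offline: it matches incoming topics against the rule's MQTT topic filter (where "+" is one level and "#" the trailing rest), validates the button payload before acting on it, and then runs both actions, producing the alert text that would go to SNS and the per-button click counts that would be stored in DynamoDB for the dashboard. The sample payload is constructed; its field names follow the documented AWS IoT Button event (serialNumber, clickType, batteryVoltage), and the validation rules for the serial number are an assumption made for the example.

```python
"""Offline model of the IoT Button rule and its two actions. Added example, not AWS code."""
import json
import re

CLICK_TYPES = {"SINGLE", "DOUBLE", "LONG"}


def topic_matches(topic_filter, topic):
    """MQTT topic-filter match: '+' matches exactly one level, '#' the trailing rest."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1          # '#' is only valid as the last level
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def rule_topic_filter(sql):
    """Extract the topic filter from a "SELECT * FROM '<filter>'" rule, the only shape used here."""
    m = re.fullmatch(r"\s*SELECT\s+\*\s+FROM\s+'([^']+)'\s*", sql, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported rule SQL: " + sql)
    return m.group(1)


def parse_button_event(raw):
    """Validate the payload before acting on it. Any client whose IoT policy allows
    publishing under iotbutton/ can send arbitrary JSON, so the function must not
    trust the serial number or click type it receives."""
    event = json.loads(raw)
    serial = event.get("serialNumber")
    click = event.get("clickType")
    if not isinstance(serial, str) or not re.fullmatch(r"[A-Z0-9]{8,32}", serial):
        raise ValueError("bad serialNumber")       # assumed format for the example
    if click not in CLICK_TYPES:
        raise ValueError("bad clickType")
    return {"serialNumber": serial, "clickType": click,
            "batteryVoltage": str(event.get("batteryVoltage", "unknown"))}


def alert_action(event, state):
    """Pipeline 1: the message the function would publish to the SNS topic."""
    msg = "Button %s: %s click (battery %s)" % (
        event["serialNumber"], event["clickType"], event["batteryVoltage"])
    state.setdefault("alerts", []).append(msg)
    return msg


def count_action(event, state):
    """Pipeline 2: increment the per-button counter the dashboard reads (DynamoDB stand-in)."""
    table = state.setdefault("clicks", {})
    row = table.setdefault(event["serialNumber"], {c: 0 for c in CLICK_TYPES})
    row[event["clickType"]] += 1
    return row[event["clickType"]]


def dispatch(rules, topic, raw, state):
    """Run the actions of every rule whose filter matches the topic; returns each action's result."""
    matching = [actions for sql, actions in rules if topic_matches(rule_topic_filter(sql), topic)]
    if not matching:
        return []                                  # no rule fired, payload never parsed
    event = parse_button_event(raw)
    return [action(event, state) for actions in matching for action in actions]


# The slide's rule, wired to both actions.
RULES = [("SELECT * FROM 'iotbutton/+'", [alert_action, count_action])]

# Constructed sample payload in the shape of an AWS IoT Button event.
SAMPLE_EVENT = json.dumps({"serialNumber": "G030XXXXXXXXXXXX",
                           "batteryVoltage": "2250mV", "clickType": "SINGLE"})

if __name__ == "__main__":
    state = {}
    print(dispatch(RULES, "iotbutton/G030XXXXXXXXXXXX", SAMPLE_EVENT, state))
    print(dispatch(RULES, "iotbutton/G030XXXXXXXXXXXX", SAMPLE_EVENT, state))
    print(state["clicks"])
```

The validation step is the part the diagrams leave implicit: the rule's topic filter decides which messages reach the function, but only the device policy decides who may publish there, and the function should still treat the payload as untrusted input.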