your thing is pwnd
play

Your Thing is pwnd Security Challenges for the Internet of Things - PowerPoint PPT Presentation

Aug 25, 2022 •424 likes •1.01k views

Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD researcher Portsmouth University (paul.fremantle@port.ac.uk) Co-Founder, WSO2 Firstly, does it even matter? My three rules for IoT security 1.

  1. Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD researcher Portsmouth University (paul.fremantle@port.ac.uk) Co-Founder, WSO2

  2. Firstly, does it even matter?

  5. My three rules for IoT security • 1. Don’t be stupid • 2. Be smart • 3. Think about what’s different

  6. My three rules for IoT security • 1. Don’t be stupid – The basics of Internet security haven’t gone away • 2. Be smart – Use the best practice from the Internet • 3. Think about what’s different – What are the unique challenges of your device?

  8. “Google Hacking”

  9. http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

  10. 1998 • Realized that session cookies needed to be tied to user sessions – Scenario: Attacker has a valid login, but changes their cookie – Gets access to another user’s account

  11. February 2015 Mosquitto 1.4 Release Notes • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.

  13. So what is different about IoT? • The longevity of the device – Updates are harder (or impossible) • The size of the device – Capabilities are limited – especially around crypto • The fact there is a device – Usually no UI for entering userids and passwords • The data – Often highly personal • The mindset – Appliance manufacturers don’t think like security experts – Embedded systems are often developed by grabbing existing chips, designs, etc

  14. Physical Hacks A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity

  15. UltraReset https://intrepidusgroup.com/insight/2012/09/ultrareset-bypassing-nfc-access-control-with-your-smartphone/

  18. Or try this at home? http://freo.me/1g15BiG

  19. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

  20. Hardware recommendations • Don’t rely on obscurity

  21. Hardware recommendations • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity

  22. Hardware Recommendation #2 • Unlocking a single device should risk only that device’s data

  23. The Network

  24. Crypto on small devices • Practical Considerations and Implementation Experiences in Securing Smart Object Networks – http://tools.ietf.org/html/draft-aks-crypto-sensors-02

  25. ROM requirements

  26. ECC is possible (and about fast enough)

  27. Crypto Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

  28. Won’t ARM just solve this problem?

  29. Cost matters 8 bits 32 bits $5 retail $25 retail $1 or less to embed $?? to embed

  30. Another option?

  31. SIMON and SPECK https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html

  32. Datagram Transport Layer Security (DTLS) • UDP based equivalent to TLS • https://tools.ietf.org/html/rfc4347

  33. Key distribution

  34. How do you distribute keys to devices? • Usually at manufacture time • Complex to update • What about expiration?

  36. Passwords • Passwords suck for humans • They suck even more for devices

  39. MQTT

  41. Why Federated Identity for IoT? • Can enable a meaningful consent mechanism for sharing of device data • Giving a device a token to use on API calls better than giving it a password – Revokable – Granular • May be relevant for both – Device to cloud – Cloud to app

  42. Why really? Your IoT data privacy should not rely on the maker of a specific device

  43. Relying on the maker of your device?

  47. Device to Cloud • Put an OAuth2 token on the device • Set the “scope” to be limited – This device can publish to this topic • Support refresh model

  49. Cloud to App • The same technology can be used to enable some app to subscribe to a specific topic • Much easier than with Arduino!

  50. Lessons learnt • OAuth2 Token lengths are usually ok (no promise though) – OpenId Connect much larger • Registration is hard • MQTT and MPU / I2C code is 97% of Duemilanove – Adding the final logic to do OAuth2 flow pushed it to 99% – No TLS in this demo is a big issue • Different OAuth2 implementations behave differently – Need to disable updating the refresh token with every refresh • Need to be able to update the scope of token if this will work for long term embedded devices • MQTT needs some better designed patterns for RPC – Standardised

  51. More information http://pzf.fremantle.org/2013/11/using- http://siot-workshop.org/ oauth-20-with-mqtt.html

  52. OpenId Connect

  54. Are you creating the next privacy breach?

  56. Summary • Think about security with your next device • We as a community need to make sure that the next generation of IoT devices are secure • We need to create exemplars – Shields – Libraries – Server software – Standards

  57. http://upload.wikimedia.org/wikipedia/commons/c/c8/Thank_you_001.jpg

Recommend

Thing Twelve. Government can pick winners. Thing Thirteen. Making rich people richer doesnt make

Thing Twelve. Government can pick winners. Thing Thirteen. Making rich people richer doesnt make

Thing One. There is really no such thing as a free market. Thing Two. Companies should not be run in the interest of their owners. Thing Three. Most people in rich countries get paid more than they should. Thing Four. The washing machine has

503 views • 23 slides
Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X Why ? Add value ?

939 views • 66 slides
and does not do it, to him it is sin. James 4:17 Do the Next Right Thing Do the Next Right Thing

and does not do it, to him it is sin. James 4:17 Do the Next Right Thing Do the Next Right Thing

Therefore, to him who knows to do good and does not do it, to him it is sin. James 4:17 Do the Next Right Thing Do the Next Right Thing Often we become paralyzed with indecision, apathy, frustration and fear because we tend to take a long

1.77k views • 134 slides
COMPANY PRESENTATION MAY 2019 Next to doing the right thing, the most important thing is to let

COMPANY PRESENTATION MAY 2019 Next to doing the right thing, the most important thing is to let

ARWIN & PARTNERS Strategic Investor Relations and Financial Communication COMPANY PRESENTATION MAY 2019 Next to doing the right thing, the most important thing is to let people know you are doing the right thing J.D. Rockefeller

540 views • 16 slides
Group Sustainability Manager doing the RIGHT thing Agenda doing the RIGHT thing Government

Group Sustainability Manager doing the RIGHT thing Agenda doing the RIGHT thing Government

Group Sustainability Manager doing the RIGHT thing Agenda doing the RIGHT thing Government Planning doing the RIGHT thing Measuring Tool for Environmental performance of New Build homes Sits above current building regulations Applied at

1.01k views • 38 slides
Class Two c++ is a typed language what a thing is matters. A thing is a variable in

Class Two c++ is a typed language what a thing is matters. A thing is a variable in

The Code Liberation Foundation Lecture 2 : Loops, Strings, Arrays + std Class Two c++ is a typed language what a thing is matters. A thing is a variable in programing terms. there are several basic types of variables: strings (a

743 views • 24 slides
What is This Thing Called Swing? And other kinds of jazz for that matter? What is This Thing

What is This Thing Called Swing? And other kinds of jazz for that matter? What is This Thing

What is This Thing Called Swing? And other kinds of jazz for that matter? What is This Thing Called Swing - Lunceford Key vocabulary Met eter, er, or t r time me signa gnatu ture: re: This refers to the number of beats in one concise

456 views • 31 slides
Love Is A Many Splendored Thing It Is A Many Splendored Thing There Is Nothing Broken

Love Is A Many Splendored Thing It Is A Many Splendored Thing There Is Nothing Broken

Love Is A Many Splendored Thing It Is A Many Splendored Thing There Is Nothing Broken Here But What Love Cant Fix Pride Critical Spirit Idolatry Outreach Purpose Tradition

337 views • 18 slides
Virtual-Thing: Thing Description based Virtualization Second W3C Workshop on the Web of Things

Virtual-Thing: Thing Description based Virtualization Second W3C Workshop on the Web of Things

Virtual-Thing: Thing Description based Virtualization Second W3C Workshop on the Web of Things 3-5 June 2019, Munich, Germany Hassib Belhaj Ege Korkan Sebastian Steinhorst Technical University of Munich Introduction Any W3C WoT device

462 views • 9 slides
Questions: One thing that would make this morning a success? and/or One thing that must change in

Questions: One thing that would make this morning a success? and/or One thing that must change in

Consolidated Notes Dr. William Bell s Presentation Bosco Homes, May 30, 2012 Every child need s a community of hope quote by Dr. William Bell Questions: One thing that would make this morning a success? and/or One thing that must change

90 views • 5 slides
JSON-LD Joint Session Lyon, France, October 2018 DEFINING @ID OF THING Defining @id of Thing

JSON-LD Joint Session Lyon, France, October 2018 DEFINING @ID OF THING Defining @id of Thing

JSON-LD Joint Session Lyon, France, October 2018 DEFINING @ID OF THING Defining @id of Thing without @context in TD "id" field in TD should define the unique identifier of the Thing Goal: It should set the @id of the top-level

505 views • 15 slides
Women in Agriculture Stereotypes Are A Thing Of The Past - Spousal Succession Is A Thing Of The

Women in Agriculture Stereotypes Are A Thing Of The Past - Spousal Succession Is A Thing Of The

Women in Agriculture Stereotypes Are A Thing Of The Past - Spousal Succession Is A Thing Of The Future! Merle Good ~ GRS Consulting Ltd. The Farm The farm is more than property - it is a set of values A way of being and the sense that

938 views • 38 slides
Stop building the wrong thing righter, build the right thing

Stop building the wrong thing righter, build the right thing

Stop building the wrong thing righter, build the right thing The state of software So2ware used a2er changes, 3% So2ware paid for but not delivered, 29%

557 views • 45 slides
Part II Nothing New Under the Sun The thing that hath been, is that which shall be, and that

Part II Nothing New Under the Sun The thing that hath been, is that which shall be, and that

Part II Nothing New Under the Sun The thing that hath been, is that which shall be, and that which is done is that which shall be done: and there is no new thing under the sun. Ecclesiastes 1:9 And I saw three unclean spirits like frogs

1.22k views • 89 slides
on Operation Function of a thing as having one predetermined meaning. Ex a column acting as a

on Operation Function of a thing as having one predetermined meaning. Ex a column acting as a

on Operation Function of a thing as having one predetermined meaning. Ex a column acting as a structural element Operation of a thing as how the thing actually is used and by interpretation being able to have multiple/any meanings. For R&U

330 views • 11 slides
God Is a) The only uncreated thing in all of existence b) The only self-determined thing in all

God Is a) The only uncreated thing in all of existence b) The only self-determined thing in all

God Is a) The only uncreated thing in all of existence b) The only self-determined thing in all of existence Holy 1. Other than 2. Perfectly pure 3. Anything called holy by the Holy One CHOICE God is God is love Love is relational

289 views • 6 slides
T2TRG: Thing-to-Thing Research Group IETF 103, November 6, 2018, Bangkok, TH Chairs: Carsten

T2TRG: Thing-to-Thing Research Group IETF 103, November 6, 2018, Bangkok, TH Chairs: Carsten

T2TRG: Thing-to-Thing Research Group IETF 103, November 6, 2018, Bangkok, TH Chairs: Carsten Bormann & Ari Kernen 1 Note Well You may be recorded The IPR guidelines of the IETF apply: see http://irtf.org/ipr for details. 2

798 views • 67 slides
Thing Description Recipes Linked Data & Semantic Processing TF F2F Meeting, 13.07.2017

Thing Description Recipes Linked Data & Semantic Processing TF F2F Meeting, 13.07.2017

Web of Things Thing Description Recipes Linked Data & Semantic Processing TF F2F Meeting, 13.07.2017 Dsseldrof Darko Anicic Thing Description Recipes (Darko, Koster, Aparna, Danh) Problem Statement How to easily enable thing

282 views • 11 slides
The First Thing to Build: Trust on The First Thing to Build: Trust on Agile Teams Agile Teams

The First Thing to Build: Trust on The First Thing to Build: Trust on Agile Teams Agile Teams

W8 Concurrent Session Wednesday 12/05/2007 12:45 PM The First Thing to Build: Trust on The First Thing to Build: Trust on Agile Teams Agile Teams Presented by: Diana Larsen FutureWorks Consulting Presented at: Agile Development Practices

469 views • 16 slides
The Next Big Thing in NRM? Andrew Johnson March 2015 Prediction is very difficult, especially

The Next Big Thing in NRM? Andrew Johnson March 2015 Prediction is very difficult, especially

The Next Big Thing in NRM? Andrew Johnson March 2015 Prediction is very difficult, especially if it's about the future! Niels Bohr Nobel Prize in Physics 1922 NRM - The Next Big Thing! 2 A changing world........ Source: Reuters NRM - The

808 views • 22 slides
Studie ies Massimo Reconditi PhysioLab University of Florence, Italy Just look at the thing!

Studie ies Massimo Reconditi PhysioLab University of Florence, Italy Just look at the thing!

Striated Muscle: Structural Studie ies Massimo Reconditi PhysioLab University of Florence, Italy Just look at the thing! It is very easy to answer many [ ] fundamental biological questions; you just look at the thing! [ ]

941 views • 67 slides
Conflict of Interest: Normal Business Courtesies. Is there such a thing? Courtesies. Is

Conflict of Interest: Normal Business Courtesies. Is there such a thing? Courtesies. Is

Conflict of Interest: Normal Business Courtesies. Is there such a thing? Courtesies. Is there such a thing? Lorraine DAngelo, Ethics & Corporate Compliance Officer/ Counsel, Dragados USA, Inc. J an Gillespie, Associate Counsel,

620 views • 21 slides
Whats that Bloomin thing? Presentation by Sohleong Lim (Sol Leon) So what is THIS

Whats that Bloomin thing? Presentation by Sohleong Lim (Sol Leon) So what is THIS

Whats that Bloomin thing? Presentation by Sohleong Lim (Sol Leon) So what is THIS bloomin thing? Tecoma capensis (Cape honeysuckle) Family: Bignoniaceae (big-no-nih-AY-see-ee) Genus: Tecoma (tek-OH-muh) Tecoma stans (Yellow bells)

795 views • 18 slides
Is friction good or bad? Look at the photos. Where is friction a good thing and where is it a bad

Is friction good or bad? Look at the photos. Where is friction a good thing and where is it a bad

Is friction good or bad? Look at the photos. Where is friction a good thing and where is it a bad thing? Look at the labels - should these objects have lots of friction or not much friction? Can you see any other examples? Rope Gloves Sledge

205 views • 6 slides

More recommend