IoT Security in Action! Julien Vermillard, Sierra Wireless @vrmvrm - PowerPoint PPT Presentation

SLIDE 1

IoT Security in Action!

Julien Vermillard, Sierra Wireless @vrmvrm - jvermillard@sierrawireless.com EclipseCON EU 2016

SLIDE 2

Introduction

SLIDE 3

Managing connected devices

Why it is simple to exploit non-secured systems
How simple it is to have the minimum security

SLIDE 4

Network security

SLIDE 5

Deep dive: demo setup

Diagram: IoT Device (MangOH) and Attacker on the local network; the Internet Gateway (Linux PC) connects the local network to the Internet.

SLIDE 6

Man-in-the-Middle?

Diagram: IoT Device (MangOH) and Attacker PC (Linux, Ettercap) on the local network; the Internet Gateway (Linux PC) connects the local network to the Internet.

SLIDE 7

Before attack

Diagram: IoT Device (RaspberryPI), Attacker PC (Linux, Ettercap) and Internet Gateway (Linux PC) on the local network; the device's traffic to the Internet goes directly through the gateway.

SLIDE 8

ARP poisoning

Diagram: same setup (IoT Device, Attacker PC with Ettercap, Internet Gateway on the local network).

The attacker PC announces to the device: "I'm the gateway!"

It then routes everything it receives on to the real gateway, so the device's traffic to the Internet now passes through the attacker.
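The poisoning on this slide leaves a trace a defender can look for: the gateway's IP is suddenly claimed by a second MAC address, and one MAC claims several IPs. The following Go program is an added example, not part of the deck or of any Sierra Wireless tool; it parses constructed lines in the shape tcpdump prints ARP replies (`<ip> is-at <mac>`, an assumption about the input format) and raises an alert for each conflicting claim.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ARPObservation is one "sender IP / sender MAC" pair taken from an ARP reply
// seen on the local segment.
type ARPObservation struct {
	IP  string
	MAC string
}

// ParseARPReplies reads lines shaped like "<ip> is-at <mac>" (assumed here to
// be the form a capture tool prints ARP replies in) and keeps the IP/MAC claims.
func ParseARPReplies(lines []string) []ARPObservation {
	var out []ARPObservation
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) == 3 && f[1] == "is-at" {
			out = append(out, ARPObservation{IP: f[0], MAC: strings.ToLower(f[2])})
		}
	}
	return out
}

// DetectARPPoisoning reports every IP claimed by more than one MAC during the
// observation window (CRIT when that IP is the gateway, which is exactly the
// "I'm the gateway!" message of the slide) and every MAC that claimed more
// than one IP. Alerts are returned sorted so the output is stable.
func DetectARPPoisoning(obs []ARPObservation, gatewayIP string) []string {
	macsByIP := map[string]map[string]bool{}
	ipsByMAC := map[string]map[string]bool{}
	for _, o := range obs {
		if macsByIP[o.IP] == nil {
			macsByIP[o.IP] = map[string]bool{}
		}
		macsByIP[o.IP][o.MAC] = true
		if ipsByMAC[o.MAC] == nil {
			ipsByMAC[o.MAC] = map[string]bool{}
		}
		ipsByMAC[o.MAC][o.IP] = true
	}
	var alerts []string
	for ip, macs := range macsByIP {
		if len(macs) > 1 {
			sev := "WARN"
			if ip == gatewayIP {
				sev = "CRIT"
			}
			alerts = append(alerts, fmt.Sprintf("%s: IP %s claimed by several MACs: %s", sev, ip, joinSorted(macs)))
		}
	}
	for mac, ips := range ipsByMAC {
		if len(ips) > 1 {
			alerts = append(alerts, fmt.Sprintf("WARN: MAC %s claims several IPs: %s", mac, joinSorted(ips)))
		}
	}
	sort.Strings(alerts)
	return alerts
}

func joinSorted(set map[string]bool) string {
	keys := make([]string, 0, len(set))
	for k := range set {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return strings.Join(keys, ", ")
}

// SampleReplies is constructed input: a gateway, one device, and a third host
// that later answers for both of them.
var SampleReplies = []string{
	"192.168.1.1 is-at aa:bb:cc:00:00:01",
	"192.168.1.20 is-at aa:bb:cc:00:00:20",
	"192.168.1.1 is-at de:ad:be:ef:00:99",
	"192.168.1.20 is-at de:ad:be:ef:00:99",
}

func main() {
	for _, a := range DetectARPPoisoning(ParseARPReplies(SampleReplies), "192.168.1.1") {
		fmt.Println(a)
	}
}
```

On the constructed sample this yields one CRIT alert for the gateway IP and two WARN alerts. A monitor built on this logic needs to see the ARP traffic of the segment (a mirror port or a sensor on the same broadcast domain), and a genuine NIC replacement or DHCP reassignment produces the same pattern once, so the window length and a known-good gateway MAC are what keep the alert meaningful.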

SLIDE 9

DNS spoofing

Diagram: same setup (IoT Device, Attacker PC with Ettercap, Internet Gateway on the local network).

The device sends a DNS query for iot.eclipse.org; the attacker answers with a fake DNS response, and the device's LWM2M connection follows that fake answer.

SLIDE 10

With TLS/DTLS?

Diagram: same setup (IoT Device, Attacker PC with Ettercap, Internet Gateway on the local network), now with TLS/DTLS.

The device sends a DNS query for iot.eclipse.org and the attacker returns a fake DNS response, but the DTLS handshake fails.

SLIDE 11

Security with gateways

Diagram: a Sensor network (ex: Zigbee) with low or no security; the Gateway collects the data and pushes it to the cloud over a secure transport (cable, 4G, etc.) across the public network.

SLIDE 12

Security with gateways

Diagram: same layout (Sensor network (ex: Zigbee), Gateway, cable, 4G, etc. to the public network). Attack the gateway and get access to all the network; on the sensor side, local wireless sniffing.

SLIDE 13

End-to-end security

Diagram: a Sensor network (ex: Thread) behind a Router connected by cable, 4G, etc. to the public network.

Low power nodes: security starts here.

The router sees only encrypted communication: not your Achilles' heel.

SLIDE 14

Other benefits of IP to the edge device

Simplicity: only IP networks
Topology flexibility compared to gateway
Scaling: IP routing is something well known

SLIDE 15

Can we trust wireless network?

Wifi password?
GPRS encryption?
3G/4G femtocell?
Zigbee?
Bluetooth?
Not talking of plain text wireless network :)

SLIDE 16

Example: GPRS

https://discourse.criticalengineering.org/t/howto-gsm-base-station-with-the-beaglebone-black-debian-gnu-linux-and-a-usrp/56

SLIDE 17

Example: 3G/4G femtocell

http://www.ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf

SLIDE 18

Key Management

SLIDE 19

Key management

You will have a fleet of devices
They need secrets (key, password, etc.)
Unique across devices
You need to be able to change those secrets
You will probably not trust your factory

SLIDE 20

Lightweight M2M Bootstrap

Flash bootstrap credentials

SLIDE 21

I only have bootstrap credentials or I can’t reach final server

Lightweight M2M Bootstrap

SLIDE 22

Lightweight M2M Bootstrap

Diagram: the device asks the Bootstrap Server: "Give me key and my server(s)".

SLIDE 23

Lightweight M2M Bootstrap

Diagram: the Bootstrap Server answers with new keys and server(s) URLs and ACL.

SLIDE 24

Lightweight M2M Bootstrap

Diagram: after bootstrap, the device registers with the Home Automation Server and with the Device Management Server, the servers the Bootstrap Server pointed it to.

SLIDE 25

Secret key rotation using bootstrap?

Renew or upgrade your secret:
1 - Device authenticates with the bootstrap server
2 - Bootstrap server rewrites the bootstrap secret
At the next bootstrap the device uses the new bootstrap secrets
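The two steps above, played through end to end, as an added Go example that is not part of the deck, of Leshan or of Wakaama. The DTLS-PSK handshake of a real LWM2M bootstrap is replaced by a nonce/HMAC challenge so the program runs offline (an assumption made for the example; the endpoint name, server URI and factory secret are constructed values). What it shows is the property the slide relies on: after one bootstrap the factory secret is dead, so a copy of it left at the factory or captured later no longer gets anyone a set of server credentials.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credentials is what a bootstrap round leaves on the device: where its
// management server is, the secret for that server, and the secret for the
// next bootstrap.
type Credentials struct {
	ServerURI    string
	ServerPSK    []byte
	BootstrapPSK []byte
}

// Device holds one endpoint name and its current credentials.
type Device struct {
	Endpoint string
	Creds    Credentials
}

// BootstrapServer knows the current bootstrap PSK of every endpoint.
type BootstrapServer struct {
	serverURI string
	psks      map[string][]byte
}

func NewBootstrapServer(serverURI string) *BootstrapServer {
	return &BootstrapServer{serverURI: serverURI, psks: map[string][]byte{}}
}

// Provision records the factory bootstrap secret of an endpoint.
func (s *BootstrapServer) Provision(endpoint string, psk []byte) {
	s.psks[endpoint] = append([]byte(nil), psk...)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// prove is the stand-in for the PSK handshake: HMAC-SHA256 of the server's
// nonce under the bootstrap secret.
func prove(psk, nonce []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(nonce)
	return m.Sum(nil)
}

// Bootstrap is steps 1 and 2 of the slide on the server side: the device must
// prove it holds the current bootstrap PSK; if it does, the server hands out
// fresh server credentials and a fresh bootstrap PSK and forgets the old one.
func (s *BootstrapServer) Bootstrap(endpoint string, respond func(nonce []byte) []byte) (Credentials, error) {
	psk, ok := s.psks[endpoint]
	if !ok {
		return Credentials{}, errors.New("unknown endpoint")
	}
	nonce := randomBytes(16)
	if !hmac.Equal(prove(psk, nonce), respond(nonce)) {
		return Credentials{}, errors.New("bootstrap authentication failed")
	}
	creds := Credentials{ServerURI: s.serverURI, ServerPSK: randomBytes(16), BootstrapPSK: randomBytes(16)}
	s.psks[endpoint] = creds.BootstrapPSK // step 2: the bootstrap secret is rewritten
	return creds, nil
}

// RunBootstrap is the device side: authenticate with the current bootstrap PSK
// and, on success, replace everything it holds with what the server sent.
func (d *Device) RunBootstrap(s *BootstrapServer) error {
	creds, err := s.Bootstrap(d.Endpoint, func(nonce []byte) []byte {
		return prove(d.Creds.BootstrapPSK, nonce)
	})
	if err != nil {
		return err
	}
	d.Creds = creds
	return nil
}

func main() {
	factory := []byte("factory-secret-0001") // constructed
	srv := NewBootstrapServer("coaps://dm.example:5684")
	srv.Provision("urn:dev:demo-1", factory)
	dev := &Device{Endpoint: "urn:dev:demo-1", Creds: Credentials{BootstrapPSK: factory}}
	fmt.Println("first bootstrap:", dev.RunBootstrap(srv))
	stale := &Device{Endpoint: "urn:dev:demo-1", Creds: Credentials{BootstrapPSK: factory}}
	fmt.Println("replay with factory secret:", stale.RunBootstrap(srv))
	fmt.Println("second bootstrap with rotated secret:", dev.RunBootstrap(srv))
}
```

One point the toy version hides: the server rewrites its copy of the secret before the device has stored the new one, so a device that loses power between the two writes can no longer bootstrap. A real deployment needs the new credentials written atomically on the device, or a server that accepts the previous secret for one more round.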

SLIDE 26

Public Key Infrastructure?

Root CA
  Intermediate CA
    End entity 1
    End entity 2
    End entity 3

SLIDE 27

How to verify a certificate

Diagram, read from the identity to verify up to the root trust:
End entity: Identity, Public Key, Issuer Identity, Issuer Signature, Expiration ~3 y
Intermediate: Identity, Public Key, Issuer Identity, Issuer Signature, Expiration ~5 y
Root CA: Root CA Identity, Root Public Key, Root Signature (the root trust)
At each step: find the issuer named in the certificate, then verify the certificate's signature with that issuer's public key (Find, Verify, Find, Verify).
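The walk described on this slide, and the reason the DTLS handshake on slide 10 fails when the device is sent to an attacker's address, in one added Go example (not part of the deck; it uses only the Go standard library). It builds a root, an intermediate and an end-entity certificate for iot.eclipse.org with the validity periods of the slide (the root's 10-year lifetime is an assumption; the slide gives none), then verifies chains the way a client does: find the issuer, check signatures and expiration up to a trusted root, and check the identity. A self-signed certificate that merely copies the name, an expired certificate, and a mismatched host name are all rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour

// issue builds one certificate of the chain: self-signed when parent is nil
// (the root), otherwise signed with the parent's private key. Sequential
// serial numbers are an assumption made only to keep the example short.
func issue(serial int64, cn string, isCA bool, validFor time.Duration,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(validFor),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // an end entity carries the identity (DNS name) it will be checked against
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoPKI is the chain of the slide plus two certificates that must be rejected.
type DemoPKI struct {
	Root, Inter, Leaf, Expired, Attacker *x509.Certificate
}

// BuildDemoPKI creates the root (10 y, assumed), the intermediate (~5 y) and an
// end entity for iot.eclipse.org (~3 y), then an already expired end entity and
// a self-signed certificate that merely copies the name.
func BuildDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := issue(1, "Demo Root CA", true, 10*year, nil, nil)
	if err != nil { return nil, err }
	inter, interKey, err := issue(2, "Demo Intermediate CA", true, 5*year, root, rootKey)
	if err != nil { return nil, err }
	leaf, _, err := issue(3, "iot.eclipse.org", false, 3*year, inter, interKey)
	if err != nil { return nil, err }
	expired, _, err := issue(4, "iot.eclipse.org", false, -time.Minute, inter, interKey)
	if err != nil { return nil, err }
	attacker, _, err := issue(5, "iot.eclipse.org", false, 3*year, nil, nil)
	if err != nil { return nil, err }
	return &DemoPKI{Root: root, Inter: inter, Leaf: leaf, Expired: expired, Attacker: attacker}, nil
}

// VerifyChain is the walk of the slide: find the issuer of the end entity among
// the intermediates, check each signature and expiration up to a trusted root,
// and confirm the identity the certificate is presented for.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, hostname string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rootPool.AddCert(c) }
	for _, c := range intermediates { interPool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       hostname,
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Check verifies cert against the demo root and intermediate.
func (p *DemoPKI) Check(cert *x509.Certificate, hostname string) error {
	return VerifyChain(cert, []*x509.Certificate{p.Inter}, []*x509.Certificate{p.Root}, hostname)
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil { panic(err) }
	fmt.Println("genuine chain:", p.Check(p.Leaf, "iot.eclipse.org"))
	fmt.Println("attacker self-signed:", p.Check(p.Attacker, "iot.eclipse.org"))
}
```

The `DNSName` option is the piece that ties the certificate to the identity the device asked DNS for: a spoofed answer can steer the connection elsewhere, but whoever answers there still has to present a certificate for iot.eclipse.org that chains to a root the device trusts, which is why the handshake on slide 10 fails.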

SLIDE 28

Enrollment with PKI

Diagram: the device generates a key pair (Private, Public).

SLIDE 29

Enrollment with PKI

Diagram: the device sends a Certificate Request carrying its Public key to the Certification Authority; the Private key stays on the device.

SLIDE 30

Enrollment with PKI

Diagram: the Certification Authority signs an X.509 certificate using the CA private key and returns the Certificate to the device.

SLIDE 31

Enrollment with PKI

Diagram: the device signs with its Private key and uses its certificate for authentication to the Service, which holds the CA Public key.

SLIDE 32

Still not IoT friendly

A lot of enterprise protocols:
IKE: Internet Key Exchange (RFC2409)
CMP: Certificate Management Protocol (RFC4210)
SCEP: Simple Certificate Enrollment Protocol (draft-gutmann-scep-02)
EST: Enrollment Over Secure Transport (RFC7030)
IEEE 802.1AR: Secure Device Identity (802.1AR)
But still nothing ready to use for constrained networks & devices

SLIDE 33

Firmware download

SLIDE 34

Firmware download

Diagram: same man-in-the-middle setup (IoT Device (RaspberryPI), Attacker PC with Ettercap, Internet Gateway on the local network).

The device fetches its firmware with an HTTP GET; the attacker answers by sending firmware with a backdoor.

SLIDE 35

CMS (Cryptographic Message Syntax)

See RFC5652 (replaces PKCS #7)
Used to digitally sign, digest, authenticate, or encrypt arbitrary message content.
Supported by OpenSSL (CLI: openssl cms)

SLIDE 36

Secure boot

Hardware (ROM) enforces booting only correctly signed code
Often based on ECDSA signature
Hardware based ⇒ no algorithm agility
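The check the ROM performs, and why the backdoored download of slide 34 never runs once it is in place, as an added Go example that is not part of the deck or of any vendor's boot code. The vendor signs the SHA-256 digest of the image with an ECDSA P-256 key (the "often based on ECDSA signature" of the slide); the `BootROM` type stands for the immutable hardware with the vendor public key burned in, and the firmware bytes and key pairs are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BootROM stands for the immutable part of the chip: the vendor's public key
// is burned in and can never be replaced, which is where the slide's
// "no algorithm agility" comes from (neither the key nor the curve can change).
type BootROM struct {
	VendorKey *ecdsa.PublicKey
}

// SignFirmware runs at the vendor: hash the image, sign the digest with the
// ECDSA P-256 private key, and ship image and signature together.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Boot is what the ROM does on reset: recompute the digest of the image it is
// given and refuse to run anything whose signature does not verify under the
// burned-in key.
func (r BootROM) Boot(image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(r.VendorKey, digest[:], sig) {
		return errors.New("secure boot: signature check failed, not booting")
	}
	return nil
}

// Scenario plays through the firmware-download slides with constructed data:
// a genuine signed image boots; the same image with bytes appended in transit
// does not; and an image signed with a key that is not the vendor's does not
// either. It returns the three outcomes so they can be checked.
func Scenario() (genuineOK, tamperedOK, foreignKeyOK bool, err error) {
	vendor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rom := BootROM{VendorKey: &vendor.PublicKey}
	image := []byte("constructed firmware image v1.0")
	sig, err := SignFirmware(vendor, image)
	if err != nil {
		return
	}
	genuineOK = rom.Boot(image, sig) == nil

	tampered := append(append([]byte(nil), image...), []byte(" + extra code")...)
	tamperedOK = rom.Boot(tampered, sig) == nil

	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	otherSig, err := SignFirmware(other, tampered)
	if err != nil {
		return
	}
	foreignKeyOK = rom.Boot(tampered, otherSig) == nil
	return
}

func main() {
	genuine, tampered, foreign, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine boots: %v, tampered boots: %v, foreign key boots: %v\n", genuine, tampered, foreign)
}
```

The signature covers the whole image, so any modification in transit is caught whether or not the download itself was protected; the flip side of a key that cannot be replaced is that the vendor's private key and its storage become the single point to protect for the lifetime of the hardware.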

SLIDE 37

Open-source solutions are there

Eclipse IoT: Leshan, Wakaama, TinyDTLS, Scandium, Paho, Mosquitto, Hono
OpenSSL, Mbed TLS
CFSSL
GnuPG
U-Boot

SLIDE 38

Thanks!

Twitter: @vrmvrm
Mail: jvermillard@sierrawireless.com

SLIDE 39

Credits

Tom Medley - The Noun Project
Guilhem - The Noun Project
Giuditta Valentina Gentile - The Noun Project
Sergey Krivoy - The Noun Project
Jon Anderson - The Noun Project
Ryan Beck - The Noun Project
Edward Boatman - The Noun Project