iot security in action
play

IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm - PowerPoint PPT Presentation

Apr 18, 2023 •726 likes •1.14k views

IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm - jvermillard@sierrawireless.com EclipseCON EU 2016 Introduction Managing connected devices Why it is simple to exploit non-secured systems How simple to have the minimum

  1. IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm - jvermillard@sierrawireless.com EclipseCON EU 2016

  2. Introduction

  3. Managing connected devices Why it is simple to exploit non-secured systems How simple to have the minimum security

  4. Network security

  5. Deep dive: demo setup Internet IoT Device Internet Gateway (MangOH) (Linux PC) Local network Attacker

  6. Man-in-the-Middle? Internet IoT Device Internet Gateway (MangOH) (Linux PC) Local network Attacker PC Linux Ettercap

  7. Before attack Internet IoT Device Internet Gateway (RaspberryPI) (Linux PC) Traffic to Internet Local network Attacker PC Linux Ettercap

  8. ARP poisoning Internet Traffic to Internet IoT Device Internet Gateway (MangOH) (Linux PC) I’m the gateway! Local network Route everything to the gateway Attacker PC Linux Ettercap

  9. DNS spoofing Internet IoT Device (MangOH) DNS query iot.eclipse.org Internet Gateway (Linux PC) LWM2M connection Local network Fake DNS response Attacker PC Linux Ettercap

  10. With TLS/DTLS? Internet IoT Device (RaspberryPI) DNS query iot.eclipse.org Internet Gateway (Linux PC) DTLS handshake failure Local network Fake DNS response Attacker PC Linux Ettercap

  11. Security with gateways public network cable, 4G, etc.. Sensor network (ex: Zigbee) Gateway: collect data and push to cloud Low or no security Secure transport

  12. Security with gateways public network cable, 4G, etc.. Sensor network (ex: Zigbee) Attack gateway get access to all the network Local wireless sniffing

  13. End-to-end security public network cable, 4G, etc.. Sensor network (ex: Thread) Router See only encrypted communication Low power nodes: Not your Achilles’ heel security starts here

  14. Other benefits of IP to the edge device Simplicity: only IP networks Topology flexibility compared to gateway Scaling IP routing is something well known

  15. Can we trust wireless network? Wifi password? GPRS encryption? 3G/4G femtocell? Zigbee? Bluetooth? Not talking of plain text wireless network :)

  16. Example: GPRS https://discourse.criticalengineering.org/t/howto-gsm-base-station-with-the-bea glebone-black-debian-gnu-linux-and-a-usrp/56

  17. Example: 3G/4G femtocell http://www. ioactive .com/ pdf s/ IOActive _Remote_Car_Hacking. pdf

  18. Key Management

  19. Key management You will have a fleet of device They needs secrets (key, password, etc..) Unique across devices You need to be able to change those secrets You will probably don’t trust your factory

  20. Lightweight M2M Bootstrap Flash bootstrap credentials

  21. Lightweight M2M Bootstrap I only have bootstrap credentials or I can’t reach final server

  22. Lightweight M2M Bootstrap Give me key and my server(s) Bootstrap Server

  23. Lightweight M2M Bootstrap New keys and server(s) URLs and ACL Bootstrap Server

  24. Lightweight M2M Bootstrap Registration Home Automation Server Registration Device Manag. Server Bootstrap Server

  25. Secret key rotation using bootstrap? Renew or upgrade your secret: 1 - Device authenticate with the bootstrap server 2 - Bootstrap server rewrite the bootstrap secret Next bootstrap the device use the new bootstrap secrets

  26. Public Key Infrastructure? Root CA Intermediate CA End entity 1 End entity 2 End entity3

  27. How to verify a certificate Identity Expiration ~3 y Identity Public Key Find Expiration ~5 y Issuer Identity Issuer Signature Public Key Verify Find Issuer Identity Root CA Identity Issuer Signature Root Public Key Root Signature Verify Identity to verify Intermediate Root trust

  28. Enrollment with PKI Generate Private Public

  29. Enrollment with PKI Certification Authority Private Public Certificate Request

  30. Enrollment with PKI Certificate Generate Certification Authority Private Public Sign using CA private key a X.509 certificate CA Private

  31. Enrollment with PKI Sign using certificate for authentication Generate Service Private Public CA Public

  32. Still not IoT friendly A lot of enterprise protocols: IKE: Internet Key Exchange RFC2409 CMP: Certificate Management Protocol RFC4210 SCEP: Simple Certificate Enrollment Protocol draft-gutmann-scep-02 EST: Enrollment Over Secure Transport RFC7030 IEEE 802.1AR: Secure Device Identity 802.1AR But still nothing ready to use for constrained networks & devices

  33. Firmware download

  34. Firmware download Internet HTTP GET IoT Device Internet Gateway (RaspberryPI) (Linux PC) Local network Send firmware with backdoor Attacker PC Linux Ettercap

  35. CMS (Cryptograpic Message Syntax) See RFC5652 (replaces PKCS #7) Used to digitally sign, digest, authenticate, or encrypt arbitrary message content. Supported by OpenSSL (CLI: openssl cms )

  36. Secure boot Hardware (ROM) enforces booting only correctly signed code Often based on ECDSA signature Hardware based ⇒ no algorithm agility

  37. Open-source solutions are there Eclipse IoT : Leshan, Wakaama, TinyDTLS, Scandium, Paho, Mosquitto, Hono OpenSSL , Mbed TLS CFSSL GnuPG U-Boot

  38. Thanks! Twitter: @vrmvrm Mail: jvermillard@sierrawireless.com

  39. Credits Tom Medley - The Noun Project Guilhem - The Noun Project Giuditta Valentina Gentile - The Noun Project Sergey Krivoy - The Noun Project Jon Anderson - The Noun Project Ryan Beck - The Noun Project Edward Boatman - The Noun Project

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Security Action Action Plan Plan Pr Prof ofession essional al Ag Agree eemen

Security Security Action Action Plan Plan Pr Prof ofession essional al Ag Agree eemen

Compr Comprehensiv ehensive e Air Airpor port t Security Security Action Action Plan Plan Pr Prof ofession essional al Ag Agree eemen ment A t AVN VN RFP 1 RFP 18-025 025 Pr Pre-Resp sponse se Mee Meeting ting May May

252 views • 23 slides
W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling

W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling

W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling Environm ent Presented at the Expert Group Meeting on Regional Cooperation Tow ards Building an I nform ation Society in Asia and the Pacific

498 views • 25 slides
Launch of National Social Security Strategy (NSSS) Action Plan and Inauguration of Social

Launch of National Social Security Strategy (NSSS) Action Plan and Inauguration of Social

Launch of National Social Security Strategy (NSSS) Action Plan and Inauguration of Social Security Programme Review Conference Organized by Social Security Policy Support (SSPS) Programme Cabinet Division and General Economics Division Basic

162 views • 13 slides
USF National Security February 2019 General Business Overview The Case for Immediate Action

USF National Security February 2019 General Business Overview The Case for Immediate Action

USF National Security February 2019 General Business Overview The Case for Immediate Action A Narrowly-Tailored Approach TIAs Proposal Mitigating the Costs Legal Authority The FCCs Role in Context Procedural

464 views • 10 slides
Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design

Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design

Department of Computer Science, University of Oxford Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design of Smart Home Cameras George Chalhoub, Ivan Flechais, Norbert Nthala, Ruba Abu-Salma Sixteenth

1.1k views • 12 slides
3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use of ICTs 22nd May 2008 GENEVA VOICE OVER IP (VoIP) Presented by Graham Butler President & C.E.O Bitek International Inc www.bitek.com

191 views • 17 slides
Action Plan of Social Security Dr. Md. Shamsul Arefin Senior Secretary, Coordination and Reforms

Action Plan of Social Security Dr. Md. Shamsul Arefin Senior Secretary, Coordination and Reforms

Role of Ministries/Divisions in implementing Action Plan of Social Security Dr. Md. Shamsul Arefin Senior Secretary, Coordination and Reforms Cabinet Division Government of the Peoples Republic of Bangladesh Alignment with Multiple

913 views • 42 slides
National Implementation Action Plans National Implementation Action Plans WORKSHOP ON THE

National Implementation Action Plans National Implementation Action Plans WORKSHOP ON THE

National Implementation Action Plans National Implementation Action Plans WORKSHOP ON THE IMPLEMENTATION OF UNITED NATIONS SECURITY COUNCIL WORKSHOP ON THE IMPLEMENTATION OF UNITED NATIONS SECURITY COUNCI L RESOLUTION 1540 (2004) RESOLUTION

229 views • 11 slides
The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

532 views • 17 slides
A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

534 views • 17 slides
3i Capital Markets Seminar Action 8 June 2016 Agenda 3is investment in Action 1 2 Action

3i Capital Markets Seminar Action 8 June 2016 Agenda 3is investment in Action 1 2 Action

3i Capital Markets Seminar Action 8 June 2016 Agenda 3is investment in Action 1 2 Action presentation Sander van der Laan, CEO Action Frederik Lotz, CFO Action 2 3i acquired Action in September 2011 Acquired from founders

445 views • 42 slides
RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC

RISC-V Foundation Security Standing Committee Call to action !! Helena Handschuh, Rambus, SSC Chair CHES 2018 Rump Session, Amsterdam, September 10 th 2018 A security standing committee for the RISC-V Foundation RISC-V Foundation; a

211 views • 4 slides
A Semantic Model For Action-Based Adaptive Security Sara Sartoli, Akbar S. Namin Texas Tech

A Semantic Model For Action-Based Adaptive Security Sara Sartoli, Akbar S. Namin Texas Tech

A Semantic Model For Action-Based Adaptive Security Sara Sartoli, Akbar S. Namin Texas Tech University April 2017 Contents Motivation Introduction Contributions Why Answer Set Programming ? Running Example

449 views • 30 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Detect Known Violations of Policy Goal: does a specific action and/or state that is known to

Detect Known Violations of Policy Goal: does a specific action and/or state that is known to

Detect Known Violations of Policy Goal: does a specific action and/or state that is known to violate security policy occur? Assume that action automatically violates policy Policy may be implicit, not explicit Used to look for

546 views • 27 slides
Global Health Security Agenda GHSA in a Broader Context: Linkages to the Global Partnership,

Global Health Security Agenda GHSA in a Broader Context: Linkages to the Global Partnership,

Global Health Security Agenda GHSA in a Broader Context: Linkages to the Global Partnership, BWC, and UNSCR 1540 Overview of Action Package Prevent 3 Action Package Prevent 3 (APP3) aims to promote national biosafety and biosecurity by

518 views • 10 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing Denial of Service attack (DoS) Distributed DoS (DoS) Source address validation Link layer security Address resolution protocol (ARP)

1.72k views • 35 slides
Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order): Iljitsch van Beijnum, Steve Bellovin, Brian Carpenter, Mike O'Dell, Sean Doran, Dave Katz, Tony Li, Erik Nordmark, and Pekka Savola Why? Allowing

612 views • 11 slides
1 Connection Establishment Data Exchange Clients connect to an SSH server on port Once

1 Connection Establishment Data Exchange Clients connect to an SSH server on port Once

Where in the stack is security? Attacks can be targeted at any layer of the 16: protocol stack Application layer: Password and data sniffing, Forged Exploits and Defenses Up and transactions, Security holes, Buffer Overflows?

1.15k views • 9 slides
New developments on BREACH Dimitris Karakostas, Dionysis Zindros Stanford, Real World Crypto

New developments on BREACH Dimitris Karakostas, Dionysis Zindros Stanford, Real World Crypto

New developments on BREACH Dimitris Karakostas, Dionysis Zindros Stanford, Real World Crypto 2016 Overview BREACH review Our contributions Statistical attacks Attacking block ciphers Attacking noise Optimization

477 views • 33 slides
The Dark Side of Operational Wi-Fi Calling Services Tian Xie 1 , Guan-Hua Tu 1 , Chi-Yu Li 2 ,

The Dark Side of Operational Wi-Fi Calling Services Tian Xie 1 , Guan-Hua Tu 1 , Chi-Yu Li 2 ,

The Dark Side of Operational Wi-Fi Calling Services Tian Xie 1 , Guan-Hua Tu 1 , Chi-Yu Li 2 , Chunyi Peng, Mi Zhang 1 1 Michigan State University 2 National Chiao Tung University 3 Purdue University Wi-Fi Calling Services Wi-Fi Calling

621 views • 31 slides
A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E.

A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E.

A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E. Irvine Department of Computer Science Naval Postgraduate School December 10, 2019 Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 1

643 views • 35 slides
CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Florida

CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Florida

CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Florida Institute for Cyber Security (FICS) Review What did we talk about this semester? Cryptography secret vs public-key key exchange

828 views • 18 slides

More recommend