Securing IoT Connected Device Applications - Ian Massingham - PowerPoint PPT Presentation



SLIDE 1

Securing IoT Connected Device Applications

Ian Massingham, Technology Evangelist, AWS (IanMmmm)

SLIDE 2

IoT isn’t a new use-case for AWS

• Amazon SNS: Mobile Push and Notifications
• Amazon DynamoDB: Predictable and Scalable NoSQL Data Store
• AWS Lambda: Run Code in Response to Events
• Amazon Redshift: Petabyte-Scale Data Warehouse
• Amazon API Gateway: Build, Deploy, and Manage APIs
• Amazon Kinesis: Streaming Analytics
• Amazon Cognito: User Identity and Data Synchronization
• …and more

SLIDE 3

AWS IoT: simplify and accelerate IoT development

The same services as on slide 2 (SNS, DynamoDB, Lambda, Redshift, API Gateway, Kinesis, Cognito, …and more), plus:

• AWS IoT: Connect Devices to the Cloud

SLIDE 4

AWS IoT

“Securely connect one or one billion devices to AWS, so they can interact with applications and other devices”

SLIDE 13

http://192.168.1.200:8080

SLIDE 15

http://192.168.1.200:8080
http://a.public.address:8080


SLIDE 28

DADDY, WHERE DO BOTNETS COME FROM?

SLIDE 29

It doesn’t have to be this way

SLIDE 35

http://192.168.1.200:8080

SLIDE 42

IoT Security: One Slide Primer

• Variably-constrained devices
• Variably-constrained environments and networks
• Remote locations, variable physical security
• Diverse IoT market segments and threat models
• Variable criticality of the IoT applications

SLIDE 43

Start with a threat model

SLIDE 44

Safety

SLIDE 47

Bad things can happen in the real world

SLIDE 48

How can we defend against these threats?

SLIDE 49

• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorisation for:
  • Thing Management (control plane)
  • Pub/Sub Data Access (data plane)
  • Access to Services (to add features)

SLIDE 50

Secure Communications with Things

SLIDE 51

Mutual TLS Authentication

(diagram labels: TLS/SSL; Mutual TLS Authentication)

SLIDE 52

Public Key Cryptography Options

For the same level of security, ECC keys are much smaller than RSA keys:

Symmetric key size (bits)   RSA key size (bits)   Elliptic curve key size (bits)
80                          1024                  160
112                         2048                  224
128                         3072                  256
192                         7680                  384
256                         15360                 512

https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/

SLIDE 53

Communicating with non-things (Humans)

SLIDE 54

How we implement this

                  MQTT + Mutual Authn TLS   AWS Authn + HTTPS
Server Authn      TLS + Cert                TLS + Cert
Client Authn      TLS + Cert                AWS API Keys
Confidentiality   TLS                       TLS
Protocol          MQTT                      HTTP

SLIDE 55

Strong Thing Identity

SLIDE 56

Strong Thing Identity

X.509 Certificates

https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/

SLIDE 57

Fine Grained Authorisation

SLIDE 58

AWS IoT

SLIDE 59

AWS IoT

(diagram labels: Control Plane, Data Plane, Service Access)

SLIDE 60

Applying Permissions to Thing Management

Policy 1: manage certificates (control plane)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ManageCerts",
          "Action": [
            "iot:CreateKeysAndCertificate",
            "iot:CreateCertificateFromCsr",
            "iot:DescribeCertificate",
            "iot:UpdateCertificate",
            "iot:DeleteCertificate",
            "iot:ListCertificates"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

Policy 2: revoke (update the status of) one thing's certificate, and only from one source address

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RevokeOneThing",
          "Action": [ "iot:UpdateCertificate" ],
          "Effect": "Allow",
          "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
          "Condition": {
            "IpAddress": { "aws:SourceIp": "192.168.42.54" }
          }
        }
      ]
    }

Note: aws:SourceIp is compared with the public address AWS sees for the API call, so a private address such as 192.168.42.54 is illustrative only; in a real policy use the caller's public address or address range.

SLIDE 61

Allowing/Denying Access to MQTT Topics

    {
      "Version": "2012-10-17",
      "Statement": [
        { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*" },
        { "Effect": "Allow", "Action": [ "iot:Publish" ],
          "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ] },
        { "Effect": "Allow", "Action": [ "iot:Subscribe" ],
          "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ] },
        { "Effect": "Allow", "Action": [ "iot:Receive" ],
          "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/*" ] }
      ]
    }

Note: AWS IoT evaluates iot:Subscribe against topicfilter ARNs and iot:Receive against topic ARNs, so the two need separate statements; granting both in one statement on a topicfilter ARN lets the client subscribe but never deliver a message to it.
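Added worked example, written for this page (it is not the deck's code and not the AWS implementation): a small evaluator that models how AWS decides on the two kinds of policy shown on slides 60 and 61, so the scoping of a policy can be checked offline before it is attached to a certificate. It embeds the slide 61 data-plane policy (with iot:Receive on topic ARNs, as AWS requires) and the RevokeOneThing control-plane policy with PLACEHOLDER-CERT-ID standing in for the certificate ID the deck truncates. The modelled rules are the documented ones: an explicit Deny wins, otherwise an Allow is required, no match means deny, `*`/`?` wildcards in Action and Resource, and the IpAddress condition on aws:SourceIp. Other condition operators and policy variables are out of scope, and the DENY_RESERVED_POLICY is a constructed policy, not one from the deck.

```python
"""Minimal evaluator for AWS IoT / IAM-style JSON policies (illustrative, not AWS's code).

Decision order modelled: explicit Deny wins, otherwise an Allow is needed,
no matching statement means deny. Wildcards '*' and '?' in Action/Resource
and the IpAddress condition operator are supported; nothing else is.
"""
import ipaddress
import json
import re

ACCOUNT = "arn:aws:iot:us-east-1:123456972007:"   # account prefix used on the slides

# Data-plane policy from slide 61, with iot:Receive on topic ARNs
# (AWS checks iot:Subscribe against topicfilter ARNs, iot:Receive against topic ARNs).
THING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/*"]}
  ]}""")

# Control-plane policy from slide 60; PLACEHOLDER-CERT-ID stands in for the truncated ID.
REVOKE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RevokeOneThing", "Effect": "Allow", "Action": ["iot:UpdateCertificate"],
     "Resource": "arn:aws:iot:us-east-1:123456972007:cert/PLACEHOLDER-CERT-ID",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.168.42.54"}}}
  ]}""")

# Constructed policy (not on the slides): an explicit Deny beating a broad Allow.
DENY_RESERVED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": ACCOUNT + "topic/*"},
        {"Effect": "Deny", "Action": "iot:Publish", "Resource": ACCOUNT + "topic/$aws/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _condition_holds(condition, context):
    """Only the IpAddress operator is modelled; any other operator is rejected loudly."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in pairs.items():
            if key not in context:          # missing context key: condition cannot hold
                return False
            source = ipaddress.ip_address(context[key])
            networks = [ipaddress.ip_network(v, strict=False) for v in _as_list(allowed)]
            if not any(source in net for net in networks):
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    decision = "Deny"                       # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                   # explicit deny ends evaluation
        decision = "Allow"
    return decision

def demo():
    """Decisions for realistic requests; the keys name the scenario."""
    cert = ACCOUNT + "cert/PLACEHOLDER-CERT-ID"
    admin_ip = {"aws:SourceIp": "192.168.42.54"}
    shadow = ACCOUNT + "topic/$aws/things/MyThing/shadow/"
    return {
        "publish_own_shadow": evaluate(THING_POLICY, "iot:Publish", shadow + "update"),
        "publish_other_shadow": evaluate(THING_POLICY, "iot:Publish",
                                         ACCOUNT + "topic/$aws/things/OtherThing/shadow/update"),
        "subscribe_own_shadow": evaluate(THING_POLICY, "iot:Subscribe",
                                         ACCOUNT + "topicfilter/$aws/things/MyThing/shadow/update/accepted"),
        "subscribe_everything": evaluate(THING_POLICY, "iot:Subscribe", ACCOUNT + "topicfilter/#"),
        "receive_own_delta": evaluate(THING_POLICY, "iot:Receive", shadow + "update/delta"),
        "revoke_from_admin_ip": evaluate(REVOKE_POLICY, "iot:UpdateCertificate", cert, admin_ip),
        "revoke_from_other_ip": evaluate(REVOKE_POLICY, "iot:UpdateCertificate", cert,
                                         {"aws:SourceIp": "203.0.113.9"}),
        "revoke_other_cert": evaluate(REVOKE_POLICY, "iot:UpdateCertificate",
                                      ACCOUNT + "cert/ANOTHER-CERT-ID", admin_ip),
        "deny_beats_allow": evaluate(DENY_RESERVED_POLICY, "iot:Publish", shadow + "update"),
        "allow_plain_topic": evaluate(DENY_RESERVED_POLICY, "iot:Publish", ACCOUNT + "topic/sensors/temp"),
    }

if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:22s} {decision}")
```

Two things the decisions make visible. The policy only ever matches MyThing's own shadow topics, so it has to be generated per thing (or written once with an AWS IoT thing policy variable such as ${iot:Connection.Thing.ThingName}, which the deck does not cover); and iot:Connect on "*" lets the certificate connect with any client ID, which AWS lets you tighten to an arn:aws:iot:region:account:client/<clientId> resource.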

SLIDE 62

Hardware Security (Private Key & Platform Protection)

SLIDE 63

IoT Gateways

SLIDE 64

Atmel Zero Touch Secure Provisioning Kit

SLIDE 65

If you spend a lot of time on securing your IoT applications, you’re not spending time solving problems for your customers.

SLIDE 66

So don’t build a platform, unless you’re building a platform. In which case, fine, build a platform.

SLIDE 67

Building ‘Hello World’ (for IoT Developers)

SLIDE 69

Turns out, developers are creative

SLIDE 70

Sassy Ping Pong Score Keeper

Source: https://www.hackster.io/youngd/ping-pong-showdown-eabaed

SLIDE 71

Slack-powered Doorbell

Source: www.theatlantic.com/notes/2016/07/make-every-week-2-a-silent-slack-powered-doorbell/490880/

SLIDE 72

Emergency Sweet Green Ordering

Source: http://www.andrewmcgill.me/2016/08/19/make-every-week-sweetgreen-salad-button.html

SLIDE 73

Push a button to get directions to the right meal within your budget. (Integrates time of day, weather, Google Directions, Yelp, and Stripe)

Source: https://medium.com/@_adeel/nerding-out-with-the-amazon-iot-button-84a6e14b6b28#.ekd5hsnez

SLIDE 74

How does it work?

AWS IoT rule actions:

• Invoke a Lambda function
• Put object in an S3 bucket
• Insert, Update, Read from a DynamoDB table
• Publish to an SNS Topic
• …r Endpoint
• Publish to a Kinesis stream
• Kinesis Firehose > Redshift
• Republish to AWS IoT

SLIDE 75

But wait, I live in Europe and I want to do this. Right now!

SLIDE 76

HARDWARE YOU WILL (& MIGHT) NEED

• A Raspberry Pi
• Electronics kit: try the SunFounder 37 modules Sensor Kit v2.0 for Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires
  http://www.amazon.co.uk/dp/B014PF05ZA
• Example tutorial
• Raspberry Pi Sense Hat (optional fun)
  https://www.raspberrypi.org/products/sense-hat/
SLIDE 77

SETTING UP FOR GPIO/SENSE HAT

• Your own electronics/sensor build in C (embedded C): http://wiringpi.com
• Python wrapper module for WiringPi: https://github.com/WiringPi/WiringPi-Python
• For the Sense Hat, the Python module: https://github.com/RPi-Distro/python-sense-hat

SLIDE 78

SETTING UP FOR AWS IOT

• Use the AWS Console to create your device
• Download the required crypto materials and save the C header file contents with your endpoint, cert, and key details (the private key is the device's credential: keep it out of source control)
• Download and set up your chosen AWS IoT SDK. Get them at: https://aws.amazon.com/iot/sdk/
• Building the C SDK on the Raspberry Pi requires the CppUTest library from: https://github.com/cpputest/cpputest/releases/tag/v3.6
• Get started with the sample applications that come with the AWS SDKs

SLIDE 79

EXAMPLES & DEMOS

• Emulating the AWS IoT Button (C++): https://github.com/ianmas-aws/iot-button-emulator
• Controlling the Sense Hat via AWS IoT Device Shadow (Python): https://github.com/ianmas-aws/PiPyIoT

SLIDE 81

Go Build, Have Fun

Ian Massingham, Technology Evangelist, AWS (IanMmmm)


SLIDE 87

Alert Someone: AWS IoT to AWS Lambda to SNS

Flow (diagram labels):

• Button: SDK, private key & certificate, AWS IoT policy
• AWS IoT Rules Engine: rule SELECT * FROM 'iotbutton/+'; the rule action invokes the Lambda function (permission granted to AWS IoT)
• Lambda function: AWS IoT as event source; execution role policy grants access to AWS services
• SNS topic: subscription delivers SMS or email
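Added example for the flow above, written for this page (it is not the deck's code and not the AWS IoT Button's own firmware or samples): the Lambda function that the rule SELECT * FROM 'iotbutton/+' invokes. Because the '+' wildcard forwards the message from every button that can publish under iotbutton/, the function treats each event as untrusted input: it checks the payload shape and alerts only for serial numbers it knows. The payload fields (serialNumber, clickType, batteryVoltage) are the IoT Button's message as this example assumes it; the serial-number format, the SNS topic ARN and the known serials are constructed values, and the SNS publish call is injected so the logic runs without AWS access.

```python
"""Lambda handler for 'Alert Someone': validate an IoT Button event, then publish to SNS.

Illustrative code for this page. Assumptions: the rule forwards the button's JSON
payload unchanged as the Lambda event, and that payload carries serialNumber,
clickType ("SINGLE" | "DOUBLE" | "LONG") and batteryVoltage ("2322mV").
"""
import re

# Constructed sample data: serial numbers of buttons we own (hypothetical values).
KNOWN_BUTTONS = {"G030JF05EXAMPLE1": "front door", "G030JF05EXAMPLE2": "lab bench"}
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:iotbutton-alerts"   # hypothetical
CLICK_TYPES = {"SINGLE", "DOUBLE", "LONG"}
SERIAL_RE = re.compile(r"^[A-Z0-9]{16}$")      # assumed serial format: 16 upper-case alphanumerics
VOLTAGE_RE = re.compile(r"^\d{1,4}mV$")        # assumed battery field format, e.g. "2322mV"
LOW_BATTERY_MV = 2100                          # hypothetical threshold for a warning line

class RejectedEvent(ValueError):
    """Raised for events that must not trigger an alert."""

def validate_event(event):
    """Return (serial, click_type, voltage_mv) for a well-formed event from a known button."""
    if not isinstance(event, dict):
        raise RejectedEvent("event is not a JSON object")
    serial = event.get("serialNumber")
    click = event.get("clickType")
    voltage = event.get("batteryVoltage")
    if not isinstance(serial, str) or not SERIAL_RE.match(serial):
        raise RejectedEvent("malformed serialNumber")
    if serial not in KNOWN_BUTTONS:            # allow-list: unknown devices never page anyone
        raise RejectedEvent(f"unknown button {serial}")
    if click not in CLICK_TYPES:
        raise RejectedEvent("unexpected clickType")
    if not isinstance(voltage, str) or not VOLTAGE_RE.match(voltage):
        raise RejectedEvent("malformed batteryVoltage")
    return serial, click, int(voltage[:-2])

def build_message(serial, click, voltage_mv):
    """Compose the SNS subject and body from validated fields only."""
    location = KNOWN_BUTTONS[serial]
    subject = f"IoT button: {click} press at {location}"
    lines = [f"Button {serial} ({location}) reported a {click} press.",
             f"Battery: {voltage_mv} mV."]
    if voltage_mv < LOW_BATTERY_MV:
        lines.append("Battery is low; replace it soon.")
    return subject, "\n".join(lines)

def handler(event, context, publish=None):
    """Lambda entry point. `publish` defaults to SNS via boto3; tests inject a fake."""
    if publish is None:
        import boto3                           # only needed inside Lambda
        publish = boto3.client("sns").publish
    try:
        serial, click, voltage_mv = validate_event(event)
    except RejectedEvent as exc:
        print(f"rejected event: {exc}")        # goes to CloudWatch Logs; nothing is sent
        return {"status": "rejected", "reason": str(exc)}
    subject, body = build_message(serial, click, voltage_mv)
    publish(TopicArn=SNS_TOPIC_ARN, Subject=subject, Message=body)
    return {"status": "sent", "button": KNOWN_BUTTONS[serial], "clickType": click}
```

Validation here is the last line of defence, not the first: the policy attached to each button's certificate should already restrict it to publishing on its own iotbutton/<serial> topic, in the same way the slide 61 policy restricts a thing to its own shadow topics.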

SLIDE 88

Count items or Track Usage: AWS IoT to DynamoDB to Dashboard

Flow (diagram labels):

• Button: SDK, private key & certificate, AWS IoT policy
• Rules Engine: rule SELECT * FROM 'iotbutton/+'; the rule action writes to the DynamoDB table
• Dashboard: an S3 website calls API Gateway, which invokes the Lambda function (execution role policy) to read the DynamoDB table

SLIDE 89

Start or Stop Something: AWS IoT to AWS Lambda to an External Endpoint

Flow (diagram labels):

• Thing/Device: SDK, private key & certificate, AWS IoT policy
• Rules Engine: rule SELECT * FROM 'iotbutton/+'; the rule action invokes the Lambda function (permission granted to AWS IoT)
• Lambda function: execution role policy; calls the external API
• External endpoint: LIFX API