your thing is pwnd
play

Your Thing is pwnd Security Challenges for the Internet of Things - PowerPoint PPT Presentation

Aug 25, 2022 •424 likes •1.01k views

Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD researcher Portsmouth University (paul.fremantle@port.ac.uk) Co-Founder, WSO2 Firstly, does it even matter? My three rules for IoT security 1.

  1. Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD researcher Portsmouth University (paul.fremantle@port.ac.uk) Co-Founder, WSO2

  2. Firstly, does it even matter?

  5. My three rules for IoT security • 1. Don’t be stupid • 2. Be smart • 3. Think about what’s different

  6. My three rules for IoT security • 1. Don’t be stupid – The basics of Internet security haven’t gone away • 2. Be smart – Use the best practice from the Internet • 3. Think about what’s different – What are the unique challenges of your device?

  8. “Google Hacking”

  9. http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

  10. 1998 • Realized that session cookies needed to be tied to user sessions – Scenario: Attacker has a valid login, but changes their cookie – Gets access to another user’s account

  11. February 2015 Mosquitto 1.4 Release Notes • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.

  13. So what is different about IoT? • The longevity of the device – Updates are harder (or impossible) • The size of the device – Capabilities are limited – especially around crypto • The fact there is a device – Usually no UI for entering userids and passwords • The data – Often highly personal • The mindset – Appliance manufacturers don’t think like security experts – Embedded systems are often developed by grabbing existing chips, designs, etc

  14. Physical Hacks A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity

  15. UltraReset https://intrepidusgroup.com/insight/2012/09/ultrareset-bypassing-nfc-access-control-with-your-smartphone/

  18. Or try this at home? http://freo.me/1g15BiG

  19. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

  20. Hardware recommendations • Don’t rely on obscurity

  21. Hardware recommendations • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity

  22. Hardware Recommendation #2 • Unlocking a single device should risk only that device’s data

  23. The Network

  24. Crypto on small devices • Practical Considerations and Implementation Experiences in Securing Smart Object Networks – http://tools.ietf.org/html/draft-aks-crypto-sensors-02

  25. ROM requirements

  26. ECC is possible (and about fast enough)

  27. Crypto Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

  28. Won’t ARM just solve this problem?

  29. Cost matters 8 bits 32 bits $5 retail $25 retail $1 or less to embed $?? to embed

  30. Another option?

  31. SIMON and SPECK https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html

  32. Datagram Transport Layer Security (DTLS) • UDP based equivalent to TLS • https://tools.ietf.org/html/rfc4347

  33. Key distribution

  34. How do you distribute keys to devices? • Usually at manufacture time • Complex to update • What about expiration?

  36. Passwords • Passwords suck for humans • They suck even more for devices

  39. MQTT

  41. Why Federated Identity for IoT? • Can enable a meaningful consent mechanism for sharing of device data • Giving a device a token to use on API calls better than giving it a password – Revokable – Granular • May be relevant for both – Device to cloud – Cloud to app

  42. Why really? Your IoT data privacy should not rely on the maker of a specific device

  43. Relying on the maker of your device?

  47. Device to Cloud • Put an OAuth2 token on the device • Set the “scope” to be limited – This device can publish to this topic • Support refresh model

  49. Cloud to App • The same technology can be used to enable some app to subscribe to a specific topic • Much easier than with Arduino!

  50. Lessons learnt • OAuth2 Token lengths are usually ok (no promise though) – OpenId Connect much larger • Registration is hard • MQTT and MPU / I2C code is 97% of Duemilanove – Adding the final logic to do OAuth2 flow pushed it to 99% – No TLS in this demo is a big issue • Different OAuth2 implementations behave differently – Need to disable updating the refresh token with every refresh • Need to be able to update the scope of token if this will work for long term embedded devices • MQTT needs some better designed patterns for RPC – Standardised

  51. More information http://pzf.fremantle.org/2013/11/using- http://siot-workshop.org/ oauth-20-with-mqtt.html

  52. OpenId Connect

  54. Are you creating the next privacy breach?

  56. Summary • Think about security with your next device • We as a community need to make sure that the next generation of IoT devices are secure • We need to create exemplars – Shields – Libraries – Server software – Standards

  57. http://upload.wikimedia.org/wikipedia/commons/c/c8/Thank_you_001.jpg

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Thing Twelve. Government can pick winners. Thing Thirteen. Making rich people richer doesnt make

Thing Twelve. Government can pick winners. Thing Thirteen. Making rich people richer doesnt make

Thing One. There is really no such thing as a free market. Thing Two. Companies should not be run in the interest of their owners. Thing Three. Most people in rich countries get paid more than they should. Thing Four. The washing machine has

503 views • 23 slides
Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X Why ? Add value ?

939 views • 66 slides
and does not do it, to him it is sin. James 4:17 Do the Next Right Thing Do the Next Right Thing

and does not do it, to him it is sin. James 4:17 Do the Next Right Thing Do the Next Right Thing

Therefore, to him who knows to do good and does not do it, to him it is sin. James 4:17 Do the Next Right Thing Do the Next Right Thing Often we become paralyzed with indecision, apathy, frustration and fear because we tend to take a long

1.77k views • 134 slides
COMPANY PRESENTATION MAY 2019 Next to doing the right thing, the most important thing is to let

COMPANY PRESENTATION MAY 2019 Next to doing the right thing, the most important thing is to let

ARWIN & PARTNERS Strategic Investor Relations and Financial Communication COMPANY PRESENTATION MAY 2019 Next to doing the right thing, the most important thing is to let people know you are doing the right thing J.D. Rockefeller

540 views • 16 slides
Group Sustainability Manager doing the RIGHT thing Agenda doing the RIGHT thing Government

Group Sustainability Manager doing the RIGHT thing Agenda doing the RIGHT thing Government

Group Sustainability Manager doing the RIGHT thing Agenda doing the RIGHT thing Government Planning doing the RIGHT thing Measuring Tool for Environmental performance of New Build homes Sits above current building regulations Applied at

1.01k views • 38 slides
Class Two c++ is a typed language what a thing is matters. A thing is a variable in

Class Two c++ is a typed language what a thing is matters. A thing is a variable in

The Code Liberation Foundation Lecture 2 : Loops, Strings, Arrays + std Class Two c++ is a typed language what a thing is matters. A thing is a variable in programing terms. there are several basic types of variables: strings (a

743 views • 24 slides
What is This Thing Called Swing? And other kinds of jazz for that matter? What is This Thing

What is This Thing Called Swing? And other kinds of jazz for that matter? What is This Thing

What is This Thing Called Swing? And other kinds of jazz for that matter? What is This Thing Called Swing - Lunceford Key vocabulary Met eter, er, or t r time me signa gnatu ture: re: This refers to the number of beats in one concise

456 views • 31 slides
Love Is A Many Splendored Thing It Is A Many Splendored Thing There Is Nothing Broken

Love Is A Many Splendored Thing It Is A Many Splendored Thing There Is Nothing Broken

Love Is A Many Splendored Thing It Is A Many Splendored Thing There Is Nothing Broken Here But What Love Cant Fix Pride Critical Spirit Idolatry Outreach Purpose Tradition

335 views • 18 slides
Virtual-Thing: Thing Description based Virtualization Second W3C Workshop on the Web of Things

Virtual-Thing: Thing Description based Virtualization Second W3C Workshop on the Web of Things

Virtual-Thing: Thing Description based Virtualization Second W3C Workshop on the Web of Things 3-5 June 2019, Munich, Germany Hassib Belhaj Ege Korkan Sebastian Steinhorst Technical University of Munich Introduction Any W3C WoT device

462 views • 9 slides
Questions: One thing that would make this morning a success? and/or One thing that must change in

Questions: One thing that would make this morning a success? and/or One thing that must change in

Consolidated Notes Dr. William Bell s Presentation Bosco Homes, May 30, 2012 Every child need s a community of hope quote by Dr. William Bell Questions: One thing that would make this morning a success? and/or One thing that must change

90 views • 5 slides
JSON-LD Joint Session Lyon, France, October 2018 DEFINING @ID OF THING Defining @id of Thing

JSON-LD Joint Session Lyon, France, October 2018 DEFINING @ID OF THING Defining @id of Thing

JSON-LD Joint Session Lyon, France, October 2018 DEFINING @ID OF THING Defining @id of Thing without @context in TD "id" field in TD should define the unique identifier of the Thing Goal: It should set the @id of the top-level

505 views • 15 slides
Women in Agriculture Stereotypes Are A Thing Of The Past - Spousal Succession Is A Thing Of The

Women in Agriculture Stereotypes Are A Thing Of The Past - Spousal Succession Is A Thing Of The

Women in Agriculture Stereotypes Are A Thing Of The Past - Spousal Succession Is A Thing Of The Future! Merle Good ~ GRS Consulting Ltd. The Farm The farm is more than property - it is a set of values A way of being and the sense that

938 views • 38 slides
Stop building the wrong thing righter, build the right thing

Stop building the wrong thing righter, build the right thing

Stop building the wrong thing righter, build the right thing The state of software So2ware used a2er changes, 3% So2ware paid for but not delivered, 29%

557 views • 45 slides
Part II Nothing New Under the Sun The thing that hath been, is that which shall be, and that

Part II Nothing New Under the Sun The thing that hath been, is that which shall be, and that

Part II Nothing New Under the Sun The thing that hath been, is that which shall be, and that which is done is that which shall be done: and there is no new thing under the sun. Ecclesiastes 1:9 And I saw three unclean spirits like frogs

1.22k views • 89 slides
on Operation Function of a thing as having one predetermined meaning. Ex a column acting as a

on Operation Function of a thing as having one predetermined meaning. Ex a column acting as a

on Operation Function of a thing as having one predetermined meaning. Ex a column acting as a structural element Operation of a thing as how the thing actually is used and by interpretation being able to have multiple/any meanings. For R&U

330 views • 11 slides
God Is a) The only uncreated thing in all of existence b) The only self-determined thing in all

God Is a) The only uncreated thing in all of existence b) The only self-determined thing in all

God Is a) The only uncreated thing in all of existence b) The only self-determined thing in all of existence Holy 1. Other than 2. Perfectly pure 3. Anything called holy by the Holy One CHOICE God is God is love Love is relational

289 views • 6 slides
Utilizing and Understanding the Various Methodologies for Evaluating Ionic Cleanliness of Printed

Utilizing and Understanding the Various Methodologies for Evaluating Ionic Cleanliness of Printed

Utilizing and Understanding the Various Methodologies for Evaluating Ionic Cleanliness of Printed Wiring Assemblies Joe Russeau Precision Analytical Laboratory, Inc. jrusseau@precisionanalysts.com 1 Topics Discussed Reasons to Evaluate

494 views • 27 slides
I CANN - - African Group African Group I CANN Presented by: Sophia Bekele Nom Com , GNSO

I CANN - - African Group African Group I CANN Presented by: Sophia Bekele Nom Com , GNSO

I CANN - - African Group African Group I CANN Presented by: Sophia Bekele Nom Com , GNSO Policy Update Lisbon, 2 8 March 2 0 0 7 GNSO is one of ICANNs supporting Org (SO) as a consultative and policy developm ent body responsible

346 views • 9 slides
2014-2018 Capital Plan Key Long Term Financial Policies Use debt for larger projects where

2014-2018 Capital Plan Key Long Term Financial Policies Use debt for larger projects where

2014-2018 Capital Plan Key Long Term Financial Policies Use debt for larger projects where reserves and current revenues will not be sufficient; A project threshold of $300,000 in the short term, increasing up to $1,000,000 over a 5-year

360 views • 33 slides
Integrating SLAM into Gas Distribution Mapping Achim Lilienthal, Amy Loutfi AASS, Dept. of

Integrating SLAM into Gas Distribution Mapping Achim Lilienthal, Amy Loutfi AASS, Dept. of

Integrating SLAM into Gas Distribution Mapping Achim Lilienthal, Amy Loutfi AASS, Dept. of Technology, rebro University Jose Luis Blanco, Cipriano Galindo and Javier Gonzalez System Engineering & Automation Dept., University of Malaga

771 views • 45 slides
Discover Organic Royalty Generation INVESTOR PRESENTATION AUGUST 2020 WWW.OROGENROYALTIES.COM

Discover Organic Royalty Generation INVESTOR PRESENTATION AUGUST 2020 WWW.OROGENROYALTIES.COM

Discover Organic Royalty Generation INVESTOR PRESENTATION AUGUST 2020 WWW.OROGENROYALTIES.COM WWW.OROGENROYALTIES.COM TSX.V:OGN TSX.V:OGN Forward Looking Information This presentation includes certain statem ents that m ay be deem ed

481 views • 16 slides
Gold Finland & Australia Corporate Presentation AUGUST 2020 @mawsongold TSX : MAW; OTCPINK

Gold Finland & Australia Corporate Presentation AUGUST 2020 @mawsongold TSX : MAW; OTCPINK

Gold Finland & Australia Corporate Presentation AUGUST 2020 @mawsongold TSX : MAW; OTCPINK : MWSNF www.mawsongold.com https://www.heathcote.org.au/about-heathcote Disclaimer Accuracy of Information: Readers are directed to the public

781 views • 51 slides
Military Resource Center WELCOME Contact Military Resource Center Congratulations on your

Military Resource Center WELCOME Contact Military Resource Center Congratulations on your

Military Resource Center WELCOME Contact Military Resource Center Congratulations on your decision to begin or continue your educational goals at Rhode Island College. 401.456.8449 mrc@ric.edu Whether you are continuing your education or

431 views • 13 slides
Allocation Plan Capital Projection Transit Service Delivery Advisory Committee October 26, 2016

Allocation Plan Capital Projection Transit Service Delivery Advisory Committee October 26, 2016

Virginia Department of Rail & Public Transportation Transit Resource Allocation Plan Capital Projection Transit Service Delivery Advisory Committee October 26, 2016 TABLE OF CONTENTS Objective Assumptions Presentation of

975 views • 48 slides

More recommend