Security in the Internet Of Things.
Every IoT project must be designed with security in mind. Identity Relationship Management is a must for a successful IoT implementation.
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
Security in the Internet of Things
1. Security IN
the Internet of Things
Victor Ake
Victor.Ake@ForgeRock.com
CTO Office/Co-Founder
2. 2
About me
! 26 years experience in the IT Industry.
! As a System Engineer, Networking,
Security, Identity Relationship
Management. Ericsson, IBM, 3Com,
Sun Microsystems, ForgeRock
! Co-Founder of FORGEROCK
! CTO Office
http://www.forgerock.com
3. 3
World Wide Web
Mobile Internet
Internet of things
Image Source: Kelsey Austin. https://www.flickr.com/photos/kelseyrage/15362515989
4. 4
Despite the wave
Information is the common key deliverable
Telemetry (Health, Rockets,
Energy, Aviation, etc)
Device Identification
Sensed Information
Metered information
Forget the HONEY!
Source: Meadows R (2012) Understanding the Flight of the Bumblebee. PLoS Biol 10(9)
6. 6
Top barriers to iot and m2m adoption
Source: Infonetics, January 2014.
7. 7
Security and privacy
Data in Transit
Data
Access
ACCESS
Access
Data
Things MOBILE/
gateway
CLOUD ENterprise
Data
Data
ACCESS
8. 8
challenges
Low friction human interaction
Unique device identification
Device Authenticity
Device-user association
Nature of the data
Security vs Comfort / RISK vs REWARD
Image Source: Sharkawi Che Din. https://www.flickr.com/photos/sharkawi3d/15374262331/
9. 9
More challenges
Limited encryption capabilities
Limited resources (RAM/ROM)
Limited clock synchronization
Firmware must be upgraded from time to time
Image Soruce: Massimo Piccoli. https://www.flickr.com/photos/massimo_piccoli/12680390774/
10. 10
IoT security design rules
" Build Security in, it can not be added later
" Keep security mechanisms simple
" Use existing standards
" Obscurity does not provide security
Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg
11. 11
IoT security design rules
" Encrypt sensitive data at rest and in transit
" Use well-studied cryptographic building blocks
" Identity and Access Management must be part
of the design
" Develop a realistic threat model
Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg
13. 13
secure Web, Mobile and Cloud
Interface
" Do not allow default credentials
" Assume device accessed Internally and Externally
" Credentials should not be stored in plain text nor
travel in unencrypted channels
" Protect against account enumeration & implement
account lockout
" Protect against XSS, CSRF, SQLi
" Implement an IAM/IRM system
14. 14
Implement an IAM/IRM System
Identity creation,
Authentication
&
Authorization
15. 15
Provisioning Device Identity
IDM System
I’m an Authentic device
I’m unique (D) Verify authenticity
Register me and registers device
PKI (SE)
16. Register user, AuthN, claim ownership
16
Register me
I own device D
I allow device D to
send data on my
behalf to service S1
for 1 day
Verify identity of user,
Register user,
Authenticate user
Proof possession of
Device
Create Relationship
User-device
Generates OAuth2 Token
Provision Refresh and
Access Token to device
Authenticate
Store R & A
Tokens
AM System
PKI (SE)
17. 17
Device send data on behalf of user
AM System
Send Data (OAuth2 Token)
Verify Device, OAuth2
Access Token validity and
Scope (authorization)
PKI (SE)
Refresh Token
Associate data to Alice
…. Token expired
Negotiate new Access token
Store A.Token New Access Token
18. 18
User shares data, revokes tokens
AM with UMA
System
Authenticate
I want to Share my data
with My Insurance Company
…. Lost my device
Revoke token
HTTP, MQTT, SASL
PKI (SE)
19. 19
Network Services
" Ensure only necessary ports are open
" Ensure services are not vulnerable to buffer
overflow and fuzzing attacks
" Ensure services are not vulnerable to DoS attacks
20. 20
Transport encryption
" Ensure data and credentials are encrypted while in
transit
" Use secure encrypted channels
" Use good key lengths and good algorithms
(Elliptic Curve provides efficient encrypting)
" Protect against replay attacks
21. 21
Privacy as part of the design
" Collect only the minimum necessary data for the
functionality of the device
" Ensure any sensitive data collected is properly
protected with encryption
" Ensure the device properly protects personal data
Photo Source: Brian M (OCDBri): https://www.flickr.com/photos/ocdbri/14438661513
22. 22
Software/Firmware
" Ensure your firmware does not contain hardcoded
credentials or sensitive data
" Use a secure channel to transmit the firmware during
upgrades
" Ensure the update is signed and verified before
allowing the update
" Do not send the public key with the firmware, use a
hash
" Ensure your SVN/GIT repositories do not contain the
private keys
23. 23
Physical Security
" Ensure physical access to your device is
controlled
" Accessible USB or SD ports can be a weakness
" Can it be easily disassembled to access the
internal storage (RAM/ROM)
" If local data is sensitive, consider encrypting the
data
Image Source: http://conflictresearchgroupintl.com/wp-content/uploads/2014/03/How-to-Look-Like-a-Bouncer1.jpg
24. 24
Thank You!
Security in the Internet of
Things
FORGEROCK.COM | LEGAL INFORMATION
Victor Ake
Victor.Ake@ForgeRock.com
CTO Office