security in the internet of things (november 2014)

Security IN the Internet of Things

Victor Ake Victor.Ake@ForgeRock.com

CTO Office/Co-Founder November 2014

2

About me !  26 years experience in the IT Industry.

!  Ericsson, IBM, 3Com, Sun Microsystems & ForgeRock

!  Co-Founder of ForgeRock

!  CTO Office

http://www.forgerock.com

3

World Wide Web

Mobile Internet

Internet of things Image Source: Kelsey Austin. https://www.flickr.com/photos/kelseyrage/15362515989

4

Despite the wave Information is the common key deliverable

Telemetry (Health, Rockets, Energy, Aviation, etc)

Device Identification Sensed Information

Metered information

Forget the HONEY!

Source: Meadows R (2012) Understanding the Flight of the Bumblebee. PLoS Biol 10(9)

5

Increasing Amount OF

Security, Privacy & Safety

Concerns

6

Top barriers to iot and m2m adoption

Source: Infonetics, January 2014.

7

Data in Transit

Data

Access

ACCESS

Access

Data

Security and privacy Things MOBILE/

gateway CLOUD ENterprise

Data

ACCESS

Data

8

Security vs Comfort / RISK vs REWARD

Low friction human interaction Unique device identification Device Authenticity

Nature of the data

challenges

Device-user association

Image Source: Sharkawi Che Din. https://www.flickr.com/photos/sharkawi3d/15374262331/

9

More challenges

Limited encryption capabilities Limited resources (RAM/ROM)

Firmware must be upgraded from time to time Limited clock synchronization

Image Soruce: Massimo Piccoli. https://www.flickr.com/photos/massimo_piccoli/12680390774/

10

IoT security design rules "  Build Security in, it can not be added later

"  Keep security mechanisms simple

"  Use existing standards

"  Obscurity does not provide security

Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg

11

IoT security design rules "  Encrypt sensitive data at rest and in transit

"  Use well-studied cryptographic building blocks

"  Identity and Access Management must be part of the design

"  Develop a realistic threat model

Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg

12

Common Security Issues

13

Web, mobile & cloud interfaces "  Do not allow default credentials

"  Assume device accessed from everywhere

"  Credentials should not be stored in plain text nor travel in unencrypted channels

"  Protect against account enumeration & implement account lockout

"  Protect against XSS, CSRF, SQLi

"  Implement Identity and Access Management Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg

14

Identity Relationship Management for

the Internet of things

15

I’m an Authentic device I’m unique (Device D) Verify authenticity

and registers device Register me

OpenIDM

PKI (SE)

Provisioning Device Identity

16

Register me

I own device D

Verify identity of user, Register user

Authenticate

OpenIDM & OpenAM

PKI (SE)

Register user, AuthN, claim ownership

Authenticate user

Proof possession of Device. Create Relationship User-device

17

I allow device D to send data on my behalf to service S1 for 1 day Generates OAuth2 Token

Provision Refresh and Access Token to device

Authenticate

Store R & A Tokens

OpenAM

PKI (SE)

Allow to send data on user’s behalf

Authenticate user

18

Send Data (OAuth2 Token) Verify Device, OAuth2 Access Token validity and Scope (authorization)

Refresh Token

Associate data to Alice

Negotiate new Access token

…. Token expired

New Access Token Store A.Token

PKI (SE)

Device send data on behalf of user

OpenAM

19

Authenticate

Revoke token

I want to Share my data with My Insurance Company

…. Lost my device

OpenAM with UMA

HTTP, MQTT, SASL

PKI (SE)

User shares data, revokes tokens

20

Network Services

"  Ensure only necessary ports are open

"  Ensure services are not vulnerable to buffer overflow and fuzzing attacks

"  Ensure services are not vulnerable to DoS attacks

21

Transport encryption

"  Ensure data and credentials are encrypted while in transit

"  Use secure encrypted channels

"  Use good key lengths and good algorithms (Elliptic Curve provides efficient encrypting)

"  Protect against replay attacks

22

Privacy as part of the design

"  Collect only the minimum necessary data for the functionality of the device

"  Ensure any sensitive data collected is properly protected with encryption

"  Ensure the device properly protects personal data

Photo Source: Brian M (OCDBri): https://www.flickr.com/photos/ocdbri/14438661513

23

Software/Firmware "  Ensure your firmware does not contain hardcoded

credentials or sensitive data

"  Use a secure channel to transmit the firmware during upgrades

"  Ensure the update is signed and verified before allowing the update

"  Do not send the public key with the firmware, use a hash

"  Ensure your SVN/GIT repositories do not contain the private keys

24

Physical Security

"  Ensure physical access to your device is controlled

"  Accessible USB or SD ports can be a weakness

"  Can it be easily disassembled to access the internal storage (RAM/ROM)

"  If local data is sensitive, consider encrypting the data

Image Source: http://conflictresearchgroupintl.com/wp-content/uploads/2014/03/How-to-Look-Like-a-Bouncer1.jpg

25

Thank You!

Security in the Internet of Things

FORGEROCK.COM | LEGAL INFORMATION

Victor Ake Victor.Ake@ForgeRock.com

CTO Office