@leomrlima#J1IoTSeC
IoT Security: Cases and Methods [CON5446]
Leonardo Lima, @leomrlima, http://v2com.mobi
About me
Leonardo Lima
• Computer engineer, server & embedded SW developer
• From São Paulo, Brasil, now in Austin, TX
• CTO at
• Spec Lead – JSR363
• V2COM’s Representative at JCP Executive Committee
www.linkedin.com/in/leomrlima
ASPECTS OF IOT SECURITY
On connecting things
The buzz of IoT is connecting things
Does everything need to be connected?
The implications of connectivity
In a study…
“Attacks on Internet of Things devices will increase rapidly due to hypergrowth in the number of connected objects, poor security hygiene, and the high value of data on IoT devices.”
RECENT ATTACKS AND EXPOSURES
Cameras
“Every camera [out of 9 models] had one hidden account that a consumer can’t change because it’s hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”
Barbies
“On the service side, ToyTalk’s server domain was susceptible to a known SSL encryption flaw called POODLE, which could allow attackers to steal communications and other data. A credentialing issue could also let attackers probe for further vulnerabilities.”
Cars
As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
Electrical grid
He watched as [the mouse] navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.
IoT Security is “messy”…
IoT Security
The Industrial Internet of Things Volume G4: Security Framework
Many different aspects, like IT/OT convergence
Security, Trust & Privacy
• Endpoint security
• Communication security between the endpoints
• Data distribution and secure storage
• Management and monitoring security of both the endpoints and the communication mechanism
USING JAVA FOR A (MORE) SECURE IOT
Java Cryptography Architecture
Provides pluggable cryptography support for many different providers and capabilities.
Supports standards like PKCS#11, TLS and many others
Standard implementations in Java SE VMs
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
Secure Element
Provides a safe place to execute sensitive code and store hardware identity and private keys
Hardware protection to prevent tampering
Many form factors
Secure Element
Easy-to-use code to enable security:

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Path to a SunPKCS11 configuration file naming the Secure Element's PKCS#11 library (placeholder path)
String PKCS11_CONFIG = "/path/to/pkcs11.cfg";
// Create a PKCS#11 cryptographic provider which uses the Secure Element (Java 8 constructor)
Provider myPKCS11Provider = new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG);
// The PIN code protecting the Secure Element
char[] myPIN = {'0', '0', '0', '0'};
// Create a KeyStore corresponding to the Secure Element
KeyStore.PasswordProtection pinProtection = new KeyStore.PasswordProtection(myPIN);
KeyStore.Builder ksb = KeyStore.Builder.newInstance("PKCS11", myPKCS11Provider, pinProtection);
KeyStore ks = ksb.getKeyStore();
// Add the SE as a cryptographic provider (useful when it is not possible to pass a provider explicitly)
Security.addProvider(myPKCS11Provider);

Secure Element
// We sign with ECDSA
Signature ecSign = Signature.getInstance("SHA256withECDSA");
// Retrieve the signing key from the keystore by its alias; the SE PIN is the key's password
PrivateKey privKey = (PrivateKey) ks.getKey("SignKey", myPIN);
// The data to sign (constructed sample)
String s1 = "hello, secure element";
// And we sign!
ecSign.initSign(privKey);
ecSign.update(s1.getBytes());
byte[] signature = ecSign.sign();
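Added example, not from the slides: the full sign-and-verify round trip that the Secure Element code above is one half of. It generates a software P-256 key pair so it runs without hardware; on a device the private key would instead be the one returned by the PKCS#11 KeyStore (ks.getKey("SignKey", myPIN)), and the sign() method below is unchanged because JCA's Signature API does not care which provider holds the key. The class name, the method names and the meter reading are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class SignVerifyDemo {

    // Device side: sign with whatever PrivateKey the caller obtained.
    // With a SunPKCS11-backed key, the private key material never leaves the
    // Secure Element; JCA routes the operation to the provider that owns the key.
    static byte[] sign(PrivateKey privKey, byte[] message) throws Exception {
        Signature ecSign = Signature.getInstance("SHA256withECDSA");
        ecSign.initSign(privKey);
        ecSign.update(message);
        return ecSign.sign();
    }

    // Backend side: only the device's public key is needed to check the signature.
    static boolean verify(PublicKey pubKey, byte[] message, byte[] signature) throws Exception {
        Signature ecVerify = Signature.getInstance("SHA256withECDSA");
        ecVerify.initVerify(pubKey);
        ecVerify.update(message);
        return ecVerify.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Software key pair so the demo runs without a Secure Element (assumption: P-256 curve).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample telemetry from a metering endpoint.
        byte[] reading = "meter=42;kwh=17.3".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), reading);
        System.out.println("original verifies: " + verify(kp.getPublic(), reading, sig));

        // Any change to the reading in transit makes the same signature fail.
        byte[] tampered = "meter=42;kwh=99.9".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered verifies: " + verify(kp.getPublic(), tampered, sig));
    }
}
```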
JavaCard
Mini-Java for Secure Elements and Trusted Execution Environments
Led by the JavaCard Forum (it’s not JCP related)
Q & A
Thanks!