IoT Security: Cases and Methods (slide transcript)
![Page 1: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/1.jpg)
Copyright ©2016, @leomrlima
DetroitJUG
IoT Security: Cases and Methods
Leonardo Lima, @leomrlima, http://v2com.mobi
![Page 2: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/2.jpg)
About me
Leonardo Lima
• Computer engineer, server & embedded SW developer
• From São Paulo, Brasil, now in Austin, TX
• CTO at V2COM
• Spec Lead – JSR363
• V2COM’s Representative at JCP Executive Committee
[www.linkedin.com/in/leomrlima]
![Page 3: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/3.jpg)
INTERMISSION! THE JAVA COMMUNITY PROCESS
![Page 4: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/4.jpg)
What’s the JCP and why should I care?
It’s the way to make Java a healthy, multi-vendor environment
What happens here impacts your job
YOU can be part of the change you want for the platform
It’s easy for YOU to join and start: just fill in a web form!
![Page 5: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/5.jpg)
But… how do I join?
1. Go to jcp.org
2. Register to use the site (there’s a button on the left side menu)
3. Use the “Get Involved” section
4. Remember to vote in the EC election if you join by tomorrow!
![Page 6: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/6.jpg)
ASPECTS OF IOT SECURITY
![Page 7: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/7.jpg)
On connecting things
The buzz of IoT is connecting things
Does everything need to be connected?
The implications of connectivity
![Page 8: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/8.jpg)
In a study…
“Attacks on Internet of Things devices will increase rapidly due to hypergrowth in the number of connected objects, poor security hygiene, and the high value of data on IoT devices.”
![Page 9: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/9.jpg)
RECENT ATTACKS AND EXPOSURES
![Page 10: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/10.jpg)
Cameras
“Every camera [out of 9 models] had one hidden account that a consumer can’t change because it’s hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”
![Page 11: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/11.jpg)
Barbies
“On the service side, ToyTalk’s server domain was susceptible to a known SSL encryption flaw called POODLE, which could allow attackers to steal communications and other data. A credentialing issue could also let attackers probe for further vulnerabilities.”
![Page 12: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/12.jpg)
Cars
“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
![Page 13: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/13.jpg)
Electrical grid
“He watched as [the mouse] navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.”
![Page 14: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/14.jpg)
Zombie IoT army!
Massive DDoS attack (tens of millions) on DNS infrastructure (Dyn) last Friday (October 21, 2016)
The Mirai botnet was built by exploiting the vulnerabilities just described (default passwords)
The code for “recruiting” devices was open-sourced, so anyone can take a swing
![Page 15: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/15.jpg)
Zombie IoT army – The attack
![Page 16: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/16.jpg)
Zombie IoT army - the virus
Mirai’s attack function enables it to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks.
For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.
Mirai uses a brute-force technique for guessing passwords, a.k.a. dictionary attacks, based on the following list of default credentials
Another interesting thing about Mirai is its “territorial” nature. The malware holds several killer scripts meant to eradicate other worms and Trojans, as well as prohibiting remote connection attempts to the hijacked device.
![Page 17: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/17.jpg)
Zombie IoT army - the cure
1. Stop using default/generic passwords.
2. Disable all remote (WAN) access to your devices. To verify that your device is not open to remote access, you can scan the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).
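The port check the second step describes, written out as an added example (this is not code from the talk or from V2COM). It tries a plain TCP connect to the four ports the slide lists and reports which ones answer; run it from outside your own network against your public address so that you see what an Internet-wide scanner would see. The class name, the method names and the placeholder address 203.0.113.10 are this example's own choices.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: checks whether the management ports named on the slide are
 * reachable on a host. A device you own that answers on 22/23/80/443 from the
 * WAN is what Mirai-style scanners go looking for, so the right reaction to a
 * hit is to disable the remote service or put it behind a firewall/VPN.
 */
public class WanExposureCheck {

    /** Port to service name, as listed on the slide. */
    static final Map<Integer, String> MANAGEMENT_PORTS = new LinkedHashMap<>();
    static {
        MANAGEMENT_PORTS.put(22, "SSH");
        MANAGEMENT_PORTS.put(23, "Telnet");
        MANAGEMENT_PORTS.put(80, "HTTP");
        MANAGEMENT_PORTS.put(443, "HTTPS");
    }

    /** True if a TCP handshake completes within timeoutMs, i.e. something is listening. */
    static boolean isReachable(String host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return true;
        } catch (IOException e) {
            // Refused, filtered (timeout) or unroutable: not reachable from here.
            return false;
        }
    }

    /** Returns the subset of MANAGEMENT_PORTS that accept connections on host. */
    static Map<Integer, String> exposedPorts(String host, int timeoutMs) {
        Map<Integer, String> exposed = new LinkedHashMap<>();
        for (Map.Entry<Integer, String> e : MANAGEMENT_PORTS.entrySet()) {
            if (isReachable(host, e.getKey(), timeoutMs)) {
                exposed.put(e.getKey(), e.getValue());
            }
        }
        return exposed;
    }

    public static void main(String[] args) {
        // Placeholder address (documentation range); pass your own public IP as the first argument.
        String host = args.length > 0 ? args[0] : "203.0.113.10";
        Map<Integer, String> exposed = exposedPorts(host, 2000);
        if (exposed.isEmpty()) {
            System.out.println(host + ": no management ports reachable, good.");
        } else {
            exposed.forEach((port, name) -> System.out.println(host + ": " + name + " (" + port
                    + ") is reachable from the WAN; disable remote access or firewall it."));
        }
    }
}
```

A connect timeout is reported the same as a refused connection here; both mean the port is not usable from the outside, which is the property you care about. Run the check again after every firmware update, since updates have been known to re-enable remote management.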
![Page 18: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/18.jpg)
IoT Security
The Industrial Internet of Things Volume G4: Security Framework
Many different aspects, like IT/OT convergence
![Page 19: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/19.jpg)
IoT Security is ”messy”…
![Page 20: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/20.jpg)
Security, Trust & Privacy
• Endpoint security
• Communication security between the endpoints
• Data distribution and secure storage
• Management and monitoring security of both the endpoints and the communication mechanism
![Page 21: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/21.jpg)
“Broad security”
• Trust – data is coming from a known device
• Integrity – data was not tampered with since it was sent from the device
• Uniqueness – data is not being “reused”
• Privacy – data is not being used by unauthorized parties
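To make the first three properties concrete, here is an added example (not from the talk or from V2COM) of the receiving side, a gateway that only accepts a reading when it comes from an enrolled device key (trust), when its ECDSA signature verifies over every field (integrity), and when its per-device counter has moved forward (uniqueness, i.e. no replay). Privacy is not shown; it lives in transport encryption and access control. The class and method names (DeviceMessage, Gateway, enrol, accept), the message layout and the sample device ids are this example's own assumptions, and the key pairs are generated in-process to stand in for a real device and a rogue one.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.HashMap;
import java.util.Map;

/** Added example: gateway-side checks for trust, integrity and uniqueness. */
public class BroadSecurityGateway {

    /** What travels over the wire. The signature covers the three other fields. */
    static final class DeviceMessage {
        final String deviceId;
        final long counter;
        final String payload;
        final byte[] signature;
        DeviceMessage(String deviceId, long counter, String payload, byte[] signature) {
            this.deviceId = deviceId; this.counter = counter; this.payload = payload; this.signature = signature;
        }
        /** Canonical byte encoding; device and gateway must agree on it exactly. */
        byte[] signedBytes() {
            return (deviceId + "|" + counter + "|" + payload).getBytes(StandardCharsets.UTF_8);
        }
    }

    static final class Gateway {
        private final Map<String, PublicKey> enrolledKeys = new HashMap<>();
        private final Map<String, Long> lastCounter = new HashMap<>();

        /** Enrolment happens out of band (manufacturing, provisioning), never from the message itself. */
        void enrol(String deviceId, PublicKey key) { enrolledKeys.put(deviceId, key); }

        /** Returns a rejection reason, or null if the message is accepted. */
        String accept(DeviceMessage m) throws GeneralSecurityException {
            PublicKey key = enrolledKeys.get(m.deviceId);
            if (key == null) return "trust: unknown device " + m.deviceId;

            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(key);
            verifier.update(m.signedBytes());
            if (!verifier.verify(m.signature)) return "integrity: bad signature";

            long last = lastCounter.getOrDefault(m.deviceId, -1L);
            if (m.counter <= last) return "uniqueness: replayed or stale counter " + m.counter;
            lastCounter.put(m.deviceId, m.counter);   // advance only after every check passed
            return null;
        }
    }

    /** Device side: sign with the private key (on a real device this key lives in a Secure Element). */
    static DeviceMessage sign(PrivateKey priv, String deviceId, long counter, String payload)
            throws GeneralSecurityException {
        DeviceMessage unsigned = new DeviceMessage(deviceId, counter, payload, null);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(priv);
        signer.update(unsigned.signedBytes());
        return new DeviceMessage(deviceId, counter, payload, signer.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair meter = kpg.generateKeyPair();   // constructed: the enrolled "known device"
        KeyPair rogue = kpg.generateKeyPair();   // constructed: a device nobody enrolled

        Gateway gw = new Gateway();
        gw.enrol("meter-0001", meter.getPublic());

        DeviceMessage m1 = sign(meter.getPrivate(), "meter-0001", 1, "kWh=12.5");
        System.out.println("fresh message:      " + gw.accept(m1));         // null means accepted
        System.out.println("same message again: " + gw.accept(m1));         // uniqueness
        DeviceMessage tampered = new DeviceMessage(m1.deviceId, 2, "kWh=0.0", m1.signature);
        System.out.println("tampered payload:   " + gw.accept(tampered));   // integrity
        DeviceMessage unknown = sign(rogue.getPrivate(), "meter-9999", 1, "kWh=1.0");
        System.out.println("unenrolled device:  " + gw.accept(unknown));    // trust
    }
}
```

The order of the checks matters: the cheap key lookup comes first, the signature is verified before the counter is trusted (an attacker must not be able to advance a device's counter with a forged message), and the counter is only stored once everything else passed. A counter that survives reboots, or a timestamp with a bounded window, is what a real device would use in place of the in-memory value.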
![Page 22: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/22.jpg)
Security X Easiness X Cost
• These 3 variables can’t be maximized at the same time – if you want to maximize one or two, the third will be minimized
• Many of the attacks mentioned before happened because of “wrong” maximization.
• Security aspects have to be thought about from the beginning – adding security later costs more and delivers less security
![Page 23: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/23.jpg)
USING JAVA FOR A (MORE) SECURE IOT
![Page 24: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/24.jpg)
Java Security Guidelines
Secure Coding Guidelines for Java SE: the most effective approach to minimizing vulnerabilities is to have obviously no flaws rather than no obvious flaws
Java Coding Guidelines from CERT is also a good resource for understanding how to program more securely
There’s a page from Oracle that covers many aspects of security, such as platform security, cryptography and secure communications
![Page 25: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/25.jpg)
Java Cryptography Architecture
Provides pluggable cryptography support for many different providers and capabilities.
Supports standards like PKCS#11, TLS and many others
Standard implementations ship with Java SE VMs
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
![Page 26: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/26.jpg)
JCA Related Libraries
Oracle’s JVM already includes an implementation that can help you get started with security
The Legion of the Bouncy Castle (https://www.bouncycastle.org/) has many algorithms for JCA and related APIs, such as X.509 certificates, OpenPGP and lightweight APIs for TLS and DTLS (RFC 4347)
Security hardware vendors also ship JCA providers, so you can leverage different levels of security with no change in code
![Page 27: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/27.jpg)
Example of software-only encryption
Public/Private Key Infrastructure + Symmetric Shared Secret
Fragility: your keys are still “hackable”, as they’re in non-protected memory!
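The pattern the slide describes, carried through in code as an added example (not from the talk or from V2COM), using only the JDK's built-in providers: each side has an EC key pair, ECDH turns its own private key and the peer's public key into a shared secret, that secret is hashed into an AES-256 key, and the key protects the payload with AES-GCM. The class and method names, the SHA-256 step standing in for a proper KDF, and the sample sensor reading are this example's own assumptions. The point the slide makes is visible in the code: every key is an ordinary byte array on the Java heap.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: software-only hybrid encryption (ECDH + AES-GCM) and its fragility. */
public class SoftwareOnlyEncryption {

    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;

    static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        return kpg.generateKeyPair();   // private key material sits in unprotected process memory
    }

    /** ECDH shared secret -> SHA-256 -> AES-256 key (a deployment would use HKDF with context info). */
    static SecretKey deriveSharedKey(PrivateKey mine, PublicKey peer) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine);
        ka.doPhase(peer, true);
        byte[] secret = ka.generateSecret();                   // plain byte[] on the heap
        byte[] keyBytes = MessageDigest.getInstance("SHA-256").digest(secret);
        Arrays.fill(secret, (byte) 0);                         // best effort: shrink the exposure window
        SecretKey key = new SecretKeySpec(keyBytes, "AES");    // SecretKeySpec copies the bytes...
        Arrays.fill(keyBytes, (byte) 0);                       // ...so clear our copy; the key object still holds one
        return key;
    }

    /** Output layout: IV || ciphertext || GCM tag. Fresh random IV per message; never reuse one with the same key. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] message) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(message, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(message, GCM_IV_BYTES, message.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct);                                  // throws AEADBadTagException if tampered
    }

    public static void main(String[] args) throws Exception {
        KeyPair device = generateKeyPair();                    // constructed: a sensor
        KeyPair server = generateKeyPair();                    // constructed: the backend
        // Both sides derive the same AES key from their own private key and the other's public key.
        SecretKey kDevice = deriveSharedKey(device.getPrivate(), server.getPublic());
        SecretKey kServer = deriveSharedKey(server.getPrivate(), device.getPublic());

        byte[] wire = encrypt(kDevice, "temp=21.5C".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(kServer, wire), StandardCharsets.UTF_8));

        wire[wire.length - 1] ^= 1;                            // flip one bit of the GCM tag
        try {
            decrypt(kServer, wire);
        } catch (GeneralSecurityException e) {
            System.out.println("tampered message rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Zeroing the intermediate buffers only narrows the window; the EC private key and the SecretKeySpec's internal copy remain readable by anything that can dump the process or the heap, which is the fragility the slide names and the reason the next slides move the private key into a Secure Element. On JDK 8 builds older than 8u161, AES-256 additionally needs the unlimited-strength policy files installed.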
![Page 28: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/28.jpg)
Secure Element
Provides a safe place to execute sensitive code and store hardware identity and private keys
Hardware protection to prevent tampering
Many form factors
![Page 29: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/29.jpg)
Secure Element

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

// Create a PKCS#11 cryptographic provider which uses the Secure Element.
// PKCS11_CONFIG is the path to the SunPKCS11 configuration file that names the
// vendor's PKCS#11 library and slot.
Provider myPKCS11Provider = new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG);

// The PIN code protecting the Secure Element. '0000' is the slide's example
// value; a factory-default PIN like this is the same default-credential problem
// seen in the Mirai slides, so change it during provisioning.
char[] myPIN = {'0', '0', '0', '0'};

// Create a KeyStore corresponding to the Secure Element; the PIN unlocks it.
KeyStore.PasswordProtection pinProtection = new KeyStore.PasswordProtection(myPIN);
KeyStore.Builder ksb = KeyStore.Builder.newInstance("PKCS11", myPKCS11Provider, pinProtection);
KeyStore ks = ksb.getKeyStore();

// Add the SE as a cryptographic provider so that JCA engines (Signature, Cipher, ...)
// can be backed by its keys.
Security.addProvider(myPKCS11Provider);
```
![Page 30: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/30.jpg)
Secure Element

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;

// We sign with ECDSA. JCA picks a provider able to handle the key at initSign(),
// so the PKCS#11 provider registered above is used and the private key never
// leaves the Secure Element: the data goes in, the signature comes out.
Signature ecSign = Signature.getInstance("SHA256withECDSA");

// Retrieve the signature key from the keystore by its alias, unlocked with the PIN.
PrivateKey privKey = (PrivateKey) ks.getKey("SignKey", myPIN);

// And we sign!
String s1 = "data to be signed";   // the message (placeholder content)
ecSign.initSign(privKey);
ecSign.update(s1.getBytes(StandardCharsets.UTF_8));
byte[] signature = ecSign.sign();
```
![Page 31: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/31.jpg)
JavaCard
Mini-Java for Secure Elements and Trusted Execution Environments
Led by the JavaCard Forum (it’s not JCP related)
![Page 32: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/32.jpg)
Summary
• Security is an ever-increasing concern
• Security has to be thought about from the start of a project
• You can be as secure as you want
• Java has a lot of infrastructure for secure IoT devices
![Page 33: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/33.jpg)
Q & A
![Page 34: IoT Security: Cases and Methods](https://reader030.vdocument.in/reader030/viewer/2022012914/586e8b4b1a28aba0038b7f7f/html5/thumbnails/34.jpg)
Thanks!