Securing the Internet of Things

Paul Fremantle
CTO, WSO2 (paul@wso2.com)
PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk)
@pzfreo

About me

• CTO and Co-Founder, WSO2
  – Open Source Middleware platform
• Part-time PhD looking at security
• Working in Apache for 14 years
• Working with Cloud, SOA, APIs, MQTT, IoT

Firstly, does it matter?

“Google Hacking”
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
http://freo.me/1pbUmof

So what is different about IoT?

• The longevity of the device
  – Updates are harder (or impossible)
• The size of the device
  – Capabilities are limited – especially around crypto
• The fact there is a device
  – Usually no UI for entering userids and passwords
• The data
  – Often highly personal
• The mindset
  – Appliance manufacturers don’t think like security experts
  – Embedded systems are often developed by grabbing existing chips, designs, etc

Physical Hacks

A Practical Attack on the MIFARE Classic:
http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
Karsten Nohl and Henryk Plötz. MIFARE, Little Security, Despite Obscurity

Or try this at home?
http://freo.me/1g15BiG
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

Hardware recommendations

• Don’t rely on obscurity

Hardware recommendations

• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity

Hardware Recommendation #2

• Unlocking a single device should risk only that device’s data

The Network

Crypto on small devices

• Practical Considerations and Implementation Experiences in Securing Smart Object Networks
  – http://tools.ietf.org/html/draft-aks-crypto-sensors-02

ROM requirements

ECC is possible (and about fast enough)

Crypto

Borrowed from Chris Swan:
http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

Won’t ARM just solve this problem?

Cost matters

8 bits: $5 retail, $1 or less to embed
32 bits: $25 retail, $?? to embed

Another option?

SIMON and SPECK
https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html

Datagram Transport Layer Security (DTLS)

• UDP based equivalent to TLS
• https://tools.ietf.org/html/rfc4347

Key distribution

CoAP

• Constrained Application Protocol
  – http://tools.ietf.org/html/draft-ietf-core-coap-18
  – REST-like model built on UDP
  – Californium project coming soon to Eclipse IoT
• No authentication or authorization
  – Relies on DTLS or data in the body

MQTT

MQTT

• Very lightweight messaging protocol
  – Designed for 8-bit controllers, SCADA, etc
  – Low power, low bandwidth
  – Binary header of 2 bytes
  – Lots of implementations
    • Mosquitto, Paho, RSMB and Moquette from Eclipse
  – Clients:
    • Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc
• Plus an even lighter-weight version for Zigbee
  – MQTT-SN (Sensor Network)

MQTT

• Relies on TLS for confidentiality
• Username/Password field

Passwords

• Passwords suck for humans
• They suck even more for devices

Tokens

Why OAuth2?

• Widely implemented
• Pretty good
  – Of course there is never 100% agreement
  – Or certainty with security protocols
• Not just HTTP:
  – http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-12
  – OAuth2 used with SSL

Why FIAM for IoT?

• Can enable a meaningful consent mechanism for sharing of device data
• Giving a device a token to use on API calls is better than giving it a password
  – Revokable
  – Granular
• May be relevant for both
  – Device to cloud
  – Cloud to app

Two aspects using OAuth with IoT

• On the device
  – Tokens are good
  – Limiting the access of the device
• On the cloud
  – Putting users in control of their data
  – Just good current practice
• Demo with MQTT
  – But not just for MQTT
  – Also for the cloud, CoAP, and other protocols too

Demo components

(Architecture diagram; components shown:)
– Mosquitto (Open Source MQTT Broker), acting as “Resource Server”
– Mosquitto_py_auth
– mqtt-oauth2.py
– IdP: WSO2 Identity Server
– ESB
– Introspection API
– Refresher.py
– Arduino
– CreateToken.py
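The broker-side half of the demo architecture, as an added example (my own illustration, not the deck's mqtt-oauth2.py or Mosquitto_py_auth): the MQTT password field carries an OAuth2 access token, the broker validates it with an RFC 7662 introspection call to the IdP, and the token's scopes decide which topics the device may publish to or subscribe to. The scope-to-topic table, token values and the in-memory IdP are constructed so the code runs offline.

```python
"""Broker-side OAuth2 token check for MQTT (added example, not the deck's code).

The MQTT CONNECT password field carries an OAuth2 access token; the broker
(acting as resource server) validates it with an RFC 7662 introspection call
and derives topic permissions from the token's scopes. The introspection
call is injected so this runs offline against a constructed in-memory IdP.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Scope -> (access kind, topic filter). Constructed for this example; "{sub}"
# is replaced with the token's subject so a device only reaches its own topics.
SCOPE_TOPICS: Dict[str, Tuple[str, str]] = {
    "device:publish": ("write", "devices/{sub}/+"),
    "device:subscribe": ("read", "devices/{sub}/cmd"),
    "fleet:read": ("read", "devices/#"),
}


@dataclass(frozen=True)
class Principal:
    subject: str
    scopes: frozenset
    expires_at: float


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' matches one level, '#' the remainder."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return True
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


class TokenAuth:
    """Password check and ACL check, the two hooks a Mosquitto auth plugin provides."""

    def __init__(self, introspect: Callable[[str], dict], cache_ttl: float = 30.0):
        self._introspect = introspect
        self._cache_ttl = cache_ttl  # bounds how long a revoked token keeps working
        self._cache: Dict[str, Tuple[Principal, float]] = {}

    def authenticate(self, username: str, password: str,
                     now: Optional[float] = None) -> Optional[Principal]:
        """CONNECT hook: the password is the access token; username must equal its subject."""
        now = time.time() if now is None else now
        token = password
        cached = self._cache.get(token)
        if cached is not None and now - cached[1] < self._cache_ttl:
            principal = cached[0]
        else:
            info = self._introspect(token)
            if not info.get("active"):
                self._cache.pop(token, None)  # revoked or unknown: forget it
                return None
            principal = Principal(
                subject=str(info.get("sub", "")),
                scopes=frozenset(str(info.get("scope", "")).split()),
                expires_at=float(info.get("exp", 0)),
            )
            self._cache[token] = (principal, now)
        # Check expiry ourselves: not every IdP flips "active" the moment exp passes.
        if principal.expires_at and principal.expires_at <= now:
            return None
        if username != principal.subject:
            return None
        return principal

    def authorize(self, principal: Principal, access: str, topic: str) -> bool:
        """ACL hook: access is "read" (subscribe/deliver) or "write" (publish)."""
        for scope in principal.scopes:
            rule = SCOPE_TOPICS.get(scope)
            if rule is None:
                continue
            allowed_access, pattern = rule
            if allowed_access == access and topic_matches(
                    pattern.format(sub=principal.subject), topic):
                return True
        return False


def constructed_idp(token: str) -> dict:
    """Stand-in for the IdP introspection endpoint; RFC 7662 shaped JSON (constructed data)."""
    now = time.time()
    tokens = {
        "tok-sensor-42": {"active": True, "sub": "sensor-42",
                          "scope": "device:publish device:subscribe", "exp": now + 3600},
        "tok-stale": {"active": True, "sub": "sensor-7", "scope": "device:publish",
                      "exp": now - 3600},
        "tok-revoked": {"active": False},
    }
    return tokens.get(token, {"active": False})


if __name__ == "__main__":
    auth = TokenAuth(constructed_idp)
    p = auth.authenticate("sensor-42", "tok-sensor-42")
    print(p, auth.authorize(p, "write", "devices/sensor-42/temp"))
```

Revocation takes effect within `cache_ttl` seconds of the IdP marking the token inactive; the per-device topic pattern is what makes the token "granular" in the deck's sense.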
  
	
  
Lessons learnt

• MQTT and MPU / I2C code is 97% of the Duemilanove
  – Adding the final logic to do the OAuth2 flow pushed it to 99%
  – No TLS in this demo is a big issue
• Different OAuth2 implementations behave differently (e.g. changing the refresh token every time you refresh)
• Need to be able to update the scope of the token if this will work for long-term embedded devices
• The refresh flow should not really go via the Resource server
  – Easy fix
• MQTT should have a well defined model for sending a message to just one client (securely)
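The device-side refresh flow the lessons above point at, as an added example (my own illustration, not the deck's Refresher.py or CreateToken.py): the device talks to the IdP token endpoint directly rather than via the broker, persists a rotated refresh token the moment it arrives, can narrow its scope on refresh, and treats `invalid_grant` as "go back to provisioning". The token endpoint, client id and token values are constructed so the code runs offline.

```python
"""Device-side refresh flow (added example, not the deck's Refresher.py).

The device talks to the IdP token endpoint directly, not via the broker, and
copes with IdPs that rotate the refresh token on every use by persisting the
new token before continuing. The HTTP POST is injected so this runs offline
against a constructed token endpoint; client id and scopes are made up.
"""
import time
from typing import Callable, Optional


class RefreshError(Exception):
    """The refresh token is no longer usable; the device must be re-provisioned."""


class TokenStore:
    """What the device persists: the refresh token is the long-lived credential."""

    def __init__(self, refresh_token: str, scope: str):
        self.refresh_token = refresh_token
        self.scope = scope
        self.access_token: Optional[str] = None
        self.expires_at = 0.0


def needs_refresh(store: TokenStore, now: Optional[float] = None,
                  margin: float = 60.0) -> bool:
    """Refresh a little before expiry so a publish never goes out with a dead token."""
    now = time.time() if now is None else now
    return now >= store.expires_at - margin


def refresh(store: TokenStore, post_token: Callable[[dict], dict], client_id: str,
            scope: Optional[str] = None, now: Optional[float] = None) -> str:
    """Run the refresh_token grant (RFC 6749 section 6) and return a fresh access token."""
    now = time.time() if now is None else now
    params = {"grant_type": "refresh_token", "refresh_token": store.refresh_token,
              "client_id": client_id}
    if scope is not None:
        params["scope"] = scope  # may only narrow what was originally granted
    resp = post_token(params)
    if "error" in resp:
        # invalid_grant: revoked, expired, or a rotated-away token was reused.
        raise RefreshError(resp["error"])
    store.access_token = resp["access_token"]
    store.expires_at = now + float(resp.get("expires_in", 0))
    if "refresh_token" in resp:
        # Rotation: the old token is dead from now on, so persist the new one immediately.
        store.refresh_token = resp["refresh_token"]
    if "scope" in resp:
        store.scope = resp["scope"]
    return store.access_token


class ConstructedIdP:
    """In-memory stand-in for the IdP token endpoint (constructed; rotates refresh tokens)."""

    def __init__(self, first_refresh_token: str, granted_scope: str):
        self._valid = {first_refresh_token: granted_scope}
        self._issued = 0

    def token_endpoint(self, params: dict) -> dict:
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rt = params.get("refresh_token")
        granted = self._valid.get(rt)
        if granted is None:
            return {"error": "invalid_grant"}
        requested = params.get("scope", granted).split()
        if not set(requested) <= set(granted.split()):
            return {"error": "invalid_scope"}
        del self._valid[rt]  # single use: presenting rt again now fails
        self._issued += 1
        new_scope = " ".join(requested)
        self._valid[f"rt-{self._issued}"] = new_scope
        return {"access_token": f"at-{self._issued}", "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": f"rt-{self._issued}",
                "scope": new_scope}
```

If the device loses power between receiving a rotated token and writing it to storage, the next refresh fails with `invalid_grant`, which is why the store write happens before anything else uses the response.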
  
What I haven’t covered enough of

Summary

• Think about security with your next device
• We as a community need to make sure that the next generation of IoT devices are secure
• We need to create exemplars
  – Shields
  – Libraries
  – Server software
  – Standards

Questions?

SlideShare title: Securing IoT Applications
