Improving IoT Security: the role of the manufacturer

Eliot Lear

Introduction

A View Through a Light Bulb

• Connected Spaces is a big deal
• Automated and efficient lighting
• Room assignment and scheduling
• Changing of conditions for different customer profiles

A non-networked light bulb

On/Off

Dim(Power)

Color(R,G,B,W) %

A networked lightbulb

On/Off
Dim(Power)
Color(R,G,B,W) %
Enterprise+
Internet
Identity
Crypto
Data model
Discovery
S/W management
Network
$

Introducing Raul Rohas

• Entire house Internet-enabled
• A single lightbulb took down his IoT house.
• It was an SNMP bug.

From Fusion.net (3 March 2015)

What do manufacturers wish to avoid

General Threats To Defend Against

• Attacker causes device to not perform its function or to malfunction
• Attacker uses device to attack other systems

By AMIR MARINE (Wikimedia) - Own work, CC BY-SA 3.0,

The Network Administrator’s Problem: Number of Types of Things

$

$

Cost of configuration

Static environments Dynamic systems

– +

What access should a device have?

A common design pattern: the cloud

Clouds offer:
• A rendezvous point
• Substantial processing power

Cloud capabilities will continue to expand.

Understanding the attack surface

Mobile phone
Controllers
Internet

Understanding the attack surface

Mobile phone
Controllers
Internet

Manufacturer Usage Descriptions

Assumptions and Assertions

Assumptions
• A Thing has a single use or a small number of uses.
• Things are tightly constrained. Very VERY dumb. Resource constraints are tight.
• Even those Things that can protect themselves today may not be able to do so tomorrow
• Network administrators are the ultimate arbiters of how their networks will be used

Assertions
• Because a Thing has a single or a small number of intended uses, all other uses must be unintended
• Any intended use can be clearly identified by the manufacturer
• All other uses can be warned against in a statement by the manufacturer
• Manufacturers are in a generally good position to make the distinction

Translating intent into config

Any intended use can be clearly identified by the manufacturer:
    access-list 10 permit host controller.mfg.example.com

All other uses can be warned against in a statement by the manufacturer:
    access-list 10 deny any any

Expressing Manufacturer Usage Descriptions

https://example.com/.well-known/mud/…

• Device emits a URI using DHCP, LLDP, or through 802.1AR
• Router or firewall queries connected.example.com for policy associated with that URI

Diagram labels: MUD File Server, Device, MUD Controller, Internet, Access Switch

How to locate the policy? A URL

https://mud.mfg.example.com/.well-known/mud/v1/CAS11LCDLversion2.12

“Manufacturer” Model

The MUD File

{"ietf-acl:access-lists": {
  "ietf-acl:access-list": [
    {"acl-name": "mud-10387-v4in",
     "acl-type": "ipv4-acl",
     "ietf-mud:packet-direction": "to-device",
     "access-list-entries": {
       "ace": [
         {"rule-name": "clout0-in",
          "matches": {"ietf-mud:direction-initiated": "from-device"},
          "actions": {"permit": [null]}},
         {"rule-name": "entin0-in",
          "matches": {
            "ietf-mud:controller": "http://dvr264.example.com/controller",
            "ietf-mud:direction-initiated": "to-device"},
          "actions": {"permit": [null]}}
       ]}
    },
    {"acl-name": "mud-10387-v4out",
     "acl-type": "ipv4-acl",
     "ietf-mud:packet-direction": "from-device",
     ….

Expressing Manufacturer Usage Descriptions

https://example.com/.well-known/mud/…

• Allow access to just controller.connected.example.com
• Site returns abstracted XML (based on YANG) to device or firewall
• More precise config is instantiated

Diagram labels: MUD File Server, Device, MUD Controller, Internet, Access Switch
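
An added example, not code from the talk or from any MUD implementation: the URL check and the translation of the abstract ACEs into concrete rules that the slides above describe. The function names, the rule tuple format, the device and controller addresses and the controller binding table are assumptions; the sample file is constructed from the key names on "The MUD File" slide.

```python
import json
from urllib.parse import urlsplit

# Constructed sample using the key names shown on "The MUD File" slide.
MUD = json.loads("""
{"ietf-acl:access-lists": {"ietf-acl:access-list": [
  {"acl-name": "mud-10387-v4in", "acl-type": "ipv4-acl",
   "ietf-mud:packet-direction": "to-device",
   "access-list-entries": {"ace": [
     {"rule-name": "clout0-in",
      "matches": {"ietf-mud:direction-initiated": "from-device"},
      "actions": {"permit": [null]}},
     {"rule-name": "entin0-in",
      "matches": {"ietf-mud:controller": "http://dvr264.example.com/controller",
                  "ietf-mud:direction-initiated": "to-device"},
      "actions": {"permit": [null]}}]}}]}}
""")

def check_mud_url(url):
    """Accept only https URLs under /.well-known/mud/; return (host, rest)."""
    parts, prefix = urlsplit(url), "/.well-known/mud/"
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("MUD URL must be https and name a host")
    if not parts.path.startswith(prefix) or ".." in parts.path:
        raise ValueError("MUD URL must sit under " + prefix)
    return parts.hostname, parts.path[len(prefix):]

def instantiate(mud, device_ip, controller_map):
    """Hypothetical translator: abstract ACEs -> (action, src, dst, state).

    controller_map is the administrator's binding of a controller class URI
    to real addresses; a class with no binding yields no permit rule."""
    rules, skipped = [], []
    for acl in mud["ietf-acl:access-lists"]["ietf-acl:access-list"]:
        if acl.get("ietf-mud:packet-direction") != "to-device":
            continue  # this example covers the to-device list only
        for ace in acl["access-list-entries"]["ace"]:
            match = ace["matches"]
            initiated = match.get("ietf-mud:direction-initiated")
            cls = match.get("ietf-mud:controller")
            if "permit" not in ace.get("actions", {}):
                skipped.append(ace["rule-name"])
            elif cls is not None and controller_map.get(cls):
                state = "new" if initiated == "to-device" else "reply-only"
                rules += [("permit", ip, device_ip, state)
                          for ip in controller_map[cls]]
            elif cls is None and initiated == "from-device":
                # Only return traffic for flows the device opened itself.
                rules.append(("permit", "any", device_ip, "reply-only"))
            else:
                skipped.append(ace["rule-name"])  # unresolved: fail closed
    rules.append(("deny", "any", "any", "any"))  # all other uses are unintended
    return rules, skipped
```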

Benefits

Customer
• Reduces target surface of exploding number of devices
• No additional CAPEX
• Helps to reduce OPEX through efficiency gains
• Standards-based approach uses existing equipment

Manufacturer
• Reduces product risk at almost no cost
• Will increase customer satisfaction and reduce support costs
• Avoids the front page
• Standards-based approach
• Reduces risk of government technology mandates

What does it mean to be connected?

Open Access: Open Innovation
Limited Access: Only published uses to authorized devices

?

In search of that happy middle: MUD Classes

• (same) manufacturer
• controller

Summary: Manufacturer Usage Descriptions

• A URI
• Use of {dhcp, EAP-TLS, lldp} to get it out
• Retrieval of a MUD file from a server
• Instantiation of class information onto the router

What is this Thing on my network?

802.1AR with EAP-TLS: a scalable approach, but…

Luminaire

Thermostat

Intranet

Registrar

• EAP-TLS makes use of certificates to identify new elements

• Assertion about device is initially from manufacturer, and then from administrator.
  • NOT from the device!

• Requires a common trust anchor

• Constrained devices lack capacity for common trust anchors

ANIMA Flow: Actors

New Entity: Factory Default for all settings/configuration
Proxy: Enrolled in the domain. Logical entity or physical after 1st hop. Handles fragmentation issues
Domain: The domain Registration Authority, Certificate Authority, Authorization Database etc
Vendor Service: Cloud Service

Problems to solve

Actors: New Entity, Proxy (handles fragmentation), Domain, Vendor Service

Diagram labels: Authentication, Imprint, Authentication, Enroll, Data Storage, Authz model, Authorization, Connectivity & Discovery

Discovery, Connectivity

Actors: New Entity, Proxy, Domain, Vendor Service

Diagram labels: Connectivity & Discovery

New entity boots in CLEAN STATE
RFC3927 IPv4 Link-Local Address
RFC4862 IPv6 Stateless Address Autoconfiguration <-- design for this
RFC6763/RFC6762 mDNS query (or ietf-anima-grasp-02 GRASP query) using unsolicited broadcasts.

New Entity Authentication

Actors: New Entity, Proxy, Domain, Vendor Service

Diagram labels: Connectivity & Discovery, Authentication

(d)TLS established. This is to-be RFC7030 EST with a bootstrapping extension.
The New Entity authenticates with IEEE 802.1AR credentials.
The Domain authenticates with current Domain credentials which the new entity *PROVISIONALLY* accepts. This is to support (d)TLS model and is EST compatible.

Authorization by the Domain

Actors: New Entity, Proxy, Domain, Vendor Service

Diagram labels: Connectivity & Discovery, Authentication, Authorization

<Verify 802.1AR credential against white list?>
Extract MASA server information from 802.1AR credential extensions (via MUD extensions) else the registrar needs to be configured appropriately

Logging or Decision by the Vendor

Actors: New Entity, Proxy, Domain, Vendor Service

Diagram labels: Connectivity & Discovery, Authentication, Logging, Authz model, Authorization

OPTIONAL: MASA *or* NETCONF ownership voucher flow
NOTE: Can occur in advance!!

MASA: Manufacturer Authorized Signing Authority
A certified log mechanism: “Append Only, Cryptographically Assured, Publicly Auditable” - CT
All decisions made within the Domain. The MASA only facilitates logging.
EST extensions

NETCONF: Vendor service “knows” which Domain owns which device

Transmit back to device

Actors: New Entity, Proxy, Domain, Vendor Service

Diagram labels: Connectivity & Discovery, Authentication, Authentication, Logging, Authz model, Authorization

Provisional authentication now replaced with vendor authorized message
(Verify then forward the Vendor Service response)

Imprint

Actors: New Entity, Proxy, Domain, Vendor Service

Diagram labels: Connectivity & Discovery, Authentication, Imprint, Authentication, Logging, Authz model, Authorization

Device verifies Logging proof or signed Vendor authorization.
At this point the Device has key material of the Domain

Device Enrolls: Joins domain

Actors: New Entity, Proxy, Domain, Vendor Service

Diagram labels: Connectivity & Discovery, Authentication, Imprint, Authentication, Enroll, Logging, Authz model, Authorization

What you get and don’t with all of that…

• What you get
  • Device gets a trust root and a certificate for the local deployment
  • Local deployment now has authenticated the device
  • Device can connect to network using certificate
• What you don’t get
  • Automated selection of network (working on that)
  • Automated profiling of the device (MUD)
  • Application-specific authorization model (but you have an identity anchor to build such a thing)

Parting Thoughts

Who Needs to do what?

We need something broader than BCP 38

• What do Thing manufacturers need to do?
• What do home routers and firewalls need to do?
• What do service providers need to do?
• What do consumers need to do?
• What do governments need to do?

So… what should manufacturers do?

1. Recognize that they have to do some stuff
2. Make use of good coding practices (like turning off unused services)
3. Establish an incident response capability
4. Establish appropriate software management processes
5. Identify device and its profile to the network

(Nearly) all of this has been done by others!

Future work: the heavy lifting

• WPA Personal in the home is suboptimal (shared keys)

By Cwawebber - Own work, CC BY 3.0

More information

[email protected]
[email protected]
• draft-ietf-opsawg-mud-01
• draft-ietf-anima-bootstrap-keyinfra-04
• draft-lear-network-helps-01
