THE IDENTITY OF THINGS - EEMA

Paul Fremantle, Co-Founder, WSO2; Researcher
paul.fremantle@port.ac.uk
@pzfreo #hypworld

Page 1

Page 2

Firstly, does it even matter?

Page 3

Page 4

Three rules for IoT security

1. Don’t be stupid
2. Be smart
3. Think about what’s different

Page 5

Three rules for IoT security

1. Don’t be stupid
   • The basics of Internet security haven’t gone away
2. Be smart
   • Use the best practice from the Internet
3. Think about what’s different
   • What are the unique challenges of your device?

Page 6

Page 7

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

Page 8

1998

• Realized that session cookies needed to be tied to user sessions
• Scenario: Attacker has a valid login, but changes their cookie
• Gets access to another user’s account
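The 1998 cookie bug above, as an added Python example that is not from the talk: a cookie that merely names the user, beside one that is an unguessable handle to a server-side session. The user names, passwords and account data are constructed for the example.

```python
import secrets

# Constructed users and account data for the example (not the talk's code).
USERS = {"alice": "alice-password", "bob": "bob-password"}
ACCOUNT_DATA = {"alice": "alice's account", "bob": "bob's account"}

# --- The 1998-style bug: the cookie text *is* the identity. ---
def login_insecure(username, password):
    """Returns a cookie that simply names the logged-in user."""
    if USERS.get(username) != password:
        return None
    return f"user={username}"

def read_account_insecure(cookie):
    """Trusts whichever user the cookie names, so a logged-in user who
    edits 'user=bob' to 'user=alice' is served alice's account."""
    if not cookie.startswith("user="):
        return None
    return ACCOUNT_DATA.get(cookie[len("user="):])

# --- Fixed: the cookie is an unguessable handle to a server-side session. ---
SESSIONS = {}  # session id -> username; entries exist only after a real login

def login_secure(username, password):
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[sid] = username
    return f"sid={sid}"

def read_account_secure(cookie):
    """The user comes from the session table, never from the cookie text;
    an edited or forged id matches no session and is rejected."""
    if not cookie.startswith("sid="):
        return None
    username = SESSIONS.get(cookie[len("sid="):])
    return ACCOUNT_DATA.get(username) if username else None
```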

Page 9

February 2015: Mosquitto MQTT Server 1.4 Release Notes

• When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
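An added toy broker (Python, not Mosquitto's code) that reproduces the behaviour the 1.4 release note describes: messages queued for a durable session are either handed over blindly on reconnect or re-checked against the ACL that applies to the username now connecting. The ACL, client id and topics are constructed for the example.

```python
from collections import deque

# Constructed ACL for the example: the topic filters each username may read.
ACL = {"alice": {"home/alice/#"}, "bob": {"home/bob/#"}}

def topic_matches(pattern, topic):
    """MQTT-style match supporting only the '#' multi-level wildcard."""
    if pattern.endswith("/#"):
        return topic == pattern[:-2] or topic.startswith(pattern[:-1])
    return pattern == topic

def allowed(username, topic):
    return any(topic_matches(p, topic) for p in ACL.get(username, ()))

class Broker:
    """Toy broker with durable (clean_session=False) client sessions."""
    def __init__(self):
        self.clients = {}  # client_id -> {"user", "subs", "queue"}
    def connect(self, client_id, username):
        c = self.clients.setdefault(client_id, {"subs": set(), "queue": deque()})
        c["user"] = username  # the same client id may return as a different user
    def subscribe(self, client_id, topic_filter):
        c = self.clients[client_id]
        if allowed(c["user"], topic_filter):  # ACL enforced at subscribe time
            c["subs"].add(topic_filter)
    def publish(self, topic, payload):
        for c in self.clients.values():
            if any(topic_matches(s, topic) for s in c["subs"]):
                c["queue"].append((topic, payload))  # held until delivery
    def deliver_queued(self, client_id, recheck_acl):
        """Queued messages handed to the reconnecting durable client.
        recheck_acl=False: pre-1.4, trust the check done at subscribe time.
        recheck_acl=True:  1.4 behaviour, re-check against the current ACL."""
        c = self.clients[client_id]
        out = []
        while c["queue"]:
            topic, payload = c["queue"].popleft()
            if not recheck_acl or allowed(c["user"], topic):
                out.append((topic, payload))
        return out

def scenario(recheck_acl):
    """'sensor-1' subscribes as alice, goes offline, a message queues, then
    the same client id reconnects as bob, who may not read alice's topics."""
    b = Broker()
    b.connect("sensor-1", "alice")
    b.subscribe("sensor-1", "home/alice/#")
    b.publish("home/alice/temperature", "21.5")  # queued while offline
    b.connect("sensor-1", "bob")
    return b.deliver_queued("sensor-1", recheck_acl)
```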

Page 10

Page 11

So what is different about IoT?

• The longevity of the device
  • Updates are harder (or impossible)
• The size of the device
  • Capabilities are limited – especially around crypto
• The fact there is a device
  • Usually no UI for entering userids and passwords
• The data
  • Often highly personal
• The mindset
  • Appliance manufacturers don’t think like security experts
  • Embedded systems are often developed by grabbing existing chips, designs, etc.

Page 12

Physical Hacks

A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
Karsten Nohl and Henryk Plötz, MIFARE, Little Security, Despite Obscurity

Page 13

Page 14

Or try this at home?
http://freo.me/1g15BiG

Page 15

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

Page 16

Sensor Fingerprints

Page 17

Ubertooth

http://ubertooth.sourceforge.net/
https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan

Page 18

Hardware recommendations

• Don’t rely on obscurity

Page 19

Hardware recommendations

• Don’t rely on obscurity

Page 20

Hardware Recommendation #2

• Unlocking a single device should risk only that device’s data

Page 21

Security characteristic, by layer: Device / Hardware, Network, Cloud / Server-Side

Confidentiality
  Device / Hardware: Hardware attacks
  Network: Encryption with low capability devices
  Cloud / Server-Side: Privacy concerns

Integrity
  Device / Hardware: Spoofing; lack of attestation
  Network: Signatures with low capability devices
  Cloud / Server-Side: As usual

Availability
  Device / Hardware: Physical attacks; radio jamming
  Network: Unreliable networks
  Cloud / Server-Side: As normal

Authentication
  Device / Hardware: Lack of user input; hardware retrieval of keys
  Network: Challenges of using federated identity
  Cloud / Server-Side: Lack of standards around Device Identity

Access Control
  Device / Hardware: Physical access; lack of local authentication
  Network: As usual
  Cloud / Server-Side: User managed access controls needed

Non-Repudiation
  Device / Hardware: No secure local storage; low capability devices
  Network: Signatures with low capability devices
  Cloud / Server-Side: As normal

Page 22

Problem statement

• “Consumers, not companies, own the data collected by Internet of Things devices.” Limor Fried
• Privacy: “Users must be empowered to execute effective controls over their personal information” Cavoukian

https://www.flickr.com/photos/opensourceway

Page 23

PRIVACY BY DESIGN

• Proactive not Reactive; Preventative not Remedial
• Privacy as the Default Setting
• Privacy Embedded into Design
• Full Functionality – Positive-Sum, not Zero-Sum
• End-to-End Security – Full Lifecycle Protection
• Visibility and Transparency – Keep it Open
• Respect for User Privacy – Keep it User-Centric

Page 24

IDENTITY IS THE NEW PERIMETER

Page 25

Page 26

Identity as a perimeter

• Security controls based on identity
  • Not location
  • Not IP address
  • Not VPN
• However, this raises questions of anonymity and tracking

Page 27

Requirements for Identity and Privacy of Things

• Federated
  • Your choice of provider
• Scalable
  • Capable of coping with billions of devices
• User Managed
  • Users get to control what data is shared and with whom
• Secure
  • Not broken yet!

Page 28

Passwords

• Passwords suck for humans
• They suck even more for devices

Page 29

Page 30

Page 31

Why Federated Identity for IoT?

• Can enable a meaningful consent mechanism for sharing of device data
• Giving a device a token to use on API calls is better than giving it a password
  • Revokable
  • Granular
• May be relevant for both
  • Device to cloud
  • Cloud to app

Page 32

Dynamic Client Registration

• Solves the problem of “Breaking one device breaks them all”
• A RESTful API (part of OpenID Connect)
• Allows a manufacturing process to get fresh credentials for each device
• https://openid.net/specs/openid-connect-registration-1_0.html
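Added Python example, not from the talk and not any OpenID library's code: a toy registration endpoint that issues a fresh client_id and client_secret per registration, and a manufacturing step that registers each device separately, so revoking one compromised device leaves the others untouched (the hardware recommendation on page 20 as well as this slide). The endpoint, device names and redirect URI are constructed; only the request and response field names follow the OpenID Connect registration spec.

```python
import json
import secrets
import time

class RegistrationEndpoint:
    """Toy stand-in for an OpenID Connect Dynamic Client Registration endpoint
    (constructed for this example; not a real server or WSO2 code)."""
    def __init__(self):
        self.clients = {}  # client_id -> registered metadata plus its secret

    def register(self, request_body):
        req = json.loads(request_body)
        if "redirect_uris" not in req:  # the spec makes redirect_uris REQUIRED
            return 400, json.dumps({"error": "invalid_redirect_uri"})
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)  # fresh and unique per registration
        self.clients[client_id] = {**req, "client_secret": client_secret}
        return 201, json.dumps({
            "client_id": client_id,
            "client_secret": client_secret,
            "client_id_issued_at": int(time.time()),
            "client_secret_expires_at": 0,  # 0 means the secret does not expire
        })

    def authenticate(self, client_id, client_secret):
        c = self.clients.get(client_id)
        return c is not None and secrets.compare_digest(c["client_secret"], client_secret)

    def revoke(self, client_id):
        """Deregister one compromised device without touching any other."""
        self.clients.pop(client_id, None)

def provision_device(endpoint, serial):
    """Manufacturing step: register this one device and return its own credentials."""
    body = json.dumps({
        "client_name": f"thermostat-{serial}",           # hypothetical device name
        "redirect_uris": ["https://device.example/cb"],  # placeholder URI
        "token_endpoint_auth_method": "client_secret_basic",
        "grant_types": ["client_credentials"],
    })
    status, resp = endpoint.register(body)
    if status != 201:
        raise RuntimeError(f"registration failed: {resp}")
    cred = json.loads(resp)
    return cred["client_id"], cred["client_secret"]
```

In a real deployment the registration endpoint is itself protected (for example by an initial access token handed to the manufacturing line), which this toy omits.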

Page 33

More information

https://www.researchgate.net/publication/264347555_Federated_Identity_and_Access_Management_for_the_Inernet_of_Things

https://www.researchgate.net/publication/274897865_Web_API_Management_Meets_the_Internet_of_Things

Page 34

Why really?

Your IoT data privacy should not rely on the maker of a specific device

Page 35

Uber, the taxi-ordering app, can use more sophisticated technology to track people than the police, according to Britain’s top officer.

Page 36

Uber admitted employees abused God View

Page 37

What is the value of connection?

Page 38

The current situation

Diagram (majority of IoT networks today): Device; Private API

Web systems: Ecosystems, On-demand signup, rich set of clients

Page 39

Hyperconnected

• My definition: when each device is potentially linked to every other device

Page 40

De-anonymization

Page 41

https://firstlook.org/theintercept/2015/07/01/nsas-google-worlds-private-communications/

Page 42

Are you creating the next privacy breach?

Page 43

Page 44

Page 45

The IoT Dog Collar - Whistle

Page 46

https://www.flickr.com/photos/themacinator/

On the Internet of Things, no-one knows you are a dog-collar.

Page 47

Thank you!

https://www.flickr.com/photos/nateone