FIWARE Wednesday Webinar - How to Secure IoT Devices (22nd April 2020)
Corresponding webinar recording: https://youtu.be/_87IZhrYo3U
Live coding session and commentary, demonstrating various techniques and methods for securing the interactions between Devices, IoT Agents and the Context Broker
Chapter: Security
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
1. How to Secure FIWARE IoT Devices
Jason Fox, Senior Technical Evangelist
FIWARE Foundation
2. Learning Goals
• How can insecure systems be attacked?
• Why is this a problem for me?
• What common actions should be taken to help to secure systems?
• What options do I have to secure HTTP traffic?
• What options do I have to secure MQTT traffic?
• What options do I have with other protocols?
• What is a PEP Proxy and how can I use one to protect services and devices?
3. Prerequisites
• Docker - https://www.docker.com/
• Docker Compose - https://docs.docker.com/compose/install/
• Git - https://git-scm.com/downloads
• Postman - https://www.getpostman.com/downloads/
• Cygwin for Windows - https://www.cygwin.com/install.html

git clone https://github.com/FIWARE/tutorials.Step-by-Step.git
cd tutorials.Step-by-Step/
git submodule update --init --recursive
4. FIWARE Catalogue
Chapters: Core Context Management (Context Broker); Interface to IoT, Robotics and third party systems; Context Processing, Analysis, Visualization; Data/API Management, Publication, Monetization; Deployment tools
• Development of context-aware applications (Orion, Orion-LD, Scorpio, STH-Comet, Cygnus, QuantumLeap, Draco)
• Connection to the Internet of Things (IDAS, OpenMTC)
• Real-time processing of context events (Perseo)
• Handling authorization and access control to APIs (Keyrock, Wilma, AuthZForce, APInf)
• Publication and Monetization of Context Information (CKAN extensions, Data/API Biz Framework, IDRA)
• Creation of Application Dashboards (Wirecloud)
• Real-time processing of media streams (Kurento)
• Business Intelligence (Knowage)
• Connection to robots (FIROS, Fast RTPS, Micro XRCE-DDS)
• Big Data Context Analysis (Cosmos)
• Cloud Edge (FogFlow)
• Documents exchange (Domibus)
5. Reminder - Securing an HTTP Microservice
Secure services using a PEP Proxy
● To only allow authorized HTTP traffic, we need to interpose a security component (the PEP Proxy) between the client application (e.g. the supermarket app) and the context broker.
● We need an Identity Manager to provide user accounts and check passwords; the PEP Proxy asks it whether the access token presented with each request is valid.
Set up a web server to block insecure HTTP traffic
● Include a forwarding instruction with a 301 - Moved Permanently, so that plain-HTTP requests are redirected to HTTPS.
● The redirect only protects from the second request onwards; the client has already sent its first request in clear. Sending a Strict-Transport-Security header on the HTTPS responses tells browsers to skip plain HTTP on later visits.
● More info https://www.digicert.com/ssl/
6. HTTPS configuration example: NGINX
Need to create domain certificates
• Chain of trust - your certificate is signed by a CA (possibly through a series of intermediates) that clients already trust
Need to provide your private key to the web server - keep it readable by that server only and never commit it alongside the configuration
Plenty of tutorials around - details will depend on the web server used
• e.g. Digital Ocean: How To Secure Nginx with Let's Encrypt
• https://www.digitalocean.com/community/tutorial_collections/22

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    # plain HTTP: redirect everything to HTTPS, preserving host and path
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name example.com www.example.com;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
    # full chain (leaf + intermediates) issued by Let's Encrypt, and the matching private key
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
7. PEP Proxy configuration example: Wilma
Where am I intercepting?
• PEP_PROXY_PORT
What am I protecting? Where do I forward to?
• PEP_PROXY_APP_HOST, PEP_PROXY_APP_PORT
Who is responsible for checking the access token?
• PEP_PROXY_IDM_HOST, PEP_PROXY_IDM_PORT
How does the IDM recognize me?
• PEP_PROXY_APP_ID, PEP_PROXY_USERNAME, PEP_PASSWORD
Check: clients must only be able to reach PEP_PROXY_PORT. If PEP_PROXY_APP_PORT is also published (e.g. in docker-compose), the proxy can simply be bypassed.
More Details: https://hub.docker.com/r/fiware/pep-proxy
8. Securing HTTP traffic: IoT Devices
● Since devices communicate using HTTP, we can include the PEP proxy between the client application (e.g. the device) and the IoT Agent.
● We need an Identity Manager to provide user accounts and check passwords
● The PEP Proxy is defined using the following settings:
  ○ PEP_PROXY_APP_HOST
  ○ PEP_PROXY_APP_PORT
  ○ PEP_PROXY_PORT
● Can also secure communications between microservices using HTTPS as shown previously, of course.
Similar set-up to the microservice use-case, except that now each IoT device is itself a (limited) user: it obtains an access token with its own credentials and presents it with every measurement it sends.
● DUMMY_DEVICES_USER, DUMMY_DEVICES_PASSWORD
9. Securing HTTP traffic: IoT Agent
The IoT Agent is now a (limited) user - traffic is protected between the Context Broker and IoT Agent
● Provision devices using an additional trust attribute which holds a permanent token; the IoT Agent presents it when it forwards measurements to the protected Context Broker
● HTTPS may also be needed. This will depend on the architecture used and the protocol the IoT devices use to communicate with the IoT Agent
● Check: the trust token is only checked if cbroker points at the PEP Proxy in front of the broker, not at the broker's own port. Treat the token like a password - it sits in plain text in the provisioning payload below, so keep it out of shell histories and shared Postman collections.

curl -iX POST \
  'http://localhost:4041/iot/services' \
  -H 'Content-Type: application/json' \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
    "services": [ {
      "apikey": "4jggokgpepnvsb2uv4s40d59ov",
      "cbroker": "http://orion:1026",
      "entity_type": "Motion",
      "resource": "/iot/d",
      "trust": "e37aeef5d48c9c1a3d4adf72626a8745918d4355"
    } ]
  }'
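The device side of slides 8 and 9, as an added example written for this page (it is not IoT Agent or Keyrock code): a device that is itself a limited user first exchanges its own username and password for an access token, then sends UltraLight measurements through the PEP proxy with that token. It assumes the Identity Manager offers an OAuth2 password grant at /oauth2/token (Keyrock does) and that the proxy reads the token from X-Auth-Token; the host names, client credentials and device names are placeholders. Requests are built as plain objects so the flow can be checked without a network.

```javascript
// Added example (not IoT Agent or Keyrock code): a device acting as a (limited) user.
// Assumes an OAuth2 password grant at <idm>/oauth2/token and a PEP proxy reading X-Auth-Token.

// Step 1: exchange the device's own credentials for an access token. The application's
// client_id:client_secret go in a Basic header, the device's username/password in the body.
function buildTokenRequest({ idmUrl, clientId, clientSecret, username, password }) {
    const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
    return {
        method: 'POST',
        url: `${idmUrl}/oauth2/token`,
        headers: {
            Authorization: `Basic ${basic}`,
            'Content-Type': 'application/x-www-form-urlencoded',
            Accept: 'application/json'
        },
        body: new URLSearchParams({ username, password, grant_type: 'password' }).toString()
    };
}

// Step 2: a measurement in UltraLight 2.0 syntax (e.g. "t|25|h|60") sent through the proxy,
// with the token in X-Auth-Token and the apikey/device id in UltraLight's k and i query params.
function buildMeasureRequest({ proxyUrl, resource, apikey, deviceId, token, readings }) {
    const payload = Object.entries(readings).map(([k, v]) => `${k}|${v}`).join('|');
    const query = new URLSearchParams({ k: apikey, i: deviceId }).toString();
    return {
        method: 'POST',
        url: `${proxyUrl}${resource}?${query}`,
        headers: { 'Content-Type': 'text/plain', 'X-Auth-Token': token },
        body: payload
    };
}

// Step 3: a small session that caches the token and discards it when the proxy answers 401,
// so the next measurement re-authenticates instead of retrying forever with a dead token.
class DeviceSession {
    constructor(settings) { this.settings = settings; this.token = null; }

    // The next request to send: a token request while we hold no token, otherwise the measure.
    nextRequest(readings) {
        if (!this.token) return buildTokenRequest(this.settings);
        return buildMeasureRequest({ ...this.settings, token: this.token, readings });
    }

    // Feed the status (and parsed JSON body, if any) of the last response back in.
    onResponse(status, json) {
        if (json && json.access_token && status < 300) { this.token = json.access_token; return 'authenticated'; }
        if (status === 401) { this.token = null; return 'token-rejected'; }
        return status < 300 ? 'delivered' : 'failed';
    }
}
```

The session deliberately keeps only the access token in memory; the username and password are used once per authentication and the token is thrown away the moment the proxy stops accepting it.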
10. Securing MQTT traffic: IoT Devices
Provide a username and password on MQTT connect
● Create a username/password-hash file for the MQTT broker, e.g. /etc/mosquitto/passwd, and disable anonymous connections so that the file is actually enforced
● e.g. Hackaday example: https://hackaday.io/project/12482-garage-door-opener/log/43367-using-a-username-and-password-for-mqtt
● IOTA_MQTT_USERNAME, IOTA_MQTT_PASSWORD
Use MQTT over TLS (commonly still called "MQTT over SSL"; brokers conventionally listen on port 8883 for it)
● Need to create certificates and set up your MQTT broker appropriately. Without TLS the username and password travel in clear text on every connect.
● e.g. ThingsBoard Docs: https://thingsboard.io/docs/user-guide/mqtt-over-ssl/
● IOTA_MQTT_CA, IOTA_MQTT_CERT, IOTA_MQTT_KEY
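The broker side of both mechanisms on this slide, as an added Mosquitto configuration example written for this page (not taken from the webinar). Paths and the 8883 listener are assumptions; the directive names are Mosquitto's own.

```conf
# Added example: mosquitto.conf fragment for the two mechanisms above (not from the webinar).
# File paths are placeholders.

# Weak setting (the pre-2.0 default): anyone may connect, and a password_file on its own
# changes nothing while anonymous clients are still accepted.
#allow_anonymous true

# Username/password on connect (pairs with IOTA_MQTT_USERNAME / IOTA_MQTT_PASSWORD).
# Create the hash file with: mosquitto_passwd -c /etc/mosquitto/passwd <username>
allow_anonymous false
password_file /etc/mosquitto/passwd

# MQTT over TLS on the conventional TLS port (pairs with IOTA_MQTT_CA / IOTA_MQTT_CERT / IOTA_MQTT_KEY).
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key

# Require each client to present a certificate signed by cafile, so a device is checked by
# its certificate and not only by its password.
require_certificate true

# Optional: take the username from the client certificate's CN instead of the CONNECT packet.
#use_identity_as_username true
```

With `allow_anonymous false` plus `require_certificate true`, a device needs both a valid client certificate and an entry in the password file; a stolen password alone no longer gets a connection.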
11. How to connect an IoT device using secure MQTT

// Node.js client using MQTT.js. The original slide used protocol 'mqtt' on port 1883:
// MQTT.js only applies key/ca/cert on a TLS transport, so that combination would silently
// send the username and password in clear. Use 'mqtts' and the broker's TLS port (8883).
const fs = require('fs');
const mqtt = require('mqtt');

const options = {
    protocol: 'mqtts',
    host: 'localhost',
    port: 8883,
    key: fs.readFileSync('device-key.pem'),     // this device's private key (placeholder path)
    ca: fs.readFileSync('ca.pem'),              // CA that signed the broker's certificate
    cert: fs.readFileSync('device-cert.pem'),   // this device's certificate
    rejectUnauthorized: true,                   // refuse brokers whose certificate does not chain to ca
    username: process.env.MQTT_USERNAME,        // device username
    password: process.env.MQTT_PASSWORD,        // device password
    keepalive: 0,
    connectTimeout: 60 * 60 * 1000
};

const mqttClient = mqtt.connect(
    options.protocol + '://' + options.host + ':' + options.port,
    options
);
mqttClient.on('connect', () => console.log('connected to broker over TLS'));
mqttClient.on('error', (err) => console.error('MQTT connection failed:', err.message));

Both IoT Agents and IoT devices connect to MQTT brokers in the same manner
Plenty of MQTT client libraries available
● https://github.com/mqtt/mqtt.github.io/wiki/libraries
IoT Agents use a common Node.js library
● https://github.com/mqttjs/MQTT.js
Further information at:
● http://mqtt.org/
12. Summary: Securing a FIWARE-based System
You need secure systems to ensure the integrity of your product and your data:
• Only accept readings you can trust
• Only offer data to users you can recognize
First steps in securing your system:
• Use usernames + passwords whenever possible to identify actors
• Use TLS (SSL) - avoid plain text (in messages and in configuration)
• Minimize user access (e.g. no root access, no open ports)
• Log everything
Use a PEP Proxy to act as a gatekeeper for your data.
FIWARE offers a series of components to help secure your system
• Use of the FIWARE catalogue components is not mandatory, but you should use them or an equally secure alternative.
13. Final Thoughts
The basis of any product's reputation is trust. How can users trust you if your system is insecure?
This security presentation has merely been a short introduction; there is always an opportunity to look at security in greater depth.