SlideShare uma empresa Scribd logo
1 de 49
Baixar para ler offline
Securing the Internet of Things
Paul Fremantle
CTO, WSO2 (paul@wso2.com)
PhD researcher, Portsmouth University
(paul.fremantle@port.ac.uk)
@pzfreo
Paul Madsen*
Technical Architect, PingIdentity
(pmadsen@pingidentity.com)
@paulmadsen
*Paul M helped me with the initial content, but I take responsibility for anything you don’t like in this slide deck.
Securing the Internet of Things
About me
• CTO and Co-Founder
WSO2
– Open Source Middleware
platform
• Part-time PhD looking at
security
• Working in Apache for
14 years
• Working with Cloud,
SOA, APIs, MQTT, IoT
3
Firstly, does it matter?
Securing the Internet of Things
Securing the Internet of Things
“Google
Hacking”
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
Securing the Internet of Things
http://freo.me/1pbUmof
So what is different about IoT?
• The longevity of the device
– Updates are harder (or impossible)
• The size of the device
– Capabilities are limited – especially around crypto
• The fact there is a device
– Usually no UI for entering userids and passwords
• The data
– Often highly personal
• The mindset
– Appliance manufacturers don’t think like security experts
– Embedded systems are often developed by grabbing existing
chips, designs, etc
Physical Hacks
A Practical Attack on the MIFARE Classic:
http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
Securing the Internet of Things
Or try this at home?
http://freo.me/1g15BiG
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html
Hardware recommendations
• Don’t rely on obscurity
Hardware recommendations
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
• Don’t rely on obscurity
Hardware Recommendation #2
• Unlocking a single device should risk only that
device’s data
The Network
Crypto on small devices
• Practical Considerations and Implementation
Experiences in Securing Smart Object Networks
– http://tools.ietf.org/html/draft-aks-crypto-sensors-02
ROM requirements
ECC is possible
(and about fast enough)
Securing the Internet of Things
Crypto
Borrowed from Chris Swan:
http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
Won’t ARM just solve this problem?
Cost matters
8 bits
$5 retail
$1 or less to embed
32 bits
$25 retail
$?? to embed
Another option?
SIMON and SPECK
https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
Datagram Transport Layer Security
(DTLS)
• UDP based equivalent to TLS
• https://tools.ietf.org/html/rfc4347
Key distribution
Securing the Internet of Things
CoAP
• Constrained Application Protocol
– http://tools.ietf.org/html/draft-ietf-core-coap-18
– REST-like model built on UDP
– Californium project coming soon to Eclipse IoT
• No authentication or authorization
– Relies on DLTS or data in the body
MQTT
MQTT
• Very lightweight messaging protocol
– Designed for 8-bit controllers, SCADA, etc
– Low power, low bandwidth
– Binary header of 2 bytes
– Lots of implementations
• Mosquitto, Paho, RSMB and Moquette from Eclipse
– Clients:
• Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc
• Plus an even lighter-weight version for Zigbee
– MQTT-SN (Sensor Network)
MQTT
• Relies on TLS for confidentiality
• Username/Password field
Passwords
• Passwords suck for humans
• They suck even more for devices
Tokens
Securing the Internet of Things
Why OAuth2?
• Widely implemented
• Pretty good
– Of course there is never 100% agreement
– Or certainty with security protocols
• Not just HTTP:
– http://tools.ietf.org/html/draft-ietf-kitten-sasl-
oauth-12
– OAuth2 used with SSL
Securing the Internet of Things
Securing the Internet of Things
Why FIAM for IoT?
• Can enable a meaningful consent mechanism
for sharing of device data
• Giving a device a token to use on API calls
better than giving it a password
– Revokable
– Granular
• May be relevant for both
– Device to cloud
– Cloud to app
Two aspects using OAuth with IoT
• On the device
– Tokens are good
– Limiting the access of the device
• On the cloud
– Putting users in control of their data
– Just good current practice
• Demo with MQTT
– But not just for MQTT
– Also for the cloud, CoAP, and other protocols too
Demo components
Mosquitto
(Open Source MQTT
Broker)
Acting as “Resource
Server”
Mosquitto_py_auth
mqtt-oauth2.py
IdP
WSO2 Identity
Server
ESB
Introspection
API
Refresher.py
Arduino
CreateToken.py
1
2
3
4
5
6
WSO2 Identity Server
Lessons learnt
• MQTT and MPU / I2C code is 97% of Duemilanove
– Adding the final logic to do OAuth2 flow pushed it to 99%
– No TLS in this demo is a big issue
• Different Oauth2 implementations behave differently
(e.g. changing the refresh token every time you refresh)
• Need to be able to update the scope of token if this will
work for long term embedded devices
• The refresh flow should not really go via the Resource
server
– Easy fix
• MQTT should have a well defined model for sending a
message to just one client (securely)
What I haven’t covered enough of
Summary
• Think about security with your next device
• We as a community need to make sure that
the next generation of IoT devices are secure
• We need to create exemplars
– Shields
– Libraries
– Server software
– Standards
Questions?

Mais conteúdo relacionado

Mais procurados

Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2Paul Fremantle
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyAdeel Ahmed
 
Introduction to the Internet of Things
Introduction to the Internet of ThingsIntroduction to the Internet of Things
Introduction to the Internet of ThingsAlexandru Radovici
 
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsSecurity Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsDesign World
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016Erez Metula
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalFrank Siepmann
 
Automatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoTAutomatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoTautomatskicorporation
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process EC-Council
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of ThingsBryan Len
 
Enabling Data Protection through PKI encryption in IoT m-Health Devices
Enabling Data Protection through PKI encryption in IoT m-Health DevicesEnabling Data Protection through PKI encryption in IoT m-Health Devices
Enabling Data Protection through PKI encryption in IoT m-Health DevicesCharalampos Doukas
 
IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015Eurotech
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Securitynoornabi16
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 

Mais procurados (20)

Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A Survey
 
Introduction to the Internet of Things
Introduction to the Internet of ThingsIntroduction to the Internet of Things
Introduction to the Internet of Things
 
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsSecurity Fundamental for IoT Devices; Creating the Internet of Secure Things
Security Fundamental for IoT Devices; Creating the Internet of Secure Things
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10
 
Iot Security
Iot SecurityIot Security
Iot Security
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
IoT Security: Cases and Methods
IoT Security: Cases and MethodsIoT Security: Cases and Methods
IoT Security: Cases and Methods
 
Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
 
Automatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoTAutomatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoT
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
 
Enabling Data Protection through PKI encryption in IoT m-Health Devices
Enabling Data Protection through PKI encryption in IoT m-Health DevicesEnabling Data Protection through PKI encryption in IoT m-Health Devices
Enabling Data Protection through PKI encryption in IoT m-Health Devices
 
IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Security
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 

Destaque

A military perspective on cyber security
A military perspective on cyber securityA military perspective on cyber security
A military perspective on cyber securityJoey Hernandez
 
Practical Security with MQTT and Mosquitto
Practical Security with MQTT and MosquittoPractical Security with MQTT and Mosquitto
Practical Security with MQTT and Mosquittonbarendt
 
MQTT Hacks for Fun and... Fun!
MQTT Hacks for Fun and... Fun!MQTT Hacks for Fun and... Fun!
MQTT Hacks for Fun and... Fun!Andy Piper
 
Securing MQTT - BuildingIoT 2016 slides
Securing MQTT - BuildingIoT 2016 slidesSecuring MQTT - BuildingIoT 2016 slides
Securing MQTT - BuildingIoT 2016 slidesDominik Obermaier
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingPeter R. Egli
 
Military Robots
Military RobotsMilitary Robots
Military Robotsnsapre
 
Civil – military relations in india a perspective
Civil – military relations in india   a perspectiveCivil – military relations in india   a perspective
Civil – military relations in india a perspectiveUmong Sethi
 
Cyber security
Cyber securityCyber security
Cyber securitySiblu28
 
Network Security Threats and Solutions
Network Security Threats and SolutionsNetwork Security Threats and Solutions
Network Security Threats and SolutionsColin058
 
IoT - IT 423 ppt
IoT - IT 423 pptIoT - IT 423 ppt
IoT - IT 423 pptMhae Lyn
 

Destaque (13)

A military perspective on cyber security
A military perspective on cyber securityA military perspective on cyber security
A military perspective on cyber security
 
Practical Security with MQTT and Mosquitto
Practical Security with MQTT and MosquittoPractical Security with MQTT and Mosquitto
Practical Security with MQTT and Mosquitto
 
MQTT Hacks for Fun and... Fun!
MQTT Hacks for Fun and... Fun!MQTT Hacks for Fun and... Fun!
MQTT Hacks for Fun and... Fun!
 
Securing MQTT - BuildingIoT 2016 slides
Securing MQTT - BuildingIoT 2016 slidesSecuring MQTT - BuildingIoT 2016 slides
Securing MQTT - BuildingIoT 2016 slides
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message Queueing
 
Military Robots
Military RobotsMilitary Robots
Military Robots
 
Indian Army
Indian ArmyIndian Army
Indian Army
 
Indian army
Indian armyIndian army
Indian army
 
Network security
Network securityNetwork security
Network security
 
Civil – military relations in india a perspective
Civil – military relations in india   a perspectiveCivil – military relations in india   a perspective
Civil – military relations in india a perspective
 
Cyber security
Cyber securityCyber security
Cyber security
 
Network Security Threats and Solutions
Network Security Threats and SolutionsNetwork Security Threats and Solutions
Network Security Threats and Solutions
 
IoT - IT 423 ppt
IoT - IT 423 pptIoT - IT 423 ppt
IoT - IT 423 ppt
 

Semelhante a Securing the Internet of Things

Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications WSO2
 
Building the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBuilding the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBenjamin Cabé
 
Supercharge your IOT toolbox with MQTT and Node-RED
Supercharge your IOT toolbox with MQTT and Node-REDSupercharge your IOT toolbox with MQTT and Node-RED
Supercharge your IOT toolbox with MQTT and Node-REDSimen Sommerfeldt
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017Jian-Hong Pan
 
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...Rick G. Garibay
 
IPv4 to IPv6 network transformation
IPv4 to IPv6 network transformationIPv4 to IPv6 network transformation
IPv4 to IPv6 network transformationNikolay Milovanov
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueEurotech
 
Open source building blocks for the Internet of Things - Jfokus 2013
Open source building blocks for the Internet of Things - Jfokus 2013Open source building blocks for the Internet of Things - Jfokus 2013
Open source building blocks for the Internet of Things - Jfokus 2013Benjamin Cabé
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisAxel Rennoch
 
Using open source for IoT
Using open source for IoTUsing open source for IoT
Using open source for IoTIan Skerrett
 
Pushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudPushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudDMC, Inc.
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
 
Building the Internet of Things with Thingsquare and Contiki - day 1, part 3
Building the Internet of Things with Thingsquare and Contiki - day 1, part 3Building the Internet of Things with Thingsquare and Contiki - day 1, part 3
Building the Internet of Things with Thingsquare and Contiki - day 1, part 3Adam Dunkels
 
Io t standard_bis_arpanpal
Io t standard_bis_arpanpalIo t standard_bis_arpanpal
Io t standard_bis_arpanpalArpan Pal
 
Integrating Things and the smart mobile phone capabilities
Integrating Things and the smart mobile phone capabilitiesIntegrating Things and the smart mobile phone capabilities
Integrating Things and the smart mobile phone capabilitiesMarino Linaje Trigueros
 
COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3Soon Zoo Kwon
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT GatewayLF Events
 
Authentication system with Decentralized chat app
Authentication system with Decentralized chat appAuthentication system with Decentralized chat app
Authentication system with Decentralized chat appIRJET Journal
 
Open Source IoT at Eclipse
Open Source IoT at EclipseOpen Source IoT at Eclipse
Open Source IoT at EclipseIan Skerrett
 

Semelhante a Securing the Internet of Things (20)

Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 
Building the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBuilding the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetup
 
Kumar cscl final
Kumar cscl finalKumar cscl final
Kumar cscl final
 
Supercharge your IOT toolbox with MQTT and Node-RED
Supercharge your IOT toolbox with MQTT and Node-REDSupercharge your IOT toolbox with MQTT and Node-RED
Supercharge your IOT toolbox with MQTT and Node-RED
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
 
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
 
IPv4 to IPv6 network transformation
IPv4 to IPv6 network transformationIPv4 to IPv6 network transformation
IPv4 to IPv6 network transformation
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
 
Open source building blocks for the Internet of Things - Jfokus 2013
Open source building blocks for the Internet of Things - Jfokus 2013Open source building blocks for the Internet of Things - Jfokus 2013
Open source building blocks for the Internet of Things - Jfokus 2013
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysis
 
Using open source for IoT
Using open source for IoTUsing open source for IoT
Using open source for IoT
 
Pushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudPushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to Cloud
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Building the Internet of Things with Thingsquare and Contiki - day 1, part 3
Building the Internet of Things with Thingsquare and Contiki - day 1, part 3Building the Internet of Things with Thingsquare and Contiki - day 1, part 3
Building the Internet of Things with Thingsquare and Contiki - day 1, part 3
 
Io t standard_bis_arpanpal
Io t standard_bis_arpanpalIo t standard_bis_arpanpal
Io t standard_bis_arpanpal
 
Integrating Things and the smart mobile phone capabilities
Integrating Things and the smart mobile phone capabilitiesIntegrating Things and the smart mobile phone capabilities
Integrating Things and the smart mobile phone capabilities
 
COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
Authentication system with Decentralized chat app
Authentication system with Decentralized chat appAuthentication system with Decentralized chat app
Authentication system with Decentralized chat app
 
Open Source IoT at Eclipse
Open Source IoT at EclipseOpen Source IoT at Eclipse
Open Source IoT at Eclipse
 

Mais de Paul Fremantle

IoT and Blockchains - enhancing security and privacy
IoT and Blockchains - enhancing security and privacyIoT and Blockchains - enhancing security and privacy
IoT and Blockchains - enhancing security and privacyPaul Fremantle
 
Anonymous Individual Integration for IoT
Anonymous Individual Integration for IoTAnonymous Individual Integration for IoT
Anonymous Individual Integration for IoTPaul Fremantle
 
Web API Management meets the Internet of Things
Web API Management meets the Internet of ThingsWeb API Management meets the Internet of Things
Web API Management meets the Internet of ThingsPaul Fremantle
 
Apache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and EquinoxApache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and EquinoxPaul Fremantle
 
Beyond Economics - Cloud as a Business Enabler
Beyond Economics - Cloud as a Business EnablerBeyond Economics - Cloud as a Business Enabler
Beyond Economics - Cloud as a Business EnablerPaul Fremantle
 
The Evolution of Integration
The Evolution of IntegrationThe Evolution of Integration
The Evolution of IntegrationPaul Fremantle
 
High Volume Web API Management with the WSO2 ESB
High Volume Web API Management with the WSO2 ESBHigh Volume Web API Management with the WSO2 ESB
High Volume Web API Management with the WSO2 ESBPaul Fremantle
 
Stratos Open PaaS OSCON 2011
Stratos Open PaaS OSCON 2011Stratos Open PaaS OSCON 2011
Stratos Open PaaS OSCON 2011Paul Fremantle
 
Stratos and PaaS for London Java Community
Stratos and PaaS for London Java CommunityStratos and PaaS for London Java Community
Stratos and PaaS for London Java CommunityPaul Fremantle
 
Understanding Platform as a Service
Understanding Platform as a ServiceUnderstanding Platform as a Service
Understanding Platform as a ServicePaul Fremantle
 
Making Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and MeteredMaking Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and MeteredPaul Fremantle
 
Building Cloud Native Software
Building Cloud Native SoftwareBuilding Cloud Native Software
Building Cloud Native SoftwarePaul Fremantle
 
Building Innovation with Open Source Approaches
Building Innovation with Open Source ApproachesBuilding Innovation with Open Source Approaches
Building Innovation with Open Source ApproachesPaul Fremantle
 
Three SOA Case Studies
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case StudiesPaul Fremantle
 
Fast SOA with Apache Synapse
Fast SOA with Apache SynapseFast SOA with Apache Synapse
Fast SOA with Apache SynapsePaul Fremantle
 
REST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesREST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesPaul Fremantle
 

Mais de Paul Fremantle (17)

IoT and Blockchains - enhancing security and privacy
IoT and Blockchains - enhancing security and privacyIoT and Blockchains - enhancing security and privacy
IoT and Blockchains - enhancing security and privacy
 
Anonymous Individual Integration for IoT
Anonymous Individual Integration for IoTAnonymous Individual Integration for IoT
Anonymous Individual Integration for IoT
 
Web API Management meets the Internet of Things
Web API Management meets the Internet of ThingsWeb API Management meets the Internet of Things
Web API Management meets the Internet of Things
 
Apache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and EquinoxApache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and Equinox
 
Beyond Economics - Cloud as a Business Enabler
Beyond Economics - Cloud as a Business EnablerBeyond Economics - Cloud as a Business Enabler
Beyond Economics - Cloud as a Business Enabler
 
Evolution of PaaS
Evolution of PaaSEvolution of PaaS
Evolution of PaaS
 
The Evolution of Integration
The Evolution of IntegrationThe Evolution of Integration
The Evolution of Integration
 
High Volume Web API Management with the WSO2 ESB
High Volume Web API Management with the WSO2 ESBHigh Volume Web API Management with the WSO2 ESB
High Volume Web API Management with the WSO2 ESB
 
Stratos Open PaaS OSCON 2011
Stratos Open PaaS OSCON 2011Stratos Open PaaS OSCON 2011
Stratos Open PaaS OSCON 2011
 
Stratos and PaaS for London Java Community
Stratos and PaaS for London Java CommunityStratos and PaaS for London Java Community
Stratos and PaaS for London Java Community
 
Understanding Platform as a Service
Understanding Platform as a ServiceUnderstanding Platform as a Service
Understanding Platform as a Service
 
Making Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and MeteredMaking Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and Metered
 
Building Cloud Native Software
Building Cloud Native SoftwareBuilding Cloud Native Software
Building Cloud Native Software
 
Building Innovation with Open Source Approaches
Building Innovation with Open Source ApproachesBuilding Innovation with Open Source Approaches
Building Innovation with Open Source Approaches
 
Three SOA Case Studies
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case Studies
 
Fast SOA with Apache Synapse
Fast SOA with Apache SynapseFast SOA with Apache Synapse
Fast SOA with Apache Synapse
 
REST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesREST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and Lies
 

Último

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 

Último (20)

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

Securing the Internet of Things

  • 1. Securing the Internet of Things Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo Paul Madsen* Technical Architect, PingIdentity (pmadsen@pingidentity.com) @paulmadsen *Paul M helped me with the initial content, but I take responsibility for anything you don’t like in this slide deck.
  • 3. About me • CTO and Co-Founder WSO2 – Open Source Middleware platform • Part-time PhD looking at security • Working in Apache for 14 years • Working with Cloud, SOA, APIs, MQTT, IoT 3
  • 11. So what is different about IoT? • The longevity of the device – Updates are harder (or impossible) • The size of the device – Capabilities are limited – especially around crypto • The fact there is a device – Usually no UI for entering userids and passwords • The data – Often highly personal • The mindset – Appliance manufacturers don’t think like security experts – Embedded systems are often developed by grabbing existing chips, designs, etc
  • 12. Physical Hacks A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf Karsten Nohl and Henryk Plotz. MIFARE, Little Security, Despite Obscurity
  • 14. Or try this at home? http://freo.me/1g15BiG
  • 17. Hardware recommendations • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity • Don’t rely on obscurity
  • 18. Hardware Recommendation #2 • Unlocking a single device should risk only that device’s data
  • 20. Crypto on small devices • Practical Considerations and Implementation Experiences in Securing Smart Object Networks – http://tools.ietf.org/html/draft-aks-crypto-sensors-02
  • 22. ECC is possible (and about fast enough)
  • 24. Crypto Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
  • 25. Won’t ARM just solve this problem?
  • 26. Cost matters 8 bits $5 retail $1 or less to embed 32 bits $25 retail $?? to embed
  • 29. Datagram Transport Layer Security (DTLS) • UDP based equivalent to TLS • https://tools.ietf.org/html/rfc4347
  • 32. CoAP • Constrained Application Protocol – http://tools.ietf.org/html/draft-ietf-core-coap-18 – REST-like model built on UDP – Californium project coming soon to Eclipse IoT • No authentication or authorization – Relies on DLTS or data in the body
  • 33. MQTT
  • 34. MQTT • Very lightweight messaging protocol – Designed for 8-bit controllers, SCADA, etc – Low power, low bandwidth – Binary header of 2 bytes – Lots of implementations • Mosquitto, Paho, RSMB and Moquette from Eclipse – Clients: • Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc • Plus an even lighter-weight version for Zigbee – MQTT-SN (Sensor Network)
  • 35. MQTT • Relies on TLS for confidentiality • Username/Password field
  • 36. Passwords • Passwords suck for humans • They suck even more for devices
  • 39. Why OAuth2? • Widely implemented • Pretty good – Of course there is never 100% agreement – Or certainty with security protocols • Not just HTTP: – http://tools.ietf.org/html/draft-ietf-kitten-sasl- oauth-12 – OAuth2 used with SSL
  • 42. Why FIAM for IoT? • Can enable a meaningful consent mechanism for sharing of device data • Giving a device a token to use on API calls better than giving it a password – Revokable – Granular • May be relevant for both – Device to cloud – Cloud to app
  • 43. Two aspects using OAuth with IoT • On the device – Tokens are good – Limiting the access of the device • On the cloud – Putting users in control of their data – Just good current practice • Demo with MQTT – But not just for MQTT – Also for the cloud, CoAP, and other protocols too
  • 44. Demo components Mosquitto (Open Source MQTT Broker) Acting as “Resource Server” Mosquitto_py_auth mqtt-oauth2.py IdP WSO2 Identity Server ESB Introspection API Refresher.py Arduino CreateToken.py 1 2 3 4 5 6
  • 46. Lessons learnt • MQTT and MPU / I2C code is 97% of Duemilanove – Adding the final logic to do OAuth2 flow pushed it to 99% – No TLS in this demo is a big issue • Different Oauth2 implementations behave differently (e.g. changing the refresh token every time you refresh) • Need to be able to update the scope of token if this will work for long term embedded devices • The refresh flow should not really go via the Resource server – Easy fix • MQTT should have a well defined model for sending a message to just one client (securely)
  • 47. What I haven’t covered enough of
  • 48. Summary • Think about security with your next device • We as a community need to make sure that the next generation of IoT devices are secure • We need to create exemplars – Shields – Libraries – Server software – Standards