IoT Security: Cases and Methods [CON5446]

Posted on 15-Apr-2017


@leomrlima #J1IoTSeC

IoT Security: Cases and Methods [CON5446]

Leonardo Lima @leomrlima http://v2com.mobi


About me: Leonardo Lima

• Computer engineer, server & embedded SW developer
• From São Paulo, Brasil, now in Austin, TX
• CTO at
• Spec Lead – JSR363
• V2COM's Representative at JCP Executive Committee

[www.linkedin.com/in/leomrlima]


ASPECTS OF IOT SECURITY


On connecting things

The buzz of IoT is connecting things.

Does everything need to be connected?

The implications of connectivity


In a study…

"Attacks on Internet of Things devices will increase rapidly due to hypergrowth in the number of connected objects, poor security hygiene, and the high value of data on IoT devices."


RECENT ATTACKS AND EXPOSURES


Cameras

"Every camera [out of 9 models] had one hidden account that a consumer can't change because it's hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera."


Barbies

"On the service side, ToyTalk's server domain was susceptible to a known SSL encryption flaw called POODLE, which could allow attackers to steal communications and other data. A credentialing issue could also let attackers probe for further vulnerabilities."


Cars

"As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That's when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun."


Electrical grid

"He watched as [the mouse] navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters."


IoT Security is "messy"…


IoT Security

The Industrial Internet of Things Volume G4: Security Framework

Many different aspects, like IT/OT convergence


Security, Trust & Privacy

• Endpoint security
• Communication security between the endpoints
• Data distribution and secure storage
• Management and monitoring security of both the endpoints and the communication mechanism
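The "communication security between the endpoints" item above, as an added example that is not part of the original deck: a Java TLS client configuration for a device talking to its backend. It refuses SSLv3 (the POODLE flaw quoted in the Barbie case) and TLS 1.0/1.1, pins the cipher suites to ECDHE with AES-GCM, turns on hostname verification, and can present a client certificate from a KeyStore.Builder such as the PKCS#11 builder for a Secure Element. The class name and the broker host and port in the comment are assumptions for illustration.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

public final class HardenedTlsClient {

    // Only TLS 1.2 is offered. Enabling "SSLv3" here (as older stacks did by default) is exactly the
    // setting POODLE exploits; TLS 1.0/1.1 are dropped because they still allow CBC-only suites.
    static final String[] PROTOCOLS = {"TLSv1.2"};

    // Keep forward-secret ECDHE suites with an AEAD cipher; everything else (RSA key transport,
    // CBC, RC4, NULL, export) is filtered out of whatever the runtime supports.
    static String[] strongSuites(String[] supported) {
        return Arrays.stream(supported)
                .filter(s -> s.startsWith("TLS_ECDHE_") && s.contains("_GCM_"))
                .toArray(String[]::new);
    }

    // ksb: KeyStore.Builder holding the device's client certificate and key, e.g. the PKCS#11 builder
    // for the Secure Element. null means no client authentication, which lets this run without a token.
    static SSLContext buildContext(KeyStore.Builder ksb) throws GeneralSecurityException {
        KeyManager[] keyManagers = null;
        if (ksb != null) {
            // "NewSunX509" + KeyStoreBuilderParameters is the JSSE way to use a hardware token whose
            // key is unlocked by the builder's PIN protection rather than a key password.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
            kmf.init(new KeyStoreBuilderParameters(ksb));
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(keyManagers, null, null); // null trust managers = platform default trust store
        return ctx;
    }

    static SSLSocket hardenedSocket(SSLContext ctx) throws IOException {
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(); // unconnected
        SSLParameters p = sock.getSSLParameters();
        p.setProtocols(PROTOCOLS);
        p.setCipherSuites(strongSuites(sock.getSupportedCipherSuites()));
        // Check the server certificate against the host name we connect to; without this a valid
        // certificate for any name would be accepted.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(p);
        return sock;
    }

    public static void main(String[] args) throws Exception {
        SSLSocket s = hardenedSocket(buildContext(null));
        System.out.println("protocols: " + Arrays.toString(s.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(s.getEnabledCipherSuites()));
        // Against a real backend (hypothetical host/port):
        // s.connect(new java.net.InetSocketAddress("broker.example", 8883)); s.startHandshake();
    }
}
```

Pass the `KeyStore.Builder` from the Secure Element slide as `ksb` and the same client code authenticates with a key that never leaves the hardware; if `strongSuites` returns an empty array on a given runtime the handshake fails closed rather than silently downgrading.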


USING JAVA FOR A (MORE) SECURE IOT


Java Cryptography Architecture

Provides pluggable cryptography: support for many different providers and capabilities, selected by name at run time rather than compiled in.

Supports standards like PKCS#11, TLS and many others.

Standard implementations ship in Java SE VMs.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html


Secure Element

Provides a safe place to execute sensitive code and store hardware identity and private keys.

Hardware protection to prevent tampering.

Many form factors.


Secure Element

Easy-to-use code to enable security:

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Path of the SunPKCS11 configuration file naming the vendor's PKCS#11 library for the Secure Element
// (placeholder path; the slide does not give one)
String PKCS11_CONFIG = "/etc/pkcs11/se.cfg";

// Create a PKCS#11 cryptographic provider which uses the Secure Element
// (Java 8 form; on Java 9+ use Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG))
Provider myPKCS11Provider = new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG);

// The PIN code protecting the Secure Element ("0000" is the slide's demo value;
// a production PIN comes from provisioning, never from source code)
char[] myPIN = {'0', '0', '0', '0'};

// Create a KeyStore corresponding to the Secure Element
KeyStore.PasswordProtection pinProtection = new KeyStore.PasswordProtection(myPIN);
KeyStore.Builder ksb = KeyStore.Builder.newInstance("PKCS11", myPKCS11Provider, pinProtection);
KeyStore ks = ksb.getKeyStore();

// Add the SE as a cryptographic provider (useful when it is not possible to pass a provider explicitly)
Security.addProvider(myPKCS11Provider);

// We sign with ECDSA; for a PKCS#11 key, JCA routes the operation to the SE's provider,
// so the private key never leaves the hardware
Signature ecSign = Signature.getInstance("SHA256withECDSA");

// Retrieve the signature key in the keystore by its alias, unlocked with the same PIN
PrivateKey privKey = (PrivateKey) ks.getKey("SignKey", myPIN);

// And we sign!
String s1 = "hello, JavaOne";  // data to sign (not defined on the slide)
ecSign.initSign(privKey);
ecSign.update(s1.getBytes(StandardCharsets.UTF_8));
byte[] signature = ecSign.sign();
```
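The code above covers only the device half of the exchange. As an added example, not the deck's code, here is what it buys on the other side: the backend keeps the device's public key, provisioned once at enrollment as DER-encoded SubjectPublicKeyInfo, and rejects any reading whose signature does not verify, including a reading altered by a single bit in transit. `sign()` accepts whatever `PrivateKey` a `KeyStore` returns, so the PKCS#11 key from the Secure Element slide plugs in unchanged, which is the JCA pluggability the earlier slide describes; this run uses a software EC key as a stand-in so it works without a token. The class name and the JSON meter reading are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;

public final class SignedTelemetry {

    static final String ALG = "SHA256withECDSA";

    // Device side. The caller hands in the PrivateKey from any KeyStore: with the PKCS#11 KeyStore of
    // the slide it is a handle into the Secure Element and JCA dispatches to that provider; with the
    // software key used in main() the default provider does the work. The code is identical.
    static byte[] sign(PrivateKey key, byte[] message) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(message);
        return s.sign();
    }

    // Server side. The backend stores only the public key (PublicKey.getEncoded(), X.509 SPKI DER)
    // captured at enrollment and checks every message against it.
    static boolean verify(byte[] spkiDer, byte[] message, byte[] signature) throws GeneralSecurityException {
        PublicKey pub = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(spkiDer));
        Signature v = Signature.getInstance(ALG);
        v.initVerify(pub);
        v.update(message);
        try {
            return v.verify(signature);
        } catch (SignatureException e) {
            return false; // malformed signature bytes are a failed check, not a server crash
        }
    }

    public static void main(String[] args) throws Exception {
        // Software stand-in for the Secure Element's key pair (hypothetical device, P-256 like most SEs)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair device = kpg.generateKeyPair();
        byte[] provisioned = device.getPublic().getEncoded(); // what the backend keeps from enrollment

        // Constructed sample reading the device sends
        byte[] reading = "{\"meter\":\"A1\",\"kwh\":12.5}".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(device.getPrivate(), reading);
        System.out.println("genuine reading verifies:  " + verify(provisioned, reading, sig));

        // Same signature, one bit of the payload flipped on the wire
        byte[] tampered = reading.clone();
        tampered[tampered.length - 2] ^= 0x01;
        System.out.println("tampered reading verifies: " + verify(provisioned, tampered, sig));

        // A second device's key cannot impersonate the first
        KeyPair other = kpg.generateKeyPair();
        byte[] forged = sign(other.getPrivate(), reading);
        System.out.println("other device's signature:  " + verify(provisioned, reading, forged));
    }
}
```

Run as written it prints true, false, false. To move the device half onto real hardware, replace `device.getPrivate()` with the `privKey` obtained from the PKCS#11 `KeyStore` on the slide and ship `ks.getCertificate("SignKey").getPublicKey().getEncoded()` to the backend at enrollment; `verify()` does not change.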


Java Card

Mini-Java for Secure Elements and Trusted Execution Environments.

Led by the Java Card Forum (it is not JCP related).


Q & A


Thanks!
