WEBINAR AUTHENTICATING “THINGS” THE PITFALLS AND PROMISES OF AUTHENTICATION IN THE CONSUMER IoT JUNE 2016 MICHAEL THELANDER
Apr 13, 2017
AGENDA
1. WHAT’S SO REVOLUTIONARY?
   Industrial vs. Consumer IoT
   Unexpected risks and rewards
2. AUTHENTICATION IN THE IoT
   Authentication standards & guidelines
   “Three from Three” Guidance
3. IF AUTHENTICATION FAILS
   New and frightening hacks
   What’s next?
YOU ARE YOUR DEVICE
Your device as your proxy
A MERCANTILE REVOLUTION
• Guns, cloth, iron and beer
• Slaves, gold, spices
• Slaves, raw sugar, and molasses
• Whale oil, lumber, cotton, rum and tobacco
The crown orchestrated a complex global dance that leveraged the best knowledge and the most favorable terms anywhere in the world.
A MERCANTILE REVOLUTION
At the top of the pyramid, Great Britain used these imports to manufacture and distribute complex products that created vast wealth and power.
A MERCANTILE REVOLUTION
• Closer to the raw materials needed for production
• Respond immediately to change
• Intimate understanding of all parts of a complex process
• Organize and manage their own markets
MICHAEL THELANDER
PRODUCT MARKETING MANAGER, AUTHENTICATION
• Manages go-to-market, launch and customer education activities for iovation’s authentication products.
• 20 years in VP- and director-level product management and marketing roles for technology and information security companies.
TWO FACES OF THE IoT
KEY DIFFERENCES BETWEEN INDUSTRIAL AND CONSUMER IoT
INDUSTRIAL IoT
• Security and privacy standards and guidelines are an inherent part of the picture
• Device lifespan can be measured in decades
• Criticality of RTOS
• Continuity of data is a major consideration
CONSUMER IoT
• Minimal attention to security standards and guidelines; consumers blasé about privacy
• Device lifespan can be measured in months
• Less-than-critical infrastructure in most current cases
• Expected gaps in data flow
“BIG DATA” BECOMES PERSONAL
INTERNET-CONNECTED DEVICES: 4.9 B in 2015, 20.8 B in 2020 (450%)
STORAGE REQUIRED FOR THE DATA: 10,000 EB in 2015, 40,000 EB in 2020 (400%)
(One exabyte can hold 500 to 1000 times the entire content of the Library of Congress.)
“These technical guidelines cover remote digital authentication of human users to IT systems over a network… However do not specifically address machine-to-machine (such as router-to-router) authentication, or establish specific requirements for issuing authentication credentials and authenticators to machines and servers when they are used in authentication protocols with people.”
New v 63-3: due soon
THREE FROM THREE
GUIDANCE FROM THREE PIECES OF RECENT RESEARCH
“Others have pointed to the need to research methods that provide context-based authentication as a new factor in an authentication process.”
THREE FROM THREE: CSA
CLOUD SECURITY ALLIANCE – IRM AND SMARTPHONES
1. Identity Relationship Management (IRM) replaces IAM
   • Consumers and things over employees
   • Internet-scale over Enterprise-scale
   • Borderless over perimeter
2. Use of smartphones as a primary means of authentication in the IoT
   • Context-based authentication over MFA
   • Enterprise-level local authentication to IoT devices
   • Single sensor for multiple authentication methods:
THREE FROM THREE: CSA
IoT SECURITY FOR CONSUMER DEVICES
3. Leverage the security controls built into standards-based IoT protocols

Protocol        M2M Auth Options
MQTT            Username / password
CoAP            preShared Key, rawPublicKey
XMPP            Multiple options
DDS             x.509 Certificates (PKI), Tokens
Zigbee          Pre-shared keys
Bluetooth       Shared key
Bluetooth LE    Connection signature resolving key
HTTP/REST       TLS or OAUTH 2
THREE FROM THREE: CSA
CLOUD SECURITY ALLIANCE SUMMARY GUIDANCE ON IoT
3. Leverage the security controls built into standards-based IoT protocols
• Low memory: works on micro-controllers with as little as 10 KiB of RAM
• Default choice of DTLS parameters is equivalent to 3072-bit RSA keys
• CoAP integrates with XML, JSON, CBOR, or data format of choice
• REST model integrates with typical sites and applications
“No single method for peer authentication and end-to-end data protection meets the Internet of Things (IoT) device security and operational requirements.”
THREE FROM THREE: GARTNER
IT’S NOT JUST A PHONE
1. Mobile devices can be gateways, consumers, or IoT nodes
THREE FROM THREE: GARTNER
NOT ALL DEVICES ARE CREATED EQUAL
2. Understand domains, classes of devices, and “delegation of trust”
   • Class 1: Simple sensors or actuators
   • Class 2: Can perform storage or analysis, e.g. hubs, concentrators, gateways
   • Class 3: Complex devices, servers that can act as aggregators, e.g. security analytics
THREE FROM THREE: GARTNER
TRUST MODELS MATTER
3. Building a trust model based on “hops”
   • No hop: trust is achieved by the device authenticating to the local gateway
   • Single hop: the device authenticates to the gateway, and the gateway to an IoT service or application
   • Multihop: trust is achieved by devices authenticating to trust anchors (gateways), and then the trust anchors federate trust across all required domains and trust models
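The three hop models above can be walked through in code. The following is an added example written for this page, not Gartner's or any vendor's code: the device proves possession of a pre-shared key to its local gateway (no hop, the PSK style listed for CoAP and Zigbee earlier), the gateway then issues a short-lived, HMAC-tagged assertion to the IoT service (single hop), and a second domain accepts that assertion only if the gateway is in its federation table (multihop). The device and gateway identifiers, keys, assertion format and federation table are all constructed for illustration; a real deployment would carry these exchanges over DTLS or TLS.

```python
"""Toy model of the three trust-model "hops" in the Gartner guidance above.

Constructed illustration for this page, not Gartner's or any vendor's code.
Device identifiers, pre-shared keys, the assertion format and the federation
table are all invented; a real deployment would use DTLS/TLS credentials.
"""
import hashlib
import hmac
import json
import secrets

# Constructed key material. A device shares a key only with its local gateway
# (no hop); a gateway shares a key only with the IoT service (single hop).
DEVICE_KEYS = {"sensor-01": b"constructed-device-psk-0001"}
GATEWAY_KEYS = {"gw-home": b"constructed-gateway-psk-0001"}

# Constructed federation table (multihop): which trust anchors each domain
# has agreed to accept assertions from.
FEDERATED_ANCHORS = {"home-domain": {"gw-home"}, "utility-domain": set()}


def tag(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over '|'-joined parts, hex encoded."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


# --- No hop: the device proves possession of its PSK to the local gateway ---

def gateway_challenge() -> str:
    """Fresh nonce so a captured response cannot be replayed later."""
    return secrets.token_hex(16)


def device_response(device_id: str, nonce: str) -> str:
    return tag(DEVICE_KEYS[device_id], device_id, nonce)


def gateway_verify_device(device_id: str, nonce: str, response: str) -> bool:
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    return hmac.compare_digest(tag(key, device_id, nonce), response)


# --- Single hop: the gateway vouches for the device to the IoT service ------

def gateway_issue_assertion(gateway_id: str, device_id: str, now: int) -> dict:
    """Short-lived, gateway-tagged statement that the device authenticated."""
    body = {"gw": gateway_id, "dev": device_id, "iat": now, "exp": now + 300}
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "tag": tag(GATEWAY_KEYS[gateway_id], payload)}


def service_verify_assertion(assertion: dict, now: int) -> bool:
    body = json.loads(assertion["payload"])
    key = GATEWAY_KEYS.get(body.get("gw"))
    if key is None:
        return False
    if not hmac.compare_digest(tag(key, assertion["payload"]), assertion["tag"]):
        return False
    return body["iat"] <= now < body["exp"]


# --- Multihop: a domain accepts only assertions from federated anchors ------

def domain_trusts(assertion: dict, domain: str, now: int) -> bool:
    if not service_verify_assertion(assertion, now):
        return False
    anchor = json.loads(assertion["payload"])["gw"]
    return anchor in FEDERATED_ANCHORS.get(domain, set())


def run_chain(device_id: str, gateway_id: str, domain: str, now: int) -> dict:
    """Walk all three hops and report which ones succeeded."""
    nonce = gateway_challenge()
    no_hop = gateway_verify_device(device_id, nonce, device_response(device_id, nonce))
    if not no_hop:
        return {"no_hop": False, "single_hop": False, "multihop": False}
    assertion = gateway_issue_assertion(gateway_id, device_id, now)
    return {
        "no_hop": True,
        "single_hop": service_verify_assertion(assertion, now),
        "multihop": domain_trusts(assertion, domain, now),
    }


if __name__ == "__main__":
    print(run_chain("sensor-01", "gw-home", "home-domain", now=1_000))
    print(run_chain("sensor-01", "gw-home", "utility-domain", now=1_000))
```

The point the model makes is that each hop only ever verifies the party directly in front of it: the service never sees the device's key, and the utility domain never sees the device at all, so the gateway's assertion (bounded by its expiry) is the only thing carrying the device's identity across hops. Tampering with the assertion body or presenting it to a domain that has not federated with the gateway fails at that hop.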
“Authentication is the process of verification that an individual, entity or website is who it claims to be.”
THREE FROM THREE: OWASP
IoT SECURITY GUIDANCE IN THREE CATEGORIES
1. The only guidance using three different perspectives:
   • Manufacturer IoT Guidance: The goal of this section is to help manufacturers build more secure products in the Internet of Things space.
   • Developer IoT Guidance: The goal of this section is to help developers build more secure applications in the Internet of Things space.
   • Consumer IoT Guidance: The goal of this section is to help consumers purchase secure products in the Internet of Things space.
THREE FROM THREE: OWASP
MULTI-PART SECURITY AND PRIVACY FRAMEWORK
2. A comprehensive framework:
   • 1 IoT Framework Security Considerations: Definitions
   • 2 Edge: Framework Considerations for Edge Component
   • 3 Gateway: Framework Considerations for Gateway Component
   • 4 Cloud: Framework Considerations for Cloud Component
   • 5 Mobile: Framework Considerations for Mobile Component
2 Edge: Framework Considerations for Edge Component
• Communications encryption
• Storage encryption
• Strong logging
• Auto updates / versioning
• Update verification
• Cryptographic ID capabilities
• No default passwords
• Offline security features
• Configurable root trust store
• Device and owner authentication
• Transitive ownership capabilities
• Defensive capabilities
• Plugin or ext. verify, report, update
• Secure M2M
• Secure Web interface
• Utilize established protocols
• Latest, updated 3rd-party components
• Use of hardware device
• Support MFA
• Temporal and spatial authentication
• Tracks data from insecure sources
• Features disabled by default
• Written in programming languages that possess security countermeasures
• Device monitoring and management capabilities
THREE FROM THREE: OWASP
FOCUS ON TESTING
3. Provides a unique focus on authentication testing
• Assess the solution for the use of strong passwords where authentication is needed
• Assess the solution for multi-user environments and ensure it includes functionality for role separation
• Assess the solution for implementation of two-factor authentication where possible
• Assess password recovery mechanisms
• Assess the solution for the option to require strong passwords
• Assess the solution for the option to force password expiration after a specific period
• Assess the solution for the option to change the default username and password
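The OWASP testing items above map directly onto checks an assessor can script against a device's authentication configuration. The following is an added example for this page, not OWASP's code or tooling: it takes a constructed configuration record (the schema, the factory-default credential list and the two sample configurations are all invented) and returns one finding per checklist item the device fails, so the same checks can be rerun after hardening.

```python
"""Scripted version of the OWASP authentication-testing items listed above.

Constructed illustration for this page, not OWASP's code or tooling. The
configuration schema, the factory-default credential list and the test
accounts are invented; a real assessment would read these from the device
under test.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: factory-default credentials the assessor knows for this product.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


@dataclass
class AuthConfig:
    # Test accounts the assessor provisioned: username -> password in use.
    accounts: Dict[str, str]
    roles: Dict[str, str]                # username -> role name
    mfa_available: bool                  # can a second factor be enabled?
    min_password_length: int             # policy the device can enforce
    password_expiry_days: Optional[int]  # None: expiration not supported
    recovery_method: str                 # "email-token", "security-question", "none"


def password_strong(pw: str) -> bool:
    """Length plus at least three of four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 12 and sum(classes) >= 3


def audit(cfg: AuthConfig) -> List[str]:
    """Return one finding per checklist item that the device fails."""
    findings = []
    for user, pw in cfg.accounts.items():
        if (user, pw) in KNOWN_DEFAULTS:
            findings.append(f"default username/password still active: {user}")
        elif not password_strong(pw):
            findings.append(f"weak password accepted for account: {user}")
    if len(cfg.accounts) > 1 and len(set(cfg.roles.values())) < 2:
        findings.append("multi-user environment without role separation")
    if not cfg.mfa_available:
        findings.append("two-factor authentication not available")
    if cfg.min_password_length < 12:
        findings.append("no option to require strong passwords")
    if cfg.password_expiry_days is None:
        findings.append("no option to force password expiration")
    if cfg.recovery_method in ("security-question", "none"):
        findings.append(f"inadequate password recovery mechanism: {cfg.recovery_method}")
    return findings


# Constructed sample configurations: a typical out-of-the-box device and the
# same device after hardening.
OUT_OF_BOX = AuthConfig(
    accounts={"admin": "admin", "ops": "summer2016"},
    roles={"admin": "admin", "ops": "admin"},
    mfa_available=False,
    min_password_length=8,
    password_expiry_days=None,
    recovery_method="security-question",
)
HARDENED = AuthConfig(
    accounts={"admin": "Tr0ub4dor&3-rotated", "ops": "Corr3ct-Horse-Batt3ry"},
    roles={"admin": "admin", "ops": "operator"},
    mfa_available=True,
    min_password_length=12,
    password_expiry_days=90,
    recovery_method="email-token",
)

if __name__ == "__main__":
    for name, cfg in (("out-of-box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```

The strength rule and the list of known defaults are deliberately simple placeholders; what matters for the assessment is that every item on the OWASP list has a concrete, repeatable check behind it, and that the hardened configuration comes back clean.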
SUMMARIZING THE “THREE FROM THREE”
1. Identity relationship management – not IAM – is key
2. Smartphones will be the primary means of authentication in the IoT
3. Leverage built-in security controls
4. Mobile devices will fill multiple roles in the IoT scheme
5. Domains & classes drive delegation of trust models
6. Build your trust model based on “hops”
7. Multiple perspectives matter
8. Provides a comprehensive framework
9. Provides a unique authentication focus
DEVICE-BASED AUTHENTICATION
THE USER’S DEVICE AS A ROBUST, INVISIBLE SECOND FACTOR
Web Device Print
• MD5 Hash of the full font list
• Random sample of 15 fonts
• Flash SharedObjects not writable
• Flash socket 843 based IP (real IP)
• Boolean indicator: Flash took longer than expected to execute
• Accepted Char Sets in HTTP header
• Accepted languages in HTTP header
• Browser user agent comment string
• Browser name / OS / Ver / language
• Cookie writes excluded
• Boolean indicator, JavaScript enabled
• Count of fonts in the full list
• Flash 3-part version (16.0.0)
• Flash 4-part version (16.0.0.305)
• List of browser plugins
• JavaScript screen resolution
• Simbar toolbar GUID from HTTP hdr
• Timezone offset in minutes
• ... and more
iOS SDK
• WiFi (or Bluetooth) MAC Address
• Network configuration
• iOS Device Model
• Battery level / AC mode
• Device orientation
• File system size
• Physical memory
• CPU Type / Count / Speed
• Number attached accessories
• Has proximity sensor?
• Screen brightness and resolution
• System uptime
• iOS Device Name (MD5 Hash)
• OS Name and/or version
• Device advertising UUID
• Kernel version
• iCloud Ubiquity Token
• Application Vendor UUID / name / vers
• Locale language / currency code
• … and 100s more
Android SDK
• Model and Device Model
• Build.DEVICE & Build.HARDWARE
• Build.HOST & Build.ID
• Manufacturer
• Build.PRODUCT & Build.TIME
• Network Operator ID & Name
• Sim Operator ID & Country
• System Uptime in Seconds
• Is the device plugged in
• CPU Type
• Physical memory
• Unique build fingerprint of app
• Android SDK Level
• Android Build Number (DISPLAY)
• Android Device System Version
• Detected attempt at hiding root detect
• Kernel Version (was AKV)
• Android Locale Country Code
• Desktop Wallpaper Hash
• … and 100s more
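What turns attribute lists like the ones above into an "invisible second factor" is the comparison step: a returning device is rarely byte-for-byte identical to the enrolled one, so the server has to distinguish normal drift (a browser update, a new font) from a different machine. The following is an added example for this page, not iovation's algorithm or SDK: it builds a stable print from a small constructed subset of web attributes, scores a returning device with invented per-attribute weights, and reports whether the device is known, has drifted within tolerance, or is unknown and should be sent to an explicit second factor. The attribute set, weights, threshold and sample prints are all constructed.

```python
"""Constructed illustration of device-based authentication: turn attributes
like those listed above into a device print, then decide whether a returning
device is the one on record. This is not iovation's algorithm or SDK; the
attribute set, weights, threshold and sample prints are invented.
"""
import hashlib
import json
from typing import Dict, Tuple

# Constructed weights: attributes that rarely change for a legitimate user
# (OS, CPU, screen) count more than ones that drift with normal updates.
WEIGHTS = {
    "os": 3.0,
    "cpu_type": 3.0,
    "screen_resolution": 2.0,
    "timezone_offset_min": 1.5,
    "accept_language": 1.5,
    "font_list_md5": 1.0,
    "plugins": 1.0,
    "user_agent": 0.5,
}


def device_print(attrs: Dict[str, str]) -> str:
    """Stable identifier: SHA-256 over the canonical JSON of the attributes."""
    canonical = json.dumps({k: attrs.get(k) for k in WEIGHTS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def similarity(stored: Dict[str, str], observed: Dict[str, str]) -> float:
    """Weighted share of attributes that still match, 0.0 to 1.0."""
    matched = sum(w for k, w in WEIGHTS.items() if stored.get(k) == observed.get(k))
    return matched / sum(WEIGHTS.values())


def assess(stored: Dict[str, str], observed: Dict[str, str],
           threshold: float = 0.85) -> Tuple[str, float]:
    """Classify the returning device. Anything below the threshold should
    trigger an explicit second factor rather than silently passing."""
    if device_print(stored) == device_print(observed):
        return "known", 1.0
    score = similarity(stored, observed)
    return ("drifted", score) if score >= threshold else ("unknown", score)


# Constructed sample prints.
ENROLLED = {
    "os": "Windows 10", "cpu_type": "x86_64", "screen_resolution": "1920x1080",
    "timezone_offset_min": "-420", "accept_language": "en-US,en",
    "font_list_md5": "d41d8cd98f00b204e9800998ecf8427e", "plugins": "pdf,flash",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/45.0",
}
# Same machine after a browser update and a font install.
AFTER_UPDATE = dict(ENROLLED,
                    user_agent="Mozilla/5.0 (Windows NT 10.0) Firefox/46.0",
                    font_list_md5="9e107d9d372bb6826bd81d3542a419d6")
# Different hardware, OS and timezone presenting the same account.
DIFFERENT_MACHINE = dict(ENROLLED, os="Android 6.0", cpu_type="arm64",
                         screen_resolution="1080x1920", timezone_offset_min="180")

if __name__ == "__main__":
    for name, obs in (("same", ENROLLED), ("updated", AFTER_UPDATE),
                      ("other", DIFFERENT_MACHINE)):
        print(name, assess(ENROLLED, obs))
```

The exact hash only ever matches an unchanged device; the weighted score is what absorbs the drift the slide's "... and more" attributes produce in practice. Where the threshold sits is a risk decision: too low and a different machine passes as the user's, too high and every browser update forces a step-up.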