AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

Apr 13, 2017

iovation
Transcript
Page 1: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

WEBINAR

AUTHENTICATING “THINGS”: THE PITFALLS AND PROMISES OF AUTHENTICATION IN THE CONSUMER IoT

JUNE 2016

MICHAEL THELANDER

Page 3: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

AGENDA

1. WHAT’S SO REVOLUTIONARY? Industrial vs. Consumer IoT; unexpected risks and rewards

2. AUTHENTICATION IN THE IoT: Authentication standards & guidelines; “Three from Three” guidance

3. IF AUTHENTICATION FAILS: New and frightening hacks; what’s next?

4. YOU ARE YOUR DEVICE: Your device as your proxy

Page 4: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

WHAT’S SO REVOLUTIONARY… ABOUT THE INTERNET OF THINGS?

Page 5: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

A MERCANTILE REVOLUTION

Guns, cloth, iron and beer

Slaves, gold, spices

Slaves, raw sugar, and molasses

Whale oil, lumber, cotton, rum and tobacco

The crown orchestrated a complex global dance that leveraged the best knowledge and the most favorable terms anywhere in the world.

Page 6: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

A MERCANTILE REVOLUTION

At the top of the pyramid, Great Britain used these imports to manufacture and distribute complex products that created vast wealth and power.

Page 7: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

A MERCANTILE REVOLUTION

• Closer to the raw materials needed for production

• Respond immediately to change

• Intimate understanding of all parts of a complex process

• Organize and manage their own markets

Page 8: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

That’s a bit like what’s happening in the industrial IoT today.

Page 9: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

MICHAEL THELANDER, PRODUCT MARKETING MANAGER, AUTHENTICATION

• Manages go-to-market, launch and customer education activities for iovation’s authentication products.

• 20 years in VP- and director-level product management and marketing roles for technology and information security companies.

Page 18: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

What about the consumer IoT?

Page 19: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

TWO FACES OF THE IoT: KEY DIFFERENCES BETWEEN INDUSTRIAL AND CONSUMER IoT

INDUSTRIAL IoT

• Security and privacy standards and guidelines are an inherent part of the picture

• Device lifespan can be measured in decades

• Criticality of RTOS

• Continuity of data is a major consideration

CONSUMER IoT

• Minimal attention to security standards and guidelines; consumers blasé about privacy

• Device lifespan can be measured in months

• Less-than-critical infrastructure in most current cases

• Expected gaps in data flow

Page 25: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“The smartphone will become the foundational banking tool.”

Page 29: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

Security. Privacy.

Page 30: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“BIG DATA” BECOMES PERSONAL

INTERNET-CONNECTED DEVICES: 4.9 B in 2015, 20.8 B in 2020 (450%)

STORAGE REQUIRED FOR THE DATA: 10,000 EB in 2015, 40,000 EB in 2020 (400%)

(One exabyte can hold 500 to 1000 times the entire content of the Library of Congress.)

Page 33: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

AUTHENTICATION IN THE IoT

Page 34: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

Authentication.

Page 35: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“Hello. It’s me.”

Page 42: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“These technical guidelines cover remote digital authentication of human users to IT systems over a network… However do not specifically address machine-to-machine (such as router-to-router) authentication, or establish specific requirements for issuing authentication credentials and authenticators to machines and servers when they are used in authentication protocols with people.”

New v 63-3: Due Soon

Page 44: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: GUIDANCE FROM THREE PIECES OF RECENT RESEARCH

Page 45: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“Others have pointed to the need to research methods that provide context-based authentication as a new factor in an authentication process.”

Page 46: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: CSA (CLOUD SECURITY ALLIANCE): IRM AND SMARTPHONES

1. Identity Relationship Management (IRM) replaces IAM

• Consumers and things over employees

• Internet-scale over enterprise-scale

• Borderless over perimeter

2. Use of smartphones as a primary means of authentication in the IoT

• Context-based authentication over MFA

• Enterprise-level local authentication to IoT devices

• Single sensor for multiple authentication methods

Page 47: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: CSA: IoT SECURITY FOR CONSUMER DEVICES

3. Leverage the security controls built into standards-based IoT protocols

Protocol        M2M Auth Options
MQTT            Username / password
CoAP            preSharedKey, rawPublicKey
XMPP            Multiple options
DDS             x.509 Certificates (PKI), Tokens
Zigbee          Pre-shared keys
Bluetooth       Shared key
Bluetooth LE    Connection signature resolving key
HTTP/REST       TLS or OAUTH 2

Page 48: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: CSA: CLOUD SECURITY ALLIANCE SUMMARY GUIDANCE ON IoT

3. Leverage the security controls built into standards-based IoT protocols

• Low memory: works on micro-controllers with as little as 10 KiB of RAM

• Default choice of DTLS parameters is equivalent to 3072-bit RSA keys

• CoAP integrates with XML, JSON, CBOR, or the data format of choice

• REST model integrates with typical sites and applications

Page 49: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“No single method for peer authentication and end-to-end data protection meets the Internet of Things (IoT) device security and operational requirements.”

Page 50: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: GARTNER: IT’S NOT JUST A PHONE

1. Mobile devices can be gateways, consumers, or IoT nodes

Page 51: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: GARTNER: NOT ALL DEVICES ARE CREATED EQUAL

2. Understand domains, classes of devices, and “delegation of trust”

• Class 1: Simple sensors or actuators

• Class 2: Can perform storage or analysis, e.g. hubs, concentrators, gateways

• Class 3: Complex devices, servers that can act as aggregators, e.g. security analytics

Page 52: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: GARTNER: TRUST MODELS MATTER

3. Building a trust model based on “hops”

• No hop: trust is achieved by the device authenticating to a local gateway

• Single hop: device authenticates to the gateway, and the gateway to an IoT service or application

• Multihop: trust is achieved by devices authenticating to trust anchors (gateways), and then the trust anchors federate trust across all required domains and trust models
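The three hop models above, as an added worked example (not from the webinar or from Gartner): a toy Python model in which a device authenticates to its gateway with a pre-shared key, the gateway acts as trust anchor and issues an HMAC attestation, and a service in the same domain (single hop) or a federated domain (multihop) verifies that attestation without ever holding the device key. Device and gateway names, keys and the federation table are constructed placeholders.

```python
# Added example, not from the webinar or Gartner: a toy "hops" trust model.
# Keys, gateway/device names and the federation table are constructed;
# HMAC-SHA256 stands in for the protocol's real authentication (e.g. CoAP PSK).
import hashlib
import hmac
import json
from typing import Optional

# Trust anchors: each gateway shares a key with its own domain's IoT service.
GATEWAY_KEYS = {"gw-home": b"gw-home-key", "gw-utility": b"gw-utility-key"}
# Devices share a key only with their local gateway, never with the service.
DEVICE_KEYS = {"thermostat-01": b"thermostat-01-psk"}
# Multihop federation: foreign gateways whose attestations a domain accepts.
FEDERATED = {"utility": {"gw-home"}}

def mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def device_auth(device_id: str, nonce: str, key: bytes) -> dict:
    """No hop: the device answers the gateway's challenge with its PSK."""
    return {"device": device_id, "nonce": nonce, "tag": mac(key, device_id + nonce)}

def gateway_attest(gw_id: str, claim: dict, nonce: str) -> Optional[dict]:
    """Gateway checks the device's proof; if valid it signs an attestation."""
    psk = DEVICE_KEYS.get(claim["device"])
    if psk is None or claim["nonce"] != nonce:
        return None
    if not hmac.compare_digest(claim["tag"], mac(psk, claim["device"] + nonce)):
        return None
    body = json.dumps({"gateway": gw_id, "device": claim["device"]}, sort_keys=True)
    return {"body": body, "tag": mac(GATEWAY_KEYS[gw_id], body)}

def service_verify(domain: str, home_gateway: str, attest: dict) -> bool:
    """Single hop (own gateway) or multihop (federated gateway): the service
    trusts the anchor's attestation and never handles the device key."""
    gw = json.loads(attest["body"])["gateway"]
    trusted = gw == home_gateway or gw in FEDERATED.get(domain, set())
    if not trusted or gw not in GATEWAY_KEYS:
        return False
    return hmac.compare_digest(attest["tag"], mac(GATEWAY_KEYS[gw], attest["body"]))

def demo() -> tuple:
    """Returns (single-hop ok, multihop ok, forged attestation ok)."""
    nonce = "n-7f3a"  # constructed gateway challenge
    claim = device_auth("thermostat-01", nonce, DEVICE_KEYS["thermostat-01"])
    att = gateway_attest("gw-home", claim, nonce)
    single_hop = service_verify("home", "gw-home", att)
    multi_hop = service_verify("utility", "gw-utility", att)
    forged = dict(att, body=att["body"].replace("thermostat-01", "camera-02"))
    return single_hop, multi_hop, service_verify("home", "gw-home", forged)

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

A device presenting the wrong PSK is rejected by its gateway before any attestation exists, so the federated service never has to reason about individual device credentials.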

Page 53: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“Authentication is the process of verification that an individual, entity or website is who it claims to be.”

Page 54: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: OWASP: IoT SECURITY GUIDANCE IN THREE CATEGORIES

1. The only guidance using three different perspectives:

• Manufacturer IoT Guidance: The goal of this section is to help manufacturers build more secure products in the Internet of Things space.

• Developer IoT Guidance: The goal of this section is to help developers build more secure applications in the Internet of Things space.

• Consumer IoT Guidance: The goal of this section is to help consumers purchase secure products in the Internet of Things space.

Page 55: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: OWASP: MULTI-PART SECURITY AND PRIVACY FRAMEWORK

2. A comprehensive framework:

• 1 IoT Framework Security Considerations: Definitions

• 2 Edge: Framework Considerations for Edge Component

• 3 Gateway: Framework Considerations for Gateway Component

• 4 Cloud: Framework Considerations for Cloud Component

• 5 Mobile: Framework Considerations for Mobile Component

2 Edge: Framework Considerations for Edge Component

• Communications encryption

• Storage encryption

• Strong logging

• Auto updates / versioning

• Update verification

• Cryptographic ID capabilities

• No default passwords

• Offline security features

• Configurable root trust store

• Device and owner authentication

• Transitive ownership capabilities

• Defensive capabilities

• Plugin or ext. verify, report, update

• Secure M2M

• Secure Web interface

• Utilize established protocols

• Latest, updated 3rd-party components

• Use of hardware device

• Support MFA

• Temporal and spatial authentication

• Tracks data from insecure sources

• Features disabled by default

• Written in programming languages that possess security countermeasures

• Device monitoring and management capabilities

Page 56: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

THREE FROM THREE: OWASP: FOCUS ON TESTING

3. Provides a unique focus on authentication testing

• Assess the solution for the use of strong passwords where authentication is needed

• Assess the solution for multi-user environments and ensure it includes functionality for role separation

• Assess the solution for implementation of two-factor authentication where possible

• Assess password recovery mechanisms

• Assess the solution for the option to require strong passwords

• Assess the solution for the option to force password expiration after a specific period

• Assess the solution for the option to change the default username and password

Page 57: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

SUMMARIZING THE “THREE FROM THREE”

1. Identity relationship management, not IAM, is key

2. Smartphones will be the primary means of authentication in the IoT

3. Leverage built-in security controls

4. Mobile devices will fill multiple roles in the IoT scheme

5. Domains & classes drive delegation of trust models

6. Build your trust model based on “hops”

7. Multiple perspectives matter

8. Provides a comprehensive framework

9. Provides a unique authentication focus

Page 58: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

AUTHENTICATION FAIL: INTRIGUING HACKS IN THE IoT

Page 62: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

YOU ARE YOUR DEVICE: YOUR TRUSTWORTHY PROXY?

Page 63: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

“Hello. It’s me.”

Page 66: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

• BIOMETRICS

• IP ADDRESS

• JAILBROKEN OR ROOTED

• GEO LOCATION

• ASSOCIATIONS

• SECURITY RISK

Page 67: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

DEVICE-BASED AUTHENTICATION: THE USER’S DEVICE AS A ROBUST, INVISIBLE SECOND FACTOR

Web Device Print

• MD5 hash of the full font list

• Random sample of 15 fonts

• Flash SharedObjects not writable

• Flash socket 843 based IP (real IP)

• Boolean indicator: Flash took longer than expected to execute

• Accepted char sets in HTTP header

• Accepted languages in HTTP header

• Browser user agent comment string

• Browser name / OS / version / language

• Cookie writes excluded

• Boolean indicator: JavaScript enabled

• Count of fonts in the full list

• Flash 3-part version (16.0.0)

• Flash 4-part version (16.0.0.305)

• List of browser plugins

• JavaScript screen resolution

• Simbar toolbar GUID from HTTP header

• Timezone offset in minutes

• ... and more

iOS SDK

• WiFi (or Bluetooth) MAC address

• Network configuration

• iOS device model

• Battery level / AC mode

• Device orientation

• File system size

• Physical memory

• CPU type / count / speed

• Number of attached accessories

• Has proximity sensor?

• Screen brightness and resolution

• System uptime

• iOS device name (MD5 hash)

• OS name and/or version

• Device advertising UUID

• Kernel version

• iCloud Ubiquity Token

• Application vendor UUID / name / version

• Locale language / currency code

• … and 100s more

Android SDK

• Model and device model

• Build.DEVICE & Build.HARDWARE

• Build.HOST & Build.ID

• Manufacturer

• Build.PRODUCT & Build.TIME

• Network operator ID & name

• SIM operator ID & country

• System uptime in seconds

• Is the device plugged in

• CPU type

• Physical memory

• Unique build fingerprint of app

• Android SDK level

• Android build number (DISPLAY)

• Android device system version

• Detected attempt at hiding root detection

• Kernel version (was AKV)

• Android locale country code

• Desktop wallpaper hash

• … and 100s more
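The attribute lists above are raw material; what makes the device usable as a second factor is how they are combined. The following is an added example (not iovation's code) that separates stable attributes from volatile ones such as battery level and uptime, scores how closely a returning device matches its enrollment, and steps up to another factor when a jailbroken/rooted signal or a low score appears. Attribute names, weights, the threshold and every sample value are constructed.

```python
# Added example, not iovation's code: device recognition as a second factor,
# built from a subset of the attributes listed above. Attribute names,
# weights, the threshold and all sample values are constructed.
import hashlib
from typing import Dict, List, Tuple

# Only attributes that rarely change between sessions carry weight; volatile
# ones the slide lists (battery level, uptime, brightness) are ignored here.
STABLE_WEIGHTS = {"mac_hash": 4, "device_model": 3, "os_version": 2, "cpu_type": 2,
                  "physical_memory": 1, "screen_resolution": 1, "locale": 1,
                  "timezone_offset": 1}
# Signals the deck calls out as security risk: treated as step-up triggers.
RISK_FLAGS = {"jailbroken_or_rooted", "root_hiding_detected"}

def fingerprint(attrs: Dict[str, str]) -> str:
    """Stable device identifier: hash of the stable attributes only (the same
    idea as the slide's MD5 of the font list; SHA-256 is used here)."""
    stable = sorted((k, v) for k, v in attrs.items() if k in STABLE_WEIGHTS)
    return hashlib.sha256(repr(stable).encode()).hexdigest()

def match_score(enrolled: Dict[str, str], seen: Dict[str, str]) -> float:
    """Weighted share of stable attributes unchanged since enrollment."""
    total = sum(STABLE_WEIGHTS.values())
    hit = sum(w for k, w in STABLE_WEIGHTS.items() if enrolled.get(k) == seen.get(k))
    return hit / total

def evaluate(enrolled: Dict[str, str], seen: Dict[str, str],
             threshold: float = 0.8) -> Tuple[str, List[str]]:
    """'allow' when the device is recognised and clean, otherwise 'step_up'
    (ask for another factor) together with the reasons."""
    flags = sorted(k for k in RISK_FLAGS if seen.get(k) == "true")
    if flags:
        return "step_up", flags                   # known device in a risky state
    score = match_score(enrolled, seen)
    if score >= threshold:
        return "allow", []                        # an OS update alone still passes
    return "step_up", ["score=%.2f" % score]      # unknown or heavily changed device

# Constructed samples: the enrolled device and three later sessions.
ENROLLED = {"mac_hash": "ab12", "device_model": "iPhone8,1", "os_version": "9.3",
            "cpu_type": "arm64", "physical_memory": "2048", "screen_resolution": "750x1334",
            "locale": "en_US", "timezone_offset": "-420", "battery_level": "81"}
SAME_DEVICE_UPDATED = dict(ENROLLED, os_version="9.3.2", battery_level="12", system_uptime="3600")
ROOTED = dict(ENROLLED, jailbroken_or_rooted="true")
OTHER_DEVICE = dict(ENROLLED, mac_hash="ff99", device_model="SM-G930", cpu_type="armv8",
                    screen_resolution="1440x2560")

if __name__ == "__main__":
    for name, seen in [("updated", SAME_DEVICE_UPDATED), ("rooted", ROOTED), ("other", OTHER_DEVICE)]:
        print(name, evaluate(ENROLLED, seen))
```

Because volatile attributes are excluded from the fingerprint, a battery change leaves it identical, while an OS update changes the fingerprint but still scores high enough to be recognised.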

Page 69: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

Q&A

Page 70: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

CONTACT US

www.iovation.com

twitter.com/iovation