Building Secure IoT Ecosystems With AWS

Chandler Howell's AWS Chicago user group presentation "IoT Security in AWS"

Apr 06, 2017


Technology

AWSChicago
Transcript
Page 1: Chandler Howell's AWS Chicago user group presentation "IoT Security in AWS"

Building Secure IoT Ecosystems With AWS

Page 2:

Topic: IoT/Security/TOC/#

{ "Message": "Background, The Ecosystem, Precursors, AWS Overall, Infrastructure, Multi-Tenancy, Transport, Clients, LWT, Resources" }

Page 3:

IoT/Security/Background/WhoAmI

I’m Chandler Howell
Director of Engineering at Nexum
[email protected]
@chandlerhowell on Twitter

Nexum is a Network & Security Reseller & Consultancy
* Headquartered in Chicago
* Presence East of the Mississippi River
* http://nexuminc.com

Page 4:

IoT/Security/Background/Why

Hopefully, to have wasted your time

Started talking IoT Security in 2015
* How it sucked
* Why it sucked
* Why it mattered

Page 5:

IoT/Security/Ecosystem/#

* AWS
  * AWS IoT
  * Infrastructure
* Transport
  * RESTful HTTP
  * WebSocket
  * MQTT
* Things
  * Sensors
  * Devices
* Clients
  * Apps
  * APIs
  * Web portals

Gotta Secure ‘em All!

Page 6:

IoT/Security/Precursors/HowToFAIL

What am I hoping you’ll avoid?

FAILURE
* Harming people
* Being in the news
* Device recalls/updates
* Getting sued
* Corporate bankruptcy
* Bringing bad products to market

Page 7:

IoT/Security/Precursors/BakedIn

Security happens before the Things

Baked in, not painted on

Page 8:

IoT/Security/Precursors/Challenge

I’m here to pose questions

It’s up to you to answer them

Page 9:

IoT/Security/Precursors/Policies

You’re in the Data Business now
* What data do you collect?
* How long do you retain it?
* Who owns the data you collect?

Do you have a published Privacy Policy?
* Have you calibrated your business model with it?
* Does it cover both Internal & Third Party Use, Sharing and Disclosure?

Do you have a published Service Level Agreement?

Do you have Incident Response & Disaster Recovery Plans?

Page 10:

IoT/Security/Precursors/Assumptions

If you must assume, assume things will go wrong.

* Connectivity will fail
  * Network
  * Device Association
* Vulnerabilities will be found
* Devices will be compromised
* Keys/Credentials will be compromised
  * Retail (client)
  * Wholesale (server keys)
* Data might be breached or destroyed

How will each of these affect...
* ...your customers?
* ...your product?
* ...your company?

Page 11:

IoT/Security/Precursors/Challenges

How will you…
* Push updates to Things
  * When would you force an update?
  * Cryptographically verify those updates
* Track versions
  * Deal with version incompatibilities
* Deal with potential downtime

Page 12:

IoT/Security/Precursors/Transport

* How much data can you lose to outages?
* How much data can you queue?
* If you can’t publish to a Thing...
  * What telemetry is lost?
  * What functionality is lost?
* How will you handle network limits?
  * Blocking MQTT
  * Blocking HTTPS
  * Blocking un-inspected SSL/TLS

Page 13:

IoT/Security/AWS

Expect to use LOTS of services
* Manage access through IAM Policies & Roles
* Segment where it makes sense
* Consider CRUD needs for all access (Create, Read, Update, Delete)

AWS provides some features by default
* DDoS Protection

Page 14:

IoT/Security/AWS/EC2

* This is a great place to get pwned
  * “Traditional” IT brings Traditional problems
* ALL SERVERS SHOULD BE EPHEMERAL
  * “Pets vs. Cattle”
* Amazon Inspector is your friend
  * https://aws.amazon.com/inspector/
  * Security Scanning
  * Can be automated with Lambda & SNS
  * Ticketing, e.g. into Jira

Page 15:

IoT/Security/AWS/Monitoring

You can’t find what you don’t look for

Log & alert changes to:
* Running instances
* Policies
* IAM Roles
* Accounts
* Security Groups
* Billing Events
* Workload spikes
* Errors & Exceptions

Page 16:

IoT/Security/AWS/HowToWin

* Harden the environment
  * Delete the Root Access Keys
  * Enable Multi-Factor/Strong Authentication
* Adhere to the Principle of Least Privilege
  * Don’t just hand out Permissions
  * RTFM on Policies & Permissions
  * AWS Provides Sample Policies
* Don’t forget your processes
  * User Management
  * IT Inventory & Asset Management
  * Vulnerability & Configuration Management
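An added example for the Monitoring and HowToWin slides above (not part of the deck): a small classifier that runs over CloudTrail records and raises a label for root-account use, API errors, and changes to instances, security groups, policies, roles and accounts. The event names are real CloudTrail/API action names; the log records are constructed for the example, and the account id 111122223333 is a placeholder.

```python
import json

# CloudTrail event names (real API action names) that change what the slide
# says to log and alert on: instances, security groups, IAM policies, roles,
# accounts. An allow-list of names you know beats pattern-matching on "Create*".
WATCHED_EVENTS = {
    "ec2.amazonaws.com": {"RunInstances", "TerminateInstances", "CreateSecurityGroup",
                          "DeleteSecurityGroup", "AuthorizeSecurityGroupIngress",
                          "RevokeSecurityGroupIngress"},
    "iam.amazonaws.com": {"CreateUser", "DeleteUser", "CreateAccessKey", "CreateRole",
                          "AttachRolePolicy", "PutRolePolicy", "CreatePolicy",
                          "CreatePolicyVersion", "DeactivateMFADevice"},
}

def classify(record):
    # Label one CloudTrail record, or return None if it is routine.
    if record.get("userIdentity", {}).get("type") == "Root":
        return "root-account-used"    # the root user should not be doing anything
    if record.get("errorCode"):
        return "api-error"            # errors & exceptions, AccessDenied included
    if record.get("eventName") in WATCHED_EVENTS.get(record.get("eventSource"), ()):
        return "config-change"
    return None

def alerts_from_log(lines):
    # lines: newline-delimited JSON, one CloudTrail record per line.
    alerts = []
    for line in lines:
        rec = json.loads(line)
        label = classify(rec)
        if label:
            alerts.append((rec["eventTime"], label, rec["eventName"],
                           rec.get("userIdentity", {}).get("arn", "unknown")))
    return alerts

# Constructed sample records in CloudTrail's field layout, not real events.
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLE_LOG = [json.dumps(r) for r in (
    {"eventTime": "2017-04-06T18:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "userIdentity": _ALICE},
    {"eventTime": "2017-04-06T18:00:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": _ALICE},
    {"eventTime": "2017-04-06T18:00:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2017-04-06T18:00:04Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": _ALICE,
     "errorCode": "Client.UnauthorizedOperation"},
)]
```

Wire `alerts_from_log` to a CloudTrail-to-CloudWatch Logs or S3-event Lambda and forward the returned tuples to SNS; the read-only DescribeInstances record is the one that produces no alert.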

Page 17:

IoT/Security/AWS/HowToWin/2

Minimize your Attack Surfaces
* Only expose Public Services to the Internet
* Segment where it makes sense
* Limit internal access to Production
* Make use of AWS’ IAM & RBAC
  * RBAC is a de facto inter-service firewall

Use real remote access
* Direct Connect
* Layer 3 VPN
* Bastion Host/Jump Box
  * Assuming you absolutely HAVE to access instances directly

Page 18:

IoT/Security/AWS/Infrastructure/PSA

Public Service Announcement:

Don’t put your infrastructure raw on the Internet!

Don’t be a…
* MongoDB or ElasticSearch mass hack victim
* VTech hack victim
* CloudPets hack victim

Page 19:

IoT/Security/AWS/MultiTenancy

Assume you need multi-tenancy…
* How distinct must the segregation be?
* Separate accounts
  * Cumbersome, but most effective
* Separate data stores
  * Do-able, but shifts complexity into the business logic
* Common data stores with key fields
  * Best option if it is an option

Page 20:

IoT/Security/Multi-Tenancy/IAM

* Not complete or by default in all services
* Fine-grained access control through AWS Identity & Access Management (IAM)
  * But… some Control Plane calls are not (yet), e.g. “list-things” will show all devices, not just a tenant’s devices
  * Wrap that API to filter to just the tenant via device registry

Page 21:

IoT/Security/Multi-Tenancy/HowToWin

* Define Requirements up front
  * How much segregation is enough?
* Review each service’s capabilities
  * Make sure you solve before you commit
* Include tests for cross-tenant failure
  * Can you CRUD resources you should not be able to?
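An added example for the two Multi-Tenancy slides above (not part of the deck): the wrapper that filters an account-wide list-things to one tenant, plus the cross-tenant CRUD test the second slide asks for. The in-memory registry stands in for the real client, tenant ownership is assumed to live in a `tenant` thing attribute (a convention, not an AWS default), and the sample things are constructed.

```python
class InMemoryRegistry:
    # Stand-in for the account-wide thing registry (boto3's iot client in real
    # code): list_things returns every thing in the account, any tenant.
    def __init__(self, things):
        self._things = {t["thingName"]: t for t in things}
    def list_things(self):
        return list(self._things.values())
    def describe_thing(self, name):
        return self._things.get(name)
    def update_thing(self, name, attributes):
        self._things[name]["attributes"].update(attributes)
    def delete_thing(self, name):
        del self._things[name]

class TenantScopedRegistry:
    # Scopes every call to one tenant, identified by a 'tenant' attribute on
    # each thing (a convention assumed here, not an AWS default).
    def __init__(self, registry, tenant):
        self._reg, self.tenant = registry, tenant
    def _mine(self, thing):
        return thing is not None and thing["attributes"].get("tenant") == self.tenant
    def list_things(self):
        # list-things is account-wide: filter before anything leaves the wrapper.
        return [t for t in self._reg.list_things() if self._mine(t)]
    def describe_thing(self, name):
        # Same error for "does not exist" and "belongs to another tenant", so a
        # caller cannot learn which thing names exist elsewhere.
        thing = self._reg.describe_thing(name)
        if not self._mine(thing):
            raise PermissionError(f"{self.tenant}: no such thing {name!r}")
        return thing
    def update_thing(self, name, attributes):
        self.describe_thing(name)  # ownership check
        # Pin the tenant attribute so a tenant cannot re-home a thing.
        self._reg.update_thing(name, dict(attributes, tenant=self.tenant))
    def delete_thing(self, name):
        self.describe_thing(name)
        self._reg.delete_thing(name)

def cross_tenant_checks(registry, tenant, thing_name):
    # The negative test the slide asks for: True only if every CRUD attempt on
    # thing_name by this tenant is refused with PermissionError.
    scoped, refused = TenantScopedRegistry(registry, tenant), 0
    for op, args in (("describe_thing", ()), ("update_thing", ({"fw": "2"},)),
                     ("delete_thing", ())):
        try:
            getattr(scoped, op)(thing_name, *args)
        except PermissionError:
            refused += 1
    return refused == 3

SAMPLE_THINGS = [  # constructed sample data, not a real registry
    {"thingName": "sensor-a1", "attributes": {"tenant": "acme"}},
    {"thingName": "sensor-b1", "attributes": {"tenant": "globex"}}]
```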

Page 22:

IoT/Security/AWS/Lambda

* This is where the magic happens
  * Good Magic, like working code
  * Bad Magic: AppSec vulnerabilities
* Resources like OWASP apply here, too
  * http://www.owasp.org (Open Web Application Security Project)
  * SANS also has great AppSec training: http://sans.org

Page 23:

IoT/Security/AWS/Transport/+

* 3 Options within AWS
  * HTTP (RESTful)
  * WebSocket
  * Message Queue Telemetry Transport (MQTT)

Page 24:

IoT/Security/Transport/HTTP

* HTTP
  * POST to a RESTful API
  * Only scales so far
  * Included for completeness
* <AWS IoT Endpoint>/topics/<url_encoded_topic_name>?qos=1
  * Uses AWS Signature Version 4
  * Add either a Query String param or an Authorization: header

    GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
    Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
    content-type: application/x-www-form-urlencoded; charset=utf-8
    host: iam.amazonaws.com
    x-amz-date: 20150830T123600Z
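An added example (not from the deck) of the four SigV4 tasks that produce the Authorization header shown above, using only the standard library. The secret key is the one AWS's SigV4 documentation pairs with the example access key AKIDEXAMPLE; a publish to <endpoint>/topics/<topic>?qos=1 is signed the same way with the IoT endpoint as host and the data-plane service name in place of "iam".

```python
import hashlib
import hmac

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def sigv4_authorization(method, host, path, query, headers, body,
                        access_key, secret_key, region, service, amz_date):
    """Authorization header value for one request. `headers` are the extra
    headers to sign; host and x-amz-date are always signed. `query` must be
    URL-encoded and sorted; `amz_date` is the x-amz-date value."""
    # Task 1: canonical request (lowercased, trimmed, name-sorted headers).
    signed = {k.lower(): v.strip() for k, v in headers.items()}
    signed["host"], signed["x-amz-date"] = host, amz_date
    names = sorted(signed)
    canonical_request = "\n".join([
        method, path, query,
        "".join(f"{k}:{signed[k]}\n" for k in names),
        ";".join(names), _sha256_hex(body)])
    # Task 2: string to sign, bound to the credential scope.
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Task 3: derive a per-day, per-region, per-service signing key, so the
    # long-term secret never signs a request directly or goes on the wire.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    # Task 4: sign and assemble the header the slide shows.
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={';'.join(names)}, Signature={signature}")

def sign_listusers_example() -> str:
    """The GET ListUsers request from the slide, signed with the example
    secret key that AWS's SigV4 documentation pairs with AKIDEXAMPLE."""
    return sigv4_authorization(
        "GET", "iam.amazonaws.com", "/", "Action=ListUsers&Version=2010-05-08",
        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        b"", "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        "us-east-1", "iam", "20150830T123600Z")
```

Because the signature covers the date, region, service and every signed header, a captured header cannot be replayed against another service or after the request's validity window, which is why a long-lived credential on a device still needs protecting but a single signed request leaks far less.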

Page 25:

IoT/Security/Transport/WebSocket

* WebSocket tunnels MQTT over HTTP(S)
  * Good for passing firewalls
  * Runs over port 443
  * Uses the HTTP UPGRADE verb
* AWS also uses Signature Version 4
  * URL Format: wss://<endpoint>.iot.<region>.amazonaws.com/mqtt
* Best if you have a hub forwarding traffic
  * Either no MQTT allowed
  * or older, crypto-incapable devices

Page 26:

IoT/Security/Transport/MQTT

* Publish-Subscribe protocol
  * 1st implementation 1999
  * Designed for high-latency, low bandwidth
  * Lightweight
    * Bandwidth
    * CPU
* Can be secure, but can be Not Secure, too

Page 27:

IoT/Security/Transport/MQTT/QoS

* 3 Quality of Service (QoS) Options
  * 0 – At most once
    * Best Effort
    * No retry, no acknowledgement
  * 1 – At least once
    * Retry until acknowledgement received
    * May result in multiple deliveries
  * 2 – Guaranteed single delivery
    * Full send-ack transaction & queueing

Page 28:

IoT/Security/Transport/MQTT/Authentication

* Multiple Options
  * No Authentication (Don’t do this)
  * Topic-based Pseudo-auth (Another NOPE)
  * Username/Password (Don’t do this either)
  * X.509 Certificates (Do this)
    * AWS makes this easy

Page 29:

IoT/Security/Transport/MQTT/HowToFail

* Authentication
  * No Authentication
  * Weak Authentication
* Not encrypting Traffic
  * MQTT+TLS For The Win
  * (Unless absolutely necessary)

Page 30:

IoT/Security/Transport/MQTT/HowToWin

* Use X.509 Certificates for Authentication
* Always use TLS if possible
* Use AWS IAM to define device roles
  * Follow Principle of Least Privilege
* Test for Information Leakage
  * e.g. aws iot list-things in multi-tenant environments
* If you have insecure legacy devices, use a broker for secure upstream transport

Page 31:

(Yes, that’s the username & password being sent in the clear!)

IoT/Security/Transport/MQTT/PSA

Public Service Announcement:

Username & Password are even less of your friend than usual
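An added example (not from the deck) that makes the slide's capture concrete: an encoder and decoder for the MQTT 3.1.1 CONNECT packet, the one message that carries the client id, the optional username/password, and the Last Will and Testament. Parsing a constructed packet recovers the password verbatim, which is exactly what any observer on an unencrypted path can do; the client id, credentials and will topic used here are made up.

```python
import struct

def _mqtt_str(s):
    b = s.encode("utf-8")                        # 2-byte big-endian length prefix
    return struct.pack("!H", len(b)) + b

def build_connect(client_id, username=None, password=None, will=None, keep_alive=60):
    # MQTT 3.1.1 CONNECT; will is an optional (topic, message) Last Will and Testament.
    flags, payload = 0x02, _mqtt_str(client_id)  # bit 1: clean session
    if will:
        flags |= 0x04                            # bit 2: will flag
        payload += _mqtt_str(will[0]) + _mqtt_str(will[1])
    if username is not None:
        flags |= 0x80                            # bit 7: username follows
        payload += _mqtt_str(username)
    if password is not None:
        flags |= 0x40                            # bit 6: password follows
        payload += _mqtt_str(password)
    body = _mqtt_str("MQTT") + b"\x04" + bytes([flags]) + struct.pack("!H", keep_alive) + payload
    length, n = b"", len(body)                   # variable-length "remaining length"
    while n >= 128:
        length, n = length + bytes([n % 128 | 0x80]), n // 128
    return b"\x10" + length + bytes([n]) + body

def parse_connect(packet):
    # Decode a CONNECT as a capture shows it: without TLS, every field returned
    # here, username and password included, was readable on the wire.
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    i, n, mult = 1, 0, 1                         # decode the remaining length
    while i == 1 or packet[i - 1] & 0x80:
        i, n, mult = i + 1, n + (packet[i] & 0x7F) * mult, mult * 128
    body = packet[i:i + n]
    def take(pos):
        ln = struct.unpack_from("!H", body, pos)[0]
        return body[pos + 2:pos + 2 + ln].decode("utf-8"), pos + 2 + ln
    proto, pos = take(0)
    flags = body[pos + 1]
    out = {"protocol": proto, "level": body[pos], "clean_session": bool(flags & 0x02),
           "keep_alive": struct.unpack_from("!H", body, pos + 2)[0]}
    out["client_id"], pos = take(pos + 4)
    if flags & 0x04:
        out["will_topic"], pos = take(pos)
        out["will_message"], pos = take(pos)
    if flags & 0x80:
        out["username"], pos = take(pos)
    if flags & 0x40:
        out["password"], pos = take(pos)
    return out
```

With TLS the same bytes are inside the encrypted record, and with X.509 client authentication the password field is not needed at all.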

Page 32:

IoT/Security/Clients

* Researcher focus has largely been on clients
  * Soft targets
  * Riddled with Amateur Hour vulnerabilities
  * Weak machines
  * Under their physical control
  * Fewer legal issues
* Ecosystem testing still the realm of authorized testers
  * They don’t generally publish
  * So less data to assume against

Page 33:

IoT/Security/Clients/HowToFail

* A few pitfalls to avoid
  * Use of no/default credentials
  * Re-use of keys or credentials
  * Hard coding credentials
  * Assuming a friendly deployment environment
  * Running unnecessary services
    * Especially network services
  * Not using signed/secure images

Page 34:

IoT/Security/Clients/HowToWin

* Incorporate security into your design
  * Threat Model
  * Educate yourself on AppSec
* Scan/Attack your services & device ports
  * Dynamic Analysis tools
* Run Static Analysis tools on your source code
  * Or at least include failure-mode tests
* Consider credential storage on the client
  * How hard is credential (key) compromise?
  * What do those keys get you?
  * Do you leak credentials, e.g. Wi-Fi?

Page 35:

IoT/Security/LWT

I’ve asked you a lot of questions, so I guess it’s only fair to let you ask me some.

Page 36:

IoT/Security/Resources

* Security & Identity for AWS IoT
  https://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html
* Things I wish I’d known before I started working with AWS
  https://wblinks.com/notes/aws-tips-i-wish-id-known-before-i-started/
  * especially this change monitoring script: https://s3.amazonaws.com/reinvent2013-sec402/SecConfig.py
* AWS Security Blog Post: Automatic Remediation with AWS Inspector
  https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/
* MQTT Security Fundamentals
  http://www.hivemq.com/mqtt-security-fundamentals/
* AWS IoT Protocols
  https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html
* How to bridge Mosquitto MQTT Broker to AWS IoT
  https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/
* Multi-Tenant Storage with DynamoDB
  https://aws.amazon.com/blogs/apn/multi-tenant-storage-with-amazon-dynamodb/
* AWS Access Management
  https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html