Page 1: IoT Security - Boulder Startup Week 2015

Security and the Internet of Things

Jordan Stone Notion

Page 2: IoT Security - Boulder Startup Week 2015

What is Notion?

Page 3: IoT Security - Boulder Startup Week 2015

Sound

Temperature

Light

Orientation

Natural Frequency

Proximity

Acceleration

Water

@notion

Page 4: IoT Security - Boulder Startup Week 2015

4.9 Billion connected devices by 2020

*http://www.gartner.com/newsroom/id/2905717

@notion

Page 5: IoT Security - Boulder Startup Week 2015

5.9 million: average cost in USD of a data breach

http://www.accudatasystems.com/assets/2014-cost-of-a-data-breach-study.pdf

@notion

Page 6: IoT Security - Boulder Startup Week 2015

So who cares about security for the Internet of Things?

Page 7: IoT Security - Boulder Startup Week 2015

Everyone!

Page 8: IoT Security - Boulder Startup Week 2015

…including hackers

Page 9: IoT Security - Boulder Startup Week 2015

Defcon 2015

• Not all hackers are bad hackers

• Examples:

• Angelina Jolie in the movie Hackers

• Defcon

• IoT Village

• Focused solely on hacking IoT devices

• Flaws must be presented to manufacturer before being entered in the contest

Page 10: IoT Security - Boulder Startup Week 2015

But some hackers are bad hackers

Page 11: IoT Security - Boulder Startup Week 2015

Like this guy

Page 12: IoT Security - Boulder Startup Week 2015

And this guy

Page 13: IoT Security - Boulder Startup Week 2015

Was he a ninja?

Page 14: IoT Security - Boulder Startup Week 2015

Why you care

• Bad hackers want your personal information

• More connected devices means more data

• More connected devices means more insecure connected devices

• Do you really want a hacker to know when you leave for work every day, or where your kids go to school?

Page 15: IoT Security - Boulder Startup Week 2015

Why you care Business version

• It costs a lot of money. A lot. Of. Money.

• Consumer trust is harder to gain and almost impossible to win back

• It will happen, even if you didn’t know it happened

Page 16: IoT Security - Boulder Startup Week 2015

What happens if your fridge gets hacked?

• Maybe nothing

• Maybe hackers know how much milk you drink

• Or that you’re not home

• Or they trigger your smart lock to unlock

Page 17: IoT Security - Boulder Startup Week 2015

Who’s been hacked?

• Refrigerators

• Thermostats

• Light bulbs

• You, probably. Just kidding.

Page 18: IoT Security - Boulder Startup Week 2015

What needs to be encrypted?

• M2M communication

• M2* communication

• User information

• Firmware files

• Databases

• Passwords/Keys

Page 19: IoT Security - Boulder Startup Week 2015

What kinds of security are available for IoT?

Page 20: IoT Security - Boulder Startup Week 2015

Symmetric Key Encryption

• Involves the use of a shared set of keys, typically with the same key used for encryption and decryption

• Advanced Encryption Standard (AES)

• Difficult to share keys securely, especially if you don’t own the whole supply chain

Page 21: IoT Security - Boulder Startup Week 2015

Asymmetric Key Encryption

• Involves a public/private key pair

• Also known as public key encryption

• This is how most of the internet works (e.g. SSL, TLS)

• Still susceptible to Man-in-the-Middle attacks

Page 22: IoT Security - Boulder Startup Week 2015

Blockchains

• Most famously used to record and verify Bitcoin transactions

• Track the history of devices via transactions

• Operates independently and is trustless

Page 23: IoT Security - Boulder Startup Week 2015

Private/Proprietary Encryption

• Don’t do this

• Don’t trust a product whose company does this

• Don’t recommend to your friend to do this

• Maybe recommend it to your competition

• On second thought, don’t

• Open Smart Grid Protocol did this and failed

https://threatpost.com/weak-homegrown-crypto-dooms-open-smart-grid-protocol/112680

Page 24: IoT Security - Boulder Startup Week 2015

“This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever.”

“Dumb Crypto in Smart Grids” authors

https://threatpost.com/weak-homegrown-crypto-dooms-open-smart-grid-protocol/112680

Page 25: IoT Security - Boulder Startup Week 2015

Security of Popular IoT Communication Platforms

Page 26: IoT Security - Boulder Startup Week 2015

ZigBee

• Uses a MIC and shared private key to encrypt/decrypt data

• Coordinator is considered the “trust center”

• Establishes keys

• Frame protection

• Key management

• OTA Key Setup is unsecured

Page 27: IoT Security - Boulder Startup Week 2015

Thread

• Devices join the network through your smartphone

• Leverages AES encryption for communication

• Uses product install codes to ensure only authorized devices join the network

• Supports public-key encryption

• Encrypted at network and application layers

Page 28: IoT Security - Boulder Startup Week 2015

AllSeen Alliance

• Provides end-to-end application security

• No authentication at the routing layer

• Authentication and encryption keys are stored in a key store managed by the Security module

• Uses the Simple Authentication and Security Layer (SASL) to secure communication

• Uses a master secret and session key to authenticate and encrypt communication

Page 29: IoT Security - Boulder Startup Week 2015

How Does Notion do Security?

Page 30: IoT Security - Boulder Startup Week 2015

Notion’s Security Architecture

• Unique AES-256 private key for each individual product

• Sensors encrypt their own data

• Bridge is just a proxy

• Backend decrypts and processes data

• Firmware and other backend messages happen in reverse
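The two slides above (symmetric key encryption with per-device AES keys, and the sensor-encrypts / bridge-proxies / backend-decrypts pipeline) can be demonstrated end to end. The following Go program is an added example written for this transcript; it is not Notion's code and makes no claim about how Notion's firmware or backend actually work. It assumes AES-256-GCM as the symmetric mode (the deck says only "AES"), and the key derivation in ConstructedKey is a constructed stand-in for a real provisioning step. The GCM authentication tag plays the role of the MIC mentioned on the ZigBee slide: the backend rejects any packet whose ciphertext, nonce or device label was altered in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is what a sensor radios out and what the bridge forwards unchanged.
type Packet struct {
	DeviceID string // plaintext routing label, never secret
	Nonce    []byte // 12-byte GCM nonce, unique per message under a given key
	Sealed   []byte // ciphertext followed by the 16-byte authentication tag (the "MIC")
}

// ConstructedKey is a constructed, deterministic 32-byte key for the example only.
// A real product would provision a random per-device key at manufacture time.
func ConstructedKey(deviceID string) []byte {
	sum := sha256.Sum256([]byte("constructed-demo-key:" + deviceID))
	return sum[:]
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte per-device key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SensorEncrypt seals a reading with the sensor's own key. The device ID is bound
// as additional authenticated data, so a packet cannot be relabelled as coming
// from another device without failing the tag check at the backend.
func SensorEncrypt(deviceID string, key []byte, reading []byte) (Packet, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	sealed := aead.Seal(nil, nonce, reading, []byte(deviceID))
	return Packet{DeviceID: deviceID, Nonce: nonce, Sealed: sealed}, nil
}

// BridgeForward models the bridge as a pure proxy: it holds no keys, so the only
// thing it can do with a packet is relay it (here, copy it verbatim).
func BridgeForward(p Packet) Packet {
	return Packet{
		DeviceID: p.DeviceID,
		Nonce:    append([]byte(nil), p.Nonce...),
		Sealed:   append([]byte(nil), p.Sealed...),
	}
}

// Backend holds the per-device keys and is the only party able to decrypt.
type Backend struct {
	keys map[string][]byte
}

// Decrypt looks up the device key and opens the packet. Open returns an error if
// the ciphertext, tag, nonce or device label differ from what the sensor sealed.
func (b *Backend) Decrypt(p Packet) ([]byte, error) {
	key, ok := b.keys[p.DeviceID]
	if !ok {
		return nil, fmt.Errorf("unknown device %q", p.DeviceID)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Sealed, []byte(p.DeviceID))
}

func main() {
	backend := &Backend{keys: map[string][]byte{"sensor-0001": ConstructedKey("sensor-0001")}}
	pkt, _ := SensorEncrypt("sensor-0001", ConstructedKey("sensor-0001"), []byte(`{"temp_c":21.5}`))
	reading, err := backend.Decrypt(BridgeForward(pkt))
	fmt.Printf("backend recovered %q (err=%v)\n", reading, err)

	tampered := BridgeForward(pkt)
	tampered.Sealed[0] ^= 0x01 // flip one ciphertext bit in transit
	_, err = backend.Decrypt(tampered)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

The bridge function deliberately has no access to the key map; if it did, a compromised bridge would expose every sensor behind it, which is exactly the exposure the "bridge is just a proxy" design avoids.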

Page 31: IoT Security - Boulder Startup Week 2015

Notion’s Security Architecture

• All communication from our mobile apps is over HTTPS

• No sensitive information is stored in apps

• Communication between services in backend is also authenticated

• Working towards compliance with a NIST standard

Page 32: IoT Security - Boulder Startup Week 2015

Jordan Stone

Chief Software [email protected]

@cheddz

http://getnotion.com

@notion

Thanks!