WebRTC Global Summit, IoT workshop, Tim Panton

The (in)Security of ThingsTim Panton - Protocol Droid - westhawk Ltd@steely_glint

@steely_glint - Westhawk Ltd








https://www.shodan.io/explore








Security isn’t what it was.


Some common factorsWeak or no encryption

Poor Auth

Open ports

Centralised proprietary services

Unsuitable network topology

Inability to patch once shippedWe in the Telephony world have made all these mistakeslet’s help our IoT friends avoid them


RTCweb Protocol is Standardized

Secure

Widely deployed

Decentralised (?)

Realtime

Strong on Identity management

Mobile capable (and smaller) ?

User-centric


Components we need

WebRTC (datachannel) app in my smartphone

WebRTC (datachannel) embedded in a device

WebRTC service for rendevous

Some sort of pairing


Components we will use

Chrome on android (well Mac - for easy AV)

Lightweight stack on device

Simple websockets message hub (https://github.com/steely-glint/fingersmith)

QRcode pairing


Duckling protocol Described by Ross Anderson in 1990s

Device trusts first thing it sees

We flip this and the device shows QRcode

Smartphone then calls this address

First to connect claims ownership

https://www.flickr.com/photos/bunnygoth/14021732859/

https://www.flickr.com/photos/bunnygoth/14021732859/


By using webRTC data channel we have

Standardized

Secure

Widely deployed

Peer-to-Peer (NAT traversal)

Realtime

Strong on Identity management

Mobile capable (and smaller)

User-centric

tldr;WebRTC isn’t just for video calls - it can solve Internet of Everything problems too.

Tim Panton - Protocol Droid - Westhawk Ltd@steely_glint

WebRTC Global Summit, IoT workshop, Tim Panton

Technology