Only a year ago we launched AWS IoT, and at re:Invent we showed how AWS IoT makes it easy to secure millions of connected devices. However, we have learned from our customers that a number of unique security challenges for the Internet of Things (IoT) exist.
2. What to expect from the session
• System, transport and thing security
• Fine-grained authorization
• Thing management
• Pub/sub data access
• AWS services integration
• Incident response
• End-to-end IoT security (demo)
3. Idea for this talk started from the quote …
“Every IoT security article:
• IoT is big
• IoT security is bad
• Consequences are scary
• Change default settings
• Buy my product
• Problem not solved …”
Dr. Sarah Cooper
June 2, 2016
9. IoT security needs to be effective yet simple
“… pilots and race car drivers were willing to put on almost anything to keep them safe in case of a crash, but regular people in cars don't want to be uncomfortable even for a minute.”
Nils Bohlin
20. Authorization – IAM policies
[Diagram labels: IAM unauthenticated or authenticated role; Amazon Cognito; AWS credentials (services); temporary AWS credentials (users); third-party service; AWS service]
21. Authorization – IoT policies
Fine-grained access for each device with a single policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:1234567890:client/${iot:Certificate.Subject.CommonName.1}",
      "Effect": "Allow"
    }, {
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"
      ],
      "Effect": "Allow"
    } ]
}
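How the single policy above scopes each device to its own client ID and topic subtree, as an added example (not code from the talk, and not AWS's policy evaluator). It is a simplified model: exact action names, `*` and `?` resource wildcards, and the certificate common name inserted as literal text are assumptions of this sketch, and the `pump-*` names are constructed.

```python
import re

VAR = "${iot:Certificate.Subject.CommonName.1}"
BASE = "arn:aws:iot:eu-west-1:1234567890:"  # region and account as written on the slide

# The slide's policy, one document shared by every device.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "iot:Connect", "Effect": "Allow",
     "Resource": BASE + "client/" + VAR},
    {"Action": "iot:Publish", "Effect": "Allow",
     "Resource": [BASE + "topic/sensordata/" + VAR,
                  BASE + "topic/sensordata/" + VAR + "/*"]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _to_regex(pattern, cert_cn):
    """Expand the policy variable, then translate policy wildcards (* and ?)."""
    out = []
    for i, literal in enumerate(pattern.split(VAR)):
        if i:  # a variable stood here: insert the CN as literal text (assumption)
            out.append(re.escape(cert_cn))
        for ch in literal:
            out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "".join(out)

def is_allowed(policy, action, resource_arn, cert_cn):
    """Default deny; an explicit Deny overrides any Allow (simplified model)."""
    allowed = False
    for st in policy["Statement"]:
        if action not in _as_list(st["Action"]):
            continue
        if any(re.fullmatch(_to_regex(r, cert_cn), resource_arn)
               for r in _as_list(st["Resource"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def demo(cn="pump-1"):  # constructed certificate common name
    checks = [("iot:Connect", "client/pump-1"), ("iot:Connect", "client/pump-2"),
              ("iot:Publish", "topic/sensordata/pump-1/temp"),
              ("iot:Publish", "topic/sensordata/pump-10/temp")]
    return {res: is_allowed(POLICY, act, BASE + res, cn) for act, res in checks}

if __name__ == "__main__":
    print(demo())
```

The second Publish resource ends in `/*` rather than `*`, which is why `pump-1` cannot write into the `pump-10` subtree even though one name is a prefix of the other.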
40. Strong device security
Atmel/Microchip AWS-ECC508
• Straightforward provisioning and secure key storage
• Crypto-operations offloading for constrained hardware
41. Live demo
Cesanta Mongoose IoT Firmware (mongoose-iot.com)
• Hardware agnostic: ESP8266, TI CC3200 and others
• Secure: SSL/TLS, Microchip ATECC508A crypto-chip support
• Develop in C, or JavaScript, or both
• Networking: MQTT, WebSocket, CoAP, HTTP/HTTPS and others
• Mongoose Embedded Web Server and Networking Library
Customers: NASA, Dell, Samsung, HP and many others
45. IoT device identity requirements
• Every device must have a Trustable Identity
• Private key can never be revealed!!!
• Authenticate every entity with which you communicate
• Authentication Process must be trusted
47. Attackers don’t need physical access!
Rowhammer
Modify DRAM state to gain kernel privileges
Acoustic Cryptanalysis
Listen to component vibration across room, extract keys
http://www.tau.ac.il/~tromer/acoustic/
Timing Attack (First published in 1996)
Extract confidential data based on response delay
48. Get critical stuff out of the micro!
ATECC508A-AWS
• Root of trust for secure code
• High security key storage
• Less code = Lower cost
• 10x-100x faster than MCU
49. What makes ATECC508A a vault?
• Advanced Security Circuitry: active shield, internal encryption, randomization, tampers, no JTAG, …
• Strong attack defenses: microprobe, timing, emissions, faults, glitches, temperature
[Figure labels: Standard Devices; Microchip Security Devices]
50. Comprehensive thing security
• Keys never leave chip - No back doors!
• Software asks for keys to be used - chip accelerates math using the key
• Elliptic curve algorithm in hardware – can’t exploit software bugs!
51. Secure in the factory
Private key generated entirely inside the ATECC508A
• Completely random
• NEVER readable
• NEVER known by anybody
Certificates generated by world-class HSMs at Microchip
• Protected in state-of-the-art secure facilities
No special equipment or procedures required in the OEM factory
52. Microchip’s factory provisioning
• Secure Facilities: 24/7 camera monitored, locked cages, network isolation, physical access control
• Hardware Security Modules (HSM): highly secure computers, world-class certifications: FIPS 140-2, CC EAL 4+, …
53. Easy to get started
Reference design
• ARM® Cortex®-M4 microcontroller
• Wi-Fi® connectivity
• ATECC508A pre-configured for AWS IoT
• I/O module
• Root CA & Intermediate CA demo dongles
• FreeRTOS
• WolfSSL TLS 1.2
• MQTT client
• JSON library
• Example Application with 6 I/Os
Source code & Documentation on GitHub:
https://github.com/MicrochipTech/AWS-Secure-Insight
54. Easy OEM setup
[Diagram labels: IoT OEM; Root of Trust; Root CA; OEM CA; Customer-Specific Production Signers; OEM’s AWS Account]
1. OEM creates AWS IoT account, sets up OEM CA
   Existing OEM capability, 3rd party Trusted CA, Microchip CA kit
2. OEM creates certificates for Microchip production signers
3. OEM registers production signer certificates into their AWS account
55. Zero touch provisioning - Manufacture
[Diagram labels: IoT OEM; Root of Trust; Root CA; OEM Certificate; Customer-Specific Production Signers]
1. Microchip ships ATECC508A including certificates to board shop
2. IoT provisioning easy: assemble ATECC508A into IoT product
3. Final product ships with little or no cloud enrollment instructions or actions needed
56. Zero touch provisioning - Field
[Diagram labels: IoT Device #NN; OEM AWS Account; Customer-Specific Production Signers; Device #NN]
Device certificate automatically transferred to AWS and registered on first connection
57. Easy prototyping
[Diagram labels: IoT OEM; Root of Trust; Root CA; Signing USB Dongle; OEM Lab; OEM USB Dongle]
1. Development kits readily available from distributors
2. Includes turnkey USB dongles set up to model the OEM CA and the Microchip production signers
3. Use to create demonstration systems and alpha units for testing and qualification
58. Easily secure your AWS IoT device
ATECC508A-AWS
• Secure Keys - Ultimate protection for keys to prevent any software attack, accelerate ECC up to 100x faster
• Fast Design - Prototyping kits available now, complete reference design on the web, tiny package fits any system
• Easy Manufacturing - Secure and seamless manufacturing logistics. JITR means Ready-to-Go with AWS out of the box