The Internet of Things is here, and has begun transforming society at every level. For consumers, it brings the promise of non-stop seamless connectivity to a host of useful things, including smart cars, smart refrigerators and smart meters in homes, as well as keyless hotels, automated health and fitness tools, and internet-enabled toys.
But with this unfettered access comes the unique challenge of authentication in this new IoT world: How do we determine that someone or something is, indeed, who or what it claims to be? How do we ensure strong (and accurate) authentication in an interfaceless, machine-to-machine world?
Five Things to Know About Authentication for Consumer IoT Products:
In this webinar Michael Thelander, iovation’s product marketing manager for authentication solutions, walks through the current state of authentication in the everyday world of consumer-centric, non-industrial IoT technologies:
* What about privacy?
* What standards or frameworks are available to guide authentication in this new age?
* Is a password even necessary any more?
* How long before mobile devices become your primary proxy in the consumer IoT?
* What pitfalls might come with the burgeoning IoT? (Other than Skynet, of course)
Michael reviews recent research, cites experts in the field, and gives recommendations on how you and your customers can “stay ahead of the power curve” as the number of consumers with IoT devices begins its hockey-stick growth.
AGENDA
1. WHAT’S SO REVOLUTIONARY?
   Industrial vs. Consumer IoT
   Unexpected risks and rewards
2. AUTHENTICATION IN THE IoT
   Authentication standards & guidelines
   “Three from Three” Guidance
3. IF AUTHENTICATION FAILS
   New and frightening hacks
   What’s next?
4. YOU ARE YOUR DEVICE
   Your device as your proxy
A MERCANTILE REVOLUTION
Trade goods shown on the map: guns, cloth, iron and beer; slaves, gold, spices; slaves, raw sugar, and molasses; whale oil, lumber, cotton, rum and tobacco.
The crown orchestrated a complex global dance that leveraged the best knowledge and the most favorable terms anywhere in the world.
A MERCANTILE REVOLUTION
At the top of the pyramid, Great Britain used these imports to manufacture and distribute complex products that created vast wealth and power.
A MERCANTILE REVOLUTION
• Closer to the raw materials needed for production
• Respond immediately to change
• Intimate understanding of all parts of a complex process
• Organize and manage their own markets
That’s a bit like what’s happening in the industrial IoT today.
MICHAEL THELANDER
PRODUCT MARKETING MANAGER, AUTHENTICATION
• Manages go-to-market, launch and customer education activities for iovation’s authentication products.
• 20 years in VP- and director-level product management and marketing roles for technology and information security companies.
TWO FACES OF THE IoT
KEY DIFFERENCES BETWEEN INDUSTRIAL AND CONSUMER IoT

INDUSTRIAL IoT
• Security and privacy standards and guidelines are an inherent part of the picture
• Device lifespan can be measured in decades
• Criticality of RTOS
• Continuity of data is a major consideration

CONSUMER IoT
• Minimal attention to security standards and guidelines; consumers blasé about privacy
• Device lifespan can be measured in months
• Less-than-critical infrastructure in most current cases
• Expected gaps in data flow
“BIG DATA” BECOMES PERSONAL
INTERNET-CONNECTED DEVICES: 4.9 B in 2015 to 20.8 B in 2020 (450%)
STORAGE REQUIRED FOR THE DATA: 10,000 EB in 2015 to 40,000 EB in 2020 (400%)
(One exabyte can hold 500 to 1000 times the entire content of the Library of Congress.)
“These technical guidelines cover remote digital authentication of human users to IT systems over a network… However, [they] do not specifically address machine-to-machine (such as router-to-router) authentication, or establish specific requirements for issuing authentication credentials and authenticators to machines and servers when they are used in authentication protocols with people.”
(NIST SP 800-63-2; the new revision, 800-63-3, is due soon.)
THREE FROM THREE
GUIDANCE FROM THREE PIECES OF RECENT RESEARCH
“Others have pointed to the need to research methods that provide context-based authentication as a new factor in an authentication process.”
THREE FROM THREE: CSA
CLOUD SECURITY ALLIANCE: IRM AND SMARTPHONES
1. Identity Relationship Management (IRM) replaces IAM
   • Consumers and things over employees
   • Internet-scale over enterprise-scale
   • Borderless over perimeter
2. Use of smartphones as a primary means of authentication in the IoT
   • Context-based authentication over MFA
   • Enterprise-level local authentication to IoT devices
   • Single sensor for multiple authentication methods
THREE FROM THREE: CSA
IoT SECURITY FOR CONSUMER DEVICES
3. Leverage the security controls built into standards-based IoT protocols

Protocol        M2M Auth Options
MQTT            Username / password
CoAP            PreSharedKey, RawPublicKey (DTLS security modes)
XMPP            Multiple options
DDS             X.509 certificates (PKI), tokens
Zigbee          Pre-shared keys
Bluetooth       Shared key
Bluetooth LE    Connection Signature Resolving Key (CSRK)
HTTP/REST       TLS or OAuth 2
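The table lists username/password as MQTT’s built-in option. In MQTT 3.1.1 that credential travels as two length-prefixed strings in the payload of the CONNECT packet, so it is exactly as confidential as the transport underneath it: on the plain tcp/1883 listener a passive observer reads it, on the TLS listener (tcp/8883) it sits inside the record layer. The Python below is an added example, not code from the deck or from iovation: it builds a CONNECT packet, parses it back the way a broker or sniffer would, and checks whether the password bytes are visible in the raw packet. The client ID, username and password are constructed values.

```python
"""Added example: MQTT 3.1.1 CONNECT packet encoder/decoder (not from the deck)."""
import struct
from typing import Dict, Optional, Tuple

CONNECT = 0x10            # fixed-header byte: packet type 1 (CONNECT) in the high nibble
FLAG_USERNAME = 0x80      # connect-flags bit 7
FLAG_PASSWORD = 0x40      # connect-flags bit 6
FLAG_WILL = 0x04          # connect-flags bit 2
FLAG_CLEAN_SESSION = 0x02


def _mqtt_string(value: bytes) -> bytes:
    """MQTT string: 2-byte big-endian length prefix followed by the bytes."""
    if len(value) > 0xFFFF:
        raise ValueError("MQTT string too long")
    return struct.pack(">H", len(value)) + value


def _remaining_length(n: int) -> bytes:
    """Variable-length encoding of the remaining length (7 bits per byte, up to 4 bytes)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def encode_connect(client_id: str, username: Optional[str] = None,
                   password: Optional[bytes] = None, keep_alive: int = 60) -> bytes:
    """Build a CONNECT packet; username/password go into the payload in the clear."""
    flags = FLAG_CLEAN_SESSION
    payload = _mqtt_string(client_id.encode())
    if username is not None:
        flags |= FLAG_USERNAME
        payload += _mqtt_string(username.encode())
    if password is not None:
        if username is None:
            raise ValueError("MQTT 3.1.1: a password requires a username")
        flags |= FLAG_PASSWORD
        payload += _mqtt_string(password)
    var_header = _mqtt_string(b"MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive)
    body = var_header + payload
    return bytes([CONNECT]) + _remaining_length(len(body)) + body


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated MQTT string")
    return buf[pos:pos + n], pos + n


def decode_connect(packet: bytes) -> Dict[str, object]:
    """Parse a CONNECT packet exactly as a broker (or an on-path observer) would."""
    if packet[0] != CONNECT:
        raise ValueError("not a CONNECT packet")
    pos, length, mult = 1, 0, 1
    while True:                      # decode the variable-length remaining length
        b = packet[pos]
        pos += 1
        length += (b & 0x7F) * mult
        mult *= 128
        if not b & 0x80:
            break
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    name, p = _read_string(body, 0)
    if name != b"MQTT" or body[p] != 4:
        raise ValueError("unsupported protocol name/level")
    flags = body[p + 1]
    keep_alive = struct.unpack_from(">H", body, p + 2)[0]
    p += 4
    client_id, p = _read_string(body, p)
    if flags & FLAG_WILL:            # skip will topic and will message if present
        _, p = _read_string(body, p)
        _, p = _read_string(body, p)
    username = password = None
    if flags & FLAG_USERNAME:
        username, p = _read_string(body, p)
    if flags & FLAG_PASSWORD:
        password, p = _read_string(body, p)
    return {"client_id": client_id.decode(), "username": None if username is None else username.decode(),
            "password": password, "keep_alive": keep_alive, "clean_session": bool(flags & FLAG_CLEAN_SESSION)}


def credentials_in_clear(packet: bytes) -> bool:
    """True when the password bytes appear verbatim in the packet, i.e. what a sniffer on tcp/1883 sees."""
    pw = decode_connect(packet)["password"]
    return pw is not None and pw in packet


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pkt = encode_connect("thermostat-0042", username="thermo", password=b"hunter2")
    print(pkt.hex())
    print(decode_connect(pkt))
    print("password visible on the wire:", credentials_in_clear(pkt))
```

The check that matters for the table is the last one: MQTT’s own authentication contributes no confidentiality, so “username/password” in the M2M column only means something when the broker refuses non-TLS connections (or the device is on an isolated link).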
THREE FROM THREE: CSA
CLOUD SECURITY ALLIANCE SUMMARY GUIDANCE ON IoT
3. Leverage the security controls built into standards-based IoT protocols (CoAP as the example)
• Low memory: works on microcontrollers with as little as 10 KiB of RAM
• Default choice of DTLS parameters is equivalent to 3072-bit RSA keys
• CoAP integrates with XML, JSON, CBOR, or the data format of choice
• REST model integrates with typical sites and applications
49. 49
“No single method for peer authentication and end-to-
end data protection meets the Internet of Things (IoT)
device security and operational requirements.”
THREE FROM THREE: GARTNER
IT’S NOT JUST A PHONE
1. Mobile devices can be gateways, consumers, or IoT nodes
THREE FROM THREE: GARTNER
NOT ALL DEVICES ARE CREATED EQUAL
2. Understand domains, classes of devices, and “delegation of trust”
• Class 1: Simple sensors or actuators
• Class 2: Can perform storage or analysis, e.g. hubs, concentrators, gateways
• Class 3: Complex devices, servers that can act as aggregators, e.g. security analytics
THREE FROM THREE: GARTNER
TRUST MODELS MATTER
3. Building a trust model based on “hops”
• No hop: trust is achieved by the device authenticating to the local gateway
• Single hop: Device authenticates to the gateway, and the gateway to an IoT service or application
• Multihop: Trust achieved by devices authenticating to trust anchors (gateways), and then the trust anchors federate trust across all required domains and trust models
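The hop levels above can be made concrete. The Python below is an added example, not Gartner’s or iovation’s code: a device proves possession of a pre-shared key to its local gateway (no hop), and the gateway, acting as trust anchor, issues a short-lived HMAC-signed assertion that the IoT service checks against the gateway’s own key (single hop). The service never holds device keys; it trusts devices only through a gateway it knows. Device IDs, gateway IDs, keys and the 300-second lifetime are constructed values; the multihop case chains the same kind of assertion through further anchors.

```python
"""Added example: hop-based trust (device -> gateway -> IoT service); not from the deck."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed keys for the example. Real deployments provision the device PSK at
# manufacture and the gateway key when the gateway is onboarded to the service.
DEVICE_PSK: Dict[str, bytes] = {"thermostat-01": secrets.token_bytes(32)}
GATEWAY_KEYS: Dict[str, bytes] = {"gw-home-7": secrets.token_bytes(32)}


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so fields cannot be shifted into each other."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


class Device:
    def __init__(self, device_id: str, psk: bytes):
        self.device_id, self.psk = device_id, psk

    def answer(self, nonce: bytes, gateway_id: str) -> bytes:
        # Binding the gateway ID stops a response being replayed to a different gateway.
        return _mac(self.psk, b"device-auth", self.device_id.encode(), gateway_id.encode(), nonce)


class Gateway:
    """Local trust anchor: holds device PSKs and its own key shared with the service."""

    def __init__(self, gateway_id: str, key: bytes, device_psks: Dict[str, bytes]):
        self.gateway_id, self.key, self.device_psks = gateway_id, key, device_psks
        self._pending: Dict[str, bytes] = {}

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id: str, response: bytes) -> bool:
        """No hop: trust is achieved by the device authenticating to the local gateway."""
        psk, nonce = self.device_psks.get(device_id), self._pending.pop(device_id, None)
        if psk is None or nonce is None:
            return False
        expected = _mac(psk, b"device-auth", device_id.encode(), self.gateway_id.encode(), nonce)
        return hmac.compare_digest(expected, response)

    def issue_assertion(self, device_id: str, now: int, ttl: int = 300) -> str:
        """Single hop: the gateway vouches for an already-authenticated device to the service."""
        claims = {"gw": self.gateway_id, "dev": device_id, "iat": now, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = _mac(self.key, b"gw-assertion", body)
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


class IoTService:
    """Knows gateways directly; knows devices only through a gateway's assertion."""

    def __init__(self, gateway_keys: Dict[str, bytes]):
        self.gateway_keys = gateway_keys

    def verify_assertion(self, token: str, now: int) -> Optional[str]:
        """Returns the asserted device ID, or None if the assertion is not acceptable."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
            claims = json.loads(body)
        except (ValueError, TypeError):
            return None
        if not isinstance(claims, dict):
            return None
        key = self.gateway_keys.get(claims.get("gw"))
        if key is None:
            return None                                   # unknown trust anchor
        if not hmac.compare_digest(_mac(key, b"gw-assertion", body), sig):
            return None                                   # forged or tampered
        iat, exp = claims.get("iat"), claims.get("exp")
        if not isinstance(iat, int) or not isinstance(exp, int) or not iat <= now < exp:
            return None                                   # expired or not yet valid
        return claims.get("dev")


def onboard(device: Device, gateway: Gateway, service: IoTService, now: int) -> Optional[str]:
    """Runs the no-hop step, then the single-hop step; returns the device ID the service accepted."""
    nonce = gateway.challenge(device.device_id)
    if not gateway.verify_device(device.device_id, device.answer(nonce, gateway.gateway_id)):
        return None
    return service.verify_assertion(gateway.issue_assertion(device.device_id, now), now)


if __name__ == "__main__":
    dev = Device("thermostat-01", DEVICE_PSK["thermostat-01"])
    gw = Gateway("gw-home-7", GATEWAY_KEYS["gw-home-7"], DEVICE_PSK)
    svc = IoTService(GATEWAY_KEYS)
    print("accepted:", onboard(dev, gw, svc, now=1_700_000_000))
```

Two properties of this layout are worth checking in any real design: a device credential compromised at one site cannot be used to talk to the service directly, because the service has no device keys, and a gateway the service has not onboarded is not a trust anchor no matter how many devices authenticate to it.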
“Authentication is the process of verification that an
individual, entity or website is who it claims to be.”
THREE FROM THREE: OWASP
IoT SECURITY GUIDANCE IN THREE CATEGORIES
1. The only guidance using three different perspectives:
• Manufacturer IoT Guidance: The goal of this section is to help manufacturers build more secure products in the Internet of Things space.
• Developer IoT Guidance: The goal of this section is to help developers build more secure applications in the Internet of Things space.
• Consumer IoT Guidance: The goal of this section is to help consumers purchase secure products in the Internet of Things space.
THREE FROM THREE: OWASP
MULTI-PART SECURITY AND PRIVACY FRAMEWORK
2. A comprehensive framework:
• 1 IoT Framework Security Considerations: Definitions
• 2 Edge: Framework Considerations for Edge Component
• 3 Gateway: Framework Considerations for Gateway Component
• 4 Cloud: Framework Considerations for Cloud Component
• 5 Mobile: Framework Considerations for Mobile Component

2 Edge: Framework Considerations for Edge Component
• Communications encryption
• Storage encryption
• Strong logging
• Auto updates / versioning
• Update verification
• Cryptographic ID capabilities
• No default passwords
• Offline security features
• Configurable root trust store
• Device and owner authentication
• Transitive ownership capabilities
• Defensive capabilities
• Plugin or ext. verify, report, update
• Secure M2M
• Secure web interface
• Utilize established protocols
• Latest, updated 3rd-party components
• Use of hardware device
• Support MFA
• Temporal and spatial authentication
• Tracks data from insecure sources
• Features disabled by default
• Written in programming languages that possess security countermeasures
• Device monitoring and management capabilities
THREE FROM THREE: OWASP
FOCUS ON TESTING
3. Provides a unique focus on authentication testing
• Assess the solution for the use of strong passwords where authentication is needed
• Assess the solution for multi-user environments and ensure it includes functionality for role separation
• Assess the solution for implementation of two-factor authentication where possible
• Assess password recovery mechanisms
• Assess the solution for the option to require strong passwords
• Assess the solution for the option to force password expiration after a specific period
• Assess the solution for the option to change the default username and password
SUMMARIZING THE “THREE FROM THREE”
CSA
1. Identity relationship management – not IAM – is key
2. Smartphones will be the primary means of authentication in the IoT
3. Leverage built-in security controls
Gartner
4. Mobile devices will fill multiple roles in the IoT scheme
5. Domains & classes drive delegation of trust models
6. Build your trust model based on “hops”
OWASP
7. Multiple perspectives matter
8. Provides a comprehensive framework
9. Provides a unique authentication focus
DEVICE-BASED AUTHENTICATION
THE USER’S DEVICE AS A ROBUST, INVISIBLE SECOND FACTOR

Web Device Print
• MD5 hash of the full font list
• Random sample of 15 fonts
• Flash SharedObjects not writable
• Flash socket (port 843) based IP (real IP)
• Boolean indicator: Flash took longer than expected to execute
• Accepted charsets in HTTP header
• Accepted languages in HTTP header
• Browser user agent comment string
• Browser name / OS / version / language
• Cookie writes excluded
• Boolean indicator: JavaScript enabled
• Count of fonts in the full list
• Flash 3-part version (16.0.0)
• Flash 4-part version (16.0.0.305)
• List of browser plugins
• JavaScript screen resolution
• Simbar toolbar GUID from HTTP header
• Timezone offset in minutes
• ... and more

iOS SDK
• WiFi (or Bluetooth) MAC address
• Network configuration
• iOS device model
• Battery level / AC mode
• Device orientation
• File system size
• Physical memory
• CPU type / count / speed
• Number of attached accessories
• Has proximity sensor?
• Screen brightness and resolution
• System uptime
• iOS device name (MD5 hash)
• OS name and/or version
• Device advertising UUID
• Kernel version
• iCloud Ubiquity token
• Application vendor UUID / name / version
• Locale language / currency code
• … and 100s more

Android SDK
• Model and device model
• Build.DEVICE & Build.HARDWARE
• Build.HOST & Build.ID
• Manufacturer
• Build.PRODUCT & Build.TIME
• Network operator ID & name
• SIM operator ID & country
• System uptime in seconds
• Is the device plugged in
• CPU type
• Physical memory
• Unique build fingerprint of app
• Android SDK level
• Android build number (DISPLAY)
• Android device system version
• Detected attempt at hiding root
• Kernel version (was AKV)
• Android locale country code
• Desktop wallpaper hash
• … and 100s more
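Attributes like the ones listed above only become a second factor once they are turned into a device print that survives ordinary drift but still separates one device from another. The Python below is an added example, not iovation’s algorithm: it canonicalizes a handful of the web attributes, hashes the non-volatile ones into a stable identifier, and scores an incoming attribute set against a stored print so that a Flash upgrade or a battery-level change still matches while a different machine does not. The attribute names, weights, thresholds and sample attribute sets are constructed for illustration.

```python
"""Added example: weighted device print with drift-tolerant matching (not iovation's code)."""
import hashlib
from typing import Dict

# Constructed weights: attributes that rarely change on one device but differ across
# devices carry more weight; volatile ones (battery, brightness) carry none.
ATTRIBUTE_WEIGHTS: Dict[str, float] = {
    "font_list_md5": 3.0, "font_count": 1.0, "user_agent": 2.0, "os_version": 1.5,
    "accept_language": 1.0, "accept_charset": 0.5, "plugins": 2.0,
    "screen_resolution": 1.0, "timezone_offset": 1.0, "flash_version": 0.5,
    "battery_level": 0.0, "screen_brightness": 0.0,
}


def normalize(attrs: Dict[str, object]) -> Dict[str, str]:
    """Canonicalize values so the same device always produces the same strings."""
    out = {}
    for k, v in attrs.items():
        if isinstance(v, (list, tuple, set)):
            v = ",".join(sorted(str(x) for x in v))   # plugin order must not matter
        out[k] = str(v).strip().lower()
    return out


def device_print_id(attrs: Dict[str, object]) -> str:
    """Stable identifier: SHA-256 over the weighted (non-volatile) attributes, sorted by name."""
    norm = normalize(attrs)
    parts = [f"{k}={norm[k]}" for k in sorted(norm) if ATTRIBUTE_WEIGHTS.get(k, 0) > 0]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


def match_score(stored: Dict[str, object], observed: Dict[str, object]) -> float:
    """Weighted fraction of stored attributes the observation agrees with, in [0, 1]."""
    s, o = normalize(stored), normalize(observed)
    total = sum(w for k, w in ATTRIBUTE_WEIGHTS.items() if k in s)
    if total == 0:
        return 0.0
    agree = sum(w for k, w in ATTRIBUTE_WEIGHTS.items() if k in s and o.get(k) == s[k])
    return agree / total


def classify(stored: Dict[str, object], observed: Dict[str, object],
             strong: float = 0.9, weak: float = 0.6) -> str:
    """Policy hook: exact print, drifted-but-same device, or a device that needs step-up auth."""
    if device_print_id(stored) == device_print_id(observed):
        return "same-device"
    score = match_score(stored, observed)
    if score >= strong:
        return "same-device-drifted"
    return "needs-step-up" if score >= weak else "new-device"


# Constructed sample attribute sets (not real collected data).
KNOWN_DEVICE = {
    "font_list_md5": "9e107d9d372bb6826bd81d3542a419d6", "font_count": 212,
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/48.0", "os_version": "Windows 7",
    "accept_language": "en-US,en;q=0.8", "accept_charset": "utf-8",
    "plugins": ["Chrome PDF Viewer", "Shockwave Flash"],
    "screen_resolution": "1920x1080", "timezone_offset": -480, "flash_version": "16.0.0.305",
    "battery_level": 72, "screen_brightness": 0.6,
}
# Same machine a month later: Flash upgraded, battery and brightness changed.
SAME_DEVICE_LATER = dict(KNOWN_DEVICE, flash_version="20.0.0.306", battery_level=15, screen_brightness=1.0)
# A different machine that happens to share language and charset headers.
OTHER_DEVICE = dict(KNOWN_DEVICE, font_list_md5="e4d909c290d0fb1ca068ffaddf22cbd0", font_count=98,
                    user_agent="Mozilla/5.0 (Macintosh) Safari/601.5", os_version="OS X 10.11",
                    plugins=["QuickTime"], screen_resolution="1440x900", timezone_offset=-300)

if __name__ == "__main__":
    for label, obs in [("later", SAME_DEVICE_LATER), ("other", OTHER_DEVICE)]:
        print(label, round(match_score(KNOWN_DEVICE, obs), 3), classify(KNOWN_DEVICE, obs))
```

The zero-weight attributes are deliberately kept in the record: they are useless for identity but useful for risk signals (a device reporting a battery level on a desktop user agent is worth a closer look), and excluding them from the hash is what keeps the identifier stable across sessions.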