AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

WEBINAR
AUTHENTICATING “THINGS”
THE PITFALLS AND PROMISES
OF AUTHENTICATION IN THE CONSUMER IoT
JUNE 2016
MICHAEL THELANDER

3
AGENDA
1
2
3
WHAT’S SO
REVOLUTIONARY?
Industrial vs. Consumer IoT
Unexpected risks and rewards
AUTHENTICATION IN THE IoT
Authentication standards & guidelines
“Three from Three” Guidance
IF AUTHENTICATION FAILS
New and frightening hacks
What’s next?
4 YOU ARE YOUR DEVICE Your device as your proxy

WHAT’S SO
REVOLUTIONARY…
ABOUT THE INTERNET OF THINGS?

5
A MERCANTIL E REVOL UTION
Guns, cloth, iron
and beer
Slaves, gold, spices
Slaves, raw sugar,
and molasses
Whale oil, lumber, cotton,
rum and tobacco
The crown
orchestrated a
complex
global dance
that leveraged
the best
knowledge
and the most
favorable
terms
anywhere in
the world.

6
At the top of the
pyramid, Great Britain
used these imports to
manufacture and
distribute complex
products that created
vast wealth and
power.

7
Closer to the raw materials needed for production
Respond immediately to change
Intimate understanding ofall parts of a complex process
Organize and manage their own markets

8
That’s a bit like what’s happening
in the industrial IoT today.

9
MIC H A E L T H E LA N DE R
P R O D U C T M A R K E T I N G M A N A G E R , A U T H E N T I C A T I O N
n Manages go-to-market, launch and customer education activities for
iovation’s authentication products.
n 20 years in VP- and director-level product management and
marketing roles for technology and information security companies.

18
What about the consumer IoT?

19
TWO F ACES OF THE Io T
K E Y D I F F E R E N C E S B E T W E E N I N D U S T R I A L A N D C O N S U M E R I o T
• Security and privacy standards
and guidelines are an inherent
part of the picture
• Device lifespan can be
measured in decades
• Criticality of RTOS
• Continuity of data is a major
consideration
INDUSTRIAL IoT
• Minimal attention to security
standards and guidelines,
consumers blasé about privacy
• Device lifespan can be
measured in months
• Less-than-critical infrastructure in
most current cases
• Expected gaps in data flow
CONSUMER IoT

25
“The smartphone
will become the
foundational banking
tool.”

30
“B IG DATA” B ECOMES PERSONAL
INTERNET-CONNECTED DEVICES
4.9 B in 2015
20.8 B in 2020
450%
10,000 EB in 2015
400%
40,000 EB in 2020
STORAGE REQUIRED FOR THE DATA
(One exabyte can hold 500 to 1000 times
the entire content of the Library of Congress.)

31
“B IG DATA” B ECOMES PERSONAL
10,000 EB in 2015
40,000 EB in 2020
STORAGE REQUIRED FOR THE DATA
(One exabyte can hold 500 to 1000 times
the entire content of the Library of Congress.)
= 20,800 GB
400%

42
“These technical guidelines cover remote digital authentication of human users to IT systems
over a network… However do not specifically address machine-to-machine
(such as router-to-router) authentication, or establish specific requirements for issuing
authentication credentials and authenticators to machines and servers when
they are used in authentication protocols with people.”
However do not specifically address machine-to-machine
(such as router-to-router) authentication, or establish specific requirements for issuing
authentication credentials and authenticators to machines and servers when
they are used in authentication protocols with people.”
New
v 63-3
Due
Soon

44
THREE F ROM THREE
G U I D A N C E F R O M T H R E E P I E C E S O F R E C E N T R E S E A R C H

45
“Others have pointed to the need to research
methods that provide context-based authentication
as a new factor in an authentication process. .”

46
1. Identity Relationship Management (IRM) replaces IAM
n Consumers and things over employees
n Internet-scale over Enterprise-scale
n Borderless over perimeter
2. Use of smartphones as a primary means of authentication in the IoT
n Context-based authentication over MFA
n Enterprise-level local authentication to IoT devices
n Single sensor for multiple authentication methods:
THREE F ROM THREE: CSA
C L O U D S E C U R I T Y A L L I A N C E – I R M A N D S M A R T P H O N E S

47
3. Leverage the security controls built into standards-based IoT protocols
I o T S E C U R I T Y F O R C O N S U M E R D E V I C E S
Protocol M2M Auth Options
MQTT Username / password
CoAP
preShared Key
rawPublicKey
XMPP Multiple options
DDS
x.509 Certificates (PKI)
Tokens
Protocol M2M Auth Options
Zigbee Pre-shared keys
Bluetooth Shared key
Bluetooth LE
Connection signature
resolving key
HTTP/REST TLS or OAUTH 2

48
3. Leverage the security controls built into standards-based IoT protocols
C L O U D S E C U R I T Y A L L I A N C E S U M M A R S Y G U I D A N C E O N I o T
• Low memory: works on micro-
controllers was low as 10 KiB of RAM
• Default choice of DTLS parameters
is equivalent to 3072-bit RSA keys
• CoAP integrates with XML, JSON,
CBOR, or data format of choice
• REST model integrates with typical
sites and applications

49
“No single method for peer authentication and end-to-
end data protection meets the Internet of Things (IoT)
device security and operational requirements.”

50
1. Mobile devices can be
gateways, consumers, or
IoT nodes
THREE F ROM THREE: GARTNER
I T ’ S N O T J U S T A P H O N E

51
2. Understand domains, classes of
devices, and “delegation of trust”
n Class 1: Simple sensors or actuators
n Class 2: Can perform storage or analysis,
e.g. hubs, concentrator, gateways
n Class 3: Complex devices, servers than
can act as aggregators, e.g. security
analytics
N O T A L L D E V I C E S A R E C R E A T E D E Q U A L

52
3. Building a trust model based
on “hops”
n No hop: trust is achieved by device
authenticating to local gateway
n Single hop: Device authenticates to
gateway, and gateway to an IoT service
or application
n Multihop: Trust achieved by devices
authenticating to trust anchors
(gateways), and then the trust anchors
federate trust across all required
domains and trust models
T R U S T M O D E L S M A T T E R

53
“Authentication is the process of verification that an
individual, entity or website is who it claims to be.”

54
1. The only guidance using three different perspectives:
n Manufacturer IoT Guidance: The goal of this section is help
manufacturers build more secure products in the Internet of Things
space.
n Developer IoT Guidance: The goal of this section is help developers
build more secure applications in the Internet of Things space.
n Consumer IoT Guidance: The goal of this section is help consumers
purchase secure products in the Internet of Things space.
THREE F ROM THREE: OWASP
I o T S E C U R I T Y G U I D A N C E I N T H R E E C A T E G O R I E S

55
2. A comprehensive framework:
n 1 IoT Framework Security
Considerations: Definitions
n 2 Edge: Framework Considerations
for Edge Component
n 3 Gateway: Framework
Considerations for Gateway
Component
n 4 Cloud: Framework Considerations
for Cloud Component
n 5 Mobile: Framework Considerations
for Mobile Component
M U L T I - P A R T S E C U R I T Y A N D P R I V A C Y F R A M E W O R K
• Communications encryption
• Storage encryption
• Strong logging
• Auto updates / versioning
• Update verification
• Cryptographic ID capabilities
• No default passwords
• Offline security features
• Configurable root trust store
• Device and owner
authentication
• Transitive ownership
capabilities
• Defensive capabilities
• Plugin or ext. verify, report,
update
• Secure M2M
• Secure Web interface
• Utilize established protocols
• Latest, updated 3rd
-party
components
• Use of hardware device
• Support MFA
• Temporal and spacial
authentication
• Tracks data from insecure
sources
• Features disabled by default
• Written in programming
languages that possess
security countermeasures
• Device monitoring and
management capabilities
2 Edge: Framework Considerations
for Edge Component

56
3. Provides a unique focus on authentication testing
F O C U S O N T E S T I N G
n Assess the solution for the use of
strong passwords where authentication
is needed
n Assess the solution for multi-user
environments and ensure it includes
functionality for role separation
n Assess the solution for Implementation
two-factor authentication where
possible
n Assess password recovery mechanisms
n Assess password recovery mechanisms
n Assess the solution for the option to
require strong passwords
force password expiration after a
specific period
change the default username and
password

57
9
1. Identity relationship
management – not
IAM – is key
2. Smartphones will be
the primary means
of authentication in
the IoT
3. Leverage built-in
security controls
4. Mobile devices will
fill multiple roles in
the IoT scheme
5. Domains & classes
drive delegation of
trust models
6. Build your trust
model based on
“hops”
7. Multiple perspectives
matter
8. Provides a
comprehensive
framework
9. Provides a unique
authentication
focus
SUMMARIZING THE “THREE F ROM THREE”

AUTHENTICATION FAIL
INTRIGUING HACKS IN THE IoT

YOU ARE YOUR DEVICE
YOUR TRUSTWORTHY PROXY?

66
BIOMETRICS
IP ADDRESS JAILBROKEN
OR ROOTED
GEO LOCATION
ASSOCIATIONSSECURITY RISK

67
n MD5 Hash of the full font list
n Random sample of 15 fonts
n Flash SharedObjects not writable
n Flash socket 843 based ip (real IP)
n Boolean indicator: flash took longer
than expected to execute
n Accepted Char Sets in HTTP header
n Accepted languages in HTTP header
n Browser user agent comment string
n Browser name / OS / Ver / language
n Cookie writes excluded
n Boolean indicator, javascript enabled
n Count of fonts in the full list
n Flash 3-part version (16.0.0)
n Flash 4-part version (16.0.0.305)
n List of browser plugins
n JavaScript screen resolution
n Simbar toolbar GUID from HTTP hdr
n Timezone offset in minutes
n ... and more
n WiFi (or Bluetooth) MAC Address
n Network configuration
n iOS Device Model
n Battery level / AC mode
n Device orientation
n File system size
n Physical memory
n CPU Type / Count /Speed
n Number attached accessories
n Has proximity sensor?
n Screen brightness and resolution
n System uptime
n iOS Device Name (MD5 Hash)
n OS Name and/or version
n Device advertising UUID
n Kernel version
n iCloud Ubiquity Token
n Application Vendor UUID /name/vers
n Locale language / currency code
n … and 100s more
n Model and Device Model
n Build.DEVICE & Build.HARDWARE
n Build.HOST & Build.ID
n Manufacturer
n Build.PRODUCT & Build.TIME
n Network Operator ID & Name
n Sim Operator ID & Country
n System Uptime in Seconds
n Is the device plugged in
n CPU Type
n Physical memory
n Unique build fingerprint of app
n Android SDK Level
n Android Build Number (DISPLAY)
n Android Device System Version
n Detected attempt at hiding root detect
n Kernel Version (was AKV)
n Android Locale Country Code
n Desktop Wallpaper Hash
n … and 100s more
DEVICE-BASED AUTHENTICATION
THE USER’S DEVICE AS A ROBUST, INVISIBLE SECOND FACTOR
Web Device Print iOS SDK Android SDK

CONTACT US
www.iovation.com
twitter.com/iovation

AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (10)

Ähnlich wie AuthentiThings: The Pitfalls and Promises of Authentication in the IoT

Ähnlich wie AuthentiThings: The Pitfalls and Promises of Authentication in the IoT (20)

Mehr von TransUnion

Mehr von TransUnion (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

AuthentiThings: The Pitfalls and Promises of Authentication in the IoT