Page 1
10 Challenges of Securing IoT Communications
PubNub © 2015
Rohini Pandhi, PubNub @rohinip
Page 2
The Things: So Many Categories!
Sensors, Smart Home, Wearables, Transportation, Medical, Manufacturing
Page 3
The Internet
Sensors, Smart Home, Wearables, Transportation, Medical, Manufacturing
Page 4
PubNub is a Global Network for Secure, High-Speed, Reliable Data Streams to/from every device in the world
Page 8
The Top 10 List of Challenges:
1. To secure IoT, we must define the IoT
2. Unprotected devices on the Internet will be attacked
3. Encryption is needed throughout the data lifecycle
4. Single security model for all IoT communications
5. Data stream access controls
6. Tracking device metadata
7. Secure provisioning in the field
8. Firmware updates in the field
9. Compliance with global regulations
10. Leaving security up to each IoT project team
Page 9
1. Defining the “IoT”
IoT is computing devices that send data, receive data, or do both on the Internet
• One-Way Data / Two-Way Data
• Real-Time Data / Occasional Data
• One-to-One / One-to-Many / Many-to-Many / Many-to-One
Page 10
1. Defining the “IoT”
Create a Common Vocabulary
• Publish: Device → Channel
• Subscribe: Channel → Device
• Presence: Device Online, Device Offline
• Channel: e.g. Sports, Finance, Politics
• Message: the Data Streams flowing on a Channel (Sports, Finance, Politics)
Page 11
2. Protecting Devices on the Internet
• Data Access Control
• Encryption
• Firmware Updates
• Nonrepudiation
• Legislative Compliance
• Data Retention & Privacy
• Device Physical Vulnerabilities
• Device Network Vulnerabilities
Page 12
2. Protecting Devices on the Internet
Offload as much Security into the Network as possible
Page 13
IoT needs a Data Stream Network

| Layer | Services | Protocols |
| --- | --- | --- |
| HTTP / Content Delivery Networks | Caching, QoS, Security, Redundancy | VPN, HTTP, HTTPS, SPDY |
| Internet Backbone Networks | Peering, Routing, POPs | TCP, UDP, IP |
| Data Stream Networks | Data Streams, Access Control, Caching, Presence, Replication, Processing | MQTT, WebSockets, HTTP 2.0, CoAP |
Page 14
3. Encryption and Processing
TLS/SSL doesn’t cut it
Page 15
3. Encryption and Processing
You’ve only encrypted the first hop
Page 16
3. Encryption and Processing
AES is a good choice: Message → Encrypted Message
But often we need to inspect and process the message along the way
Page 17
3. Encryption and Processing
Message = Body + Envelope
Encrypt the Message Body with AES, put actionable data on the Envelope and encrypt with TLS
(diagram: Body “Temp = 31” → AES; Envelope → TLS)
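The Body + Envelope layout above, as an added Go example that is not code from the deck or from PubNub: the envelope carries the actionable fields in the clear and is assumed to travel under TLS, while the body is sealed end to end with AES-256-GCM under a key only the two endpoints hold. It goes one step beyond the slide by binding the envelope to the body as GCM additional data, so a node can read and route on the envelope but cannot move it onto another body undetected; the key, device and channel names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Message = Envelope + Body. The envelope stays readable by every network
// node (guarded only hop-by-hop by TLS); the body is AES-256-GCM sealed
// end to end, so intermediaries see the reading only as ciphertext.
type Message struct {
	Envelope map[string]string `json:"envelope"` // actionable, routable data
	Body     []byte            `json:"body"`     // nonce || ciphertext || tag
}

// NewBodyCipher builds the AEAD for a key shared only by the two endpoints;
// a 32-byte key selects AES-256.
func NewBodyCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the payload and binds the JSON envelope to it as GCM
// additional data, so a node that rewrites the envelope breaks decryption.
func Seal(gcm cipher.AEAD, env map[string]string, payload []byte) (Message, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	aad, _ := json.Marshal(env) // map keys marshal in sorted order: deterministic
	return Message{Envelope: env, Body: gcm.Seal(nonce, nonce, payload, aad)}, nil
}

// Open recovers the payload at the receiving endpoint; a tampered envelope
// or body fails the GCM tag check.
func Open(gcm cipher.AEAD, m Message) ([]byte, error) {
	n := gcm.NonceSize()
	if len(m.Body) < n {
		return nil, errors.New("body too short")
	}
	aad, _ := json.Marshal(m.Envelope)
	return gcm.Open(nil, m.Body[:n], m.Body[n:], aad)
}
```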
Page 18
4. Single Comprehensive Security Model
Prevent Open Ports at ALL Costs!
Page 19
4. Single Comprehensive Security Model
If we still struggle to secure corporate networks, how can inbound ports on devices ever be protected?
Page 20
4. Single Comprehensive Security Model
Prevent Open Ports at ALL Costs!
(diagram: Device with no “listeners” → TCP/UDP → Network Node)
Page 21
4. Single Comprehensive Security Model
How about a standard outbound TCP connection?
On the Internet, connections fail constantly!
(diagram: Device with no “listeners” → TCP/UDP → Network Node)
Page 22
4. Single Comprehensive Security Model
What about Polling?
“Polling” is often the first attempt
(diagram: Device with no “listeners” → Polling → Network Node)
Page 23
4. Single Comprehensive Security Model
Polling doesn’t Scale
(diagram: many Devices polling one Network Node)
Page 24
4. Single Comprehensive Security Model
Secure, Reliable, Fast Communication
(diagram: Device with no “listeners” → TCP/UDP → Network Node ← Device; Publish and Subscribe over MQTT, CoAP, WebSockets, Streaming HTTP)
We really need a tunneled, fault-tolerant streaming protocol
Offload Security to the Data Stream Network
Page 25
5. Data Stream Access Controls
Access Controls with Tokens
(diagram: a Device publishes to channel “A” with a write token; a Device subscribes to channel “A” with a read token)
• Access tokens that allow Publish/Subscribe privileges
• Support token expiry (timeout)
• Allow tokens to be revoked at any time
Page 26
5. Data Stream Access Controls
Data Stream Network handles Authorization
(diagram: Device → Stream)
Page 27
6. Tracking Device Metadata
Realtime Device State
• “Perimeter” nodes must support token authorization
• Know when a device has been taken offline
• Track power drain, tampering of sensors, etc.
(diagram: Device → Perimeter → Stream; Presence Stream)
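Token-based channel access control as described on pages 25 to 27, as an added Go example that is not from the deck or from PubNub's SDKs: the perimeter node issues HMAC-signed tokens that carry one channel, its Publish/Subscribe privileges and an expiry, and checks every publish or subscribe against them, refusing tampered, malformed, revoked, expired or wrong-channel tokens. The token format, field names and signing key are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Grant is the claim set in a token: one channel, its Publish/Subscribe privileges, and an expiry (unix seconds).
type Grant struct {
	ID, Channel string
	Pub, Sub    bool
	Exp         int64
}
// Authorizer runs on the perimeter node. A token is
// base64url(grant JSON) + "." + base64url(HMAC-SHA256 over that JSON).
type Authorizer struct {
	Key     []byte
	Revoked map[string]bool // grant IDs revoked before their expiry
}
func (a *Authorizer) sign(body []byte) string {
	mac := hmac.New(sha256.New, a.Key)
	mac.Write(body)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
// Issue hands a device a token carrying exactly the privileges in g.
func (a *Authorizer) Issue(g Grant) string {
	body, _ := json.Marshal(g)
	return base64.RawURLEncoding.EncodeToString(body) + "." + a.sign(body)
}
// Check decides whether token may perform op ("publish" or "subscribe") on channel at time now.
func (a *Authorizer) Check(token, channel, op string, now time.Time) error {
	parts := strings.SplitN(token, ".", 2)
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	var g Grant
	switch {
	case len(parts) != 2 || err != nil || !hmac.Equal([]byte(a.sign(body)), []byte(parts[1])):
		return errors.New("invalid signature")
	case json.Unmarshal(body, &g) != nil || a.Revoked[g.ID]:
		return errors.New("token malformed or revoked")
	case !now.Before(time.Unix(g.Exp, 0)):
		return errors.New("token expired")
	case g.Channel != channel || !(op == "publish" && g.Pub || op == "subscribe" && g.Sub):
		return errors.New("privilege not granted on this channel")
	}
	return nil
}
```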
Page 28
7. Secure Provisioning in the Field
Provisioning is just another Design Pattern
(diagram: Device ↔ Provisioning Server; the Server is always subscribed to the “announce-presence” channel)
1. New device subscribes to the “announce” channel
2. Server returns a private channel and sets access rules
3. Device subscribes to the private channel with secret+salt
4. Server checks the secret & decides to provision
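The four provisioning steps above, as an added Go example that is not from the deck or from PubNub: the server, watching announce-presence, hands a newly seen device a private channel plus a fresh salt on the public announce channel and records the access rule, and the device then proves possession of its secret on the private channel. The per-device factory secret, the HMAC-SHA256 form of “secret+salt”, and the single-use salt are assumptions beyond the slide.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// ProvisioningServer stays subscribed to "announce-presence" and knows
// each device's factory secret (assumed to be installed at manufacture).
type ProvisioningServer struct {
	Secrets     map[string][]byte // device ID -> factory secret
	Pending     map[string]string // device ID -> salt awaiting its proof
	AccessRules map[string]string // private channel -> the one device allowed on it
}

// OnAnnounce is steps 1-2: a presence event for dev on the public "announce"
// channel. The reply (private channel, fresh salt) carries no secret.
func (s *ProvisioningServer) OnAnnounce(dev string) (string, string, error) {
	if _, known := s.Secrets[dev]; !known {
		return "", "", errors.New("unknown device: no channel issued")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	channel, salt := "provision-"+dev, hex.EncodeToString(raw)
	s.Pending[dev] = salt
	s.AccessRules[channel] = dev
	return channel, salt, nil
}
// Proof is what the device sends on its private channel (step 3): the slide's
// "secret+salt", computed here as HMAC-SHA256(secret, salt).
func Proof(secret []byte, salt string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(salt))
	return hex.EncodeToString(mac.Sum(nil))
}
// OnPrivate is step 4: verify the proof and decide to provision. The salt is
// consumed on first use, so a captured proof cannot be replayed.
func (s *ProvisioningServer) OnPrivate(channel, dev, proof string) bool {
	salt, ok := s.Pending[dev]
	if !ok || s.AccessRules[channel] != dev {
		return false
	}
	delete(s.Pending, dev)
	return hmac.Equal([]byte(proof), []byte(Proof(s.Secrets[dev], salt)))
}
```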
Page 29
8. Firmware Updates at Scale
(diagram: Device ↔ Firmware Server)
1. Server broadcasts a “firmware alert” message
2. Online devices respond & download immediately
3. Offline devices pull data from the channel cache on boot
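The three firmware steps above, as an added Go example that is not from the deck or from PubNub: a channel with a message cache broadcasts the alert to every online device and lets a device that was offline replay the cache on boot, newest alert first. The SHA-256 digest carried in the alert and checked before install is an addition beyond the slide; image bytes and URLs are constructed.

```go
package main

import "crypto/sha256"

// FirmwareAlert is what the server broadcasts (step 1). The digest lets a
// device check the image it downloads before installing it.
type FirmwareAlert struct {
	Version int
	URL     string
	SHA256  [32]byte
}
// Channel models a data stream channel with a message cache, so devices
// that were offline can read what was published while they were away.
type Channel struct {
	Cache  []FirmwareAlert
	Online []*Device
}
type Device struct {
	Version int
	Fetch   func(url string) []byte // simulated download of the image
}

// Publish caches the alert and delivers it to every online device (step 2).
func (c *Channel) Publish(a FirmwareAlert) {
	c.Cache = append(c.Cache, a)
	for _, d := range c.Online {
		d.OnAlert(a)
	}
}

// OnAlert installs an update only if it is newer than what is running
// and the downloaded image matches the announced digest.
func (d *Device) OnAlert(a FirmwareAlert) bool {
	if a.Version <= d.Version || sha256.Sum256(d.Fetch(a.URL)) != a.SHA256 {
		return false // stale alert, or a corrupted or substituted image
	}
	d.Version = a.Version
	return true
}

// Boot is step 3: a device that was offline replays the channel cache,
// newest alert first, then joins the online set for live alerts.
func (d *Device) Boot(c *Channel) {
	for i := len(c.Cache) - 1; i >= 0; i-- {
		if d.OnAlert(c.Cache[i]) {
			break
		}
	}
	c.Online = append(c.Online, d)
}
```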
Page 30
9. Compliance with Global Regulations
Page 31
9. Compliance with Global Regulations
• Data routing to avoid specific geographies
• Storage of data, regions and co-mingling
• Retention requirements, mandatory disclosures
Page 32
10. Leaving Security up to Each IoT Project Team
Oct 2010: Craig Heffner discovers an attack vector via common chipsets embedded in millions of home routers (DEFCON 18)
Nov 2013: Target (retailer) data breach reportedly originated through an HVAC vendor
Sep 2014: Hundreds of TRENDnet “Secure” camera feeds for home security and baby monitoring were hacked and posted online
Page 33
10. Leaving Security up to Each IoT Project Team
Nov 2014: Various reports pointed to a high-profile, [Sony] studio-wide cyberattack
Jan 2015: CENTCOM’s Twitter and YouTube accounts were eventually taken offline, but not before a string of tweets and the release of military documents
Jan 2015: Anthem discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information
Page 34
10. Leaving Security up to Each IoT Project Team
Yes we need standards…
But Standards are Not Enough!
Page 35
10. Leaving Security up to Each IoT Project Team
It’s unrealistic to expect hardened security if each team has to design, build, and test from scratch
Page 36
We need a Global Communication Network for the Internet of Secure Things
Page 37
IoT Deployments need an existing proven infrastructure: a communication layer specifically for IoT, a Secure Data Stream Network
Page 38
http://bit.ly/pubnub-iot-security (page 19)