Upload File

iot tls: why it is hard - linux foundation events · 5 worst examples the mirai botnet the hackable...

  • Home
  • Documents
  • IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
25
IoT TLS: Why It Is Hard David Brown

Upload: others

Post on 15-Mar-2020

11 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

IoT TLS: Why It Is HardDavid Brown

Page 2: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

What is IoT“The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”

— TechTarget

https://internetofthingsagenda.techtarget.com/definition/unique-identifier-UID
https://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT
Page 3: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 4: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 5: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 6: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 7: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 8: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

5 Worst Examples● The Mirai Botnet● The Hackable Cardiac Devices from St. Jude● The Owlet WiFi Baby Heart Monitor Vulnerabilities● The TRENDnet Webcam Hack● The Jeep Hack

Page 9: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

“IoT Security is not Interesting”

— James MickensHarvard University,Associate Professor,Authority on All Things

Page 10: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

“TLS is the only good thing we have”

— James MickensHarvard University,Associate Professor,Authority on All Things

Page 11: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Raspberry Pi● Memory: GBs● Flash: GBs● CPU: GHz

Page 12: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 13: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Tiny devices● Memory: 10s KB● Flash: 100s KB● CPU: 10s MHz

Page 14: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Middle Devices● Memory: 100s Kb● Flash: 1Mb● CPU: 10-100 MHz

Page 15: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

How Does TLS?

Page 16: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 17: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities
Page 18: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

TLS Handshake

Client HelloClient RandomCipher Suites

Server HelloServer Random

Cipher Suite

Server Cert

Server Key Exchange

Server Hello DoneClient Key Exchange

Change Cipher

Encrypted HandshakeChange Cipher

Encrypted Handshake

Page 19: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Handshake Requirements● Ciphersuite agreement● Verification of certificate, not optional

“TLS done incorrectly is worse than not using it at all. At least with no TLS you know that the communication is insecure.” — hallway talk at ICMC18

Page 20: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Implementation Requirements● Memory● Time● Randomness

Page 21: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Traditional TLS API

open socket

set bio

tls_handshake

tx

rx

applicationtls_readtls_write

Init libraryctr_drbg

ssl

ssl_config

x509_crt

entropy

ctr/entropy

setup config

set hostname

Page 22: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Improving Layering● Stream abstraction

○ Common in higher level languages○ Same API for TLS and non-TLS

● Put under Socket API○ Not really done in Linux (really, not done in Linux)○ Keeps same API○ The layering is wrong, though

Page 23: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Zephyr’s Approach● Second approach● Already offloading support, including one that has TLS● Abstractions are “scary”

Page 24: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

API MismatchSocket API

connectsend

receive…

tls read

return

available wait for …

would-block

tls write

return

available wait for …

would-block

Network receive wakes all waiters

Page 25: IoT TLS: Why It Is Hard - Linux Foundation Events · 5 Worst Examples The Mirai Botnet The Hackable Cardiac Devices from St. Jude The Owlet WiFi Baby Heart Monitor Vulnerabilities

Where are we now?● Video of a demo?● Zephyr network API changes● JWT, time, MQTT


LPK Mirai Powerpoin

ELECTRONIC VOTING MACHINE(EVM) HACKABLE OR NOT

INFORME SOSTENIBILIDAD - Mirai

Mirai powerpoin

140505 hackable city athens

The Risks & Rewards of Connecting Commercial Kitchens · Mirai Botnet Attack – October 2016 St. Jude Cardiac Devices – 2015 Owlet Wi-Fi Baby Monitor – 2015 TRENDnet Webcam Hacks

MIRAI - Toyota DE

MAXvent Owlet

Owlet IoT inalámbrico para exteriores Ficha técnica

g, - mirai-inc.jp

Occurrence of the Forest Owlet Heteroglaux blewitti in Navsari …indianbirds.in/pdfs/IB_13_3_PatelETAL_ForestOwlet.pdf · 2017-06-27 · T he Forest Owlet Heteroglaux blewitti was

OWLET Wireless Control System for Street and Area Lighting

Outline of the Mirai - Toyota NL Mirai FCV_Posters_LR_tcm... · Outline of the Mirai Key Specifications The Mirai is a fuel cell vehicle (FCV) which uses hydrogen as energy to generate

NOWA TOYOTA MIRAI

Mirai offices

Botnet Mirai IoT - York University · 2017-04-04 · Mirai IoT Botnet "the future", 未来 ... Mirai can now forces device to report to a central control server. Mirai usage in DDoS

mIRAI pOWERpOIN(1)

R/V Mirai “Cruise Report” R/V Mirai Performance check test ......R/V Mirai “Cruise Report” MR19-01 . R/V Mirai Performance check test . Kumano trough, Izu ・Ogasawara Sea

Owlet Wireless Outdoor Lumencontroller and -meter LuCo-NXP

Hackable City Cycling

Hackable Cities: A Toolkit for Re-Imagining Your Neighborhood

Hackable Cities

Mirai botnet

Josh Corman-on-the-hackable-internet-of-things

Instructables.com - MeArm - Build a Small Hackable Robot Arm

Aerolineas Mirai

Minato Mirai 21

Edital Mirai

Minato Mirai

Mirai nikki

Kiroro - Mirai e

Eindhoven Hackable Wereldstad

Outline of the Mirai - Toyota Auto FI Mirai FCV_Posters_LR_tcm... · Outline of the Mirai Key Specifications The Mirai is a fuel cell vehicle (FCV) which uses hydrogen as energy to

Preview of Owlet by Emma Michaels

Hackable IoT devices which are used for connected home