IoT TLS: Why It Is Hard
David Brown
What is IoT
“The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”
— TechTarget
5 Worst Examples
● The Mirai Botnet
● The Hackable Cardiac Devices from St. Jude
● The Owlet WiFi Baby Heart Monitor Vulnerabilities
● The TRENDnet Webcam Hack
● The Jeep Hack
“IoT Security is not Interesting”
— James Mickens
Harvard University, Associate Professor, Authority on All Things
“TLS is the only good thing we have”
— James Mickens
Harvard University, Associate Professor, Authority on All Things
Raspberry Pi
● Memory: GBs
● Flash: GBs
● CPU: GHz
Tiny devices
● Memory: 10s KB
● Flash: 100s KB
● CPU: 10s MHz
Middle Devices
● Memory: 100s Kb
● Flash: 1Mb
● CPU: 10-100 MHz
How Does TLS?
TLS Handshake
Handshake Requirements
● Ciphersuite agreement
● Verification of certificate, not optional
“TLS done incorrectly is worse than not using it at all. At least with no TLS you know that the communication is insecure.” — hallway talk at ICMC18
Implementation Requirements
● Memory
● Time
● Randomness
Traditional TLS API
Improving Layering
● Stream abstraction
  ○ Common in higher level languages
  ○ Same API for TLS and non-TLS
● Put under Socket API
  ○ Not really done in Linux (really, not done in Linux)
  ○ Keeps same API
  ○ The layering is wrong, though
Zephyr’s Approach
● Second approach
● Already offloading support, including one that has TLS
● Abstractions are “scary”
API Mismatch
Where are we now?
● Video of a demo?
● Zephyr network API changes
● JWT, time, MQTT