Our Road to Iot: Secure Device Grid

OUR ROAD TO IOT: SECURE DEVICE GRID

5 October 2015 Kresten Krab Thorup @drkrab Introduction IoT and SSL/TLS landscape Secure Device Grid design Lessons Learned ABOUT THE SPEAKER

Kresten Krab Thorup, Ph.D. Trifork CTO - since 1999 JAOO, QCon, YOW!, GOTO Conferences Language Hacker HOW TO REMOTE CONTROL YOUR IOT DEVICES? IOT REMOTE CONTROL

ACCESS Device/Mobile behind NAT

SECURITY Secure Traffic (Secrecy, Integrity) Authentication Privacy DESIGN #1

TRUSTED? GATEWAY MAN IN THE MIDDLE

FIREWALL FIREWALL

MOBILE DEVICE DESIGN #2

END-TO-END GATEWAY TRUST

FIREWALL FIREWALL

MOBILE DEVICE DESIGN #2

GATEWAY

PAIRING MOBILE DEVICE KEY EXCHANGE DESIGN #2

GATEWAY

Secure

MOBILE Authenticated DEVICE Private HOW TO SECURE THIS? PUBLIC KEY CRYPTOGRAPHY

I’m Home! Alice Bob

SecretKey SecretKey PublicKey PublicKey ENCRYPTION

Eve

ciphertext Alice Bob

encode(“I’m Home!”, PublicKey)

decode(ciphertext, SecretKey)

Only Bob can decode it SIGNING

Eve

signed Alice Bob

sign(“I’m Home!”, SecretKey)

verify(signed, PublicKey)

Only Alice could have created the signed message TRUST

Eve

Alice Bob

PublicKey PublicKey

sign(PublicKey, Carl sign(PublicKey, SecretKey) SecretKey) SSL/TLS SSL/TLS

Standardized approach to Public Key Crypto Public Key Infrastructure (CA’s) Standard Protocols 15+ years of history SSL/TLS

OpenSSL iOS ARM Android GATEWAY Broadcom Windows WinCE SSL/TLS WOES

Many platforms ⇒ weakest link deﬁnes level

PROBLEMS

Implementation errors / limitations

Protocol errors

Conﬁguration/use errors NATIVE STACK LIMITATIONS

Client certificate capability Validate/control connection status? Who are you connected to? Support proper (modern) ciphers WELL KNOWN SSL/TLS BUGS

FREAK - downgrade to ‘export grade’ crypto POODLE - downgrade makes keys guessable HeartBleed (OpenSSL)- expose contents of server memory Logjam - Exploits standard config (DH) params Many individual implementation bugs

TLS VULNERABILITIES SSL VULNERABILITIES LESSON #1

IMPLEMENT UPGRADE OF SOFTWARE IN THE FIELD LESSON #2

OPENSSL IS A ATTACK TARGET BECAUSE IT IS POPULAR (Just like Windows) COMPLEXITY TLS COMPLEXITY

Creeps in as standards develop 15+ years backwards compatible ASN.1, X509 Certificates, Revocations, … Protocol negotiation (and renegotiations) Diversity of features available on platforms Diversity of configurations DIVERSITY

OpenSSL iOS ARM Android Broadcom Windows WinCE OUR TLS SOLUTION

OpenSSL OpenSSL OpenSSL OpenSSL OpenSSL OpenSSL OpenSSL ONE CONFIGURATION: TLS 1.2 ECC BrainPool P384 One cipher ECDH_ECDSA_AES LESSON #3

ANY SSL/TLS IMPLEMENTATION IS LARGE AND COMPLEX

(ARM JUST OPEN SOURCED A NEW STACK ‘mbed TLS’) A NEW START: GOING SMALL A NEW START: NACL (CURVE 25519)

Crypto library from Daniel Bernstein (of qmail fame) Used in ZeroMQ, Tor, SSH, HomeKit, AirPlay, Chrome/QUIC, countless open source tools.

“An attacker who spends a billion dollars on special- purpose chips to attack Curve25519, using the best attacks available today, has about 1 chance in 1027 of breaking Curve25519 after a year of computation.”

NACL: CRYPTO SIMPLIFIED

One way to do things ECC crypto (Curve25519) Stream cipher (Salsa20) SHA25 CurveCP: Control Protocol (like SSL/TLS) NACL: CRYPTO SIMPLIFIED

Multiple implementations NaCl, the original (compiles to ~30k ARM code) libsodium (with fast ASM for popular platforms) TweetNacl, compiles to 10k ARM code Java, .NET, JavaScript, … you name it. NACL: WHAT’S NOT THERE?

Key Management Certificate Chains / X509 / ASN.1 Protocol negotiation, downgrade, … Many ciphers, hashes, … RANDOM SOURCE LESSON #4

WHEN YOU CONTROL BOTH ENDS, CONSIDER SIMPLIFYING RANDOM

LESSON #5

RANDOMNESS IS HARD IN EMBEDDED DEVICES RANDOM IS HARD

Initialize when product is ‘installed’ at factory product’s public key entropy data file

Recent JEEP hack was lack of entropy Android also had a serious random bug in 2013 PRIVACY PRIVACY

GATEWAY

MOBILE DEVICE NEED-TO-KNOW

Gateway/router has no knowledge of peer identity — It only knows that they trust each other A break-in of cloud infrastructure does not compromise peers Individual peers being compromised will not compromise other peers. LESSON #6

SAVE ONLY WHAT’S NECESSARY (PRIVACY BY DESIGN) TRUST SCHEMES?

Establish trust by means of a 3rd party SMS 3rd party SSO Certificate authority Trust direct between devices TRUST

Alice Eve Bob

PublicKey PublicKey sign(PublicKey, Carl sign(PublicKey, SecretKey) SecretKey) sign(PublicKey, Carl2 sign(PublicKey, SecretKey) SecretKey) sign(PublicKey, Carl3 sign(PublicKey, SecretKey) SecretKey) TRUST

OTP OTP

Alice Bob

SecretKey SecretKey PublicKey PublicKey LESSON #7

AVOID CERTIFICATE AUTHORITIES (CA’S) WHEN POSSIBLE TRUST ON FIRST USE

SSH shows a fingerprint to verify on first use Our product you enter a PIN to verify the peer Henceforth, trust the holder of that key END-TO-END LIMITATIONS

Sometimes you want an OPEN API - Most web-enabled IOT devices do that

IFTTT (open programmable interation platform) - Holds on to all your credentials - Email, google, facebook, devices, … - Ideal targt for a hacker

Make this a special case, not the default. SUMMARY SUMMARY

SSL/TLS is more complex than you think CA’s introduce trust in 3rd parties Implement software upgrade Control both ends? Consider a simpler solution. Randomness is hard Remember (log/store) only what’s necessary our product securedevicegrid.com

Aarhus Copenhagen Zurich Amsterdam Berlin Budapest Buenos Aires Krakow Leeds London San Francisco Seattle Stockholm Kresten Krab Thorup [email protected] @drkrab

Aarhus Copenhagen Zurich Amsterdam Berlin Budapest Buenos Aires Krakow Leeds London San Francisco Seattle Stockholm