AutoAdd: A Study of Bootstrapping of an IoT Device on a Network

Anoop Kumar Pandey, Balaji Rajendran, Kumari Roshni V S
Centre for Development of Advanced Computing, 68, Electronics City, Bangalore, India
{anoop, balaji, roshnivs}@cdac.in

Abstract

IoT devices are fast getting embedded into our lives, and when put together they have the potential to generate a precise and detailed history of our lives and store it forever. Their networking and communication power can be unleashed for malicious and sabotage purposes by a motivated attacker sitting in a far corner of the world. Attacks on Industrial IoT systems can cause even greater disasters. It is therefore essential to inculcate the security aspect right from design to development to operations. The first operation of an IoT device is to bootstrap itself, and due importance should be placed on ensuring that this operation is carried out securely and with due diligence. However, it is easier said than done, and this paper outlines several approaches for secure automated bootstrapping and also proposes a new method, which is compared against the existing mechanisms on several qualitative factors.

1. Prologue

Amazon launched “” [1] in November 2014. Alexa is a virtual assistant which comes with the Echo line of smart speakers. It is capable of voice interaction, control of smart home devices, music playback, setting alarms, making calls, checking weather and news, and much more. The Google Home [2] series of smart speakers was launched in November 2016. Google Assistant can be used to control thousands of smart-home products from several brands like LG, GE, Whirlpool, Nest etc. Google Home can be asked to change the temperature, dim the lights, turn on a microwave or kettle, and also start a Roomba (robotic vacuum cleaner). It can also turn the TV on/off using Chromecast.

The concept of smart homes and devices is taking off very fast. It appears to make our lives quite easy and comfortable. But turning your home into a computer means facing computer-like problems. The security and performance issues associated with it are quite scary. Let us go back to 2015 [3], when smart hubs from Wink, the maker of a smart home system designed to control lights and other electrical devices from an app, started giving error messages, leading to a disruption of services lasting 12 hours. Owners were not able to control their devices with the Wink app, and any scheduled or other automated processes did not work. While the problem, according to the company, was a “misconfiguration” of a “security measure”, it was reported [4] that the blame should be put on an expired security certificate.

2. Introduction

Let us put together all the smart devices, home appliances, vehicles, sensors and similar electronic gadgets on a network, and we get the Internet of Things (IoT). Kevin Ashton coined the term "Internet of Things (IoT)" and defined it as a system where the internet is connected to the physical world via ubiquitous sensors. It creates a method for the transformation of the physical world into computer-based systems, resulting in performance and efficiency enhancement and financial gains, and reducing human involvement. The number of IoT devices increased 31% year-over-year to 8.4 billion in 2017 [5], and it is estimated that there will be 30 billion IoT devices by 2020 [6]. Many more devices are or will be connected through serial links. While the scale of IoT is growing bigger day by day, the task of adding new devices and bootstrapping them at such a large scale remains an open problem. Meanwhile, IoT is turning from the Internet of Things into the Internet of Hackable Things [7].

Classic information security has been all about confidentiality, integrity and availability. Someone should not steal my data (confidentiality), modify it (integrity), or prevent us from obtaining it (availability). Confidentiality attacks have targeted the internet world in most instances. They are expensive, embarrassing and harmful. In August 2014, a large collection of private pictures of celebrities (largely women) was posted on imageboards like 4chan and later disseminated to other websites and social media. The images were initially believed to have been obtained through a vulnerability in Apple's cloud services suite iCloud, but later it was revealed that access was gained through targeted phishing attacks [8].

In July 2015, the group "The Impact Team" stole the user data of the commercial website ‘Ashley Madison’, known for enabling extramarital affairs. The group made copies of the website’s user database and all the personal information in it and threatened to release it if the website did not stop its operations. Later, in August 2015, they released more than 25 GB of company data and user details [9].

While confidentiality attacks seem more pertinent, integrity and availability attacks pose graver risks. Threats like manipulated counts in an EVM (Electronic Voting Machine), breaking into a house or confining someone to it by hacking a smart door lock, remote murder through hacked medical devices, denying someone access to his own car or allowing a stranger access to it, freezing water pipes through a hacked thermostat, shutting down the electric grid remotely, releasing toxic chemicals or gas into the air through hacked robots or machinery, crashing an aeroplane, and many more may seem overhyped, but they may turn out to be as real as they can be. These increased risks or threats may be attributed to the following factors [13]:

2.1. Turning everything into a computer and allowing software control

As time passes, more devices are coming under software control, thereby making them prone to all the attacks we witness against computers. Though this gives us lots of flexibility and ease of use, it also brings insecurities and vulnerabilities with it. Consider the example of mobiles: while new mobile device models are released every few days from one OEM or another, the monthly security patch updates are limited, let alone major updates. Also, because many of these devices are expensive and last long, we do not replace them as frequently as we can replace a feature phone. Even though some devices get updates for their lifetime, their performance decreases as they become older, and we need to make a choice between performance and a new update [19]. A recent Princeton survey [18] found more than 500,000 insecure devices on the internet.

2.2. Connectivity

As systems become interconnected, vulnerabilities in one system lead to attacks against others. The recent WannaCry [10] ransomware attack in May 2017, which included a "transport" mechanism to automatically spread itself, might open the eyes of enterprises. This transport code scans for vulnerable systems, then uses the EternalBlue [11] exploit to gain access and the DoublePulsar [12] tool to install and execute a copy of itself. With the Internet of Things, exploitable vulnerabilities will be exploited more often. Quantitatively, if n systems are all interacting with each other, that is about n*(n-1)/2 interactions, so 100 systems mean about 5,000 interactions and apparently 5,000 potentially vulnerable points resulting from those interactions. This increases to 45K interactions with just 300 systems and half a million with 1K systems.

2.3. Autonomous Systems

We are moving towards autonomous systems. Autonomous networks, driverless cars, self-regulating electricity grids, automatic payment systems and automated selling/buying of stocks are a few early examples. Autonomy might be great; however, it also implies that the impact of attacks can run automatically, immediately and ubiquitously. The fewer humans in the loop of an attack, the faster it will propagate.

While security experts and engineers are toiling hard to mitigate these risks, we propose a system, AutoAdd (work in progress), which ensures the automatic addition and initial bootstrapping of an IoT device when it is put on the network. Manual bootstrapping requires a human to add a device to a network (network discovery), connect it to a registrar (the system where the device can be registered), set up the key for future secure communication and finally do all the configuration of the device for its functioning in the network domain; AutoAdd will automate all of these processes. There are billions of devices and at least thousands of manufacturers. So how do we identify and trust a device? Similarly, there are many networks; how does the device know that it is working only with its owner and not with some imposter network? Remember, there are hostile devices on the network, and there are hostile networks that might attempt to take over the device. Basically, we need to establish the identity/authenticity of the device; check whether the device is compromised or not; establish the identity of the network/domain; and finally check whether the domain is the correct one.

3. Study of Current Approaches

3.1. TOFU (Trust on First Use)

TOFU (Trust on First Use) [14] calls for accepting and storing a public key or credential associated with an asserted identity, without authenticating that assertion. Subsequent communication that is authenticated using the cached key or credential is secure against a MiTM attack, provided such an attack did not succeed during the vulnerable initial communication.
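To make the TOFU trade-off described above concrete, the following Go program is an added example written for this edit, not code from the paper. It pins the first public key seen for a device identity, in the manner of an SSH known_hosts file, and then plays out both outcomes the text names: after a clean first contact the pinned key authenticates the device's later messages and rejects any substitute key, whereas when the first contact is intercepted the attacker's key is pinned and nothing in TOFU can detect it. The identity sensor-01, the sample message and the Ed25519 keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyChanged is returned when a cached identity presents a key other than the pinned one.
var ErrKeyChanged = errors.New("tofu: public key changed for a cached identity")

// KeyStore caches the first public key seen for each asserted identity,
// in the spirit of an SSH known_hosts file. Constructed for this example.
type KeyStore struct {
	pinned map[string]ed25519.PublicKey
}

// NewKeyStore returns an empty cache.
func NewKeyStore() *KeyStore {
	return &KeyStore{pinned: map[string]ed25519.PublicKey{}}
}

// Accept applies the TOFU rule: an unknown identity is pinned without any check
// (the vulnerable first contact); a known identity must present the pinned key.
// The boolean reports whether the key was newly pinned.
func (s *KeyStore) Accept(identity string, presented ed25519.PublicKey) (bool, error) {
	if pinned, ok := s.pinned[identity]; ok {
		if !bytes.Equal(pinned, presented) {
			return false, ErrKeyChanged
		}
		return false, nil
	}
	s.pinned[identity] = append(ed25519.PublicKey(nil), presented...)
	return true, nil
}

// Authenticate checks a signed message from a known identity against its pinned key.
func (s *KeyStore) Authenticate(identity string, msg, sig []byte) bool {
	pinned, ok := s.pinned[identity]
	return ok && ed25519.Verify(pinned, msg, sig)
}

// TOFUOutcome records what happens in the two scenarios exercised by RunTOFU.
type TOFUOutcome struct {
	HonestPinned         bool // clean first contact: the device's real key is pinned
	LaterMessageVerified bool // a later message signed by the device verifies
	SubstitutionRejected bool // an attacker key offered after pinning is rejected
	AttackerPinned       bool // MiTM on first contact: the attacker's key is pinned
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunTOFU plays out a clean first contact and an intercepted one for a constructed device identity.
func RunTOFU() TOFUOutcome {
	devicePub, devicePriv := mustKey()
	attackerPub, _ := mustKey()
	var o TOFUOutcome

	// Scenario 1: nobody interferes with the first contact.
	clean := NewKeyStore()
	newlyPinned, err := clean.Accept("sensor-01", devicePub)
	o.HonestPinned = newlyPinned && err == nil
	msg := []byte("reading: temperature=21.5") // constructed sample message
	o.LaterMessageVerified = clean.Authenticate("sensor-01", msg, ed25519.Sign(devicePriv, msg))
	_, err = clean.Accept("sensor-01", attackerPub)
	o.SubstitutionRejected = errors.Is(err, ErrKeyChanged)

	// Scenario 2: an attacker sits in the middle of the first contact and presents
	// its own key; TOFU has nothing to check it against and pins it.
	intercepted := NewKeyStore()
	o.AttackerPinned, _ = intercepted.Accept("sensor-01", attackerPub)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunTOFU())
}
```

The fourth field of the outcome is the whole weakness of TOFU as a bootstrapping method: the pinned key is only as trustworthy as the channel on which it first arrived, which is why the approaches that follow add an authenticated source (a server certificate, a manufacturer voucher or an out-of-band channel) for that first credential.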

3.2. Resurrecting Duckling

In the ‘resurrecting duckling’ model [17], a device recognises as its owner the first entity that sends it a secret key and stays loyal to its owner for the rest of its life. It may come to EoL (end of life), or it may be reset. The ownership of the device may also be transferred. It is analogous to imprinting in ducks, where a duckling emerging from its egg recognises as its mother the first moving object it sees that makes a sound, regardless of what it looks like.

3.3. Enrollment over Secure Transport (EST)

In Enrollment over Secure Transport (EST) [15], the client starts a TLS-based HTTPS session with an EST server. Through a part of the URI, a specific EST service is requested during the session. The client authenticates the server and the server authenticates the client. The server verifies whether the client is authorized to use the requested service. Similarly, the client verifies whether the server has proper authorization to serve this client. Upon complete authentication and authorization checks of both parties, the server responds to the client’s request.

3.4. Bootstrapping Remote Secure Key Infrastructures (BRSKI)

An ongoing internet draft, BRSKI (Bootstrapping Remote Secure Key Infrastructures) [16], lists the steps for automatic bootstrapping as follows:
• The Pledge discovers a communication channel to a Registrar.
• The Pledge identifies itself. This is done by presenting an X.509 IDevID credential to the discovered Registrar (via the Proxy) in a TLS (Transport Layer Security) handshake. (The Registrar credentials are only provisionally accepted at this time.)
• The Pledge requests to join the discovered Registrar using a voucher request.
• The Registrar sends the voucher request to the MASA (manufacturer). The URL (Uniform Resource Locator) of the MASA can be in the voucher request or embedded in the Registrar.
• The MASA sends the voucher, which is passed to the Pledge.
• The Pledge verifies the voucher and imprints on the Registrar by sending voucher status telemetry.
• The Registrar verifies the voucher and enrolls the Pledge into the domain.

Here, the pledge is the device to be added to the network/domain; the registrar is the registration authority where devices are registered; the MASA is the manufacturer authorized signing authority; the IDevID is an Initial Device Identity X.509 certificate installed by the vendor on new equipment; and the voucher is a signed statement from the MASA service that indicates to a Pledge the cryptographic identity of the Registrar it should trust.

BRSKI uses a pool of known manufacturers and a well-laid-out procurement process. It basically whitelists all manufacturers and accepts devices only from known manufacturers during bootstrapping. Moreover, BRSKI is a one-time process. It is not automatically restarted when the pledge detects a change in ownership or network, which should be mandatory, given that a device may get stolen and put in some other network after initial bootstrapping.

3.5. EAP-NooB

The EAP-NooB (Extensible Authentication Protocol Nimble out of Band) [20] method is intended for bootstrapping all kinds of Internet-of-Things (IoT) devices that have a minimal user interface and no pre-configured authentication credentials. The secure bootstrapping in this specification makes use of a user-assisted, one-directional OOB (out-of-band) channel between the peer device and the authentication server. The security is based on the assumption that attackers are not able to observe or modify the messages conveyed through the OOB channel. EAP-NooB follows the common approach of performing a Diffie-Hellman key exchange over the insecure network and authenticating the established key with the help of the OOB channel, in order to prevent impersonation and man-in-the-middle (MiTM) attacks.

3.6. AutoAdd (Work in Progress)

When a device is purchased in the real world, usually an invoice is issued in the name of the purchaser with the stamp of the vendor/manufacturer. We propose that, similarly, a digital invoice can be issued which will contain the public key(s) of the and be digitally signed by the manufacturer. The digital invoice may be embedded in the pledge along with the IDevID. A digital invoice may contain the IDevID of the device and the public keys of the Registrars (Ri), digitally signed by the Manufacturer (M), and can be represented as below:

Dig_Invoice = DigSignM {IDevID, PubKey: [R1, R2, .., Rn]}

When a pledge starts the registration process, it presents the digital invoice along with the IDevID. The Registrar can verify the digital signature of the manufacturer on the digital invoice and send a signed note of acceptance to the pledge.

Flag = VerifyDigSignManufacturer (Dig_Invoice, PubKeyM)
If (Flag) Acceptance_Note = DigSignRi {Note}

The pledge can verify the signed note using the public key(s) mentioned in the digital invoice, thereby verifying its true owner.

VerifyDigSignRegistrar (Acceptance_Note, PublicKeyFromDigInvoiceRi)

This process eliminates all the communication overhead with the MASA and the multiple levels of verification (voucher request, voucher, telemetry etc. at the Registrar/MASA/Pledge). From a security point of view, we can claim that, given that the digital invoice is digitally signed by the manufacturer, the public key of the domain owner embedded in the digital invoice cannot be changed; otherwise the verification of the manufacturer’s digital signature at the Registrar end will fail.
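The digital-invoice exchange of Section 3.6, as an added Go example that is not the authors’ implementation: the manufacturer M signs {IDevID, [R1, R2]}, a listed registrar verifies that signature (Flag) and returns a note signed with its own key (Acceptance_Note), and the pledge checks the note only against the registrar keys embedded in its invoice (PublicKeyFromDigInvoiceRi). The program also exercises the paper’s security claim, that a registrar key swapped inside the invoice breaks M’s signature, and the imposter-network case, where a note is signed by a key the invoice does not list. Ed25519 stands in for the signature scheme the paper leaves unspecified; the JSON layout of the invoice, the variable names, the placeholder IDevID-EXAMPLE-0001 and the note text are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DigInvoice is the body of Dig_Invoice = DigSignM {IDevID, PubKey: [R1, .., Rn]}.
// Its JSON layout is an assumption of this example, not a format from the paper.
type DigInvoice struct {
	IDevID        string              `json:"idevid"`
	RegistrarKeys []ed25519.PublicKey `json:"registrar_keys"`
}

// Signed is a serialized body plus an Ed25519 signature over it. It serves both as the
// signed invoice (signed by M) and as Acceptance_Note = DigSignRi {Note} (signed by Ri).
type Signed struct {
	Body, Sig []byte
}

var (
	ErrBadManufacturerSig = errors.New("registrar: manufacturer signature on digital invoice is invalid")
	ErrBadRegistrarSig    = errors.New("pledge: acceptance note is not signed by a registrar listed in the invoice")
)

// IssueInvoice is the manufacturer's step: serialize the invoice and sign it with M's key.
func IssueInvoice(manufPriv ed25519.PrivateKey, inv DigInvoice) (Signed, error) {
	body, err := json.Marshal(inv)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Body: body, Sig: ed25519.Sign(manufPriv, body)}, nil
}

// RegistrarAccept implements Flag = VerifyDigSignManufacturer(Dig_Invoice, PubKeyM)
// and, if the flag is set, Acceptance_Note = DigSignRi {Note}.
func RegistrarAccept(manufPub ed25519.PublicKey, regPriv ed25519.PrivateKey, invoice Signed, note string) (Signed, error) {
	if !ed25519.Verify(manufPub, invoice.Body, invoice.Sig) {
		return Signed{}, ErrBadManufacturerSig
	}
	n := []byte(note)
	return Signed{Body: n, Sig: ed25519.Sign(regPriv, n)}, nil
}

// PledgeVerify implements VerifyDigSignRegistrar(Acceptance_Note, PublicKeyFromDigInvoiceRi):
// the pledge trusts only the registrar keys embedded in its own invoice, never a key received on the network.
func PledgeVerify(inv DigInvoice, note Signed) error {
	for _, rk := range inv.RegistrarKeys {
		if ed25519.Verify(rk, note.Body, note.Sig) {
			return nil
		}
	}
	return ErrBadRegistrarSig
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// AutoAddOutcome records the result of the three exchanges run by RunAutoAdd.
type AutoAddOutcome struct {
	GenuineEnrolled  bool // listed registrar, untouched invoice: pledge accepts the note
	TamperedRejected bool // registrar key swapped inside the invoice: M's signature no longer verifies
	ImposterRejected bool // note signed by a key the invoice does not list: pledge refuses
}

// RunAutoAdd uses constructed keys; "IDevID-EXAMPLE-0001" is a placeholder identifier.
func RunAutoAdd() AutoAddOutcome {
	manufPub, manufPriv := mustKey()
	r1Pub, r1Priv := mustKey()
	r2Pub, _ := mustKey()
	roguePub, roguePriv := mustKey() // an imposter network's registrar
	inv := DigInvoice{IDevID: "IDevID-EXAMPLE-0001", RegistrarKeys: []ed25519.PublicKey{r1Pub, r2Pub}}
	invoice, _ := IssueInvoice(manufPriv, inv)
	var o AutoAddOutcome

	// 1. Genuine flow: R1 checks M's signature, signs a note, and the pledge verifies it with R1's key from the invoice.
	note, err := RegistrarAccept(manufPub, r1Priv, invoice, "accepted into domain example-home")
	o.GenuineEnrolled = err == nil && PledgeVerify(inv, note) == nil

	// 2. The rogue rewrites the invoice body to list its own key but cannot re-sign it as M.
	body, _ := json.Marshal(DigInvoice{IDevID: inv.IDevID, RegistrarKeys: []ed25519.PublicKey{roguePub}})
	_, err = RegistrarAccept(manufPub, roguePriv, Signed{Body: body, Sig: invoice.Sig}, "x")
	o.TamperedRejected = errors.Is(err, ErrBadManufacturerSig)

	// 3. The rogue skips the invoice and just signs a note; the pledge holds no matching key.
	n := []byte("welcome")
	o.ImposterRejected = errors.Is(PledgeVerify(inv, Signed{Body: n, Sig: ed25519.Sign(roguePriv, n)}), ErrBadRegistrarSig)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunAutoAdd())
}
```

Two design points follow from the scheme as the paper states it. The pledge never learns a registrar key from the network; the only keys it will accept a note from are those M signed into the invoice, which is what makes the check offline. And because the note in this sketch is a fixed string, a captured note from a genuine registrar could be replayed to the pledge later; binding the note to the pledge (for example by including the IDevID and a pledge-chosen nonce in the signed body) is the natural hardening for a full design.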

4. Comparison Chart

Table 1. Comparison of different Bootstrapping Methods.

Approach | Security | Constraints
TOFU | Vulnerable initial communication | No authentication of the initial assertion
Resurrecting Duckling | No owner authentication | Anyone can be the owner
EST | TLS-secured HTTP session between client and server, authenticating both device and domain | Online service
BRSKI | Authenticating both device and domain | Online service & MASA should always be online; no automatic re-run of BRSKI on network or ownership change
EAP-NooB | Security dependent on Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange and manual assistance | Manual intervention for OOB authentication; not scalable
AutoAdd | Easy offline authentication of both device and domain | NA

5. Conclusion

We have outlined a number of approaches that are currently followed for the bootstrapping of IoT devices, along with their merits and demerits. We have also highlighted several security concerns that would have to be addressed for booting up and bringing an IoT device into operation. We have also presented our own approach and have done a qualitative comparison against the existing methods in terms of security and ease of use. AutoAdd can serve as a secure automatic bootstrapping method for IoT devices.

References

[1] Amazon Alexa, https://developer.amazon.com/alexa
[2] Google Home, https://assistant.google.com/platforms/speakers/
[3] Wink smart home hub goes stupid in security certificate snafu, https://www.geekwire.com/2015/wink-smart-home-hub-goes-stupid-in-security-certificate-snafu/
[4] Wink smart home hubs knocked out by security certificate, https://www.engadget.com/2015/04/19/wink-home-automation-hub-bricked/
[5] http://www.faz.net/aktuell/wirtschaft/diginomics/grosse-internationale-allianz-gegen-cyber-attacken-15451953-p2.html?printPagedArticle=true#pageIndex_1
[6] Nordrum, Amy (18 August 2016). "Popular Internet of Things Forecast of 50 Billion Devices by 2020 Is Outdated". IEEE. https://spectrum.ieee.org/tech-talk/telecom/internet/popular-internet-of-things-forecast-of-50-billion-devices-by-2020-is-outdated
[7] https://motherboard.vice.com/en_us/topic/The-Internet-of-Hackable-Things
[8] iCloud leaks of celebrity photos, https://en.wikipedia.org/wiki/ICloud_leaks_of_celebrity_photos
[9] Ashley Madison data breach, https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
[10] WannaCry ransomware attack, https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
[11] EternalBlue, https://en.wikipedia.org/wiki/EternalBlue
[12] DoublePulsar, https://en.wikipedia.org/wiki/DoublePulsar
[13] The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters, https://motherboard.vice.com/en_us/article/qkjzwp/the-internet-of-things-will-cause-the-first-ever-large-scale-internet-disaster
[14] Opportunistic Security: Some Protection Most of the Time, https://tools.ietf.org/html/rfc7435
[15] Enrollment over Secure Transport, https://tools.ietf.org/html/rfc7030
[16] Bootstrapping Remote Secure Key Infrastructures (BRSKI), https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-15
[17] The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks, https://www.cl.cam.ac.uk/~fms27/papers/1999-StajanoAnd-duckling.pdf
[18] Princeton Survey, https://freedom-to-tinker.com/2016/01/19/who-will-secure-the-internet-of-things/
[19] Message from Apple, https://www.apple.com/in/iphone-battery-and-performance/
[20] Aura, Tuomas, and Mohit Sethi. "Nimble out-of-band authentication for EAP (EAP-NOOB)." draft-aura-eap-noob-01 (work in progress) (2016).