Onboarding in the IoT
Download as PPTX, PDF2 likes1,743 views
The document discusses different types of onboarding processes for Internet of Things (IoT) devices and identifies security, usability, granularity, and interoperability issues. It provides report cards grading the different onboarding types and identifies ways to improve the processes, such as applying a delegated authorization model and developing intuitive authorization ceremonies for constraining devices and apps. The ideal solution is to use secondary credentials like tokens instead of primary credentials where possible to improve security.
Onboarding in the IoT
- 1. ON-BOARDING IN THE IOT – A REPORT CARD Paul Madsen Senior Technical Architect Ping Identity (The Identity Division of Vista Equity) Copyright © 2014 Ping Identity Corp. All rights reserved. 1
- 2. Onboarding, process of provisioning a client with credentials for accessing a network resource and assigning appropriate permissions Copyright © 2014 Ping Identity Corp. All rights reserved. 2
- 3. Flavours of onboarding in Smart Home • Device to Device – E.g Getting a device onto home wifi • User(Device) to Device – E.g. Getting house guest onto home wifi • Device to Application – Binding a device to a cloud account • Application to Application – Assigning a web app permissions to access API data Copyright © 2014 Ping Identity Corp. All rights reserved. 3
- 4. Copyright © 2014 Ping Identity Corp. All rights reserved. 4
- 5. Desired qualities •Security – must not leak credentials nor create opportunity for MITM to insert themselves into process •Usable – intuitive, learnable & consistent •Granularity – associated permissions should be constrained beyond y/n •Interoperability – proprietary doesn’t scale (nor enable consistency) Copyright © 2014 Ping Identity Corp. All rights reserved. 5
- 6. Device to Device Copyright © 2014 Ping Identity Corp. All rights reserved. 6
- 7. Copyright © 2014 Ping Identity Corp. All rights reserved. 7
- 8. Copyright © 2014 Ping Identity Corp. All rights reserved. 8
- 9. WiFi Provisioning mechanisms • Device hotspot • WPS Push Button • Apple Wireless Accessory Configuration (WAC) • TI SmartConfig • OOB, eg BLE, BlinkUp, NFC Copyright © 2014 Ping Identity Corp. All rights reserved. 9
- 10. Insecure • Lifx bulb creates its own WiFi AP in order to collect creds of house WiFi • If turned on/off 5 times, bulb resets & creates a new hotspot • If attacker creates their own hotspot at same time, user can be phished into providing wifi creds
- 11. Proprietary Copyright © 2014 Ping Identity Corp. All rights reserved. 11 • TI SmartConfig app provisions SSID credentials to specialized CC3000 chip • App encodes credentials as length of UDP packets • CC3000 can see the encrypted packets and their sizes. • Chip can decode SSID & pwd– even from encrypted packets
- 12. Weird…. Copyright © 2014 Ping Identity Corp. All rights reserved. 12 • ElectricImp BlinkUp app transmits wifi creds by rapidly flashing light pulses on the device’s screen • Light flashes picked up by optical sensor on device • Wifi creds decoded and network joined
- 13. Report card Copyright © 2014 Ping Identity Corp. All rights reserved. 13 Security Usability Granularity Interoperab ility Device to Device C- B- D D User(Devic e) to Device Device to Application Application to Application
- 14. User (Device) to Device Copyright © 2014 Ping Identity Corp. All rights reserved. 14
- 15. Copyright © 2014 Ping Identity Corp. All rights reserved. 15
- 16. Copyright © 2014 Ping Identity Corp. All rights reserved. 16
- 17. Google OnHub password sharing Copyright © 2014 Ping Identity Corp. All rights reserved. 17
- 18. Authorization features Copyright © 2014 Ping Identity Corp. All rights reserved. 18
- 19. But •Current authz constraint & automation mechanisms are defined in terms of the device •Doesn’t adequately account for shared devices •Should instead manage the combination of the user & the device (ie relationship) Copyright © 2014 Ping Identity Corp. All rights reserved. 19
- 20. Copyright © 2014 Ping Identity Corp. All rights reserved. 20
- 21. Password anti-pattern (in the small) •Discourages strong wifi passwords •No granularity of authorizations •Phishable •Difficult to revoke permissions Copyright © 2014 Ping Identity Corp. All rights reserved. 21
- 22. Copyright © 2014 Ping Identity Corp. All rights reserved. 22
- 23. Report card Copyright © 2014 Ping Identity Corp. All rights reserved. 23 Security Usability Granularity Interoperab ility Device to Device C- B- D D User(Devic e) to Device C- B+ C B- Device to Application Application to Application
- 24. Device to Application Copyright © 2014 Ping Identity Corp. All rights reserved. 24
- 25. Two fold• How to – bind a specific device to an existing account at an IoT provider – Issue that device with a credential that can be used to authenticate to a cloud endpoint Copyright © 2014 Ping Identity Corp. All rights reserved. 25
- 26. Current model Copyright © 2014 Ping Identity Corp. All rights reserved. 26 Devi ce Serve r Serve r x.509 (or key pair) pwd
- 27. A new anti-pattern? •Normal challenges of lifecycle management of certs, ie PKI •Can’t support shared devices •Doesn’t inhibit correlation Copyright © 2014 Ping Identity Corp. All rights reserved. 27
- 28. Authentication Chain Copyright © 2014 Ping Identity Corp. All rights reserved. 28 Attestation keys Device generated keys Signed device keys User creds Tokens
- 29. Report card Copyright © 2014 Ping Identity Corp. All rights reserved. 29 Security Usability Granularity Interoperab ility Device to Device C- B- D D User(Devic e) to Device C- B+ C B Device to Application C B D D Application to Application
- 30. Application to Application Copyright © 2014 Ping Identity Corp. All rights reserved. 30
- 31. Good news Copyright © 2014 Ping Identity Corp. All rights reserved. 31
- 32. Cautionary tale • OAuth 2.0 is not a silver bullet • Doesn’t guarantee appropriate permissions/scopes • Authz to ‘close’ door should not necessarily mean authz to ‘open door’ Copyright © 2014 Ping Identity Corp. All rights reserved. 32
- 33. Report card Copyright © 2014 Ping Identity Corp. All rights reserved. 33 Security Usability Granularity Interoperab ility Device to Device C- B- D D User(Devic e) to Device C- B+ C B Device to Application C B D D Application to Application B+ B+ B- A-
- 34. Copyright © 2014 Ping Identity Corp. All rights reserved. 34
- 35. Time to graduate Problem is using primary credentials (certs, device keys, passwords) where secondary (tokens) are more appropriateCopyright © 2014 Ping Identity Corp. All rights reserved. 35
- 36. Copyright © 2014 Ping Identity Corp. All rights reserved. 36
- 37. Need to apply delegated authz model to all flavours of Smart Home onboarding (and not just app to app) Copyright © 2014 Ping Identity Corp. All rights reserved. 37
- 38. What do we need • OAuth AS capabilities in routers/hubs – Emerging authz features in routers a first step? • Bindings of delegated authz model to constrained IoT protocols – a la IEF ACE WG – NAPPS TA? • Intuitive & usable authz ceremonies – App-based – Voice? Amazon Echo et al Copyright © 2014 Ping Identity Corp. All rights reserved. 38
- 39. Copyright © 2014 Ping Identity Corp. All rights reserved. 39
- 40. THANKS @paulmadsen Copyright © 2014 Ping Identity Corp. All rights reserved. 40
Editor's Notes
- #4: What these all share is the concept of 1) provisioning credentials to some client/actor and 2) constraining the privileges assigned to that client/actor
- #37: If you do the authentication piece of onboarding wrong, you can’t do the authorization piece right. Shaky foundation Fundamental problem is relying on primary credentials for authentication to applications/resources instead of secondary credentials