WEBINAR
AUTHENTICATING “THINGS”
THE PITFALLS AND PROMISES
OF AUTHENTICATION IN THE CONSUMER IoT
JUNE 2016
MICHAEL THELANDER
AGENDA
1. WHAT’S SO REVOLUTIONARY? Industrial vs. consumer IoT; unexpected risks and rewards
2. AUTHENTICATION IN THE IoT: Authentication standards and guidelines; “Three from Three” guidance
3. IF AUTHENTICATION FAILS: New and frightening hacks; what’s next?
4. YOU ARE YOUR DEVICE: Your device as your proxy
WHAT’S SO
REVOLUTIONARY…
ABOUT THE INTERNET OF THINGS?
A MERCANTILE REVOLUTION
Trade goods shown on the map: guns, cloth, iron and beer; slaves, gold, spices; slaves, raw sugar and molasses; whale oil, lumber, cotton, rum and tobacco.
The crown orchestrated a complex global dance that leveraged the best knowledge and the most favorable terms anywhere in the world.
At the top of the pyramid, Great Britain used these imports to manufacture and distribute complex products that created vast wealth and power.
• Closer to the raw materials needed for production
• Respond immediately to change
• Intimate understanding of all parts of a complex process
• Organize and manage their own markets
That’s a bit like what’s happening
in the industrial IoT today.
MICHAEL THELANDER
PRODUCT MARKETING MANAGER, AUTHENTICATION
• Manages go-to-market, launch and customer education activities for iovation’s authentication products.
• 20 years in VP- and director-level product management and marketing roles for technology and information security companies.
What about the consumer IoT?
TWO FACES OF THE IoT
KEY DIFFERENCES BETWEEN INDUSTRIAL AND CONSUMER IoT
INDUSTRIAL IoT
• Security and privacy standards and guidelines are an inherent part of the picture
• Device lifespan can be measured in decades
• The real-time operating system (RTOS) is critical
• Continuity of data is a major consideration
CONSUMER IoT
• Minimal attention to security standards and guidelines; consumers blasé about privacy
• Device lifespan can be measured in months
• Less-than-critical infrastructure in most current cases
• Gaps in data flow are expected
“The smartphone will become the foundational banking tool.”
Security. Privacy.
“BIG DATA” BECOMES PERSONAL
INTERNET-CONNECTED DEVICES: 4.9 B in 2015 → 20.8 B in 2020 (roughly a 4x increase)
STORAGE REQUIRED FOR THE DATA: 10,000 EB in 2015 → 40,000 EB in 2020 (400%)
(One exabyte can hold 500 to 1000 times the entire content of the Library of Congress.)
AUTHENTICATION
IN THE IoT
Authentication.
“Hello. It’s me.”
“These technical guidelines cover remote digital authentication of human users to IT systems over a network… However, [they] do not specifically address machine-to-machine (such as router-to-router) authentication, or establish specific requirements for issuing authentication credentials and authenticators to machines and servers when they are used in authentication protocols with people.”
(NIST SP 800-63; the new revision, SP 800-63-3, was due soon at the time of the talk.)
THREE FROM THREE
GUIDANCE FROM THREE PIECES OF RECENT RESEARCH
“Others have pointed to the need to research methods that provide context-based authentication as a new factor in an authentication process.”
THREE FROM THREE: CSA
CLOUD SECURITY ALLIANCE – IRM AND SMARTPHONES
1. Identity Relationship Management (IRM) replaces IAM
• Consumers and things over employees
• Internet scale over enterprise scale
• Borderless over perimeter
2. Use of smartphones as a primary means of authentication in the IoT
• Context-based authentication over MFA
• Enterprise-level local authentication to IoT devices
• A single sensor for multiple authentication methods
THREE FROM THREE: CSA
IoT SECURITY FOR CONSUMER DEVICES
3. Leverage the security controls built into standards-based IoT protocols
Machine-to-machine authentication options by protocol:
  Protocol       M2M auth options
  MQTT           Username / password (carried in the CONNECT packet; only protected if the session is wrapped in TLS)
  CoAP           Pre-shared key, raw public key (DTLS security modes; RFC 7252 also defines a certificate mode)
  XMPP           Multiple options
  DDS            X.509 certificates (PKI), tokens
  Zigbee         Pre-shared keys
  Bluetooth      Shared key
  Bluetooth LE   Connection Signature Resolving Key (CSRK)
  HTTP/REST      TLS or OAuth 2
CLOUD SECURITY ALLIANCE SUMMARY GUIDANCE ON IoT (on CoAP)
• Low memory: works on microcontrollers with as little as 10 KiB of RAM
• Default choice of DTLS parameters (elliptic-curve suites on a 256-bit curve) is equivalent in strength to 3072-bit RSA keys
• CoAP integrates with XML, JSON, CBOR, or the data format of choice
• REST model integrates with typical sites and applications
“No single method for peer authentication and end-to-end data protection meets the Internet of Things (IoT) device security and operational requirements.”
THREE FROM THREE: GARTNER
IT’S NOT JUST A PHONE
1. Mobile devices can be gateways, consumers, or IoT nodes
NOT ALL DEVICES ARE CREATED EQUAL
2. Understand domains, classes of devices, and “delegation of trust”
• Class 1: Simple sensors or actuators
• Class 2: Can perform storage or analysis, e.g. hubs, concentrators, gateways
• Class 3: Complex devices and servers that can act as aggregators, e.g. security analytics
TRUST MODELS MATTER
3. Build a trust model based on “hops”
• No hop: trust is achieved by the device authenticating to the local gateway
• Single hop: the device authenticates to the gateway, and the gateway to an IoT service or application
• Multihop: trust is achieved by devices authenticating to trust anchors (gateways); the trust anchors then federate trust across all required domains and trust models
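The protocol table and the hop model above fit together, and the following Python is an added example of how (it is not code from the talk, from the CSA or from Gartner). A Class 1 device proves possession of a pre-shared key to its local gateway in a challenge-response, which is the shape of the CoAP/DTLS-PSK and Zigbee options in the table (no hop). The gateway then vouches for the device to an IoT service (single hop), or to another trust anchor that re-vouches in turn (multihop). Each anchor verifies only the hop it received from before adding its own signature, so the service needs the key of the last anchor only; that is what “delegation of trust” buys you. HMAC-SHA256 stands in for the certificates or DTLS handshake a real deployment would use, and every device ID, key and trust table here is constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample key material. All identifiers and keys are hypothetical and
# exist only for this example; a real deployment provisions them per device.
DEVICE_PSK = {"sensor-01": bytes.fromhex("000102030405060708090a0b0c0d0e0f")}
ANCHOR_KEY = {
    "gw-home": bytes.fromhex("a0" * 32),
    "gw-city": bytes.fromhex("b1" * 32),
    "gw-rogue": bytes.fromhex("c2" * 32),   # an anchor nobody has agreed to trust
}
# Each party's trust table: the device PSKs it holds and the anchors it accepts.
# Device keys live only at the local gateway; upstream parties never see them.
TRUST = {
    "gw-home": {"devices": DEVICE_PSK, "anchors": {}},
    "gw-city": {"devices": {}, "anchors": {"gw-home": ANCHOR_KEY["gw-home"]}},
    "iot-svc": {"devices": {}, "anchors": {"gw-home": ANCHOR_KEY["gw-home"],
                                           "gw-city": ANCHOR_KEY["gw-city"]}},
}


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def device_response(device_id: str, psk: bytes, nonce: bytes) -> bytes:
    """Device side of a PSK challenge-response; the nonce prevents replay."""
    return mac(psk, b"psk-auth|" + device_id.encode() + b"|" + nonce)


def local_auth(gateway: str, device_id: str, nonce: bytes, response: bytes) -> bool:
    """No hop: the local gateway checks the response against the PSK it holds."""
    psk = TRUST[gateway]["devices"].get(device_id)
    if psk is None:
        return False
    return hmac.compare_digest(response, device_response(device_id, psk, nonce))


def vouch(anchor: str, claim: dict, inner: Optional[dict] = None) -> dict:
    """An anchor signs a claim with its own key; `inner` carries the previous hop's envelope."""
    body = {"anchor": anchor, "claim": claim, "inner": inner}
    return {**body, "sig": mac(ANCHOR_KEY[anchor], canonical(body)).hex()}


def verify_hop(verifier: str, env: dict) -> bool:
    """Check only the outermost signature, against the anchors this verifier trusts.
    Inner hops were checked by the anchor that co-signed them: that is the delegation."""
    key = TRUST[verifier]["anchors"].get(env["anchor"])
    if key is None:
        return False
    body = {k: env[k] for k in ("anchor", "claim", "inner")}
    return hmac.compare_digest(bytes.fromhex(env["sig"]), mac(key, canonical(body)))


def forward(anchor: str, env: dict) -> dict:
    """Multihop: an anchor re-vouches for an envelope only after verifying where it came from."""
    if not verify_hop(anchor, env):
        raise PermissionError(f"{anchor}: envelope not from a trusted anchor, or tampered")
    return vouch(anchor, env["claim"], inner=env)


def run_scenarios() -> dict:
    nonce = secrets.token_bytes(16)                      # gateway's challenge
    resp = device_response("sensor-01", DEVICE_PSK["sensor-01"], nonce)
    results = {}
    # No hop: a Class 1 sensor proves itself to its local gateway and nothing else.
    results["no_hop"] = local_auth("gw-home", "sensor-01", nonce, resp)
    results["no_hop_wrong_psk"] = local_auth("gw-home", "sensor-01", nonce, b"\x00" * 32)
    # Single hop: the gateway vouches to the IoT service, which trusts gw-home directly.
    claim = {"device": "sensor-01", "authenticated_by": "gw-home", "nonce": nonce.hex()}
    single = vouch("gw-home", claim)
    results["single_hop"] = verify_hop("iot-svc", single)
    # Multihop: gw-home -> gw-city -> service. The service checks gw-city's signature only.
    multi = forward("gw-city", single)
    results["multi_hop"] = verify_hop("iot-svc", multi)
    # Failure modes: a claim altered in transit, and an anchor nobody trusts.
    tampered = {**multi, "claim": {**claim, "device": "sensor-99"}}
    results["tampered"] = verify_hop("iot-svc", tampered)
    results["rogue_anchor"] = verify_hop("iot-svc", vouch("gw-rogue", claim))
    try:
        forward("gw-city", vouch("gw-rogue", claim))
        results["rogue_forward_refused"] = False
    except PermissionError:
        results["rogue_forward_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {ok}")
```

The point to take from the trust tables is that compromise is contained per domain: a stolen device PSK lets an attacker impersonate that one sensor to gw-home, but nothing lets a party the service has not enrolled mint an envelope the service will accept.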
“Authentication is the process of verification that an individual, entity or website is who it claims to be.”
THREE FROM THREE: OWASP
IoT SECURITY GUIDANCE IN THREE CATEGORIES
1. The only guidance written from three different perspectives:
• Manufacturer IoT Guidance: to help manufacturers build more secure products in the Internet of Things space
• Developer IoT Guidance: to help developers build more secure applications in the Internet of Things space
• Consumer IoT Guidance: to help consumers purchase secure products in the Internet of Things space
THREE FROM THREE: OWASP
MULTI-PART SECURITY AND PRIVACY FRAMEWORK
2. A comprehensive framework:
• 1 IoT Framework Security Considerations: Definitions
• 2 Edge: Framework Considerations for the Edge Component
• 3 Gateway: Framework Considerations for the Gateway Component
• 4 Cloud: Framework Considerations for the Cloud Component
• 5 Mobile: Framework Considerations for the Mobile Component
Edge component considerations (from part 2):
• Communications encryption
• Storage encryption
• Strong logging
• Auto updates / versioning
• Update verification
• Cryptographic ID capabilities
• No default passwords
• Offline security features
• Configurable root trust store
• Device and owner authentication
• Transitive ownership capabilities
• Defensive capabilities
• Plugin or extension verify, report, update
• Secure M2M
• Secure web interface
• Utilize established protocols
• Latest, updated 3rd-party components
• Use of hardware device
• Support MFA
• Temporal and spatial authentication
• Tracks data from insecure sources
• Features disabled by default
• Written in programming languages that possess security countermeasures
• Device monitoring and management capabilities
THREE FROM THREE: OWASP
FOCUS ON TESTING
3. Provides a unique focus on authentication testing:
• Assess the solution for the use of strong passwords where authentication is needed
• Assess the solution for multi-user environments and ensure it includes functionality for role separation
• Assess the solution for implementation of two-factor authentication where possible
• Assess password recovery mechanisms
• Assess the solution for the option to require strong passwords
• Assess the solution for the option to force password expiration after a specific period
• Assess the solution for the option to change the default username and password
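The checklist above is the kind of thing a tester ends up scripting, so here is an added Python example of doing that (it is not OWASP’s code or tooling). It records what an assessor learns about a device’s authentication as a small config object, runs each checklist item against it, and returns one finding per failure. The default-credential list, the strength rule (12+ characters from at least three classes), the set of recovery methods treated as weak, and the two sample camera configurations are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed list of factory credentials to test against; a real assessment uses the
# vendor's documented defaults for the device under test.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234")}
# Assumption for this example: recovery flows that leak or guess the secret count as weak.
WEAK_RECOVERY = {"security_questions", "emails_plaintext_password"}


@dataclass
class AuthConfig:
    """What a tester records about a device's web interface or app authentication."""
    users: dict                    # username -> {"password": str, "role": str}
    can_change_default: bool       # can the factory username/password be changed?
    enforces_strong_passwords: bool
    password_expiry_days: int      # 0 means passwords never expire
    mfa_supported: bool
    recovery_method: str


def is_strong(password: str) -> bool:
    """Assumed policy for the example: 12+ characters drawn from at least three classes."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(password) >= 12 and classes >= 3


def assess(cfg: AuthConfig) -> list:
    """Return one finding per failed checklist item (an empty list means every item passed)."""
    findings = []
    for user, rec in cfg.users.items():
        if (user, rec["password"]) in DEFAULT_CREDS:
            findings.append(f"default credentials still in use for '{user}'")
        elif not is_strong(rec["password"]):
            findings.append(f"weak password for '{user}'")
    if not cfg.can_change_default:
        findings.append("no option to change the default username and password")
    if len(cfg.users) > 1 and len({r["role"] for r in cfg.users.values()}) < 2:
        findings.append("multi-user environment without role separation")
    if not cfg.mfa_supported:
        findings.append("no two-factor authentication option")
    if not cfg.enforces_strong_passwords:
        findings.append("no option to require strong passwords")
    if cfg.password_expiry_days <= 0:
        findings.append("no option to force password expiration")
    if cfg.recovery_method in WEAK_RECOVERY:
        findings.append(f"weak password recovery mechanism: {cfg.recovery_method}")
    return findings


# Constructed sample configurations: a camera straight out of the box, and the same
# camera after its owner has hardened it.
FACTORY = AuthConfig(
    users={"admin": {"password": "admin", "role": "admin"},
           "guest": {"password": "guest", "role": "admin"}},
    can_change_default=False, enforces_strong_passwords=False,
    password_expiry_days=0, mfa_supported=False, recovery_method="security_questions",
)
HARDENED = AuthConfig(
    users={"owner": {"password": "Kettle-Orbit-7Lamps!", "role": "admin"},
           "viewer": {"password": "Quiet-Marble-42Ferns", "role": "read-only"}},
    can_change_default=True, enforces_strong_passwords=True,
    password_expiry_days=90, mfa_supported=True, recovery_method="email_reset_link",
)

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, assess(cfg) or ["all checks passed"])
```

One caveat on the expiration item: the checklist reflects OWASP’s 2014 guidance, and NIST’s later SP 800-63B advises against forcing periodic password changes unless there is evidence of compromise, so treat that check as “the option exists” rather than “rotation is enforced”.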
SUMMARIZING THE “THREE FROM THREE”
1. Identity relationship management, not IAM, is key
2. Smartphones will be the primary means of authentication in the IoT
3. Leverage built-in security controls
4. Mobile devices will fill multiple roles in the IoT scheme
5. Domains and classes drive delegation-of-trust models
6. Build your trust model based on “hops”
7. Multiple perspectives matter
8. OWASP provides a comprehensive framework
9. OWASP provides a unique authentication focus
AUTHENTICATION FAIL
INTRIGUING HACKS IN THE IoT
YOU ARE YOUR DEVICE
YOUR TRUSTWORTHY PROXY?
“Hello. It’s me.”
Context and risk signals around the device: BIOMETRICS, IP ADDRESS, JAILBROKEN OR ROOTED, GEO LOCATION, ASSOCIATIONS, SECURITY RISK
DEVICE-BASED AUTHENTICATION
THE USER’S DEVICE AS A ROBUST, INVISIBLE SECOND FACTOR
Web device print (examples of collected attributes):
• MD5 hash of the full font list
• Random sample of 15 fonts
• Flash SharedObjects not writable
• Real IP, obtained via a Flash socket on port 843
• Boolean indicator: Flash took longer than expected to execute
• Accepted character sets in HTTP header
• Accepted languages in HTTP header
• Browser user-agent comment string
• Browser name / OS / version / language
• Cookie writes excluded
• Boolean indicator: JavaScript enabled
• Count of fonts in the full list
• Flash 3-part version (16.0.0)
• Flash 4-part version (16.0.0.305)
• List of browser plugins
• JavaScript screen resolution
• Simbar toolbar GUID from HTTP header
• Timezone offset in minutes
• ... and more
iOS SDK:
• WiFi (or Bluetooth) MAC address
• Network configuration
• iOS device model
• Battery level / AC mode
• Device orientation
• File system size
• Physical memory
• CPU type / count / speed
• Number of attached accessories
• Has proximity sensor?
• Screen brightness and resolution
• System uptime
• iOS device name (MD5 hash)
• OS name and/or version
• Device advertising UUID
• Kernel version
• iCloud Ubiquity token
• Application vendor UUID / name / version
• Locale language / currency code
• … and hundreds more
Android SDK:
• Model and device model
• Build.DEVICE and Build.HARDWARE
• Build.HOST and Build.ID
• Manufacturer
• Build.PRODUCT and Build.TIME
• Network operator ID and name
• SIM operator ID and country
• System uptime in seconds
• Is the device plugged in
• CPU type
• Physical memory
• Unique build fingerprint of app
• Android SDK level
• Android build number (DISPLAY)
• Android device system version
• Detected attempt at hiding root detection
• Kernel version (was AKV)
• Android locale country code
• Desktop wallpaper hash
• … and hundreds more
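What turns a pile of attributes like these into a second factor is the matching logic, which the lists do not show. The following Python is an added example of that logic and is not iovation’s SDK or algorithm: it splits the attributes into ones that are stable across sessions (hashed into the fingerprint) and ones that change minute to minute (battery level, uptime, orientation), scores a later sighting by how many stable attributes still agree so an OS update does not look like a brand-new phone, then folds in the context signals from the previous slide (rooted, root-hiding detected, country of the IP address) to decide between allowing, stepping up to another factor, and denying. SHA-256 is used for the hash where the slide mentions MD5; for bucketing attributes either works, but there is no reason to pick MD5 for new code. The attribute names, the 0.8 threshold, the decision rules and the sample handset data are all constructed assumptions.

```python
import hashlib
import json

# Attributes of the kinds the slide lists, split by how they behave over time.
# Stable ones go into the fingerprint; volatile ones change between sessions and are
# deliberately left out so a battery charge or a reboot does not look like a new device.
STABLE = ("manufacturer", "model", "hardware", "build_id", "sdk_level", "cpu_type",
          "physical_memory", "screen", "locale", "timezone_offset")
VOLATILE = ("battery_level", "uptime_seconds", "orientation", "plugged_in")
RISK_FLAGS = ("rooted", "root_hiding_detected")


def fingerprint(attrs: dict) -> str:
    """Hash of the stable attributes only."""
    stable = {k: attrs.get(k) for k in STABLE}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()


def similarity(a: dict, b: dict) -> float:
    """Fraction of stable attributes that agree, so a few drifted fields (an OS update
    changes build_id and sdk_level) still count as the same device."""
    return sum(a.get(k) == b.get(k) for k in STABLE) / len(STABLE)


def evaluate(enrolled: dict, current: dict, threshold: float = 0.8) -> dict:
    """Device-as-second-factor decision: allow, step_up or deny (rules are assumptions)."""
    sim = similarity(enrolled["attrs"], current["attrs"])
    exact = fingerprint(enrolled["attrs"]) == fingerprint(current["attrs"])
    recognised = exact or sim >= threshold
    risks = [flag for flag in RISK_FLAGS if current["attrs"].get(flag)]
    if current["ip_country"] != enrolled["ip_country"]:
        risks.append("geo_change")
    if "rooted" in risks and "root_hiding_detected" in risks:
        decision = "deny"        # tampered device actively hiding it: not a trustworthy proxy
    elif not recognised or risks:
        decision = "step_up"     # unknown device or risky context: ask for another factor
    else:
        decision = "allow"       # recognised device, clean context: the invisible second factor
    return {"exact": exact, "similarity": sim, "risks": risks, "decision": decision}


# Constructed sample data: one enrolled Android handset and four later sightings.
ENROLLED = {
    "ip_country": "US",
    "attrs": {"manufacturer": "Acme", "model": "A1", "hardware": "acme-a1", "build_id": "MMB29K",
              "sdk_level": 23, "cpu_type": "arm64-v8a", "physical_memory": 3_000_000_000,
              "screen": "1080x1920", "locale": "en_US", "timezone_offset": -420,
              "battery_level": 71, "uptime_seconds": 8123, "orientation": "portrait",
              "plugged_in": False},
}


def sightings() -> dict:
    base = dict(ENROLLED["attrs"])
    same_later = {**base, "battery_level": 12, "uptime_seconds": 99999, "plugged_in": True}
    after_os_update = {**base, "build_id": "NRD90M", "sdk_level": 24}
    rooted_hiding = {**base, "rooted": True, "root_hiding_detected": True}
    other_phone = {**base, "manufacturer": "Other", "model": "X9", "hardware": "x9",
                   "build_id": "Q1", "cpu_type": "armeabi-v7a",
                   "physical_memory": 1_000_000_000, "screen": "720x1280"}
    return {
        "same_device": evaluate(ENROLLED, {"ip_country": "US", "attrs": same_later}),
        "os_update": evaluate(ENROLLED, {"ip_country": "US", "attrs": after_os_update}),
        "rooted_hidden": evaluate(ENROLLED, {"ip_country": "US", "attrs": rooted_hiding}),
        "new_device_abroad": evaluate(ENROLLED, {"ip_country": "RO", "attrs": other_phone}),
    }


if __name__ == "__main__":
    for name, verdict in sightings().items():
        print(f"{name:18s} sim={verdict['similarity']:.2f} risks={verdict['risks']} -> {verdict['decision']}")
```

Two design points worth noticing: the fingerprint is a recognition signal, not a secret, so an attacker who can replay every stable attribute (for instance from a cloned or emulated device) gets “recognised”, which is why the risk flags are evaluated independently of recognition; and the similarity threshold trades false rejections after updates against false acceptances by look-alike devices, so it should be tuned per platform rather than fixed.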
Q&A
CONTACT US
www.iovation.com
twitter.com/iovation
AuthentiThings: The Pitfalls and Promises of Authentication in the IoT