Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer

Perception of Security Issues in the
Development of Cloud-IoT Systems
by a Novice Programmer
Fulvio CORNO, Luigi DE RUSSIS, and Luca MANNELLA
e-Lite Research Group, Politecnico di Torino, Turin, Italy
WoRIE’21: June 22nd, 2021
10th Workshop On the Reliability of Intelligent Environments

OUTLINE
• Introduction
• Use Case Architecture Analysis
• Amazon Web Services Security Analysis
• Developers’ Perspective on AWS Security
• Conclusions & Discussions
2021-06-22
WORIE'21: FULVIO CORNO, LUIGI DE RUSSIS, AND LUCA MANNELLA 2

INTRODUCTION
• Research Question:
Is a Cloud-IoT platform secure when is used by a Novice IoT Programmer?
• Novice IoT Programmer
• Software developer novice to the IoT world
• Not novice to programming
• An attractive platform for Novice IoT Programmer: Amazon Web Services
• Very famous and widespread
• One of the most complete cloud platform
• Provides services on demand
2021-06-22

USE CASE ARCHITECTURE ANALYSIS
2021-06-22

A CLOUD-IOT
ARCHITECTURE
• Sensing devices
• Acting devices
• Some front-end devices
• AWS cloud back-end
• Manages the devices
• Store data on a database
• Provides some APIs for the front-end
devices
2021-06-22

MAIN COMMON
ATTACK POINTS
• Back-end
• The developed code inside
the AWS Lambda functions
• The database
2021-06-22

MAIN COMMON
ATTACK POINTS
• Back-end
• The database
• Front-end devices
• Out of the developer control
2021-06-22

MAIN COMMON
ATTACK POINTS
• Back-end
• The database
• Front-end devices
• Out of the developer control
• The data-flows between
• The sensors and the back-end
• The back-end and the actuators
• The APIs’ gateway
and the front-end devices
2021-06-22

AMAZON WEB SERVICES
SECURITY ANALYSIS
2021-06-22

AWS ANALYSIS
• Data Flow Protection
• Data could be eavesdropped, tampered with, and forged
• AWS requires ciphered connections with its backend
• TLS for HTTP connections
• IPsec using Amazon VPC
• Database Protection
• Requests to DB must contain a valid HMAC-SHA256 signature
• DynamoDB is accessible via TLS endpoints
• Data in transit are protected
• By default, DynamoDB data are ciphered at rest
• Fine-grained access control policies (through IAM)
2021-06-22

AWS ACCOUNT PROTECTION
• Two different types of account
• Root user
• Identity and Access Management (IAM) users
• Created by Root user
• An account with customizable privileges
• Weakness in Amazon’s policies
• Users not forced to create IAM accounts
• Password policy is vulnerable to dictionary attacks
• E.g.: a password like “Amaz0nWS” is accepted
2021-06-22

DEVELOPERS’ PERSPECTIVE
ON AWS SECURITY
2021-06-22

OUR NOVICE PROGRAMMERS
• Developers from a consulting engineering company in Italy
• They were starting their first Cloud-IoT professional project
• They have to work on AWS for the first time
• They had just followed a short Cloud-IoT course
• That has a final project to deliver
• After the course we asked to fulfill the survey
• 6 out of 9 attendees from the Cloud-IoT Course (all males)
2021-06-22

DEVELOPER’S PERCEPTION
• They feel to be inexperienced about cybersecurity
• 5 out of 6 answer 1/5; the other answer 2/5
• Who is in charge of the security of what you developed on AWS?
• 2 out of 6 => “Entirely the developer”
• 4 out of 6 => “Both developer and AWS”
• All think the architecture could include security issues
• no one acted to mitigate the security problems in his mind
2021-06-22

DEVELOPER’S PERCEPTION
ABOUT THE ARCHITECTURE SECURITY
• The most secure point
• AWS DynamoDB Database
• The less secure point
• The data flows between back-end
and sensors/actuators
• The most critical points
1. Data flows to the actuators
2. The back-end code on AWS Lambda
3. Data flows from the sensors to the backend
• The worst consequences
1. Cyber-physical attacks
2. A Data Breach
2021-06-22

SECURITY BEST PRACTICES
• They all created “strong” passwords
• Dictionary attacks?
• Only 1 out of 6 created a IAM account
• 2 out of 5 specified they should have
• 4 out of 6 did not check if they were using TLS
• 5 out of 6 did not check if DB data at rest are encrypted or not
• No one used an additional service to improve security
• E.g., AWS IoT Device Defender
2021-06-22

CONCLUSIONS
& FUTURE WORKS
2021-06-22

CONCLUSIONS
• Even professionals does not feel comfortable in cybersecurity
• Novice in IoT, not Novice Programmers
• Knowing that security is important is not enough to act
• 2 out of 6 answer: “security is a responsibility of the developer”
• all thought the architecture could be insecure
• no one acted to mitigate the problem
• AWS is a good choice for implementing a secure Clout-IoT solution
• Even for a novice programmer
• Suggestions for AWS:
• forcing users to create at least one IAM account
• password policy should avoid basic dictionary attack
2021-06-22

FUTURE WORKS
• Having a survey on a larger sample of Novice IoT Programmers
• Analyzing other specifical aspects and platform
• E.g., Arduino devices
• Provide best practices and tools for developing more reliable IoT systems
2021-06-22

THANK YOU FOR YOUR KIND ATTENTION!
ANY QUESTIONS?
2021-06-22
WORIE'21: FULVIO CORNO, LUIGI DE RUSSIS, AND LUCA MANNELLA
Fulvio
Corno
Luigi
De Russis
Luca
Mannella
20

Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer

More Related Content

What's hot (18)

Similar to Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer (20)

Recently uploaded (20)

Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer