(edited) Transcript for IoT Security HackChat

An event log for Security for IoT HackChat

We'll be talking about adding security features to your IoT project

Sophi Kravitz, 02/24/2017 at 20:33

nick.albo says:34 minutes ago

That's great Nick Sayer! I am one of the students from Pitt who is doing a project. We are really excited to get all of you guys' input on the subject

mjbraun says:34 minutes ago

Nick Sayer, same here. Who are you with?

M.daSilva says:34 minutes ago

That email was pretty useful last week, wouldn't have been here otherwise :)

34 minutes ago

welcome @nick.albo thanks for coming to share your projects

Nick Sayer says:33 minutes ago

I'm not sure I can mention them out loud or not. But I work for a company that has a very very large deployment of remotely addressable devices.

mjbraun says:32 minutes ago

No worries. I'm with NCC Group, FWIW.

32 minutes ago

@nick.albo is here to talk about maker IoT projects- but ... I'll let him intro himself and the team once we get started

themartinm says:31 minutes ago

Silver Spring Networks? :P

Nick Sayer says:31 minutes ago

It's not a big secret or anything. I just am not sure I'm allowed to give the impression of being some sort of spokesman. :D

30 minutes ago

lol

Nick Sayer says:30 minutes ago

Well, I'm pretty sure I'm *not* allowed to do that, actually..

mjbraun says:30 minutes ago

"Your opinions are yours and not your employer's". Got it!

Nick Sayer says:30 minutes ago

:D

30 minutes ago

haha

themartinm says:30 minutes ago

I think it goes without saying that unless specified directly anyone's opinions are like mjbraun said, yours not your employer's ;)

30 minutes ago

so it's time to get started

30 minutes ago

we have a sheet: https://docs.google.com/spreadsheets/d/1Y2Gq3zATBvBrVrG51wasoNmGRf97EFXvv94TvZxMR2E/edit#gid=0

30 minutes ago

for discussion questions

steverobillard says:29 minutes ago

@Nick can't say = NSA

29 minutes ago

...and welcome to @nick.albo + team!

j0z0r pwn4tr0n says:27 minutes ago

warm hackaday welcome

nick.albo says:27 minutes ago

thanks @SophiOne. So like Sophi said, our group is doing a semester long project about IoT security. We are all from the University of Pittsburgh and are here today to learn from you guys about what the maker community feels about security in their projects.

Bhavesh Kakwani says:26 minutes ago

@nick.albo This is a great topic! I have pretty much avoided IoT till now because of fears of not being able to implement it securely

Neil Cherry says:26 minutes ago

There is no S in IoT (it's silent) :(

Neil Cherry says:25 minutes ago

I've got ideas but they need a 32b cpu to start (esp8266 seems okay)

Mike D. says:25 minutes ago

It is possible but like everything in this space, there are some bumps to get over.

Non-ICE says:25 minutes ago

A lot of home security vendors are implementing IoT into their alarm systems these days. Anyone dug into their security measures?

Nick Sayer says:24 minutes ago

IMHO step 1 is realizing just how hostile the Internet is. All you have to do to see that is expose a listener on TCP port 22 to the Internet and watch how often the doorknob gets rattled.

nick.albo says:24 minutes ago

@Bhavesh Gohel so that's what we are talking about exactly. What kind of security measures would you need to have in place to be comfortable with IoT?

Non-ICE says:24 minutes ago

and don't open port 3389 to your winblows server

anfractuosity says:23 minutes ago

I was wondering, if you use things like LoRa, are MCUs these days powerful enough for elliptic curve crypto etc. (I think some chips provide acceleration for symmetric)

Neil Cherry says:23 minutes ago

I've only been playing with MQTT (cloud and local)

Mike D. says:23 minutes ago

I think there are some pretty easy ones to consider right off the bat.. No hardcoded credentials in the firmware, don't expose any API keys to the internet or source code repositories right? TLS for any calls to cloud based services....

Nick Sayer says:23 minutes ago

infract: You can get crypto accelerators to do the heavy lifting for you. Highly recommended.

Neil Cherry says:23 minutes ago

It's easy to communicate with MQTT to a cloud service with a Pi

MarkAtMicrochip says:22 minutes ago

@anfractuosity Yep. Some have built in hardware acceleration

nick.albo says:22 minutes ago

So we are actually looking at IoT security all the way down to 8-bit

anfractuosity says:22 minutes ago

can they accelerate asymmetric crypto?

Nick Sayer says:22 minutes ago

@an: absolutely!

j0z0r pwn4tr0n says:21 minutes ago

@nick.albo: Would open source be out of the question? Because there aren't many independent sources that I feel can be trusted to verify my crypto

Nick Sayer says:21 minutes ago

I don't know the ID offhand, but Atmel has an i2c chip that does ECC and AES. It's also a mini HSM as well - it has a security mesh for secure key storage and the like.

Bhavesh Kakwani says:21 minutes ago

@nick.albo Hmm I've never put it down concretely, but as a start it would be good to have a firewall with sensible defaults, encrypted communications, force user to set up new password at the beginning

anfractuosity says:21 minutes ago

oh interesting, i'll have to investigate that then, Nick, cheers

nick.albo says:20 minutes ago

@j0z0r pwn4tr0n we have thought about building a library but we need to know people will use it

Nick Sayer says:20 minutes ago

@Bhavesh Kakwani: Seconded. Start by excluding all traffic, then figure out the minimum openings to allow the service you need.

themartinm says:19 minutes ago

@Nick Sayer ATSHA204 and AT88SA102S they have eval kits for both of these families

Nick Sayer says:19 minutes ago

@themartinm +1

Shawn Shifflett says:19 minutes ago

As someone working in the compliance arena I would like to see more IoT devices actively and accurately logging. Preferably with the ability to send their data to a syslog server.

nick.albo says:19 minutes ago

@Bhavesh Kakwani so if you were going to build a project, how would you start, i.e. where would you go for research?

MarkAtMicrochip says:18 minutes ago

@Nick Sayer The SHA204 is good for keystorage - not encryption

anfractuosity says:18 minutes ago

WRT IoT alarm systems, don't a lot of wireless alarms, not activate the alarm if they're jammed, so you could just jam the sensors

steverobillard says:17 minutes ago

besides the atmel parts mentioned TI has this http://www.ti.com/tool/ek-tm4c129exl

Mike D. says:17 minutes ago

Bruce Schneier had a good list of resources for IoT security https://www.schneier.com/blog/archives/2017/02/security_and_pr.html

Nick Sayer says:16 minutes ago

@nick.albo Always start with complete lock-down, then open up what's necessary. Go the other way and the one thing you forget will be your undoing. :)

Ziyue says:16 minutes ago

Hi, my name is Ziyue, a team member in Big Crypto. Sorry just joined in. Could you guys talk anything about how do you feel like encrypting data and the probable libraries you could come up with?

16 minutes ago

welcome @Ziyue thanks for joining!

Bhavesh Kakwani says:16 minutes ago

@nick.albo If I am doing an electronics project, I would do an online lookup of "good practices" for IoT security, and figure out how to integrate with the other components on the board. If I am looking at using an existing IoT platform and just doing software on top of it, then I have not much choice but to look up which platform is most secure and trust the ratings

16 minutes ago

I'll make a transcript of this chat so you can see what you missed

Nick Sayer says:15 minutes ago

@Ziyue From my perspective, there's kind of two classes of IoT thing... The kind that have a *nix kernel under the covers, and the ones that are too small to do that.

Nick Sayer says:15 minutes ago

For the *nix bearing things, the solutions are relatively mature at this point. For the rest, it's almost completely ad-hoc.

Kevin says:13 minutes ago

It may be helpful for this discussion to define an IoT device as that has become such a buzzword these days that it has lost some of its meaning.

Bhavesh Kakwani says:13 minutes ago

@nick.albo But honestly as a hobbyist making a IoT hardware is very daunting. I don't even know which frequency range to use, how to miniaturize it, do I need an antenna or not. Security is another complication because I feel like I have to put down some ICs or a microprocessor to do the encryption. Again I don't know more details than that, this is my idea of it

Neil Cherry says:13 minutes ago

Actually I'd like to see less *nix under the covers, too much power for abuse

j0z0r pwn4tr0n says:12 minutes ago

@nick.albo: Yeah, I would just google it and then dive deeper down the rabbit hole. I have found a lot of what I currently know from that method. I feel like if you release an open library that works and has plugins for the top X number of home automation devices, people would use it. Basically, If you build it, they will come

nick.albo says:12 minutes ago

We are right now thinking the most valuable thing we can provide is a community forum where people go to learn how to implement security on their projects. This would have tutorials on common platforms, good libraries to use, a forum for discussion, as well as a place for people to share their personal implementations. This would probably be hosted on github, hackaday, etc

MarkAtMicrochip says:11 minutes ago

Security, I think, means both encryption and authentication. But I find that most engineers don't think about authentication - only encryption.

Nick Sayer says:11 minutes ago

@Neil Cherry *nix doesn't give more power than the hardware has already. The user authorization model isn't what makes *nix useful for embedded gizmos, it's the incredibly mature and robust networking stack and library support.

Kevin says:11 minutes ago

@Nick, yes. if a device is connected to the internet and it is running a full OS (such as Linux) then security isn't as much of a problem as setting the security such a system is more of a known quantity.

nick.albo says:10 minutes ago

@MarkAtMicrochip we have thought about that and we are thinking it's something where you can do both if needed but authentication is probably more important in hobbyist projects.

Neil Cherry says:9 minutes ago

@Nick Sayer, agreed but when a normal end user is given something I don't like using *nix as they won't do anything additional to secure it. Of course that is my job (technically)

MarkAtMicrochip says:9 minutes ago

@nick.albo I couldn't agree more, thx.

j0z0r pwn4tr0n says:9 minutes ago

@nick.albo: Not a bad idea, worst part is visibility. Like how can you make sure the people that need to see it will?

Nick Sayer says:8 minutes ago

@Neil: I posit that *nix makes your job of doing that easier, but that's also my 30 years of being a *nix admin talking. :)

Neil Cherry says:8 minutes ago

I'm doing a DIY Smart Home presentation next month in NJ (TCF). I hope to have some security and authentication for MQTT and Node_red access.

Neil Cherry says:8 minutes ago

I've only got 50 minutes to present though

Frédéric Druppel says:8 minutes ago

Would it be possible and safe to use an encryption formula (like Vigenère or Playfair) in the microcontroller / processor to encrypt the packets?

Nick Sayer says:7 minutes ago

@Neil: Keep in mind too that when you embed *nix, that doesn't at all imply that the user will have any ability to administer it.

Neil Cherry says:7 minutes ago

@Nick Sayer, same here (85?) but I've also done end user support (consumer and office). Can't assume anything there

7 minutes ago

hey @MarkAtMicrochip is here! :)

Neil Cherry says:7 minutes ago

Here's a question, what encryption and secure auth do we have for 8 bit processors?

Nick Sayer says:6 minutes ago

@Neil if I were going to do that, I'd definitely off-load that work onto an enclave chip.

nick.albo says:6 minutes ago

Hey guys, btw, we are also hoping that some of you would be willing to talk in a more one on one setting after this. We have a google form made that you can fill out and hopefully we can get something set up! https://goo.gl/forms/q4ShNGYhgDKsMvbh2

Neil Cherry says:5 minutes ago

@Nick Sayer, good point, does anyone have some pointer? I like the 32b processorsI'm

Neil Cherry says:5 minutes ago

32 and the ESP8266

Nick Sayer says:5 minutes ago

@Neil Look up ^^ some Atmel chips were mentioned.

nick.albo says:5 minutes ago

@neilcherry there are new algorithms that can run on 8-bit and there is also work being done on protocols like SSL and TLS to put them on 8-bit

Frédéric Druppel says:4 minutes ago

Embedded custom formulas ?

Neil Cherry says:4 minutes ago

PIC32

Neil Cherry says:4 minutes ago

@nick.albo, that I'd like to see (really)

Ziyue says:4 minutes ago

@j0z0r pwn4tr0n Good question, like how to make people be aware of our website and get access to it. We have thought about google ads try to make people find us from keywords searching.

Bhavesh Kakwani says:4 minutes ago

@nick.albo Do you have any insight on why so many IoT products are insecure? I heard there are large high-bandwidth botnets made entirely out of consumer IoT products on people's wifi networks

Neil Cherry says:3 minutes ago

Only my opinion, rush out the door to be first

Nick Sayer says:3 minutes ago

I think the best thing to do for new IoT developers is keep a kind of history list of the missteps.

nick.albo says:3 minutes ago

@Bhavesh Kakwani so we spoke with Bruce Schneier about the topic and we agree with his views that IoT products are most valuable when they get to the shelves first. This makes the design process rushed and security isn't even considered because there are no regulations in the industry to make them secure the devices

Nick Sayer says:2 minutes ago

There were the recent IoT Botnet incidents, certainly.

Neil Cherry says:2 minutes ago

PVRs and cameras I think

Nick Sayer says:2 minutes ago

But there have also been cases where things like Netgear routers have simply had poor factory default configurations result in things like DDOSing NTP servers.

Bhavesh Kakwani says:2 minutes ago

Hmm ok so there are no laws in this domain yet? Other than the radio spectrum laws

Nick Sayer says:2 minutes ago

Those aren't security issues per se, but they're costly and embarrassing.

Matt Lipschutz says:a few seconds ago

There are laws (at least in the US) dealing with "illicitly accessing" digital devices, but no laws/regulation which require the manufacturers to ensure their setup isn't complete garbage.

Nick Sayer says:a few seconds ago

There is product liability

nick.albo says:3 minutes ago

@Bhavesh Kakwani yeah there are currently no laws about security when you put a device on the web. Bruce wrote a really good article on IoT security a while back that I can try and find

Matt Lipschutz says:3 minutes ago

But what is the liability, exactly? social capital?

Matt Lipschutz says:2 minutes ago

there's no real legal liability...and the financial consequences, at least lately/so far, have been minimal.

bcontino.bc says:2 minutes ago

@Bhavesh Kakwani the report is a couple years old, but check out page 4: https://www.hpe.com/h20195/v2/GetPDF.aspx/4AA5-4759ENN.pdf

Nick Sayer says:a minute ago

@Matt Lipschutz The only thing that needs to change for that would be to educate the ambulance chasers.

nick.albo says:a minute ago

So say you were to build a hobbyist project, how long would you be willing to spend to secure it?

Neil Cherry says:a few seconds ago

hehe, yes lawyers would change a lot quick

mjbraun says:a few seconds ago

Automotive is one weird market where IoT type practices collide with crazy legal frameworks and folks are trying to figure it out

Matt Lipschutz says:a few seconds ago

@Nick can you qualify that statement? You want to educate lawyers as to...what, exactly?

NdK says:2 minutes ago

The problem is that too often the user is not competent enough to recognize a secure product from an insecure one. Or even prefers the insecure one "because it's simpler to set up". The same for too many hobby projects.

Neil Cherry says:2 minutes ago

@nick.albo, a lot of time but I'm working with mostly insecure on my home network

Nick Sayer says:2 minutes ago

@nick.albo There are two classes of things, IMHO... If your IoT thing is intended to live behind a proper firewall - say in someone's house - then the bar on it is much lower.

Matt Lipschutz says:2 minutes ago

@mjbraun that's because there are safety standards when dealing with automobiles.

Neil Cherry says:2 minutes ago

Yes, a quick demo can't show a complete setup

Nick Sayer says:2 minutes ago

@nick.albo If your thing needs to be internet exposed, well, that's a whole different kettle of fish.

Bhavesh Kakwani says:a minute ago

@nick.albo I think I wouldn't want to spend more than 10% time on the security. Security is very important but I (and most hobbyists) are not experts, so we need the heavy-lifting to be done by a reliable person in advance

Neil Cherry says:a few seconds ago

a complete setup is like writing a book

nick.albo says:a few seconds ago

Is anyone here concerned at all about man in the middle attacks? Like say if you had a temperature monitoring system

NdK says:a few seconds ago

Too bad that's often not possible: which security to use depends on the application!

Matt Lipschutz says:a few seconds ago

and I think *THAT* @NdK is the core of the problem.

Nick Sayer says:a few seconds ago

@Matt Lipschutz When a big firm sells tens of thousands of things that wind up with huge security problems later... Well, that's a class action attorney's dream - widespread client class, deep-pocket defendant...

Anyone who is interested in discussing this subject with Big Crypto directly should sign up here: https://docs.google.com/forms/d/e/1FAIpQLScnXHiExCgd3d4-t-5pgw_lqv3nmrfazeDPtQh6IbNm4DGFrA/viewform?c=0&w=1

Neil Cherry says:2 minutes ago

@nick.albo, yes I am

nick.albo says:a few seconds ago

@Neil can you go into why?

Neil Cherry says:a few seconds ago

I'm not normally worried about MIM with my home but with more devices that I have less control over it's a problem

Greg Bushta says:a few seconds ago

@Nick Sayer I keep my IoT devices set up without the gateway to the outside included to keep them from wandering. I don't have any that I want to access without me being on the LAN, yet.

nick.albo says:a few seconds ago

like what would happen if that attack occurred

Bhavesh Kakwani says:a few seconds ago

@nick.albo Yeah MITM is the worst nightmare! Imagine someone else controlling your device with nothing you can do

NdK says:a few seconds ago

For home hobby projects you can simply use PSK, assuming the attacker is not targeting your development environment. But you must at least know how to prevent replay attacks. From PSK, if resources and constraints allow, you can even use asymmetric crypto to exchange keys or authenticate messages.

Neil Cherry says:a few seconds ago

I'm also working on netflow

Nacht Ritter says:4 minutes ago

@NdK Agree with your comment RE: end user of IOT devices. A secure IOT device must be as easy to set up as a non-secure one. And the IOT vendor cannot assume the end user has properly configured their WAN access to limit access.

j0z0r pwn4tr0n says:4 minutes ago

@nick.albo: I wouldn't be that concerned with it, with the exception of if my iot network was LAN only, that would mean the MitM was actually somewhere in my house!!

Nick Sayer says:3 minutes ago

@NdK one of the recent security conferences had a talk where they showed how widespread PSK is in the smart lock business - and how useless it is.

j0z0r pwn4tr0n says:2 minutes ago

although really he need not be physically there. but in all reality if someone is messing with my temp logger, what's the fruit of such an attack?

Neil Cherry says:2 minutes ago

can pretty much do as I like to it (put whatever software ie Linux kernel and software) and own the network

NdK says:2 minutes ago

Only if it's not protected against replay attacks.

(sorry, I still don't know how to cite)

wangwenchen0407 says:a minute ago

@NdK Can you explain more about PSK?

NdK says:a minute ago

Pre Shared Key : every node uses the same key to access the network

j0z0r pwn4tr0n says:a few seconds ago

@Neil Cherry: Didn't think about that, ie having a trusted node on the network would give you a foothold to mount a stronger attack

Nick Sayer says:a minute ago

PSK *can* be unique keys per node, but the concept is that the keys are not dynamic - they're determined "beforehand" for whatever that means.

NdK says:a minute ago

That's the simplest form of authentication. You can use the PSK as encryption key and include a nonce (or a sequence number) in every packet.

Nick Sayer says:a few seconds ago

The next step up from PSK is pre-shared asymmetric crypto - you have a master *private* key and compile in the public key into the device code.

NdK says:2 minutes ago

Another promising method is identity-based crypto, where the node id is actually its public key

Audi McAvoy says:a minute ago

@Ndk even so, the attacker can't spoof your master

Nick Sayer says:a minute ago

You start with a root key pair. The public key gets compiled into all the devices. The private key exists *solely* on paper. You print out a copy of it and put it in a safe. You use it *once* to sign an intermediate certificate. The private key of *THAT* cert is what you use day-to-day.

Nick Sayer says:a minute ago

You can roll the intermediate certificate frequently without a universal firmware upgrade.

NdK says:a few seconds ago

Asymmetric crypto is unfeasible on very constrained devices

Nick Sayer says:a few seconds ago

@NdK That's why they have crypto accelerator chips.

NdK says:4 minutes ago

that costs more than the rest of the project

Nick Sayer says:4 minutes ago

In designing your device, you have to compare all of the costs - in particular, the cost of hardening it versus the cost of cleaning up after a compromise.

NdK says:4 minutes ago

not to mention power usage during asymmetric crypto ops

Nick Sayer says:3 minutes ago

For hobbyist IoT, perhaps the cost of cleaning up after a compromise is low.

Radomir Dopieralski says:3 minutes ago

the cost of a compromise is 0 for the company that manufactures it

Radomir Dopieralski says:3 minutes ago

all of it is paid by the customer

Nick Sayer says:3 minutes ago

But if I were designing one of those private-branded ATM machines you see at 7-11? You bet I'd harden that!

NdK says:3 minutes ago

If, for start, your nodes don't "speak" TCP, the problem can be different

Nick Sayer says:2 minutes ago

@Radomir: That's been the case so far, but I don't see that continuing.

Nick Sayer says:2 minutes ago

@NdK the crypto aspects are independent of transport..

BashBits says:2 minutes ago

@Nick Sayer don't they run windows xp or did they upgrade the ATMs

Nick Sayer says:a minute ago

@BashBits If I were going to make one, it wouldn't run Windows. :D

BashBits says:a minute ago

wow sorry guys, chrome lagged on me

a few seconds ago

refresh for lagging

Nick Sayer says:a few seconds ago

We can take it down a notch from ATMs, though... Let's say you wanted to enter the smart lock market. You wanted to do August one better, say.

Nick Sayer says:5 minutes ago

The hardware design is a crypto accelerator chip, a BTLE chip and something like an ATMega328.

wangwenchen0407 says:4 minutes ago

A quick question. Which way do you think is more power consuming? hardware or software encryption solution?

Nick Sayer says:4 minutes ago

That certificate based PKI solution is absolutely what I'd do for that.

NdK says:4 minutes ago

I wouldn't

Nick Sayer says:4 minutes ago

@wang Definitely hardware crypto uses less power in the end - they can design their processor to do exactly what's required as efficiently as possible.

NdK says:3 minutes ago

Useless: it's point-to-point. PSK and (maybe) TOTP

Nick Sayer says:3 minutes ago

@NdK Not at all. The use case is control from a smartphone app with all sorts of delegation ability.

NdK says:2 minutes ago

Unless you have the lock that speaks with an external system

Nick Sayer says:2 minutes ago

The smartphone app is online - it can fetch the signed message from the service and present it over BTLE.

Nick Sayer says:2 minutes ago

The device doesn't have to trust the presenter - it can validate the message the presenter presents.

Neil Cherry says:2 minutes ago

@Sophie, this UI is locking up my FF on Linux

Nick Sayer says:a minute ago

The device's firmware is completely open. Even to the point of including the root public key.

NdK says:a minute ago

Load the PSK on the phone from a QR code. That generates a TOTP code that gets sent to the lock

Nick Sayer says:a minute ago

@NdK Now you have to secure that QR code or else.

Neil Cherry says:a few seconds ago

Can't refresh a lockup, I've had to kill FF 4 times

Ziyue says:a minute ago

Thank you guys for the brilliant ideas which enriched our project and we hope we could reach you later. Would you mind filling up the follow up table https://goo.gl/forms/q4ShNGYhgDKsMvbh2 We really appreciate for that

Nick Sayer says:a few seconds ago

And you have to share it with your dog walker. And when you fire them, how do you prevent them from continuing to use it?

Neil Cherry says:2 minutes ago

@ndk, interesting. QR, not thought of that

NdK says:a minute ago

You could even use a small OLED display.... 128x64....
