#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
0 likes•161 views
Gianluca Varisco discusses the challenges of securing IoT applications at the Arduino Paris Open Source Summit, highlighting the fragmented landscape and various security risks faced by devices. Key issues include weak data protection, insufficient security training, and the lack of firmware updates, leading to vulnerabilities and potential breaches. Varisco emphasizes the importance of a robust cybersecurity strategy and the need for manufacturers to ensure secure device management and communication protocols.
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
- 1. Gianluca Varisco, CISO Arduino Paris Open Source Summit - 10/12/2019 The evolving (IoT) security landscape @gvarisco
- 2. TODAY FORMERLY Who am I? @gvarisco
- 3. Enabling anyone to innovate by making complex technologies simple to use.
- 4. Developing secure and reliable IoT applications can be hard
- 5. Hardware Nodes (Devices, Sensors) Constrained devices Require C/C++ firmware skills Effective Power Management depends on Firmware Gateways Remote connections, SSH Device management Radio / Networks Long range / Low Power Source: https://makezine.com/2017/06/27/state-boards-platforms-pro ducts-purposes-current-crop-microcontrollers-vies-attention/
- 6. Cloud Software Many different languages, protocols, libraries, security standards, etc.
- 7. Data & persistence Different data formats make data manipulation and interpretation difficult
- 8. 8 The IoT Landscape is quite fragmented
- 9. 9 The IoT “Line of Insanity”™
- 10. We are drowning in technology. We are not becoming more secure.
- 11. 11 − Not realizing to be potential targets − Treating cybersecurity as an IT problem − Thinking threats are only external rather than internal or accidental − Thinking the cloud provider is in charge of data/infra security (oh, and backups!) − Not using properly their e-mail infrastructure, especially if managed by 3rd parties We are wasting billions to “defend ourselves” from APTs. Buying Next-Gen appliances. Following predictions and hypes. Don't be scared to go back to basics with your cybersecurity strategy. Many of us are still making the same, old mistakes
- 12. 12 − PERVASIVENESS: You won’t have one IoT device, you’ll have ten. − That’s a lot of new attack surface to your life and/or business − UNIQUENESS: IoT devices are a wild-west of mixed technologies. − How do I patch firmware on these dozen devices? − Which random vendor made the HW inside the device? So? What’s wrong in IoT?
- 13. 13 − ECOSYSTEM: Your vendor may be leveraging six other vendors − Where’s your data going once it enters that IoT device? − Who has access to your network via proxy connections? So? What’s wrong in IoT?
- 14. 14 Why does it matter?
- 15. 15 IoT vs Web Stack
- 16. 16 IoT attack surface identification Source: Security Innovation
- 17. 17 IoT: assessing the risks Source: Security Innovation
- 18. 18 − Insufficient Security training − Humans #1 weak point: building, deploying, using − Weak Physical Security − Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or data access − Infrequent updates − Firmware, device apps, admin apps/interfaces − Expensive and/or remote IoT devices long lifespan (difficult to update) TOP 4 IoT Security Risks
- 19. 19 − Weak Data Protection − Data at rest/transit uses weak encryption techniques − Lack of dedicated security chips and modules to store sensitive data. TOP 4 IoT Security Risks
- 20. 20 − Privacy − PII leakage − Mass surveillance − Stalking − Theft − Data breaches − Liability − Reputation − Botnets, e.g. Mirai, for mass hacking End-user risks
- 21. IoT Security Excuses (aka #YOLOSEC)
- 22. 22 − Vulnerabilities bypassing password protection: − Memory corruption issues (Buffer Overflow, Format String, etc.) − CSRF − Backdoor accounts − Lack of brute-force protection I am safe, I changed all my passwords
- 23. 23 − Patches are often late by years − Many IoT devices do not get a patch, ever I am safe, I regularly patch all of my IoT devices
- 24. 24 − If your IoT device has an Internet routable IPv4(/v6) address, without any firewall port filtering: − Just prepare for apocalypse − Seriously, don’t do that − CCTV is OCTV today Problems with direct IPv4(/v6) connection
- 25. 25 The IoT device is only available in a closed network
- 26. 26 The device is only exposed in my area (physically)
- 27. 27 − NAT is sneaky evil − Users believe they are safe behind home router NAT − Developers created ways to connect devices behind NAT, seamless I am safe, home network, behind NAT
- 28. 28 Think again: − UPNP − IPv6 − Teredo (encapsulates IPv6 packets within UDP/IPv4 datagrams) − Cloud I am safe, home network, behind NAT
- 30. For the next 5-10 years, assume your IoT device has horrible security holes it won’t receive patches for, ever.
- 31. Lack of visibility is in fact the main precursor to security incidents.
- 32. Many of us don’t have IR capabilities. They all immediately PANIC! Organizations are still getting breached due to poor key/credentials management, unpatched applications and misconfigured services (eg. cloud databases).
- 33. 33 − It’s very hard to report vulnerabilities − Often vendors do not have a Coordinated Vulnerability Disclosure (CVD) policy − FTC and/or ENISA recommendations for customers’ safety are not always followed − Just few of the EU member states do have a CVD framework in place at national level − CEPS’ report on «Software Vulnerability Disclosure in Europe» aims at helping member states with the technology, the policies and legal challenges ahead. Reporting vulnerabilities
- 35. Our strategy
- 37. 37
- 38. 38 WHAT ARDUINO PROVIDES Sensors Data + Device Interaction Automatic Code Generation Arduino Hardware Secure Cloud Connection Device Management OTA Updates Firmware Changes Business Logic Firmware Upload Certificate or Password Provisioning Dashboards Third Parties IoT SaaS Arduino IoT Cloud
- 39. 39 Security Secure in every layer Hardware Software Data
- 40. 40 Core to the future and success of IoT is the “security of things” Device Identity Anti-tampering Key Management Encrypted Transport and Data Confidentiality
- 42. 42 Hardware Security ATECC508A/ATECC608A Cryptographic Co-Processor from Microchip Technology What we use it for? – Secure Hardware-Based Key Storage up to 16 keys, certificates or data – Hardware Support for Asymmetric Sign, Verify, Key Agreement ECDSA, ECDH, NIST P256 Elliptic Curve Support – Internal high-quality FIPS Random Number Generator (RNG)
- 43. 43 Data encryption and secure authentication – All traffic to/from Arduino IoT Cloud is encrypted using Transport Layer Security (TLS) – Device authentication using X.509 certificates – Initial support for JSON Web Tokens (ECDSA P-256 SHA-256) in ArduinoECCX08 library – AES-128 (for LoRaWAN™), AES-CMAC for messages exchange, which includes encryption and integrity.
- 44. THAT’S A WRAP, THANK YOU! Gianluca Varisco <[email protected]> @gvarisco