© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jan Metzner, Anton Shmagin, AWS
Kerry Maletsky, Microchip/Atmel
November 30, 2016
IOT302
IoT Security: The New Frontiers
@janmetzner @y0na75
What to expect from the session
• System, transport and thing security
• Fine-grained authorization
• Thing management
• Pub/sub data access
• AWS services integration
• Incident response
• End-to-end IoT security (demo)
The idea for this talk started from this quote …
“Every IoT security article:
• IoT is big
• IoT security is bad
• Consequences are scary
• Change default settings
• Buy my product
• Problem not solved …”
Dr. Sarah Cooper
June 2, 2016
All things around us are getting connected
Chart: things will proliferate. Device counts for 2013, 2015, 2016 and 2020 across the vertical industry, generic industry, consumer and automotive segments, growing from "some" through "many" to "lots".
Many devices are not enforcing security
Mirai bot default passwords
Connected ≠ smart
Internet 1985: Gopher, FTP, NNTP, Telnet, Archie
IoT 2015: HTTP, MQTT, CoAP, XMPP, AMQP
Not a typical apocalyptic IoT talk
IoT security needs to be effective yet simple
“… pilots and race car drivers were willing to put on almost anything to keep them safe in case of a crash, but regular people in cars don't want to be uncomfortable even for a minute.”
Nils Bohlin
Multiple attack vectors
System, transport, and thing security
Diagram: three layers, system, transport and thing, each carrying its own risk.
Typical SoC
Diagram: a system on module (SoM) carrying a system on chip (SoC) with CPU/MCU, memory, baseband, location, WLAN, BLE, LPWAN, NFC and hardware crypto blocks.
Connectivity options
Direct or via a gateway: satellite, Wi-Fi, cellular, LPWAN, Bluetooth, other; IEEE 802.15.4, ZigBee, Z-Wave, Thread.
AWS IoT
Incident response in AWS IoT
Diagram: CloudWatch Events (CWE) executes a Lambda function to invalidate the certificate.
Time to connect someTHING …
One service, three protocols

                      MQTT + mutual-auth TLS   WebSocket + AWS auth         HTTPS + AWS auth
Server auth           TLS + cert               TLS + cert                   TLS + cert
Client auth           TLS + cert               AWS credentials (API keys)   AWS credentials (API keys)
Confidentiality       TLS                      TLS                          TLS
Protocol              MQTT                     HTTP/WS                      HTTP
Communication model   Pub/sub                  Pub/sub                      REST
Identification        AWS ARNs                 AWS ARNs                     AWS ARNs
Authorization         AWS policy               AWS policy                   AWS policy

Authentication (principal → credential)
Things: certificate/private key
Users: Amazon Cognito (role: API keys) or AWS IAM (user/role: API keys)
AWS services: AWS IAM (role: API keys)
Authorization – IAM policies
Diagram: third-party services and AWS services call AWS IoT with AWS credentials (services); users obtain temporary AWS credentials through Amazon Cognito, which maps them onto an IAM unauthenticated or authenticated role.
Authorization – IoT policies
Fine-grained access for each device with a single policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:1234567890:client/${iot:Certificate.Subject.CommonName.1}",
      "Effect": "Allow"
    }, {
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"
      ],
      "Effect": "Allow"
    } ]
}
Authorization – IoT policies
Fine-grained access with registry variables
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": ["true"] } }
    }, {
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ],
      "Effect": "Allow"
    } ]
}
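To make the effect of the policy variables concrete, here is a small evaluator written for this page (it is not code from the session and not AWS's policy engine): it expands the ${iot:...} variables from a connection context and matches the resulting ARNs against the two policies above. The region and account ID are the slides' placeholders; the matching rules (Allow statements only, '*' wildcards, a Bool condition) are a deliberate simplification, and the contexts it builds are constructed sample input.

```python
"""Toy evaluator for the two AWS IoT policies above (added illustration).

It is not AWS's policy engine: it models only what the slides use, i.e.
Allow statements, '*' wildcards in resources, ${iot:...} variable
substitution and a "Bool" condition.  Region and account ID are the
placeholders from the slides.
"""
import fnmatch
import re

REGION, ACCOUNT = "eu-west-1", "1234567890"


def arn(kind, path):
    """Build an AWS IoT ARN, e.g. arn:aws:iot:eu-west-1:1234567890:topic/a/b."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"


# Slide: fine-grained access for each device with a single policy
CERT_CN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect", "Effect": "Allow",
         "Resource": arn("client", "${iot:Certificate.Subject.CommonName.1}")},
        {"Action": "iot:Publish", "Effect": "Allow",
         "Resource": [arn("topic", "sensordata/${iot:Certificate.Subject.CommonName.1}"),
                      arn("topic", "sensordata/${iot:Certificate.Subject.CommonName.1}/*")]},
    ],
}

# Slide: fine-grained access with registry variables
THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect", "Effect": "Allow", "Resource": "*",
         "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}}},
        {"Action": "iot:Publish", "Effect": "Allow",
         "Resource": [arn("topic", "${iot:Connection.Thing.ThingTypeName}/"
                                   "${iot:Connection.Thing.ThingName}")]},
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(template, ctx):
    """Expand ${iot:...} variables from ctx; KeyError if the connection lacks one."""
    return _VAR.sub(lambda m: ctx[m.group(1)], template)


def condition_holds(condition, ctx):
    """Evaluate a Condition block; only the "Bool" operator is modelled.

    Keys are compared verbatim, so a key typed with a stray trailing space
    never matches any context key and the statement silently never applies.
    """
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in pairs.items():
            if str(ctx.get(key, "")).lower() not in [str(v).lower() for v in allowed]:
                return False
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement covers action on resource under ctx (no Deny modelled)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        for pattern in _as_list(stmt["Resource"]):
            try:
                expanded = substitute(pattern, ctx)
            except KeyError:
                continue  # variable unavailable on this connection: pattern can't match
            if fnmatch.fnmatchcase(resource, expanded):
                return True
    return False


def cert_context(common_name):
    """Constructed context of a device whose certificate subject CN is common_name."""
    return {"iot:Certificate.Subject.CommonName.1": common_name}


def thing_context(thing_name, thing_type, attached):
    """Constructed context of a connection whose certificate is (or is not) attached to a thing."""
    return {"iot:Connection.Thing.ThingName": thing_name,
            "iot:Connection.Thing.ThingTypeName": thing_type,
            "iot:Connection.Thing.IsAttached": "true" if attached else "false"}


if __name__ == "__main__":
    me = cert_context("sensor-01")
    print(is_allowed(CERT_CN_POLICY, "iot:Publish", arn("topic", "sensordata/sensor-01/temp"), me))
    print(is_allowed(CERT_CN_POLICY, "iot:Publish", arn("topic", "sensordata/sensor-02"), me))
```

The point to take from running it: one policy document, attached to every certificate, yields a different allowed topic set per device because the subject CN (or the registry thing name) is substituted at evaluation time, and a certificate that is not attached to a thing cannot even connect under the second policy.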
Birth of a device
Strong thing identity
Diagram: on the manufacturing line, the identities provisioned into the device are retrieved from AWS IoT, which creates the certificate (optionally from a CSR); the device then opens its data connection.
• AWS-generated key pair: CreateKeysAndCertificate()
• Customer-generated key pair: CreateCertificateFromCSR(CSR)
BYOB? Better: BYOC
Bring your own certificate (BYOC)
Diagram: the customer's certificate authority, with its key in a hardware security module (HSM), signs the device CSRs on the manufacturing line; the certificates are registered with AWS IoT asynchronously, ahead of the device's data connection.
Demo (screencast): https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/wo-jitr.mov
“Look ma, no hands!”
Just-in-time registration (JITR)
Diagram: identities are provisioned on the manufacturing line and signed with the customer's CA (key in an HSM); the device certificate is registered just in time, on the device's first data connection.
Just-in-time registration – CA registration
getRegistrationCode()
registerCACertificate(CACert, RegCert)
RegCert is a verification certificate signed by the customer's CA whose subject CN is the registration code returned by the first call; it proves possession of the CA's private key before AWS IoT will trust that CA for auto-registration of device certificates.
Just-in-time registration
Lambda function handling the PENDING_ACTIVATION state:
checkYourCRL()
updateCertificate(Cert, ACTIVE)
attachPrincipalPolicy(Cert, IoTPolicy)
updateERP()
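As an added example (not the session's demo code), the two Lambda handlers below cover the JITR steps just listed and the earlier incident-response slide (a CloudWatch Events trigger invalidating a certificate). The AWS IoT client is injected, so the code runs offline against the small FakeIoT at the end; in a real Lambda you would pass boto3.client("iot"). The boto3 calls describe_certificate, update_certificate, attach_policy and detach_policy are real (attach_policy is the current name of the attachPrincipalPolicy call on the slide); the policy name DevicePolicy, the revoked_ids set standing in for checkYourCRL(), the notify_erp hook standing in for updateERP(), and the sample registry are assumptions constructed for this example.

```python
"""Lambda handlers for the certificate lifecycle: just-in-time registration of a
certificate that arrives in PENDING_ACTIVATION, and incident response that
invalidates one.  Added example; the AWS IoT client is injected (pass
boto3.client("iot") in Lambda, or the FakeIoT below to run offline).
"""

POLICY_NAME = "DevicePolicy"  # assumed name of the IoT policy devices receive


class CertificateRejected(Exception):
    """A pending certificate that must not go live (revoked or wrong issuer)."""


def handle_jitr(event, iot, revoked_ids=frozenset(), policy_name=POLICY_NAME,
                notify_erp=None):
    """Process one $aws/events/certificates/registered/<caId> event.

    AWS IoT publishes certificateId, caCertificateId, certificateStatus,
    awsAccountId and timestamp in the event; only the first two are used here.
    """
    cert_id = event["certificateId"]
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    if desc["status"] != "PENDING_ACTIVATION":
        # Event replayed or already handled: do not touch the certificate.
        return {"certificateId": cert_id, "action": "skipped", "status": desc["status"]}
    # checkYourCRL(): revoked_ids stands in for the OEM's revocation list (assumption).
    if cert_id in revoked_ids:
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
        raise CertificateRejected(f"{cert_id} is on the revocation list")
    # Defence in depth: the issuer recorded by AWS IoT must be the CA named in the
    # event, so a mis-routed event cannot activate a stranger's certificate.
    if desc.get("caCertificateId") != event.get("caCertificateId"):
        raise CertificateRejected(f"{cert_id} was not issued by {event.get('caCertificateId')}")
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    # attachPrincipalPolicy() on the slide; attach_policy is the current boto3 call.
    iot.attach_policy(policyName=policy_name, target=desc["certificateArn"])
    if notify_erp is not None:
        notify_erp(cert_id)  # updateERP(): record the enrolment in back-office systems
    return {"certificateId": cert_id, "action": "activated"}


def handle_incident(event, iot, policy_name=POLICY_NAME, new_status="REVOKED"):
    """Invalidate a certificate, e.g. from a CloudWatch Events trigger.

    The policy is detached before the status change so that even if the second
    call fails the certificate has already lost its permissions.
    """
    cert_id = event["certificateId"]
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    iot.detach_policy(policyName=policy_name, target=desc["certificateArn"])
    iot.update_certificate(certificateId=cert_id, newStatus=new_status)
    return {"certificateId": cert_id, "action": "invalidated", "status": new_status}


class FakeIoT:
    """Minimal offline stand-in for boto3's IoT client (constructed for this example)."""

    def __init__(self, certificates):
        self.certs = certificates  # certificateId -> certificateDescription dict
        self.attached = set()      # (policyName, certificateArn)

    def describe_certificate(self, certificateId):
        return {"certificateDescription": self.certs[certificateId]}

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus

    def attach_policy(self, policyName, target):
        self.attached.add((policyName, target))

    def detach_policy(self, policyName, target):
        self.attached.discard((policyName, target))


def sample_registry():
    """Constructed sample data: two pending certificates from CA ca-1 and one active one."""
    arn = "arn:aws:iot:eu-west-1:1234567890:cert/"
    return FakeIoT({
        "c1": {"certificateId": "c1", "certificateArn": arn + "c1",
               "caCertificateId": "ca-1", "status": "PENDING_ACTIVATION"},
        "c2": {"certificateId": "c2", "certificateArn": arn + "c2",
               "caCertificateId": "ca-1", "status": "PENDING_ACTIVATION"},
        "c3": {"certificateId": "c3", "certificateArn": arn + "c3",
               "caCertificateId": "ca-1", "status": "ACTIVE"},
    })
```

Wire handle_jitr to a topic rule on $aws/events/certificates/registered/# and handle_incident to whatever signal your detection pipeline raises; both are idempotent on replayed events because they read the certificate status first.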
Demo (screencast): https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/jitr.mov
“I am better than that THING”
User access
Unauthenticated (anonymous) user access: Amazon Cognito maps the user onto an IAM unauthenticated role.
Authenticated user access: an identity provider authenticates the user, Amazon Cognito maps the identity onto an IAM authenticated role, and an IoT policy can be attached per user.
IoT security in the cloud scales
… and real hardware?
Strong device security
Atmel/Microchip AWS-ECC508
Straightforward provisioning
and secure key storage
Crypto-operations offloading
for constrained hardware
Live demo
Cesanta Mongoose IoT Firmware (mongoose-iot.com)
• Hardware agnostic: ESP8266, TI CC3200 and others
• Secure: SSL/TLS, Microchip ATECC508A crypto-chip support
• Develop in C, or JavaScript, or both
• Networking: MQTT, WebSocket, CoAP, HTTP/HTTPS and others
• Mongoose Embedded Web Server and Networking Library
Customers: NASA, Dell, Samsung, HP and many others
Live demo
ATECC508A-AWS
ESP8266
Live demo
Point your browser:
https://iot-security.cloud/demo
Microchip/Atmel
ATECC508A-AWS
Encapsulate the entire provisioning
process into a turnkey IC
Focus design effort on customer
experience
Strong turnkey security
IoT device identity requirements:
• Every device must have a trustable identity
• The private key can never be revealed!!!
• Authenticate every entity with which you communicate
• The authentication process must be trusted
Perfect software exists in theory only
Never Mix Software
with Keys!
Attackers don’t need physical access!
• Rowhammer: modify DRAM state to gain kernel privileges
• Acoustic cryptanalysis: listen to component vibration from across the room, extract keys (http://www.tau.ac.il/~tromer/acoustic/)
• Timing attack (first published in 1996): extract confidential data based on response delay
ATECC508A-AWS: get critical stuff out of the micro!
• Root of trust for secure code
• High-security key storage
• Less code = lower cost
• 10x-100x faster than MCU
Advanced security circuitry: active shield, internal encryption, randomization, tampers, no JTAG, …
Strong attack defenses: microprobe, timing, emissions, faults, glitches, temperature
Chart: standard devices vs. Microchip security devices
What makes ATECC508A a vault?
• Keys never leave the chip: no back doors!
• Software asks for keys to be used; the chip accelerates the math using the key
• Elliptic curve algorithm in hardware: can’t exploit software bugs!
Comprehensive thing security
Private key generated entirely inside the ATECC508A
• Completely random
• NEVER readable
• NEVER known by anybody
Certificates generated by world-class HSMs at Microchip
• Protected in State-of-the-art Secure Facilities
No special equipment or procedures required in the OEM factory
Secure in the factory: Microchip’s factory provisioning
Secure facilities: 24/7 camera monitored, locked cages, network isolation, physical access control
Hardware security modules (HSM): highly secure computers with world-class certifications: FIPS 140-2, CC EAL 4+, …
Easy to get started
Reference design
• ARM® Cortex®-M4 microcontroller
• Wi-Fi® connectivity
• ATECC508A pre-configured for AWS IoT
• I/O module
• Root CA & Intermediate CA demo dongles
• FreeRTOS
• WolfSSL TLS 1.2
• MQTT client
• JSON library
• Example application with 6 I/Os
Source code & documentation on GitHub:
https://github.com/MicrochipTech/AWS-Secure-Insight
Easy OEM setup
1. OEM creates AWS IoT account, sets up OEM CA (existing OEM capability, 3rd-party trusted CA, or Microchip CA kit)
2. OEM creates certificates for Microchip production signers
3. OEM registers production signer certificates into their AWS account
Diagram: root of trust (root CA) → OEM CA → customer-specific production signers, registered in the OEM’s AWS account.
Zero touch provisioning – manufacture
1. Microchip ships ATECC508A including certificates to board shop
2. IoT provisioning easy: assemble ATECC508A into IoT product
3. Final product ships with little or no cloud enrollment instructions or actions needed
Diagram: root CA → OEM certificate → customer-specific production signers → IoT OEM.
Zero touch provisioning – field
Device certificate automatically transferred to AWS and registered on first connection.
Diagram: IoT device #NN, carrying a certificate from the customer-specific production signers, registers into the OEM AWS account.
Easy prototyping
1. Development kits readily available from distributors
2. Includes turnkey USB dongles set up to model the OEM CA and the Microchip production signers
3. Use to create demonstration systems and alpha units for testing and qualification
Diagram: root of trust (root CA), a signing USB dongle and an OEM USB dongle in the OEM lab.
ATECC508A-AWS
Secure keys: ultimate protection for keys to prevent any software attack; accelerates ECC up to 100x
Fast design: prototyping kits available now, complete reference design on the web, tiny package fits any system
Easy manufacturing: secure and seamless manufacturing logistics; JITR means ready-to-go with AWS out of the box
Easily secure your AWS IoT device
Straightforward off-band certificate
management
• Bring your own certificates
• Just in time registration
• ECC certificate support
Fine-grained authorization at scale
• X.509 certificate policy variables
• Thing policy variables
End-to-end security
• Zero touch secure provisioning
• Mobile carriers’ secure tunnels to VPC
Now build a secure IoT solution!
Demos/resources from this session:
https://iot-security.cloud
Remember to complete
your evaluations!