IoT Security - CAP'Tronic

Post on 22-Sep-2020

Slide 1: IoT Security

June 2016

[email protected]

Slide 2

M2M overview
• What are IoT & M2M?
• Main actors
• Market segmentation

M2M markets: use cases & challenges

Deployment, operations & support of M2M solutions

Some actual MNO offers on M2M

What's next?

Seminaire Cybersécurité - Captronic, June 20, 2016

Slide 3: What is the Internet of Things (IoT)?

A possible definition of IoT: "The Internet of Things (IoT) is an environment in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction." Source: http://whatis.techtarget.com/

Examples of IoT segments or solutions (pictured): connected wearables, iBeacon

Slide 4: What is Machine-to-Machine?

A possible definition of M2M: "We define machine to machine (M2M) as the concept of autonomous, two-way communications between a modem or a wireless radio module and a server or computer."

More precisely: using a device (such as a sensor or meter) to capture an event (such as temperature, inventory level, location, etc.), which is relayed through a network (wireless, wired or hybrid) to a software application that translates the captured event into meaningful information (for example, items need to be restocked).

M2M is a subset of IoT in which the device embeds the communication module. Connected cars are M2M solutions; a shoe with sensors sending data to a mobile phone through Bluetooth is part of IoT but not M2M.

Slide 5: A few figures regarding the IoT forecasts

Sources: IDC, Scotiabank, BI Intelligence, Gartner, Forrester, IHS Technology

54 M: connected cars by 2020, representing 75% of yearly passenger car production
4 M: number of Apple Watches shipped last quarter
3.5 BN: individual smartphone users by 2019, representing 59% of the global population
228 M: connected wearables to be shipped in 2020
339 M: number of smart homes next year
34 BN: connected "things" by 2020

Slide 6: ...showing a significant revenue opportunity for MNOs in being able to connect them

Slide 7: Global connections, 2020 (source: GSMA Intelligence)

Chart labels: Internet of Things, 23 billion; M2M; fixed network, short-range, powerline, satellite etc.; LPWA; cellular. Figures shown: 1.4 billion, 1 billion, ~10 billion.

Cisco predicts that the global IoT market will reach USD 14.4 trillion by 2022 [1].

Slide 8: 9 major M2M markets

Remote monitoring and control: fraud detection, remote configuration change, remote consumption reading
– Copier industry
– Info displays and lighting
– Pumps and valves

Automotive: cars and intelligent traffic systems
– On-board diagnostic equipment
– Navigational devices
– Emergency and breakdown call
– Tolling and traffic control

Router / gateway / WLL: wireless hub for data or voice, especially in regions with under-developed fixed-line infrastructure or behind firewalls
– Wireless access to data
– Fixed telephone substitution

Tracking and tracing: combining a GPS / GSM receiver
– Insurers: "pay as you drive"
– Container tracking
– Fleet management
– Stolen vehicle tracking
– Person and wildlife tracking

Payment: payment transactions and verification
– Point of sale devices
– Vending machines and cash registers
– Automated teller machines
– Parking meters

Metering: reading consumption remotely
– Electricity
– Gas
– Water
– District heating
– Grid control

Security: communication for automated alarm systems
– Alarm systems
– Video surveillance
– Car security
– Access control
– Landline backup

Health care: mHealth solutions with cellular connectivity
– Sleep therapy solutions
– Medication compliance monitoring
– Chronic care management
– Cardiac care
– Independent living

Mobile computing: ruggedized and robust terminals for specialized applications
– Industrial PDAs
– Logistic scanners
– Field diagnostic devices

Slide 9: Security by design for IoT: a new set of constraints

Slide 10: Authentication & privacy is critical

Consumers and enterprises only want authorized entities to have access to their devices or data.

Secure components and solutions must be embedded into "things" to protect data at rest and data in motion.

Hackers will take advantage whenever there is a security loophole.

Figures shown:
15 seconds: time required by a hacker to backdoor a smart thermostat device
75,000 spam emails sent by an internet-connected fridge during a holiday break
471,000 connected vehicles found vulnerable to cyber attacks

Slide 11: Influx of data in connected ecosystems

Data lifecycle diagram: data at rest in the device; data in motion between device and cloud (both directions); big data at rest in the cloud.

Data is at rest in the device and in the cloud, or in motion between devices and the cloud. The nature of the data varies (for example vehicle location data or streamed media), which requires different levels of privacy and security.

Slide 12: The hacker marks the target

Possible attack vectors: how an intruder ("new-world intruder") could attack a connected vehicle
– Hack into the cloud infrastructure and steal the driver's identity, by exploiting application or data security holes
– Sniff data from the network, by exploiting weak communication encryption
– Hack into the car ICE (in-car entertainment) unit, through physical access to the vehicle
– Hack into the car computer (ECU), by remotely accessing its IP address and exploiting weak authentication mechanisms

Slide 13: Example 1: Charlie Miller's 2015 attack

Presented at Black Hat 2015: https://www.blackhat.com/us-15/briefings.html#remote-exploitation-of-an-unaltered-passenger-vehicle

Presents a remote exploitation of a Jeep Cherokee: the attacker is able to remotely take control of the car. Done through the GSM / 3G network. Based on a set of different vulnerabilities at different levels; most of the important vulnerabilities will be covered in this training.

Slide 14: Jeep Cherokee architecture

Diagram labels: CAN-IHS and CAN-C buses; Renesas V850 (gateway); OMAP DM3730 (application processor).

Slide 15: Charlie Miller's attack

Identify the target: find the IP address of a target vehicle to attack.
Exploit the OMAP chip of the head unit: use vulnerabilities existing on the chip in order to gain remote control.
Control the Uconnect system: flash the gateway controller with modified firmware, in order to remove its control over CAN packets.
Perform cyber-physical actions: send CAN messages to make physical things happen on the vehicle.

Slide 16: Example 2: with physical hardware access

Diagram: Head unit -> TCU -> Network -> Back-end data

Slide 17: Schematic identification

Attacker objective: rebuild the schematic of a board and identify connectors and pads.
The first step can be done without equipment, just by inspecting the board carefully. Deeper analysis can be done with an X-ray machine, available at low cost in university labs.

Slide 18: Schematic identification

Example of a flash memory pad identification (picture).

Slide 19: Schematic identification

Combining the X-ray picture and the component specification, one can retrieve the pads accessible directly on the board (rather than trying to access the BGA pads). This allows spying on the data exchanges between the flash memory and the main chip. Ultimately the full flash content can be dumped for offline analysis.

Slide 20: Memory content extraction

Example of a flash unsoldering process using a dedicated machine (picture).

Slide 21: Memory content extraction

Unsoldered components can then be resoldered on a development board.

Slide 22: Interface identification: JTAG

Thanks to the schematic rebuilding, one can identify potential JTAG pads. Using soldered wires, one can reuse a removed JTAG connection (a connection intended for tests/debug).

Slide 23: Hardware debugging: JTAG example

Advanced JTAG probes are able to disassemble code in memory. In the example shown, an attacker uses a JTAG probe to patch a syscall inside the kernel of a Linux system and is then able to gain root privileges.

Slide 24: Interface identification: OBD

Embedded in all of today's vehicles. Used for diagnosis and failure analysis.
Gives direct access to the ECUs of the vehicle, for example by communicating over CAN buses (or other technologies).
Is used to control several actions, for example lights, window opening, acceleration, braking.
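The attack chain on slide 15 ends with CAN messages injected to make physical things happen, and slide 24 shows that the OBD port gives the same direct access to the buses. The defender-side counterpart is an intrusion detection check on the bus itself. The Go program below is an added example, not code from the presentation or from Gemalto: it parses CAN log lines written in the style of candump -l output ("(timestamp) interface ID#DATA"; the lines here are constructed), learns the nominal period of each CAN ID from a clean baseline capture, and flags frames that arrive much earlier than that period, which is the signature injected frames leave when they interleave with the legitimate periodic ones. The CAN ID 0C4, its 10 ms period, the DEADBEEF payload and the tolerance of 0.5 are constructed assumptions.

```go
package main

// Added example, not from the CAP'Tronic slides or Gemalto: timing-based detection of
// injected CAN frames. Log lines are constructed in the style of candump -l output,
// "(timestamp) interface ID#DATA"; the period check is a generic inter-arrival test.

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// Frame is one parsed CAN log record.
type Frame struct {
	TS    float64 // seconds since the epoch
	Iface string
	ID    string // hex CAN identifier as written in the log
	Data  string // hex payload
}

var candumpRe = regexp.MustCompile(`^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$`)

// ParseCandumpLine parses one "(ts) iface ID#DATA" line.
func ParseCandumpLine(line string) (Frame, error) {
	m := candumpRe.FindStringSubmatch(line)
	if m == nil {
		return Frame{}, fmt.Errorf("unrecognised CAN log line: %q", line)
	}
	ts, err := strconv.ParseFloat(m[1], 64)
	if err != nil {
		return Frame{}, err
	}
	return Frame{TS: ts, Iface: m[2], ID: m[3], Data: m[4]}, nil
}

// LearnPeriods returns, per CAN ID, the median inter-arrival time seen in a clean
// baseline capture. Periodic ECU messages keep a stable period, so the median is a
// robust estimate even when the baseline contains some jitter.
func LearnPeriods(baseline []Frame) map[string]float64 {
	gaps, lastSeen := map[string][]float64{}, map[string]float64{}
	for _, f := range baseline {
		if prev, ok := lastSeen[f.ID]; ok {
			gaps[f.ID] = append(gaps[f.ID], f.TS-prev)
		}
		lastSeen[f.ID] = f.TS
	}
	periods := map[string]float64{}
	for id, g := range gaps {
		sort.Float64s(g)
		periods[id] = g[len(g)/2]
	}
	return periods
}

// DetectInjections flags frames that arrive sooner than tolerance*period after the
// previous frame with the same ID: an injected frame lands between two legitimate
// periodic ones and so shows up "too early". IDs without a learned period are
// ignored; they need a separate allow-list policy.
func DetectInjections(trace []Frame, periods map[string]float64, tolerance float64) []Frame {
	var flagged []Frame
	lastSeen := map[string]float64{}
	for _, f := range trace {
		period, known := periods[f.ID]
		prev, seen := lastSeen[f.ID]
		if known && seen && f.TS-prev < tolerance*period {
			flagged = append(flagged, f)
		}
		lastSeen[f.ID] = f.TS
	}
	return flagged
}

// ConstructedTrace builds a constructed capture: CAN ID 0C4 every 10 ms for one second;
// with inject set, one extra 0C4 frame is slipped in 2 ms after the 51st legitimate frame.
func ConstructedTrace(inject bool) []Frame {
	var frames []Frame
	base := 1466428800.0 // constructed epoch timestamp
	for i := 0; i < 100; i++ {
		ts := base + float64(i)*0.010
		f, _ := ParseCandumpLine(fmt.Sprintf("(%.6f) can0 0C4#%016X", ts, uint64(i)))
		frames = append(frames, f)
		if inject && i == 50 {
			f2, _ := ParseCandumpLine(fmt.Sprintf("(%.6f) can0 0C4#DEADBEEFDEADBEEF", ts+0.002))
			frames = append(frames, f2)
		}
	}
	return frames
}

func main() {
	periods := LearnPeriods(ConstructedTrace(false))
	fmt.Printf("learned period for 0C4: %.4f s\n", periods["0C4"])
	for _, f := range DetectInjections(ConstructedTrace(true), periods, 0.5) {
		fmt.Printf("early frame (possible injection): ts=%.6f id=%s data=%s\n", f.TS, f.ID, f.Data)
	}
}
```

The check only covers periodic IDs and only catches frames that arrive in addition to the legitimate ones; it does not see anything when the legitimate sender has been silenced (the effect of the gateway reflash on slide 15), so it complements, rather than replaces, bus segmentation and gateway firmware integrity.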

Slide 25: Interface identification: USB port

Example of a modem providing TCP/IP over USB.
If no security mechanism ensures authentication of the devices, it is easy to spoof one of the devices in the chain: plug a rogue device on the USB bridge and shut down the target device, which is then exposed to the spoofing attack.
– Spoofing of the modem allows redirecting all traffic to a completely controlled network.
– Spoofing of the device using the modem allows abuse of the network bandwidth.

Slide 26: Bus data interception: wire soldering

Once basic schematics have been identified, an attacker can solder wires to probe the bus between components, for example the serial link between two controllers.

Slide 27: Bus data interception: analysis

With an oscilloscope or a logic analyzer, it is then possible to analyse the protocol passing through the bus.

Slide 28: Security by design: implementation

Slide 29: IoT endpoints have specific challenges

Characteristics: low power consumption, low cost, long lived, physically accessible.
Endpoint classes shown: simple endpoint, complex endpoint, gateway or hub.

Slide 30: IoT ecosystem

Diagram: Devices -> Gateways -> IoT cloud / apps

Slide 31: Route to safeguarding trust in IoT

Gemalto's approach to security closes the loop, managing the complete security lifecycle of the connected object together with data at rest and in motion from the network to the cloud.

Security lifecycle management:
> Software activation & licensing
> Dynamic key management (for authentication & encryption)
> Secure provisioning of key credentials & tokens

Secure the cloud:
> Big data encryption
> Server protection
> Cloud application security

Secure the device:
> Secure device access
> Sensitive data security
> Communication encryption
> Protect software integrity

Also shown: IoT security consulting & certification services.

Slide 32: Secure the device

Categories: secure device access, sensitive data security, communication encryption, protect software integrity.

– Protect a connected vehicle's software integrity and intellectual property; download car firmware upgrades through a validated source. (Sentinel)
– Securely lock/unlock a vehicle through a smartphone, safeguarding car keys inside a Secure Element. (Secure Element)
– Encrypt sensitive car telematics data, in motion or at rest. (Secure Element)
– Use an embedded SIM (eSIM) for secure transmission of data over cellular networks and connectivity flexibility; use a Secure Element for LPWAN (LoRa device). (eSIM)

Slide 33: Secure the cloud

Categories: big data encryption, server protection, cloud application security.

– Ensure security of data transmission from one enterprise business application to the other, e.g. sharing sensitive vehicle diagnostic data securely over the cloud. (SafeNet ProtectApp)
– Use web-based entitlement to grant access only to authorized users, devices and applications. (Sentinel EMS)
– Ensure protection of the intellectual property of your software in the cloud; securely enable multiple and flexible business models such as "product as a service". (Sentinel Cloud)
– Secure instances of virtual machines in the cloud for your enterprise or partner servers. (SafeNet ProtectV)
– Encrypt all your data at rest in the cloud using data protection solutions, such as sensitive vehicle engine data, media files or vehicle tracking history. (SafeNet Data Encryption)

Slide 34: Security lifecycle management

Categories: software activation & licensing, dynamic key management, secure provisioning of key credentials & tokens.

– Manage and secure encryption keys for different components within the infrastructure, including databases, file servers, application servers and hardware security modules; manage the lifecycle of tokens. (SafeNet Crypto Management)
– Manage the lifecycle of licenses on the cloud or device; flexibly manage evolving business models; securely manage connected devices' features remotely. (Sentinel Software Monetization)
– Manage the lifecycle of encryption and authentication keys of multiple devices: LoRa. (Trusted Key Manager)
– Ensure secure provisioning and administration of keys on the device. (Allynis Trusted Services Hub)

Slide 35: How Gemalto brings trust to IoT

Connect:
> Out-of-the-box connectivity
> Multiple form factors
> Quality of service
> Subscription management

Secure:
> Secure the device
> Secure the cloud
> Security lifecycle management

Monetize:
> Flexible monetization
> Licensing and entitlement software
> IoT application upgrades
> Application development

Slide 36: Building secure IoT end-to-end (E2E) security

1. Assess the security needs of the infrastructure through a risk evaluation (security by design)
2. Secure the breaches from the edge to the core
   • Each component is uniquely identified
   • Encrypt data
   • Store and manage keys
   • Control user access
3. Make your security evolve
   • Lifecycle management of security credentials
   • Control new entrants in the ecosystem

Slide 37: How to deliver security? Protect the data at rest and in motion

Diagram: Devices -> Gateways -> IoT cloud / apps

Slide 38: How to deliver security? End-to-end authentication and device identification

Diagram: Devices -> Gateways -> IoT cloud / apps

Slide 39: Where does security matter most?

Two columns contrast the environments:
Software: protected environment, trusted users, direct access to data.
Hardware: unprotected environment, non-trusted users, no direct access to data; tamper-resistant devices.

Slide 40: Gemalto embedded security choices

Options ranked by security, and by difficulty & cost, from lowest to highest:
– Software based: minimum security on a generic processor; security +; 0 on BOM
– Software TEE: dedicated software on the processor; security ++; 0 on BOM
– Hardware TEE: dedicated hardware on a generic processor; security +++; BOM impact
– Dedicated Secure Element: tamper-resistant hardware on a dedicated chip; security ++++; BOM impact

TEE: Trusted Execution Environment. BOM: Bill Of Materials.

Slide 41: What's inside a secure element (secure computing environment)?

Client software embedded in a secure element protects the identity of the user/device and the authentication process:
– Identity certificates of the user/device
– Cryptographic keys for online data exchange
– Application and cryptographic software that checks the ID and communicates externally:
  - Data exchange ciphering
  - Verifies the authenticity of a credential
  - Performs user/device authentication
  - Checks server identity
Provides the root of trust for external communication.

Slide 42: What is an HSM?

SafeNet Network HSM (Luna SA, 1700 & 7000): network attached and scalable
SafeNet PCIe HSM (Luna PCI-E, 1700 & 7000): high-performance cryptographic processor
SafeNet USB HSM (Luna G5): offline key archive / starter HSM

Slide 43: Detailed study: LoRa security mechanism

Slide 44: LoRaWAN architecture

Diagram: Devices -> Gateways -> LoRa network server -> Application servers

Slide 45: LoRaWAN security

Diagram: Devices -> Gateways -> LoRa network server -> Application servers
Each device is provisioned with a unique AES-128 key: the AppKey.

Slide 46: LoRaWAN security: network connection

Join-request (DevEUI, ..., MIC): a cryptogram (MIC) is computed with the AppKey.

Slide 47: LoRaWAN security: network connection

Join-accept (..., MIC): a cryptogram (MIC) is also computed with the AppKey.

Slide 48: LoRaWAN security: network connection

Two session keys are derived: AppSKey and NwkSKey.

Slide 49: LoRaWAN security: network connection

NwkSKey is used for network-layer security.

Slide 50: LoRaWAN security: network connection

AppSKey is used for application-layer end-to-end security & confidentiality.

Slide 51: Background links for security deployment: switching to the logical view

Diagram entities: device manufacturers, devices, gateways, LoRa network server, application servers, join server.

Slide 52: Device provisioning

Same diagram; AppKey generation takes place at the join server.

Slide 53: Device provisioning

Same diagram.

Slide 54: Network connection

Same diagram, with the message flow: Join-request (..., MIC) shown over two hops, Join-accept (..., MIC) shown back over two hops.

Slide 55: Key derivation

Same diagram.

Slide 56: Key distribution

Same diagram.

Slide 57: Deployment example 1

Diagram with one join server.

Slide 58: Deployment example 2

Diagram with two join servers.

Slide 59: Deployment example 3

Diagram with two join servers.

Slide 60: Deployment example 4

Diagram with two join servers.

Slide 61: Secure Element provisioning

Diagram adds an SE manufacturer performing key provisioning.

Slide 62: Tamper resistance at chip level

Chip pictures (labels: CPU, EEPROM, ROM, RAM):
– Unprotected chip: blocks can be easily identified, no shield, no glue logic, buses clearly visible.
– Protected chip: shield, glue logic, no buses visible, memory and bus encryption, sensors.

Tamper-resistance features:
• Single-component chip design
• Active shielding
• Glue logic design: mixed functional blocks on silicon
• Encrypted buses and memories
• Layered production: buried buses, scrambled memories
• Reduced power signal and electromagnetic emissions
• Analog sensors: monitor environment variations (voltage, frequency, light, temperature)
• Logical sensors: detection of inconsistent processing
• Error correction code and memory integrity

Also shown: SE, TPM, TEE.

Slide 63: LoRa device architecture

Diagram: LoRa module containing a Secure Element (SE), an MCU and a radio.

Seminaire Cybersécurité - Captronic 17/06/2016

Slide 64: LoRa Secure Element

Secure chip software stack: Operating System, Java Card VM, Java Card API 3.0.1, GlobalPlatform 2.2, LoRa applet and other applets.
The Secure Element communicates with the MCU over APDUs.

Slide 65: LoRa SE functionalities

– Stores DevEUI, AppEUI and AppKey
– MIC generation
– MIC check
– Session key generation (AppSKey, NwkSKey)
– Payload encryption / decryption

Slide 66: Thanks for your attention!