ON-BOARDING IN THE IOT – A REPORT CARD

Paul Madsen, Senior Technical Architect, Ping Identity (The Identity Division of Vista Equity)

Copyright © 2014 Ping Identity Corp. All rights reserved.

Upload: paul-madsen

Post on 09-Feb-2017


Page 1: Onboarding in the IoT

ON-BOARDING IN THE IOT – A REPORT CARD

Paul Madsen, Senior Technical Architect, Ping Identity (The Identity Division of Vista Equity)

Page 2: Onboarding in the IoT

Onboarding: the process of provisioning a client with credentials for accessing a network resource and assigning it appropriate permissions.

Page 3: Onboarding in the IoT

Flavours of onboarding in Smart Home

• Device to Device – e.g. getting a device onto home wifi

• User (Device) to Device – e.g. getting a house guest onto home wifi

• Device to Application – binding a device to a cloud account

• Application to Application – assigning a web app permissions to access API data

Page 4: Onboarding in the IoT


Page 5: Onboarding in the IoT

Desired qualities

• Security – must not leak credentials nor create an opportunity for a MITM to insert themselves into the process

• Usable – intuitive, learnable & consistent

• Granularity – associated permissions should be constrained beyond y/n

• Interoperability – proprietary doesn’t scale (nor enable consistency)

Page 6: Onboarding in the IoT

Device to Device


Page 7: Onboarding in the IoT


Page 8: Onboarding in the IoT


Page 9: Onboarding in the IoT

WiFi Provisioning mechanisms

• Device hotspot

• WPS Push Button

• Apple Wireless Accessory Configuration (WAC)

• TI SmartConfig

• OOB, e.g. BLE, BlinkUp, NFC

Page 10: Onboarding in the IoT

Insecure

• Lifx bulb creates its own WiFi AP in order to collect the creds of the house WiFi

• If turned on/off 5 times, bulb resets & creates a new hotspot

• If an attacker creates their own hotspot at the same time, the user can be phished into providing the wifi creds to it

Page 11: Onboarding in the IoT

Proprietary


• TI SmartConfig app provisions SSID credentials to a specialized CC3000 chip

• App encodes the credentials as the lengths of UDP packets

• CC3000 can see the encrypted packets and their sizes

• Chip can decode SSID & pwd from the sizes alone – even though the packets are encrypted

Page 12: Onboarding in the IoT

Weird….


• ElectricImp BlinkUp app transmits the wifi creds by rapidly flashing light pulses on the phone’s screen

• Light flashes are picked up by an optical sensor on the device

• Wifi creds are decoded and the network joined

Page 13: Onboarding in the IoT

Report card

                             Security   Usability   Granularity   Interoperability
Device to Device             C-         B-          D             D
User (Device) to Device
Device to Application
Application to Application

Page 14: Onboarding in the IoT

User (Device) to Device


Page 15: Onboarding in the IoT


Page 16: Onboarding in the IoT


Page 17: Onboarding in the IoT

Google OnHub password sharing


Page 18: Onboarding in the IoT

Authorization features


Page 19: Onboarding in the IoT

But

• Current authz constraint & automation mechanisms are defined in terms of the device

• Doesn’t adequately account for shared devices

• Should instead manage the combination of the user & the device (i.e. the relationship)

Page 20: Onboarding in the IoT


Page 21: Onboarding in the IoT

Password anti-pattern (in the small)

• Discourages strong wifi passwords

• No granularity of authorizations

• Phishable

• Difficult to revoke permissions

Page 22: Onboarding in the IoT


Page 23: Onboarding in the IoT

Report card

                             Security   Usability   Granularity   Interoperability
Device to Device             C-         B-          D             D
User (Device) to Device      C-         B+          C             B-
Device to Application
Application to Application

Page 24: Onboarding in the IoT

Device to Application


Page 25: Onboarding in the IoT

Two fold

• How to
  – bind a specific device to an existing account at an IoT provider
  – issue that device with a credential that can be used to authenticate to a cloud endpoint

Page 26: Onboarding in the IoT

Current model

(diagram: Device, Server, Server; edge labels “x.509 (or key pair)” and “pwd”)

Page 27: Onboarding in the IoT

A new anti-pattern?

• Normal challenges of lifecycle management of certs, i.e. PKI

• Can’t support shared devices

• Doesn’t inhibit correlation

Page 28: Onboarding in the IoT

Authentication Chain

Attestation keys → Device-generated keys → Signed device keys → User creds → Tokens

Page 29: Onboarding in the IoT

Report card

                             Security   Usability   Granularity   Interoperability
Device to Device             C-         B-          D             D
User (Device) to Device      C-         B+          C             B
Device to Application        C          B           D             D
Application to Application

Page 30: Onboarding in the IoT

Application to Application


Page 31: Onboarding in the IoT

Good news


Page 32: Onboarding in the IoT

Cautionary tale

• OAuth 2.0 is not a silver bullet

• Doesn’t guarantee appropriate permissions/scopes

• Authz to ‘close’ door should not necessarily mean authz to ‘open’ door
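The Authentication Chain of page 28 and the scope caveat of page 32, worked through as an added example (not code from the deck or from Ping Identity): a manufacturer attestation key endorses a device-generated key, the cloud checks that endorsement plus a possession proof and the user's consent before minting a scoped token, and the resource server matches scopes exactly. The function names, the nonce and the `door:close` / `door:open` scope strings are assumptions chosen for the example; `userOK` stands in for the user-credential step, which is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Token is the secondary credential minted at the end of the chain: bound to the device key and scoped per action.
type Token struct {
	DeviceKey ed25519.PublicKey
	Scopes    []string
}
// SignDeviceKey is the manufacturer step: the attestation key endorses a public key the device generated itself.
func SignDeviceKey(attestPriv ed25519.PrivateKey, devPub ed25519.PublicKey) []byte {
	return ed25519.Sign(attestPriv, devPub)
}
// IssueToken is the cloud step: mint a token only if the device key is attested by a trusted key, the device
// proves possession of it by signing the server nonce, and the user has logged in and consented (userOK).
func IssueToken(trustedAttest, devPub ed25519.PublicKey, devCert, nonce, proof []byte, userOK bool, scopes []string) (Token, error) {
	if !ed25519.Verify(trustedAttest, devPub, devCert) {
		return Token{}, errors.New("device key is not attested by a trusted key")
	}
	if !ed25519.Verify(devPub, nonce, proof) {
		return Token{}, errors.New("device did not prove possession of its key")
	}
	if !userOK {
		return Token{}, errors.New("user has not authorized binding this device")
	}
	return Token{DeviceKey: devPub, Scopes: scopes}, nil
}
// Authorize is the resource-server check: an exact scope match, so "door:close" never implies "door:open".
func Authorize(t Token, action string) bool {
	for _, s := range t.Scopes {
		if s == action {
			return true
		}
	}
	return false
}

func main() { // stand-alone demo with freshly generated (constructed) keys
	attestPub, attestPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := []byte("constructed-server-nonce")
	tok, err := IssueToken(attestPub, devPub, SignDeviceKey(attestPriv, devPub), nonce,
		ed25519.Sign(devPriv, nonce), true, []string{"door:close"})
	fmt.Println(err, Authorize(tok, "door:close"), Authorize(tok, "door:open")) // <nil> true false
}
```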

Page 33: Onboarding in the IoT

Report card

                             Security   Usability   Granularity   Interoperability
Device to Device             C-         B-          D             D
User (Device) to Device      C-         B+          C             B
Device to Application        C          B           D             D
Application to Application   B+         B+          B-            A-

Page 34: Onboarding in the IoT


Page 35: Onboarding in the IoT

Time to graduate

The problem is using primary credentials (certs, device keys, passwords) where secondary credentials (tokens) are more appropriate

Page 36: Onboarding in the IoT


Page 37: Onboarding in the IoT

Need to apply the delegated authz model to all flavours of Smart Home onboarding (and not just app to app)

Page 38: Onboarding in the IoT

What do we need?

• OAuth AS capabilities in routers/hubs
  – Emerging authz features in routers a first step?

• Bindings of the delegated authz model to constrained IoT protocols
  – à la IETF ACE WG
  – NAPPS TA?

• Intuitive & usable authz ceremonies
  – App-based
  – Voice? Amazon Echo et al.

Page 39: Onboarding in the IoT


Thing

Page 40: Onboarding in the IoT

THANKS

@paulmadsen