ON-BOARDING IN THE IOT – A REPORT CARD
Paul Madsen, Senior Technical Architect, Ping Identity (The Identity Division of Vista Equity)
Copyright © 2014 Ping Identity Corp. All rights reserved. 1
Onboarding: the process of provisioning a client with credentials for accessing a network resource and assigning it appropriate permissions.
Flavours of onboarding in Smart Home
• Device to Device – e.g. getting a device onto home wifi
• User (Device) to Device – e.g. getting a house guest onto home wifi
• Device to Application – binding a device to a cloud account
• Application to Application – assigning a web app permissions to access API data
Desired qualities
• Security – must not leak credentials nor create an opportunity for a MITM to insert themselves into the process
• Usable – intuitive, learnable & consistent
• Granularity – associated permissions should be constrained beyond y/n
• Interoperability – proprietary doesn’t scale (nor enable consistency)
Device to Device
WiFi Provisioning mechanisms
• Device hotspot
• WPS Push Button
• Apple Wireless Accessory Configuration (WAC)
• TI SmartConfig
• OOB, e.g. BLE, BlinkUp, NFC
Insecure
• Lifx bulb creates its own WiFi AP in order to collect creds of house WiFi
• If turned on/off 5 times, bulb resets & creates a new hotspot
• If attacker creates their own hotspot at same time, user can be phished into providing wifi creds
Proprietary
• TI SmartConfig app provisions SSID credentials to specialized CC3000 chip
• App encodes credentials as length of UDP packets
• CC3000 can see the encrypted packets and their sizes.
• Chip can decode SSID & pwd – even from encrypted packets
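To make the point of the slide concrete, an added simulation (not TI's code, and not the real SmartConfig framing, which is a constructed toy here): a secret encoded purely in datagram lengths survives encryption of the payload, because any receiver in range sees the same sizes the chip does.

```python
import os

# Constructed toy scheme (assumption, not the real SmartConfig encoding): each
# byte of the secret becomes one datagram whose payload length is the byte
# value plus a fixed offset. The payload contents carry no information.
OFFSET = 16


def encode_as_lengths(secret: str) -> list[int]:
    """Provisioning app side: turn the SSID/password string into a length sequence."""
    return [OFFSET + b for b in secret.encode("utf-8")]


def build_datagrams(lengths: list[int]) -> list[bytes]:
    """Stand-in for the WPA-encrypted frames on the air: random bytes, so payload
    confidentiality holds, but each frame is exactly the requested size."""
    return [os.urandom(n) for n in lengths]


def observed_lengths(datagrams: list[bytes]) -> list[int]:
    """What a receiver that cannot decrypt still learns: the size of every frame.
    (Real WPA adds a constant per-frame overhead, which does not hide the pattern.)"""
    return [len(d) for d in datagrams]


def decode_from_lengths(lengths: list[int]) -> str:
    """Any observer, not only the CC3000, can run this over the observed sizes."""
    return bytes(n - OFFSET for n in lengths).decode("utf-8")


def roundtrip(secret: str) -> str:
    """End to end: app encodes, frames are 'encrypted', sizes alone recover the secret."""
    return decode_from_lengths(observed_lengths(build_datagrams(encode_as_lengths(secret))))
```

The lesson for defenders is that link-layer encryption protects payload confidentiality, not traffic metadata such as frame length, so a provisioning design must never carry secrets in the metadata.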
Weird….
• ElectricImp BlinkUp app transmits wifi creds by rapidly flashing light pulses on the device’s screen
• Light flashes picked up by optical sensor on device
• Wifi creds decoded and network joined
Report card
                            Security   Usability   Granularity   Interoperability
Device to Device            C-         B-          D             D
User (Device) to Device     (not yet graded)
Device to Application       (not yet graded)
Application to Application  (not yet graded)
User (Device) to Device
Google OnHub password sharing
Authorization features
But
• Current authz constraint & automation mechanisms are defined in terms of the device
• Doesn’t adequately account for shared devices
• Should instead manage the combination of the user & the device (i.e. the relationship)
Password anti-pattern (in the small)
• Discourages strong wifi passwords
• No granularity of authorizations
• Phishable
• Difficult to revoke permissions
Report card
                            Security   Usability   Granularity   Interoperability
Device to Device            C-         B-          D             D
User (Device) to Device     C-         B+          C             B-
Device to Application       (not yet graded)
Application to Application  (not yet graded)
Device to Application
Two fold
• How to:
  – bind a specific device to an existing account at an IoT provider
  – issue that device with a credential that can be used to authenticate to a cloud endpoint
Current model
[Diagram: Device, Server, Server; credential labels "x.509 (or key pair)" and "pwd"]
A new anti-pattern?
• Normal challenges of lifecycle management of certs, i.e. PKI
• Can’t support shared devices
• Doesn’t inhibit correlation
Authentication Chain
[Diagram (authentication chain): Attestation keys → Device generated keys → Signed device keys → User creds → Tokens]
Report card
                            Security   Usability   Granularity   Interoperability
Device to Device            C-         B-          D             D
User (Device) to Device     C-         B+          C             B
Device to Application       C          B           D             D
Application to Application  (not yet graded)
Application to Application
Good news
Cautionary tale
• OAuth 2.0 is not a silver bullet
• Doesn’t guarantee appropriate permissions/scopes
• Authz to ‘close’ door should not necessarily mean authz to ‘open’ door
Report card
                            Security   Usability   Granularity   Interoperability
Device to Device            C-         B-          D             D
User (Device) to Device     C-         B+          C             B
Device to Application       C          B           D             D
Application to Application  B+         B+          B-            A-
Time to graduate
Problem is using primary credentials (certs, device keys, passwords) where secondary (tokens) are more appropriate
Need to apply delegated authz model to all flavours of Smart Home onboarding (and not just app to app)
What do we need
• OAuth AS capabilities in routers/hubs
  – Emerging authz features in routers a first step?
• Bindings of delegated authz model to constrained IoT protocols
  – à la IETF ACE WG
  – NAPPS TA?
• Intuitive & usable authz ceremonies
  – App-based
  – Voice? Amazon Echo et al
Thing
THANKS @paulmadsen