OAuthing: Anonymous Individual Integration for IoT
Paul Fremantle, School of Computing, University of Portsmouth

Upload: paul-fremantle

Post on 16-Apr-2017


TRANSCRIPT

Major Review

OAuthing: Anonymous individual integration for IoT
Paul Fremantle, School of Computing, University of Portsmouth

Agenda
- Motivation and background
- Previous iterations
- Model and architecture
- Prototype and results
- Comparison with related work and conclusions

Motivation

Growth of IoT devices

2016 Mirai: 620 Gbps botnet attack based on IoT devices

5 minutes from On to Pwned

Problem statement
Today many IoT devices are inherently tied to the manufacturer. I want to share data under my own control, with trust.
Threats include:
- Lack of individual credentials
- Hacking of data and passwords
- Trust in the company to behave well
- Data sharing and privacy
- Going out of business

Privacy By Design: 7 key principles
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality: Positive-Sum, not Zero-Sum
- End-to-End Security: Full Lifecycle Protection
- Visibility and Transparency: Keep it Open
- Respect for User Privacy: Keep it User-Centric

Cavoukian, Ann, Scott Taylor, and Martin E. Abrams. "Privacy by Design: essential for organizational accountability and strong business practices." Identity in the Information Society 3.2 (2010): 405-413.

Three layer privacy model
[Figure: three-layer privacy model diagram; only the label "Joint Sphere" survives in the transcript]
Spiekermann, Sarah, and Lorrie Faith Cranor. "Engineering privacy." IEEE Transactions on Software Engineering 35.1 (2009): 67-82.

Overall approach and timeline
First iteration: FIOT
- Tokens on devices, user consent to data sharing
- Fremantle, Paul, et al. "Federated identity and access management for the internet of things." Secure Internet of Things (SIoT), 2014 International Workshop on. IEEE, 2014.
Second iteration: IGNITE
- Unique identifiers per device, initial performance data
- Fremantle, Paul, Jacek Kopecký, and Benjamin Aziz. "Web API management meets the internet of things." European Semantic Web Conference. Springer International Publishing, 2015.
Third iteration: OAuthing (CIoT)
- Device and User Registration processes
- Anonymous identities
- Cloud based personal middleware
- Improved testing and performance data

Contributions of this work
- OAuthing: a new model for federated identity, access control and data sharing in IoT
- A clear manufacturing and user registration process for OAuth2 credentials with IoT devices
- An approach for using anonymous identities in IoT while allowing users to share data effectively
- Personal Cloud Middleware to ensure trust in the server model
- A working prototype of the OAuthing model
- Experimental results demonstrating scaling in a cloud environment

Model and Architecture

Scoping
In scope:
- Directly Internet-connected devices (the sample device is based on the ESP8266 with WiFi)
- IoT Hub (e.g. Smart Home gateway, Connected Car): treat individual sensors as attached to the hub, and treat the hub as a Device
Out of scope in the current model:
- Implicit data transfer
- Privacy infringement through scanning, e.g. MAC scanning attacks, ambient devices
- Devices with multiple owners (this may be extended in future research)
- Devices that are not directly connected to the Internet (this may be extended in future research)

IoT today

The OAuthing Model

Device Identity Provider (DIdP)
- Provides secure anonymous identities to devices and issues tokens that authorize devices or services
- Allows users to register their devices
- Allows users to consent to share data or commands
- Offers the Identity Broker pattern

Personal Cloud Middleware (PCM)
- Each user has a server running on their behalf
- Originally proposed in Webinos as the Personal Zone Hub (PZH) and Personal Zone Proxy (PZP); Webinos does not deal with running these in a cloud, locating them, etc.
- A cloud shadow of the user's devices
- Does not persistently store data
- Performs summarization and filtering*
- Only distributes data according to user consent
- Enhances trust in the cloud

* Not yet implemented!

Intelligent Gateway (IG)
- Validates tokens against the DIdP
- Routes requests based on anonymous identities
- Applies dynamic authorization policies, as consented by users
- Instantiates PCMs in Docker

Device

Device Lifecycle and Bootloader
- The device bootloader implements a well-defined lifecycle
- Secure device identity is embedded at manufacture time
- User registration process based on QR codes

Lifecycle diagram (PlantUML source as shown on the slide):

  @startuml
  start
  :**Manufacture**
  (the device is created);
  :**Client Registration**
  (the device is registered with OAuthing
  as an OAuth2 client);
  :**Purchase**
  (the device is physically
  in the hands of a user);
  repeat
    :**User Registration**
    (the user takes ownership of the
    device and allocates it permissions);
    :**Use**
    (the device is now publishing data and
    acting on user commands);
  repeat while (reset ownership)
  @enduml

Information sharing matrix
[Table: which party holds which item. Columns: User Profile, MAC, HW ID, Device ID, Device Secret, Pseudonym, Bearer Token, Device Data. Rows: UIdP, DIdP, Manufacturer, Device, IG, Data Recipient. The cell values were not preserved in the transcript.]

Analysis of the sharing matrix
- In order to steal data an attacker needs to attack both the DIdP and the IG/PCM
- The DIdP doesn't see any device data
- The IG/PCM do not see any real identities
- Third-party services don't inherently know any identities (users may leak them in other ways)
- The manufacturer and other services only see data that has consent to share
- All third-party services / data recipients are equal

Addressing the security and privacy problems of IoT
- Default passwords: each device is configured at manufacturing with a secure id
- User control: clear user registration and ownership model; user's choice of provider; personal middleware
- Fingerprinting and identification: anonymous identities; the device/user shadow protects metadata; summarising and filtering
- Consent: no data is shared without consent

Implementation

Implementation
- OAuthing (DIdP): OAuth2 support, outbound support for popular UIdPs (Google, FB, Twitter), embedded MQTT broker
- IGNITE (IG): performant MQTT gateway with pluggable intermediation, launching of PCMs in Docker, OAuth2 scope validation
- RSMB Docker (PCM): lightweight containers running in Docker
- Device Bootloader and Sample Device: based on the ESP8266 low-cost device chip, implements MQTT/TLS and the Device and User registration flows
- Third-Party App (TPA): simple application to demonstrate consent-based data sharing using MQTT / WebSockets / TLS
https://github.com/pzfreo/oauthing
https://github.com/pzfreo/ignite
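The slide lists "OAuth2 scope validation" as an IG feature without saying how scopes map onto MQTT. The following added example (not IGNITE's code) shows one way a gateway can turn the scopes in an introspection response into per-message MQTT authorization, including the two checks that are easy to get wrong: MQTT wildcard matching (`+` is one level, `#` only the final level) and rejecting wildcards in a published topic name. The scope syntax `pub:<filter>` / `sub:<filter>`, the rule that a filter must start with a named pseudonym rather than a wildcard, and the pseudonyms in the constructed introspection responses are all assumptions.

```python
# Added example, not IGNITE's code; the scope syntax and namespace rule are assumed.

def topic_matches(topic_filter, topic):
    """MQTT topic-filter match: '+' matches exactly one level, '#' the remainder,
    and '#' is only legal as the final level of the filter."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1          # '#' anywhere but last is malformed
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def grants(introspection):
    """Parse 'pub:<filter>' / 'sub:<filter>' scopes (assumed format).
    Unknown scope words are ignored, and a filter whose first level is a wildcard
    is dropped so a scope can never span every pseudonym's namespace."""
    out = []
    for word in introspection.get("scope", "").split():
        action, _, topic_filter = word.partition(":")
        first = topic_filter.split("/")[0]
        if action in ("pub", "sub") and first not in ("", "+", "#"):
            out.append((action, topic_filter))
    return out


def authorize(introspection, action, topic):
    """Decide `action` ('pub' or 'sub') on one concrete topic for this token.
    Subscriptions are checked per delivered message, so a client that subscribed
    to a broad filter still only receives what its scopes cover."""
    if not introspection.get("active"):
        return False                        # expired, revoked or unknown token
    if action == "pub" and ("+" in topic or "#" in topic):
        return False                        # wildcards are never valid in a published topic
    return any(a == action and topic_matches(f, topic) for a, f in grants(introspection))


def demo():
    """Constructed introspection responses: one device token, one third-party app token."""
    device = {"active": True, "sub": "pz-a1", "scope": "pub:pz-a1/sensor/+"}
    app = {"active": True, "sub": "pz-tpa9", "scope": "sub:pz-a1/sensor/temperature sub:#"}
    return {
        "device_pub_temp": authorize(device, "pub", "pz-a1/sensor/temperature"),
        "device_pub_deep": authorize(device, "pub", "pz-a1/sensor/room/temperature"),
        "device_pub_wild": authorize(device, "pub", "pz-a1/sensor/#"),
        "device_sub": authorize(device, "sub", "pz-a1/sensor/temperature"),
        "app_sub_temp": authorize(app, "sub", "pz-a1/sensor/temperature"),
        "app_sub_loc": authorize(app, "sub", "pz-a1/sensor/location"),
        "app_sub_other_user": authorize(app, "sub", "pz-b2/sensor/temperature"),
        "revoked": authorize({"active": False}, "pub", "pz-a1/sensor/temperature"),
    }
```

In `demo()` the app token deliberately carries an over-broad `sub:#` scope; because `grants()` refuses wildcard-rooted filters, that scope buys nothing and the app still only sees the one consented topic. The device can publish any single level under `pz-a1/sensor/` but not deeper paths, cannot publish to a wildcard topic, and has no subscribe rights at all.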

Test Environment and Harness (Digital Ocean LON1 region)
- Device IdP: OAuthing, with the DIdP database in Cassandra (oauthing.io, 2 GB droplet)
- Cloud Service Provider: IGNITE with the Docker controller dproxy (ignite-iot.net, 2 GB droplet), running many Personal RSMB brokers as Docker containers, each one a Personal Zone Hub (RSMB)
- Test Manager: MQTT collector and stats analyser (4 GB droplet)
- Test Load Driver: 4 GB droplet, 50 virtual clients, up to 10 TLDs per test
Key: datacenter; droplet / cloud instance; Docker container

Live demo?

2 minute demonstration video

Individual anonymous integration
- On a 2 GB Digital Ocean droplet
- 400 MQTT brokers
- Handling 10 messages / second each
- Based on pseudonyms
- With OAuth2 based consent

Memory and code usage on ESP8266

One Second Client results

Stress test results

Introspection performance

Connect latency

Analysis of results
- The model can be implemented effectively
- The additional latency on data messages is ~1 ms, not noticeable compared to average mobile Internet latencies of 100-1000 ms
- The first connect performance is also acceptable (it takes the device 3-10 secs to associate to WiFi)
- The additional memory usage of the bootloader on the device is acceptable
- 400 PZH servers can be run on a $20/month cloud server: $0.60/year/user, a cost that can be further reduced with optimization, supporting each user with 100 devices each communicating every 10 seconds

Potential Use Cases
- Wide: supporting the EU GDPR by ensuring full consent for all IoT data sharing
- Specific: Connected Medical Devices, only sharing specific data or averages, avoiding sharing all data with the manufacturer, better compliance with regulatory systems
- Specific: Industrial IoT, where high security and privacy are required around smart production lines

Comparison with related work
OAuth for Devices
- Previous work offers OAuth2 models for devices: FIOT [8], IGNITE [9], IOT-OAS [1], COMPOSE [14], OAuth1 for MQTT [13], IBM Watson, AWS IoT
- None of these provide: anonymous identities, clear automated registration processes, or Personal Cloud Middleware
Webinos
- Concept of Personal Zone Hub personal middleware
- Does not address usability of the PZH, or how to configure and run it in a cloud
- Does not support federated identity to the device
IoT@Work [16]
- A model for anonymous identities for IoT
- No separation of identity management and data sharing systems
- No federated identity models
[n] References refer to the bibliography in the paper

Further Work
- Formal models in one of CSP / Event-B / Tamarin
- Implementation of updated model: OAuthing 2
- Detailed threat analysis and threat modeling
- Intersection with Blockchains and Distributed Ledgers: use of blockchain to validate identity and ownership, manage consent, and provide an audit trail of IoT lifecycles

Questions?