iot security: cases and methods [con5446]

@leomrlima #J1IoTSeC IoT Security: Cases and Methods [CON5446] Leonardo Lima @leomrlima http://v2com.mobi

Upload: leonardo-de-moura-rocha-lima

Post on 15-Apr-2017


TRANSCRIPT

Page 1: IoT Security: Cases and Methods [CON5446]

@leomrlima #J1IoTSeC

IoT Security: Cases and Methods [CON5446]

Leonardo Lima, @leomrlima, http://v2com.mobi

Page 2: IoT Security: Cases and Methods [CON5446]

About me: Leonardo Lima

• Computer engineer, server & embedded SW developer
• From São Paulo, Brasil, now in Austin, TX
• CTO at
• Spec Lead – JSR363
• V2COM’s Representative at JCP Executive Committee

[www.linkedin.com/in/leomrlima]

Page 3: IoT Security: Cases and Methods [CON5446]

@leomrlima#J1IoTSeC

ASPECTS OF IOT SECURITY

Page 4: IoT Security: Cases and Methods [CON5446]

On connecting things

The buzz of IoT is connecting things

Does everything need to be connected?

The implications of connectivity

Page 5: IoT Security: Cases and Methods [CON5446]

In a study…

Attacks on Internet of Things devices will increase rapidly due to hypergrowth in the number of connected objects, poor security hygiene, and the high value of data on IoT devices.

Page 6: IoT Security: Cases and Methods [CON5446]


RECENT ATTACKS AND EXPOSURES

Page 7: IoT Security: Cases and Methods [CON5446]

Cameras

“Every camera [out of 9 models] had one hidden account that a consumer can’t change because it’s hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”

Page 8: IoT Security: Cases and Methods [CON5446]

Barbies

“On the service side, ToyTalk’s server domain was susceptible to a known SSL encryption flaw called POODLE, which could allow attackers to steal communications and other data. A credentialing issue could also let attackers probe for further vulnerabilities.”

Page 9: IoT Security: Cases and Methods [CON5446]

Cars

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

Page 10: IoT Security: Cases and Methods [CON5446]

Electrical grid

He watched as [the mouse] navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.

Page 11: IoT Security: Cases and Methods [CON5446]

IoT Security is “messy”…

Page 12: IoT Security: Cases and Methods [CON5446]

IoT Security

The Industrial Internet of Things Volume G4: Security Framework

Many different aspects, like IT/OT convergence

Page 13: IoT Security: Cases and Methods [CON5446]

Security, Trust & Privacy

• Endpoint security

• Communication security between the endpoints

• Data distribution and secure storage

• Management and monitoring security of both the endpoints and the communication mechanism

Page 14: IoT Security: Cases and Methods [CON5446]


USING JAVA FOR A (MORE) SECURE IOT

Page 15: IoT Security: Cases and Methods [CON5446]

Java Cryptography Architecture

Provides pluggable cryptography support for many different providers and capabilities.

Supports standards like PKCS#11, TLS and many others

Standard implementations in Java SE VMs

https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html

Page 16: IoT Security: Cases and Methods [CON5446]

Secure Element

Provides a safe place to execute sensitive code and store hardware identity and private keys

Hardware protection to prevent tampering

Many form factors

Page 17: IoT Security: Cases and Methods [CON5446]

Secure Element

Easy to use code to enable security:

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

// Create a PKCS#11 cryptographic provider which uses the Secure Element.
// PKCS11_CONFIG is the path to the SunPKCS11 configuration file (Java 8 API;
// on Java 9+ use Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG)).
Provider myPKCS11Provider = new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG);

// The PIN code protecting the Secure Element
char[] myPIN = {'0', '0', '0', '0'};

// Create a KeyStore corresponding to the Secure Element
KeyStore.PasswordProtection pinProtection = new KeyStore.PasswordProtection(myPIN);
KeyStore.Builder ksb = KeyStore.Builder.newInstance("PKCS11", myPKCS11Provider, pinProtection);
KeyStore ks = ksb.getKeyStore();

// Add the SE as a cryptographic provider (useful when it is not possible to pass a provider explicitly)
Security.addProvider(myPKCS11Provider);
```

Page 18: IoT Security: Cases and Methods [CON5446]

Secure Element

```java
import java.security.PrivateKey;
import java.security.Signature;

// We sign with ECDSA
Signature ecSign = Signature.getInstance("SHA256withECDSA");

// Retrieve the signature key in the keystore by its alias; the keystore PIN
// from the previous slide (myPIN) is passed as the key password
PrivateKey privKey = (PrivateKey) ks.getKey("SignKey", myPIN);

// And we sign! (s1 is the String holding the data to be signed)
ecSign.initSign(privKey);
ecSign.update(s1.getBytes());
byte[] signature = ecSign.sign();
```
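The slides stop at producing a signature. The added example below (not code from the talk or from V2COM) runs the same JCA `Signature` API through a full sign-and-verify round trip, including a tampered message that must fail verification. It assumes a software-generated P-256 key pair in place of the Secure Element key, and a constructed meter reading as the payload; swapping in the `SunPKCS11` provider and the PKCS#11 KeyStore key from the previous slides changes only where the private key comes from.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

public class EcdsaRoundTrip {

    // Provider-agnostic: pass null to use the default provider chain, or the
    // SunPKCS11 provider from the slides so the signature is computed inside the SE.
    static byte[] sign(PrivateKey key, byte[] data, Provider provider)
            throws GeneralSecurityException {
        Signature s = provider == null
                ? Signature.getInstance("SHA256withECDSA")
                : Signature.getInstance("SHA256withECDSA", provider);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Verification needs only the public key, so it can run on the backend
    // that receives the device's messages rather than on the device.
    static boolean verify(PublicKey key, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Assumption: a software P-256 key pair stands in for the SE-resident key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        // Constructed payload, e.g. a telemetry reading sent by the device.
        byte[] reading = "meter=42;kWh=17.3".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), reading, null);

        System.out.println("genuine reading verifies : " + verify(kp.getPublic(), reading, sig));

        // A reading altered in transit carries a signature that no longer matches.
        byte[] tampered = "meter=42;kWh=0.0".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered reading verifies: " + verify(kp.getPublic(), tampered, sig));
    }
}
```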

Page 19: IoT Security: Cases and Methods [CON5446]

JavaCard

Mini-Java for Secure Elements and Trusted Execution Environments

Led by the JavaCard forum (it’s not JCP related)

Page 20: IoT Security: Cases and Methods [CON5446]


Q & A

Page 21: IoT Security: Cases and Methods [CON5446]


Thanks!