Internet of Things: Threats and counter measures with Java

Size: px

Start display at page:

Download "Internet of Things: Threats and counter measures with Java"

Mitchell Boyd
5 years ago
Views:

3 Internet of Things: Threats and counter measures with Java Florian Tournier Director, IoT Product Management Oracle Patrick Van Haver Principal Engineer, Internet of Things Oracle

4 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.

5 Program Agenda Introduction to IoT Security Concerns and threats How Java can help to implement countermeasures Considerations on IoT Infrastructure Conclusion 5

6 Program Agenda Introduction to IoT Security Concerns and threats How Java can help to implement countermeasures Considerations on IoT Infrastructure Conclusion 6

7 IoT security in the Press Some car-related headlines BMW ConnectedDrive hack sees 2.2 million cars exposed to remote unlocking (02/02) DARPA Hacks GM's OnStar To Remote Control A Chevrolet Impala (02/08) US Senate Report: Automakers fail to fully protect against hacking (02/09) Hackers take control of Jeep on the highway (August) Medical devices, industry automation, and other things Hackers had struck an unnamed steel mill in Germany (Jan) U.S. government probes medical devices for possible cyber flaws (Oct 14) Privacy Remote Control Spying Theft Physical damage Murder? 7

Security Use Case : Industrial / Home Alarm System Today : Alarm components vulnerabilities weaken the system Hackers aim at modifying the behavior of alarm components Credentials can be

8 Security Use Case : Industrial / Home Alarm System Today : Alarm components vulnerabilities weaken the system Hackers aim at modifying the behavior of alarm components Credentials can be reverse-engineered Compromised devices can be inserted and weaken the system Poor communication encryption enables man in the middle attacks Best Case False positive alarms Worse Case Physical security breach Damage to equipment / industrial accident Sensors Alarms Controls Gateways Monitoring Scheduling Notifications Access control

Security Use Case : Connected Car Today : Multiple

car head unit or telematics remotely Credentials accessible

protocols Poor credential management and provisioning

entertainment Loss of confidential owner data/privacy Worse

of life Head-end Unit Telematics module Car OEM back-end

9 Security Use Case : Connected Car Today : Multiple vulnerabilities in a car stack Hackers aim at controlling a car head unit or telematics remotely Credentials accessible in plaintext Poor crypto implementations Poorly implemented protocols Poor credential management and provisioning process Best Case Disruption of in-car information / entertainment Loss of confidential owner data/privacy Worse Case Car unlock / theft Disruption of car mechanics / loss of life Head-end Unit Telematics module Car OEM back-end Billing 3 rd party services Analytics Big Data OEM Applications Diagnostics /Maintenance

10 In Practice: A recent Car Hack A lab has been able to remotely open a (high-end brand) car Reverse engineering the Remote Access features to identify vulnerabilities Exploiting the vulnerabilities identified through an attack path The list of vulnerabilities is rather long The same keys are used in all vehicles Some messages are not encrypted Configuration data is not tamper-proof The crypto algorithm used (DES) is outdated and broken The software does not include protection against replay attacks One fix: The communication is now encrypted using HTTPS 10

11 Safety vs. Security Safety Protects against malfunction Focus on quality Principles Coverage analysis Detection, mitigation, reaction Simplicity is better Redundancy helps Security Protects against attackers Focus on robustness Several defence layers Principles Coverage analysis Detection, mitigation, reaction Simplicity is better Redundancy helps 11

12 Car Hack: Poor Decisions Poor decision Safety reasoning Security reasoning Using the same keys Simple process No complex infrastructure Keys need to be diversified A key needs to be broken on every car No systematic encryption Only critical messages are encrypted A secure channel protects against reverse engineering Configuration data no tamper-proof Configuration data integrity is protected by a checksum Configuration data authenticity is protected by a cryptographic checksum The vehicle ID is in error messages Simplify diagnosis by having the data A remote attacker doesn t have the ID, so let s protect it Using DES Well-known, fast algorithm DES is broken, let s mandate AES No protection against replay attacks Same message, same action A recorded message cannot have the same effect when replayed 12

13 Threat Analysis Thinking like an attacker Very important to validate a design Identify the key assets and their flows Analyze how security protections can be bypassed Consider vulnerabilities as opportunities Identify countermeasures to be added to the design And loop again on the analysis 13

14 Program Agenda Introduction to IoT Security Concerns and threats How Java can help to implement countermeasures Considerations on IoT Infrastructure Conclusion 14

15 Attack surface 15

16 IoT Infrastructure Attack surface Devices IoT Cloud Service Enterprise Apps Operators 16

Is there any device authentication mechanism? What about devices connected via a gateway? Can I steal devices and reverse engineer?

17 IoT Infrastructure Attack surface Attacking the device Devices Thinking like an attacker Is the software stack up-to-date? Is there any software update IoT mechanism? Cloud Service How robust? Can I block-it? Use-it? Can I install my software? Is there any device authentication mechanism? What about devices connected via a gateway? Can I steal devices and reverse engineer? extract credentials? Are these credentials diversified or can be reused on other devices? Renewed? Need for RTC? Can I abuse RTC? Effects? What about physical attacks? Operators Enterprise Apps 17

IoT Infrastructure Attack surface Attacking the network traffic Devices

Can I spy messages? Can I send fake messages (data, signaling, )?

Can I do buffer overflow? code injection? Can I perform MITM attack? DoS?

18 IoT Infrastructure Attack surface Attacking the network traffic Devices Thinking like an attacker IoT Service Enterprise Apps Can I replay messages? Can I spy messages? Can I send fake messages (data, signaling, )? Can I modify messages? Modify priority? Timestamp? Payload? Can I do buffer overflow? code injection? Can I perform MITM attack? DoS? Can I insert a fake device to abuse the server? A fake server? How does it behaves if I simulate network contentions? Operators 18

What operations are authorized? Type IoT of workstation Service used? Dedicated?

19 IoT Infrastructure Attack surface Attacking the users Devices Thinking like an attacker How the system is configured & managed? Which authentication mechanism? What operations are authorized? Type IoT of workstation Service used? Dedicated? Can I install software on these machines? What about social engineering attacks? Enterprise Apps Operators 19

20 Attack surface VERY large attack surface Local or remote attacks Logical or physical attacks Multiple targets (client device, client applications, server, users, operators, ) Requires a consistent and global approach 20

21 Example Attacking the authentication credentials used by a device 21

22 Compromising a Device Compromise a device Add a compromised device Replace an existing device Modify an existing device Duplicate registration of a device Activate without registering Insert device in supply chain Add device record in the cloud Replace device physically Replace device in cloud Modify the device s software Modify the device s hardware Tamper with memory Tamper with data Tamper with applications Tamper with system 22

Compromising a Device Tamper with persistent memory Tamper with application data 1 Modify buffered messages Tamper with data 2 Modify application data Tamper with authentication data 3 Modify server

23 Compromising a Device Tamper with persistent memory Tamper with application data 1 Modify buffered messages Tamper with data 2 Modify application data Tamper with authentication data 3 Modify server verification data 4 Modify device registration data 5 Modify device identity 6 Modify device authentication data Tamper with applications 7 Modify a stored application s code 8 Modify a stored app s meta-data 9 Add an application Tamper with native software 10 Modify system software 23

registration data 5 Modify device identity 6 Modify device authentication data Tamper with applications 7 Modify a stored

24 Compromising a Device Tamper with persistent memory Tamper with application data 1 Modify buffered messages Tamper with data 2 Modify application data Tamper with authentication data 3 Modify server verification data 4 Modify device registration data 5 Modify device identity 6 Modify device authentication data Tamper with applications 7 Modify a stored application s code 8 Modify a stored app s meta-data 9 Add an application Tamper with native software 10 Modify system software 24

25 Scenario and Assets involved Typical scenario The device connects to the IoT server and authenticate it The device post data to the IoT server (requires authentication & authorization) Assets on the device: Trust Anchors: used by device to authenticate the server Key Pair: used by the device to get authenticated by the server 25

26 Counter measures to protect these assets Do the best to protect assets on device Integrity, confidentiality, access control Device side Detect suspicious behavior Observe behavior in regards to lifecycle state, RBAC policy React in case of attack Black list the device, revoke current credentials, Server side 26

27 Program Agenda Introduction to IoT Security Concerns and threats How Java can help to implement countermeasures Considerations on IoT Infrastructure Conclusion 27

28 Example: Protecting IoT Authentication Assets on a Device Security Design goals Separation of concerns Do not expose application developers to the handling of credentials Encapsulation of the credentials and operations using them Protection of trust material and credentials Ensure secure storage (integrity, confidentiality) of Trusted Anchors and device KeyPair Extensibility to adopt different strategies when hardware allows Ability to use hardware security when available on a device 28

29 Encapsulation of credentials public interface TrustedAssetsManager extends javax.net.ssl.x509trustmanager { } // encapsulation of the trust anchors void checkservertrusted(x509certificate[] chain, String authtype) throws CertificateException; void checkclienttrusted(x509certificate[] chain, String authtype) throws CertificateException; public X509Certificate[] getacceptedissuers(); // encapsulation of the Private Key void generatekeypair(string algorithm, int size) throws GeneralSecurityException; PublicKey getpublickey(); public byte[] signwithprivatekey(byte[] data, String algorithm) throws GeneralSecurityException; How does it address design goals? Private key is not exposed to the application to avoid unexpected leaks Trust Anchors are checked internally during authentication process 29

30 Generation of the KeyPair import java.security.keypairgenerator; void generatekeypair(string algorithm, int size) throws GeneralSecurityException { [ ] // create a key generator using the specified Provider KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, this.getprovider()); } // generate the keypair kpg.initialize(keysize); this.keypair = kpg.generatekeypair(); How does it address design goals? Private key never extracted from the device, only public key exported Key is unique per device & renewable (time before expiration can be configured in server policy) 30

31 Store the Private Key in a KeyStore import java.security.keystore; private void store(keypair kp, String alias, KeyStore.Builder builder) throws GeneralSecurityException { // create a key store KeyStore ks = builder.getkeystore(); } // create an entry for the private key KeyStore.PrivateKeyEntry entry = new KeyStore.PrivateKeyEntry( kp.getprivate(), this.getcertificate(kp.getpublic())); // store private key ks.setentry(alias, entry, builder.getprotectionparameter(alias)); How does it address design goals? KeyStore provides integrity and confidentiality Use of KeyStore.Builder allows to compute a unique password to access KS (not hardcoded in the application) 31

32 Sign data import java.security.signature; public byte[] signwithprivatekey(byte[] data, String algorithm) { [ ] Signature s; // create a Signature object using the specified Provider s = Signature.getInstance(algorithm, this.getprovider()); } // sign s.initsign(this.keypair.getprivate()); s.update(data); return s.sign(); How does it address design goals? Here the example is simplified (sign everything: might expose the key to unexpected use) Could be improved by generating and signing the authorization/token request 32

33 Making use of Hardware Security when available Goal: Delegate operations to a security token Security token is a dedicated hardware to securely perform crypto operations Could be embedded Secure Element (ese) or a Trusted Execution Environment (TEE) Provides physical isolation from applications running on the device ese provides tamper resistance against physical attacks TEE protects against logical attacks and offers more processing power (e.g. could process the whole TLS flow) How to do that? Using a specific security JCE Provider 33

Making use of Hardware Security when available IoT device IoT

configure PKCS#11 Provider Java SE crypto framework Sun JCE

(Additional package to Java SE Embedded compact profiles) PKCS#11

application Include library (& drivers) to access the PKCS#11

34 Making use of Hardware Security when available IoT device IoT Application TrustedAssetsManager Code need to select and configure PKCS#11 Provider Java SE crypto framework Sun JCE provider Sun PKCS#11 JCE provider JCE SPI Include SunPKCS#11 jar (Additional package to Java SE Embedded compact profiles) PKCS#11 library Secure Element or Trusted Executed Environment PKCS#11 application Include library (& drivers) to access the PKCS#11 hardware token Processing and storage of credential performed in an isolated environment 34

35 Making use of Hardware Security when available IoT device IoT Application TrustedAssetsManager Crypto objects (KeyPair, Certificate) are proxies redirecting calls to Java SE crypto framework Sun JCE provider Sun PKCS#11 JCE provider JCE SPI PKCS#11 library Secure Element or Trusted Executed Environment PKCS#11 application Real credentials are stored and processed in the secure hardware 35

36 Impacts on the code? // Use PKCS11 provider instead of default Provider getprovider() { String conf = "library = my.lib "; // PKCS11 configuration parameters return new sun.security.pkcs11.sunpkcs11(new ByteArrayInputStream(conf.getBytes())); } // The key generator will use this provider and redirect generation into the hardware token KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, this.getprovider()); // The KeyStore.Builder must create a PKCS11 key store, from PKCS#11 provider: // storage into this KS will be redirected o the hardware token KeyStore.Builder ksb = KeyStore.Builder.newInstance("PKCS11", this.getprovider(), pwdprotection); // The signature will then be performed in the token Signature s = Signature.getInstance(algorithm, this.getprovider()); 36

37 Program Agenda Introduction to IoT Security Concerns and threats How Java can help to implement countermeasures Considerations on IoT Infrastructure Conclusion 37

38 Beyond the Device (Some) IoT Infrastructure Requirements for IoT Security Protocol security Implementing the protocols securely, with proper options Managing the credentials appropriately Device lifecycle management Ensuring that the infrastructure cannot be abused by fake/compromised devices Principal authentication and authorization Applying adequate authentication for both devices and users Strictly control access of sensitive operations to authorized principals 38

An Example of IoT Infrastructure Oracle IoT

Mgmt, Sales, Service Connect Analyze Integrate

39 An Example of IoT Infrastructure Oracle IoT Cloud Service IoT Devices Oracle IoT Cloud Service Business Applications Manufacturing, Supply Chain, Asset Mgmt Customer Relationship Mgmt, Sales, Service Connect Analyze Integrate & Act Vertical Apps Utilities, Healthcare, Retail 39

Oracle Internet of Things Cloud Service - Architecture IoT Cloud

Services Enterprise Apps Cloud or On Premise Indirectly connected

Processing Enterprise Connectivity BI & Big Data Cloud Service

Client Library Firewall High Speed Messaging Data Enrichment REST

Endpoint Management Event Store Control Mobile Cloud Service

40 Oracle Internet of Things Cloud Service - Architecture IoT Cloud Service Client Libraries & Gateway IoT Cloud Service Oracle Cloud Services Enterprise Apps Cloud or On Premise Indirectly connected Devices Oracle IoT CS Gateway s/w Device Virtualization Stream Processing Enterprise Connectivity BI & Big Data Cloud Service Manufacturing 3 rd party apps 3 rd party gateway s/w with Oracle IoT Client Library Firewall High Speed Messaging Data Enrichment REST APIs Integration Cloud Service Service Mgmt Industry Vertical Apps Endpoint Management Event Store Control Mobile Cloud Service Transportation Asset Mgmt Directly connected device Oracle Confidential Internal/Restricted/Highly Restricted 40

Oracle IoT Cloud Service Approach to security TRUSTED DEVICES Security

OAuth2 Uniquely assigned device identities disallows reuse of security

communication with any device or enterprise software, enabling proof of

integrity SECURITY LIFECYCLE Secure, managed state transitions to control

41 Oracle IoT Cloud Service Approach to security TRUSTED DEVICES Security mechanism provisions and manages trust relationships with devices uses OAuth2 Uniquely assigned device identities disallows reuse of security credentials across devices NON REPUDIATION Enforces authentication prior to communication with any device or enterprise software, enabling proof of origin of data Transport level security for all communication to ensure data integrity SECURITY LIFECYCLE Secure, managed state transitions to control access from devices Restricts types of IoT CS operations that device can perform in a given state

42 Program Agenda Introduction to IoT Security Concerns and threats How Java can help to implement countermeasures Considerations on IoT Infrastructure Conclusion 42

43 Conclusion Internet of Things is growing fast, new products Lot of interest from hackers scale & visibility Very large attack surface requiring consistent approach and methodology Security is a dynamic process needs to be continuously improved through threat analysis, code checking and countermeasure implementation Implementing a security roadmap is an important step to stay ahead of the attackers There is an ecosystem of providers looking to provide infrastructure and components to strengthen system security Java technologies can help securing the Internet of Things Oracle IoT CS can provide security foundations for the IoT infrastructure 43

44 Safe Harbor Statement The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 44

45 45

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers