Improving IoT Security: the role of the manufacturer. Eliot Lear

Transcription

1 Improving IoT Security: the role of the manufacturer Eliot Lear

2 Introduction

3 A View Through a Light Bulb Connected Spaces is a big deal Automated and efficient lighting Room assignment and scheduling Changing of conditions for different customer profiles

4 A non-networked light bulb On/Off Dim (Power) Color (R,G,B,W) %

5 A networked lightbulb On/Off Dim (Power) Color (R,G,B,W) % Identity Crypto $ Data model Discovery S/W management Network Enterprise + Internet

6 Introducing Raul Rohas Entire house Internetenabled A single lightbulb took down his IoT house. It was an SNMP bug. From Fusion.net (3 March 2015)

7 What do manufacturers wish to avoid

8

9 General Threats To Defend Against Attacker causes device to not perform its function or to malfunction Attacker uses device to attack other systems By AMIR MARINE (Wikimedia) - Own work, CC BY-SA 3.0,

10 The Network Administrator s Problem: Number of Types of Things $ $

11 Cost of configuration Static environments Dynamic systems +

12 What access should a device have?

13 A common design pattern: the cloud Clouds offer- A rendezvous point Substantial processing power Cloud capabilities will continue to expand.

14 Understanding the attack surface Mobile phone Controllers Internet

15 Understanding the attack surface Mobile phone Controllers Internet Manufacturer Usage Descriptions

16 Assumptions and Assertions Assumptions A Thing has a single use or a small number of uses. Things are tightly constrained. Very VERY dumb. Resource constraints are tight. Even those Things that can protect themselves today may not be able to do so tomorrow Network administrators are the ultimate arbiters of how their networks will be used Assertions Because a Thing has a single or a small number of intended uses, it all other uses must be unintended Any intended use can be clearly identified by the manufacturer All other uses can be warned against in a statement by the manufacturer Manufacturers are in a generally good position to make the distinction

17 Translating intent into config Any intended use can be clearly identified by the manufacturer All other uses can be warned against in a statement by the manufacturer access-list 10 permit host controller.mfg.example.com access-list 10 deny any any

18 Expressing Manufacturer Usage Descriptions Device emits a URI using DHCP, LLDP, or through 802.1ar Router or firewall queries connected.example.com for policy associated with that URI Internet Device Access Switch MUD Controller MUD File Server

19 How to locate the policy? A URL Manufacturer Model

20 The MUD File { "ietf-acl:access-lists": { "ietf-acl:access-list": [ { "acl-name": "mud v4in", "acl-type": "ipv4-acl", "ietf-mud:packet-direction": "to-device", "access-list-entries": { "ace": [ { "rule-name": "clout0-in", "matches" : { "ietf-mud:direction-initiated" : "from-device" }, "actions": { "permit": [ null ] } }, { "rule-name": "entin0-in", "matches": { "ietf-mud:controller": " "ietf-mud:direction-initiated" : "to-device" }, "actions": { "permit": [ null ] } } ] } }, { "acl-name": "mud v4out", "acl-type": "ipv4-acl", "ietf-mud:packet-direction": "from-device",.

21 Expressing Manufacturer Usage Descriptions More precise config is instantiated Site returns abstracted XML (based on YANG) to device or firewall Internet Device Access Switch MUD Controller Allow access to just controller.connected.example.com MUD File Server

22 Benefits Customer Reduces target surface of exploding number of devices No additional CAPEX Helps to reduce OPEX through efficiency gains Standards-based approach uses existing equipment Manufacturer Reduces product risk at almost no cost Will increase customer satisfaction and reduce support costs Avoids the front page Standards-based approach Reduces risk of government technology mandates

23 What does it mean to be connected?? Open Innovation Open Access Limited Access Only published uses to authorized devices

24 In search of that happy middle: MUD Classes (same) manufacturer controller

25 Summary: Manufacturer Usage Descriptions A URI Use of {dhcp, EAP-TLS, lldp} to get it out Retrieval of a MUD file from a server Instantiation of class information onto the router

26 What is this Thing on my network?

27 802.1AR with EAP-TLS: a scalable approach, but Luminaire EAP-TLS makes use of certificates to identify new elements Intranet Assertion about device is initially from manufacturer, and then from administrator. NOT from the device! Requires a common trust anchor Thermostat Constrained devices lack capacity for common trust anchors Registrar

28 ANIMA Flow: Actors Cloud Service New Entity Proxy Domain Vendor Service Enrolled in the domain Logical entity or physical after 1 st hop Handles fragmentation issues Factory Default for all settings/configuration The domain Registration Authority, Certificate Authority, Authorization Database etc

29 Problems to solve New Entity Connectivity & Discovery Proxy handles fragmentation Authentication Authentication Domain Authorization Vendor Service Data Storage Authz model Imprint Enroll

30 Discovery, Connectivity New Entity Proxy Domain Vendor Service Connectivity & Discovery New entity boots in CLEAN STATE RFC3927 IPv4 Link-Local Address RFC4862 IPv6 Stateless Address Autoconfiguraion < design for this RFC6763/RFC6762 mdns query (or ietf-anima-grasp-02 GRASP query) using unsolicited broadcasts.

31 New Entity Authentication New Entity Proxy Domain Vendor Service Connectivity & Discovery Authentication (d)tls established. This is to-be RFC7030 EST with a bootstrapping extension. The New Entity authenticates with IEEE 802.1AR credentials The Domain authenticates with current Domain credentials which the new entity *PROVISIONALLY* accepts. This is to support (d)tls model and is EST compatible.

32 Authorization by the Domain New Entity Proxy Domain Vendor Service Connectivity & Discovery Authentication Authorization <Verify 802.1AR credential against white list?> Extract MASA server information from 802.1AR credential extensions (via MUD extensions) else the registrar needs to be configured appropriately

33 Logging or Decision by the Vendor New Entity Proxy Domain Vendor Service Connectivity & Discovery Authentication Authorization Logging Authz model OPTIONAL: MASA *or* NETCONF ownership voucher flow NOTE: Can occur in advance!! MASA: Manufacturer Authorized Signing Authority A certified log mechanism: Append Only, Cryptographically Assured, Publically Auditable - CT All decisions made within the Domain. The MASA only facilitates logging. EST extensions NETCONF: Vendor service knows which Domain owns which device

34 Transmit back to device New Entity Proxy Domain Vendor Service Connectivity & Discovery Authentication Authentication Authorization Logging Authz model Provisional authentication now replaced with vendor authorized message (Verify then forward the Vendor Service response)

35 Imprint New Entity Proxy Domain Vendor Service Connectivity & Discovery Authentication Authentication Authorization Logging Authz model Imprint Device verifies Logging proof or signed Vendor authorization. At this point the Device has key material of the Domain

36 Device Enrolls: Joins domain New Entity Proxy Domain Vendor Service Connectivity & Discovery Authentication Authentication Authorization Logging Authz model Imprint Enroll

37 What you get and don t with all of that What you get Device gets a trust root and a certificate for the local deployment Local deployment now has authenticated the device Device can connect to network using certificate What you don t get Automated selection of network (working on that) Automated profiling of the device (MUD) Application-specific authorization model (but you have an identity anchor to build such a thing)

38 Parting Thoughts

39 We need something broader than BCP 38 Who Needs to do what? What do Thing manufacturers need to do? What do home routers and firewalls need to do? What do service providers need to do? What do consumers need to do? What do governments need to do?

40 So what should manufacturers do? 1. Recognize that they have to do some stuff 2. Make use of good coding practices (like turning off unused services) 3. Establish an incident response capability 4. Establish appropriate software management processes 5. Identify device and its profile to the network (Nearly) all of this has been done by others!

41 Future work: the heavy lifting WPA Personal in the home is suboptimal (shared keys) By Cwawebber - Own work, CC BY 3.0

42 More information draft-ietf-opsawg-mud-01 draft-ietf-anima-bootstrap-keyinfra-04 draft-lear-network-helps-01

43