Securing IoT Connected Device Applications
Ian Massingham Technology Evangelist, AWS
IanMmmm
IoT isn’t a new use-case for AWS
• Amazon SNS: Mobile Push and Notifications
• Amazon DynamoDB: Predictable and Scalable NoSQL Data Store
• AWS Lambda: Run Code in Response to Events
• Amazon Redshift: Petabyte-Scale Data Warehouse
• Amazon API Gateway: Build, Deploy, and Manage APIs
• Amazon Kinesis: Streaming Analytics
• Amazon Cognito: User Identity and Data Synchronization
• …and more
AWS IoT: simplify and accelerate IoT development
• The same services as above, plus:
• AWS IoT: Connect Devices to the Cloud
AWS IoT
“Securely connect one or one billion devices to AWS, so they can interact with applications and other devices”
[Diagram: each device is reachable on its local network at http://192.168.1.200:8080 and has been exposed to the Internet at http://a.public.address:8080]
DADDY, WHERE DO BOTNETS COME FROM?
It doesn’t have to be this way
[Diagram: the device again at http://192.168.1.200:8080, this time with no public address]
IoT Security: One Slide Primer
• Variably-constrained devices
• Variably-constrained environments & networks
• Remote locations, variable physical security
• Diverse IoT market segments and threat models
• Variable criticality of the IoT applications
Start with a threat model
Safety: bad things can happen in the real world
How can we defend against these threats?
• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorisation for:
  • Thing Management (Control plane)
  • Pub/Sub Data Access (Data plane)
  • Access to Services (To add features)
Secure Communications with Things
Mutual TLS Authentication
[Diagram: TLS/SSL, where only the server presents a certificate, compared with mutual TLS authentication, where the thing presents its own certificate too]
Public Key Cryptography Options
For the same number of bits of security, ECC keys are much smaller than RSA keys:

  Symmetric key size (bits)   RSA key size (bits)   Elliptic curve key size (bits)
  80                          1024                  160
  112                         2048                  224
  128                         3072                  256
  192                         7680                  384
  256                         15360                 512

https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/
Communicating with non-things (Humans)
How we implement this:

                    MQTT + Mutual Authn TLS     AWS Authn + HTTPS
  Server Authn      TLS + Cert                  TLS + Cert
  Client Authn      TLS + Cert                  AWS API keys (SigV4-signed requests with AWS credentials)
  Confidentiality   TLS                         TLS
  Protocol          MQTT                        HTTP
Strong Thing Identity
X.509 Certificates
https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
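The linked post describes just-in-time registration: a device presents a certificate signed by a CA you have registered with AWS IoT, AWS IoT registers that certificate as PendingActivation on first connect and publishes a registration event on $aws/events/certificates/registered/<caCertificateId>, and a rule hands that event to a Lambda function that decides whether to activate it. Below is an added example of that function, written for this page and not taken from the talk or the post. EXPECTED_CA_ID, DEVICE_POLICY, the FakeIot client and SAMPLE_EVENT are assumptions or constructed data; the boto3 calls (describe_certificate, attach_policy, update_certificate) are real AWS IoT API methods, and the client is injected so the example runs offline.

```python
# Added example: JITR activation Lambda. Not from the talk or the linked post.
try:
    import boto3            # available in Lambda; optional here so the example runs offline
except ImportError:
    boto3 = None

# CA certificate id registered with AWS IoT (constructed value).
EXPECTED_CA_ID = "caExample000000000000000000000000000000000000000000000000000000"
# Name of an existing AWS IoT policy scoping a device to its own topics (assumed).
DEVICE_POLICY = "OneThingShadowPolicy"


def activate_certificate(event, iot):
    """Activate a PendingActivation device certificate and attach DEVICE_POLICY.

    Returns ('activated', certificate ARN) or ('ignored', reason). Certificates
    that were not issued under EXPECTED_CA_ID are never activated, so a rule
    that is subscribed more broadly than intended cannot be used to activate
    certificates from some other CA.
    """
    if event.get("caCertificateId") != EXPECTED_CA_ID:
        return ("ignored", "certificate not issued by the expected CA")
    if event.get("certificateStatus") != "PendingActivation":
        return ("ignored", f"certificate status is {event.get('certificateStatus')}")
    cert_id = event["certificateId"]
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    cert_arn = desc["certificateArn"]
    # Attach the policy before activating: if anything fails part way, the
    # certificate is left inactive, which is the safer state.
    iot.attach_policy(policyName=DEVICE_POLICY, target=cert_arn)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return ("activated", cert_arn)


def lambda_handler(event, context=None, iot=None):
    """Lambda entry point. A rule such as
    SELECT * FROM '$aws/events/certificates/registered/<caCertificateId>'
    delivers the registration event as `event`."""
    return activate_certificate(event, iot or boto3.client("iot"))


class FakeIot:
    """Records the calls a boto3 'iot' client would receive (offline stand-in)."""
    def __init__(self):
        self.calls = []

    def describe_certificate(self, certificateId):
        self.calls.append(("describe_certificate", certificateId))
        return {"certificateDescription": {
            "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/" + certificateId,
            "status": "PENDING_ACTIVATION"}}

    def attach_policy(self, policyName, target):
        self.calls.append(("attach_policy", policyName, target))

    def update_certificate(self, certificateId, newStatus):
        self.calls.append(("update_certificate", certificateId, newStatus))


# Constructed registration event, in the shape the linked post describes.
SAMPLE_EVENT = {
    "certificateId": "devcert00000000000000000000000000000000000000000000000000000000",
    "caCertificateId": EXPECTED_CA_ID,
    "timestamp": 1470000000000,
    "certificateStatus": "PendingActivation",
    "awsAccountId": "123456972007",
}

if __name__ == "__main__":
    client = FakeIot()
    print(lambda_handler(SAMPLE_EVENT, iot=client), client.calls)
```

Anything that can sign with the registered CA key can mint device identities, so the CA key belongs in an HSM or offline, and this function is the place to add per-device checks (an allow-list of serial numbers or of the certificate's subject, taken from the certificatePem that describe_certificate returns) before activating.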
Fine Grained Authorisation
[Diagram: AWS IoT authorises three surfaces: the Control Plane (thing management), the Data Plane (pub/sub) and Service Access]
Applying Permissions to Thing Management
Two IAM policies: the first allows all certificate management on any certificate; the second allows only updating (for example revoking) one certificate, and only from one source IP address.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ManageCerts",
        "Action": [
          "iot:CreateKeysAndCertificate",
          "iot:CreateCertificateFromCsr",
          "iot:DescribeCertificate",
          "iot:UpdateCertificate",
          "iot:DeleteCertificate",
          "iot:ListCertificates"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "RevokeOneThing",
        "Action": [ "iot:UpdateCertificate" ],
        "Effect": "Allow",
        "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
        "Condition": { "IpAddress": { "aws:SourceIp": "192.168.42.54" } }
      }
    ]
  }

Allowing/Denying Access to MQTT Topics
An AWS IoT policy attached to one thing's certificate: it may connect, publish only to its own shadow update topic, and subscribe only to its own shadow topics.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "iot:Connect" ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [ "iot:Publish" ],
        "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iot:Subscribe", "iot:Receive" ],
        "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ]
      }
    ]
  }
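To see what the two policies above actually permit before attaching them, here is an added example (written for this page, not code from the talk) of a small evaluator that mirrors the IAM rules that matter for them: implicit deny, explicit Allow, explicit Deny wins, '*' wildcards in actions and resource ARNs, and the aws:SourceIp IpAddress condition. It is not the AWS policy engine. The certificate id, the request helpers and the checks are constructed; the account id and policies are the ones on the slides.

```python
# Added example, not from the talk: evaluate AWS IoT policies offline.
import fnmatch
import ipaddress

REGION, ACCOUNT = "us-east-1", "123456972007"          # account id from the slide


def iot_arn(kind, name):
    """ARN for an AWS IoT resource; kind is 'cert', 'topic', 'topicfilter' or 'client'."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


# Constructed certificate id (the slide's real id is elided).
CERT_ARN = iot_arn("cert", "0123456789abcdefEXAMPLE")

# Control-plane policy from the slide: update one certificate, from one IP only.
REVOKE_ONE_THING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RevokeOneThing", "Effect": "Allow",
        "Action": ["iot:UpdateCertificate"], "Resource": CERT_ARN,
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.42.54"}},
    }],
}

# Data-plane policy from the slide: one thing may only use its own shadow topics.
MY_THING_SHADOW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [iot_arn("topic", "$aws/things/MyThing/shadow/update")]},
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
         "Resource": [iot_arn("topicfilter", "$aws/things/MyThing/shadow/*")]},
    ],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' a single one."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Only the IpAddress operator is needed for the policies on this page."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator}")
        for key, cidrs in pairs.items():
            if key not in context:
                return False                       # missing key: condition is false
            ip = ipaddress.ip_address(context[key])
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in _listify(cidrs)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    decision = "Deny"                              # implicit deny
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _listify(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _listify(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                          # explicit deny always wins
        decision = "Allow"
    return decision


def can_publish(policy, topic):
    return evaluate(policy, "iot:Publish", iot_arn("topic", topic))


def can_subscribe(policy, topic_filter):
    """Subscribe is authorised on the literal filter string against topicfilter/ ARNs."""
    return evaluate(policy, "iot:Subscribe", iot_arn("topicfilter", topic_filter))


def can_receive(policy, topic):
    """Delivery of each message is authorised against topic/ ARNs, not topicfilter/."""
    return evaluate(policy, "iot:Receive", iot_arn("topic", topic))


if __name__ == "__main__":
    print(can_publish(MY_THING_SHADOW, "$aws/things/OtherThing/shadow/update"))   # Deny
    print(evaluate(REVOKE_ONE_THING, "iot:UpdateCertificate", CERT_ARN,
                   {"aws:SourceIp": "10.0.0.1"}))                                  # Deny
```

Two things the checks surface: a subscribe to '#' or to '$aws/things/+/shadow/update/accepted' is denied because the filter string is matched literally against the policy's pattern, which is exactly why the topicfilter resource must be scoped per thing; and the third statement on the slide authorises Subscribe but not the delivery of messages, because AWS IoT evaluates iot:Receive against topic/ ARNs rather than topicfilter/ ARNs, so a working policy needs an extra statement allowing iot:Receive on arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/*.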
Hardware Security (Private Key & Platform Protection)
IoT Gateways
Atmel Zero Touch Secure Provisioning Kit
If you spend a lot of time on securing your IoT applications, you’re not spending time solving problems for your customers. So don’t build a platform, unless you’re building a platform. In which case, fine, build a platform.
Building ‘Hello World’ (for IoT Developers)
Turns out, developers are creative
• Sassy Ping Pong Score Keeper
  Source: https://www.hackster.io/youngd/ping-pong-showdown-eabaed
• Slack-powered Doorbell
  Source: www.theatlantic.com/notes/2016/07/make-every-week-2-a-silent-slack-powered-doorbell/490880/
• Emergency Sweetgreen Ordering
  Source: http://www.andrewmcgill.me/2016/08/19/make-every-week-sweetgreen-salad-button.html
• Push a button to get directions to the right meal within your budget (integrates time of day, weather, Google Directions, Yelp, and Stripe)
  Source: https://medium.com/@_adeel/nerding-out-with-the-amazon-iot-button-84a6e14b6b28#.ekd5hsnez
How does it work? A rule in AWS IoT can:
• Invoke a Lambda function
• Put an object in an S3 bucket
• Insert, update or read from a DynamoDB table
• Publish to an SNS topic or endpoint
• Publish to a Kinesis stream
• Kinesis Firehose > Redshift
• Republish to AWS IoT
But wait, I live in Europe and I want to do this. Right now!
HARDWARE YOU WILL (& MIGHT) NEED
• A Raspberry Pi
• Electronics Kit: try the SunFounder 37 modules Sensor Kit v2.0 for Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires
  • http://www.amazon.co.uk/dp/B014PF05ZA
  • Example tutorial
• Raspberry Pi Sense Hat (optional fun)
  • https://www.raspberrypi.org/products/sense-hat/
SETTING UP FOR GPIO/SENSE HAT
• Your own electronics/sensor build:
  • C (for embedded C): WiringPi, http://wiringpi.com
  • Python wrapper module for WiringPi: https://github.com/WiringPi/WiringPi-Python
• For the Sense Hat: Python module, https://github.com/RPi-Distro/python-sense-hat
SETTING UP FOR AWS IOT
1. Use the AWS Console to create your device
2. Download the required crypto materials & save the C header file contents with your endpoint, cert, and key details
3. Download & set up your chosen AWS IoT SDK. Get them at: https://aws.amazon.com/iot/sdk/
   Building the C SDK on the Raspberry Pi requires the CppUTest library from: https://github.com/cpputest/cpputest/releases/tag/v3.6
4. Get started with the sample applications that come with the AWS SDKs
EXAMPLES & DEMOS
Emulating the AWS IoT Button (C++) https://github.com/ianmas-aws/iot-button-emulator
Controlling the Sense Hat via AWS IoT Device Shadow (Python) https://github.com/ianmas-aws/PiPyIoT
Go Build, Have Fun
Alert Someone: AWS IoT to AWS Lambda to SNS
[Diagram: Button (SDK, private key & certificate, policy) publishes to AWS IoT; the Rules Engine rule SELECT * FROM 'iotbutton/+' invokes a Lambda function (event source; execution role policy); the function publishes to an SNS topic (permission, action, topic subscription), which delivers an SMS or email]
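The Lambda function in the flow above receives the button's whole JSON payload, because the rule selects * from 'iotbutton/+'. Here is an added example of that function, written for this page and not taken from the talk. TOPIC_ARN, the FakeSns client and SAMPLE_EVENT are assumptions or constructed data; the event fields (serialNumber, batteryVoltage, clickType) are the ones the AWS IoT Button publishes, and the SNS client is injected so the example runs offline.

```python
# Added example, not from the talk: Lambda behind "Alert Someone".
try:
    import boto3            # available in Lambda; optional here so the example runs offline
except ImportError:
    boto3 = None

TOPIC_ARN = "arn:aws:sns:us-east-1:123456972007:iot-button-alerts"   # assumed topic
ALLOWED_CLICKS = {"SINGLE", "DOUBLE", "LONG"}

# Execution-role policy for this function (plus the usual CloudWatch Logs
# statements): it may publish to that one topic and nothing else.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}],
}


def is_button_event(event):
    """True only for payloads shaped like a button press.

    The rule accepts anything published under iotbutton/, so validate before
    the payload ends up in an SMS or email.
    """
    serial = event.get("serialNumber")
    return (isinstance(serial, str) and serial.isalnum()
            and event.get("clickType") in ALLOWED_CLICKS)


def format_alert(event):
    """Turn a validated button event into the notification text."""
    if not is_button_event(event):
        raise ValueError("payload is not a button event")
    battery = event.get("batteryVoltage", "unknown")
    return f"IoT button {event['serialNumber']}: {event['clickType']} click (battery {battery})"


def lambda_handler(event, context=None, sns=None):
    sns = sns or boto3.client("sns")
    message = format_alert(event)
    response = sns.publish(TopicArn=TOPIC_ARN, Subject="IoT button pressed", Message=message)
    return {"messageId": response["MessageId"]}


class FakeSns:
    """Stands in for boto3.client('sns') when running without AWS."""
    def __init__(self):
        self.published = []

    def publish(self, TopicArn, Subject, Message):
        self.published.append((TopicArn, Subject, Message))
        return {"MessageId": f"msg-{len(self.published)}"}


# Constructed button event in the format the AWS IoT Button publishes.
SAMPLE_EVENT = {"serialNumber": "G030JF0501234567", "batteryVoltage": "1650mV", "clickType": "DOUBLE"}

if __name__ == "__main__":
    client = FakeSns()
    print(lambda_handler(SAMPLE_EVENT, sns=client), client.published)
```

Each button's own AWS IoT policy should likewise allow iot:Publish only on topic/iotbutton/<its serial number>, so that one compromised button cannot publish as another.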
Count items or Track Usage: AWS IoT to DynamoDB to Dashboard
[Diagram: Button (SDK, private key & certificate, policy) publishes to AWS IoT; the Rules Engine rule SELECT * FROM 'iotbutton/+' writes each event to DynamoDB (permission, action); a Lambda function (event source; execution role policy) behind API Gateway reads the table for a dashboard served as an S3 website]
Start or Stop Something: AWS IoT to AWS Lambda to an External Endpoint
[Diagram: Thing/Device (SDK, private key & certificate, policy) publishes to AWS IoT; the Rules Engine rule SELECT * FROM 'iotbutton/+' invokes a Lambda function (event source; execution role policy; permission), which calls an external API endpoint, here the LifX API]