nick.albo says:34 minutes ago
That's great Nick Sayer! I am one of the students from Pitt who is doing a project. We are reall excited to get all of you guys' input on the subject
mjbraun says:34 minutes ago
Nick Sayer, same here. Who are you with?
M.daSilva says:34 minutes ago
That email was pretty useful last week, wouldn't have been here otherwise :)
34 minutes ago
welcome @nick.albo thanks for coming to share your projects
Nick Sayer says:33 minutes ago
I'm not sure I can mention them out loud or not. But I work for a company that has a very very large deployment of remotely addressable devices.
mjbraun says:32 minutes ago
No worries. I'm with NCC Group, FWIW.
32 minutes ago
@nick.albo is here to talk about maker IoT projects- but ... I'll him intro himself and the team once we get started
themartinm says:31 minutes ago
Silver Spring Networks? :P
Nick Sayer says:31 minutes ago
It's not a big secret or anything. I just am not sure I'm allowed to give the impression of being some sort of spokesman. :D
30 minutes ago
lol
Nick Sayer says:30 minutes ago
Well, I'm pretty sure I'm *not* allowed to do that, actually..
mjbraun says:30 minutes ago
"Your opinions are yours and not your employer's". Got it!
Nick Sayer says:30 minutes ago
:D
30 minutes ago
haha
themartinm says:30 minutes ago
I think it goes without saying that unless specified directly anyone's opinions are like mjbraun said, yours not your employers ;)
30 minutes ago
so it's time to get started
30 minutes ago
we have a sheet: https://docs.google.com/spreadsheets/d/1Y2Gq3zATBvBrVrG51wasoNmGRf97EFXvv94TvZxMR2E/edit#gid=0
30 minutes ago
for discussion questions
steverobillard says:29 minutes ago
@Nick can't say = NSA
29 minutes ago
...and welcome to @nick.albo + team!
j0z0r pwn4tr0n says:27 minutes ago
warm hackaday welcome
nick.albo says:27 minutes ago
thanks @SophiOne. So like Sophi said, our group is doing a semester long project about IoT security. We are all from the University of Pittsburgh and are here today to learn from you guys about what the maker community feels about security in their projects.
Bhavesh Kakwani says:26 minutes ago
@nick.albo This is a great topic! I have pretty much avoided IoT till now because of fears of not being able to implement it securely
Neil Cherry says:26 minutes ago
There is no S in IoT (it's silent) :(
Neil Cherry says:25 minutes ago
I've got ideas but they need a 32b cpu to start (esp8266 seems okay)
Mike D. says:25 minutes ago
It is possible but like every thing in this space, there are some bumps to get over.
Non-ICE says:25 minutes ago
A lot of home security vendors are implementing IoT into their alarm systems these days. Anyone dug into their security measures?
Non-ICE says:25 minutes ago
A lot of home security vendors are implementing IoT into their alarm systems these days. Anyone dug into their security measures?
Nick Sayer says:24 minutes ago
IMHO step 1 is realizing just how hostile the Internet is. All you have to do to see that is expose a listener on TCP port 22 to the Internet and watch how often the doorknob gets rattled.
nick.albo says:24 minutes ago
@Bhavesh Gohel so thats the what we are talking about exaclty. What kind of security measures would you need to have in place to be comfortable with IoT?
Non-ICE says:24 minutes ago
and don't openport 3389 to your winblowsserver
anfractuosity says:23 minutes ago
I was wondering, if you use things like LoRa, are MCUs these days powerful enough for elliptic curve crypto etc. (I think some chips provide acceleration for symmetric)
Neil Cherry says:23 minutes ago
I've only been playing with MQTT (cloud and local)
Mike D. says:23 minutes ago
I think there are some pretty easy ones to consider right off the bat.. No hardcoded credentials in the firmware, don't expose any API keys to the internet or source code repositories right? TLS for any calls to cloud based services....
Nick Sayer says:23 minutes ago
infract: You can get crypto accelerators to do the heavy lifting for you. Highly recommended.
Neil Cherry says:23 minutes ago
It's easy to communicate with MQTT to a cloud service with a Pi
MarkAtMicrochip says:22 minutes ago
@anfractuosity Yep. Some have built in hardware acceleration
nick.albo says:22 minutes ago
So we are actualy looking at IoT security all the way down to 8-bit
anfractuosity says:22 minutes ago
can they accelerate assymetric crypto ?
Nick Sayer says:22 minutes ago
@an: absolutely!
j0z0r pwn4tr0n says:21 minutes ago
@nick.albo: Would open source be out of the question? Because there aren't many independent sources that I feel can be trusted to verify my crypto
Nick Sayer says:21 minutes ago
I don't know the ID offhand, but Atmel has an i2c chip that does ECC and AES. It's also a mini HSM as well - it has a security mesh for secure key storage and the like.
Bhavesh Kakwani says:21 minutes ago
@nick.albo Hmm I've never put it down concretely, but as a start it would be good to have a firewall with sensible defaults, encrypted communications, force user to set up new password at the beginning
anfractuosity says:21 minutes ago
oh interesting, i'll have to investigate that then, Nick, cheers
nick.albo says:20 minutes ago
@j0z0r pwn4tr0n we have thought about building a library but we need to know people will use it
Nick Sayer says:20 minutes ago
@Bhavesh Kakwani: Seconded. Start by excluding all traffic, then figure out the minimum openings to allow the service you need.
themartinm says:19 minutes ago
@Nick Sayer ATSHA204 and AT88SA102S they have eval kits for both of these families
Nick Sayer says:19 minutes ago
@themartinm +1
Shawn Shifflett says:19 minutes ago
As some working in the compliance arena I would like to see more IoT devices actively and accurately logging. Preferably with the ability to send their data to a syslog server.
nick.albo says:19 minutes ago
@Bhavesh Kakwani so if you where going to build a project, how would you start, i.e. where would you go for research?
MarkAtMicrochip says:18 minutes ago
@Nick Sayer The SHA204 is good for keystorage - not encryption
anfractuosity says:18 minutes ago
WRT IoT alarm systems, don't a lot of wireless alarms, not activate the alarm if they're jammed, so you could just jam the sensors
steverobillard says:17 minutes ago
besides the atmel parts mentioned TI has this http://www.ti.com/tool/ek-tm4c129exl
Mike D. says:17 minutes ago
Bruce Schneier had a good list of resources for IoT security https://www.schneier.com/blog/archives/2017/02/security_and_pr.html
Nick Sayer says:16 minutes ago
@nick.albo Always start with complete lock-down, then open up what's necessary. Go the other way and the one thing you forget will be your undoing. :)
Ziyue says:16 minutes ago
Hi, my name is Ziyue, a team member in Big Crypto. Sorry just joined in. Could you guys talk anything about how do you feel like encrypting data and the probable libraries you could come up with?
16 minutes ago
welcome @Ziyue thanks for joining!
Bhavesh Kakwani says:16 minutes ago
@nick.albo If I am doing an electronics project, I would do an online lookup of "good practices" for IoT security, and figure out how to integrate with the other components on the board. If I am looking at using an existing IoT platform and just doing software on top of it, then I have not much choice but to look up which platform is most secure and trust the ratings
16 minutes ago
I'll make a transcript of this chat so you can see what you missed
Nick Sayer says:15 minutes ago
@Ziyue From my perspective, there's kind of two classes of IoT thing... The kind that have a *nix kernel under the covers, and the ones that are too small to do that.
Nick Sayer says:15 minutes ago
For the *nix bearing things, the solutions are relatively mature at this point. For the rest, it's almost completely ad-hoc.
Kevin says:13 minutes ago
It may be helpful for this discussion to define an IoT device as that has become such a buzzword these days that it has lost some of its meaning.
Bhavesh Kakwani says:13 minutes ago
@nick.albo But honestly as a hobbyist making a IoT hardware is very daunting. I don't even know which frequency range to use, how to miniaturize it, do I need an antenna or not. Security is another complication because I feel like I have to put down some ICs or a microprocessor to do the encryption. Again I don't know more details than that, this is my idea of it
Neil Cherry says:13 minutes ago
Actually I'd like to see less *nix under the covers, too much power for abuse
j0z0r pwn4tr0n says:12 minutes ago
@nick.albo: Yeah, I would just google it and then dive deeper down the rabbit hole. I have found a lot of what I currently know from that method. I feel like if you release an open library that works and has plugins for the top X number of home automation devices, people would use it. Basically, If you build it, they will come
nick.albo says:12 minutes ago
We are right now thinking the most valuable thing we can provide is a community forum where people go to learn how to implement security on their projects. This would have tutorials on common platforms, good libraries to use, a forum for discussion, as well as a place for people to share their personal implementations. This would probably be hosted on github, hackaday, etc
MarkAtMicrochip says:11 minutes ago
Security, I thin, means both encryption and authentication. But I find that most engineers don't think about authentication - only encryption.
Nick Sayer says:11 minutes ago
@Neil Cherry *nix doesn't give more power than the hardware has already. The user authorization model isn't what makes *nix useful for embedded gizmos, it's the incredibly mature and robust networking stack and library support.
Kevin says:11 minutes ago
@Nick, yes. if a device is connected to the internet and it is running a full OS (such as Linux) then security isn't as much of a problem as setting the security such a system is more of a known quantity.
nick.albo says:10 minutes ago
@MarkAtMicrochip we have thought about that and we are thinking its something where you can do both if need but authentication is probably more important in hobbyist projects.
Neil Cherry says:9 minutes ago
@Nick Sayer, agreed but when a normal end user is given something I don't like using *nix as they won't do anything additional to secure it. Of course that is my job (technicallY)
MarkAtMicrochip says:9 minutes ago
@nick.albo I couldn't agree more, thx.
j0z0r pwn4tr0n says:9 minutes ago
@nick.albo: Not a bad idea, worst part is visibility. Like how can you make sure the people that need to see it will?
Nick Sayer says:8 minutes ago
@Neil: I posit that *nix makes your job of doing that easier, but that's also my 30 years of being a *nix admin talking. :)
Neil Cherry says:8 minutes ago
I'm doing a DIY Smart Home presentation next month in NJ (TCF). I hope to have some security and authentication for MQTT and Node_red access.
Neil Cherry says:8 minutes ago
've only got 50 minutes to present though
Frédéric Druppel says:8 minutes ago
Would it be possible and safe to use an encryption formula (like viginere or PlayFair) in the microcontroller / processor to encrypt the packets ?
Nick Sayer says:7 minutes ago
@Neil: Keep in mind too that when you embed *nix, that doesn't at all imply that the user will have any ability to administer it.
Neil Cherry says:7 minutes ago
@Nick Sayer, same her (85?) but I've also sone end user support (consumer and office). Can't assume anything there
7 minutes ago
hey @MarkAtMicrochip is here! :)
Neil Cherry says:7 minutes ago
Here's a question, what encryption and secure auth do we have for 8 bit processors?
Nick Sayer says:6 minutes ago
@Neil if I were going to do that, I'd definitely off-load that work onto an enclave chip.
nick.albo says:6 minutes ago
Hey guys, btw, we are alos hoping that some of you would be willing to talk in a more one on one setting after this. We have a google form made that you can fill out and hopefully we can get something set up! https://goo.gl/forms/q4ShNGYhgDKsMvbh2
Neil Cherry says:5 minutes ago
@Nick Sayer, good point, does anyone have some pointer? I like the 32b processorsI'm
Neil Cherry says:5 minutes ago
32 and the ESP8266
Nick Sayer says:5 minutes ago
@Neil Look up ^^ some Atmel chips were mentioned.
nick.albo says:5 minutes ago
@neilcherry there are new algorithms that can run on 8-bit and there is also being work done to protocols like SSL and TLS to put them on 8-bit
Frédéric Druppel says:4 minutes ago
Embedded custom formulas ?
Neil Cherry says:4 minutes ago
PIC32
Neil Cherry says:4 minutes ago
@nick.albo, that I'd like to see (really)
Ziyue says:4 minutes ago
@j0z0r pwn4tr0n Good question, like how to make people be aware of our website and get access to it. We have thought about google ads try to make people find us from keywords searching.
Bhavesh Kakwani says:4 minutes ago
@nick.albo Do you have any insight on why so many Iot products are insecure? I heard there are large high-bandwidth botnets made entirely out of consumer Iot products on people's wifi networks
Neil Cherry says:3 minutes ago
Only my opinion, rush out the door to be first
Nick Sayer says:3 minutes ago
I think the best thing to do for new IoT developers is keep a kind of history list of the missteps.
nick.albo says:3 minutes ago
@Bhavesh Kakwani so we spoke with Bruce Schneier about the topic and we agree with his views that IoT products are most valuable when they get to the shelves first. This makes the deisgn process rushed and security isnt even considered because there is no regulations in the industry to make them secure the devices
Nick Sayer says:2 minutes ago
There were the recent IoT Bottnet incidents, certainly.
Neil Cherry says:2 minutes ago
PVRs and cameras I think
Nick Sayer says:2 minutes ago
But there have also been cases where things like Netgear routers have simply had poor factory default configurations result in things like DDOSing NTP servers.
Bhavesh Kakwani says:2 minutes ago
Hmm ok so there are no laws in this domain yet? Other than the radio spectrum laws
Nick Sayer says:2 minutes ago
Those aren't security issues per se, but they're costly and embarassing.
Matt Lipschutz says:a few seconds ago
There are laws (at least in the US) dealing with "illicitly accessing" digital devices, but no laws/regulation which require the manufacturers to ensure their setup isn't complete garbage.
Nick Sayer says:a few seconds ago
There is product liability
nick.albo says:3 minutes ago
@Bhavesh Kakwani yeah there are currently no laws about security when you put a device on the web,. Bruce wrote a really good article on IoT security a while back that I can try and find
Matt Lipschutz says:3 minutes ago
But what is the liability, exactly? social capital?
Matt Lipschutz says:2 minutes ago
there's no real legal liability...and the financial consequences, at least lately/so far, have been minimal.
bcontino.bc says:2 minutes ago
@Bhavesh Kakwani the report is a couple years old, but check out page 4: https://www.hpe.com/h20195/v2/GetPDF.aspx/4AA5-4759ENN.pdf
Nick Sayer says:a minute ago
@Matt Lipschutz The only thing that needs to change for that would be to educate the ambulance chasers.
nick.albo says:a minute ago
So say you were build a Hobbyist project, how long would you be willing to spend to secure it?
Neil Cherry says:a few seconds ago
hehe, yes lawyers would change a lot quick
mjbraun says:a few seconds ago
Automotive one weird market where IoT type practices collide with crazy legal frameworks and folks are trying to figure it out
Matt Lipschutz says:a few seconds ago
@Nick can you qualify that statement? You want to educate lawyers as to...what, exactly?
Matt Lipschutz says:3 minutes ago
@Nick can you qualify that statement? You want to educate lawyers as to...what, exactly?
NdK says:2 minutes ago
The problem is that too often the user is not competent enough to recognize a secure product from an insecure one. Or even prefers the insecur one "because it's simpler to setup". The same for too many hobby projects.
Neil Cherry says:2 minutes ago
@nick.albo, a lot of time but I'm working with mostly insecure on my home network
Nick Sayer says:2 minutes ago
@nick.albo There are two classes of things, IMHO... If your IoT thing is intended to live behind a proper firewall - say in someone's house - then the bar on it is much lower.
Matt Lipschutz says:2 minutes ago
@mjbraun that's because there are safety standars when dealing with automobiles.
Neil Cherry says:2 minutes ago
Yes, a quick demo can't show a complete setup
Nick Sayer says:2 minutes ago
@nick.albo If your thing needs to be internet exposed, well, that's a whole different kettle of fish.
Bhavesh Kakwani says:a minute ago
@nick.albo I think I wouldn't want to spend more than 10% time on teh security. Security is very important but I (and most hobbyists) are not experts, so we need the heavy-lifting to be done by a reliable person in advance
Neil Cherry says:a few seconds ago
a complete setup is like writing a book
nick.albo says:a few seconds ago
Is anyone here concerned at all about man in the middle attacks? Like say if you had a temperature monitoring system
NdK says:a few seconds ago
Too bad that's often not possible: which security to use depends on the application!
Matt Lipschutz says:a few seconds ago
and I think *THAT* @NdK is the core of the problem.
Nick Sayer says:a few seconds ago
@Matt Lipschutz When a big firm sells tens of thousands of things that wind up with huge security problems later... Well, that's a class action attorney's dream - widespread client class, deep-pocket defendant...
Anyone who is interested in discussing this subject with Big Crypto directly should sign up here: https://docs.google.com/forms/d/e/1FAIpQLScnXHiExCgd3d4-t-5pgw_lqv3nmrfazeDPtQh6IbNm4DGFrA/viewform?c=0&w=1
Neil Cherry says:2 minutes ago
@nick.albo, yes I am
nick.albo says:a few seconds ago
@Neil can you go into why?
Neil Cherry says:a few seconds ago
I'm not normally worried about MIM with my home but with more devices that I have less control over it's a problem
Greg Bushta says:a few seconds ago
@Nick Sayer I keep my IoT devices set up without the gateway to the outside included to keep them from wandering. I don't have any that I want to access without me being on the LAN, yet.
nick.albo says:a few seconds ago
like what would happen if that attack occured
Bhavesh Kakwani says:a few seconds ago
@nick.albo Yeah MITM is the worst nightmare! Imagine someone else controlling your device with nothing you can do
NdK says:a few seconds ago
For home hobby projects you can simply use PSK, assuming the attacker is not targeting your developement environment. But you must at least know how to prevent replay attacks. From PSK, if resources and constraints allow, you can even use asymmetric crypto to exchange keys or authenticate messages.
Neil Cherry says:a few seconds ago
I'm also working on netflow
Nacht Ritter says:4 minutes ago
@NdK Agree with your comment RE: end user of IOT devices. A secure IOT device must be as easy to set up as a non-secure one. And the IOT vendor cannot assume the end user has properly configured their WAN access to limit access.
j0z0r pwn4tr0n says:4 minutes ago
@nick.albo: I wouldn't be that concerned with it, with the exception of if my iot network was LAN only, that would mean the MitM was actually somewhere in my house!!
Nick Sayer says:3 minutes ago
@NdK one of the recent security conferences had a talk where they showed how widespread PSK is in the smart lock business - and how useless it is.
j0z0r pwn4tr0n says:2 minutes ago
although really he need not be physically there. but in all reality if someone is messing with my temp logger, what's the fruit of such an attack?
Neil Cherry says:2 minutes ago
can pretty much do as I like to it (put whatever software ie Linux kernel and software) and own the network
NdK says:2 minutes ago
Only if it's not protected against replay attacks.
(sorry, I still don't know how to cite)
wangwenchen0407 says:a minute ago
@NdK Can you explain more about PSK?
NdK says:a minute ago
Pre Shared Key : evry node uses the same key to access the network
j0z0r pwn4tr0n says:a few seconds ago
@Neil Cherry: Didn't think about that, ie having a trusted node on the network would give you a foothold to mount a stronger attack
Nick Sayer says:a minute ago
PSK *can* be unique keys per node, but the concept is that the keys are not dynamic - they're determined "beforehand" for whatever that means.
NdK says:a minute ago
That's the simplest form of authentication. You can use the PSK as encryption key and include a nonce (or a sequence number) in every packet.
Nick Sayer says:a few seconds ago
The next step up from PSK is pre-shared asymmetric crypto - you have a master *private* key and compile in the public key into the device code.
NdK says:2 minutes ago
Another promising method is identity-based crypto, where the node id is actually its public key
Audi McAvoy says:a minute ago
@Ndk even so, the attacker can't spoof your master
Nick Sayer says:a minute ago
You start with a root key pair. The public key gets compiled into all the devices. The private key exists *solely* on paper. You print out a copy of it and put it in a safe. You use it *once* to sign an intermediate certificate. The private key of *THAT* cert is what you use day-to-day.
Nick Sayer says:a minute ago
You can roll the intermediate certificate frequently without a universal firmware upgrade.
NdK says:a few seconds ago
Asymmetric crypto is unfeasible on very constrained devices
Nick Sayer says:a few seconds ago
@NdK That's why they have crypto accelerator chips.
NdK says:4 minutes ago
that coss more than the rest of the project
Nick Sayer says:4 minutes ago
In designing your device, you have to compare all of the costs - in particular, the cost of hardening it versus the cost of cleaning up after a compromise.
NdK says:4 minutes ago
not to mention power usage during asymmetric crypto ops
Nick Sayer says:3 minutes ago
For hobbyist IoT, perhaps the cost of cleaning up after a compromise is low.
Radomir Dopieralski says:3 minutes ago
the cost of a compromise is 0 for the company that manufactures it
Radomir Dopieralski says:3 minutes ago
all of it is paid by the customer
Nick Sayer says:3 minutes ago
But if I were designing one of those private-branded ATM machines you see at 7-11? You bet I'd harden that!
NdK says:3 minutes ago
If, for start, your nodes don't "speak" TCP. the problem ca be different
Nick Sayer says:2 minutes ago
@Radomir: That's been the case so far, but I don't see that continuing.
Nick Sayer says:2 minutes ago
@NdK the crypto aspects are independent of transport..
BashBits says:2 minutes ago
@Nick Sayer dont they run windows xp or did they upgrade the ATM's
BashBits says:2 minutes ago
@Nick Sayer dont they run windows xp or did they upgrade the ATM's
BashBits says:2 minutes ago
@Nick Sayer dont they run windows xp or did they upgrade the ATM's
BashBits says:2 minutes ago
@Nick Sayer dont they run windows xp or did they upgrade the ATM's
Nick Sayer says:a minute ago
@BashBits If I were going to make one, it wouldn't run Windows. :D
BashBits says:a minute ago
wow sorry guys, chrome lagged on me
a few seconds ago
refresh for lagging
Nick Sayer says:a few seconds ago
We can take it down a notch from ATMs, though... Let's say you wanted to enter the smart lock market. You wanted to do August one better, say.
Nick Sayer says:5 minutes ago
The hardware design is a crypto accelerator chip, a BTLE chip and something like an ATMega328.
wangwenchen0407 says:4 minutes ago
A quick question. Which way do you think is more power consuming? hardware or software encryption solution?
Nick Sayer says:4 minutes ago
That certificate based PKI solution is absolutely what I'd do for that.
NdK says:4 minutes ago
I wouldn't
Nick Sayer says:4 minutes ago
@wang Definitely hardware crypto uses less power in the end - they can design their processor to do exactly what's required as efficiently as possible.
NdK says:3 minutes ago
Useless: it's point-to-point. PSK and (maybe) TOTP
Nick Sayer says:3 minutes ago
@NdK Not at all. The use case is control from a smartphone app with all sorts of delegation ability.
NdK says:2 minutes ago
Unless you have the lock that speaks with an external system
Nick Sayer says:2 minutes ago
The smartphone app is online - it can fetch the signed message from the service and present it over BTLE.
Nick Sayer says:2 minutes ago
The device doesn't have to trust the presenter - it can validate the message the presenter presents.
Neil Cherry says:2 minutes ago
@Sophie, this UI is locking up my FF on Linux
Nick Sayer says:a minute ago
The device's firmware is completely open. Even to the point of including the root public key.
NdK says:a minute ago
Load the PSK on the phone from a QR code. That generates a TOTP code that gets sent to the lock
Nick Sayer says:a minute ago
@NdK Now you have to secure that QR code or else.
Neil Cherry says:a few seconds ago
Can't refresh a lockup, I've had to kill FF 4 times
Ziyue says:a minute ago
Thank you guys for the brilliant ideas which riched our project and we hope we could reach you later. Would you mind filling up the follow up table https://goo.gl/forms/q4ShNGYhgDKsMvbh2 We really appreciate for that
Nick Sayer says:a few seconds ago
And you have to share it with your dog walker. And when you fire them, how do you prevent them from continuing to use it?
Neil Cherry says:2 minutes ago
@ndk, interesting . QR, not thought of that
NdK says:a minute ago
You could even use a small OLED display.... 128x64....
Discussions
Become a Hackaday.io Member
Create an account to leave a comment. Already have an account? Log In.