© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jan Metzner, Anton Shmagin, AWS
Kerry Maletsky, Microchip/Atmel
November 30, 2016
IOT302
IoT Security
The New Frontiers
@janmetzner @y0na75
What to expect from the session
• System, transport and thing security
• Fine-grained authorization
• Thing management
• Pub/sub data access
• AWS services integration
• Incident response
• End-to-end IoT security (demo)
The idea for this talk started from this quote …
“Every IoT security article:
• IoT is big
• IoT security is bad
• Consequences are scary
• Change default settings
• Buy my product
• Problem not solved …”
Dr. Sarah Cooper
June 2, 2016
All things around us are getting connected
Things will proliferate
(chart: device counts from 2013 to 2020 for vertical industry, generic industry, consumer and automotive, rated many/some/lots)
Many devices are not enforcing security
Mirai botnet: default passwords
Connected ≠ smart
Internet 1985 | IoT 2015
Gopher        | HTTP
FTP           | MQTT
NNTP          | CoAP
Telnet        | XMPP
Archie        | AMQP
Not a typical apocalyptic IoT talk
IoT security needs to be effective yet simple
“… pilots and race car drivers were willing to put on almost anything to keep them safe in case of a crash, but regular people in cars don't want to be uncomfortable even for a minute.”
Nils Bohlin
Multiple attack vectors
System, transport, and thing security (diagram: system, transport and thing layers plotted against risk)
Typical SoC (diagram): a system on module (SoM) carrying the SoC with CPU/MCU, memory, baseband, location, WLAN, BLE, LPWAN, NFC and hardware crypto blocks
Connectivity options (diagram): direct or through a gateway
• Satellite, Wi-Fi, cellular, LPWAN, Bluetooth, other
• IEEE 802.15.4, ZigBee, Z-Wave, Thread
AWS IoT
Incident response in AWS IoT: a CloudWatch Events (CWE) rule executes a Lambda function to invalidate the certificate
Time to connect someTHING …
One service, three protocols

                    | MQTT + mutual auth TLS | WebSocket + AWS auth       | HTTPS + AWS auth
Server auth         | TLS + cert             | TLS + cert                 | TLS + cert
Client auth         | TLS + cert             | AWS credentials (API keys) | AWS credentials (API keys)
Confidentiality     | TLS                    | TLS                        | TLS
Protocol            | MQTT                   | HTTP/WS                    | HTTP
Communication model | Pub/sub                | Pub/sub                    | REST
Identification      | AWS ARNs               | AWS ARNs                   | AWS ARNs
Authorization       | AWS policy             | AWS policy                 | AWS policy

Authentication
• Things: certificate/private key
• Users: AWS IAM (user/role: API keys), Amazon Cognito (role: API keys)
• AWS services: AWS IAM (role: API keys)
Authorization – IAM policies (diagram): users obtain temporary AWS credentials through Amazon Cognito, which maps them to an IAM unauthenticated or authenticated role; AWS services and third-party services use AWS credentials directly
Authorization – IoT policies
Fine-grained access for each device with a single policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:1234567890:client/${iot:Certificate.Subject.CommonName.1}",
      "Effect": "Allow"
    }, {
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"
      ],
      "Effect": "Allow"
    } ]
}
Authorization – IoT policies
Fine-grained access with registry variables
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": ["true"] } }
    }, {
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ],
      "Effect": "Allow"
    } ]
}
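To show how the certificate and thing policy variables on the two policies above scope a single device, here is an added example (not the deck's or AWS's code) that evaluates both policies offline against a constructed connection context. The resolution rules are a simplification of the service, and ACCOUNT and the sample contexts are assumptions.

```python
"""Offline model of AWS IoT policy evaluation with policy variables.

Added example, not code from the deck. Rules modelled: an unresolvable
${variable} never matches, '*' in policy text is a wildcard, substituted
values are literal, Deny beats Allow, default deny. This is a simplification
of the real service; ACCOUNT and the contexts are constructed.
"""
import re

ACCOUNT = "arn:aws:iot:eu-west-1:1234567890"   # account id as written on the slides

# Slide 1: fine-grained access keyed on the certificate Common Name.
POLICY_CERT_CN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect", "Effect": "Allow",
         "Resource": ACCOUNT + ":client/${iot:Certificate.Subject.CommonName.1}"},
        {"Action": "iot:Publish", "Effect": "Allow",
         "Resource": [
             ACCOUNT + ":topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
             ACCOUNT + ":topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"]},
    ],
}

# Slide 2: fine-grained access keyed on registry (thing) variables.
POLICY_THING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect", "Effect": "Allow", "Resource": "*",
         "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}}},
        {"Action": "iot:Publish", "Effect": "Allow",
         "Resource": [ACCOUNT + ":topic/${iot:Connection.Thing.ThingTypeName}"
                      "/${iot:Connection.Thing.ThingName}"]},
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _glob(literal):
    """Policy text: '*' is a wildcard, everything else is literal."""
    return ".*".join(re.escape(part) for part in literal.split("*"))


def compile_pattern(template, ctx):
    """Compile an Action or Resource pattern against the connection context.

    Returns None when a ${variable} is absent from the context (for instance
    a certificate with no attached thing), which the evaluator treats as
    'does not match'. Substituted values are escaped, so a device whose
    certificate CN is '*' does not turn its own scope into a wildcard.
    """
    parts, pos = [], 0
    for m in _VAR.finditer(template):
        parts.append(_glob(template[pos:m.start()]))
        if m.group(1) not in ctx:
            return None
        parts.append(re.escape(str(ctx[m.group(1)])))
        pos = m.end()
    parts.append(_glob(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Only the Bool operator used on the slides is modelled."""
    for key, wanted in condition.get("Bool", {}).items():
        if str(ctx.get(key, "")).lower() not in [str(w).lower() for w in wanted]:
            return False
    return True


def statement_matches(stmt, action, resource, ctx):
    actions = [compile_pattern(a, {}) for a in _as_list(stmt["Action"])]
    if not any(p.match(action) for p in actions):
        return False
    if not _condition_holds(stmt.get("Condition", {}), ctx):
        return False
    for template in _as_list(stmt["Resource"]):
        pattern = compile_pattern(template, ctx)
        if pattern is not None and pattern.match(resource):
            return True
    return False


def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny statement overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

A certificate with no attached thing leaves ${iot:Connection.Thing.ThingName} unresolved, so the thing-variable policy grants it nothing even though its Connect statement allows every client id.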
Birth of a device
Strong thing identity (diagram): on the manufacturing line the identities retrieved from AWS IoT are provisioned onto the thing, which then opens its data connection; the certificate is created from a CSR
Strong thing identity: two ways to create a certificate
• AWS-generated key pair: CreateKeysAndCertificate()
• Customer-generated key pair, submitted as a CSR: CreateCertificateFromCSR(CSR)
BYOB? Better - BYOC
Customer’s certificate authority (diagram): on the manufacturing line the identities are provisioned signed with the customer’s CA and registered asynchronously with AWS IoT before the thing opens its data connection
Bring your own certificate (BYOC): the customer’s Hardware Security Module (HSM) signs the CSRs
Demo
Embed video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/wo-jitr.mov
“Look ma, no hands!”
Just-in-time registration (JITR)
Just-in-time registration (diagram): on the manufacturing line the identities are provisioned signed with the customer’s CA; the certificate is registered at the first data connection (JIT registration)
Just-in-time registration – Provisioning: the customer’s Hardware Security Module (HSM) signs the device CSRs
Just-in-time registration – CA registration: getRegistrationCode(), then registerCACertificate(CACert, RegCert)
Just-in-time registration – the certificate arrives in the PENDING_ACTIVATION state; a function handling that state runs:
• checkYourCRL()
• updateCertificate(Cert, ACTIVE)
• attachPrincipalPolicy(Cert, IoTPolicy)
• updateERP()
Demo
Embed video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/jitr.mov
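The PENDING_ACTIVATION handler drawn on the JITR slide, written out as an added example (not the deck's or AWS's code): it checks the OEM's revocation list, attaches the IoT policy and activates the certificate, and its REVOKED branch is the same updateCertificate call the incident-response slide's Lambda relies on. POLICY_NAME, the constructed REVOKED_CERT_IDS set and the FakeIoTClient are this example's assumptions; the AWS client is injected so the flow runs offline.

```python
"""Just-in-time registration (JITR) handler for the PENDING_ACTIVATION state.

Added example, not the deck's or AWS's code. Steps follow the slide:
checkYourCRL(), updateCertificate(Cert, ACTIVE) and
attachPrincipalPolicy(Cert, IoTPolicy) (superseded in boto3 by attach_policy).
POLICY_NAME, REVOKED_CERT_IDS and FakeIoTClient are assumptions of this
example, not names from the project.
"""

POLICY_NAME = "DeviceCertPolicy"      # assumed name of the IoT policy to attach
REVOKED_CERT_IDS = {"deadbeef"}       # constructed stand-in for the OEM's CRL


def crl_lookup(ca_certificate_id, cert_description):
    """The slide's checkYourCRL() step. This stand-in keys the revocation list
    by AWS certificate id; a real CRL would be matched on the serial number
    parsed from cert_description['certificatePem']."""
    return cert_description["certificateId"] in REVOKED_CERT_IDS


def handle_registration(event, iot, is_revoked, policy_name):
    """Process one JITR event and return the certificate's final status.

    AWS IoT publishes the event on $aws/events/certificates/registered/<caId>
    with certificateId, caCertificateId, certificateStatus, timestamp,
    awsAccountId and certificateRegistrationTimestamp.
    """
    status = event.get("certificateStatus")
    if status != "PENDING_ACTIVATION":
        return status                       # nothing to do
    cert_id = event["certificateId"]
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    if desc["status"] != "PENDING_ACTIVATION":
        return desc["status"]               # replayed event: stay idempotent
    if is_revoked(event.get("caCertificateId"), desc):
        # Revoked at birth: same call an incident-response Lambda uses to
        # invalidate a live certificate.
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
        return "REVOKED"
    # Attach the policy before activating, so the certificate is never
    # active without an authorization policy bound to it.
    iot.attach_policy(policyName=policy_name, target=desc["certificateArn"])
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    # The slide's updateERP() step (recording the device in the OEM's
    # inventory system) would follow here.
    return "ACTIVE"


def lambda_handler(event, context):
    """AWS Lambda entry point; boto3 is imported here so the module also
    imports on a machine without boto3 for the offline demonstration."""
    import boto3
    return handle_registration(event, boto3.client("iot"), crl_lookup, POLICY_NAME)


class FakeIoTClient:
    """Constructed stand-in for boto3's IoT client that records the calls."""

    def __init__(self, cert_id, status="PENDING_ACTIVATION"):
        self.certs = {cert_id: {
            "certificateId": cert_id,
            "certificateArn": "arn:aws:iot:eu-west-1:1234567890:cert/" + cert_id,
            "status": status}}
        self.attached = []

    def describe_certificate(self, certificateId):
        return {"certificateDescription": self.certs[certificateId]}

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus
        return {}

    def attach_policy(self, policyName, target):
        self.attached.append((policyName, target))
        return {}


def demo():
    """Run a good and a revoked certificate through the handler offline."""
    good = FakeIoTClient("abc123")
    event = {"certificateId": "abc123", "caCertificateId": "ca01",
             "certificateStatus": "PENDING_ACTIVATION"}
    good_result = handle_registration(event, good, crl_lookup, POLICY_NAME)
    bad = FakeIoTClient("deadbeef")
    bad_result = handle_registration(dict(event, certificateId="deadbeef"),
                                     bad, crl_lookup, POLICY_NAME)
    return good_result, bad_result, good.attached, bad.attached


if __name__ == "__main__":
    print(demo())
```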
“I am better than that THING”
User access
Unauthenticated (anonymous) user access (diagram): Amazon Cognito maps the user to an IAM unauthenticated role
Authenticated user access (diagram): an identity provider authenticates the user, Amazon Cognito maps the user to an IAM authenticated role, and an IoT policy is attached per user
IoT security in the cloud scales … and real hardware?
Strong device security: Atmel/Microchip AWS-ECC508
• Straightforward provisioning and secure key storage
• Crypto-operations offloading for constrained hardware
Live demo
Cesanta Mongoose IoT Firmware (mongoose-iot.com)
• Hardware agnostic: ESP8266, TI CC3200 and others
• Secure: SSL/TLS, Microchip ATECC508A crypto-chip support
• Develop in C, or JavaScript, or both
• Networking: MQTT, WebSocket, CoAP, HTTP/HTTPS and others
• Mongoose Embedded Web Server and Networking Library
Customers: NASA, Dell, Samsung, HP and many others
Live demo: ATECC508A-AWS on ESP8266
Point your browser to https://iot-security.cloud/demo
Microchip/Atmel ATECC508A-AWS
Encapsulate the entire provisioning process into a turnkey IC
Focus design effort on customer experience
Strong turnkey security
IoT device identity requirements
• Every device must have a trustable identity
• Private key can never be revealed!!!
• Authenticate every entity with which you communicate
• Authentication process must be trusted
Perfect software exists in theory only
Never mix software with keys!
Attackers don’t need physical access!
• Rowhammer: modify DRAM state to gain kernel privileges
• Acoustic cryptanalysis: listen to component vibration across the room, extract keys (http://www.tau.ac.il/~tromer/acoustic/)
• Timing attack (first published in 1996): extract confidential data based on response delay
ATECC508A-AWS: get critical stuff out of the micro!
• Root of trust for secure code
• High security key storage
• Less code = lower cost
• 10x-100x faster than MCU
Advanced security circuitry: active shield, internal encryption, randomization, tampers, no JTAG, …
Strong attack defenses: microprobe, timing, emissions, faults, glitches, temperature
(diagram: standard devices vs. Microchip security devices)
What makes ATECC508A a vault?
• Keys never leave chip - no back doors!
• Software asks for keys to be used; chip accelerates math using the key
• Elliptic curve algorithm in hardware – can’t exploit software bugs!
Comprehensive thing security
Private key generated entirely inside the ATECC508A
• Completely random
• NEVER readable
• NEVER known by anybody
Certificates generated by world-class HSMs at Microchip
• Protected in State-of-the-art Secure Facilities
No special equipment or procedures required in the OEM factory
Secure in the factory
Secure facilities: 24/7 camera monitored, locked cages, network isolation, physical access control
Hardware Security Modules (HSM): highly secure computers, world-class certifications: FIPS 140-2, CC EAL 4+, …
Microchip’s factory provisioning
Reference design
• ARM® Cortex®-M4 microcontroller
• Wi-Fi® connectivity
• ATECC508A pre-configured for AWS IoT
• I/O module
• Root CA & Intermediate CA demo dongles
• FreeRTOS
• WolfSSL TLS 1.2
• MQTT client
• JSON library
• Example Application with 6 I/Os
Source code & Documentation on GitHub:
https://github.com/MicrochipTech/AWS-Secure-Insight
Easy to get started
Easy OEM setup (diagram): the OEM’s root CA is the root of trust; the OEM CA issues the certificates of the customer-specific production signers, which are registered in the OEM’s AWS account
1. OEM creates AWS IoT account, sets up OEM CA (existing OEM capability, 3rd-party trusted CA, or Microchip CA kit)
2. OEM creates certificates for Microchip production signers
3. OEM registers production signer certificates into their AWS account
Zero touch provisioning - Manufacture (diagram: IoT OEM root of trust, root CA, OEM certificate, customer-specific production signers)
1. Microchip ships ATECC508A including certificates to board shop
2. IoT provisioning made easy: assemble ATECC508A into IoT product
3. Final product ships with little or no cloud enrollment instructions or actions needed
Zero touch provisioning - Field (diagram: IoT device #NN, OEM AWS account, customer-specific production signers)
Device certificate automatically transferred to AWS and registered on first connection
Easy prototyping (diagram: IoT OEM root of trust and root CA; signing USB dongle and OEM USB dongle in the OEM lab)
1. Development kits readily available from distributors
2. Includes turnkey USB dongles set up to model the OEM CA and the Microchip production signers
3. Use to create demonstration systems and alpha units for testing and qualification
ATECC508A-AWS
Secure keys - ultimate protection for keys to prevent any software attack, accelerate ECC up to 100x faster
Fast design - prototyping kits available now, complete reference design on the web, tiny package fits any system
Easy manufacturing - secure and seamless manufacturing logistics. JITR means ready-to-go with AWS out of the box
Easily secure your AWS IoT device
Straightforward off-band certificate
management
• Bring your own certificates
• Just in time registration
• ECC certificate support
Fine-grained authorization at scale
• X.509 certificate policy variables
• Thing policy variables
End-to-end security
• Zero touch secure provisioning
• Mobile carriers’ secure tunnels to VPC
Now build a secure IoT solution!
Demos/resources from this session:
https://iot-security.cloud
Remember to complete
your evaluations!

Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Recently uploaded (20)

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)

  • 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jan Metzner, Anton Shmagin, AWS Kerry Maletsky, Microchip/Atmel November 30, 2016 IOT302 IoT Security The New Frontiers @janmetzner @y0na75
  • 2. What to expect from the session • System, transport and thing security • Fine-grained authorization • Thing management • Pub/sub data access • AWS services integration • Incident response • End-to-end IoT security (demo)
  • 3. Idea for this talk started from the quote … “ Every IoT security article: • IoT is big • IoT security is bad • Consequences are scary • Change default settings • Buy my product • Problem not solved …“ Dr. Sarah Cooper June 2, 2016
  • 4. All things around us are getting connected
  • 5. Things will proliferate (chart: Vertical Industry, Generic Industry, Consumer and Automotive device counts, 2013–2020)
  • 6. Many devices are not enforcing security Mirai bot default passwords
  • 7. Connected ≠ smart
    Internet 1985: Gopher, FTP, NNTP, Telnet, Archie
    IoT 2015: HTTP, MQTT, CoAP, XMPP, AMQP
  • 8. Not a typical apocalyptic IoT talk
  • 9. IoT security needs to be effective yet simple “ … pilots and race car drivers were willing to put on almost anything to keep them safe in case of a crash, but regular people in cars don't want to be uncomfortable even for a minute. “ Nils Bohlin
  • 11. System, transport, and thing security System Transport Thing Risk
  • 13. Connectivity options Direct Gateway Satellite Wi-Fi Cellular LPWAN Bluetooth Other IEEE 802.15.4 ZigBee Z-Wave Thread
  • 16. Incident response in AWS IoT: CloudWatch Events (CWE) executes a Lambda function to invalidate the certificate
  • 17. Time to connect someTHING …
  • 18. One service, three protocols
                            MQTT + Mutual Auth TLS    Websocket + AWS Auth           HTTPS + AWS Auth
    Server auth             TLS + cert                TLS + cert                     TLS + cert
    Client auth             TLS + cert                AWS credentials (API keys)     AWS credentials (API keys)
    Confidentiality         TLS                       TLS                            TLS
    Protocol                MQTT                      HTTP/WS                        HTTP
    Communication model     Pub/sub                   Pub/sub                        REST
    Identification          AWS ARNs                  AWS ARNs                       AWS ARNs
    Authorization           AWS policy                AWS policy                     AWS policy
  • 19. Authentication
    Things: certificate/private key
    Users: AWS IAM (user/role: API keys), Amazon Cognito (role: API keys)
    AWS services: AWS IAM (role: API keys)
  • 20. Authorization – IAM policies IAM unauthenticated or authenticated role Amazon Cognito AWS credentials (services) Temporary AWS credentials (users) Third-party service AWS service
  • 21. Authorization – IoT policies: fine-grained access for each device with a single policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "iot:Connect",
          "Resource": "arn:aws:iot:eu-west-1:1234567890:client/${iot:Certificate.Subject.CommonName.1}",
          "Effect": "Allow"
        },
        {
          "Action": "iot:Publish",
          "Resource": [
            "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
            "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • 22. Authorization – IoT policies: fine-grained access with registry variables
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "iot:Connect",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "Bool": {
              "iot:Connection.Thing.IsAttached": ["true"]
            }
          }
        },
        {
          "Action": "iot:Publish",
          "Resource": [
            "arn:aws:iot:eu-west-1:1234567890:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
          ],
          "Effect": "Allow"
        }
      ]
    }
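To see what the two policies on slides 21 and 22 actually grant, here is an added Python simulation. It is not AWS's policy engine and not code from the talk: it reproduces the observable behaviour (policy-variable substitution, `*` matching on the resource ARN, the Bool condition) so the scoping effect of `${iot:Certificate.Subject.CommonName.1}` and the `${iot:Connection.Thing.*}` variables can be checked without an AWS account. The device names, thing type, topics and connection contexts in `demo()` are constructed; the account prefix is the one on the slides. It goes slightly beyond the slides by also checking an action (iot:Subscribe) that neither policy mentions, to show the default deny.

```python
"""Offline simulation of the fine-grained AWS IoT policies on slides 21 and 22.

Added illustration, not the AWS IoT policy engine: same variable substitution,
'*' wildcard matching on the resource ARN and Bool condition, so the scoping
effect can be checked without an AWS account."""
import fnmatch
import json
import re

ACCOUNT = "arn:aws:iot:eu-west-1:1234567890"   # ARN prefix used on the slides

# Policy from slide 21: every resource is scoped by the certificate's subject CN.
CN_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:1234567890:client/${iot:Certificate.Subject.CommonName.1}",
      "Effect": "Allow" },
    { "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*" ],
      "Effect": "Allow" } ] }
""")

# Policy from slide 22: connect only if the certificate is attached to a thing,
# publish only to the topic named after that thing's type and name.
THING_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Action": "iot:Connect", "Resource": "*", "Effect": "Allow",
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": ["true"] } } },
    { "Action": "iot:Publish",
      "Resource": [ "arn:aws:iot:eu-west-1:1234567890:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}" ],
      "Effect": "Allow" } ] }
""")

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def substitute(template, ctx):
    """Replace ${iot:...} variables with values from the connection context.
    A variable with no value (e.g. no thing attached) becomes a sentinel that
    can never occur in a real ARN, so the statement simply fails to match."""
    return VAR_RE.sub(lambda m: ctx.get(m.group(1), "\x00unset"), template)


def condition_holds(condition, ctx):
    """Only the Bool operator (the one slide 22 uses) is implemented."""
    for operator, tests in condition.items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, accepted in tests.items():
            if str(ctx.get(key, "false")).lower() not in [v.lower() for v in accepted]:
                return False
    return True


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource, ctx):
    """Default deny: True only if an Allow statement matches and no Deny does."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, substitute(r, ctx)) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo():
    """Constructed connection contexts for one device; returns the decisions."""
    # Certificate with subject CN=sensor-42 (context keys mirror the policy variables).
    cn42 = {"iot:Certificate.Subject.CommonName.1": "sensor-42"}
    # Same device registered in the registry as thing "sensor-42" of type "tempsensor".
    thing42 = {"iot:Connection.Thing.IsAttached": "true",
               "iot:Connection.Thing.ThingTypeName": "tempsensor",
               "iot:Connection.Thing.ThingName": "sensor-42"}
    # A certificate not attached to any thing: the thing variables are absent.
    unattached = {"iot:Connection.Thing.IsAttached": "false"}
    return {
        "cn_connect_self": is_allowed(CN_POLICY, "iot:Connect", f"{ACCOUNT}:client/sensor-42", cn42),
        "cn_connect_other": is_allowed(CN_POLICY, "iot:Connect", f"{ACCOUNT}:client/sensor-43", cn42),
        "cn_publish_self": is_allowed(CN_POLICY, "iot:Publish", f"{ACCOUNT}:topic/sensordata/sensor-42/temp", cn42),
        "cn_publish_other": is_allowed(CN_POLICY, "iot:Publish", f"{ACCOUNT}:topic/sensordata/sensor-43", cn42),
        "cn_subscribe": is_allowed(CN_POLICY, "iot:Subscribe", f"{ACCOUNT}:topicfilter/sensordata/sensor-42", cn42),
        "thing_connect": is_allowed(THING_POLICY, "iot:Connect", f"{ACCOUNT}:client/anything", thing42),
        "thing_publish_self": is_allowed(THING_POLICY, "iot:Publish", f"{ACCOUNT}:topic/tempsensor/sensor-42", thing42),
        "thing_publish_other": is_allowed(THING_POLICY, "iot:Publish", f"{ACCOUNT}:topic/tempsensor/sensor-43", thing42),
        "unattached_connect": is_allowed(THING_POLICY, "iot:Connect", f"{ACCOUNT}:client/anything", unattached),
        "unattached_publish": is_allowed(THING_POLICY, "iot:Publish", f"{ACCOUNT}:topic/tempsensor/sensor-42", unattached),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {'ALLOW' if decision else 'DENY'}")
```

The point of the simulation is the one the slides make: one policy document serves every device, yet sensor-42 can neither connect with another device's client id nor publish under sensor-43's topic, and with the registry variant a certificate that has not been attached to a thing cannot even connect.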
  • 23. Birth of a device
  • 24. Strong thing identity Manufacturing line Provisioning of the Identities retrieved from AWS IoT Data connection Create certificate (from CSR)
  • 25. Strong thing identity
    AWS-generated key pair: CreateKeysAndCertificate()
    Customer-generated key pair: CreateCertificateFromCSR(CSR)
  • 27. Customer’s certificate authority Manufacturing line Provisioning of the Identities signed with customer’s CA Data connection async registration
  • 28. Bring your own certificate (BYOC) (diagram: CSRs signed with the customer's Hardware Security Module (HSM))
  • 29. Demo: embedded video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/wo-jitr.mov
  • 30. “Look ma, no hands!” Just-in-time registration (JITR)
  • 31. Just-in-time registration Manufacturing line Provisioning of the Identities signed with customer’s CA First data connection JIT registration
  • 32. Just-in-time registration – Provisioning (diagram: CSRs signed with the customer's Hardware Security Module (HSM))
  • 33. Just-in-time registration – CA registration
    getRegistrationCode()
    registerCACertificate(CACert, RegCert)
    (diagram: CSRs signed with the customer's Hardware Security Module (HSM))
  • 35. Demo: embedded video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/jitr.mov
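The registration path on slides 31–35 and the incident-response path on slide 16 both come down to changing a device certificate's status and the policies attached to it. The Python below is an added example, not code from the talk or from AWS: a JITR handler that activates a freshly registered certificate only when it was issued by a CA the account owner expects, and a revocation handler for the incident-response step. The boto3 operations used (describe_certificate, update_certificate, attach_policy, detach_policy, list_attached_policies) exist with these signatures; the event payload shapes, the policy name SensorDevicePolicy, the CA ids and the FakeIotClient used for the offline run are assumptions or constructed.

```python
"""Two Lambda handlers around the device-certificate lifecycle in AWS IoT.

Added example, not code from the talk:
  * jitr_handler   - runs on the just-in-time registration event (slides 31-35) and
                     activates the certificate only if it came from an expected CA,
                     then attaches the scoped device policy.
  * revoke_handler - the incident-response step from slide 16: detach every policy
                     from a compromised certificate and mark it REVOKED.
The IoT client is injected so both handlers can be exercised offline with the
FakeIotClient below; event shapes are assumptions noted in the docstrings."""
import os

DEVICE_POLICY = os.environ.get("DEVICE_POLICY", "SensorDevicePolicy")   # assumed policy name
TRUSTED_CA_IDS = {c for c in os.environ.get("TRUSTED_CA_IDS", "").split(",") if c}


def _iot_client():
    import boto3  # imported lazily so the module loads without the SDK installed
    return boto3.client("iot")


def jitr_handler(event, context=None, iot=None, trusted_ca_ids=None):
    """Assumed JITR event shape (as published on $aws/events/certificates/registered/<caId>):
    {"certificateId": ..., "caCertificateId": ..., "certificateStatus": "PENDING_ACTIVATION", ...}"""
    iot = iot or _iot_client()
    trusted = TRUSTED_CA_IDS if trusted_ca_ids is None else trusted_ca_ids
    cert_id = event["certificateId"]
    ca_id = event.get("caCertificateId")
    if ca_id not in trusted:
        # Unexpected issuer: leave the certificate PENDING_ACTIVATION (it cannot connect)
        # and return a record that an alarm can be raised on.
        return {"certificateId": cert_id, "action": "left_pending", "reason": f"untrusted CA {ca_id}"}
    cert_arn = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]["certificateArn"]
    # Attach the policy before activating so the device is never ACTIVE without a policy.
    iot.attach_policy(policyName=DEVICE_POLICY, target=cert_arn)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return {"certificateId": cert_id, "action": "activated", "policy": DEVICE_POLICY}


def revoke_handler(event, context=None, iot=None):
    """Incident response. Assumed event shape: {"certificateId": "..."} (for example
    forwarded by a CloudWatch Events rule, as on slide 16)."""
    iot = iot or _iot_client()
    cert_id = event["certificateId"]
    cert_arn = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]["certificateArn"]
    detached = []
    for policy in iot.list_attached_policies(target=cert_arn).get("policies", []):
        iot.detach_policy(policyName=policy["policyName"], target=cert_arn)
        detached.append(policy["policyName"])
    # REVOKED rather than INACTIVE: the status itself records that this was a compromise,
    # not a temporary disablement.
    iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
    return {"certificateId": cert_id, "action": "revoked", "detachedPolicies": detached}


class FakeIotClient:
    """Minimal in-memory stand-in for boto3's IoT client (constructed for offline runs)."""

    def __init__(self, certificates):
        self.status = dict(certificates)   # certificateId -> status
        self.policies = {}                 # certificateArn -> set of policy names

    @staticmethod
    def _arn(cert_id):
        return f"arn:aws:iot:eu-west-1:123456789012:cert/{cert_id}"

    def describe_certificate(self, certificateId):
        return {"certificateDescription": {"certificateId": certificateId,
                                           "certificateArn": self._arn(certificateId),
                                           "status": self.status[certificateId]}}

    def update_certificate(self, certificateId, newStatus):
        self.status[certificateId] = newStatus

    def attach_policy(self, policyName, target):
        self.policies.setdefault(target, set()).add(policyName)

    def detach_policy(self, policyName, target):
        self.policies.get(target, set()).discard(policyName)

    def list_attached_policies(self, target):
        return {"policies": [{"policyName": n} for n in sorted(self.policies.get(target, ()))]}


def demo():
    """Constructed scenario: two freshly registered certificates, then an incident."""
    iot = FakeIotClient({"cert-aaa": "PENDING_ACTIVATION", "cert-bbb": "PENDING_ACTIVATION"})
    good = jitr_handler({"certificateId": "cert-aaa", "caCertificateId": "ca-ours"},
                        iot=iot, trusted_ca_ids={"ca-ours"})
    bad = jitr_handler({"certificateId": "cert-bbb", "caCertificateId": "ca-unknown"},
                       iot=iot, trusted_ca_ids={"ca-ours"})
    incident = revoke_handler({"certificateId": "cert-aaa"}, iot=iot)
    return {"good": good, "bad": bad, "incident": incident, "status": dict(iot.status),
            "policies": {k: sorted(v) for k, v in iot.policies.items()}}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a deployment, jitr_handler is the target of an IoT rule on the registration topic and revoke_handler the target of the CloudWatch Events rule from slide 16. The CA check is what keeps "zero touch" from becoming "zero control": only certificates from the production CA you registered are activated; anything else stays PENDING_ACTIVATION and shows up in the handler's return value for alerting.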
  • 36. “I am better than that THING” User access
  • 37. Unauthenticated (anonymous) user access IAM unauthenticated role Amazon Cognito
  • 39. IoT security in the cloud scales … and real hardware?
  • 40. Strong device security: Atmel/Microchip AWS-ECC508
    Straightforward provisioning and secure key storage
    Crypto-operations offloading for constrained hardware
  • 41. Live demo: Cesanta Mongoose IoT Firmware (mongoose-iot.com)
    • Hardware agnostic: ESP8266, TI CC3200 and other
    • Secure: SSL/TLS, Microchip ATECC508A crypto-chip support
    • Develop in C, or JavaScript, or both
    • Networking: MQTT, WebSocket, CoAP, HTTP/HTTPS and other
    • Mongoose Embedded Web Server and Networking Library
    Customers: NASA, Dell, Samsung, HP and many others
  • 43. Live demo Point your browser: https://iot-security.cloud/demo
  • 44. Microchip/Atmel ATECC508A-AWS
    Encapsulate the entire provisioning process into a turnkey IC
    Focus design effort on customer experience
    Strong turnkey security
  • 45. IoT device identity requirements
    Every device must have a trustable identity
    Private key can never be revealed!!!
    Authenticate every entity with which you communicate
    Authentication process must be trusted
  • 46. Perfect software exists in theory only Never Mix Software with Keys!
  • 47. Attackers don’t need physical access!
    Rowhammer: modify DRAM state to gain kernel privileges
    Acoustic cryptanalysis: listen to component vibration across the room, extract keys (http://www.tau.ac.il/~tromer/acoustic/)
    Timing attack (first published in 1996): extract confidential data based on response delay
  • 48. Get critical stuff out of the micro! ATECC508A-AWS
    Root of trust for secure code
    High security key storage
    Less code = lower cost
    10x–100x faster than MCU
  • 49. What makes ATECC508A a vault?
    Advanced security circuitry: active shield, internal encryption, randomization, tampers, no JTAG, …
    Strong attack defenses: microprobe, timing, emissions, faults, glitches, temperature
    (diagram: standard devices vs. Microchip security devices)
  • 50. Comprehensive thing security
    Keys never leave chip – no back doors!
    Software asks for keys to be used – chip accelerates math using the key
    Elliptic curve algorithm in hardware – can’t exploit software bugs!
  • 51. Secure in the factory
    Private key generated entirely inside the ATECC508A: completely random, NEVER readable, NEVER known by anybody
    Certificates generated by world-class HSMs at Microchip, protected in state-of-the-art secure facilities
    No special equipment or procedures required in the OEM factory
  • 52. Microchip’s factory provisioning
    Secure facilities: 24/7 camera monitored, locked cages, network isolation, physical access control
    Hardware Security Modules (HSM): highly secure computers, world-class certifications: FIPS 140-2, CC EAL 4+, …
  • 53. Easy to get started: reference design
    • ARM® Cortex®-M4 microcontroller
    • Wi-Fi® connectivity
    • ATECC508A pre-configured for AWS IoT
    • I/O module
    • Root CA & Intermediate CA demo dongles
    • FreeRTOS
    • WolfSSL TLS 1.2
    • MQTT client
    • JSON library
    • Example application with 6 I/Os
    Source code & documentation on GitHub: https://github.com/MicrochipTech/AWS-Secure-Insight
  • 54. Easy OEM setup
    1. OEM creates AWS IoT account, sets up OEM CA (existing OEM capability, 3rd-party trusted CA, or Microchip CA kit)
    2. OEM creates certificates for Microchip production signers
    3. OEM registers production signer certificates into their AWS account
    (diagram: Root CA and OEM CA as root of trust, customer-specific production signers, OEM’s AWS account)
  • 55. Zero touch provisioning – Manufacture
    1. Microchip ships ATECC508A including certificates to board shop
    2. IoT provisioning easy: assemble ATECC508A into IoT product
    3. Final product ships with little or no cloud enrollment instructions or actions needed
    (diagram: Root CA, OEM certificate, customer-specific production signers)
  • 56. Zero touch provisioning – Field
    Device certificate automatically transferred to AWS and registered on first connection
    (diagram: IoT device #NN, customer-specific production signers, OEM AWS account)
  • 57. Easy prototyping
    1. Development kits readily available from distributors
    2. Includes turnkey USB dongles set up to model the OEM CA and the Microchip production signers
    3. Use to create demonstration systems and alpha units for testing and qualification
    (diagram: Root CA as root of trust, OEM USB dongle and signing USB dongle in the OEM lab)
  • 58. ATECC508A-AWS: easily secure your AWS IoT device
    Secure keys: ultimate protection for keys to prevent any software attack; accelerate ECC up to 100x faster
    Fast design: prototyping kits available now, complete reference design on the web, tiny package fits any system
    Easy manufacturing: secure and seamless manufacturing logistics; JITR means ready-to-go with AWS out of the box
  • 59. Straightforward off-band certificate management
    • Bring your own certificates
    • Just in time registration
    • ECC certificate support
  • 60. Fine-grained authorization at scale
    • X.509 certificate policy variables
    • Thing policy variables
  • 61. End-to-end security
    • Zero touch secure provisioning
    • Mobile carriers secure tunnels to VPC
  • 62. Now build a secure IoT solution! Demos/resources from this session: https://iot-security.cloud