IOT

Neo Jou

WHAT IS IOT
The internet working of physical devices, vehicles (also referred to as
"connected devices" and "smart devices"), buildings and other items
embedded with electronics, software, sensors, actuators, and network
connectivity that enable these objects to collect and exchange data.
Ref: wiki IoT


90s : Internet
SUN - JAVA (Oak)
1995 - -
Motorola - 50 / 66
IoE ( Internet of Everything ) - Cisco / Qualcomm

M2M : machine to machine

Web of Things
===> SkyNet?

IOT GROW

* Massive IoT - LPWAN

WHERE - EVERY

SMART HOME
- smart lighting
- smart door
- smart coffee machine
- smart air conditioner
- smart weight meter
- smart vacuum cleaner
- smart water heater

IOT SCOPE

Big Data
ASIC / HW design
SW ( HAL / driver/ RTOS / communication protocol / )
multimedia : video / audio / .. :
AI : / / / ..
Security

WHY SECURITY
?

IOT
Server

IoT device

IOT ATTACKS
Program
coding errors like buffer overflow - secure coding
random number - TRNG
System
unnecessary open ports
firmware rollback / firmware update
Device Attack
: e.g. flash, steal code
DOS/DDOS/wifi jammer/ :
Cloud Server Connection Attack
SQL injection / XSS


: MD5/SHA1/SHA2

AES-128/AES-256

/
?


/ ( side channel attack )
, ,

RSA4096 / SIM card (AES-128) /

flash / LDPPR
steal code / confidential data
insertion / destroy the code
JTAG
efuse : ,

DDOS
Distributed
Deny of Service

- ICMP flood
- ping flood
- UDP flood
- TCP SYNC flood
- HTTP flood
-
CPU / Network Resource

WEB ATTACK
1. https port 443
2. XOR-based firmware encryption

3. found buffer overflow vulnerability

in the CGI script
4. sending a very long session cookie to
the script
5. full control over the device
Ref:
http://126kr.com/article/8fer1xbx1
m9

* Howard - HyperC OS
* Linker script -

http://njiot.blogspot.tw/2016/03/arduino-ameba-100-textdatabssheapstack.html

stack-based
buffer overflow

Ref: http://pws.niu.edu.tw/~hbc/StackBO.pdf

TCP 3WHS
Why not 2 ways?

SYNC FLOOD

Timeout : 1 sec
/ /....
SYNC COOKIE
SYNC PROXY

TCP FAST OPEN

RFC7413 - TCP Fast Open :
Linux 3.13 , IPv4 TCP fast open

SYNC PROXY
sync cookie

SEC PROG
strcpy -> strncpy -> strlcpy
strncpy : NUL ,
strlcpy OpenBSD 2.4, ANSI C
compiler option : -fstack-protector-strong

SEC CODE
static code analysis

HW Improve - ARM v8m StackLimit

Improve OS
can not run code in stack
malfunction -> Program DOS

SEC POLICY
,
secure / non-secure :
secure ,
secure

ACL

secure / non-secure

WHAT TO DO

HW solutions - ARM
ARM v8m TrustZone
RTOS security solutions -
Communication Security

ARM ARCH

ARM V8M

ARM V7M

privileged
thread / handler
handler only have
privileged mode

ARM MPU
ARM11
ARMv7m , mbed MPU
uvisor
ARM V8M , size 2

0x3BC00

PMSAv
7
PMSAv
8

1kB

0x80400
16kB

256kB

SINGLE 274kB REGION

1kB

MBED UVISOR - V7M

MBED UVISOR - V7M

privilege + MPU uvisor, overhead
interrupt forwarding - ISR privilege mode , MPU

ARM V8M SAU

MPU , SAU

memory SAU
secure / no-secure
IRQ secure / non-secure

Request from CPU

Security
Attribution
Unit (SAU)
Non-Secure
MPU

Request to
System

System
Level
Control

Secure
MPU

TRUSTZONE

ARM TRUSTZONE
v8m , v8A

ARM V8M

SEC RTOS


wifi WPA2 , protocol

RC4->AES;
PSK: DK = PBKDF2(HMACSHA1,
passphrase, ssid, 4096, 256)
HTTPS
SSL -> TLS
DTLS : UDP

SEC INFO

BugTraq


IoT market and architecture
Why Security
Attacks
Solutions
HW based security solution - ARM v8M
RTOS security
Communication Security

AMEBA

AMEBA

Q&A

THANK YOU