Author Topic: Some ramblings on HTTPS and IoT  (Read 9254 times)


Offline msr (Topic starter)

  • Regular Contributor
  • *
  • Posts: 73
  • Country: pt
    • rasgo.cc
Some ramblings on HTTPS and IoT
« on: March 17, 2017, 07:28:06 pm »
Hey everyone,

Now that HTTPS is becoming mainstream, I would like to ask you: how can the "IoT" cope with it?
Let me explain. As you know, the idea of IoT is having zillions of sensors spread across the globe; most of them are likely to be very low power and use very limited hardware which can't run SSL. So, no HTTPS capability. Right?

I'm thinking about this because I recently got a project where I was required to send some data to an API. I picked up an Arduino Leonardo Ethernet, totally ignoring the fact that the API was running on an HTTPS server. That board uses the WizNET chip (W5500) and there's no way SSL can fit in a system like this. My next bet, and because I need to get this working as soon as possible, is to use a Raspberry Pi. Low power is not a requirement for this project. But what if that was the case?

Do we really need a full-fledged computer every time we want to send some (IoT) data to the cloud?
Also, I don't feel comfortable using an RPI 3 on a new product (availability/supply chain/NDA issues).

Any thoughts on this are greatly appreciated :)

 

Online coppice

  • Super Contributor
  • ***
  • Posts: 8637
  • Country: gb
Re: Some ramblings on HTTPS and IoT
« Reply #1 on: March 17, 2017, 07:42:19 pm »
Most current IoT platforms are dead ends. No capacity for SSL. No capacity for IPv6. Very limited ability to deal with updates.
 

Offline Dumont

  • Newbie
  • Posts: 6
  • Country: us
Re: Some ramblings on HTTPS and IoT
« Reply #2 on: March 17, 2017, 08:08:10 pm »
Systems will have limited capacity, but they'll need to be sized in order to provide enough oomph to meet a security requirement.  However, that requirement won't be met with TLS and traditional RSA-style public-key encryption.  There's already a move to focusing on datagram-based protocols and adapting tools to work that way.  This reduces processing overhead to perform the security tasks, and also allows for much lower power consumption.

For example using Datagram TLS (DTLS) instead of traditional TLS.  Also, a move to cryptographic systems that can be implemented securely with a lower resource overhead as well through things like Elliptic Curve Cryptography and hardware acceleration to assist that.

As an intermediate step it certainly makes sense in some cases to centralize the processing power locally to something like a gateway node that can have more resources to secure data that might be fine locally before putting it into the wilds of the Internet/cloud.
 

Offline mhwlng

  • Contributor
  • Posts: 19
  • Country: nl
Re: Some ramblings on HTTPS and IoT
« Reply #3 on: March 17, 2017, 08:31:51 pm »
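The ESP8266 Arduino 'WiFiClientSecure' libraries have SSL/TLS built in:

Code:
#include <WiFiClientSecure.h>  // part of the ESP8266 Arduino core
WiFiClientSecure client;
client.connect(host, 443);     // open a TLS connection to the HTTPS port

Source: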

https://github.com/esp8266/Arduino/blob/master/libraries/ESP8266WiFi/src/WiFiClientSecure.cpp
 
The following users thanked this post: kripton2035, bitseeker

Offline Red Squirrel

  • Super Contributor
  • ***
  • Posts: 2750
  • Country: ca
Re: Some ramblings on HTTPS and IoT
« Reply #4 on: March 19, 2017, 12:43:26 am »
The main issue with IoT is that it should not even be on the internet in the first place.  It should all be based on a local network and have a central local controller server. If you want remote access then you set up a proper VPN.

Though guess I'm a bit old school too, all my automation/sensor stuff is wired.  The central server actually powers all the sensors.  My software would allow to have wireless nodes too, then it would use normal wifi which is already encrypted. (don't know how good it is, ex: if NSA can crack it, but it's there)
 
The following users thanked this post: PlainName, diyaudio, Iwanushka, Ampera, Ian.M, Vtile

Offline Ampera

  • Super Contributor
  • ***
  • Posts: 2578
  • Country: us
    • Ampera's Forums
Re: Some ramblings on HTTPS and IoT
« Reply #5 on: March 19, 2017, 12:51:47 am »
Quote
The main issue with IoT is that it should not even be on the internet in the first place.  It should all be based on a local network and have a central local controller server. If you want remote access then you set up a proper VPN.

Though guess I'm a bit old school too, all my automation/sensor stuff is wired.  The central server actually powers all the sensors.  My software would allow to have wireless nodes too, then it would use normal wifi which is already encrypted. (don't know how good it is, ex: if NSA can crack it, but it's there)

I totally agree with you almost on every point.

People don't need a goddamned fridge that can tell them when the ice is running low, or when the milk is out. We have spent millions of years through thousands of distinct species in order to develop highly accurate, and incredibly useful EYES that can do the SAME exact work for NO money at all.

How about the Smart TVs? Because HTPCs and Chromecasts are so hard to use. I mean, come on.

The story is the same with cable boxes. I mean can't you just throw together a QAM decoder and be done with it? In the US of A we don't have DVB anything. Our only digital broadcasting system for video is ATSC which is TOTALLY useless unless you're in some strange place that actually has any channels. I get 3-5 in my house off ATSC. We also don't have consumer non-subscription satellite TV like DVB-S in Europe.

I think IoT should die in a hole. It's another piece of shit on the list of crap that nobody asked for, and is only shiny keys jingling in front of incredibly dumb babies on the market.
I forget who I am sometimes, but then I remember that it's probably not worth remembering.
EEVBlog IRC Admin - Join us on irc.austnet.org #eevblog
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26896
  • Country: nl
    • NCT Developments
Re: Some ramblings on HTTPS and IoT
« Reply #6 on: March 19, 2017, 02:10:24 am »
Quote
The main issue with IoT is that it should not even be on the internet in the first place.  It should all be based on a local network and have a central local controller server. If you want remote access then you set up a proper VPN.

The problem with that is that you'll always need to have the extra box which doesn't add value. Besides that, a lot of people already have a box between the internet and their local network: a router.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Neganur

  • Supporter
  • ****
  • Posts: 1138
  • Country: fi
Re: Some ramblings on HTTPS and IoT
« Reply #7 on: March 19, 2017, 08:26:09 am »
Quote
People don't need a goddamned fridge that can tell them when the ice is running low, or when the milk is out. We have spent millions of years through thousands of distinct species in order to develop highly accurate, and incredibly useful EYES that can do the SAME exact work for NO money at all.

I used to have a similar opinion about a tweeting toilet....until a friend of mine said Oh My God! We can finally do medical statistics on elderly people's 'affairs' and check that they are healthy.
I blinked in disbelief, because why on earth would that be important information, but apparently for some people it is really useful.

It costs money to send people around and check fridge content. This way it is known ahead of time what is still in the fridge and it can be ordered and brought with the care service.
And I do agree that I personally do not need an IoT fridge and would never have sought to develop one either.

There is this thing called translational engineering: http://studyguides.aalto.fi/elec/2015-aee/majors/translational-engineering.html and I can totally see now why some of the weird stuff we shake our heads at can be useful in other ways.
 

Offline ebclr

  • Super Contributor
  • ***
  • Posts: 2328
  • Country: 00
Re: Some ramblings on HTTPS and IoT
« Reply #8 on: March 19, 2017, 08:53:39 am »
Very high probability of finishing here

http://mqtt.org/
« Last Edit: March 29, 2017, 12:32:53 am by ebclr »
 

Offline Galenbo

  • Super Contributor
  • ***
  • Posts: 1469
  • Country: be
Re: Some ramblings on HTTPS and IoT
« Reply #9 on: March 28, 2017, 09:28:07 pm »
Quote
People don't need a goddamned fridge that can tell them when the ice is running low,...

No, but the government, and their globalist/corporatist friends, do.
They want to know when and how you are at home, and control your behaviour to compensate for their shortcomings.
Nest, "smart" energy meters etc serve the same purpose.

Quote
I think IoT should die in a hole. It's another piece of shit on the list of crap that nobody asked for, and is only shiny keys jingling in front of incredibly dumb babies on the market.

It's something I was first happy about, especially the new low-datarate network that allowed all my sensors to communicate to a global network, without every time a GSM unit + de-facto 120 euro subscription cost per year per card.
But more and more Lora, Sigfox etc show their true nature: Bigstate government tools.
« Last Edit: March 28, 2017, 09:30:35 pm by Galenbo »
If you try and take a cat apart to see how it works, the first thing you have on your hands is a nonworking cat.
 

Offline 0b01010011

  • Regular Contributor
  • *
  • Posts: 69
  • Country: au
Re: Some ramblings on HTTPS and IoT
« Reply #10 on: March 28, 2017, 09:40:28 pm »
When some of these devices don't even have (or the manufacturer doesn't bother adding support for) DNS (https://www.eevblog.com/forum/chat/iot-%27sous-vide%27-cooker-device-reverse-engineering-video/) then I fail to see how they would be able to or care to implement SSL.

Let alone any of the other security measures you need to take on a connected system.  Miele's dishwasher webserver bug (https://twitter.com/mikelectricstuf/status/846140267707187201) says it all.

Whilst these guys (as in appliance manufacturers) are great at appliances and appliance firmware, they have no deep understanding of the security side of IOT and simply bolt on what they can guy-in-his-back-shed style.
 

Offline SingedFingers

  • Frequent Contributor
  • **
  • Posts: 599
  • Country: gb
Re: Some ramblings on HTTPS and IoT
« Reply #11 on: March 28, 2017, 10:19:57 pm »
Can I just add as well that crypto is a cat and mouse game. You don't just flick the TLS switch and all is good. The implementations are volatile and under constant attack and upgrade. TLS implementations two years ago aren't the same today.

The ONLY way you're going to get a TLS implementation that doesn't suck is to use a larger device such as a Pi or embedded PC and run an OS on it which has supported OpenSSL (or equivalent library) packages.

And thus we see the demise of IoT as a good idea some more.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6821
  • Country: va
Re: Some ramblings on HTTPS and IoT
« Reply #12 on: March 28, 2017, 10:53:57 pm »
Quote
The problem with that is that you'll always need to have the extra box which doesn't add value.

On the contrary, the value it adds is the ability to talk to localised low-cost, low-power devices, and provide a single point of security/interface.

Do you also consider your consumer unit to be an 'extra box which doesn't add value'?
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26896
  • Country: nl
    • NCT Developments
Re: Some ramblings on HTTPS and IoT
« Reply #13 on: March 29, 2017, 03:53:20 pm »
Quote
The problem with that is that you'll always need to have the extra box which doesn't add value.

On the contrary, the value it adds is the ability to talk to localised low-cost, low-power devices, and provide a single point of security/interface.

That doesn't add any perceived value to the customer because the customer and the competition don't care about security. A (for example) fridge which connects to the internet using Wifi (=the existing router) is way easier.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6821
  • Country: va
Re: Some ramblings on HTTPS and IoT
« Reply #14 on: March 29, 2017, 04:12:08 pm »
Maybe I am not used to the modern world, but I wouldn't call a fridge a "low-cost, low-power device".
 

Online Kjelt

  • Super Contributor
  • ***
  • Posts: 6460
  • Country: nl
Re: Some ramblings on HTTPS and IoT
« Reply #15 on: March 29, 2017, 05:54:49 pm »
As long as the device is only transmitting data, such as a sensor for instance, you do not need TLS per se. Just Tx the data; if the data is privacy sensitive or you do not want anyone else to use it, you can encrypt it with a PSK and algo of your choice.
When you do want two-way traffic you have to open a port on your (first) router and then you need to take precautions such as putting the device between a second router which protects your home LAN. This is not different for an IoT device or a $2000 PC, a dishwasher, IP camera or NAS. You need a mature DMZ or you will be pwned in weeks. The only exception might be if your IoT device is so stupid (no OS) that if it is hacked the attacker can still not use it to exploit the rest of your network; in that case a stupid IoT device like a single ARM Cortex-M3 is safer than a Raspberry Pi that runs a known and vulnerable, exploitable OS that needs regular maintenance and updates to keep secure.
« Last Edit: March 29, 2017, 05:57:42 pm by Kjelt »
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6821
  • Country: va
Re: Some ramblings on HTTPS and IoT
« Reply #16 on: March 29, 2017, 06:33:20 pm »
Quote
Just Tx the data

To... where?

If we are talking discrete devices (like the fridge) then it needs to talk to somewhere. Something will have contacted it and asked for data. The alternative, that it sends to some cloudy thing, is simply moving the (unloved and pointless) hub box into the cloud, where it is worse than having it in your home.

Quote
you can encrypt it with a PSK and algo of your choice

You can do lots of things, but perhaps you wouldn't if you had any sense.

Twenty years ago you would probably be right because that's how it was. But this is now, and we DO NOT want a phone app for the fridge, a different phone app for the microwave, another yet again different phone app for the lights, etc. What we want, and need, is a single app that will talk to everything. And to achieve that we do not want 'algo of your choice' infesting everything - it has to be a proper open standard protocol.
 

Online Kjelt

  • Super Contributor
  • ***
  • Posts: 6460
  • Country: nl
Re: Some ramblings on HTTPS and IoT
« Reply #17 on: March 29, 2017, 07:29:30 pm »
Quote
Just Tx the data

To... where?

To some cloud instance/service with a domain name you registered and a good security solution such as Azure or AWS S3 or the likes. Not something you have to maintain yourself, I agree.

Quote
You can do lots of things, but perhaps you wouldn't if you had any sense.
Twenty years ago you would probably be right because that's how it was. But this is now, and we DO NOT want a phone app for the fridge, a different phone app for the microwave, another yet again different phone app for the lights, etc. What we want, and need, is a single app that will talk to everything. And to achieve that we do not want 'algo of your choice' infesting everything - it has to be a proper open standard protocol.
Yes and we want a lot of things like one single perfect OS on all computers etc.
Reality is that the money is not only in the sale of the product but in the control of the product and the (big) data coming from the product. So all products being controlled from a single standard and app is not going to happen. Each manufacturer wants to keep in control of their devices so the best you can hope for is that they will allow a part of the interface as an open API for 3rd parties.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6821
  • Country: va
Re: Some ramblings on HTTPS and IoT
« Reply #18 on: March 29, 2017, 07:35:08 pm »
Quote
a domain name you registered and a good security solution such as azure or aws s3 or

Oh, come on! Just slap that hub in and be done :)

Quote
Yes and we want a lot of things like one single perfect OS on all computers etc.

That's not a good example, I think. We don't want the same OS (perfect or otherwise). We want platform agnostic data, which is what we have for computers and which we don't have for IoT. When you go browsing the interwebs, your specific machine doesn't matter. Use Chrome, Firefox, whatever suits you, but that website will still be accessible (mostly - some dorks do break this). Use ewelink to access a TP-Link light switch? I don't think so :)
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26896
  • Country: nl
    • NCT Developments
Re: Some ramblings on HTTPS and IoT
« Reply #19 on: March 29, 2017, 07:44:56 pm »
Quote
As long as the device is only transmitting data, such as a sensor for instance, you do not need TLS per se. Just Tx the data; if the data is privacy sensitive or you do not want anyone else to use it, you can encrypt it with a PSK and algo of your choice.
When you do want two-way traffic you have to open a port on your (first) router

Who is going to configure that port? The best way is to use a 'phone home' system where the device initiates communication to a certain domain name. The router acts as a stateful firewall allowing outgoing connections only. If the user has a functioning DHCP server in the router then this setup needs zero configuration from the user.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Online coppice

  • Super Contributor
  • ***
  • Posts: 8637
  • Country: gb
Re: Some ramblings on HTTPS and IoT
« Reply #20 on: March 30, 2017, 08:11:26 am »
Quote
As long as the device is only transmitting data, such as a sensor for instance, you do not need TLS per se. Just Tx the data.

The problem here is that people are very bad at figuring out whether data actually leaks something useful to a snooper. When you make some piece of equipment you seldom even know how it will be used, to even try to assess the implications of leakage. I have seen smart people take an enormous amount of convincing to show them how a snooper might make malicious use of data. The idiotic "I have nothing to hide" argument is very strong in many people.

Quote
if the data is privacy sensitive or you do not want anyone else to use it you can encrypt it with a PSK and algo of your choice.

A pre-shared key offers no long term security. It will eventually be shared by everyone.
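
The transmit-only PSK scheme from Reply #15 and the objection above that one shared key eventually leaks, as an added Python example that is not part of any post in this thread: each device gets its own key derived from a master secret, and the receiver rejects tampered, replayed and impersonated frames. The frame layout, the `sensor-psk-v1` label and all names are assumptions made for illustration; only authentication and replay protection are shown (HMAC-SHA256 from the standard library), with payload encryption left out.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the authentication tag


def derive_device_key(master: bytes, device_id: bytes) -> bytes:
    # Per-device PSK: a key pulled out of one device's flash exposes only
    # that device, not the whole fleet. The label is a hypothetical constant.
    return hmac.new(master, b"sensor-psk-v1|" + device_id, hashlib.sha256).digest()


def seal(psk: bytes, device_id: bytes, counter: int, payload: bytes) -> bytes:
    # Device side. Frame: id_len (1) | id | counter (u32 BE) | payload | tag
    header = bytes([len(device_id)]) + device_id + struct.pack(">I", counter)
    tag = hmac.new(psk, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    # Gateway or cloud side: holds the master secret and per-device counters.
    def __init__(self, master: bytes):
        self._master = master
        self._last = {}  # device_id -> highest counter accepted so far

    def accept(self, frame: bytes):
        # Returns (device_id, counter, payload), or None if the frame is rejected.
        if len(frame) < 1 + 4 + TAG_LEN:
            return None
        id_len = frame[0]
        if len(frame) < 1 + id_len + 4 + TAG_LEN:
            return None
        device_id = frame[1:1 + id_len]
        (counter,) = struct.unpack(">I", frame[1 + id_len:5 + id_len])
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        psk = derive_device_key(self._master, device_id)
        expected = hmac.new(psk, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, corrupted, or sealed with another device's key
        if counter <= self._last.get(device_id, -1):
            return None  # replay of an old, validly authenticated frame
        self._last[device_id] = counter
        return device_id, counter, frame[5 + id_len:-TAG_LEN]


def demo():
    master = bytes(range(32))  # constructed sample secret, not a real key
    rx = Receiver(master)
    key_a = derive_device_key(master, b"sensor-A")
    good = seal(key_a, b"sensor-A", 1, b"temp=4.5")
    tampered = bytearray(seal(key_a, b"sensor-A", 2, b"temp=4.5"))
    tampered[-TAG_LEN - 1] ^= 0x01  # flip one payload bit in transit
    return {
        "first": rx.accept(good),
        "replayed": rx.accept(good),
        "tampered": rx.accept(bytes(tampered)),
        # sensor-A's key used to impersonate sensor-B
        "impersonated": rx.accept(seal(key_a, b"sensor-B", 1, b"temp=99")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```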
 

Offline Vtile

  • Super Contributor
  • ***
  • Posts: 1144
  • Country: fi
  • Ingineer
Re: Some ramblings on HTTPS and IoT
« Reply #21 on: March 30, 2017, 11:47:55 am »
Quote
The main issue with IoT is that it should not even be on the internet in the first place.  It should all be based on a local network and have a central local controller server. If you want remote access then you set up a proper VPN.

Though guess I'm a bit old school too, all my automation/sensor stuff is wired.  The central server actually powers all the sensors.  My software would allow to have wireless nodes too, then it would use normal wifi which is already encrypted. (don't know how good it is, ex: if NSA can crack it, but it's there)

This. IoT is in general a dead end, merely a buzz word from software industry (I suppose) and stepping stone to something worth to mention. The idea of this type of decentralised plug&play sensor, data acquisition and control is nice, but too idealistic to survive in real world. Most things now hyped on this field have been around in automation industry in different names with technically more robust implementation if not decades at least a long time. IoT is something comparable to batteroo.
 

Offline Kilrah

  • Supporter
  • ****
  • Posts: 1852
  • Country: ch
Re: Some ramblings on HTTPS and IoT
« Reply #22 on: March 30, 2017, 11:52:11 am »
Quote
Low power is not a requirement for this project. But what if that was the case?

Then you do like everyone beyond gimmicky gadgets does - sensors with low power local communication to a base station that is mains-powered and is akin to your Pi or router-like hardware and bridges to the online service.
 
The following users thanked this post: Vtile

Online Kjelt

  • Super Contributor
  • ***
  • Posts: 6460
  • Country: nl
Re: Some ramblings on HTTPS and IoT
« Reply #23 on: March 30, 2017, 12:49:28 pm »
Quote
A pre-shared key offers no long term security. It will eventually be shared by everyone.

If the key is long enough, the algo still secure, the device is not on the open market for sale and the application not interesting enough for attackers to start brute-forcing, I think you are pretty safe.
I wouldn't recommend it for mass products, no, but for individual use. If you are so scared you change the PSK every year or so.
 

Online Kjelt

  • Super Contributor
  • ***
  • Posts: 6460
  • Country: nl
Re: Some ramblings on HTTPS and IoT
« Reply #24 on: March 30, 2017, 12:51:30 pm »
Quote
This. IoT is in general a dead end, merely a buzz word from software industry (I suppose) and stepping stone to something worth to mention.

You sound like the people ten years ago that said smartphones would never get sold in huge numbers, too expensive and useless.
 

