Design and Development of an Internet of Things Device with Particular Attention to Device Security
A. Stillman, T. Canino
POEM Technology, LLC, Huntington, NY 11743
ENGINEERS WEEK SEMINAR SERIES 2016 Engineers Joint Committee of Long Island
Outline
1. POEM Technology and its Devices
   - The iLevel and ψ Level
   - A WiFi Example
2. Security Issues
   - Security Issues in General
   - Security Issues For Connected Devices
   - Security Issues For Business Rules
3. Our Security Implementation
   - Communication Security
   - The Server Interface
POEM Technology, LLC
POEM Technology manufactures two types of internet-connected tank gauges, the iLevel and the ψ Level. Both devices feature internet connectivity by default. These devices transmit fuel oil levels or current readings to www.poemtechnology.com, where they become data accessible to clients as charts of usage.
Fluid Gauges (1)
- iLevel gauges use Hall effect sensors to detect float position
- ψ Level gauges use fluid pressure to measure liquid height (the Greek psi handily is a mnemonic for pounds per square inch)
- Both devices use either WiFi (IEEE 802.11) or cellular (LTE) communications
Fluid Gauges (2)
Figure: The iLevel and ψ Level Devices
The Closed Loop Connection (WiFi shown)
Figure: The WiFi Closed Loop Fuel Delivery Cycle
Security Issues in General
Different attacks have different strategies for security
- Data breaches are like bank robberies
  - Stationary target
  - Breach by force, password hacking
  - Breach by seduction, also known as social engineering
- Communication channel attacks are like train robberies
  - Connection disruption, e.g. DDoS attacks
  - Eavesdropping
Security Issues For Connected Devices
- At the sensor front end, devices access the internet via the IEEE 802.11 protocol (WiFi) or by cellular connections
  - Using WiFi requires an access point connection and implies that a password is involved
  - Cellular connections require a SIM card or embedded SIM to access telephone networks
- On the network, secure data transfer requires HTTPS and an SSL certificate
- On the hosting webserver, protections against various attacks are necessary
Security Issues For Business Rules
- Fuel suppliers treat client lists as proprietary information
- Tank gauge location is privileged information
  - WiFi gauges have no GPS capability
  - Cellular gauge modem may or may not support GPS, so we disconnect the GPS antenna
- Database identity is by UUID and serial number
  - The fuel supplier associates the gauge UUID to an account
Our Communication Options
Figure: The Transport Pathways
Data Flow From Device To Server
- Secure POST from device to website
  - The individual tank data is a low-value target; tank data is about as prosaic as one can get
- Hosted LAMP environment on web hosting service
  - JSON string data processed by PHP script
  - Database entries under control of PHP script
The Server Interface
- End user logs in via https
- Client type determines display
  - single tank
  - multi-tank
- multi-tenant database
  - individual scoping of user data
  - custom login management
- to change to cloud services environment in ver. 2.0
  - requires cloud services
  - provides data center security
  - provides webserver security
  - provides automatic patching
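
One way to implement the device-to-server ingest ("Data Flow From Device To Server") and the per-tenant scoping ("The Server Interface"), as an added example that is not POEM Technology's code. Python and SQLite stand in for the PHP/LAMP stack; the field names (uuid, serial, level_pct), the schema and the sample values are assumptions.

```python
import json
import sqlite3
import uuid

def open_db():
    """In-memory stand-in for the hosted database; the schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gauges (uuid TEXT PRIMARY KEY, serial TEXT NOT NULL, account_id INTEGER);
        CREATE TABLE readings (uuid TEXT NOT NULL, level_pct REAL NOT NULL);
    """)
    return db

def ingest(db, body):
    """Store one device POST body only if it parses and names a known gauge."""
    try:
        msg = json.loads(body)
        gauge_uuid = str(uuid.UUID(msg["uuid"]))  # canonical form; rejects junk
        serial, level = msg["serial"], float(msg["level_pct"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
    if not isinstance(serial, str) or not 0.0 <= level <= 100.0:
        return False
    # Parameterized queries only: device input never becomes SQL text.
    known = db.execute("SELECT 1 FROM gauges WHERE uuid = ? AND serial = ?",
                       (gauge_uuid, serial)).fetchone()
    if known is None:
        return False  # unknown UUID, or serial does not match that UUID
    db.execute("INSERT INTO readings VALUES (?, ?)", (gauge_uuid, level))
    return True

def readings_for_account(db, account_id):
    """Tenant-scoped read: the account filter is part of the query itself."""
    return db.execute(
        "SELECT r.uuid, r.level_pct FROM readings r JOIN gauges g ON g.uuid = r.uuid "
        "WHERE g.account_id = ? ORDER BY r.rowid", (account_id,)).fetchall()

def demo():
    """Constructed data: two supplier accounts with one gauge each."""
    db = open_db()
    a, b = "7d9f2c1e-4b6a-4e0b-9c3d-2f1a5b8c7e01", "0c4e8a92-1f3b-4d7c-8a5e-6b9d2c3f4a02"
    db.executemany("INSERT INTO gauges VALUES (?, ?, ?)", [(a, "SN-0001", 1), (b, "SN-0002", 2)])
    accepted = [ingest(db, json.dumps(m)) for m in (
        {"uuid": a, "serial": "SN-0001", "level_pct": 62.5},
        {"uuid": b, "serial": "SN-0001", "level_pct": 40},      # serial of another gauge
        {"uuid": "not-a-uuid", "serial": "SN-0001", "level_pct": 5},
        {"uuid": b, "serial": "SN-0002", "level_pct": 180},     # out of range
        {"uuid": b, "serial": "SN-0002", "level_pct": 18.0})]
    return accepted, readings_for_account(db, 1), readings_for_account(db, 2)
```
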
Practical Software Advice for Startups
- Lockdown is important
- An early security plan is essential
- The most valuable assets get protected first
- Assume hacks and attacks. Here are some requested URLs from one month:

Requested URL                     Requests
//muieblackcat                    10
/phpmyadmin/scripts/setup.php     10
/myadmin/scripts/setup.php        10
/th1s_1s_a_4o4.html               64
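
A way to produce per-URL counts like those on this slide from a web server access log, as an added example that is not from the original slides. It assumes the Apache/nginx combined log format; the sample log lines, client addresses and the /gauge/report.php path are constructed.

```python
import re
from collections import Counter

# Probe paths from the slide, stored normalized (single leading slash, lowercase).
PROBE_PATHS = {
    "/muieblackcat",
    "/phpmyadmin/scripts/setup.php",
    "/myadmin/scripts/setup.php",
    "/th1s_1s_a_4o4.html",
}

# Combined log format: client ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def normalize(path):
    """Drop the query string, collapse repeated slashes, lowercase."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0]).lower()

def tally_probes(lines):
    """Return (hits per probe path, hits per client) for scanner requests."""
    by_path, by_client = Counter(), Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # malformed line: skip rather than guess
        path = normalize(m.group("path"))
        if path in PROBE_PATHS:
            by_path[path] += 1
            by_client[m.group("client")] += 1
    return by_path, by_client

# Constructed sample lines (documentation addresses, hypothetical report path).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2016:04:11:09 -0500] "GET //muieblackcat HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [02/Feb/2016:04:11:10 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [02/Feb/2016:04:11:10 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.23 - - [02/Feb/2016:09:30:44 -0500] "GET /th1s_1s_a_4o4.html HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.23 - - [02/Feb/2016:09:30:45 -0500] "GET /th1s_1s_a_4o4.html?x=1 HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.50 - - [02/Feb/2016:10:02:00 -0500] "POST /gauge/report.php HTTP/1.1" 200 17 "-" "-"',
]

if __name__ == "__main__":
    paths, clients = tally_probes(SAMPLE_LOG)
    for name, counts in (("path", paths), ("client", clients)):
        for key, n in counts.most_common():
            print(f"{name:6} {n:4d}  {key}")
```

Clients that request several of these paths in a short window are candidates for rate limiting or blocking at the web server or hosting firewall.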