doc

The DNS and the Internet of Things: Opportunities, Risks, and Challenges

Charting the Atack Surface of Trigger-Action IoT Platforms

9 Main Security Challenges for the Future of the Internet Of Things (IoT)

Enhancing-IoT-Security-Report

Hardware or Software Security: Which is right for my IoT Device?

Privacy, Discovery, and Authentication for the Internet of Things

A Privacy-Enhancing Framework for Internet of Things Services

gfce

International IoT Security Initiative

Internet of Things (IoT) Security GFCE Global Good Practices

思路不错,问题点,bcp(设计,实践,认证,基线,标准),challenge(供应链,碎片化,生命周期,rot,监控,人员) 都列了一下。

ietf

rfc8576 : iot security

从威胁讲起:漏洞、隐私、clone of things、替换、监听、MITM、镜像、信息提取、路由攻击(改包、选择性转发、分光、伪装)、提权、ddos。

影响:业务影响、安全风险、隐私风险、安全事件处理

一堆协议。。。

基于IP的安全框架。。。

PSK, Raw Public Key, Cert 安全模式。。。

主要问题点:异构网络、资源受限、DDoS、E2E、初始化、group comm、移动网络状态变换、secure update、update old and insecure cryptographic primitives、end of life (eol)、设备证明、应急响应、quantum-resistance、privacy (idenfication, localization, profiling, interaction, life cycle transitions, inventory attack, linkage)、逆向、可信操作。

iotsf

IoT Security Foundation Publications

Secure Design Best Practice Guides

主要是报菜名:classification of data, physical security, device secure boot, secure os, application security, credential Management, encryption, network connections, securing software updates, logging, software update policy, secure boot, secure update, side channel attack。

IoT Security Assurance Framework

分了几个安全等级,以及对上面的菜名的细化要求。

etsi

ETSI IoT Security WORKSHOP

nist

NISTIR 8228 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

主要关注device security, data security, privacy (personally identifiable information, PII)。

NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers

8259主要扯厂商可以在iot device的出厂前,出厂后干些什么事。注意出厂后的安全生命周期、升级、过期等等处理。

8259A关注device Cybersecurity的基线: device idenfication, device configuration, data protection, logical access to interface, software update, cybersecurity state awareness。

8259B主要扯要有什么人,应该干什么事。

NIST SP 800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements

800-213 主要是表态。

800-213A 是针对8259讨论的内容的一些描述与解释,看目录也行。

NIST Cybersecurity for IoT Program

Trusted Internet of Things (IoT) Device 4 Network-Layer Onboarding and Lifecycle 5 Management

arm psa

The PSA Certified 10 Security Goals Explained

Entity Attestation Tokens

arm主要是列了10大安全目标: unique idenfication, security lifecycle, software authorization, secure update, anti-rollback, isolation, interaction, device binding of stored data, cryptographic and trusted services。

基线内容是安全启动、HUK、安全存储等等,扩展内容是eat设备证明。

JSADEN014 Platform Security Model

针对10 security goals的细化要求。

psa Certifying Your Product

认证材料。

PSA Certified Level 1 Questionnaire Version 2.1 REL-02 有与其他标准(例如nist, etsi)的映射

PSA Certified Level 2 Attack Methods 威胁建模

Platform Threat Model and Security Goals

表列得不错

arm

Platform security

Trusted Firmware-M Documentation

initial_attestation

paper

Evaluation of Out-of-Band Channels for IoT Security

Evaluation of Out-of-Band Channels for IoT Security

secure bootstrapping in ad-hot IoT deployment。

Out-of-Band : NFC, QR Code, audio。

Extensible Authentication Protocol (EAP)。

One-time password (OTP): SMS。

group messaging

telegram, whatsapp, signal, support e2e encryption with oob verification, require users to compare information shown on each other’s devices。

telegram: 生成一个图片展示已交换的keys。

whatsapp:

  • 60-bit string = hash (user’s public identity key) 到 30-bit + 30-bit (两个string);用户比较60-bit string
  • 或者扫qr code

Nimble Out-of-Band Authentication for EAP (EAP-NOOB)

dynamic OOB messages, refresh cycle 3600s。

secret nonce (Noob): first authentication, mutually authentication。

cryptographic fingerprint(Hoob): verify the integrity of the key exchange, detect impersonation and mitm on the in-band channel。

OOB mesage url example (60bytes): server domain name (60 characters base64), PeerId (22 characters base64), secret nonce (Noob) 16-byte, fingerprint (Hoob) 16-byte。

attack

firmware

tlstorm : ups, firmware没签名

misbinding

Misbinding Attacks on Secure Device Pairing and Bootstrapping : 标识的脆弱性



Published

04 July 2020

Tags


Share On