[m2m-iwg] Consumer device security (was: M3DA presentation)

The interesting aspect of the discussions of late, at least to me, is that they are entirely focused on connection security.  In the industrial M2M space, there was a heavy reliance on physical controls and little or no security in the operations side of the network.  Eventually the Ops network was upgraded to include connection security, but the messages showing up over those secure connections are usually assumed to be intact and authentic.  This new security architecture (arguably) works because of a closed network with TLS guarding the perimeter.  The devices are trusted and inside a perimeter which is itself also trusted, so the messages are trusted.

But the physical and perimeter controls present in industry won't be there in the consumer space where it's necessary to assume that the devices themselves are hostile and the perimeter is porous.

Industry has also traditionally had one owner for all the data.  It is collected, correlated, analyzed and acted on by a single entity.  If not a single legal entity, then a single entity from a trust perspective.  It goes from the plant to the control room to the Enterprise.  Possibly it goes to 3rd parties but there is an inherent trust that the data is assumed to be intact and authentic because it arrives over an authenticated connection from a trusted source.

This will also not be true in the consumer space where data will be used by multiple parties, where the first owner is not the only one who requires integrity and authenticity, and where the first owner must be assumed to be untrustworthy by second-tier users of the device data.  (Not necessarily by untrustworthy character so much as by virtue of the porous network and lack of physical controls.)  People will want to be first owners of their data and vendors transacting business based on device data need to know it is authentic and intact.

Based on these observations, it seems to me that securing the data is a hard prerequisite to IoT in the consumer space - homes, autos, many offices.  Connection security remains integral, especially for administrative connections, but I don't see it as the foundation of trust for device data in the consumer space.

Has anyone else arrived at that conclusion?  If I'm wrong, where am I wrong?  The assumptions about how consumer space differs from industry?  The unwillingness of consumers to use "smart" devices where they are not the first owner of the data?  The assumption that device data will drive multi-party financial transactions?  The assumption that the consumer network is inherently porous and that legitimately provisioned devices must be assumed hostile?

On the other hand if I'm correct or even close on the assumptions and conclusion then is there any work being done on signed data in this group?  I'd like to participate and I'm keen to get industry participants hooked up with people in the VRM and pClouds groups who also see this as a requirement and are looking to make progress on it.  Or does this group see that as the developer's responsibility?  Because solving this problem in the application creates walled gardens but solving it in the transport creates an ecosystem.

Cheers -- T.Rob


m2m-iwg-bounces@xxxxxxxxxxx wrote on 03/13/2013 07:25:47 AM:

> From: Fabien Fleutot <fleutot@xxxxxxxxx>
> To: m2m Industry Working Group <m2m-iwg@xxxxxxxxxxx>,
> Date: 03/13/2013 07:26 AM
> Subject: Re: [m2m-iwg] M3DA presentation - Security
> Sent by: m2m-iwg-bounces@xxxxxxxxxxx
>
> M3DA security addresses another M2M issue: key provisioning. In
> practice, it's often hard to mass-manufacture devices with
> individual keys in their firmware. What we see is that more often
> than not, a whole fleet of devices end up sharing the same
> authentication key, with the results you can imagine if that key is
> compromised.
>
> M3DA mitigates that risk with two levels of keys: there's a
> provisioning key, which is shared by several devices, but is only
> used to exchange the actual, unique-per-device authentication key
> (we call them "registration password" and "password" respectively).
> The password provisioning is performed the first time the device
> connects to the network, possibly in factory during tests; by
> default, the server will refuse to re-provision a password which has
> already been provisioned, thus thwarting identity theft attempts.
>
> A full TLS or SSH tunneling solution, with unique keys provisioned
> during manufacturing, a full PKI to back it, and an effective
> revocation system, is preferable to M3DA in some cases; but it's
> hard enough to deploy that in practice, many people simply roll out
> a lousy shared password scheme, optionally with an illusion of
> security brought by the (mis)use of a TLS stack. M3DA is much better
> than the naive solution, without being harder to deploy.
> _______________________________________________
> m2m-iwg mailing list
> m2m-iwg@xxxxxxxxxxx
> http://dev.eclipse.org/mailman/listinfo/m2m-iwg
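As an added illustration of the two-level key scheme described in the quoted message (this is not M3DA's own code or wire protocol; the in-memory registry, the HMAC-based proofs and the assumption that the password exchange itself is protected by the registration password are constructed here), the model below shows why a leaked fleet-wide registration password does not let a second party take over an identity that has already been provisioned, and why device data authenticated with the per-device password cannot be forged with the shared key alone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def registration_proof(registration_password: bytes, device_id: str) -> bytes:
    """Device side: prove knowledge of the fleet-wide registration password."""
    return hmac.new(registration_password, device_id.encode(), hashlib.sha256).digest()


def sign(password: bytes, message: bytes) -> bytes:
    """Device side: authenticate a data message with the unique per-device password."""
    return hmac.new(password, message, hashlib.sha256).digest()


class ProvisioningServer:
    """Toy server model: one shared registration password, one unique password per device."""

    def __init__(self, registration_password: bytes) -> None:
        self.registration_password = registration_password  # shared by the whole fleet
        self.passwords: Dict[str, bytes] = {}  # device_id -> unique password, set once

    def provision(self, device_id: str, proof: bytes) -> Optional[bytes]:
        """First-connect provisioning; returns the new password or None on refusal."""
        expected = registration_proof(self.registration_password, device_id)
        if not hmac.compare_digest(expected, proof):
            return None  # caller does not hold the registration password
        if device_id in self.passwords:
            return None  # refuse to re-provision an identity that already has a password
        password = secrets.token_bytes(32)
        self.passwords[device_id] = password
        # Assumption: the real exchange protects this value with the registration
        # password in transit; returning it directly keeps the model short.
        return password

    def authenticate(self, device_id: str, message: bytes, tag: bytes) -> bool:
        """Accept a data message only if its tag was made with this device's password."""
        password = self.passwords.get(device_id)
        if password is None:
            return False  # unknown or never-provisioned device
        return hmac.compare_digest(sign(password, message), tag)
```

The refusal on re-provisioning is what limits the blast radius of a compromised registration password to devices that have not yet connected for the first time.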
