Securing the Internet of Things


  • 1.

    Securing the Internet of Things
    Paul Fremantle, CTO, WSO2 (paul@wso2.com); PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk); @pzfreo
    Paul Madsen*, Technical Architect, PingIdentity (pmadsen@pingidentity.com); @paulmadsen
    *Paul M helped me with the initial content, but I take responsibility for anything you don’t like in this slide deck.

  • 3.

    About me
    • CTO and Co-Founder, WSO2 – Open Source Middleware platform
    • Part-time PhD looking at security
    • Working in Apache for 14 years
    • Working with Cloud, SOA, APIs, MQTT, IoT

  • 11.

    So what is different about IoT?
    • The longevity of the device
      – Updates are harder (or impossible)
    • The size of the device
      – Capabilities are limited, especially around crypto
    • The fact there is a device
      – Usually no UI for entering user IDs and passwords
    • The data
      – Often highly personal
    • The mindset
      – Appliance manufacturers don’t think like security experts
      – Embedded systems are often developed by grabbing existing chips, designs, etc.

  • 12.

    Physical Hacks
    • A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
    • Karsten Nohl and Henryk Plötz, MIFARE: Little Security, Despite Obscurity

  • 17.

    Hardware recommendations
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity

  • 20.

    Crypto on small devices
    • Practical Considerations and Implementation Experiences in Securing Smart Object Networks
      – http://tools.ietf.org/html/draft-aks-crypto-sensors-02

  • 24.

    Crypto
    Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

  • 29.

    Datagram Transport Layer Security (DTLS)
    • UDP-based equivalent to TLS
    • https://tools.ietf.org/html/rfc4347

  • 32.

    CoAP
    • Constrained Application Protocol
      – http://tools.ietf.org/html/draft-ietf-core-coap-18
      – REST-like model built on UDP
      – Californium project coming soon to Eclipse IoT
    • No authentication or authorization
      – Relies on DTLS or data in the body

  • 34.

    MQTT
    • Very lightweight messaging protocol
      – Designed for 8-bit controllers, SCADA, etc.
      – Low power, low bandwidth
      – Binary header of 2 bytes
      – Lots of implementations
        • Mosquitto, Paho, RSMB and Moquette from Eclipse
      – Clients: Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc.
    • Plus an even lighter-weight version for Zigbee – MQTT-SN (Sensor Network)

  • 35.

    MQTT
    • Relies on TLS for confidentiality
    • Username/Password field
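As an added example (not code from the deck), a minimal MQTT 3.1.1 CONNECT builder and parser showing the 2-byte fixed header from slide 34 and where the username/password field of slide 35 sits in the payload; without TLS those password bytes are readable by anything on the path. Packet layout follows the MQTT 3.1.1 specification; the client id and credentials are constructed sample values.

```python
import struct

def _mqtt_str(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s  # MQTT string: 2-byte big-endian length + bytes

def _remaining_length(n: int) -> bytes:
    """Variable-length integer that follows the 1-byte type/flags in the fixed header."""
    out = bytearray()
    while n > 127:
        out.append(n % 128 | 0x80)  # continuation bit set on all but the last byte
        n //= 128
    return bytes(out) + bytes([n])

def build_connect(client_id: bytes, username=None, password=None) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (clean session, keep-alive 60 s); inputs are constructed."""
    flags, payload = 0x02, _mqtt_str(client_id)
    if username is not None:
        flags, payload = flags | 0x80, payload + _mqtt_str(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _mqtt_str(password)
    body = _mqtt_str(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body

def parse_connect(pkt: bytes) -> dict:
    """Decode a CONNECT packet the way a broker, or anyone on the path, sees it."""
    if pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    rem, mult = 0, 1
    for pos in range(1, 5):  # remaining length: 1 to 4 bytes, 7 data bits each
        rem, mult = rem + (pkt[pos] & 0x7F) * mult, mult * 128
        if not pkt[pos] & 0x80:
            break
    body, pos = pkt[pos + 1:pos + 1 + rem], 0
    if len(body) != rem:
        raise ValueError("truncated packet")
    def read_str() -> bytes:
        nonlocal pos
        n = struct.unpack_from(">H", body, pos)[0]
        s, pos = body[pos + 2:pos + 2 + n], pos + 2 + n
        return s
    proto = read_str().decode()
    level, flags, keepalive = struct.unpack_from(">BBH", body, pos)
    pos += 4
    info = {"protocol": proto, "level": level, "keepalive": keepalive,
            "client_id": read_str().decode()}
    if flags & 0x04:  # will flag: will topic and message precede the credentials
        info["will_topic"], info["will_message"] = read_str().decode(), read_str()
    info["username"] = read_str().decode() if flags & 0x80 else None
    info["password"] = read_str() if flags & 0x40 else None  # plaintext unless TLS wraps the socket
    return info
```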

  • 39.

    Why OAuth2?
    • Widely implemented
    • Pretty good
      – Of course there is never 100% agreement
      – Or certainty with security protocols
    • Not just HTTP:
      – http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-12
      – OAuth2 used with SSL

  • 42.

    Why FIAM for IoT?
    • Can enable a meaningful consent mechanism for sharing of device data
    • Giving a device a token to use on API calls is better than giving it a password
      – Revocable
      – Granular
    • May be relevant for both
      – Device to cloud
      – Cloud to app

  • 43.

    Two aspects using OAuth with IoT
    • On the device
      – Tokens are good
      – Limiting the access of the device
    • On the cloud
      – Putting users in control of their data
      – Just good current practice
    • Demo with MQTT
      – But not just for MQTT
      – Also for the cloud, CoAP, and other protocols too

  • 44.

    Demo components
    • Mosquitto (Open Source MQTT Broker) – acting as “Resource Server”
    • Mosquitto_py_auth
    • mqtt-oauth2.py
    • IdP: WSO2 Identity Server
    • ESB: Introspection API
    • Refresher.py
    • Arduino
    • CreateToken.py
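The broker-side half of the approach in slides 43 and 44, written as an added example rather than the deck's mqtt-oauth2.py: the device presents its OAuth2 access token in the MQTT password field, the broker validates it against an introspection endpoint, and the token's scopes limit which topics the device may publish to or subscribe on. The introspection endpoint is replaced by an in-memory stub, and the `pub:`/`sub:` scope convention, the topic filters and the token values are all assumptions for this example.

```python
import time
from typing import Optional

# Constructed in-memory stand-in for the IdP's token introspection endpoint
# (RFC 7662 response shape). In the deck that role is played by WSO2 Identity
# Server behind the ESB; a real plugin would POST the token there instead.
INTROSPECTION_DB = {
    "tok-arduino-1": {"active": True, "client_id": "arduino-1",
                      "scope": "pub:sensors/arduino-1/#",
                      "exp": int(time.time()) + 3600},
    "tok-revoked": {"active": False},
}

def introspect(token: str) -> dict:
    """Look the token up as the introspection endpoint would (constructed stub)."""
    return INTROSPECTION_DB.get(token, {"active": False})

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' matches one level, '#' the rest of the topic."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def authenticate(username: str, password: str) -> Optional[dict]:
    """CONNECT hook: the MQTT password field carries the device's OAuth2 access
    token. Returns the introspection record when the token is active, unexpired
    and issued to the connecting client, else None (broker refuses the CONNECT)."""
    info = introspect(password)
    if not info.get("active") or info.get("exp", 0) <= time.time():
        return None
    if info.get("client_id") != username:
        return None
    return info

def authorize(info: dict, access: str, topic: str) -> bool:
    """ACL hook: 'write' (publish) needs a pub: scope and 'read' (subscribe) a
    sub: scope whose topic filter matches the topic. The scope prefixes are an
    assumed convention for this example, not something the deck defines."""
    prefix = {"write": "pub:", "read": "sub:"}[access]
    return any(topic_matches(s[len(prefix):], topic)
               for s in info.get("scope", "").split() if s.startswith(prefix))
```

Revoking the device's token at the IdP (or letting it expire) cuts the device off at the next CONNECT without changing any credential on the broker, which is the "revocable, granular" property slide 42 argues for.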

  • 46.

    Lessons learnt
    • MQTT and MPU / I2C code is 97% of Duemilanove
      – Adding the final logic to do OAuth2 flow pushed it to 99%
      – No TLS in this demo is a big issue
    • Different OAuth2 implementations behave differently (e.g. changing the refresh token every time you refresh)
    • Need to be able to update the scope of token if this will work for long term embedded devices
    • The refresh flow should not really go via the Resource server
      – Easy fix
    • MQTT should have a well defined model for sending a message to just one client (securely)

  • 48.

    Summary
    • Think about security with your next device
    • We as a community need to make sure that the next generation of IoT devices are secure
    • We need to create exemplars
      – Shields
      – Libraries
      – Server software
      – Standards
