Ok let us start #NerdHour

So to recap, I've got a load of components and I want to put them into a weatherproof box outside our house so we can monitor the pollution.

London's pollution isn't bad but we also have a lot of ugly dirty diesels still driving around.
I need to take data recorded by my box and push it to a service. That service is https://io.adafruit.com/ .
Once I have my bill of materials (BOM), I can start to make my threat model.

What? Threat who?
Basically a threat model is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritised.

What's the worst that could happen and what should you do?
I'm using @IriusRisk here as I find it one of the best. First up is for me to draw my architecture, and the data flows and how they are processed. But before we do that, let's chat about Internet of Things (IoT) and threats.

They have not paid me for this!
You probably have heard many cry 'IoT of Shit' or 'I hacked my bluetooth dildo' and whilst they are valid vulnerabilities, many don't understand the cycle of manufacturing of such components.

Security is expensive, so a 10 quid part might not be as secure as a 50 quid one.
For example, my Adafruit M4 express is the heart of all of this. https://www.adafruit.com/product/3857 
It costs £20 and makes use of a Cortex M4. It's powerful but also very cheap. It doesn't use EEPROM but has SPI flash, which you could read if you had access to the board.
It isn't a secure IoT board and doesn't have TrustZone or other modern security controls, like firmware isolation, boot control (secure boot), secure firmware updates and restricted access to keys.

This is important to know at the start: know what you are working with
So what does it have?

Does not having the above make it really bad? No, and this is where *you*, yes you, need to work out what your risk profile is. The M4 does support JTAG and Serial Wire Debug (if available),
so if someone did get access to the unit, they *could* get access to $stuffs

This is where your threat model comes into play. Which Cortex is right for you?
At what price point does the project make sense?

Am I storing state secrets on the device, or transmitting stuff deemed Official Secret, or actually stuff that can be secured further up the chain? Am I a target, or am I boring af and live in the suburbs?
To recap, the threats could be:

- Physical theft of device and extraction of keys
- Use of extracted keys to auth into endpoints
- Personally identifiable information (PII) exposure (address, password, underpant size)
- Ability to burn your house down (STUXNET)
This is where FUD often gets in the way of reality. Yes, someone could come to the house, unscrew it and start extracting data from the SPI flash, but what would that give them?
This is where you need to understand the data flows, chokepoints and other key security controls that could thwart such an attack.

I've looked at the various components, both hardware and software endpoints and drawn the following architecture.
Now before anyone @'s me, I could go a lot deeper but I'm adopting the KISS approach here so as to not muddy the waters. Now I have a choice here to use either an HTTP POST API or MQTT to send the data.

I can self-host or use Software as a Service (someone else does it)
Both are useful, but MQTT has been designed to be the lightweight standard messaging protocol for IoT and does come with default security and uses TLS and OAuth.

Each has pros and cons, so let's see what components we have.
One of the biggest problems faced by many doing a threat model is working out the threat. Not everyone has offensive experience or mindsets, so how do you work out what will hurt you if you don't know?

Is that large man with an axe actually bad or a woodchuck?
This is where a tool actually helps, one that has a continually updated dataset of threats and remediations.

You will notice a lot of things you have no control over here as a customer. Take account creation: be inquisitive and look at what is happening behind the scenes.
I create an account, choose a suitable password (passphrase, stored in a password manager) and then automatically see how I can secure this vital part of the data flow.

2FA is available, HELO sign me up. Ok I've done all I can to make my account secure for me.
Next up, what about the broker (if I'm using it)?

Adafruit control that and don't explain how they handle this, so right now it's finger sucking. What you can do is look at the bits *you* do control, such as the client and your data.
Here you need to trust but verify. Now you are within your rights to reach out to @adafruit and ask them, or look at their site to see how they might be securing this.

Good security has transparency. Trust goes both ways.
Ok back to what I *can* control: my stuff.

Authorisation attacks are still valid. I've already added 2FA and chosen a strong passphrase.
Also I've noticed Adafruit offer a few other key security controls, such as account activity notification, sessions in use, etc.

This goes a long way for me to work out if something untoward is up. This helps with OAuth2 but what about my actual MQTT or API key?
#define IO_USERNAME "bobbytables"
#define IO_KEY "aio_hRXA85ja8974hjewhrwkj89s67d8sd7cX"

This is important, as if an attacker gets access to the device, they could extract this from the SPI flash. A valid attack, but one mitigated by, say, physical controls (better location, etc.).
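A defender's check for that point, added here as an example and not code from the thread or from Adafruit: scan a firmware or SPI-flash image for credentials linked in as plain string literals, so you know exactly what a flash dump would hand over and which key to rotate. The "aio_" key pattern is generalised from the thread's one sample, the image is constructed, and the key value is the thread's own placeholder, not a live credential.

```python
import re

# Constructed stand-in for a dump of the M4 Express's SPI flash: filler bytes
# with the thread's #define values and the broker hostname linked in as
# string literals, the way a compiler places them in .rodata.
FIRMWARE_IMAGE = (
    b"\x00\xff\x7f\x00" * 64
    + b"io.adafruit.com\x00"
    + b"\x00" * 16
    + b"bobbytables\x00"
    + b"aio_hRXA85ja8974hjewhrwkj89s67d8sd7cX\x00"   # placeholder from the thread
    + b"\x00\xff\x7f\x00" * 64
)

# Adafruit IO keys carry an "aio_" prefix (as in the thread's sample); the
# minimum length and character class are assumptions generalised from it.
AIO_KEY_RE = re.compile(rb"aio_[A-Za-z0-9]{20,}")
# Runs of printable ASCII, the same heuristic the `strings` tool uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def find_embedded_keys(image: bytes) -> list[tuple[int, str]]:
    """Offset and value of every Adafruit-IO-shaped key readable in the image."""
    return [(m.start(), m.group().decode()) for m in AIO_KEY_RE.finditer(image)]


def strings_near(image: bytes, offset: int, window: int = 64) -> list[str]:
    """Printable strings in the `window` bytes before a hit: the neighbouring
    literals (username, broker host) that turn a bare key into a usable login."""
    lo = max(0, offset - window)
    return [m.group().decode() for m in STRING_RE.finditer(image[lo:offset])]


def audit_firmware(image: bytes) -> list[dict]:
    """One finding per key: enough to know which key to rotate and what context leaked."""
    findings = []
    for offset, key in find_embedded_keys(image):
        findings.append({
            "offset": offset,
            "key_prefix": key[:8] + "...",   # never write the full credential to a report
            "neighbours": strings_near(image, offset),
        })
    return findings


if __name__ == "__main__":
    for f in audit_firmware(FIRMWARE_IMAGE):
        print(f"key {f['key_prefix']} at 0x{f['offset']:x}, next to {f['neighbours']}")
```

Run it against a real dump (`python audit.py` after replacing FIRMWARE_IMAGE with `open(path, "rb").read()`); a hit means the key must be treated as extractable and rotated from the Adafruit IO UI if the box is ever tampered with.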
At this stage, I have a pretty good understanding of what each component does, the data flow and what that data entails and what threats exist and how I can remediate some of them and how others should be.

Some threats might have to be 'risk accepted'
A big bad hacker could come to my home, use different tools to take the box off the wall and hopefully do it when I wasn't there, otherwise said hacker will get a remodeling of their facial structure.

If they did get access to my API keys, I should be able to see this in the UI
Risk accepted but noted.

Yes, IoT is insecure, but let's be adult about this: the sky isn't falling, and this is where understanding and acting on the threats that are actually possible is so vital for all the tech we build.
Now I appreciate this is a dance that many need to join in. I like to think of it as a Soul Train Security Party©
So you are a manufacturer of affordable IoT devices for people in London who want to check pollution, what are you to do?

Well the threat model works for you too. It helps you design your product to be more robust, and security shouldn't cost the earth. Use @owasp.
For example, @DanielMiessler and co's amazing IoT framework https://owasp.org/www-project-internet-of-things/
And that concludes today's Nerd Hour. I managed to get Soul Train into a thread about threat modeling and security.

AND PEOPLE SAY SECURITY PEOPLE ARE BORING AF!!!

hah, whatever
You can follow @dcuthbert.