Hands on IoT
@sachinkmr_
Sachin Kumar
“If you spend more on tea than on IT security, you will be hacked. What’s more, you deserve to be hacked”
Sagar Pasrija
@thesagarpasrija
Outline
- Recap
- What Is IoT ?
- MQTT
- Why HTTP Is Not Enough ?
- MQTT.fx
- Why Be Concerned About IoT ?
- Wireshark
- Summary
Recap
HTTP
- HTTP is a client-server protocol: requests are sent by one entity, the user-agent (or a proxy on behalf of it)
- Most of the time the user-agent is a Web browser, but it can be anything, for example a bot that crawls the Web to populate and maintain a search engine index
- It is document centric
- It is one to one
Web Sockets
- WebSockets are an evolution in client/server web technology. They allow a long-held single TCP socket connection to be established between the client and server
- This allows bi-directional, full-duplex data transmission with little overhead
- The result is a very low latency connection
What Is IoT ?
The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these objects to connect and exchange data
Where is IoT ?
Everything about IoT
Various Names, One Concept!
- M2M (Machine to Machine)
- “Internet of Everything” (Cisco Systems)
- “World Size Web” (Bruce Schneier)
- “Skynet” (Terminator movie)
MQTT
- MQTT stands for Message Queuing Telemetry Transport
- MQTT is a lightweight event and message-oriented protocol
- MQTT works on a publish/subscribe architecture
- A client subscribes to a channel on a server, and when a server receives new information for that channel, it pushes it out to that device
Working of MQTT
MQTT Standard Messages
MQTT QoS Levels
MQTT vs HTTP
Why HTTP Is Not Enough ?
HTTP is not really ideal for many of IoT's special needs, such as:
- Emitting information from one to many
- Listening for events whenever they may happen
- Distributing small packets of data in huge volumes
- High sensitivity to
  - Volume (cost) of data being transmitted
  - Power consumption (battery-powered devices)
  - Responsiveness (near real-time delivery of information)
Why HTTP is not enough ?
Lucy Zhang, the engineer in charge, was experienced enough to know that the 3 key issues were going to be:
- latency – how to get faster phone-to-phone communications
- battery – and do that without killing batteries
- bandwidth – or sucking up the user’s available bandwidth
Why HTTP is not enough ?
Stephen Nicholas did a fascinating comparison of MQTT vs HTTPS on 3G and WiFi
MQTT.fx
Why Be Concerned About IoT ?
It’s just another computer, right?
- All of the same issues we have with access control, vulnerability management, patching, monitoring, etc.
- Default, weak, and hardcoded credentials
- Vulnerable web interfaces (SQL injection, XSS)
- Clear text protocols and unnecessary open ports
- DoS / DDoS
Why Be Concerned About IoT ?
Wireshark
Wireshark is a network packet analyzer.
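The clear-text concern listed above applies to MQTT itself: when the connection is not wrapped in TLS, the CONNECT packet carries the client ID, username and password as length-prefixed strings, which is what a packet analyzer displays. The Python below is an added example, not part of the original slides; it assumes MQTT 3.1.1 framing, and the function name `audit_connect` and the sample bytes (`sensor-01`, `device`, `changeme`) are constructed for illustration.

```python
import struct

# Constructed sample bytes (not a real capture): MQTT 3.1.1 CONNECT with
# clean-session, User Name and Password flags set (connect flags = 0xC2).
SAMPLE = (b"\x10\x27\x00\x04MQTT\x04\xc2\x00\x3c"
          b"\x00\x09sensor-01\x00\x06device\x00\x08changeme")

def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' (7 data bits per byte)."""
    value = shift = 0
    while pos < len(buf) and shift <= 21:          # at most four length bytes
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:                        # high bit clear: last byte
            return value, pos
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one field with a 2-byte big-endian length prefix."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def audit_connect(packet):
    """Report what anyone on the network path can read from a CONNECT packet."""
    if not packet or packet[0] >> 4 != 1:          # packet type 1 = CONNECT
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length or len(body) < 10 or body[:7] != b"\x00\x04MQTT\x04":
        raise ValueError("truncated packet or not MQTT 3.1.1")
    flags = body[7]                                # keep-alive is body[8:10]
    client_id, pos = _field(body, 10)
    if flags & 0x04:                               # Will flag: topic, then message
        _, pos = _field(body, pos)
        _, pos = _field(body, pos)
    seen = {"client_id": client_id.decode(), "username": None, "password_exposed": False}
    if flags & 0x80:                               # User Name flag
        user, pos = _field(body, pos)
        seen["username"] = user.decode()
    if flags & 0x40:                               # Password flag
        _, pos = _field(body, pos)                 # present on the wire; not echoed
        seen["password_exposed"] = True
    return seen

print(audit_connect(SAMPLE))
```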
Summary
If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety
If understood and secured, IoT will enhance communications, lifestyle, and delivery of services
Threat V/S Opportunity
Thank you!
Any Questions?