Popular IoT applications

• Home automation, Smart cities.
• Wearables, Healthcare, Automotive...

Popular IoT protocols and standards

• Application level: MQTT, XMPP, AMQP. CoAP.
• Networking level: 6LoWPAN, RPL. DTLS.

Focus of this talk

Home automation using MQTT

Architecture basics

• Sensors: room/temperature, outside/humidity.
• Commands: room/radiator, garage/door.
• All devices are using a MQTT broker connected to Internet.

Privacy requirements

• Some data may be shared publicly: outside/humidity.
• Some data may be shared to a trusted set of people or systems: garage/door, room/temperature.
• Some commands need to be protected: room/radiator.
• Some commands need to be secure: garage/door. A 2FA would be a good thing.

Connecting our home to the IoT

• Naming: my_home.domain.name/<location>/<device>.
• Security: SSL/TLS required for MQTT requests from Internet.

Threats on DNS

• DDoS on root servers (2002, 2007).
• Verisign (2003), ISPs and governements abuses.
• Protocol weakness: spoofing, cache poisoning...

Issues with SSL/TLS

• Implementation issues: Heartbleed, Poodle.
• Lenovo's SuperFish abuse.
• Cryptography: Debian RNG bug (2008), RSA key backdoor.

Hierarchical

Trust Model

The Blockchain

• Made famous by cryptocurrencies, especially Bitcoin.
• In cryptocurrencies, acts as a ledger for transactions.
• Integrity is ensured by the network. No SPOF.

Why does it work?

• The mining process rewards people for maintaining the ledger's integrity. Mining is computational power-hungry.
• In cryptocurrencies, everyone in the network is motivated by the same incentive, i.e. getting money.
• It works because everyone is a bit greedy and that the "silent majority" outperforms the "few villains".

January 2015 - IBM and Samsung unveil ADEPT

Autonomous Decentralized Peer-to-Peer Telemetry

However, nearly 8 months ago... Mosquitto-Twister

The Twister platorm

Twister is a fully decentralized Twitter clone.

• A Blockchain stores the full list of User Handles.
• User profiles are stored in a DHT (Kademlia).
• Posts are stored within BitTorrent swarms.
• DMs are encrypted, other messages are not.

Mapping into MQTT concepts

• A Handle is used instead of a Domain Name.
• MQTT's pub/sub model fits nicely with Twi[st]ter's one.

Here is some food for thought (and the Q & A session):

• Secret sharing.

  Secret keys are hard to protect. Storing a key into a device makes it a SPOF, so let's split the key into parts and store those parts across multiple devices... Hint: ssss.

• Adaptive security.

  NFC payments are prone to errors, but limited to a maximum amount. It's a matter of risk versus consequences. Let's extend this principle to give a proper response to a given situation, using a Quorum.