-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Promoting an approach where every thing is a server is a security nightmare #197
Comments
Thank you for your comments. We also looked at the similar issues you posted and linked above, and acknowledge your concerns. We have been discussing your input in our Security meeting and while we don't yet have a complete response, here are some points of discussion which came up:
We can certainly discuss updates to the WoT Architecture and WoT Security and Privacy Guidelines documents to better capture and discuss the above points. We could, for example, point out in the security documents that implementing devices as clients and running the Thing services in a gateway may allow for more centralized security implementations. |
Great reply @mmccool. Everything that you mentioned makes sense. You see a need to support existing technology and you do see the need for Things to connect as clients to a server. If existing technology can be supported through plugins on a gateway there is no concern. Also true and the reference implementation of the gateway supports this. Sofar all is good. However I haven't seen anything that discourages a Thing to expose a server. This is about new devices that implement the Thing WoT protocols to support an interoperable web of things (a superb vision!), not legacy devices. Where in the spec does it define the APIs needed to let Things update their status with a gateway or intermediary. Right now all I see is examples that require the Thing to run a server and have a gateway or intermediaries connect to a Thing to get a status. This is the insecure and flawed approach I'm referring to and my main concern. Right now it is promoted. Set an example and others will follow. Why can't it be stated that 'Things' (new devices) don't run a server and should connect to a gateway to announce themselves and push their status updates. (I'm aware of the directory service but it isn't enforced). Leaving it open leads to two incompatible approaches. Reference to the insecure approach: I'm happy to elaborate if these examples are not clear. In the interim I'm working on an extension that defines how Things connect to a gateway to push their status updates. I was hoping the API's for this would be defined somewhere but haven't found them (yet). |
We understand the concerns you are raising and we'll review your suggestions carefully. We see also that you wrote up more details on your proposed approach here: https://wostzone.github.io/ You might want to look into the "profiles" work. This is taking a more "prescriptive" approach than our original work (which was descriptive) and as such is meant to constrain "new" devices designed from the outset to work with WoT. However, I think we probably need to have a lot of discussion of security tradeoffs (the gateway approach is not without its own risks, so what are the pros and cons) before we would incorporate strong recommendations one way or the other in the specs or notes. Would you be willing to join the Security call? We can also just keep discussing things in this issue, but a live meeting might be faster. |
Got it, thank you for reviewing my concerns. Yes I would like to take the opportunity to join the security call if I'm able to. I hadn't seen the profiles before and they are very interesting. They constraints the scope of implementation with the assurance of interoperability, very useful. It does raise a few more questions (of course 😄). If I interpret it correctly, the core profile data model seems to apply to the TD content, regardless where it lives (Thing, Gateway, Intermediary). It also seems that the protocol binding applies to that which serves the TD, regardless who that is. Must the (greenfield) Thing serve a TD in order to be called a Thing or is there a provision that it can proxy through a gateway and still be called a Thing and WoT compliant? I'd love to hear your thoughts on whether the WoT team is open to exploring the idea that a Thing is proxied through a gateway without the Thing running a server. It might require a dedicated protocol binding for Thing to gateway communication. Would a Thing that is designed this way still be considered a Thing? |
So, there is a PR against Architecture now that adds definitions for Gateway, Edge Device (a general category that includes the others), Hub, and Edge Computer. Architecture now needs to refine the discussion of the "Hub" architecture to make clear to people this is an acceptable architectural choice for a WoT system (it is). After we close on the pre-CR drafts of the normative documents (prob 1 May) we'll be updating the Security and Privacy Guidelines and can discuss when a hub architecture is most appropriate and the security tradeoffs against a peer-to-peer/Smart Objects approach. You are , of course, still more than welcome to join our Security call to discuss in person, but please check for cancellations due to our F2F next week. See https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Cancellations |
Thanks for the update and the link @mmccool. Unfortunately joining the call is a challenge with being on Pacific time and having a job. If it is not too much of a hassle I can comment with issues or maybe it is possible to open the discussion feature on github? I've tried Stack overflow but discussion/brainstorm type questions are downvoted. I read the PR and am excited to see the terminology of Hub and Shadow devices. This fits nicely with I'm progressing with the WoST |
I think it would be useful to add a security consideration point to the Architecture document. See w3c/wot-architecture#672. In general I think we probably need to think about how to better support "client" devices in WoT. |
FYI, I've been working on a Hub that follows the hub-and-spokes architecture. IoT devices do not run servers in this setup and are clients that discover the hub to connect to. A provisioning service establishes trust between IoT device and hub. Communication takes place over a message bus that the IoT device connects to, using the credentials given during provisioning. A diagram of the security aspects can be found here. The repo of the hub with core services can be found here: https://github.com/wostzone/hub. Some of the challenges I ran into were:
|
Note: this issue might be somewhat strongly worded but considering what is at stake it is best to be clear.
The architecture sections on common patterns describe many cases as if the gateways and edge device need to connect to the appliance. This means the IoT device (appliance) acts as a server. Libraries such as webthing-node create a server that the gateway discovers and connects to.
There are a few drawbacks to this approach, but by far the worst is that it increases the attack footprint to never seen before proportions. Imagine that the majority of IoT devices can be connected to. Who wants to be responsible to ensure that every single manufacturer creates bomb proof security on their servers? Most likely the same thing will happen as what happened to cameras. One day someone finds a vulnerability and the next day the internet burns down, or your identity gets stolen. Point in case are the DDOS reflection attacks facilitated by the CoAP protocol. This is not imaginary as explained in this article on IoT vulnerabilities
There are two steps that the WoT specification can do to mitigate this potential disaster (and hopefully more):
The most secure server is the one that doesn't exist. Rather than including a server in every IoT device, define that gateways or edge devices receive connections from IoT devices and aggregate the data. There are far fewer edge devices/gateways than IoT devices so this approach significantly reduces the footprint. The moment an appliance 'joins a gateway' its server must be off.
Second, provide a secure reference implementation of this gateway that has had thorough reviews of its security aspects and receives regular updates.
If you put out a specification like WoT you also bear responsibility for its weaknesses. Yes it requires some rethinking of the data flow and security best practices, but the high level abstract architecture does not have to change much. WoT already has gateways and edge devices, which is fine, but it just need to be clear that the role of the thing is to connect to a gateway or edge device, not the other way around. Ignoring this problem is simply irresponsible.
It is not my intention to offend anyone. It is clear that a lot of hard work went into the WoT specification and I sincerely hope it will be a massive success. But please reconsider the servers aspect of it and don't create the proverbial skynet.
The text was updated successfully, but these errors were encountered: