About this talk
Security BSides Athens 2018 (Sat, 23/Jun/2018)

Convincing my SmartLock that it’s really me! - Gema Fernandez, Christina Skouloudi

Abstract:

This talk presents a generic and customisable tool, which allows us to evaluate the implementation of authentication measures within IoT mobile applications. Given the wide penetration of IoT and its cyber-physical nature, both safety and security risks emerge and need to be addressed. An important element in this direction is the use of strong authentication and authorisation processes in IoT environments, since they remain key to protecting communications, privacy and access to resources. Smartphones being the means by which users interact with the IoT environment (e.g. smart devices, cloud), the need for secure implementation of IoT mobile applications becomes crucial. Two examples of using this tool will be presented, namely OAuth 2.0 in combination with OpenID Connect, a very popular framework for delegated authentication, and Bluetooth Low Energy pairing mechanisms, as BLE is one of the most widely used protocols for smartphone-to-smart-thing communication. The use case of authentication is indicative and has been chosen for this talk due to its significance; nevertheless, the tool can be applied to the evaluation of any other security measure in mobile applications.

Providing as input the API calls, in bytecode form, that implement authentication measures, the tool identifies instances among a given set of applications and provides as output how many and which ones have implemented such measures, as well as the classes where they reside. The tool is adaptable and configurable, depending on the specific security measure to be investigated. It automates the process of evaluating and checking for the implementation of security-by-design principles, providing in addition meaningful statistics and insights.
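To make the input/output contract described above concrete, here is a small scanner written in the same spirit. It is an added example, not the tool presented in the talk: each app is represented by a constructed smali-style bytecode listing, a "measure" is a list of API-call signatures, and the scanner reports how many and which apps invoke those calls and in which classes. The `com.example.oidc` library signatures are hypothetical placeholders; `android.bluetooth.BluetoothDevice.createBond()` and `connectGatt(...)` are real Android framework methods.

```python
"""Configurable bytecode scanner (added example): find which apps, and which
classes inside them, invoke the API calls that implement a security measure.
All listings and the com/example/oidc signatures below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# ".class public Lcom/example/Foo;" -> declaring class of the instructions that follow
CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[\w/$]+;)")
# "invoke-virtual {v0}, Lpkg/Cls;->name(args)ret" -> callee class, name, args, return type
INVOKE_RE = re.compile(
    r"invoke-(?:virtual|direct|static|interface|super)(?:/range)?\s*"
    r"\{[^}]*\},\s*(L[\w/$]+;)->([\w<>$]+)\(([^)]*)\)(\S+)"
)


def parse_smali(listing: str) -> Dict[str, Set[str]]:
    """Map each declaring class to the set of full call signatures it invokes."""
    calls: Dict[str, Set[str]] = defaultdict(set)
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INVOKE_RE.search(line)
        if m and current:
            cls, name, args, ret = m.groups()
            calls[current].add(f"{cls}->{name}({args}){ret}")
    return dict(calls)


def matches(call: str, pattern: str) -> bool:
    """Exact match, or any overload when the pattern stops at the method name."""
    if "(" in pattern:
        return call == pattern
    return call.startswith(pattern + "(")


def scan(apps: Dict[str, str], signatures: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Return {app: {class: [matched signatures]}} for apps with at least one hit."""
    hits: Dict[str, Dict[str, List[str]]] = {}
    for app, listing in apps.items():
        per_class = {}
        for cls, calls in parse_smali(listing).items():
            found = sorted(c for c in calls if any(matches(c, p) for p in signatures))
            if found:
                per_class[cls] = found
        if per_class:
            hits[app] = per_class
    return hits


def summarize(apps: Dict[str, str], signatures: List[str]) -> dict:
    """Counts and percentage of apps implementing the measure, plus class-level detail."""
    hits = scan(apps, signatures)
    total = len(apps)
    return {"total": total, "implementing": len(hits),
            "percent": round(100.0 * len(hits) / total, 1) if total else 0.0,
            "apps": hits}


# Constructed listings: lock-a does OIDC + BLE bonding, lock-b only opens a GATT
# connection (no bonding), lock-c only does OIDC.
APPS = {
    "lock-a": """
.class public Lcom/example/locka/LoginActivity;
.method private startLogin()V
    invoke-virtual {v0}, Lcom/example/oidc/AuthorizationRequest$Builder;->build()Lcom/example/oidc/AuthorizationRequest;
    return-void
.end method
.class public Lcom/example/locka/ble/Pairer;
.method public pair(Landroid/bluetooth/BluetoothDevice;)Z
    invoke-virtual {p1}, Landroid/bluetooth/BluetoothDevice;->createBond()Z
    move-result v0
    return v0
.end method
""",
    "lock-b": """
.class public Lcom/example/lockb/GattClient;
.method public connect(Landroid/bluetooth/BluetoothDevice;Landroid/content/Context;)V
    invoke-virtual {p1, p2, v0, v1}, Landroid/bluetooth/BluetoothDevice;->connectGatt(Landroid/content/Context;ZLandroid/bluetooth/BluetoothGattCallback;)Landroid/bluetooth/BluetoothGatt;
    return-void
.end method
""",
    "lock-c": """
.class public Lcom/example/lockc/auth/OidcClient;
.method public authorize()V
    invoke-virtual {v0}, Lcom/example/oidc/AuthorizationRequest$Builder;->build()Lcom/example/oidc/AuthorizationRequest;
    return-void
.end method
""",
}

# Measures are just signature lists, so the scanner is reconfigured by editing this table.
MEASURES = {
    "oidc_auth": ["Lcom/example/oidc/AuthorizationRequest$Builder;->build()Lcom/example/oidc/AuthorizationRequest;"],
    "ble_pairing": ["Landroid/bluetooth/BluetoothDevice;->createBond()Z"],
}

if __name__ == "__main__":
    for name, sigs in MEASURES.items():
        s = summarize(APPS, sigs)
        print(f"{name}: {s['implementing']}/{s['total']} apps ({s['percent']}%)")
        for app, classes in s["apps"].items():
            print(f"  {app}: {', '.join(classes)}")
```

Matching on the full descriptor (class, name, argument types, return type) is what keeps the results precise: an app that merely opens a GATT connection is not credited with implementing pairing, and a measure can be broadened to all overloads by giving the signature without its descriptor.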
These results allow us to draw the big picture of the state of authentication in IoT mobile applications, and help us to identify the main gaps to tackle. By means of IoT mobile apps, users can not only access information, but also command and control smart devices that can influence the physical world. Consequently, implementing authentication is a must for app developers and designers. This tool will help them not only to evaluate the security of their existing applications, but also to apply security-by-design principles in the future.

Bio Gema Fernandez:

I am a passionate and enthusiastic trainee at ENISA in Athens. Even though she looks Greek, she comes from the centre of Spain; precisely from the city Doménikos Theotokópoulos / El Greco chose to spend half of his life in, Toledo (coincidence?). Given her restless character, she first went to Madrid to become an engineer in telecommunications, and quickly jumped further north to study an MSc in cybersecurity in Tallinn, where she discovered the fun of forensics and specialised in file manipulation detection. Realising the ice-cold climate was not for her, she ran away back south to find new experiences, sunrays and the top cybersecurity experts to be surrounded with (and hopefully start looking like them). Always out and about, playing basketball and beach volley, and now diving headlong into IoT security, she keeps looking for new challenges to grow professionally and as a person; in other words, to never stop moving.

Bio Christina Skouloudi:

I have a background in computer science and hold a master’s degree in Digital Systems Security. At the early stage of her career, she worked for several years as a full-stack developer and moved to the information security area, working as a Network and Information Officer at ENISA. Combining the two things she is passionate about, namely software development and information security, she likes to offer smart and innovative solutions through her work.
A maker and breaker, who loves to contribute to both the development and the security community. Her main research interests focus on the Internet of Things, Wireless Sensor Networks, Cloud Security, Incident Reporting and the technical development of Cyber Security Exercises. She has published various papers on these topics and has also presented pieces of her work and developments at conferences like BSides.