Mozilla IoT and taking ideas from Google's BeyondCorp

Mozilla IoT
#1

I’m sorry if this is a dumb noob question but…

Recently I read about Google’s BeyondCorp strategy. The TL;DR version is:

Most people/companies separate networks into local (internal) and “internet” (external). Internal everything is trusted. External nothing is trusted. This means if you manage to find a way to get to the internal network then you can do lots of things you couldn’t do from the outside, many of them bad.

Google found this had the potential to lead to lots of exploits so they redesigned their internal network to assume it’s just as untrusted as the external network.

Is that just as important for IoT?

Right now my router “protects” me from the internet but on my local net, behind my router, many things are far more open. Worse, I have 100s or 1000s of apps running on my local net. Every app and game on my phone, my tablet, my laptops, my game consoles, and every IoT device can basically hack the reset of the stuff on my local network.

It seems like maybe all of it should take ideas where possible from Google’s Beyondcorp solution and not be so trusting on local.

Does, should, can Mozilla’s IoT / WebThings take any inspiration from those ideas? Basically that nothing on the local network should be trusted? Is there anything there to do or is it all already totally secure on local?

#2

It looks like BeyondCorp uses a lot of authentication pieces to help secure things. While this is nice, it’s not necessarily practical on a home network.

However, there are a few things that we can do.

  • Native web things, in the near future, will be able to support authentication. This is evolving in the W3C spec, so when that becomes concrete, we will begin to support it. This would help prevent IoT devices from talking to each other.
  • In the router image, we’d like to support separate VLANs, such that untrusted IoT devices can be separated from the trusted devices on your network (e.g. your smart phone).
  • Also in the router image, we’d like to allow users to prevent individual devices from reaching out to the internet. For example, you may not want your security camera to phone home to a server in another country.
  • If/when a good solution for local HTTPS becomes available, native web things could use encrypted connections to prevent people or devices from snooping on the traffic.
#3

With a MQTT broker/server on a LAN one can implement TLS encryption either with self-signed certificates with manual distributions of generated ones to each device, or use a less-resource intensive method of TLS-PSK aka tokens method of authentication and encryption. (Unfortunately python and micropython doesn’t seem to have the crypto ability for TLS-PSK, so one is limited to Arduino and other C-related languages, and perhaps Javascript, if I understand correctly).

Since Webthings is all about everything having a URL and polling instead of using something like MQTT, can’t COAP+DTLS be used in a manner in which everything gets a token key like the COAP+DTLS PSK method used by the Ikea Tradfri bridge? (where the psk is the QR code on the back)
If I understand correctly one can utilize a polling method as well as MQTT-style publish and subscribe to push event with COAP…

I refer to someone who seems to have explored this quite extensively:

Security. Trådfri uses CoAP+DTLS with a random Pre-Shared Key printed on the bottom of the device. You need physical access to the device to get this key and all communication with the gateway is always encrypted
https://daenney.github.io/2019/04/09/emulating-philips-hue-bridge

An addon for this style of security for webthings seems like it would be highly advantageous while waiting for the “If/when a good solution for local HTTPS becomes available”, as you mentioned in your response above.

Also, as far as BeyondCorp at home practicality, while I don’t presume to know what the challenges would be, it seems that some work has been done on this that makes it at least seem like a something practically doable, for an professional developer to auto-implement some variation of it:
https://daenney.github.io/2018/10/27/beyondcorp-at-home
https://daenney.github.io/2018/10/30/beyondcorp-at-home-authz

In the router image, we’d like to support separate VLANs, such that untrusted IoT devices can be separated from the trusted devices on your network (e.g. your smart phone)

Unfortunately while this seems like it would help a little bit, I think we’re getting to the point where no personal computer and no personal phone can normally be simply considered as “trusted” or “untrusted”.
E.g. Must users are completely unaware of the flood of network connections an average iPhone or Andriod makes when connected to wifi on a daily basis, as talked about in e.g., the privacy project at the New York Times newspaper.
Likewise, on both Macs and PC’s even apps bought through the native sandboxed Apple or Windows store leak a lot of information (including info about devices on a wifi network) that many users would strongly object to if they were are of it.
Point being, is that the user does not have control over what his/her device is doing, and he/she is often mislead about the vast degree privacy leakage, which of course affects security too.

There’s more trusted and less trusted, perhaps, but I think we are way beyond the days of trusted and untrusted.