IoT Security is Hard: Here’s What You Need to Know

Security for anything you connect to the internet is important. Think of these devices as doorways. They either allow access to services or provides services for someone else. Doorways need to be secure — you wouldn’t leave your door unlocked if you lived in the bad part of a busy city, would you? Every internet connection is the bad part of a busy city. The thing is, building hardware that is connected to the internet is the new hotness these days. So let’s walk through the basics you need to know to start thinking security with your projects.

If you have ever run a server and checked your logs you have probably noticed that there is a lot of automated traffic trying to gain access to your server on a nearly constant basis. An insecure device on a network doesn’t just compromise itself, it┬ápresents a risk to all other networked devices too.

The easiest way to secure a device is to turn it off, but lets presume you want it on. There are many things you can do to protect your IoT device. It may seem daunting to begin with but as you start becoming more security conscious things begin to click together a bit like a jigsaw and it becomes a lot easier.

Continue reading “IoT Security is Hard: Here’s What You Need to Know”

Your Unhashable Fingerprints Secure Nothing

Passwords are crap. Nobody picks good ones, when they do they re-use them across sites, and if you use even a trustworthy password manager, they’ll get hacked too. But you know what’s worse than a password? A fingerprint. Fingerprints have enough problems with them that they should never be used anywhere a password would be.

Passwords are supposed to be secret, like the name of your childhood pet. In contrast, you carry your fingers around with you out in the open nearly everywhere you go. Passwords also need to be revocable. In the case that your password does get revealed, it’s great to be able to simply pick another one. You don’t want to have to revoke your fingers. Finally, and this is the kicker, you want your password to be hashable, in order to protect the password database itself from theft.

In the rest of the article, I’ll make each of these three cases, and hopefully convince you that using fingerprints in place of a password is even more broken than using a password in the first place. (You listening Apple and Google? No, I didn’t think you were.)

Continue reading “Your Unhashable Fingerprints Secure Nothing”

Towards the Perfect Coin Flip: The NIST Randomness Beacon

Since early evening on September 5th, 2013 the US National Institute of Standards and Technology (NIST) has been publishing a 512-bit, full-entropy random number every minute of every day. What’s more, each number is cryptographically signed so that you can easily verify that it was generated by the NIST. A date stamp is included in the process, so that you can tell when the random values were created. And finally, all of the values are linked to the previous value in a chain so that you can detect if any of the past numbers in the series have been altered after the next number is published. This is quite an extensive list of features for a list of random values, and we’ll get into the rationale, methods, and uses behind this scheme in the next section, so stick around.

Continue reading “Towards the Perfect Coin Flip: The NIST Randomness Beacon”

Mining Bitcoins with Pencil and Paper

Right now there are thousands of computers connected to the Internet, dutifully calculating SHA-256 hashes and sending their results to other peers on the Bitcoin network. There’s a tremendous amount of computing power in this network, but [Ken] is doing it with a pencil and paper. Doing the math by hand isn’t exactly hard, but it does take an extraordinary amount of time; [Ken] can calculate about two-thirds of a hash per day.

The SHA-256 hash function used for Bitcoin isn’t really that hard to work out by hand.┬áThe problem, though, is that it takes a 64 byte value, sends it through an algorithm, and repeats that sixty-four times. There are a few 32-bit additions, but the rest of the work is just choosing the majority value in a set of three bits, rotating bits, and performing a mod 2.

Completing one round of a SHA-256 hash took [Ken] sixteen minutes and forty-five seconds. There are sixty-four steps in calculating the hash, this means a single hash would take about 18 hours to complete. Since Bitcoin uses a double SHA-256 algorithm, doing the calculations on a complete bitcoin block and submitting them to the network manually would take the better part of two days. If you’re only doing this as your daily 9-5, this is an entire weeks worth of work.

Just for fun, [Ken] tried to figure out how energy-efficient the bitcoin mining rig stored in his skull is. He can’t live on electricity, but donuts are a cheap source of calories, at about $0.23 per 200 kcalories. Assuming a metabolic rate of 1500 kcal/day, this means his energy cost is about 67 quadrillion times that of an ASIC miner.

Video below.

Continue reading “Mining Bitcoins with Pencil and Paper”