Security, Privacy and Dependability in Mobile Networks

  • 333 views
Uploaded on

This keynote has the focus on measurable security as a core element of the sensor-driven future Internet. Security is measured through a metrics approach, identifying both potential attack scenarios …

This keynote has the focus on measurable security as a core element of the sensor-driven future Internet. Security is measured through a metrics approach, identifying both potential attack scenarios and the security components of the system.
The keynote was given at the The Second International Conference on Mobile Services, Resources, and Users. MOBILITY 2012, 21.-25. October 2012, Venice, Italy

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
333
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
7
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Center for Wireless Innovation Norway cwin.noCWI Norway Int. Conference on Mobility 2012, Venice, Oct2012 Security, Privacy and Dependability in Mobile Networks Josef Noll, Sarfraz Alam, Zahid Iqbal, Mohammad M. R. Chowdhury Prof. at University of Oslo/UNIK Member of CWI Norway josef@unik.no1
  • 2. Outline Josef Noll, Oslo - CTO! About the author Steering board member, Norway section at MobileMonday Chief technologist at Movation AS, Prof. at University Graduate! Security in Mobile Networks Studies (UNIK), University of Oslo (UiO) IARIA Fellow, Chairman of IARIA’s Intern. Conf. on Mobility – Privacy Past: Research Manager/Researcher at Telenor R&I (R&D) Staff member at ESA ESTEC Chip designer at SIEMENS – Dependability! The way ahead: Internet of Things – connection of sensors to mobile – business decisions based on information! Security Challenges – BYOD “bring your own device” – Be aware of the value of information – Measurable security! Use case for – From Entertainment to Socialtainment – Sensor data fusion! Conclusions Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 2
  • 3. Center for Wireless Innovation CWI A facilitator for industry and seven research institutions to form strategic partnerships in wireless R&D B3G BS Sensor Networks Sensor Network Aggregation Abstraction & Home/Office Monitoring Sensor Networks Car Offshore Sensor Networks Sensor Networks Oct 2012, Josef Noll
  • 4. Center for Wireless Innovation CWI A facilitator for industry and seven research institutions to form strategic partnerships in wireless R&D n to t io o ra arc h B3G BS Sensor ab ese Networks Aggregation ll Sensor Network Abstraction & Home/Office Monitoring c o e r r o m at iv Sensor Networks F b o r Car la Offshore co l Sensor Networks Sensor Networks Oct 2012, Josef Noll
  • 5. Innovation through Collaboration Statoil ... Nets Opera Inner Circle eBAN Telenor Members Business Angels NFR NorBAN Strategic NICe Partners Innovation IIP Artemisia Stock Exchange Int. Innov. Communities InnoBoerse.eu Prog. MoMo ETSIMobileMonday Academia Entrepreneurs MIT CWI CTIF 4 Providing the infrastructure for open collaboration Oct2012 Josef Noll
  • 6. Outline! About the author! Security in Mobile Networks – Privacy – Dependability! The way ahead: Internet of Things – connection of sensors to mobile – business decisions based on information! Security Challenges – BYOD “bring your own device” – Be aware of the value of information – Measurable security! Use case for – From Entertainment to Socialtainment – Sensor data fusion! Conclusions Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 5
  • 7. Generations of Mobile Networks Service view Personalised broadband 4G? LTE wireless services 3G: UMTS Multimedia communication 2G: GSM Mobile telephony, SMS, FAX, Data1G: NMT Mobile telephony 1970 1980 1990 2000 2010 [adapted from Per Hjalmar Lehne, Telenor, 2000] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 6
  • 8. Generations of Mobile Networks Service view Security view IP security with Personalised broadband heterogeneous access, 4G? LTE wireless services sensors 3G: UMTS Multimedia communication Open, modular security architecture - force 2G 2G: GSM Mobile telephony, SMS, One way authentication, FAX, Data encryption visibility, “obscurity”1G: NMT Mobile telephony tap the line, connect in 1970 1980 1990 2000 2010 [adapted from Per Hjalmar Lehne, Telenor, 2000] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 6
  • 9. Security in Mobile Networks! NMT – tap the line! GSM – No authentication of network: IMSI catcher pretend to be BTS and request IMSI – Undisclosed crypto algorithms! UMTS – adds integrity and freshness checks on signalling data from network to MS – forced attack to 2G! LTE – full IP security package – heterogeneous access networks [Source: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 7
  • 10. Summary of Mobile Security Threats/attacks Security services Security mechanisms GSMCloning Authentication Authentication mechanism (challenge-response with a shared secret)Eavesdropping Confidentiality Encryption of call content(voice sent in clear) (A5/1, A5/2, A5/3)Spying (identity tracking) Confidentiality Location security (TMSI) [adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
  • 11. Summary of Mobile Security Threats/attacks Security services Security mechanisms GSM Threats/attacks Security services Cloning Security mechanisms Authentication Authentication mechanism (challenge-response with a shared secret) UMTS Eavesdropping (voice sent in clear) Confidentiality Encryption of call content (A5/1, A5/2, A5/3)False BST Mutual authentication mechanism Authentication (challenge-response with a Spying (identity tracking) Confidentiality Location security (TMSI) shared secret) Encryption of signaling and callEavesdropping Confidentiality content(Poor GSM encryption)Data sent in clear in the Encryption and integrity protection Confidentiality of data, to also cover operatoroperator network network [adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
  • 12. Summary of Mobile Security LTE Threats/attacks Security services Security mechanisms GSM Threats/attacks Security services Cloning Security mechanisms AuthenticationAuthentication mechanism (challenge-response with a shared secret) Eavesdropping Confidentiality Encryption of call content Eavesdropping Data confidentiality (voice sent in clear) IPSec (A5/1, A5/2, A5/3) Spying (identity tracking) Confidentiality Location security (TMSI) Modification of content Data integrity Threats/attacks Security services Security mechanisms IPSec UMTSFalse BST Mutual authentication mechanism Authentication (challenge-response with a Impersonation Authentication shared secret) Encryption of signaling and call EAP-AKAEavesdropping Confidentiality content(Poor GSM encryption) Denial of service,Data sent in clear in theoperator network Confidentiality Availability service Encryption and integrity protection of data, to also cover operator network fast re-authentication? roaming, performance different access network? [adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
  • 13. Summary of Mobile Security Threats/attacks Security services Security mechanisms GSM Cloning Authentication Authentication mechanism (challenge-response with a shared secret) Eavesdropping Confidentiality Encryption of call content (voice sent in clear) (A5/1, A5/2, A5/3) Spying (identity tracking) Confidentiality Location security (TMSI) Threats/attacks Security services Security mechanisms UMTSFalse BST Mutual authentication mechanism Authentication (challenge-response with a shared secret) Encryption of signaling and callEavesdropping Confidentiality content(Poor GSM encryption) Encryption and integrity protection LTEData sent in clear in the Confidentiality of data, to also cover operatoroperator network network Threats/attacks Security services Security mechanisms Eavesdropping Data confidentiality IPSec Modification of content Data integrity IPSec Impersonation Authentication EAP-AKA Denial of service, Availability service fast re-authentication? roaming, performance different access network? [adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
  • 14. Security in Mobile Networks! Main focus so far on accountability (for billing)! End-to-end encryption is a challenge – Interoperability: variety of access networks, coding – key handling in TLS – application specific solutions: SIP! Privacy – personal privacy – business value privacy! Dependability, reliability – infrastructures – systems of systems [Source: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 9
  • 15. Physical vs Organisational privacy! don’t touch me! don’t invade! preferences! locations Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 10
  • 16. Physical vs Organisational privacy! don’t touch me ! What is in Coca Cola?! don’t invade! preferences ! When will VW launch the new Golf?! locations Value of Information ! Access to fingerprints of all people Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 10
  • 17. Protecting the identity?! 8 million US residents victims of identity theft in 2006 (4% of adults)! US total (known) cost of identity theft was $49 billion – ~10% was paid by customers – remaining by merchants and financial institutions! Average victim spent $531 and 25 hours to repair for damages Source: Lasse Øverlier & California Office of Privacy Protection ID theft in seconds http://itpro.no/art/11501.html Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 11
  • 18. Outline! About the author! Security in Mobile Networks – Privacy – Dependability! The way ahead: Internet of Things – connection of sensors to mobile – business decisions based on information! Security Challenges – BYOD “bring your own device” – Be aware of the value of information – Measurable security! Use case for – From Entertainment to Socialtainment – Sensor data fusion! Conclusions Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 12
  • 19. IoT paradigm • The present "Internet of PCs" will move towards an "Internet of Things" in which 50 to 100 billion devices will be connected to the Internet by 2020. [CERP-IoT, 03.2010] • “We are entering a new paradigm where things have their own identity and enter into dialogue with both other things and humans mediated through processes that are being formed today. [IoT Europe 2010 conf., 06.2010] "Now subs we have c 30...5 ribers. I roughly 0 n 5! The speed of development – H Mio de some ye .2 Mio m ans C vices ar w obile 2010 hristi o e an H n the m will hav augli o e , CEO bile net “In 201 , Tele work 2 there nor O ”storage on single chip people were m bject on the ore dev s – Han mobile ic s Chris networ es than tian Ha k of Te ugli, CE lenor”. O, Tele nor Ob jects source: Gerhard Fettweis, TU Dresden Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll
  • 20. [Source: J. Schaper, FI PPP Constituency Event Nice, March 2010] Josef Noll Oct 2012, 14Security, Privacy and Dependability in Mobile Networks
  • 21. The IoT technology andapplication domainbusiness reliabilitydecisions privacy Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 15
  • 22. Outline! About the author! Security in Mobile Networks – Privacy – Dependability! The way ahead: Internet of Things – connection of sensors to mobile – business decisions based on information! Security Challenges – BYOD “bring your own device” – Be aware of the value of information – Measurable security! Use case for – From Entertainment to Socialtainment – Sensor data fusion! Conclusions Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 16
  • 23. The security challenge of the Internet How come these guys didn’t think of that? 1973 Kjeller ave ld h rnet wou Inte we ow “If n h ed, ...” k now elop Steve Crocker dev Jon Postel 1972 Vinton CerfExpo Berlin 2007 Source: http://www.michaelkaul.de/History/history.html ©2007 Deloitte & Touche GmbH Wirtschaftsprüfungsgesellschaft Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 17
  • 24. Security in the Internet of Things? Source: L. Atzori et al., The Internet of Things: A survey, Comput. Netw. (2010), doi: 10.1016/ j.comnet.2010.05.010 Text Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 18
  • 25. Security in the Internet of Things? Source: L. Atzori et al., The Internet of Things: A survey, Comput. Netw. (2010), doi: 10.1016/ j.comnet.2010.05.010 Trust Text * context-aware, * “privacy” * personalised Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 18
  • 26. Security challenges! Sensors everywhere Request Semantic layer Semantic layer – SOA based Mobile, Internet Proximity, Service e, Sensor hom ors al, ens Service Registry edic al s Mobile/Proximity/ Sensor services m stri i ndu sensors sensors! Bring your own device (BYOD) – 30-100 devices/employee tab, Contacts – “phone in the cloud” e, Calendar hon ed... SMS, ... C, p bedd MA em C, ad, P po d, p Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 19
  • 27. Measurable Security! Value of information is & lys na nt – Identify k A sme Ris ses – Analyse As – Evaluate Risk Measurable security sis! analy fit – “Banks are secure” -B ene – IETF working group: Better C ost than nothing security – Cardinal numbers? Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 20
  • 28. Security Challenges in sensor- enabled clouds! Security, here – security (S) Cloud services – privacy (P) Intelligence challenge: Overlay physics – dependability (D) Network! across the value chain challenge: – from sensors to physics Sensors, services Embedded Systems! measurable security? can be Could be composed Is made by Components and SPD Components, System SPD functionalities functionalities Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 21
  • 29. Measuring Security, Privacy and Dependability (SPD) in the IoTOntology logical representation: each concept is modelled and the relations areidentified in order to have the logical chains that enables the SPD-awarecomposability can be Could be composed Is made by Components SPD Components, System and SPD functionalities functionalities realise SPD Means Are counter measured by Is mapped are into affected by SPD level SPD Attributes SPD Threats [source: Andrea Fiaschetti, pSHIELD project, Sep 2011] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 22
  • 30. SPD Metrics specification Factor Value Elapsed Time <= one day 0 Minimum attack potential value to <= one week <= one month 1 4 exploit a vulnerability <= two months 7 <= three months 10 = SPD value <= four months 13 Factors to be <= five months 15 considered <= six months 17 > six months 19 Expertise where •Elapsed Time Layman 0 Calculated attack •Expertise Proficient Expert 3*(1) 6 potential •Knowledge of Multiple experts 8 functionality Knowledge of functionality •Window of opportunity Public 0 with •Equipment Attack scenarios Restricted Sensitive 3 7 Critical 11 SPD SPD SPD Window of level attributes threats Unnecessary / unlimited 0 access Easy 1Essential to build Moderate 4 Difficult 10 Base of knowledge Unfeasible 25**(2) Equipment Functio Standard 0 SPD System nality system Specialised 4(3) Bespoke 7 Multiple bespoke 9 [source: Andrea Fiaschetti, pSHIELD project, Sep 2011] Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 23
  • 31. Outline! About the author! Security in Mobile Networks – Privacy – Dependability! The way ahead: Internet of Things – connection of sensors to mobile – business decisions based on information! Security Challenges – BYOD “bring your own device” – Be aware of the value of information – Measurable security! Use case for – From Entertainment to Socialtainment – Sensor data fusion! Conclusions Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 24
  • 32. Use case: SPD in heterogeneous systems! Nano-Micro-Personal-M2M Platform – identity, cryptography, dependability! SPD levels through overlay functionality – answering threat level – composing services! Policy-based management – composable security! Integration into Telecom Platform – from information to business decisions Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 25
  • 33. Application Example: Socialtainment (eMobility)! From Entertainment to Socialtainment Pool! Social mobility vehicles people through inclusion of traffic micro- social networks charging coordination warning social parking tour CO2 consumption 6 % 31 % Corporate travel 33 % Corporate cars Social CO2 25 %6 % Commuting Flights Mobility Energy & Logistics info energy music control maps! answering the need for CO2 reduction in transport www IoT ! SAP 45% (2009) smart grid Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 26
  • 34. Semantic RepresentationCloud service representation through semantic integration Overlay Policy-based Core Services Trust Composition Discovery Policy System Cloud services Suggested Desired Intelligence service service Overlay Network Overlay “Embedded Intelligence” Sensors, Embedded Systems s OWL OWL goals integration OWL integration Semantic Technologies Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 27
  • 35. The IoT ecosystem Trust ?! Creating business – openness, competitive infrastructure: Consumers broadband, – climate for innovation adaptation mobile Business! Public authorities climate: market – trust, confidence Public Creative Authorities – demand demand IoT - Business programmers Ecosystem software! Consumers Academia – (early) adapters research, – education Entrepreneurs Sensor education ideas! Infrastructure providers – broadband, mobile – competition Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 28
  • 36. Internet usage across Europe [Robert Madelin, Directorate-General for Information Society and Media, EU commission, Aug 2010] * “use of IT in a proper way can increase effectiveness with 30-40%” IS * “we are good in technology development. But access to venture 95,1% capital is bad in Europe as compared to the USA”. [Aftenposten, 3. October 2011] gunhild@aftenposten.no NO 94,8% SE % of people used the Internet DK 93,2%100 90,7% IT EU90 HE 58,8% 73,7%80 47,5%70605040 Tyrkia Romania Hellas Bulgaria l Kypros Kroatia Italia Malta Litauen Polen Ungarn Spania Latvia Slovenia Tsjekkia Irland EU snitt Østerike Estland e Belgia Slovenia Tyskland nia Finland k ourg nd Sverige Norge Island Portuga Danmar Frankrik Nederla Storbrita Luxemb Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 29
  • 37. Internet service usage 90 83 84 77 Greece 71 60 Norway 61 EU-average 41 39 41 40 30 36 13 16 12 0 3 6 g t ce in db es d e es gh er rv t nk oa m se ac m an ic ou m Ba br ho ho ic nt - b om bl co ith te et of ts C eC w iva rn pu e ou s P e to nlin id te Pr ed les In O us ire W Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 30
  • 38. Conclusions• The mobile system is secure, but... – evolvement to provable security – bring your own devices, heterogeneity – from sensors to business decisions• Building the IoT architecture – Cross-layer intelligence & knowledge – Accounting for security• Measurable security – Metrics describing threats – Overlay description for system of systems• Building the Ecosystem – Human perspective: trust, privacy, context The wo – Security based on measures of components, rld is w attacks and human interaction i reless Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 31
  • 39. CWIMy special thanks to• JU Artemis and the Research • Sarfraz Alam (UNIK) and Geir Councils of the participating Harald Ingvaldsen (JBV) for the countries (IT, HE, PT, SL, NO, ES) train demo• Andrea Fiaschetti for the semantic • Zahid Iqbal and Mushfiq middleware and ideas Chowdhury for the semantics• Inaki Eguia Elejabarrieta,Andrea • Hans Christian Haugli and Juan Morgagni, Francesco Flammini, Carlos Lopez Calvet for the Renato Baldelli, Vincenzo Suraci Shepherd ® interfaces for the Metrices • and all those I have forgotten to• Przemyslaw Osocha for running mention the pSHIELD project, Luigi Trono for running nSHIELD Oct 2012, Josef Noll 32