IoT Mashup - Security for internet connected devices - LylePresentation Transcript
Security for Internet-
John Lyle, University of Oxford
ResearchAssistant at the University of Oxford
Member of the webinos project
going to say
1. Internet ofThings security is hard!
2. There are some good reasons for this.
3. There are new (ish) threats.
4. There are some new technologies to play with.
What I’m not
going to say
1. Security is really important.
2. This is how to exploit [ insert popular technology product ]
3. I have the following silver bullets…
4. Anything about privacy
Why is IOT security
And is there anything we can do about it?
1. Wireless communication
2. Physical insecurity
3. Constrained devices
4. Potentially sensitive data
5. Lack of standards
6. Heterogeneity: weakest link problem
7. A systems, not software problem
8. Classic web / internet threats
9. Identity management & dynamism
10. Inconvenience and cost
It’s because we don’t know how to do it.
Threats to IOT systems
Adapted from "Security Considerations in the IP-based Internet of
Things“ - Garcia-Morchon et al.
Can be stolen
Can be modified
Can be replaced
Can be cloned
Can be modified (firmware / OS / middleware)
Can be decompiled to extract credentials
Can be exhausted (denial of service)
Theft of bandwidth
Reconfiguration and recovery
Who are the attackers?
And what do they want?
Make assumptions to make progress
Use Attacker Personas for consistency
Realistic attacker models
Curious end users? Modders?
The state of the art
Some of it, at least.
TLS and a device PKI
Attribute-based access control
Web identity and authentication
“Personal zone” model
CoAP:The ConstrainedApplication Protocol
DTLS: DatagramTransport Layer Security
Sizzle – SSL with EllipticCurve Cryptography
HIPS: Host Identity Protocol
Gupta,V.; Millard, M.; Fung, S.; Zhu,Yu; Gura, N.; Eberle, H.; Shantz, S.C.
"Sizzle: a standards-based end-to-end security architecture for the embedded Internet,"
Third IEEE International Conference on PervasiveComputing andCommunications. pp.247,256, 8-12 March 2005
leave you with.
Many new technologies and protocols are being developed
IOT requires systems security
Share your results!