
Big data, Security, or Privacy in IoT: Choice is Yours


Big data, data analytics, security, and privacy in IoT: why they conflict, and the threats and solutions to weigh when selecting devices, the network, and the processing back end.


  1. Dilum Bandara, PhD, Dept. of Computer Science & Engineering, University of Moratuwa. Mobitel NB-IoT Forum, Mar 23, 2018
  2. What do I want? Big Data, Security, & Privacy
     • Big Data: huge datasets that we capture, transfer, store, & process to reveal associations, patterns, & trends; Volume, Variety, Velocity, & Veracity
     • Security: protection of computing systems & the data that they store or access; Confidentiality, Integrity, & Availability (CIA)
     • Privacy: our interest in preventing inappropriate collection, use, & release of PII; privacy of personal behavior, communications, & data
     • Security & Privacy are afterthoughts
  3. IoT Data Analytics (diagram): Reckless Driving, Driving Anomaly Detection, Fault Detection & Prediction, Tracking & Surveillance, Fuel Fraud, Smart Driving
  4.
     • High-end OBD2 + GPS dongle that sends data directly to the cloud
     • Dedicated GPS trackers that send data directly to the cloud
     • Low-end OBD2 dongle + app that sends data to the cloud & gives real-time alerts
  5. (image slide)
  6.
     • Real-time Analysis: driving anomaly detection, fuel fraud detection, geo-fencing, vehicle fault detection
     • Historical Analysis: driver profiling (UBI), driver coaching, predicting sensor failure, case analysis
  7.
     • Driver behavior detection: change of driver, driving under influence, fatigue
     • Sensor failure detection: Mass Air Flow (MAF) sensor, emission issues, Check Engine Light
  8.
     • Long-distance bus fitted with a GPS unit & a high-precision fuel sensor
     • Could you explain the variability in fuel consumption, predict the fuel consumption of a journey, and give tips to improve fuel consumption?
     • 4 months of data: Timestamp, Longitude, Latitude, Elevation, Distance, Speed, Acceleration, Ignition status, Battery voltage, Fuel level, Fuel consumption
  9. (image slide)
  10. Actual Consumption: 84.08 L; Predicted Consumption: 91.77 L; Error: 9.1%. Models compared: Gradient Boosting, Neural Network, Random Forest
  11. (image slide)
  12. www.curwsl.org
  13.
     • Being set up for flood control & water management in Metro Colombo; initial focus on the Kelani river basin
     • Entirely cloud-based
     • Weather Stations (9 → 50 → 100s); Water-Level Gauges (2 → 12 → 34)
     • Controlling flood gates & pumping stations
     • Solar-powered sensors & communication
     • Reports data periodically to WSO2 IoT Server via HTTP over GSM; secured via password or OAuth2 authentication to the IoT Server; plans to use MQTT
  14.
     • Security Issues: disabling & tampering of devices, unauthorized control of sensors & actuators, modification of data, incorrect forecasts/warnings, DoS attacks
     • Privacy Issues: use of driver profiles against accident claims, driver tracking, business-sensitive insights, profiling for UBI, flood insurance, exposure of socio-economic data
  15.
     • Massive number of DNS lookups from 10+ million IoT devices infected with Mirai malware: IP cameras, home gateways, DVRs, & baby monitors
     • Simple attack: 1. scans for IPs; 2. tries 60 known (username, password) pairs via telnet; 3. loads malware; 4. waits for commands
     • Source: TheUSBport. Credit: Joey Devilla, globalnerdy.com
  16. Attacks & vulnerabilities
     1. Insecure Web Interface: weak default credentials & no lockouts, credentials exposed in traffic, XSS, SQL injection, session management
     2. Insufficient Authentication/Authorization: simple passwords, lack of role-based access control, lack of / bypassing separation of roles, no 2-factor authentication
     3. Insecure Network Services: vulnerable services (telnet), buffer overflow, open ports via UPnP
     4. Lack of Transport Encryption: unencrypted services, poorly configured or misconfigured SSL/TLS
     5. Privacy Concerns: collection of unnecessary (personal) data
     6. Insecure Cloud Interface: account enumeration, no account lockout, credentials exposed in traffic, weak API keys, weak or no encryption
     7. Insecure Mobile Interface
     8. Insufficient Security Configurability: lack of granular permission & password control, lack of logging & monitoring
     9. Insecure Software/Firmware: no update possible, unencrypted & unsigned update files, firmware with sensitive information
     10. Poor Physical Security: access via USB/JTAG ports, removal of storage media
  17. Devices, Network, Storage & Processing (image credit: www.ecomm.in/big-data-and-analytics.html)
  18. Devices
     1. Collect only what is essential to the application
     2. No defaults: accounts, passwords, services
     3. Use digital certificates for authentication
     4. Use role-based access control
     5. Use inbuilt & encrypted device storage; no SD cards
     6. Web interface / console shouldn't be susceptible to brute-force, SQLi, XSS, & CSRF attacks
     7. Use hardware-level encryption: AES; NB-IoT supports 2048-bit RSA
     8. Should support secure boot & over-the-air updates: encrypted & signed firmware
     9. Block USB/JTAG ports
     10. Use tamperproof & rugged devices
  19. Network
     1. All communication must be secure, whether plain text, REST API, or MQTT
        • Use TLS v1.1 & v1.2 (not SSL v2/v3 or TLS v1.0)
        • Obtain certificates from a reliable CA; no default or self-signed certificates
     2. Use secure underlying networks
        • NB-IoT, LTE-M, & EC-GSM-IoT are relatively better compared to LoRaWAN & SigFox
        • Wi-Fi with WPA2, ZigBee
        • Avoid Bluetooth
     3. Use VPN, especially for gateways
     4. Use VLANs
     5. Application-level payload encryption
     6. Use standard encryption algorithms
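The transport rules of slide 19 (TLS 1.1/1.2 only, CA-issued certificates, nothing self-signed) as an added Python example that is not part of the deck or of WSO2 IoT Server: a client context a device or gateway would use for its REST or MQTT-over-TLS link, plus an audit that flags contexts breaking those rules. The `cafile` path and the choice of TLS 1.2 as the floor are assumptions.

```python
"""Client-side TLS policy for an IoT telemetry link (MQTT or REST)."""
import ssl

# Floor chosen here is TLS 1.2. The deck accepts TLS 1.1 and 1.2 and
# rejects SSL v2/v3 and TLS 1.0; raising the floor to 1.2 is an assumption.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_client_context(cafile=None):
    """Context a device or gateway uses to reach the IoT server.

    cafile: assumed path to the PEM bundle of the CA that issued the
    server certificate; None falls back to the OS trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS          # no SSL v2/v3, no TLS 1.0/1.1
    ctx.check_hostname = True              # server name must match its cert
    ctx.verify_mode = ssl.CERT_REQUIRED    # rejects self-signed/unknown CAs
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx):
    """List the deck's network rules that a context violates (empty = OK)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_1:
        findings.append("allows SSL v2/v3 or TLS 1.0")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a CA-issued server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the server hostname")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "OK")
    # The way many IoT apps ship: certificate verification switched off.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    print("weak:", audit_context(weak))
```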
  20. Storage & Processing
     1. Collect, process, & store only what is essential to the application
     2. No defaults: accounts, passwords, services
     3. Use role-based access control
     4. Accounts should lock out
     5. Use digital certificates for authentication & secure communication
     6. Web interface / REST API shouldn't be susceptible to brute-force, SQLi, XSS, & CSRF attacks
     7. Use strong API keys & protect those keys
     8. Strongly encrypted data storage; decrypt only as you process
     9. Use OAuth2 & 2-factor authentication
     10. Know your 3rd-party tools & libraries
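An added Python example for items 4, 7 and 8 of slide 20 (account lockout, strong API keys, no secrets stored in plaintext) and for the account-enumeration point of slide 16; it is not code from the deck or from any named product. The in-memory store, the lockout threshold of 5 failures and the account name used in the self-check are assumptions.

```python
"""API-key handling for the IoT server's REST interface (in-memory store)."""
import hashlib
import hmac
import secrets

MAX_FAILURES = 5      # assumed lockout threshold
KEY_BYTES = 32        # 256 bits of entropy per key ("strong API keys")
_store = {}           # account -> {salt, digest, failures, locked}
_DUMMY_SALT = b"\0" * 16


def _digest(salt, key):
    # Salted SHA-256 is enough for a random 256-bit key (this is not a
    # password); only the digest is stored, never the key itself.
    return hashlib.sha256(salt + key.encode()).hexdigest()


def issue_key(account):
    """Create a key for an account; the plaintext is returned once, not kept."""
    key = secrets.token_urlsafe(KEY_BYTES)
    salt = secrets.token_bytes(16)
    _store[account] = {"salt": salt, "digest": _digest(salt, key),
                       "failures": 0, "locked": False}
    return key


def verify_key(account, presented):
    """True only for a valid key on an unlocked account; counts failures."""
    rec = _store.get(account)
    if rec is None:
        _digest(_DUMMY_SALT, presented)   # same work for unknown accounts,
        return False                      # so timing does not enumerate them
    if rec["locked"]:
        return False
    if hmac.compare_digest(rec["digest"], _digest(rec["salt"], presented)):
        rec["failures"] = 0
        return True
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked"] = True              # an operator must unlock explicitly
    return False


def is_locked(account):
    return _store.get(account, {}).get("locked", False)
```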
  21.
     • Collection of Big Data is a functional requirement; Security & Privacy are non-functional requirements; they are often in conflict!
     • Accept the fact that "You will be hacked!"
     • People are starting to realize "I should worry about my privacy…"
     • A bad IoT product in an extremely competitive market is a real killer
     • Choose a good balance from design and development through to deployment
     • Know, practice, & monitor
     • Follow the OWASP Top 10 attacks & guidelines for Web Applications, Mobile, & IoT
  22.
     • Students: Sandareka Wickramanayake (MSc), Shashika Muramudalige (MSc, BSc), Gihan Karunarathne (MSc), Niranda Perera (MSc), Thilina Madumal (MSc), Biman Hettiarachchi (MSc), Chami Keerthisinghe (MSc), Lasitha Petthawadu (MSc), Asiri Liyana Arachchi (BSc), Malintha Amarasinghe (BSc), Sasikala Kottegoda (BSc), Pasindu Upulwan (BSc), Pubudu Meththananda (BSc), Amila Karunathilaka (BSc), Gayathri Kalani (BSc), Harishanth Thiraviyanathan (BSc), Sivarajan Balakumaran (BSc), Sajeevan Alagendirarajah (BSc), Nirojan Neethirajah (BSc)
     • Research partners: Mr. Nishal Samarasekera (Dept. of TLM, UoM), Prof. Srikantha Herath (UNU, Japan)
     • Data & Exposure: Nimbus Venture (Pvt) Ltd., TechCERT, VaticHub, & many other drivers who help us collect data