DEPT. OF ELECTRONICS AND INSTRUMENTATION TECHNOLOGY
2016-17
TECHNICAL SEMINAR
GUIDE : SMT. S S VIDYA
HOD : DR. M B MEENAVATHI
PRESENTED BY : MAITREYA
IOT SECURITY
CHALLENGES IN IOT SECURITY AND ITS COUNTERMEASURES.
INDEX
• Basics of IOT and Sensors.
• Internet and IOT.
• Securing the IOT.
• Exploiting the IOT(Challenges).
• Practical Exploit (example) – Optional.
• Conclusion.
• References.
IOT (INTERNET OF THINGS)
IOT: The term was first coined in 1999 by Kevin Ashton. The Internet of
things is the inter-networking of physical devices, vehicles (also
referred to as "connected devices" and "smart devices"), buildings and
other items - with electronics, software, sensors, actuators, and network
connectivity that enable these objects to collect and exchange data.
IOT AND SENSORS
The communication part can be handled by the API of the
connected device and the predefined RFC protocols (Internet),
but the sensing still needs to be done, and from an instrumentation
point of view we need sensors and actuators to get "smart"
results. Different types of sensors are available in the market for
different purposes in an unbelievable range. Basic sensing and
actuation logic is shown in the side diagram. Some famous
sensors are:
proximity sensors, ultrasonic sensors, accelerometers and
webcams, etc.
HOME SECURITY (WITH OBJECT SENSOR)
[Diagram labels: Object; Object Sensor (IR, Ultrasonic & Webcam); NodeMCU (SMTP server) with PI; Internet; Root (mail)]
Exploring the many ways of Object Detection:
The basic diagram aside explains how to detect the object in an
IoT-connected room. The basic IR and ultrasonic sensors can be used in
conjunction with the NodeMCU (ESP8266) to construct an IoT home
security system to send message via
IOT SECURITY
IOT security can be divided
into the following areas:
1. Restricted Access
2. Encryption (network and data)
3. Default API
4. Human Element (as usual)
5. Defensive Dark Arts (DEFCON 22)
RESTRICTED ACCESS !
This is probably the most basic and
first step in securing your IOT
device.
(KEEP IT IN AN ISOLATED NETWORK)
If you can, you should always keep
your IOT devices in a restricted,
isolated network away from the
devices that you normally keep
connected to the internet.
What this will achieve is a form of
isolation for your IoT devices which
ENCRYPTION
Encryption:
IoT security relies upon the encryption of two basic,
separate aspects: first, the encryption of network access
(especially the IOT network), and second, the encryption of data
sent via the internet.
Some basic encryption for IOT involves SSL, Public Key
Cryptography, Hash Functions (SHA-3), Block Ciphers and
Stream Ciphers. The network encryption involves AES,
WPA/WPA2 and WEP etc. Some of the basic communication
encryption methods are discussed further.
BLOCK CIPHERS
A block cipher is a deterministic and
computable function of k-bit keys and n-bit
(plaintext) blocks to n-bit (cipher text) blocks.
(More generally, the blocks don't have to be
bit-sized, n-character-blocks would fit here,
too). This means, when you encrypt the same
plaintext block with the same key, you'll get
the same result. (We normally also want that
the function is invertible, i.e. that given the key
and the cipher text block we can compute the
plaintext.)
To actually encrypt or decrypt a message (of
any size), you don't use the block cipher
directly, but put it into a mode of operation.
The simplest such mode would be electronic
code book mode (ECB), which simply cuts the
message in blocks, applies the cipher to each
block and outputs the resulting blocks. (This is
generally not a secure mode, though.)
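Added example (not part of the original slides): a short Python sketch of the ECB behaviour described above. The 64-bit Feistel cipher built from HMAC-SHA256 is a toy stand-in for a real block cipher such as AES, and the key, the sensor readings and all function names are constructed for illustration; CBC with a random IV is shown as one mode that hides the repetition.

```python
import hashlib
import hmac
import os

BLOCK = 8     # toy block size in bytes (n = 64 bits)
ROUNDS = 8    # Feistel rounds

# Constructed sample data: eight 8-byte sensor readings, one of them an alarm.
KEY = b"constructed-demo-key"
SAMPLE = b"IR=CLEAR" * 4 + b"IR=ALARM" + b"IR=CLEAR" * 3


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash of one half-block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Deterministic map from (key, n-bit block) to an n-bit block."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly BLOCK bytes")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: run the rounds backwards."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7-style padding
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: cut the message into blocks and encrypt each one independently."""
    return b"".join(encrypt_block(key, b) for b in blocks(pad(msg)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key: bytes, msg: bytes) -> bytes:
    """CBC: XOR each block with the previous ciphertext block (random IV first)."""
    prev = os.urandom(BLOCK)
    out = [prev]
    for b in blocks(pad(msg)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    bl = blocks(ct)
    return unpad(b"".join(_xor(decrypt_block(key, c), p) for p, c in zip(bl, bl[1:])))


def block_pattern(ct: bytes) -> list:
    """What an eavesdropper sees without the key: which ciphertext blocks repeat."""
    seen = {}
    return [seen.setdefault(b, len(seen)) for b in blocks(ct)]


if __name__ == "__main__":
    # ECB: equal plaintext blocks give equal ciphertext blocks, so the position
    # of the one differing reading is visible in the ciphertext.
    print("ECB pattern:", block_pattern(ecb_encrypt(KEY, SAMPLE)))
    # CBC: every block (IV included) is distinct, so the structure is hidden.
    print("CBC pattern:", block_pattern(cbc_encrypt(KEY, SAMPLE)))
```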
STREAM CIPHERS
A stream cipher is a symmetric key
cipher where plaintext digits are
combined with a pseudorandom cipher
digit stream (keystream). In a stream
cipher, each plaintext digit is encrypted
one at a time with the corresponding
digit of the keystream, to give a digit of
the cipher text stream. Since encryption
of each digit is dependent on the current
state of the cipher, it is also known as
state cipher. In practice, a digit is
typically a bit and the combining
PUBLIC KEY CRYPTOGRAPHY
In a public key encryption system, any
person can encrypt a message using the
public key of the receiver, but such a
message can be decrypted only with the
receiver's private key. For this to work it
must be computationally easy for a user to
generate a public and private key-pair to
be used for encryption and decryption. The
strength of a public key cryptography
system relies on the degree of difficulty
(computational impracticality) for a
properly generated private key to be
determined from its corresponding public
key. Security then depends only on
SSL (SECURE SOCKETS LAYER)
SSL (Secure Sockets Layer) is the standard security
technology for establishing an encrypted link between a
web server and a browser. This link ensures that all
data passed between the web server and browsers
remain private and integral. SSL is an industry standard
and is used by millions of websites in the protection of
their online transactions with their customers.
To be able to create an SSL connection a web server
requires an SSL Certificate. When you choose to activate
SSL on your web server you will be prompted to
complete a number of questions about the identity of
your website and your company. Your web server then
creates two cryptographic keys - a Private Key and a
Public Key.
The Public Key does not need to be secret and is placed
into a Certificate Signing Request (CSR) - a data file also
containing your details. You should then submit the
CSR. During the SSL Certificate application process, the
Certification Authority will validate your details and
issue an SSL Certificate containing your details and
LIGHTWEIGHT CRYPTOGRAPHY & HASH (FUTURE RESEARCH)
Basically, these are ciphers that have a smaller digital
footprint and are the most apt for IOT devices. It's a
good trade-off between security, cost and
performance.
Ex.: DES (X/L), based on AES (Advanced
Encryption Standard), is being used in RFID and
other IOT lightweight applications since it
processes 4-bit/6-bit words rather than 32/48
bits. Ciphers discussed earlier are used in the
development of lightweight cryptography.
HASH - MD5 hash functions / SHA-3 are a
topic of research. Since the memory footprints
are quite large to be implemented for IOT
API MANAGEMENT (DEVELOPER'S SIDE)
The Application Programming Interface is
responsible for everything in your IOT
device: gateways, security and access
management as well as the API key
control.
On the IoT, data is everywhere — flowing
from devices to the cloud, from the cloud
to your back-end systems, from users
back to their devices — all enabled by
APIs. API Management enables you to
govern this flow of data with the security
you need to protect sensitive
information, and the performance
required to support connected cars,
HUMAN ELEMENT
This vulnerability has existed since the
beginning of the technology, and the same
holds true for IOT devices. The
fundamentals here are the same
everywhere, some of which can be listed
as:
1. Change default passwords!
2. Don't share your PGP private keys.
3. Restricted access for your LAN.
4. Regularly updated patches.
IOT EXPLOITATION (CHALLENGES)
Some of the most basic limitations of IOT devices,
and the attacks on them, can be summarized as:
1. Device Limitations.
2. MITM.
3. DOS/DDOS (most common)
4. Botnet
5. Data and Identity theft
6. Brute force/Dictionary (authentication attacks)
DEVICE LIMITATIONS
The first and foremost challenge
we face in securing IOT devices
is the limitations of the devices themselves.
The typical IOT device with an 8-bit
processor and 2-4 MB of flash
memory is not able to process the
different HASH functions and
encryption algorithms, and, this being a
relatively new concept, the
methods for using these functions on
typical IOT devices are still under
research (ex.: DESL).
But nonetheless lightweight
cryptography is still an option here.
BOTNET
A botnet is a network of systems combined
together with the purpose of remotely taking
control and distributing malware. Controlled by
botnet operators via Command-and-Control
Servers (C&C Servers), they are used by criminals
on a grand scale for many things: stealing
private information, exploiting online-banking
data, DDoS attacks or spam and phishing
emails.
With the rise of the IoT, many objects and
devices are in danger of being, or already are,
part of so-called thingbots – a botnet that
incorporates independent connected objects.
Ex.: It is easy for an SMTP filter to stop malicious
requests from one client, but not from dozens
or hundreds of clients sending the malicious
DOS/DDOS (DENIAL OF SERVICE)
A denial of service (DoS) attack happens
when a service that would usually work is
unavailable. There can be many reasons for
unavailability, but it usually refers to
infrastructure that cannot cope due to
capacity overload.
In a Distributed Denial of Service (DDoS)
attack, a large number of systems
maliciously attack one target. This is often
done through a botnet, where many devices
are programmed (often unbeknownst to the
owner) to request a service at the same time.
(Often a DoS attack lends itself to hacktivists
(MITM) ATTACK / DATA AND IDENTITY THEFT
The man-in-the-middle concept is where
an attacker or hacker is looking to interrupt
and breach communications between two
separate systems. It can be a dangerous
attack because it is one where the attacker
secretly intercepts and transmits messages
between two parties when they are under
the belief that they are communicating
directly with each other. As the attacker
has the original communication, they can
trick the recipient into thinking they are
still getting a legitimate message.
These attacks can be extremely dangerous
in the IoT, because of the nature of the
“things” being hacked.
Ex- Many cases have already been reported
BRUTE FORCE/DICTIONARY ATTACK (CLASSICS)
These are probably the oldest type
of automated attacks still used
widely.
Brute-force - Basically, the attempt
to uncover the password is done by
trying a wide variety of
letter/number combinations to
figure out what a password is so that
an account can be taken over.
Dictionary - On the flipside of things,
dictionary attacks involve the hacker
trying to determine your password
by trying hundreds or sometimes
CONCLUSION
To conclude, I would say that we still have a long way to go in
securing the IOT infrastructure, but some of the key points that
can be generalized for securing IOT devices are:
1. IOT security design should enable an open, pervasive and
interoperable yet secure infrastructure.
2. For the sake of privacy and security, IOT or smart devices
must be capable of implementing individual user-set policies.
3. Infrastructural security services should be accessible
transparently and regardless of the connection used by
nomadic smart IOT objects.
“SECURITY IS A MYTH” – DEFCON 22
REFERENCES:
• DEFCON 22: https://www.defcon.org/html/defcon-22/dc-22-index.html
• LIGHTWEIGHT CRYPTOGRAPHY white paper: https://www.iab.org/wp-content/IAB-uploads/2011/03/Kaftan.pdf
• IOT SECURITY: https://www.forbes.com/sites/gilpress/2017/03/20/6-hot-internet-of-things-iot-security-technologies/#7e7ad1c51b49
• HASH and ENCRYPTION white paper: http://repository.root-me.org/RFC/EN%20-%20rfc1321.txt (rfc1321)
• SHA-1/2/3 white paper: http://repository.root-me.org/RFC/EN%20-%20rfc5754.txt (rfc5754)

More Related Content

What's hot

Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
Network Security and Firewall
Network Security and FirewallNetwork Security and Firewall
Network Security and FirewallShafeeqaFarsana
 
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...CableLabs
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Will Internet of Things (IoT) be secure enough?
Will Internet of Things (IoT) be secure enough? Will Internet of Things (IoT) be secure enough?
Will Internet of Things (IoT) be secure enough? Ravindra Dastikop
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTSKS
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Seminar (network security)
Seminar (network security)Seminar (network security)
Seminar (network security)Gaurav Dalvi
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
IoT - Attacks and Solutions
IoT - Attacks and SolutionsIoT - Attacks and Solutions
IoT - Attacks and SolutionsUlf Mattsson
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 Tonex
 
Security challenges in IoT
Security challenges in IoTSecurity challenges in IoT
Security challenges in IoTVishnupriya T H
 
The Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approachThe Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approachDeloitte United States
 

What's hot (20)

IoT Security
IoT SecurityIoT Security
IoT Security
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITY
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security Presentation
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
Network Security and Firewall
Network Security and FirewallNetwork Security and Firewall
Network Security and Firewall
 
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address them
 
Will Internet of Things (IoT) be secure enough?
Will Internet of Things (IoT) be secure enough? Will Internet of Things (IoT) be secure enough?
Will Internet of Things (IoT) be secure enough?
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOT
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of Things
 
Seminar (network security)
Seminar (network security)Seminar (network security)
Seminar (network security)
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Network security
Network securityNetwork security
Network security
 
IoT - Attacks and Solutions
IoT - Attacks and SolutionsIoT - Attacks and Solutions
IoT - Attacks and Solutions
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019
 
Security challenges in IoT
Security challenges in IoTSecurity challenges in IoT
Security challenges in IoT
 
Overview of IoT and Security issues
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
 
The Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approachThe Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approach
 

Similar to Iot Security

Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Ahmed Mohamed Mahmoud
 
Nt1310 Unit 6 Powerpoint
Nt1310 Unit 6 PowerpointNt1310 Unit 6 Powerpoint
Nt1310 Unit 6 PowerpointJanet Robinson
 
IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and ChallengesOWASP Delhi
 
IRJET - Cryptographic Communication between Two ESP32 Devices
IRJET - Cryptographic Communication between Two ESP32 DevicesIRJET - Cryptographic Communication between Two ESP32 Devices
IRJET - Cryptographic Communication between Two ESP32 DevicesIRJET Journal
 
International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)irjes
 
Internet of Things (IoT) Security using stream cipher.ppt
Internet of Things (IoT)  Security using stream cipher.pptInternet of Things (IoT)  Security using stream cipher.ppt
Internet of Things (IoT) Security using stream cipher.pptAliSalman110
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control AddressAngie Lee
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)Wail Hassan
 
Presentation on Cyber Security
Presentation on Cyber SecurityPresentation on Cyber Security
Presentation on Cyber SecurityAnand Kater
 
Social Engg. Assignment it17 final (1)
Social Engg. Assignment  it17 final (1)Social Engg. Assignment  it17 final (1)
Social Engg. Assignment it17 final (1)rosu555
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Grapeboard - Enabling Secure Communication
Grapeboard - Enabling Secure CommunicationGrapeboard - Enabling Secure Communication
Grapeboard - Enabling Secure CommunicationHans Klos
 
Secrity project keyvan
Secrity project   keyvanSecrity project   keyvan
Secrity project keyvanitrraincity
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications TechnologiesSarah Jimenez
 
Iaetsd network security and
Iaetsd network security andIaetsd network security and
Iaetsd network security andIaetsd Iaetsd
 

Similar to Iot Security (20)

Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"
 
Nt1310 Unit 6 Powerpoint
Nt1310 Unit 6 PowerpointNt1310 Unit 6 Powerpoint
Nt1310 Unit 6 Powerpoint
 
IoT Security Risks and Challenges
IoT Security Risks and ChallengesIoT Security Risks and Challenges
IoT Security Risks and Challenges
 
IRJET - Cryptographic Communication between Two ESP32 Devices
IRJET - Cryptographic Communication between Two ESP32 DevicesIRJET - Cryptographic Communication between Two ESP32 Devices
IRJET - Cryptographic Communication between Two ESP32 Devices
 
International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)
 
Internet of Things (IoT) Security using stream cipher.ppt
Internet of Things (IoT)  Security using stream cipher.pptInternet of Things (IoT)  Security using stream cipher.ppt
Internet of Things (IoT) Security using stream cipher.ppt
 
Network security
Network securityNetwork security
Network security
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control Address
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)
 
Presentation on Cyber Security
Presentation on Cyber SecurityPresentation on Cyber Security
Presentation on Cyber Security
 
Social Engg. Assignment it17 final (1)
Social Engg. Assignment  it17 final (1)Social Engg. Assignment  it17 final (1)
Social Engg. Assignment it17 final (1)
 
Cyber security
Cyber securityCyber security
Cyber security
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Day4
Day4Day4
Day4
 
Grapeboard - Enabling Secure Communication
Grapeboard - Enabling Secure CommunicationGrapeboard - Enabling Secure Communication
Grapeboard - Enabling Secure Communication
 
Secrity project keyvan
Secrity project   keyvanSecrity project   keyvan
Secrity project keyvan
 
Designing Internet of things
Designing Internet of thingsDesigning Internet of things
Designing Internet of things
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications Technologies
 
Iaetsd network security and
Iaetsd network security andIaetsd network security and
Iaetsd network security and
 
Physical Layer Essay
Physical Layer EssayPhysical Layer Essay
Physical Layer Essay
 

Recently uploaded

Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 

Recently uploaded (20)

Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...

Iot Security

  • 1. DEPT. OF ELECTRONICS AND INSTRUMENTATION TECHNOLOGY 2016-17 TECHNICAL SEMINAR GUIDE : SMT. S S VIDYA HOD : DR. M B MEENAVATHI PRESENTED BY : MAITREYA
  • 2. IOT SECURITY CHALLENGES IN IOT SECURITY AND ITS COUNTER MEASURES.
  • 3. INDEX • Basics of IOT and Sensors. • Internet and IOT. • Securing the IOT. • Exploiting the IOT(Challenges). • Practical Exploit (example) – Optional. • Conclusion. • References.
  • 4. IOT (INTERNET OF THINGS) IOT: The term was first coined in 1999 by Kevin Ashton. The Internet of Things is the inter-networking of physical devices, vehicles (also referred to as "connected devices" and "smart devices"), buildings and other items with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.
  • 5. IOT AND SENSORS The communication part can be handled by the API of the connected device and the predefined RFC protocols (Internet), but the sensing still needs to be done, and from an instrumentation point of view we need sensors and actuators to get "smart" results. Different types of sensors are available on the market for different purposes, in an unbelievable range. The basic sensing and actuation logic is shown in the side diagram. Some well-known sensors are: proximity sensors, ultrasonic sensors, accelerometers and webcams.
  • 6. HOME SECURITY (WITH OBJECT SENSOR) Diagram labels: Object; Object Sensor (IR, Ultrasonic & Webcam); NodeMCU (SMTP server) with PI; Internet; Root (mail). Exploring the many ways of object detection: The basic diagram explains how to detect an object in an IOT-connected room. Basic IR and ultrasonic sensors can be used in conjunction with the NodeMCU (ESP8266) to construct an IOT home security system to send message via
  • 7. IOT SECURITY IOT security can be divided into the following areas: 1. Restricted Access 2. Encryption (network and data) 3. Default API 4. Human Element (as usual) 5. Defensive Dark Arts (DEFCON 22)
  • 8. RESTRICTED ACCESS ! This is probably the most basic and first step in securing your IOT device. (KEEP IT IN AN ISOLATED NETWORK) If you can, you should always keep your IOT devices in a restricted, isolated network, away from the devices that you normally keep connected to the internet. What this will achieve will be a way of isolation for your IOT devices which
  • 9. ENCRYPTION Encryption: IOT security relies on the encryption of two separate aspects: first, the encryption of network access (especially the IOT network), and second, the encryption of data sent via the internet. Some basic encryption for IOT involves SSL, public key cryptography, hash functions (SHA-3), block ciphers and stream ciphers. The network encryption involves AES, WPA/WPA-2 and WEP etc. Some of the basic communication encryption methods are discussed further.
  • 10. BLOCK CIPHERS A block cipher is a deterministic and computable function of k-bit keys and n-bit (plaintext) blocks to n-bit (cipher text) blocks. (More generally, the blocks don't have to be bit-sized, n-character-blocks would fit here, too). This means, when you encrypt the same plaintext block with the same key, you'll get the same result. (We normally also want that the function is invertible, i.e. that given the key and the cipher text block we can compute the plaintext.) To actually encrypt or decrypt a message (of any size), you don't use the block cipher directly, but put it into a mode of operation. The simplest such mode would be electronic code book mode (ECB), which simply cuts the message in blocks, applies the cipher to each block and outputs the resulting blocks. (This is generally not a secure mode, though.)
  • 11. STREAM CIPHERS A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the cipher text stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as a state cipher. In practice, a digit is typically a bit and the combining
  • 12. PUBLIC KEY CRYPTOGRAPHY In a public key encryption system, any person can encrypt a message using the public key of the receiver, but such a message can be decrypted only with the receiver's private key. For this to work it must be computationally easy for a user to generate a public and private key-pair to be used for encryption and decryption. The strength of a public key cryptography system relies on the degree of difficulty (computational impracticality) for a properly generated private key to be determined from its corresponding public key. Security then depends only on
  • 13. SSL (SECURE SOCKETS LAYER) SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key. The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) - a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and
  • 14. LIGHTWEIGHT CRYPTOGRAPHY & HASH (FUTURE RESEARCH) Basically, these are ciphers with a smaller footprint that are most apt for IOT devices. It's a good trade-off between security, cost and performance. Ex- DES (X/L) based on AES (Advanced Encryption Standard) being used in RFID and other IOT lightweight applications since it processes 4bit/6 bit words rather than 32/48 bits. Ciphers discussed earlier are used in the development of lightweight cryptography. HASH - MD5 hash functions / SHA-3 are a topic of research. Since the memory footprints are quite large to be implemented for IOT
  • 15. API MANAGEMENT (DEVELOPER'S SIDE) The Application Programming Interface is responsible for everything in your IOT device: gateways, security and access management as well as the API key control. On the IoT, data is everywhere, flowing from devices to the cloud, from the cloud to your back-end systems, from users back to their devices, all enabled by APIs. API Management enables you to govern this flow of data with the security you need to protect sensitive information, and the performance required to support connected cars,
  • 16. HUMAN ELEMENT This vulnerability has existed since the beginning of the technology, and the same holds true for IOT devices. The fundamentals here are the same everywhere, some of which can be listed as: 1. Change default passwords!!!! 2. Don't share your PGP private keys. 3. Restricted access for your LAN. 4. Regularly updated patches.
  • 17. IOT EXPLOITATION (CHALLENGES) Some of the most basic limitations of IOT devices, and attacks on them, can be summarized as: 1. Device Limitations. 2. MITM. 3. DOS/DDOS (most common) 4. Botnet 5. Data and Identity theft 6. Brute force/Dictionary (authentication attacks)
  • 18. DEVICE LIMITATIONS The first and foremost challenge we face in securing IOT devices is the device limitations themselves. The typical IOT device, with an 8-bit processor and 2-4 MB of flash memory, is not able to process the different HASH functions and encryption algorithms, and since this is a relatively new concept, the methods for using these functions on typical IOT devices are still under research (e.g. DESL). But nonetheless lightweight cryptography is still an option here.
  • 19. BOTNET A botnet is a network of systems combined together with the purpose of remotely taking control and distributing malware. Controlled by botnet operators via Command-and-Control Servers (C&C Servers), they are used by criminals on a grand scale for many things: stealing private information, exploiting online-banking data, DDoS attacks, or spam and phishing emails. With the rise of the IoT, many objects and devices are in danger of being, or already are, part of so-called thingbots – a botnet that incorporates independent connected objects. Ex- It is easy for an SMTP filter to stop malicious requests from one client, but not from dozens or hundreds of clients sending the malicious
  • 20. DOS/DDOS (DENIAL OF SERVICE) A denial of service (DoS) attack happens when a service that would usually work is unavailable. There can be many reasons for unavailability, but it usually refers to infrastructure that cannot cope due to capacity overload. In a Distributed Denial of Service (DDoS) attack, a large number of systems maliciously attack one target. This is often done through a botnet, where many devices are programmed (often unbeknownst to the owner) to request a service at the same time. (Often a DoS attack lends itself to hacktivists
  • 21. (MITM) ATTACK/ DATA AND IDENTITY THEFT The man-in-the-middle concept is where an attacker or hacker is looking to interrupt and breach communications between two separate systems. It can be a dangerous attack because it is one where the attacker secretly intercepts and transmits messages between two parties when they are under the belief that they are communicating directly with each other. As the attacker has the original communication, they can trick the recipient into thinking they are still getting a legitimate message. These attacks can be extremely dangerous in the IoT, because of the nature of the “things” being hacked. Ex- Many cases have already been reported
  • 22. BRUTE FORCE/DICTIONARY ATTACK (CLASSICS) These are probably the oldest types of automated attack still widely used. Brute-force - Basically, the attempt to uncover the password is done by trying a wide variety of letter/number combinations to figure out what a password is so that an account can be taken over. Dictionary - On the flip side, dictionary attacks involve the hacker trying to determine your password by trying hundreds or sometimes
  • 23. CONCLUSION To conclude, I would say that we still have a long way to go in securing the IOT infrastructure, but some key points for securing IOT devices can be generalized as: 1. IOT security design should enable an open, pervasive and interoperable yet secure infrastructure. 2. For the sake of privacy and security, IOT or smart devices must be capable of implementing individual user-set policies. 3. Infrastructural security services should be accessible transparently and regardless of the connection used by nomadic smart IOT objects. “SECURITY IS A MYTH” – DEFCON 22
  • 24. REFERENCES: • DEFCON 22 : https://www.defcon.org/html/defcon-22/dc-22-index.html • LIGHTWEIGHT CRYPTOGRAPHY white paper : https://www.iab.org/wp-content/IAB-uploads/2011/03/Kaftan.pdf • IOT SECURITY : https://www.forbes.com/sites/gilpress/2017/03/20/6-hot-internet-of-things-iot-security-technologies/#7e7ad1c51b49 • HASH and ENCRYPTION white paper : http://repository.root-me.org/RFC/EN%20-%20rfc1321.txt (rfc1321) • SHA -1/2/3 white paper : http://repository.root-me.org/RFC/EN%20-%20rfc5754.txt (rfc5754)
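
The block cipher slide (slide 10) says that the same plaintext block under the same key always gives the same result, and that ECB is generally not a secure mode. The following is an added example, not part of the original slides, that shows the leak on repeated sensor readings and compares it with counter (CTR) mode. The 4-round Feistel cipher is a toy built from SHA-256 so the example runs with the standard library only; it stands in for a real block cipher such as AES and is not itself secure. `KEY`, `SAMPLE` and all function names are constructed for this illustration.

```python
import hashlib
import os

BLOCK = 8                                   # toy block size in bytes (n = 64 bits)
KEY = b"constructed-demo-key"               # constructed sample key
SAMPLE = b"DOOR=OK " * 3 + b"DOOR=OPN"      # constructed sensor readings, 4 blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: hash of key, round number and half block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Feistel network: deterministic and invertible for a fixed key.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # ECB: cut the message into blocks and encrypt each one independently.
    if len(msg) % BLOCK:
        raise ValueError("message length must be a multiple of BLOCK")
    return b"".join(encrypt_block(key, msg[i:i + BLOCK])
                    for i in range(0, len(msg), BLOCK))

def ctr_encrypt(key: bytes, msg: bytes, nonce: bytes = None) -> bytes:
    # CTR: encrypt nonce||counter to get a keystream block, XOR it with the data.
    nonce = nonce or os.urandom(BLOCK // 2)
    out = bytearray()
    for n, i in enumerate(range(0, len(msg), BLOCK)):
        stream = encrypt_block(key, nonce + n.to_bytes(BLOCK // 2, "big"))
        out += _xor(msg[i:i + BLOCK], stream)
    return nonce + bytes(out)

def ctr_decrypt(key: bytes, data: bytes) -> bytes:
    return ctr_encrypt(key, data[BLOCK // 2:], data[:BLOCK // 2])[BLOCK // 2:]

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))
```

Calling `repeated_blocks(ecb_encrypt(KEY, SAMPLE))` shows an observer which readings were identical without knowing the key; the CTR ciphertext (after its 4-byte nonce prefix) has no such repeats as long as a nonce is never reused with the same key.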
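
The botnet slide (slide 19) notes that a filter can stop one misbehaving client easily but not dozens or hundreds, and slide 22 describes brute-force and dictionary attempts against a login. The following is an added example, not part of the original slides, of detection logic for both cases: it counts failed logins per source address and, separately, the number of distinct sources failing against one account. The log format, the thresholds and all names are assumptions made for this illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)     # sliding window for both counters (assumed)
PER_SOURCE_LIMIT = 5              # failures from one address within WINDOW
PER_ACCOUNT_SOURCES = 4           # distinct addresses failing on one account

# Constructed sample log: one noisy client, then many quiet clients, then a success.
LOG = (
    [f"2017-03-20T10:00:{i:02d} FAIL user=admin src=203.0.113.5" for i in range(6)]
    + [f"2017-03-20T10:01:{i:02d} FAIL user=root src=198.51.100.{i}" for i in range(1, 7)]
    + ["2017-03-20T10:02:00 OK user=alice src=192.0.2.10"]
)

def parse(line: str):
    # "<ISO timestamp> <OK|FAIL> user=<name> src=<address>"
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect(lines):
    """Return (noisy_sources, distributed_targets) for a list of log lines."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    noisy_sources, distributed_targets = set(), set()
    for ts, result, user, src in sorted(map(parse, lines)):
        if result != "FAIL":
            continue
        # Keep only events inside the window, then add the current one.
        by_src[src] = [t for t in by_src[src] if ts - t <= WINDOW] + [ts]
        by_user[user] = [(t, s) for t, s in by_user[user]
                         if ts - t <= WINDOW] + [(ts, src)]
        if len(by_src[src]) >= PER_SOURCE_LIMIT:
            noisy_sources.add(src)          # classic single-client guessing
        if len({s for _, s in by_user[user]}) >= PER_ACCOUNT_SOURCES:
            distributed_targets.add(user)   # many clients, each under the limit
    return noisy_sources, distributed_targets

if __name__ == "__main__":
    noisy, distributed = detect(LOG)
    print("sources over per-address limit:", sorted(noisy))
    print("accounts hit from many addresses:", sorted(distributed))
```

On the constructed log, the per-address counter flags only `203.0.113.5`; the six `198.51.100.x` clients each fail once and are caught only by the per-account counter.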