1. Securing the Internet of
Things
Mark Horowitz
Stanford School of Engineering
1

2. It's Worse Than You Think
Secure Internet of Things
3

3. Secure Internet of Things
Our Goal
• Embark on a 5-year research project to secure the
Internet of Things
▶ Collaboration between Stanford, Berkeley, and Michigan
• Rethink building IoT systems from the ground up
▶ Systems, cryptography, applications, analytics, networks,
hardware, software, HCI
• Data security: novel cryptography that enables
analytics on confidential data
• System security: a software framework for safe
and secure IoT applications
4

4. Secure Internet of Things
Outline
• What is the Internet of Things?
• Why IoT security is so hard
• What we plan to do about it
5

5. The Internet of Things
Secure Internet of Things
6

6. Internet(s) of Things
Secure Internet of Things
7
Networked
Devices
Tens/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Powered
WiFi/802.11
TCP/IP
IEEE/IETF
Personal Area
Networks
Tens/person
Personal environment
Unlicensed spectrum
Instrumentation
Fashion vs. function
Bluetooth, BLE
3G/LTE
3GPP/IEEE
Home Area
Networks
Hundreds/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Consumer requirements
ZigBee, Z-Wave
6lowpan, RPL
IETF/ZigBee/private
Industrial
Automation
Thousands/person
Controlled Environment
High reliability
Control networks
Industrial requirements
WirelessHART, 802.15.4
6tsch, RPL
IEEE/IIC/IETF

7. Internet(s) of Things
Secure Internet of Things
8
Networked
Devices
Tens/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Powered
WiFi/802.11
TCP/IP
IEEE/IETF
Personal Area
Networks
Tens/person
Personal environment
Unlicensed spectrum
Instrumentation
Fashion vs. function
Bluetooth, BLE
3G/LTE
3GPP/IEEE
Home Area
Networks
Hundreds/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Consumer requirements
ZigBee, Z-Wave
6lowpan, RPL
IETF/ZigBee/private
Industrial
Automation
Thousands/person
Controlled Environment
High reliability
Control networks
Industrial requirements
WirelessHART, 802.15.4
6tsch, RPL
IEEE/IIC/IETF

8. IoT: MGC Architecture
Secure Internet of Things 9

9. IoT: MGC Architecture
eMbedded
devices
Secure Internet of Things 10

10. eMbedded
devices
Secure Internet of Things
Gateways
11
IoT: MGC Architecture
ZigBee,
ZWave,
Bluetooth,
WiFi

11. ZigBee,
ZWave,
Bluetooth,
Secure Internet of Things
WiFi
3G/4G,
TCP/IP
Gateways
Cloud
12
IoT: MGC Architecture
eMbedded
devices

12. IoT: MGC Architecture
ZigBee,
ZWave,
Bluetooth,
Secure Internet of Things
WiFi
3G/4G,
TCP/IP
eMbedded
devices
Gateways
Cloud
13 User device

13. IoT: MGC Architecture
embedded C
(ARM, avr, msp430)
Secure Internet of Things
14
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP

14. IoT: MGC Architecture
embedded C
(ARM, avr, msp430)
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Obj-C/C++, Java,
Swift, Javascript/HTML
Secure Internet of Things 15

15. IoT: MGC Architecture
3G/4G,
TCP/IP
Ruby/Rails,
Python/Django,
J2EE, PHP, Node.js
Obj-C/C++, Java,
Swift, Javascript/HTML
embedded C
(ARM, avr, msp430)
ZigBee,
ZWave,
Bluetooth,
WiFi
Secure Internet of Things 16

16. IoT Security is Hard
Secure Internet of Things
3G/4G,
TCP/IP
Ruby/Rails,
Python/Django,
J2EE, PHP, Node.js
Obj-C/C++, Java,
Swift, Javascript/HTML
embedded C
(ARM, avr, msp430)
ZigBee,
ZWave,
Bluetooth,
WiFi
Secure Internet of Things 23
• Complex, distributed systems
▶ 103-106 differences in resources across tiers
▶ Many languages, OSes, and networks
▶ Specialized hardware
• Just developing applications is hard
• Securing them is even harder
▶ Enormous attack surface
▶ Reasoning across hardware, software, languages, devices, etc.
▶ What are the threats and attack models?
• Valuable data: personal, location, presence
• Rush to development + hard ➔ avoid, deal later
17

17. 18
What We're Going To
Do About it

18. Secure Internet of Things
Two Goals
19
1.Research and define new cryptographic
computational models for secure data analytics
and actuation on enormous streams of real-time
data from embedded systems.
2.Research and implement a secure, open source
hardware/software framework that makes it easy
to quickly build Internet of Things applications that
use these new computational models.

19. Two Kinds of Security
Secure Internet of Things
20
• Data security: data collected and processed by
IoT applications remains safe
▶ Home occupancy
▶ Medical data
▶ Presence/location
• System security: elements of MGC architecture
are hard to compromise
▶ eMbedded devices
▶ Gateways
▶ Cloud systems
▶ End applications

20. Secure Internet of Things
Data Security
• Security limits what you (or an attacker) can do
• What do IoT applications need to do?
▶ Generate data samples
▶ Process/filter these samples
▶ Analytics on streams of data, combined with historical data
▶ Produce results for end applications to view
• Goal: end-to-end security
▶ Embedded devices generate encrypted data
▶ Only end applications can fully decrypt and view data
▶ Gateways and cloud operate on data without knowing what it is
21

21. End-to-End Security
Secure Internet of Things
22
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data

22. End-to-End Security
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data
Secure Internet of Things 23

23. End-to-End Security
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data
Secure Internet of Things 23

24. End-to-End Security
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data
Secure Internet of Things 23

25. End-to-End Security
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data
Secure Internet of Things 23

26. End-to-End Security
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data
Secure Internet of Things 23

27. End-to-End Security
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data
Secure Internet of Things 23

28. End-to-End Security
ZigBee,
ZWave,
Bluetooth,
WiFi
3G/4G,
TCP/IP
Data
Secure Internet of Things 24

29. End-to-End Security
• Sensing device samples data, encrypts it
• Each processing stage can decrypt or operate on
encrypted data (increases storage requirements,
limits potential operations)
• Possible that only end user can fully view data
data encrypted encrypted data
Secure Internet of Things
25

30. Homomorphic Encryption
Secure Internet of Things
(Gentry, 2009)
• Take a sensor value S, encrypt it to be Se
• It is possible to perform arbitrary computations on Se
▶ But 1,000,000 slower than computations on S
• So confidential analytics possible, but not yet practical
▶ But can be fast for specific computations (e.g., addition)
26

31. New Computational Models
• Is it possible for devices to compute aggregate
statistics without revealing their own data?
▶ You’re in the 85th percentile for saving water today!
▶ Your house consumed 120% of its average energy today
• Is it possible to compute complex analytics?
• Need new cryptographic computation models
▶ Support computations that IoT applications need
•)DFXOWZRUNLQJLQWKLVDUHD
▶ Christopher Ré on analytics
▶ Dan Boneh on cryptographic computational models
Secure Internet of Things
27

32. Secure Internet of Things
Two Goals
28
1.Research and define new cryptographic
computational models for secure data analytics
and actuation on enormous streams of real-time
data from embedded systems.
2.Research and implement a secure, open source
framework that makes it easy to quickly build
Internet of Things applications that use these new
computational models.

33. Building an Application
• Write a data processing pipeline
▶ Consists of a set of Models, describing data as it is stored
▶ Transforms move data between Models
▶ Instances of Models are bound to devices
▶ Views can display Models
▶ Controllers determine how data moves to Transforms
10Hz !
Sampling!
Secure Internet of Things
29
Motion!
Sensor! Gateway! PC/Server! App/Web!
Recent!
History!
Activity!
Long!
History!
Behavior!
Analytics,!
Suggestions!
Health!
Views!
Controllers!
Models and!
Transforms!
Recent!
History!
Activity!
Alarm! Schedule!
security and privacy !

34. Secure Internet of Things
Code Generation
• Framework generates (working) skeleton code for
entire pipeline
▶ All Models, Transforms, and Controllers are written in a
platform-independent language
▶ Views are device specific (although many are HTML/JS)
• Developer can modify this generated code
▶ Framework detects if modifications violate pipeline description
▶ E.g., data types, information leakage, encryption
▶ Generated code compiles down to device OS/system
•)DFXOWZRUNLQJLQWKLVDUHD
▶ David Mazières: software abstractions for security
▶3KLO/HYLV: 5DYHO software VVWHP
30

35. The Internet of Things
• Networking is one of the hardest development
challenges in IoT applications
▶ Ultra-low power protocols
▶ Difficult link layers (4G, BLE)
▶ Protocol stack mismatches
▶ Data packing/unpacking
• Framework handles this automatically
▶ Novel network algorithms
•)DFXOWZRUNLQJLQWKLVDUHD
▶ Keith Winstein, reliability in challenged networks
▶ Prabal Dutta, low power wireless
Secure Internet of Things
31

36. Software-defined Hardware
• Hardware (boards, chips, power) is a daunting
challenge to software developers
▶ It easier to modify something than create it from scratch
• The data processing pipeline is sufficient
information to specify a basic embedded device
▶ Sensors, networking, storage, processing needed
•)DFXOWZRUNLQJLQWKLVDUHD
▶ Mark Horowitz: DXWRPDWLQJFRQVWUDLQHGKDUGZDUHGHVLJQ
▶ Prabal Dutta: embedded device design
▶ Björn Hartmann: prototyping new applications
Secure Internet of Things
32

37. Secure Internet of Things
Making It Easy
• If it's hard to use, people will work around it
▶ Set password to password
▶ Just store data in the clear
• Must understand development model
▶ Embrace modification, incorporation, low barrier to entry
▶ Do so such that prototypes can transition to production
•)DFXOWZRUNLQJLQWKLVDUHD
▶ Björn Hartmann: prototyping new applications
33