Io t privacy and security considerations

681 views

Published on

In this session I discuss some of my thoughts on privacy and security considerations that threathen and are raised by the upcoming internet of things. Warning, you may leave with more questions than answers

Published in: Technology, Business
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
681
On SlideShare
0
From Embeds
0
Number of Embeds
31
Actions
Shares
0
Downloads
29
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide
  • Real time message processing as a service
    Think of it as IFTTT for internet of things

    Solves today’s integration issues
    Scalability, data volume, multitude protocols & platforms, multitude of integration points, saas & social integration, mobile platforms, business ecosystems, ownership & centralized management, …
  • Real and present dangers
    Are a threat to IOT
    Are caused by IOT
  • Investigation and understanding is required
  • Can third parties (ab)use this information?
    ‘Personally wellbeing’: Doctors, physicians, …
    ‘Social purposes’: Government, police, judges, …
    ‘Commercial purposes’: Insurance, lawyers, markting…
    ‘Pure evil’: Identity theft, extortion, …
  • What about the small things in life?
    Occasional white lie <> activity/location tracking
    Socially unacceptable (yet totally normal) behaviour <> Sensors
  • Prevent physical tampering
    Seals, marks
    Alarms, camera’s

    Prevent virtual tampering
    Bootloader in chip or ROM
    Checks firmware origin before loading into RAM
    Updating (incl. security fixes) now just got a lot harder though
  • All this comes at a cost, both in time and money.
    And not just on the producer side
    Is it worth it, do people care enough?
    Or will convenience be more important than privacy?
  • Io t privacy and security considerations

    1. 1. Yves Goeleven #IoT: Privacy and security considerations Thanks to
    2. 2. Yves Goeleven • Founder of MessageHandler.net – Shipping software since 2001 – Windows Azure MVP – Developer on NServiceBus 2
    3. 3. Exhibition theater @ kinepolis
    4. 4. Agenda • Why this talk? • What are the dangers? • Security options • Privacy options 4
    5. 5. Agenda Why this talk? 5
    6. 6. 6
    7. 7. 7
    8. 8. You might just leave this session with more questions than answers
    9. 9. Talk! Let’s start a conversation! 11
    10. 10. Challenge! I challenge anyone to do a follow up session with your own questions and ideas. 12
    11. 11. Agenda What are the dangers? 13
    12. 12. 14 Internet of Things
    13. 13. 15
    14. 14. What are the dangers? Personal 17
    15. 15. & invisible
    16. 16. White lies are the common decency holding us together 20
    17. 17. Agenda What can we do? 22
    18. 18. Security options • Prevent physical access – Behind locked doors – Secure casing – Do not expose physical ports (usb, ethernet, ...) 24
    19. 19. Security options • Prevent virtual access – Do not open inbound ports – Design without ’listeners’ or ‘servers’ on the devices – Instead use ‘workers’ or ‘agents’ and remote queues with outbound connections only 25
    20. 20. 26
    21. 21. Security options • Prevent physical tampering – Seals, markers – Alarms – Camera’s 27
    22. 22. Security options • Prevent virtual tampering – Bootloader in chip or ROM, checks firmware origin before loading into RAM – Note: Updating (incl. security fixes) now just got a lot harder though 28
    23. 23. Security options • Keep track of device identity – Let devices register themselves/call home – Do this on boot & periodically 30
    24. 24. Security options • Analyze device behavior – Include device specific & variable information – Analyze it server side to detect hacked or spoofed devices 31
    25. 25. Security options • Block compromised devices – Access control lists – Protocol/package filtering – Signal Jamming – Unplug the power – On the device, or a specialized device 32
    26. 26. Security options • Many low-power devices cannot encrypt data using standard encryption techniques – Not enough memory – Drains battery too fast 34
    27. 27. Security options • Do not store unencrypted data – On publicly accessible devices – Better send it elsewhere, unencrypted if needed, to store it safely 35
    28. 28. Security options • Do not send unencrypted data over long distances – Use a local ‘gateway’, a powerfull local device to encrypt it on behalf of dumb devices 36
    29. 29. Security options • Use alternative encryption & data mangling strategies – Signed at the foundry, if you can live with lock-in – Ciphers, hashes & arithmetic algorithms 37
    30. 30. Security options • Audit your physical environment – Know which devices are ‘smart’ – And how they communicate – Include all technologies (IR, RF, Bluetooth) 39
    31. 31. Security options • Spy on your things – Intercept communication between your ‘things’ – Analyze the communication & detect anomalies 40
    32. 32. Security options • Physical canary – Apply ‘social control’ amongst devices – Let devices report that other devices are talking to them inappropriately 41
    33. 33. Internet of things, reference architecture 42
    34. 34. Privacy options • There are privacy laws – Make sure not to break these! – Do not store, send or process information that you’re not allowed to – http://en.wikipedia.org/wiki/Data_Protection_Directiv e 44
    35. 35. Privacy options • Is it clear what laws apply when? – Multinationals spread across different countries – Difference in laws where data is collected vs data is processed or stored – US vs EU: direct conflict 45
    36. 36. Privacy options • Trust is paramount for adoption of IoT – Make it your policy not to break it – People may choose not to buy products from violators 48
    37. 37. Privacy options • Question is: is this really true? – Facebook is huge, yet no one trusts them (I hope) – Will convenience win over privacy concerns for majority of people? 49
    38. 38. Privacy options • Build trust by asking for user consent – On data collection devices – Oauth great for this!? – But how about devices without a screen? 50
    39. 39. Privacy options • And how about exchanging and correlating information with 3rd parties in backend? – Need for federated authorization? – With context? – F.e. I allow you to analyse my energy consumption, send the results to government, but not to utility? 52
    40. 40. 55 Loyalty plan Give me your address and you'll get 10% off on your next pair of jeans…
    41. 41. Other things we can do? There’s a lot we can do 56
    42. 42. Other things we can do? Also a lot of open questions 57
    43. 43. Other things we can do? But maybe consumers just don’t care (aren’t prepared to pay for it?) 58
    44. 44. Other things we can do? What do you think? 59
    45. 45. 60 A big thank you to our sponsors Gold Partners Silver & Track Partners Platinum Partners

    ×