
Privacy and Security for the Emerging Internet of Things

Intel iSecCon2016 conference
I talk about the pyramid of IoT devices, sketch out some of the security and privacy issues, and present some of the ongoing work we are doing in this space at Carnegie Mellon University.

Published in: Technology

  1. ©2016CarnegieMellonUniversity:1
     Privacy and Security for the Emerging Internet of Things
     Intel iSecCon 2016
     Jason Hong, @jas0nh0ng, jasonh@cs.cmu.edu
     Computer Human Interaction: Mobility Privacy Security
  2. (image only)
  3. (image only)
  4. (image only)
  5. We Are Just Starting to Enter the Third Wave of Computing
     • First Wave: Computation – Making the basics of computers work
     • Second Wave: Networking – Connecting computers around the world
     • Third Wave: Internet of Things (IoT) – Computation, communication, sensing, and actuation woven into our physical world
     • IoT offers tremendous potential societal benefits – Healthcare, transportation, sustainability, energy, …
  6. New Privacy and Security Challenges
  7. My Talk Today
     • What are frameworks for thinking about the privacy and security problems?
     • What are some opportunities for improving privacy and security for IoT?
       – No silver bullet, but lots of room for improvement
     • What are some of the IoT-related projects we’re doing at Carnegie Mellon University?
  8. IoT Pyramid
     Top Tier
     • A few devices per person
     • High computational power
     • Examples: Tablets, Glasses, Laptops, Smartphones
  9. IoT Pyramid
     Top Tier
     • A few devices per person
     • High computational power
     • Examples: Tablets, Glasses, Laptops, Smartphones
     Middle Tier
     • Tens of devices per person
     • Moderate computational power
     • Examples: TVs, Smart Toys, Thermostats, Refrigerators
  10. IoT Pyramid
     Top Tier
     • A few devices per person
     • High computational power
     • Examples: Tablets, Glasses, Laptops, Smartphones
     Middle Tier
     • Tens of devices per person
     • Moderate computational power
     • Examples: TVs, Smart Toys, Thermostats, Refrigerators
     Bottom Tier
     • Hundreds of devices per person
     • Low computational power
     • Examples: HVAC, RFIDs, Lightbulbs, Smart toilets, Implanted medical devices
  11. IoT Security Issues
     Top Tier Security
     • Cybersecurity good today
     • Can run endpoint protection
     • Large corporations developing
  12. IoT Security Issues
     Top Tier Security
     • Cybersecurity good today
     • Can run endpoint protection
     • Large corporations developing
     Middle Tier Security
     • Cybersecurity weak today
     • Basic or no endpoint capabilities
     • Spotty security protections
  13. IoT Security Issues
     Top Tier Security
     • Cybersecurity good today
     • Can run endpoint protection
     • Large corporations developing
     Middle Tier Security
     • Cybersecurity weak today
     • Basic or no endpoint protection
     • Spotty security protections
     Bottom Tier Security
     • Cybersecurity very poor today
     • Weak or no endpoint protection
     • Low manufacturer experience
     • High diversity in hw, sw, OS
     • Many devices never updated
     • Major scalability challenges
  14. How is IoT Security Different? 1. Physical Safety and Security
     • Deliberate attacks
       – Ex. Crashing drones or autonomous vehicles
       – Note that most attackers won’t do this
  15. How is IoT Security Different? 1. Physical Safety and Security
     • Different classes of attackers, different motives
     • State-sponsored – State secrets, intellectual property, sowing discord
     • Non-state actors – Terrorism, advocacy for a cause
     • Organized crime – Repeatable business model, stay under the radar
     • Disgruntled employee / Insider attack
     • Script kiddies
  16. How is IoT Security Different? 1. Physical Safety and Security
     • More likely attack: Ransomware
       – Locked out of your house unless you pay a ransom
       – Videos of you at home made public unless you pay
     • Just as likely: attacks for the “lulz”
       – Tripping circuit breakers at the office
       – Remotely adjusting the thermostat to make it harder to sleep (or waste money, or let pipes freeze over)
     • What kinds of safeguards for physical safety?
     • Can we build models of normal vs abnormal behaviors for devices and apps, and enforce them?
  17. How is IoT Security Different? 2. Scalability
     • Billions of devices will need to be secured
       – Gartner estimates 20B devices by 2020
     • Scale transforms easy into hard
       – Ex. Unique passwords for dozens of devices?
       – Ex. Security policies, with each device having a different user interface (most not having a display and keyboard)?
       – Ex. Physically locking down dozens of devices?
       – Ex. Installing software updates
     • What kinds of network protocols, APIs, and middleware can help manage IoT devices at scale?
  18. How is IoT Security Different? 2. Scalability
     • Scalability also enables new classes of attacks
     http://shodan.io
  19. How is IoT Security Different? 2. Scalability
     • Possible for attackers to search for and exploit vulnerabilities at scale
       – Ex. Mirai botnet DDoS attack, Oct 2016
     • Nightmare scenarios
       – Find vulnerabilities in smartphone-connected blood glucose monitors, inject fake data
       – Find vulnerable medical implants, hold people hostage
     • Again, some kind of model or policy
       – Maybe a formal model, maybe big data
     • Better ways of using proximity for access?
  20. How is IoT Security Different? 3. Diversity of IoT Devices
     • Hundreds of different manufacturers for the middle and bottom tiers
       – Different operating systems, wireless networking, configuration software, log formats, cloud services
       – Poor or no I/O capabilities, and each UI is different too
     • Result: fragmentation of cybersecurity
       – More network-based (vs endpoint) approaches
     • Again, network protocols, APIs, and middleware to help configure and manage
     • Can we also help people make good decisions?
       – Ex. Crowdsourcing or AI / Machine Learning
  21. How is IoT Security Different? 4. Low Manufacturer Experience
     • Most traditional software companies understand the basics of good cybersecurity
     • But most IoT will be developed by non-traditional hardware companies
       – Mostly middle and bottom tier
       – Ex. Lighting, toys, medical equipment, audio, household appliances
     • And lots of small-scale manufacturers too
       – Ex. Kickstarter
  22. 106 Projects at Kickstarter for “iot”
  23. 327 Projects at Kickstarter for “sensor”
  24. 605 Projects at Kickstarter for “wireless”
  25. How is IoT Security Different? 4. Low Manufacturer Experience
     • Low experience + lots of small manufacturers
     • Result: Lots of really basic vulnerabilities
       – Poor software engineering practices for security
       – Lack of awareness, knowledge, and motivation to be secure
     • Result: Lots of unsupported devices
       – Small manufacturers will go out of business
       – Or end of life from bigger manufacturers
     • How can we help devs with low experience?
     • How can we offer security for a lifespan of decades?
  26. How is IoT Security Different? 5. Lots of Unexpected Emergent Behaviors
  27. How is IoT Security Different? 5. Lots of Unexpected Emergent Behaviors
     • Are there better ways of testing / simulating?
     • Can we define overall properties for connected systems?
  28. Why Does IoT Privacy Matter?
  29. Why Does IoT Privacy Matter?
  30. Why Does IoT Privacy Matter?
     • Pew Internet study about smartphones (2012)
       – 54% did not install an app because of how much personal information the app requested
       – 30% uninstalled an app after learning about the app’s behaviors
     • Countless news articles, blog posts, op-ed pieces, and books about privacy concerns
     Privacy may be the greatest barrier to creating a ubiquitously connected world
  31. Taxonomy of IoT Privacy: Device Perspective
     • Awareness of devices/apps and sensors/logs
     • Depth of sensing – How rich the sensing and user models are
     • Temporal scale
     • Input/Output capabilities
     • Privacy software
     • Third-party software – Whether other apps can be run on the device
  32. IoT Privacy Issues
     Top Tier Privacy
     • High awareness of devices
     • Rich depth in sensing
     • High temporal scale
     • Rich I/O
     • Lots of third-party apps (the major privacy problem)
  33. IoT Privacy Issues
     Top Tier Privacy
     • High awareness of devices
     • Rich depth in sensing
     • High temporal scale
     • Rich I/O
     • Lots of third-party apps (the major privacy problem)
     Middle Tier Privacy
     • Hybrid of the other tiers
     Bottom Tier Privacy
     • Low awareness of devices + apps
     • Shallow to rich sensing
     • Low to high temporal scale
     • Poor I/O
     • Few if any third-party apps
     • Scale (the major privacy problem)
  34. IoT Privacy Awareness
  35. How Can We Make Invisible Information Flows Visible?
     • For the top tier, people will be pretty aware of devices
       – Stylish form factors meant to get attention
     • The main privacy challenge for the top tier is understanding what your apps are doing
       – This is a hard problem, but one we are starting to figure out for smartphones
  36. What Are Your Apps Really Doing?
     • Shares your location, gender, unique phone ID, and phone # with advertisers
     • Uploads your entire contact list to their server (including phone #s)
  37. Many Smartphone Apps Have “Unusual” Permissions
     (three example apps; the app icons were not captured)
     • Location Data, Unique device ID
     • Location Data, Network Access, Unique device ID
     • Location Data, Microphone, Unique device ID
  38. PrivacyGrade.org
     • Improve transparency
     • Assign privacy grades to all 1M+ Android apps
  39. Privacy as Expectations
     Use crowdsourcing to compare what people expect an app to do vs what an app actually does
     • We crowdsourced expectations of 837 apps
       – Ex. “How comfortable are you with Drag Racing using your location for ads?”
     • Created a model to predict people’s likely privacy concerns and applied it to 1M Android apps
     (Diagram: App Behavior, what an app actually does, vs User Expectations, what people think the app does)
  40. How PrivacyGrade Works
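An added example, not PrivacyGrade's own model, sketching the idea behind slides 39, 40 and 55: crowd comfort ratings are collected per (data type, purpose) pair, the behaviors found in an app by analysis are looked up against them, and the least-expected behavior decides the grade. The rating scale, the thresholds, and the sample apps and ratings are constructed assumptions.

```python
from statistics import mean

# Constructed crowd comfort ratings on a -2 (very uncomfortable) .. +2 (very comfortable)
# scale, keyed by (data type, purpose). These are assumptions, not PrivacyGrade's data.
CROWD_RATINGS = {
    ("location", "maps"):        [2, 2, 1, 2, 1],
    ("location", "advertising"): [-2, -1, -2, -1, -2],
    ("contacts", "social"):      [1, 0, 1, 1, 0],
    ("contacts", "advertising"): [-2, -2, -2, -1, -2],
    ("device_id", "analytics"):  [0, -1, 0, 0, -1],
}


def expected_comfort(data, purpose):
    """Mean crowd comfort for one behavior; a behavior nobody was asked about
    gets the worst score (an assumption: unknown purposes are treated as surprising)."""
    ratings = CROWD_RATINGS.get((data, purpose))
    return mean(ratings) if ratings else -2.0


def app_score(behaviors):
    """Score an app by its single least-expected behavior (a 'surprise' model,
    an assumption of this example). `behaviors` is the list of (data, purpose)
    pairs that static/dynamic analysis found in the app."""
    if not behaviors:
        return 2.0  # the app touches no sensitive data at all
    return min(expected_comfort(data, purpose) for data, purpose in behaviors)


def letter_grade(score):
    """Map a comfort score to a letter grade; the cut-offs are constructed."""
    if score >= 1.0:
        return "A"
    if score >= 0.0:
        return "B"
    if score >= -1.0:
        return "C"
    return "D"


def grade_app(behaviors):
    return letter_grade(app_score(behaviors))


if __name__ == "__main__":
    # Constructed sample apps; names and behaviors are hypothetical.
    sample_apps = {
        "MapApp":     [("location", "maps")],
        "RacingGame": [("location", "advertising"), ("device_id", "analytics")],
        "Messenger":  [("contacts", "social")],
        "Notepad":    [("device_id", "analytics")],
    }
    for name, behaviors in sample_apps.items():
        print(f"{name}: {grade_app(behaviors)}")
```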
  41. Impact of this Research
     • Lots of popular press (NYTimes, CNN, BBC, CBS)
     • Earlier work helped lead to FTC fines
     • Google replicated PrivacyGrade internally
     • Seen improvements in grades over time
     • Some developers put out press releases about improving their privacy behaviors
     • Static analysis, dynamic analysis, crowd analysis
       – To address subjective aspects of privacy
     • Privacy today places the burden on end-users
       – How can we help other parts of the ecosystem do better?
  42. How Can We Make Invisible Information Flows Visible?
     • For bottom-tier devices, the devices themselves are non-obvious
     • CMU Giotto IoT Expedition Supersensors
       – Air temp, humidity, pressure, 6-axis IMU, grid eye, …
     • How to increase awareness of devices like this?
  43. Signifiers.io
     • Project by some of our Master’s of HCI students
  44. Signifiers.io: Amazon Alexa and Google Home (Voice)
  45. Signifiers.io: Smart TVs Sensing Video and Audio
  46. Signifiers.io: Webcams Sensing Video and Audio
  47. Long-Term Privacy and Security Issues 1. Designing For Awareness
     • What are the tradeoffs in notification styles?
       – Audio, visual, motion, haptic, smartphone
     • Can we create new conventions?
       – Ex. Like light switches near doorways
     • Cost-benefit models of notifications?
       – Getting lots of notifications is distracting
       – Getting uninteresting notifications is annoying
       – Ex. First time, sensitivity of data, identifiability
     • Can we make it so a person can understand what data is being sensed in a room within 30 seconds?
  48. Long-Term Privacy and Security Issues 2. Facilitating Privacy and Security on Low-End Devices
     • What kinds of middleware infrastructure can we build to help with basic privacy and security?
       – Offer common middleware services to simplify design and deployment of the middle and bottom tiers
       – Ex. Access control, filtering, and software updates
       – Ex. What sensors a device has, what data it collects, what servers it connects to, how concerning that is
  49. Long-Term Privacy and Security Issues 3. Useful Defaults for Sharing
     • Let’s say we have a person locator for a campus
       – If the default is “share nothing”, it is underutilized and has no value
       – If the default is “share everything”, it is too creepy
     • Can we figure out useful defaults that balance utility with privacy?
       – Ex. “On campus” or “not”
       – Ex. “In office” or “not”
       – Ex. {“office”, “on campus”, $city}
  50. Long-Term Privacy and Security Issues 4. Using Big Data for Privacy
     • Paradox: use more data to improve privacy?
     • Use data to infer relationships and set defaults
       – Ex. People are more likely to share data with close friends and family
         • Use contact list, call log, SMS log, co-location, etc.
       – Ex. Employees are more likely to share data with close teammates
         • Use floorplan, WiFi co-location, co-authorship, etc.
     Wiese, J. et al. Are you close with me? Are you nearby? Investigating social groups, closeness, and willingness to share. Ubicomp 2011.
     Cranshaw, J. et al. Bridging the Gap Between Physical Location and Online Social Networks. Ubicomp 2010.
  51. (speaker placeholder slide)
     • Insert graph here
     • Describe entropy
  52. Higher Place Entropy -> More Comfort
     Toch et al. Empirical Models of Privacy in Location Sharing. Ubicomp 2010.
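An added example, not code from the talk or the cited papers, tying slide 52 to slide 49: place entropy is the Shannon entropy of the distribution of users who visit a place, so a place visited by many different people scores high and one visited mostly by a single person scores low. The example then uses that value to pick a default sharing granularity in the spirit of the {“office”, “on campus”, $city} defaults; the check-in log, the thresholds and the granularity labels are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed check-in log of (user, place) pairs; not data from the cited studies.
CHECKINS = [
    ("alice", "alice_home"), ("alice", "alice_home"), ("alice", "alice_home"),
    ("alice", "alice_home"), ("bob", "alice_home"),
    ("alice", "cafe"), ("bob", "cafe"), ("carol", "cafe"), ("dave", "cafe"), ("erin", "cafe"),
    ("alice", "lab"), ("alice", "lab"), ("bob", "lab"), ("carol", "lab"),
]


def place_entropy(checkins):
    """Shannon entropy (bits) of the per-place distribution of visiting users.
    H(place) = -sum_u p_u * log2(p_u), where p_u is the fraction of check-ins
    at the place made by user u. Returns {place: entropy_bits}."""
    per_place = defaultdict(Counter)
    for user, place in checkins:
        per_place[place][user] += 1
    result = {}
    for place, counts in per_place.items():
        total = sum(counts.values())
        result[place] = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return result


def default_disclosure(entropy_bits):
    """Default granularity for a place, coarse to fine. Low-entropy places are
    effectively private (someone's home), so the default hides the exact place;
    high-entropy places are public, so the exact place is a comfortable default.
    The two cut-offs (1.0 and 2.0 bits) are constructed assumptions."""
    if entropy_bits < 1.0:
        return "city"
    if entropy_bits < 2.0:
        return "on campus"
    return "exact place"


def defaults_for(checkins):
    """Map every place seen in the log to its default disclosure level."""
    return {place: default_disclosure(h) for place, h in place_entropy(checkins).items()}


if __name__ == "__main__":
    for place, h in sorted(place_entropy(CHECKINS).items()):
        print(f"{place:11s} entropy={h:.3f} bits  default={default_disclosure(h)}")
```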
  53. Two Research Projects at Carnegie Mellon University
     • Giotto IoT Expedition
     • IoT Hub for Homes
  54. Giotto IoT Stack
     • Define an open hardware and software stack for the IoT ecology
     • Extensible and integrated
     • Pluggable modules
     • Security & privacy sensitive
     • Integrated machine learning
     • End-user programmable
     • Widely deployable
     • Enhance human-human, human-system, and human-environment interaction
  55. Giotto Privacy: Privacy at the Physical, Logical, and App layers
     • Better programming abstractions
       – Ex. “home” vs raw GPS, “loud” vs raw microphone
       – Make it easier for devs, with privacy as a side effect
     • Devs specify purposes in apps and we verify them
       – Ex. “Uses contacts for advertising”
       – Ex. “Uses location for maps”
       – Use static, dynamic, and crowd analysis
     • How do people’s privacy concerns vary?
       – By kind of data, granularity, who is seeing it, purpose
     • Useful defaults to balance privacy and utility
  56. IoT Hub
     • Open source hub device for connecting devices
       – Ex. Battery life of devices, connect devices together
       – Ex. Check for patches, filtering (default passwords), Manufacturer Usage Descriptions, proximity
       – Ex. Centralize telemetry and learn patterns
     • How should devices be structured?
       – Metadata: URL for software updates
       – APIs: authentication
     (Diagram: IoT appliances <-> IoT Hub <-> Internet)
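An added example, not the CMU IoT Hub's code, showing how a hub could use the per-device metadata slide 56 lists: a simplified descriptor (a stand-in for a Manufacturer Usage Description, not the IETF MUD format) records the update URL, the servers the device is allowed to talk to and its factory credentials; the hub filters egress against it, audits a device for factory credentials and stale firmware, and keeps denied-connection counts as crude telemetry. Device models, hostnames, versions and credentials are constructed placeholders.

```python
from collections import Counter, namedtuple

# Constructed, simplified per-device descriptor; a stand-in for the hub metadata on the
# slide (update URL, allowed servers, factory credentials), not the IETF MUD format.
Descriptor = namedtuple("Descriptor", "model update_url allowed_hosts latest_firmware factory_creds")

DESCRIPTORS = {
    "bulb-x1": Descriptor("bulb-x1", "https://updates.example-vendor.invalid/bulb-x1",
                          {"cloud.example-vendor.invalid", "ntp.example.invalid"},
                          "1.4.2", {("admin", "admin")}),
    "cam-z9": Descriptor("cam-z9", "https://updates.example-cam.invalid/cam-z9",
                         {"stream.example-cam.invalid"},
                         "3.0.0", {("root", "FACTORY_DEFAULT")}),
}


def parse_version(v):
    """'1.4.2' -> (1, 4, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


class Hub:
    """Minimal hub policy engine: filter egress against the descriptor's allowed hosts,
    flag factory credentials and stale firmware, and count denied connections per
    device as a crude form of the centralized telemetry the slide mentions."""

    def __init__(self, descriptors):
        self.descriptors = descriptors
        self.denied = Counter()

    def filter_connection(self, model, dest_host):
        """Allow only destinations the descriptor lists; count everything else."""
        d = self.descriptors[model]
        if dest_host in d.allowed_hosts:
            return "allow"
        self.denied[model] += 1
        return "deny"

    def audit(self, model, firmware, credentials):
        """Findings for one device: factory credentials still set, or firmware behind latest."""
        d = self.descriptors[model]
        findings = []
        if credentials in d.factory_creds:
            findings.append("factory default credentials still in use")
        if parse_version(firmware) < parse_version(d.latest_firmware):
            findings.append(f"firmware {firmware} behind {d.latest_firmware}; patch from {d.update_url}")
        return findings

    def anomalous(self, model, threshold=3):
        """Crude learned pattern: more than `threshold` denied egress attempts is flagged."""
        return self.denied[model] > threshold


if __name__ == "__main__":
    hub = Hub(DESCRIPTORS)
    print(hub.filter_connection("bulb-x1", "cloud.example-vendor.invalid"))
    print(hub.filter_connection("bulb-x1", "unknown-host.invalid"))
    print(hub.audit("cam-z9", "2.9.0", ("root", "FACTORY_DEFAULT")))
```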
  57. What is the Value of IoT?
     • Security, privacy, and management costs quickly outweigh the value of IoT devices
     (Graph: Value vs. Number of Devices, showing today’s IoT trajectory)
  58. What is the Value of IoT?
     • Can we make it so that value is linear or even superlinear with devices and services?
     (Graph: Value vs. Number of Devices, showing today’s IoT trajectory and the desired IoT trajectory)
  59. What Can Intel Do?
     • Consider more human factors and social factors
       – Chips, sensors, software dev, data mgt
       – Policies, UI + understandability, social influences
     • Better ways of supporting devs
       – Most devs have no knowledge of privacy + security
  60. What Can Intel Do?
     • Consider more human factors and social factors
       – Chips, sensors, software dev, data mgt
       – Policies, UI + understandability, social influences
     • Better ways of supporting devs
       – Most devs have no knowledge of privacy + security
     • Support better privacy and security education
       – Need a strong push from industry to make it happen
       – Go beyond just CompSci too (psych, design, biz)
     • Join our Giotto Expedition (open source)
     • Consider an ISTC on Privacy or on IoT
       – Make a big push in cooperation with academia
  61. (image only)
  62. How can we create a connected world we would all want to live in?
  63. Thanks! More info at cmuchimps.org or email jasonh@cs.cmu.edu
     Read more:
     • Towards a Safe and Secure Internet of Things: https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/
     Special thanks to:
     • NSF
     • Alfred P. Sloan
     • NQ Mobile
     • DARPA
     • Google
     • CMU Cylab
     • New America
  64. (image only)
  65. IoT offers Tremendous Societal Benefits
     • Healthcare
     • Transportation
     • Sustainability
     • Education
     • Energy
     • More…
  66. What Can We Do About IoT Security?
     • Better cybersecurity education
     • Better collections of best practices
     • More data sharing
     • Cybersecurity insurance
     • Better legal protections
     • Larger centers for IoT privacy and security
     https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/
  67. What Can We Do About IoT Security? Policy Perspective: Better Cybersecurity Education
     • About half of developers don’t have CS degrees
     • Can we make security education required in CS?
     • Can we also expand cybersecurity education?
       – Ex. Psychology students learn about social engineering
       – Ex. Visual design students learn about warnings + compliance
  68. What Can We Do About IoT Security? Policy Perspective: Better Collections of Best Practices
  69. What Can We Do About IoT Security? Policy Perspective: Better Collections of Best Practices
     • We need to go beyond high-level guidelines
     • What we still need
       – Better code examples (lots of copy-and-paste)
       – Better toolchains and stacks
       – Better automated analysis tools
       – Simpler ways of distributing patches
       – Collections of design patterns
     • Lots of opportunities for big companies
       – Most breaches are relatively simple
       – Addressing basic issues means lots of positive impact
  70. What Can We Do About IoT Security? Policy Perspective: More Data Sharing
     • Many major data breaches in the past few years
       – Sony, RSA, LinkedIn, Yahoo, Target, OPM, and more
     • But we have learned very little; there is no real data
       – These are our version of the Tacoma Narrows bridge
  71. What Can We Do About IoT Security? Policy Perspective: More Data Sharing
     • We need organizations that can:
       – Help investigate the coming IoT failures
       – Disseminate knowledge to help prevent future failures in design and implementation
       – While also minimizing blame
     • Lots of challenges
       – Lots of proprietary information involved in failures
       – Who will fund this?
  72. What Can We Do About IoT Security? Policy Perspective: Better Legal Protections
     • DMCA limits what researchers can do because of its anti-circumvention provisions
       – Need to get permission from manufacturers
       – Exceptions:
         • Consumer devices, motorized land vehicles, medical devices
         • But slow, triennial reviews from the Library of Congress
       – And consumer devices are only one part of IoT
  73. IoT Privacy Issues: Input/Output
     • Same challenge as for security
       – Top-tier devices will have really good I/O capabilities
       – Bottom-tier devices will not have a mouse, keyboard, or display
       – Scalability makes everything harder
     • Can we develop network protocols and APIs to help configure and manage devices and apps?
     • Can we also help people make good decisions?
       – Ex. Crowdsourcing or AI / Machine Learning
  74. Prognosis for IoT Privacy and Security?
