
Privacy and Security in the Internet of Things / Конфиденциальность и безопасность в Интернете вещей


Speaker: Jeff Katz

According to Cisco's forecast, 25 billion devices will be connected to the internet this year, and by 2020 that number will double. When planning an Internet of Things (IoT) solution, you should bear in mind that one fine day the FSB will come knocking at your door. User security has to be thought through in advance, not postponed until later. The speaker will explain how to take advantage of IoT products without infringing on your customers' personal rights. The talk is accompanied by examples of services in which privacy and security were ensured from the start of development.

Published in: Technology


  1. Jeff Katz, VP Technology, KIWI.KI GmbH @kraln PRIVACY AND SECURITY IN THE IOT
  2. "What would your feelings be, seriously, if your cat or your dog began to talk to you, and to dispute with you in human accents? You would be overwhelmed with horror. I am sure of it. And if the roses in your garden sang a weird song, you would go mad. And suppose the stones in the road began to swell and grow before your eyes, and if the pebble that you noticed at night had shot out stony blossoms in the morning?" Arthur Machen, 1890
  3. Talk Outline. Approximate Length: 50 minutes. Language: English • Audience • Short Bio • Definitions • Common IoT Architectures • Security Topic • Privacy Topic • Conclusion
  4. Audience. Architects and Developers of the IoT: • You’re building a connected device • You’re designing a system for connected devices • You’re evaluating technologies or platforms for your connected devices • You’re buying connected devices. Security Researchers: • You’re interested in evaluating the security of IoT devices and networks
  5. About Me • Background in Hardware, Firmware • 2005: Bypassed Copy Protection in Nintendo DS • 2011: Openbeacon Social • 2012: VP Technology of KIWI • Let’s develop an access control system that considers user’s privacy! • Let’s develop an access control system that isn’t trivial to hack
  6. Definitions. Security: Freedom from risk or danger, doubt or fear, measures adopted to prevent crime, espionage, sabotage, a state of being protected. Privacy: Of or belonging to one person or group, not the wider population or public… the state of being away from other people’s sight or interest. Internet of Things: Connecting everything in order to provide amazing user experiences, security and privacy be damned
  7. Three Common Architectures (diagram labels: Internet – Device; Gateway – Internet – Device; Phone – Device)
  8. Internet Connected Devices • Device is connected directly to the internet, via WiFi or 3G • Less powerful devices have weak microcontrollers, embedded IP stacks • More powerful devices run embedded Linux • Typically consumer devices • Typically connect to cloud services for configuration and management (diagram: Internet – Device)
  9. WSN Connected Devices • Device connects through Wireless Sensor Network to Gateway device, which has internet connection • Gateway device similar profile to “Internet Connected Devices” • Networking stacks provided by embedded controllers • B2C, B2B, and B2G devices • Typically managed by cloud services (diagram: Gateway – Internet – Device)
  10. BTLE “Connected” Devices • Device and Phone speak over BTLE • Phone has Native App • Phone acts as internet connection, when needed • No Networking Stack • Typically consumer devices • Usually no Internet required (diagram: Phone – Device)
  11. Side note: Medical Devices • Fu, Jack, Halperin, et al. • Not “Traditional” IoT, yet…
  12. On Security • Consider your adversary • Government? • Well-funded smart people? (University) • Dedicated Hacker? • Script kiddie? • Defense in depth • Plan for failure • Shortcuts hurt in the long term
  13. SimpliSafe Burglar / Fire Alarm System • Unencrypted Radio Transmission (433 MHz) • No nonces, handshakes, anything… • Five months after vendor notification, no response • February 2016 Advisory Posted • OTP Microcontroller
  14. LiFX • Lightbulbs connected via WiFi and 802.15.4 6LoWPAN Mesh Network • Unprotected firmware read out from microcontroller • AES (Symmetric) Crypto, Key stored in firmware • Same Key on all devices • WiFi password sent via WSN
  15. “Smart Lock” • Damien Cauquil @virtualabs spoke at CCCamp, despite bad behavior vendor not disclosed • BTLE Connected door lock, sold in EU and US • Auth required in app only, protocol unsecured • Can read out logs without authentication • Can replay door unlocking • Can drain battery without credentials
  16. Samsung SmartThings • Hub & App Ecosystem • Flawed OAuth Implementation • Subject to clickjacking and other web security flaws • Privilege Escalation • More on Samsung in a bit…
  17. ZigBee / ZigBee Pro • Wireless protocol used in many IoT Devices • 2004-2007, slightly older standard • Simplicity + Low Cost = Low Security • Locks, Thermostats, HVAC, IIoT • Classic ZigBee uses CCMP, known plaintext issues • OTA Key Delivery—in plaintext • All devices share Key • No replay protection
  18. Optionally Secure. “Поспешишь – людей насмешишь” (Russian proverb: haste makes waste)
  19. Attack Surfaces in the IoT • Hardware / Physical Attack • Firmware / Physical Attack • Wireless Communications • Network Implementations • Services running on Devices • Insider Threats • Mobile • Cloud (axis label: Threat Complexity Scale)
  20. Common failings • Failure to protect against basics: replay attacks, unprotected secrets, bad or non-existent crypto • Failure to include secure firmware update mechanism • Failure to authenticate communications • Failure to protect confidentiality of private communications • Failure to protect secrets in firmware • Failure to consider attack surface of wireless devices
  21. Tools • Signal Monitoring • Injection • Imaging • SDR - $400 • Ubertooth - $120 • ARM Debugger - $70 • Logic Analyzer - $150. Great presentation at RSA by Joe Grand: hardware-hacking-trade
  22. On Privacy • "You have zero privacy anyway. Get over it.” Scott McNealy, Sun Microsystems • "We know where you are. We know where you've been. We can more or less know what you're thinking about;" Eric Schmidt, Google/Alphabet • “No one likes to see a government folder with his name on it.” Stephen King
  23. Security affecting Privacy • Even “Responsible” companies that collect data often fail to secure it • Against data breach • Against government intervention • Against accidental disclosure • The most responsible thing to do with data is not to collect it!
  24. Over-collection. Smart Meter - “I need to measure the power consumption in order to charge an accurate bill” Also measures: • Correlation between power usage and time of day • Knows when you are home • Knows what show you are watching on TV. Smart Thermostat – “I need to know the temperature to regulate your apartment” Also measures: • Humidity, Motion, Light, Weather • Knows when you take a shower • Knows where in your home you are
  25. Samsung TV Agreement "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” "Samsung takes consumer privacy very seriously. In all of our Smart TVs we employ industry-standard security safeguards and practices, including data encryption, to secure consumers' personal information and prevent unauthorized collection or use."
  26. Amazon Echo • Streamed to the cloud • Processed in the cloud • Saved in the cloud
  27. Ethics
  28. Ubiquity, Then • Sign up for service, Ignore T&C • Use service, your data is gathered • Relationship between you and service is clear, even if usage is not • Tracked everywhere you use service • Regulated
  29. Ubiquity, Now • Walk down the street
  30. False Dichotomy • Do we really have to choose?
  31. In Numbers. Cisco Says, By 2019: • nearly 3.9 billion global Internet users (>51% world’s population) • 24 billion networked devices and connections globally • Worth $19 trillion • 10.5 billion M2M Connections • The connected home, including smart appliances, home security and network devices such as printers will make up 50% of M2M Connections
  32. What kind of world are we building?
  33. Jeff Katz, VP Technology, KIWI.KI GmbH @kraln PRIVACY AND SECURITY IN THE IOT
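The "Common failings" slide (20) lists replay attacks, unauthenticated communications and one shared key for every device, the same defects behind the SimpliSafe (13), LiFX (14) and ZigBee (17) slides. The sketch below is an added example, not code from the talk or from KIWI.KI: a device-to-gateway frame with a per-device key derived from a gateway master secret, an HMAC tag over header and payload, and a strictly increasing counter that the gateway enforces. The frame layout, field sizes, key labels and sample values are constructed for the example; it uses only the Python standard library and covers authentication and replay rejection, not confidentiality, which still needs encryption on top.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption for this example, not a real IoT
# protocol): device_id(4) | counter(4, big-endian) | payload | tag(16)
DEVICE_ID_LEN, COUNTER_LEN, TAG_LEN = 4, 4, 16
HEADER_LEN = DEVICE_ID_LEN + COUNTER_LEN

def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    # Per-device key from the gateway's master secret (HMAC-based KDF), so a
    # key read out of one device's firmware does not unlock the whole fleet.
    return hmac.new(master_key, b"device-key|" + device_id, hashlib.sha256).digest()

def build_frame(device_key: bytes, device_id: bytes, counter: int, payload: bytes) -> bytes:
    # Device side: strictly increasing counter plus an HMAC tag over header
    # and payload, so the frame can neither be altered nor re-sent later.
    header = device_id + struct.pack(">I", counter)
    tag = hmac.new(device_key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Gateway:
    # Gateway side: verifies the tag first, then enforces per-device counters.
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_counter = {}  # device_id -> highest counter accepted so far

    def receive(self, frame: bytes):
        # Returns (payload, "ok"), or (None, reason) for a rejected frame.
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None, "malformed"
        device_id = frame[:DEVICE_ID_LEN]
        counter = struct.unpack(">I", frame[DEVICE_ID_LEN:HEADER_LEN])[0]
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key = derive_device_key(self.master_key, device_id)
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"  # forged, tampered, or wrong device key
        if counter <= self.last_counter.get(device_id, -1):
            return None, "replay"   # a captured frame sent again is dropped
        self.last_counter[device_id] = counter
        return body[HEADER_LEN:], "ok"

if __name__ == "__main__":
    master = b"constructed-master-secret"  # constructed sample, not a real key
    dev = b"\x00\x00\x00\x2a"
    gw = Gateway(master)
    frame = build_frame(derive_device_key(master, dev), dev, 1, b"alarm:armed")
    print(gw.receive(frame))  # (b'alarm:armed', 'ok')
    print(gw.receive(frame))  # (None, 'replay')
```

A real deployment also has to persist the counter across device and gateway reboots, otherwise the first frames after a restart are replayable again.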