1. The document discusses the convergence of the physical and digital worlds through sensors, cloud computing, and machine-to-machine communication.
2. It notes security challenges like ransomware infecting smart devices and the need to design security into connected systems from the start.
3. The author advocates approaches like decentralization, trustworthy distribution, immutability, and public verification to build security and privacy into Internet of Things technologies from the early stages.
2. http://AbhinavBiswas.github.io@Abhinav_BIswas
Electronics Corporation of India Limited
A Govt. of India (Dept. of Atomic Energy) Enterprise
Security Leader of the Year Award - 2016
by DSCI, NASSCOM
Playing with Dark-Side of IOT
NCSS Summit, 2017
IBM Blue Scholar, 2012CISCO Certified CyberOps,
EHCE by US-Council
& more…
Cybernetic modeling of ICS
IEEE Journal, 2015
Top 100 InfoSec Maestros 2016,
DynamicCISO Security Excellence
Awards etc.
15. “Hey Siri, What is Ransomeware?”
A type of malware designed to block access to a computer system until a
sum of money is paid.
Smart PacemakersSmart Thermostats
28. We tend to Over-estimate the effect of a technology in the short run
and Under-estimate the effect in the long run.
- Amara’s Law
29.
30. “It ain't what you don't know that gets you into trouble.
It's what you know for sure that just ain't so.”
AbhinavBiswas@ecil.gov.in
@Abhinav_BIswas
Editor's Notes
A very good morning to all of you Gentlemen.
It’s a great pleasure and delight to be here at EFY Conference this morning.
There’s a lot of energy, lot of vibrance and a lot of dynamism here.
First of all I would like to thank the whole EFY team for inviting me here & giving me this platform to share my views on the Dark-Side of IOT with a specific focus on Security & Privacy Challenges.
So, Before I begin…
I am Abhinav Biswas, Currently, working in a Public Sector Enterprise, called the Electronics Corporation of India limited (ECIL), under Department of Atomic Energy (DAE), Government of India.
Talking about ECIL we make strategic electronic products for the Indian Defense & Nuclear establishments. We have our own indigenously made routers, mass encryptors, missile fuzes, the famous EVMs etc. Recently we celebrated our Golden Jubilee year.
I myself have been specialising in diverse security areas like private TOR networks, Security of Industrial Control Systems (ICS) & IOT, Virtualization & Hardware security, Cloud & Enterprise Network Security etc.
I have been a recipient of the prestigious ‘Security Leader of the Year Award - 2016’ by Data Security Council of India (DSCI), and have won other national accolades like Top 100 InfoSec Maestros, Dynamic CISO Security Excellence Awards etc. I also posses a couple of Certifications. I can be reached on this Twitter handle.
So, without further adieu, lets begin..
With the advent of IOT, we are drifting into an era of smart things.
We started with smart phones, smart watches…then moving on to smart TVs, smart refrigerators, smart bulbs, smart electric meters, and combining them all together we have smart home.
We are also talking about smart traffic management, smart car parking, smart retail, smart healthcare, smart energy, smart industries and finally we are building a smart planet I suppose....
But why is every ‘thing’ getting smarter? Is it just a marketing gimmick for publicity of existing products. Or the things are really getting smarter.
If yes, what is making things smart…
Is it because of some small things which are getting smaller and smaller.
The sensors
We now have accelerometers, gyroscopes, proximity sensors, humidity sensors, gps location sensors
in the size range of millimeters.
Your typical smartphone itself has about 10 sensors on an average.
So, Is this proliferation of small small sensors is what making things smart.
Or is it because of these big things, the servers, the cloud..
Computing is becoming incredibly powerful day by day….and its growing exponentially - Moore’s law.
With more capacity, more performance, more capability and more change in the next 10 years than the last 50.
Big Data Analytics, Machine Learning, Deep Learning, Artificial Intelligence (AI), Predictive & Prescriptive Intelligence all are possible because of these big machines.
So can we say The Cloud is making everything smart.
Or it is because of the rise of M2M
IOT devices are getting ubiquitously connected…50 billion devices connected by 2020 as per Gartner.
Devices can talk to each other without human intervention even. And can take decision themselves.
Gone are the days when you would use an app on ur phone to order milk from a grocery store.
Smart refrigerators have automatd this. It can sense the unavailability of milk n order by itself.
So is M2M & Connectivity making things smart.
I believe it’s the combination of all three.
These are the 3 things which is making every thing smart.
When we combine these 3 we get the power of innovating interesting IOT systems, applications and services.
Let it be the wearables, the implantables, the injectables…every smart thing is leveraging these 3 technologies.
And if we give a closer look, all smart things are doing this.
They are enabling us to bridge the gap btwn the physical world where we all live in and the digital world where we get the power of data-driven decisions.
The tiny computers of physical world, the sensors are getting connected to these massive computers that exist in the digital world, call it the cloud, hpc watever.
Where we can optimise at the pace of moore’s law.
They are connected in ways that allows the physical to become digital.
To sample the world, to turn it into something that those massive big computers can ingest
And then in return we are able to take the digital and make it physical
And when digital things become physical, digital threats also become physical threats. And that’s where smart things can go bad n reveal the dark side.
Consider this car by Chrysler…The Jeep Cherokee
An awesome SUV with smart features like hands-free voice command control for dashboard funtions, smart infotainment system with capabilities of integration with your icloud & google drive.
You can easily create a wifi hotspot using 4G LTE module embedded into the car.
So a pretty nice car with cool smart features…bt it was hacked. It was demonstated in Blackhat Conf a couple of years back.
These guys Reverse Engineered Car Firmware & Communications Protocol,
And took over Dashboard functions, Steering, Transmission and Brakes
They Remotely controlled the car & showed how they can crash the car without the knowledge of the driver.
This is World’s First Interactive Doll by a company called Mattel.
It uses Uses Voice Recognition technology & Progressive Machine Learning to Play interactive games & tells jokes to your kid, read a book & do language translations.
It can also tailor conversations based on history.
Note intelligence is not put into the doll….it’s connected to those massive computers of digital world.
This seems a very interesting proposition in terms of IOT.
But, this was hacked.
The doll failed to validate SSL Certificates and hence the hacker quite cunningly crafted a MITM Attack to get control over the doll.
He got access to the all audio files recorded by the doll. He could penetrate into the home wifi network and was able to sniff user credentials for regular internet traffic.
But is this the only threat.
Just imagine, what can happen if this doll teaches offensive things to your kid.
What if someone is eavesdropping on our children without our knowledge.
Now, Eavesdropping can also happen through other smart devices.. Like smart TVs..
Smart TVs are coming with intuitive voice command & control these days.. We are becoming lazy enough to even use the wireless remote.
What if that same microphone in the TV can be used to listen to the private communications in your bed room.
Smart TVs have also been reported to be hacked & infected by malware for automated Ad Clicks and cryptocurrency mining.
About 10% of the World’s Population suffer from Diabetes and India being the Diabetic capital of the world around 70 million people suffer from diabetes in India itself.
This device is a wonder for them. There’s a small glucose sensor, which detects the blood sugar level in near real-time and sends the data to the pump which decides the right dose of insulin to be injected. The sensor communicates with the electronic pump using infrared waves. Also it can connect to home Wi-Fi netwok and send you updates on the mobile app.
But even these were reported to be hacked.
Milli Meter Square MM2 from university of Michigan
Fully autonomous computing system… Smaller than the size of a grain of rice. Less than a half a centimeter
Small computers have sensors, a processor and a radio in it to transmit data.
Solar cells power the battery with ambient light
Sensing temperature, pressure, and taking images.
Collective Swarm…Fog Computing – Micro Cloud....Putting it into soil for smart Agricultures..
Lot of interesting prposition in terems of IOT at essentialy zero cost.
But dark side..
These device have no security built-in. All collected sensor data is published in open air using radio waves. Don’t even think of WPA2 encryption at milimetere level.
Now, We are not able to secure one Iot device...Imagine how difficult it would be to secure a cluster of these small small devices.
Ransomeware have been quite popular in the Cyber Security Space since past few years where the hacker will put a malware in your system that will encrypt you hard disk and will prevent u to access ur data until u pay a ransom...
Ransomeware has also started penetrating into the IOT sector.
Take the case of Nest Thermostats, the home owner went for a vacation and got a message that his room temperature has been increased to 100^C. His room is going to burn soon. To unlock the thermostat please pay xyz bitcoins.
Now, just predict…How much do you think someone would pay to remove ransomware from a pacemaker? The scenario is not too far-fetched; in fact, it is much more deadly.
Of course, anyone launching an IoT ransomware attack will need to consider just *how* they will inform the device’s owner of their financial demands. That’s obvious on a laptop, but presents more of a challenge on a pacemaker unless the attacker has also managed to determine, say, their victim’s email address.
And, I believe the days have come where one would not come out of surprise if he sees this on his iPhone…
And also, it’s time to WannaCry with our Smart TVs…
If you remember WannaCry was the largest Ransomware attack last year to hit Windows Operating Systems.
DOS is one more problem in IOT.
Imagine one fine morning you are ready to go to office, you start your car & you see this.
There’s a critical firmware update for your Tesla Dashboard system, plz don’t drive up to 45 minutes.
May be nothing.
May be the hacker gets to know how many eggs u have, or how much milk u drink.
Or simply gets to know that are not home.
But think it like this, what if one day the Police comes knocking at ur door telling that ur fridge is being used for sending threatening emails to the Prime Minister’s Office.
We all know about bots & botnets…what if the attacker turns ur fridge into a bot to do DDOS Attacks on other networks.
So, A compromised fridge is not just the problem, the use of these devices for carrying out a massive DDOS attack is a much bigger problem.
Companies like Twitter, Netflix have already been attacked with these. Remember the famous Mirai Botnet of 2016, which took down millions of Security cameras to DDOS the DNS Servers of these big companies.
Now why is all this happening….can’t we make these smart devices smart enough to be secure. What is stopping us to make IOT Secure. It’s the Resource Constraints.
Any typical IOT deployment would look like this.
Sensors in field,
Aggregators & gateways in premise
Then IoT data platform which can be both in-premise or in cloud.
& finally the Analytics platform in cloud…
But as we move from the cloud to the fog to the field...the first iot security challenge we face is the resource contraint problem...
And by resources i mean, limited CPU, limited memory in KBs, limited power, etc. And because of that,
Implementing Crytographic encryption..Impmenting AV on field devices is a big challenge.
Like implementing a light encryption scheme on a pacemaker could decrease its battery life from about a decade to as little as a few years because the device is not designed to sustain those operations. The more resource intensive the encryption, the more dire the situation.
The 2nd IOT Security Challenge the rapidly expanding IOT Attack Surface, The STRIDE Threat Vectors
Attacks are getting innovatve day by day, bt they can be classified amon these 6 buckets.
S - Hoc can we kno we are talking to the right device. PKI, In EVMs.
T – Data is not tampered before it is sent to the aggregator or the cloud. Re calibrated by replacing with firmware.
R - No logs are stored. How can we verify later if something malicious is done from some device. Cyber forensics on IoT
I – Data Sent through radio waves without encryption..who know’s whos collecting this data.
D – IOT is all about The right data at the right time.
E – Target Hack - Forward facing from internet only
Security is not the only challenge in IOT. Privacy & Anonymity concerns are much more scary.
There’s a very subtle difference between Privacy & Anonymity.
The sensors of the digital world are fuelled with our data…personal data..PII..Personally identifiable information. Data being the new Oil of 21st century.
Our purchasing patterns, browsing patterns, driving habits, eating habits, health indicators like heartbeat, blood pressure, places we visit, social data, friends, contacts, every data is being collected by these Smart devices
And they are sent here. To these huge server farms of the digital world right. But have you ever asked yourself what is it we are farming in these server farms. Because if you do you will quickly reach to conclusion that it’s us. That we are the product that the data crunching companies like Google, Facebook etc. sell to their customers.
And there’s a lack of transparency between data being collected n what it is being used for.
You want the smart refrigerator to sense you are out of butter n hence remind you to pick more up when u r in a grocery store but you don’t want it to tell this to our health insurance company…you want your house to sense when you are home so it can turn on/of the lights n play our favourite music but you don’t want it to tell other people when you come n when you go.
So We are drifting into an era ubiquitous surveillance where anonymity may help resolve some of the privacy challenges. You may think what about TOR in embedded IOT.
But is TOR network trustworthy. After the revealations of Edward Snowden can we trust on anything. Even Hacking Team the Italian startup got hacked. Lot of their zero day exploits were targeted on field devices of Industrial Control Systems…The famous Apple vs FBI case…whom can we trust. We can’t even trust hardware.. You see apple devices.. Designed in California, Made in China & sold in india…who knows hardware trojans are not embedded at fpga level.
For instance, at ECIL while testing one of the defence routers at our Hardware Sanitization Lab, we found that the router was emitting the root password through the LED bulbs of the Ethernet ports. You can simply take a Photo-Opto reader and capture the blinking pattern to get the root password.
Such Side-Channel Attacks & Hardware trojans are amazing and very difficult to detect. At ECIL, we really believe that this is the next big challenge to solve.
Can’t we make smart devices smart enough to be secure.
We need to understand, that there’s no silver bullet that can effectively mitigate all IOT threats.
We can’t apply Security by Obscurity principles in IOT. We can’t say our IOT product is secure because it uses propreitary protocols, indigenous hardware or air-gapped networks. We need to think security by design.
And security can not be an afterthought. It has to considered & implemented in all of theses stages.
Lot of research is going on in various parts of the world regarding.
How to bootstrap trust and security, from the very basic Design stage.
Powerful Systems on a Chip (SOC) with embedding hardware security support l Elliptic Curve Cryptography with reduced computational demands
Also,
We need to implement new design topologies to adrress the privacy challenges...Decentralisation...
We need to implement technologies like Blockchain so that we can have IOT systems which are Distributed, Immutable, Trust-worthy & Publically verifiable.
In this era of Idustry 4.0, we are unknowingly & inherently getting attached to a Hyperconnected Global SensorNet. And this amazing disruptive change is very different from any other technological megatrendz. Coz in this era an active adversary is always trying to change and create value out of what we do. So, if we want to make IOT a success we need to be smarter than our smart devices. And awareness is the key to this.
Next, We need to understand the delicate balance of speed to market and the appropriate level of security.
We should atleast pick two.
One more thing I would like to highlight here is:
To Address IOT threats, IOT Business Model has to change…Earlier we used to build product, ship them and forget about them until we had to service them, but now in the world of IOT we have to ship and remember. Remember where are our devices and wat they doing that they shouldn’t.
Regular firmware updates like in laptops n smart phones. OTA vs Recall back to factory for patching
I believe in Amara’s law,
We tend to Overstimate technology in the short run and Understimate the impact of it on the long run.
We never estimated that Facebook can show these lights on the global map.
We have entered into an era of assumption which is starting to drive n change what we see. The assumption is that we are all quiet, unprepared and actually with absolutely due respect internally extrernally the reason we are all here is we don't have the answers n we don't understand all of the implications of this amazing world that is about to take place.
And before I conclude, One last thing...
I want to show you a video of where we are heading.
Stay tuned..
With that I would like to conclude my presentation…Thank you all.
And if I’m not running out of time…I can take some questions from the audience.