2. Welcome!
Monika Keerthi
III B.Tech, Information Technology
Sree Vidyanikethan Engineering College
Email: monikakeerthi95@gmail.com
3. What I’m going to say
1. Internet of Things
2. State of the Art of IOT
3. Applications of IOT
4. Internet of Things security is Hard!
5. There are some challenges.
6. There are new threats.
7. There are some new technologies to play with.
8. Future of IOT
4. What is Internet of Things?
IOT means… a place where machines talk to machines
5. Internet of Things
A network of physical objects that can interact with each other to share information and take action.
The term was first proposed by Kevin Ashton in 1999.
The concept of IOT first became popular at the Auto-ID Center, MIT.
IOT is also referred to as Machine to Machine (M2M) technology.
6. The state of the art
Some of it, enabling technologies.
7. Enabling Technologies
• RFID: to identify and track the data of things
• Sensor: to collect and process the data to detect the changes in the physical status of things
• SmartTech: to enhance the power of the network by devolving processing capabilities to different parts of the network
• NanoTech: to make smaller and smaller things have the ability to connect and interact
14. Why is IOT security difficult?
And is there anything we can do about it?
15. Because…
1. Wireless communication
2. Physical insecurity
3. Constrained devices
4. Potentially sensitive data
5. Lack of standards
6. Heterogeneity: weakest link problem
7. A systems, not software problem
8. Classic web / internet threats
9. Identity management & dynamism
10. Inconvenience and cost
17. Threats to IOT systems
Adapted from "Security Considerations in the IP-based Internet of Things" - Garcia-Morchon et al.
http://tools.ietf.org/html/draft-garcia-core-security-05
18. Threats
The physical devices
• Can be stolen
• Can be modified
• Can be replaced
• Can be cloned
The software
• Can be modified (firmware / OS / middleware)
• Can be decompiled to extract credentials
• Can be exhausted (denial of service)
The network
• Eavesdropping
• Man-in-the-middle attacks
• Rerouting traffic
• Theft of bandwidth
19. The Insecurity of Things
Easy way to crack into IOT networks
• Hackers can find the system they want to attack via Shodan, a search engine for SCADA systems and connected devices.
• Then they can target the laptops of staff via phishing emails, to inject malware and take control of the machine that talks to the SCADA system.
• Use XSS (cross-site scripting): infecting a legitimate web page with malicious client-side script.
• Go to portforward.com and look up the default usernames and passwords.
• Possible points of entry for a hacker are through Bluetooth, a cellular network, the monitor and even music files.
25. The Webinos approach
An open source, cross-device, browser-based web platform for running applications on and across multiple devices
26. What does it give you
Open Web Application Platform
Cross Device Communication Protocols
A privacy framework
27. [Diagram: personal zones connected over the Internet. Labels: PZH (Personal Zone Hub), each with a Security Policy; "Hub: zone gateway, 24x7 availability"; "Inter-zone comm"; "peer to peer"; multiple PZPs; "Personal Zone Proxy: simultaneously client and server". Captions: Getting the most out of personal devices; Multi-screen/multi-device apps; “Getting gadgets talking”.]
How it works
Personal zones - Interconnecting devices, apps and resources
• TLS and a device PKI
• Attribute-based access control
• Web identity and authentication
• “Personal zone” model
29. Webinos Security
Central administration and recovery
Device authentication
Identity management
OpenID and web login mechanisms used for identity
Secure communication
Mutually authenticated & encrypted communication
Privacy policies to specify data usage controls
31. Some Important Links
IEEE World Forum
http://sites.ieee.org/wf-iot/
Cisco World Forum
http://blogs.cisco.com/ioe/
http://internetofthings.electronicsforu.com
Google’s IoT Projects
Google Glass: Wearable computer
Waze: An intelligent GPS navigation and traffic management tool
Nest: Smart thermostat and smoke alarm
Open Automotive Alliance (OAA): An Android operating system for automobiles
32. Case study - VeraLite
• VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it.
• It doesn’t require a username and password. Anyone on the local network can access it.
• Even if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn’t have built-in support for authentication.
• If someone has a VeraLite on their home network and they are at home, they can be tricked into visiting a web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP.
• VeraLite’s UPnP functionality allows one to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system.
33. Case study - Stuxnet worm
An infected USB stick is plugged into a system.
It then infects all the Windows machines. A fake digital certificate is used to avoid detection.
A check is made to see if a machine is part of the targeted industrial control system made by Siemens (high-speed centrifuges in Iran).
The worm compromises the target system’s logic controllers, exploiting zero-day vulnerabilities.
The worm collects data on the operations of the targeted system.
This data is then used to take over control of the centrifuges, making them spin endlessly and fail.
At the same time it provides false information to the monitoring systems, so no one suspects anything.
34. My three rules for IoT security
1. Don’t be dumb
The basics of Internet security haven’t gone away
2. Think about what’s different
What are the unique challenges of your device?
3. Do be smart
Use the best practice from the Internet
35. Basic precautions
• Change the default password of the router. Select a password which is not easy to guess.
• Install trusted and well-known anti-virus and anti-spyware software.
• Check your router for any unknown services that are running.
• Avoid downloading strange or suspicious files.
• Update your OS and anti-virus regularly.
• Install all patches as provided by the manufacturer.
• Check security certificates in case of doubt.
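The VeraLite case study and the "unknown services" precaution both depend on knowing which hosts on the home network speak UPnP, since the protocol does no authentication of its own. The following Python code is an added example, not part of the original slides: it parses SSDP datagrams captured on the LAN and reports every UPnP host that is missing from the owner's inventory. The sample datagrams, addresses, device type names and the `EXPECTED_HOSTS` inventory are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: SSDP datagrams as they might be captured on a home LAN.
CAPTURED = [
    "HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n",
    "HTTP/1.1 200 OK\r\nlocation: http://192.168.1.50:49451/desc.xml\r\n"
    "ST: urn:example-org:device:HomeController:1\r\n\r\n",
    "NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n",
    "garbage",
]

# Assumption: the owner's inventory of hosts that are expected to speak UPnP.
EXPECTED_HOSTS = {"192.168.1.1"}


def parse_ssdp(datagram):
    """Return the headers (names lower-cased) of one SSDP datagram, or None."""
    lines = datagram.split("\r\n")
    if "HTTP/1.1" not in lines[0]:
        return None  # not an SSDP response or NOTIFY
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(datagrams, expected_hosts):
    """Return ({unexpected host: [advertised types]}, count of unusable datagrams)."""
    findings, skipped = {}, 0
    for datagram in datagrams:
        headers = parse_ssdp(datagram)
        # LOCATION holds the URL of the device description; its host is the device.
        host = urlsplit(headers.get("location", "")).hostname if headers else None
        if host is None:
            skipped += 1  # malformed, or no LOCATION to attribute it to
            continue
        if host not in expected_hosts:
            kind = headers.get("st") or headers.get("nt") or "unknown"
            findings.setdefault(host, set()).add(kind)
    return {h: sorted(k) for h, k in findings.items()}, skipped


if __name__ == "__main__":
    print(audit(CAPTURED, EXPECTED_HOSTS))
```

Any host this reports should either be added to the inventory deliberately or have UPnP disabled.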
36. Thoughts to leave you with.
Many new technologies and protocols are being developed
IOT requires systems security
37. References
1. Rodrigo Roman, Jianying Zhou, Javier Lopez: "On the features and challenges of security and privacy in distributed internet of things". Institute for Infocomm Research, Singapore. Elsevier journal, 2013.
2. Chakib Bekera: "Security and challenges for IOT". Center for development and technologies, Baba Hassen, Alger, Algeria. Elsevier journal, 2014.
3. Antonio Marcos Alberti, Dhananjay Singh: "Internet of things: perspectives, challenges and opportunities". Instituto Nacional de Telecomunicacoes, Minas Gerais, Brazil; Department of Electronics Engineering, South Korea.
4. Hui Suo, Jiafu Wan, Caifeng Zou, Jianqi Liu: "Security in the Internet of things". Guangzhou, China.
5. Kevin Ashton: "That ‘Internet of Things’ Thing". In: RFID Journal, 22 July 2009. Retrieved 8 April 2011.
6. Tobias Heer, Oscar Garcia-Morchon, Rene Hummen, Sye Loong Keoh, Sandeep S. Kumar and Klaus Wehrle: "Security challenges in the IP based Internet of things". Springer journal, Netherlands.
7. Cisco: Over 50 billions of devices connected to Internet. http://blogs.cisco.com/news/the-internet-of-things-infographic/
I’m going to start by telling you what you probably already know.
Indeed, I’m going to start by talking about challenges.
Then I’m going to talk about specific IoT threats and attacks.
Then I’m going to drop into a few technologies.
INTERNET: a global computer network providing a variety of information and communication facilities, consisting of interconnected networks using standardized communication protocols. We used to feel that we are dependent on the internet, but let me put the fact the other way round: today computers, and therefore the Internet, are almost wholly dependent on human beings for information. Nearly all of the roughly 50 petabytes (a petabyte is 1,024 terabytes) of data available on the Internet were first captured and created by human beings.
IOT: a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.
1) Wireless communication – lots of Wi-Fi devices in IOT, all broadcasting all communication.
2) Physical insecurity – In many scenarios, the devices are placed in areas where the owner isn’t in physical control or possession. E.g., sensors placed in public locations, or in buildings with lots of people nearby.
3) Constrained devices – the “internet connected devices” may be too constrained to enforce security controls or do heavy-weight cryptography. Constrained in terms of power, bandwidth, memory…
4) Healthcare, cameras, etc.
5) No clear standards, so no defence in using a “best practice” solution. Everything is ad hoc. Can’t stand on the shoulders of any giants.
6) The fact that you have lots of different devices means that you have a ‘weakest link’ problem. The weakest device may be an attack surface to compromise the rest of the system.
7) IOT involves people, hardware, software, systems, businesses, and more. It isn’t a software problem, and doesn’t have just software solutions.
8) Chances are, your IOT system is also a Web system. At least for control. You’ve therefore got all the classic web threats to deal with – XSS, CSRF, content injection, etc. You’ve also got attackers from across the world.
9) Security would be easier if we could identify all security principals, all the things, ahead of time. But in IOT we can’t.
10) Adding security functionality costs more, and is inconvenient. Buying sensors and constrained devices with encryption coprocessors is expensive and hard. The most secure way is not the default.
We’re going to find out a lot of ways *not* to do it.
We’re going to need to share experiences, experiment, and feed back information. If security isn’t going to be your big selling point, then you need to make it a collective task. That’s a good argument for openness.
We could argue that this is like the 90s, or the dot-com bubble. Lots of great technology, huge potential, but also all the same naivety and lack of security thinking.
We need to apply our current security and privacy attitudes to IOT, not the ones we had 10-20 years ago.
Having talked about why it’s hard, let’s think about the threats we’ll have to deal with.
These are threats specifically around IOT, largely taken from the IETF core working group, and a document written by Garcia-Morchon et al.
Physical devices:
Anyone could steal or modify a thing.
Anyone could replace a particular thing with an alternative model.
A manufacturer could “clone the physical characteristics, firmware/software, or security configuration of the thing”.
Software:
An attacker with physical or remote access could plausibly update or modify firmware
- there’s a proof-of-concept exploit for routers through web browsers for this.
The software you deploy to the device could be decompiled to obtain any keys or credentials it holds.
The software is likely to be vulnerable to Denial of Service attacks. These might be used to make it malfunction.
Network:
Rerouting traffic – exploit the network protocol to make the connection via your node look more favourable, thus gathering traffic from all sources. A useful attack if you only control a small part of the network.
To highlight the fun that can be had in this subject, I want to show you what happens when the Internet of Things happens by mistake.
This is *old* now – but essentially this website searches for IP cameras in places like car parks, offices, and so on.
There are security challenges at all of the following stages…
Open framework for developing multi device web applications, using open standards
Web friendly open protocols for discovering and sharing services over cloud, local networks and even proprietary networking schemes
3. Consumer data sovereignty: You Own Your Data. A universal mechanism for exerting direct control over your data, devices and services.
Re-establishing control over your devices and personal data.
Device authentication:
All devices are part of a personal zone key infrastructure
Each device has a unique private key
Personal zone hub is a certification authority
Certificate exchange for connections between zones
Works offline and online
It should be obvious that IOT is currently a voyage into the unknown.
There’s way too much uncertainty and new technology floating around.
Generic solutions won’t help that much – it’s a systems problem.
The only way progress will be made is through sharing results, making data and reports open, and collaboration. Please take this opportunity.