Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IoT Mashup - Security for internet connected devices - Lyle

1,529 views

Published on

Published in: Technology, Business
  • Be the first to comment

IoT Mashup - Security for internet connected devices - Lyle

  1. 1. Security for Internet- connected devices John Lyle, University of Oxford
  2. 2. Welcome!  John Lyle  ResearchAssistant at the University of Oxford  Member of the webinos project  Email: me@johnlyle.com  Twitter: @jplyle
  3. 3. What I’m going to say 1. Internet ofThings security is hard! 2. There are some good reasons for this. 3. There are new (ish) threats. 4. There are some new technologies to play with.
  4. 4. The Insecurity ofThings
  5. 5. What I’m not going to say 1. Security is really important. 2. This is how to exploit [ insert popular technology product ] 3. I have the following silver bullets… 4. Anything about privacy
  6. 6. Why is IOT security difficult? And is there anything we can do about it?
  7. 7. Because… 1. Wireless communication 2. Physical insecurity 3. Constrained devices 4. Potentially sensitive data 5. Lack of standards 6. Heterogeneity: weakest link problem 7. A systems, not software problem 8. Classic web / internet threats 9. Identity management & dynamism 10. Inconvenience and cost
  8. 8. But really… It’s because we don’t know how to do it. Yet.
  9. 9. Threats to IOT systems Adapted from "Security Considerations in the IP-based Internet of Things“ - Garcia-Morchon et al. http://tools.ietf.org/html/draft-garcia-core-security-05
  10. 10. The physical devices  Can be stolen  Can be modified  Can be replaced  Can be cloned
  11. 11. The software  Can be modified (firmware / OS / middleware)  Can be decompiled to extract credentials  Can be exhausted (denial of service)
  12. 12. The network  Eavesdropping  Man-in-the-middle attacks  Rerouting traffic  Theft of bandwidth
  13. 13. Securing the whole lifecycle  Design  Production  Bootstrapping  Monitoring  Reconfiguration and recovery  Decommission
  14. 14. Who are the attackers? And what do they want?
  15. 15. We don’t know, but…  Make assumptions to make progress  Use Attacker Personas for consistency  Realistic attacker models  Organised crime?  Curious end users? Modders?  Service providers?
  16. 16. The state of the art Some of it, at least.
  17. 17. The webinos approach  TLS and a device PKI  Attribute-based access control  Web identity and authentication  “Personal zone” model
  18. 18. Protocols and identifiers for constrained devices  CoAP:The ConstrainedApplication Protocol  DTLS: DatagramTransport Layer Security  IPsec  Sizzle – SSL with EllipticCurve Cryptography[1]  HIPS: Host Identity Protocol  HIPS-DEX  ucode [1]Gupta,V.; Millard, M.; Fung, S.; Zhu,Yu; Gura, N.; Eberle, H.; Shantz, S.C. "Sizzle: a standards-based end-to-end security architecture for the embedded Internet," Third IEEE International Conference on PervasiveComputing andCommunications. pp.247,256, 8-12 March 2005
  19. 19. Thoughts to leave you with.  Many new technologies and protocols are being developed  IOT requires systems security Share your results!
  20. 20. Any questions? John Lyle / me@johnlyle.com

×