SECURING THE INTERNET OF THINGS
Presented by – Aditya Nalge
About the paper
Authors – Rodrigo Roman, Pablo Najera, and Javier Lopez
NICS Lab. Publications - https://www.nics.uma.es/publications
FORETHOUGHT
In the Internet of Things vision, every physical object has a virtual component that can produce and consume services. Such extreme interconnection will bring unprecedented convenience and economy, but it will also require novel approaches to ensure its safe and ethical use.
What is the “Internet of Things”?
The Internet of Things is the inter-networking of physical devices embedded with software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.
In the Internet of Things (IoT):
Everything real becomes virtual.
Each person and thing has a locatable, addressable, and readable counterpart on the Internet.
These virtual entities can produce and consume services and collaborate toward a common goal.
Examples
HOW DOES IoT WORK?
1.) Sensors & sensor technology
2.) IoT gateways
3.) Cloud/server infrastructure & big data
4.) End-user mobile apps
Example scenario (smart heater):
Track the user's location based on the GPS position of his car/phone.
Infer the end of his office hours based on past analytics.
Remember the heater's performance using historic data.
Read the current temperature of the smart heater.
Start the heater at an optimal time.
The IoT is a daunting task for security.
What protection measures are possible as billions of intelligent things cooperate with other real and virtual entities in random and unpredictable ways?
Malicious entities can exploit weak links such as:
- Highly distributed nature
- Use of fragile technologies
- Limited-function embedded devices in public areas
Easily accessible objects in unprotected zones, such as city streets, are vulnerable to physical harm.
Like compromised hosts in a botnet, some objects would try to hinder services from the inside.
Additional threats include a domino effect between intertwined services, and user profiling through data collection and other methods.
To avoid these threats -
The IoT must have strong security foundations built on a holistic view of security for all IoT elements at all stages: from the identification of objects to the provisioning of services, from the acquisition of data to the governance of the whole infrastructure.
All security mechanisms must consider each object's lifecycle and services from the very beginning of that object's existence.
Protocol and Network Security
Heterogeneity greatly affects the protection of the network infrastructure.
Highly constrained devices that use low-bandwidth standards must open a secure communication channel with more powerful devices. For example, sensor nodes scattered in a smart city communicate with smart phones or PDAs.
Although it is not clear how many resources will be available to such constrained devices once the IoT truly takes off, it is safe to optimize security as much as possible to improve the provision of future services.
Securing this channel requires:
- Optimal cryptographic algorithms
- Adequate key management systems
- Security protocols
Bottom-Up Approach
In this approach, cryptography is the bricks, and the key-management infrastructures that establish keying material are the mortar.
Although it is possible to implement existing standards, such as AES, some IoT devices, such as passive radio-frequency identification (RFID) tags, might be extremely constrained.
Cryptographic mechanisms must be smaller and faster but with little or no reduction in security level. Mechanisms could include symmetric algorithms, hash functions, and random number generators.
Data and Privacy
Why is privacy the main concern?
The explosion in data availability has created Big-Brother-like entities that profile and track users without their consent.
The IoT's anywhere, anything, anytime nature could easily turn such practices into a dystopia. A dystopia is a community or society that is undesirable or frightening.
Privacy by design - One viable solution is privacy by design, in which users would have the tools they need to manage their own data.
Transparency - It is essential, since users should know which entities are managing their data and how and when those entities are using it.
Data management - A huge issue is deciding who manages the secrets. Technically, cryptographic mechanisms and protocols protect data throughout the service's life cycle, but some entities might lack the resources to manage such mechanisms. In other words, one data management policy will not fit all situations.
Identity Management
Identity management requires considering a staggering variety of identity and relationship types.
An object's identity is not the same as the identity of its underlying mechanisms. The X-ray machine in the radiology department might have an IP address, but it should also have its own identity to distinguish it from other machines.
An object can have one core identity and several temporary identities. A hospital can become a meeting place for a health conference or a shelter after a fire.
An object can identify itself using its identity or its specific features. A virtual food item identifies itself by its ingredients and quantity.
Objects know the identity of their owners. The device that controls a user's glucose level should know how that information fits in that user's overall health.
Fault Tolerance
Achieving fault tolerance in the IoT will require three cooperative efforts:
The first is to make all objects secure by default.
The second is to give all IoT objects the ability to know the state of the network and its services.
Finally, objects should be able to defend themselves against network failures and attacks.
Case Studies
1. Manipulation of Connected Cars
2. The Dangers of the Smart Grid
1. Manipulation of Connected Cars
Security experts Chris Valasek and Charlie Miller grabbed headlines with their research on the vulnerability of connected cars.
Like many thousands of Jeeps around the world, the test vehicle could be remotely hacked over the internet through a cellular connection to its internet-connected system, which would allow someone to take over its steering, its transmission and even its brakes.
They say hundreds of thousands of Chrysler vehicles may be vulnerable through a feature called Uconnect.
Uconnect is an internet-connected computer in the dashboard known as the head unit.
These cars' head units exposed services they probably didn't mean to expose. It lets you query it for information such as GPS position, but it also lets you run commands.
An attacker has to break into the car remotely over the cell network, and can then send CAN messages that can be used to control things like steering, windshield wipers and braking.
How did they do it?
Sitting on a leather couch in Miller's living room, the two researchers scan the Internet for victims. Uconnect computers are linked to the Internet by Sprint's cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Android phone connected to his MacBook. He's using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.
A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It's a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it's cruising down a highway in Texarkana, Texas.
In 2013 they did a wired attack, and did this wireless attack in 2015.
They turned the fans and AC on.
Displayed a picture.
Turned up the music way too loud.
Activated the windshield wipers & wiper fluid.
Killed the engine.
Below a certain speed they can control the steering, as long as the car's in reverse.
And they can "disable the brake"!
Did Chrysler fix it?
They alerted Chrysler, which issued a security patch.
But they say a lot more needs to be done to protect the new generation of cars, which are increasingly connected to the internet and potentially hackable.
Miller cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.)
The result is that the companies have an incentive to add Internet-enabled features, but not to secure them from digital attacks. "They're getting worse faster than they're getting better," he says. "If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it."
2. The Dangers of the Smart Grid
In 2010, researcher Justin W. Clarke found an SSL vulnerability in Siemens' RuggedCom network equipment.
In 2012, the Department of Homeland Security investigated a flaw in the devices of hardened grid and router provider RuggedCom.
By decrypting the traffic between an end user and the RuggedCom device, an attacker could launch attacks to compromise the energy grid.
The security hole could reportedly be exploited by hackers to compromise the networks of critical infrastructure such as power plants.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that:
The RSA private PKI key for SSL communication between a client/user and a RuggedCom switch can be identified in the ROS (Rugged Operating System). An attacker may use the key to create malicious communication to a RuggedCom network device.
The flaw was presented to delegates at a research conference in Los Angeles.
What had happened?
Siemens used a single SSL key to decode all traffic encrypted across its network.
"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you."
Once a hacker has identified the private key, it's possible to eavesdrop on all communications.
It would enable a hacker to remotely administer industrial control systems (ICS) as well as supervisory control and data acquisition (SCADA) systems, which manipulate machinery in industrial settings. These include functions such as flipping switches or operating pumps and valves.
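The root condition in this case is one private key shared by an entire product line. An added example, not from the presentation or from Siemens: a fleet audit that fingerprints the public key each device presents and flags any key used by more than one device, rating it higher when the sharing crosses sites. The inventory is constructed and the key bytes are placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed inventory for illustration: (device_id, site, public key bytes as
# collected from each device's TLS handshake). Real records would hold the DER
# SubjectPublicKeyInfo; these byte strings are placeholders, not real keys.
INVENTORY = [
    ("switch-01", "substation-A", b"CONSTRUCTED-PUBKEY-BAKED-INTO-FIRMWARE"),
    ("switch-02", "substation-B", b"CONSTRUCTED-PUBKEY-BAKED-INTO-FIRMWARE"),
    ("switch-03", "rail-yard-1",  b"CONSTRUCTED-PUBKEY-BAKED-INTO-FIRMWARE"),
    ("switch-04", "substation-C", b"CONSTRUCTED-PUBKEY-UNIQUE-TO-SWITCH-04"),
    ("router-01", "substation-A", b"CONSTRUCTED-PUBKEY-UNIQUE-TO-ROUTER-01"),
]


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 hex digest of the public key bytes, the usual way to compare keys."""
    return hashlib.sha256(pubkey).hexdigest()


def find_shared_keys(inventory):
    """Map fingerprint -> [(device_id, site), ...] for keys used by more than one device."""
    by_key = defaultdict(list)
    for device_id, site, pubkey in inventory:
        by_key[fingerprint(pubkey)].append((device_id, site))
    return {fp: devs for fp, devs in by_key.items() if len(devs) > 1}


def audit(inventory):
    """Return one finding per shared key, rated by how far a single key compromise reaches.

    A key shared across sites means that extracting the private key from any one
    device (e.g. from its firmware) exposes traffic at every site using that key.
    """
    findings = []
    for fp, devs in sorted(find_shared_keys(inventory).items()):
        sites = sorted({site for _, site in devs})
        findings.append({
            "fingerprint": fp,
            "devices": sorted(d for d, _ in devs),
            "sites": sites,
            "severity": "critical" if len(sites) > 1 else "high",
        })
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f['severity']}] key {f['fingerprint'][:16]}... shared by "
              f"{', '.join(f['devices'])} across {len(f['sites'])} site(s)")
```

The same check applied to certificate fingerprints gathered by a passive network scan would catch a firmware-wide key before it is relied on for authentication.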
Possible Severe Consequences
What was even more alarming was that RuggedCom's routers were deployed extensively worldwide for mission-critical networks using ICS and SCADA (supervisory control and data acquisition) equipment.
They were used by electric sub-stations, railroad switches, the US Navy, Chevron and other authorities such as the Department of Transportation, opening up countless avenues of attack for hackers wishing to target such services.
How did Siemens fix it?
Siemens released critical security patches for the firmware in its Ruggedcom WIN (Wireless Information Network) products, which are used as broadband wireless base stations in industrial environments.
Ruggedcom WIN products were compliant with the IEEE 802.16e wireless communications standard, also known as WiMAX.
The updates fixed three vulnerabilities, two of which had the maximum severity score in the Common Vulnerability Scoring System (CVSS) and could allow attackers to perform administrative functions or to execute arbitrary code on the affected systems without authentication.
Cryptographic Solution for the Internet of Things
IoTAS – Internet of Things Advanced Security
It is a purpose-built advanced security solution for IoT developers, enabling them to encrypt and compress all IoT data in transit and at rest.
Simple to deploy. Designed with IoT developers in mind, with simple replacement of insufficient open source tools such as SSL/TLS or AES.
Get to market faster. Today's IoT market is a race. IoTAS is turnkey, so you don't waste time getting it to work. More time in market, happier product teams and customers.
Take the risk out of IoT. Stop piecing together separate security tools for data in motion and data at rest that can leave you exposed. IoTAS provides complete protection of your data in all states to reduce your risk.
Purpose-built for IoT. Small footprint. Low resource requirements. Provides complete data and device integrity. Designed for the trusted endpoints of IoT.
How is IoTAS different from SSL/TLS or AES encryption tools?
IoTAS features a high-speed, state-of-the-art stream cipher and an efficient cryptographic key-to-hash function. This allows it to outperform virtually any block-based cipher suite in terms of cipher speed and CPU performance.
IoTAS encryption technology offers a unique "vault-less" technology for data at rest to ease the burden of key management. With IoTAS encryption, the public key is stored in the header of the file that is secured, while the private key resides on the device. No key vault to manage or lose.
Summary
The IoT is already more than a concept. By complying with security requirements, it can fully bloom into a paradigm that will improve many aspects of daily life.
Open problems remain in many areas, such as cryptographic mechanisms, network protocols, data and identity management, user privacy, self-management, and trusted architectures.
Future research must also carefully consider the balance of governance and legal frameworks with innovation. Governance can sometimes hinder innovation, but innovation in turn can inadvertently ignore human rights.
The right balance between governance and innovation will ensure stable progress toward realizing and securing the IoT as envisioned, and the benefits to humanity will be well worth the effort.
Thank You
References
https://www.embitel.com/blog/ecommerce-blog/how-iot-works-an-overview-of-the-technology-architecture-2
http://skycase-iot.com/platform-for-internet-of-things-working
https://www.youtube.com/watch?v=MK0SrxBC1xs
http://www.techspot.com/news/49893-homeland-security-probes-ssl-flaw-in-ruggedcom-gear-securing-critical-infrastructure.html
https://safenet.gemalto.com/data-protection/securing-internet-of-things-iot/
http://www.pcworld.com/article/2880492/siemens-patches-critical-flaws-in-industrial-wireless-gear.html
https://www.centritechnology.com/overview/