SECURING THE INTERNET OF THINGS - PowerPoint Presentation

Uploaded by phoebe-click on 2017-10-15



Presentation Transcript

Slide2

SECURING THE INTERNET OF THINGS

Presented by – Aditya Nalge

Slide3

About the paper

Authors – Rodrigo Roman, Pablo Najera, and Javier Lopez

NICS Lab. Publications - https://www.nics.uma.es/publications

Slide4

FORETHOUGHT

In the Internet of Things vision, every physical object has a virtual component that can produce and consume services. Such extreme interconnection will bring unprecedented convenience and economy, but it will also require novel approaches to ensure its safe and ethical use.

Slide5

What is the “Internet of Things”?

The Internet of Things is the inter-networking of physical devices embedded with software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.

Slide6

In the Internet of Things (IoT):

Everything real becomes virtual.

Each person and thing has a locatable, addressable, and readable counterpart on the Internet.

These virtual entities can produce and consume services and collaborate toward a common goal.

Slide7

Examples

Slide8

HOW DOES I(o)T WORK?

Slide9

1.) Sensors & Sensor technology

2.) IoT Gateways

3.) Cloud/server infrastructure & Big Data

4.) End-user Mobile apps

Slide10

Track his location based on the GPS position of his car/phone.

Infer the end of his office hours based on past analytics.

Remember the heater performance using historic data.

Read the current temperature of the smart heater.

Start the heater at an optimal time.

Slide11

The IoT is a daunting task for security.

What protection measures are possible as billions of intelligent things cooperate with other real and virtual entities in random and unpredictable ways?

Slide12

Malicious entities can exploit weak links such as:

- Highly distributed nature

- Use of fragile technologies

- Limited-function embedded devices in public areas

Easily accessible objects in unprotected zones, such as city streets, are vulnerable to physical harm.

Like the bots of a botnet, compromised objects could hinder services from the inside.

Additional threats include a domino effect between intertwined services, and user profiling through data collection and other methods.

Slide13

To avoid these threats -

The IoT must have strong security foundations built on a holistic view of security for all IoT elements at all stages: from the identification of objects to the provisioning of services, from the acquisition of data to the governance of the whole infrastructure.

All security mechanisms must consider each object’s lifecycle and services from the very beginning of that object’s existence.

Slide14

Protocol and Network Security

Slide15

Heterogeneity greatly affects the protection of the network infrastructure.

Highly constrained devices that use low-bandwidth standards must open a secure communication channel with more powerful devices. For example, sensor nodes scattered in a smart city communicate with smart phones or PDAs.

Although it is not clear how many resources will be available to such constrained devices once the IoT truly takes off, it is safe to optimize security as much as possible to improve the provision of future services.

Slide16

Securing this channel requires:

Optimal cryptography algorithms

Adequate key management systems

Security protocols

Slide17

Bottom-Up Approach

In this approach, cryptography is the bricks and the mortar is the key-management infrastructures that establish keying material.

Although it is possible to implement existing standards, such as AES, some IoT devices, such as passive radio-frequency identification (RFID) tags, might be extremely constrained.

Cryptographic mechanisms must be smaller and faster but with little or no reduction in security level. Mechanisms could include symmetric algorithms, hash functions, and random number generators.

Slide18

Data and Privacy

Slide19

Why is privacy the main concern?

The explosion in data availability has created Big-Brother-like entities that profile and track users without their consent.

The IoT’s anywhere, anything, anytime nature could easily turn such practices into a dystopia.

A dystopia is a community or society that is undesirable or frightening.

Slide20

Privacy by design - One viable solution is privacy by design, in which users would have the tools they need to manage their own data.

Transparency – It is essential, since users should know which entities are managing their data and how and when those entities are using it.

Data management - A huge issue is deciding who manages the secrets. Technically, cryptographic mechanisms and protocols protect data throughout the service’s life cycle, but some entities might lack the resources to manage such mechanisms. In other words, one data management policy will not fit all situations.

Slide21

Identity Management

Slide22

Identity management requires considering a staggering variety of identity and relationship types.

An object’s identity is not the same as the identity of its underlying mechanisms. The X-ray machine in the radiology department might have an IP address, but it should also have its own identity to distinguish it from other machines.

An object can have one core identity and several temporary identities. A hospital can become a meeting place for a health conference or a shelter after a fire.

An object can identify itself using its identity or its specific features. A virtual food identifies itself by its ingredients and quantity.

Objects know the identity of their owners. The device that controls a user’s glucose level should know how that information fits in that user’s overall health.

Slide23

Fault Tolerance

Slide24

Achieving fault tolerance in the IoT will require three cooperative efforts:

The first is to make all objects secure by default.

The second effort is to give all IoT objects the ability to know the state of the network and its services.

Finally, objects should be able to defend themselves against network failures and attacks.

Slide25

Slide26

Case Studies

1. Manipulation of Connected Cars

2. The Dangers of the Smart Grid

Slide27

1. Manipulation of Connected Cars

Security experts Chris Valasek and Charlie Miller grabbed headlines with their research on the vulnerability of connected cars.

Like many thousands of Jeeps around the world, it can be remotely hacked over the internet through a cellular connection to its internet-connected system, which would allow someone to take over its steering, its transmission and even its brakes.

Slide28

They say hundreds and thousands of Chrysler vehicles may be vulnerable through a feature called Uconnect.

Uconnect is an internet-connected computer in the dashboard known as the head unit.

These cars’ head units were exposed to services they probably didn’t want exposed. It lets you do things like query it for information such as the GPS, but also lets you run commands.

You have to break into the car remotely over the cell network, and then you can send CAN messages which can be used to control things like steering, windshield wipers, and braking.

Slide29

How did they do it?

Sitting on a leather couch in Miller’s living room, the two researchers scan the Internet for victims.

Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Android phone connected to his MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.

A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas.

Slide30

In 2013 they demonstrated a wired attack, and in 2015 this wireless attack.

They turned the fans and AC on.

Displayed a picture.

Turned the music up way too loud.

Activated the windshield wipers and wiper fluid.

Killed the engine.

Below a certain speed they can control the steering, as long as the car’s in reverse.

And they can “disable the brake”!

Slide31

Did Chrysler fix it?

They alerted Chrysler, which issued a security patch.

But they say a lot more needs to be done to protect the new generation of cars, which are increasingly connected to the internet and potentially hackable.

Miller cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.)

The result is that the companies have an incentive to add Internet-enabled features—but not to secure them from digital attacks. “They’re getting worse faster than they’re getting better,” he says. “If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it.”

Slide32

2. The Dangers of the Smart Grid

In 2010, researcher Justin W. Clarke found an SSL vulnerability in Siemens’ RuggedCom network equipment.

In 2012, the Department of Homeland Security investigated a flaw in hardened grid and router provider RuggedCom’s devices.

By decrypting the traffic between an end user and the RuggedCom device, an attacker could launch attacks to compromise the energy grid. The security hole could reportedly be exploited by hackers to compromise the networks of critical infrastructure such as power plants.

Slide33

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that:

The RSA private PKI key for SSL communication between a client/user and a RuggedCom switch can be identified in the ROS (Rugged Operating System).

An attacker may use the key to create malicious communication to a RuggedCom network device.

Slide34

The flaw was presented to delegates at a research conference in Los Angeles.

Slide35

What had happened?

Siemens used a single SSL key to decode all traffic encrypted across its network.

"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you."

Once a hacker has identified the private key, it's possible to eavesdrop on all communications.

It would enable a hacker to remotely administer industrial control systems (ICS) as well as supervisory control and data acquisition (SCADA) systems, which manipulate machinery in industrial settings. These include functions such as flipping switches or operating pumps and valves.

Slide36

Possible Severe Consequences

What was even more alarming was that RuggedCom’s routers were deployed extensively worldwide for mission-critical networks using ICS and SCADA (supervisory control and data acquisition) equipment.

They were used by electric substations, railroad switches, the US Navy, Chevron and other authorities such as the Department of Transportation, opening up countless avenues of attack for hackers wishing to target such services.

Slide37

How did Siemens fix it?

Siemens released critical security patches for the firmware in its Ruggedcom WIN (Wireless Information Network) products, which are used as broadband wireless base stations in industrial environments.

Ruggedcom WIN products were compliant with the IEEE 802.16e wireless communications standard, also known as WiMAX.

The updates fixed three vulnerabilities, two of which had the maximum severity score in the Common Vulnerability Scoring System (CVSS) and could allow attackers to perform administrative functions or to execute arbitrary code on the affected systems without authentication.
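A defender-side check that follows from this case study, as an added example that is not from the slides or from Siemens/RuggedCom: it fingerprints the public key each device presents and flags any key shared across the fleet or matching a key recovered from a firmware image, which is how a single baked-in key like the one above shows up in an inventory. The device records, SPKI bytes and firmware key are constructed stand-ins.

```python
import hashlib
from collections import defaultdict

# Constructed inventory: (device_id, site, hex of the DER SubjectPublicKeyInfo from the
# TLS certificate each device presents). SPKI values are abbreviated stand-ins made up
# for this example; real ones run to tens or hundreds of bytes.
INVENTORY = [
    ("sw-01", "substation-a", "3059301306072a8648ce3d020106082a8648ce3d03010703420004aa11"),
    ("sw-02", "substation-b", "3059301306072a8648ce3d020106082a8648ce3d03010703420004aa11"),
    ("sw-03", "rail-yard",    "3059301306072a8648ce3d020106082a8648ce3d03010703420004bb22"),
    ("sw-04", "substation-c", "3059301306072a8648ce3d020106082a8648ce3d03010703420004aa11"),
]

# Constructed: SPKI of the key an analyst recovered from a firmware image, i.e. a key
# baked into the OS image and therefore identical on every unit that runs it.
FIRMWARE_SPKI_HEX = "3059301306072a8648ce3d020106082a8648ce3d03010703420004aa11"

def spki_fingerprint(spki_hex: str) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo (the same input HPKP pins hash)."""
    return hashlib.sha256(bytes.fromhex(spki_hex)).hexdigest()

def audit_key_reuse(inventory, firmware_spki_hex=None):
    """Return (shared, embedded): fingerprints presented by more than one device, and
    fingerprints matching the firmware key. Either means one private-key compromise
    exposes the traffic of every device using that key, the RuggedCom failure mode."""
    by_fp = defaultdict(list)
    for dev_id, _site, spki_hex in inventory:
        by_fp[spki_fingerprint(spki_hex)].append(dev_id)
    shared = {fp: ids for fp, ids in by_fp.items() if len(ids) > 1}
    embedded = {}
    if firmware_spki_hex is not None:
        fw_fp = spki_fingerprint(firmware_spki_hex)
        if fw_fp in by_fp:
            embedded[fw_fp] = by_fp[fw_fp]
    return shared, embedded

def report(inventory, firmware_spki_hex=None):
    """Findings as text lines (returned, not just printed, so they can be checked)."""
    shared, embedded = audit_key_reuse(inventory, firmware_spki_hex)
    lines = [f"SHARED KEY {fp[:16]}... on {len(ids)} devices: {', '.join(ids)}"
             for fp, ids in shared.items()]
    lines += [f"FIRMWARE-EMBEDDED KEY {fp[:16]}... in use by: {', '.join(ids)}"
              for fp, ids in embedded.items()]
    return lines or ["OK: every device presents a unique key not found in firmware"]

if __name__ == "__main__":
    print("\n".join(report(INVENTORY, FIRMWARE_SPKI_HEX)))
```

In a real fleet the SPKI bytes would be pulled from each device's certificate during a TLS handshake and the firmware key from a static analysis of the image; the grouping logic is unchanged.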

Slide38

Cryptographic Solution for Internet of Things

Slide39

IoTAS - Internet of Things Advanced Security

It is a purpose-built advanced security solution for IoT developers enabling them to encrypt and compress all IoT data in transit and at rest.

Simple to deploy. Designed with IoT developers in mind, with simple replacement of insufficient open source tools such as SSL/TLS or AES.

Get to market faster. Today’s IoT market is a race. IoTAS is turnkey so you don’t waste time getting it to work. More time in market, happier product teams and customers.

Take the risk out of IoT. Stop piecing together separate security tools for data in motion and data at rest that can leave you exposed. IoTAS provides complete protection of your data in all states to reduce your risk.

Purpose-built for IoT. Small footprint. Low resource requirements. Provides complete data and device integrity. Designed for the trusted endpoints of IoT.

Slide40

How is IoTAS Different from SSL/TLS or AES Encryption Tools?

IoTAS features a high-speed, state-of-the-art stream cipher and an efficient cryptographic key-to-hash function. This allows it to outperform virtually any block-based cipher suite in terms of cipher speed and CPU performance.

IoTAS encryption technology offers unique “vault-less” technology for data at rest to ease the burden of key management. With IoTAS encryption, the public key is stored in the header of the file that is secured, while the private key resides on the device. No key vault to manage or lose.

Slide41

Summary

The IoT is already more than a concept. By complying with security requirements, it can fully bloom into a paradigm that will improve many aspects of daily life.

Open problems remain in many areas, such as cryptographic mechanisms, network protocols, data and identity management, user privacy, self-management, and trusted architectures.

Future research must also carefully consider the balance of governance and legal frameworks with innovation. Governance can sometimes hinder innovation, but innovation in turn can inadvertently ignore human rights.

Slide42

The right balance between governance and innovation will ensure stable progress toward realizing and securing the IoT as envisioned, and the benefits to humanity will be well worth the effort.

Slide43

Thank You

Slide44

References

https://www.embitel.com/blog/ecommerce-blog/how-iot-works-an-overview-of-the-technology-architecture-2

http://skycase-iot.com/platform-for-internet-of-things-working

https://www.youtube.com/watch?v=MK0SrxBC1xs

http://www.techspot.com/news/49893-homeland-security-probes-ssl-flaw-in-ruggedcom-gear-securing-critical-infrastructure.html

https://safenet.gemalto.com/data-protection/securing-internet-of-things-iot/

http://www.pcworld.com/article/2880492/siemens-patches-critical-flaws-in-industrial-wireless-gear.html

https://www.centritechnology.com/overview/