SECURING THE INTERNET OF THINGS
Presented by – Aditya Nalge
About the paper
NICS Lab. Publications -
In the Internet of Things vision, every physical object has a virtual component that can produce and consume services. Such extreme interconnection will bring unprecedented convenience and economy, but it will also require novel approaches to ensure its safe and ethical use.
What is the “Internet of Things” ?
The Internet of Things is the inter-networking of physical devices, software, sensors, actuators, and network connectivity that enables these objects to collect and exchange data.
In the Internet of Things (IoT) :
Everything real becomes virtual
Each person and thing has a locatable, addressable, and readable counterpart on the Internet
These virtual entities can produce and consume services and collaborate toward a common goal.
HOW DOES I(o)T WORK?
1.) Sensors & sensor technology 2.) IoT gateways 3.) Cloud/server infrastructure & big data 4.) End-user mobile apps
Track his location based on GPS position of his car/phone
Infer end of his office timing based on past analytics
Remember the heater performance using historic data
Read the current temperature of the Smart heater
Start the heater at an optimal time
The IoT is a daunting task for security.
What protection measures are possible as billions of intelligent things cooperate with other real and virtual entities in random and unpredictable ways?
Malicious entities can exploit weak links such as :
- Highly distributed nature
- Use of fragile technologies
- Limited-function embedded devices in public areas
Easily accessible objects in unprotected zones, such as city streets, are vulnerable to physical harm.
Like hosts compromised into a botnet, some objects would try to hinder services from the inside.
Additional threats include the existence of a domino effect between intertwined services and user profiling through data collection and other methods.
To avoid these threats -
IoT must have strong security foundations built on a holistic view of security for all IoT elements at all stages.
From the identification of objects to the provisioning of services, from the acquisition of data to the governance of the whole infrastructure.
All security mechanisms must consider each object’s lifecycle and services from the very beginning of that object’s existence
Protocol and Network Security
Heterogeneity greatly affects the protection of the network infrastructure
Highly constrained devices that use low-bandwidth standards must open a secure communication channel with more powerful devices.
For example, sensor nodes scattered in a smart city communicate with smart phones or PDAs.
Although it is not clear how many resources will be available to such constrained devices once the IoT truly takes off, it is safe to optimize security as much as possible to improve the provision of future services.
Securing this channel requires
Optimal Cryptography algorithms
Adequate key management systems
Bottom – Up Approach
In this approach, cryptography is the bricks, and the key-management infrastructures that establish keying material are the mortar.
Although it is possible to implement existing standards, such as AES, some IoT devices, such as passive radio-frequency identification (RFID) tags, might be extremely constrained.
Cryptographic mechanisms must be smaller and faster but with little or no reduction in security level.
Mechanisms could include symmetric algorithms, hash functions, and random number generators.
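A bottom-up key hierarchy of the kind this slide describes, as an added example (my code, not the paper's): the fleet master key stays on the gateway, each constrained node gets a per-device key derived from it with HMAC-SHA256, and the node's readings are authenticated and replay-protected with a counter. Device ids, the frame layout and the 8-byte truncated tag are assumptions; confidentiality would need an AEAD on top, which is left out to keep the example to standard-library primitives.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 8                        # truncated MAC to save airtime (assumption)
MSG_LEN = 4 + 8 + 4 + TAG_LEN      # device id | counter | reading | tag

def derive_key(parent: bytes, label: bytes) -> bytes:
    """One-step HKDF-style expansion: child key = HMAC-SHA256(parent, label)."""
    return hmac.new(parent, label, hashlib.sha256).digest()

def provision(master_key: bytes, device_id: bytes) -> bytes:
    """Per-device key handed to the node at manufacture; the master key never leaves the gateway."""
    return derive_key(master_key, b"device:" + device_id)

class SensorNode:
    """Constrained node: knows only its own key and a monotonic send counter."""
    def __init__(self, device_id: bytes, device_key: bytes):
        self.device_id, self.device_key, self.counter = device_id, device_key, 0

    def send(self, reading: int) -> bytes:
        self.counter += 1  # persisted across reboots in real firmware
        body = self.device_id + struct.pack(">QI", self.counter, reading)
        tag = hmac.new(self.device_key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag

class Gateway:
    """More powerful peer: re-derives each node's key, rejects forgeries and replays."""
    def __init__(self, master_key: bytes):
        self.master_key, self.last_counter = master_key, {}

    def receive(self, msg: bytes):
        if len(msg) != MSG_LEN:
            return None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        device_id = body[:4]
        expected = hmac.new(provision(self.master_key, device_id), body,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, corrupted, or keyed under a different master
        counter, reading = struct.unpack(">QI", body[4:])
        if counter <= self.last_counter.get(device_id, 0):
            return None  # replayed or stale frame
        self.last_counter[device_id] = counter
        return reading

if __name__ == "__main__":
    master = secrets.token_bytes(32)   # fleet master key from the OS CSPRNG
    node = SensorNode(b"\x00\x00\x00\x07", provision(master, b"\x00\x00\x00\x07"))
    gw = Gateway(master)
    frame = node.send(2150)
    print(gw.receive(frame), gw.receive(frame))   # 2150 None (second copy is a replay)
```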
Data and Privacy
Why is privacy the main concern?
The explosion in data availability has created Big Brother-like entities that profile and track users without their consent. The IoT's anywhere, anything, anytime nature could easily turn such practices into a dystopia, a community or society that is undesirable or frightening.
Privacy by design - One viable solution is privacy by design, in which users would have the tools they need to manage their own data.
Transparency – It is essential, since users should know which entities are managing their data and how and when those entities are using it.
Data management - A huge issue is deciding who manages the secrets. Technically, cryptographic mechanisms and protocols protect data throughout the service’s life cycle, but some entities might lack the resources to manage such mechanisms. In other words, one data management policy will not fit all situations.
Identity management requires considering a staggering variety of identity and relationship types
An object’s identity is not the same as the identity of its underlying
The x-ray machine in the radiology department might have an IP address, but it should also have its own identity to distinguish it from other machines.
An object can have one core identity and several temporary identities.
A hospital can become a meeting place for a health conference or a shelter after a fire.
An object can identify itself using its identity or its specific features.
A virtual food identifies itself by its ingredients and quantity.
Objects know the identity of their owners.
The device that controls a user’s glucose level should know how that information fits in that user’s overall health
Achieving fault tolerance in the IoT will require three cooperative efforts
The first is to make all objects secure by default.
The second effort is to give all IoT objects the ability to know the state of the network and its services.
Finally, objects should be able to defend themselves against network failures and attacks
Manipulation of Connected Cars
The Dangers of the Smart Grid
Security experts Chris Valasek and Charlie Miller grabbed headlines with their research on the vulnerability of connected cars. Like many thousands of Jeeps around the world, the test vehicle could be remotely hacked over the Internet through a cellular connection to its Internet-connected system, allowing someone to take over its steering, its transmission, and even its brakes.
1. Manipulation of Connected Cars
They say hundreds and thousands of Chrysler vehicles may be vulnerable through a feature called
is an Internet-connected computer in the dashboard known as the head unit.
These cars' head units exposed services they probably didn't want to.
It lets you do things like query it for information, like the GPS, but it also lets you run commands.
You have to break into the car remotely over the cell network, and then you can send CAN messages that can be used to control things like steering, windshield wipers, and braking.
How did they do it?
Sitting on a leather couch in Miller's living room, the two researchers scan the Internet for victims. The cars' computers are linked to the Internet by Sprint's cellular network, and only other Sprint devices can talk to them. So Miller has a cheap phone connected to his laptop. He's using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.
A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas.
In 2013 they demonstrated a wired attack; they carried out this wireless attack in 2015.
They turned the fans and AC on.
Displayed a picture.
Turned up the music way too loud.
Activated Windshield & wiper fluid.
Below a certain speed they can control the steering, as long as the car is in reverse.
And they can “disable the brake” !
Did Chrysler fix it?
They alerted Chrysler, which issued a security patch.
But they say a lot more needs to be done to protect the new generation of cars, which are increasingly connected to the Internet and potentially
Miller cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.)
The result is that the companies have an incentive to add Internet-enabled features—but not to secure them from digital attacks. “They’re getting worse faster than they’re getting better,” he says.
"If it takes a year to introduce a new feature, then it takes them four to five years to protect it."
In 2010, researcher Justin W. Clarke found an SSL vulnerability in Siemens' RuggedCom network equipment. In 2012, the Department of Homeland Security investigated a flaw in devices from RuggedCom, a provider of hardened grid and router equipment. By decrypting the traffic between an end user and the RuggedCom device, an attacker could launch attacks to compromise the energy grid. The security hole could reportedly be exploited by hackers to compromise the networks of critical infrastructure such as power plants.
2. The Dangers of the Smart Grid
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that:
The RSA private PKI key for SSL communication between a client/user and a RuggedCom switch can be identified in the ROS (Rugged Operating System).
An attacker may use the key to create malicious communication to a RuggedCom network.
Flaw presented to delegates at a research conference in Los Angeles
What had happened?
Siemens used a single SSL key to decode all traffic encrypted across its network.
"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you."
Once a hacker has identified the private key it's possible to eavesdrop on all communications.
It would enable a hacker to remotely administer industrial control systems (ICS) as well as supervisory control and data acquisition (SCADA) systems, which manipulate machinery in industrial settings. These include functions such as flipping switches or operating pumps and valves.
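A defender-side check for this class of flaw, as an added example (my code, not from ICS-CERT or Siemens): the root problem was a single private key baked into the firmware of every unit, so a firmware audit should flag any embedded private-key block and, more importantly, the same key recurring across images. The firmware blobs below are constructed, and the "key" inside them is placeholder text, not real key material.

```python
import hashlib
import re

# PEM private-key block (PKCS#1, PKCS#8, EC, DSA, or encrypted PKCS#8 header).
PEM_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"
    rb".*?-----END (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----", re.S)

def find_embedded_keys(image: bytes):
    """Return (offset, sha256 of the block) for each PEM private key in a raw image."""
    return [(m.start(), hashlib.sha256(m.group(0)).hexdigest())
            for m in PEM_KEY.finditer(image)]

def shared_keys(images: dict):
    """Map key fingerprint -> sorted names of every image that embeds it,
    keeping only fingerprints seen in more than one image (fleet-wide key)."""
    seen = {}
    for name, blob in images.items():
        for _, fingerprint in find_embedded_keys(blob):
            seen.setdefault(fingerprint, set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

# Constructed sample: a placeholder PEM block, NOT a real key.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"PLACEHOLDER-NOT-A-REAL-KEY\n"
            b"-----END RSA PRIVATE KEY-----\n")
FIRMWARE = {  # constructed firmware images with padding around the block
    "ros-v1.bin": b"\x7fELF" + b"\x00" * 64 + FAKE_KEY + b"\xff" * 32,
    "ros-v2.bin": b"\x7fELF" + b"\x00" * 128 + FAKE_KEY,
    "clean.bin": b"\x7fELF" + b"\x00" * 64,
}

if __name__ == "__main__":
    for name, blob in FIRMWARE.items():
        print(name, find_embedded_keys(blob))
    print("shared across images:", shared_keys(FIRMWARE))
```

Real images are often compressed or packed, so run the scan on the unpacked filesystem as well as the raw blob.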
Possible Severe Consequences
What was even more alarming was that the routers were deployed extensively worldwide for mission-critical networks using ICS and SCADA (supervisory control and data acquisition) equipment, used by electric sub-stations, railroad switches, the US Navy, Chevron and other authorities such as the Department of Transportation, opening up countless avenues of attack for hackers wishing to target such services.
How did Siemens fix it?
Siemens released critical security patches for the firmware in its WIN (Wireless Information Network) products, which are used as broadband wireless base stations in industrial environments.
WIN products were compliant with the IEEE 802.16e wireless communications standard, also known as WiMAX.
The updates fixed three vulnerabilities, two of which had the maximum severity score in the Common Vulnerability Scoring System (CVSS) and could allow attackers to perform administrative functions or to execute arbitrary code on the affected systems without authentication.
Cryptographic Solution for the Internet of Things
IoTAS - Internet of Things Advanced Security
It is a purpose-built advanced security solution for IoT developers enabling them to encrypt and compress all IoT data in transit and at rest.
Simple to deploy.
Designed with IoT developers in mind, with simple replacement of insufficient open source tools such as SSL/TLS or AES.
Get to market faster.
Today's IoT market is a race. IoTAS is turnkey, so you don't waste time getting it to work. More time in market, happier product teams and customers.
Take the risk out of IoT.
Stop piecing together separate security tools for data in motion and data at rest that can leave you exposed. IoTAS provides complete protection of your data in all states to reduce your risk.
Purpose-Built for IoT.
Small footprint. Low resource requirements. Provides complete data and device integrity. Designed for the trusted endpoints of IoT.
How is IoTAS Different from SSL/TLS or AES Encryption Tools?
IoTAS features a high-speed, state-of-the-art, stream cipher and an efficient cryptographic key-to-hash function. This allows it to outperform virtually any block-based cipher suite in terms of cipher speed, and CPU performance. IoTAS encryption technology offers unique “vault-less” technology for data at rest to ease the burden of key management. With IoTAS encryption, the public key is stored in the header of the file that is secured, while the private key resides on the device. No key vault to manage or lose.
The IoT is already more than a concept.
By complying with security requirements, it can fully bloom into a paradigm that will improve many aspects of daily life.
Open problems remain in many areas, such as cryptographic mechanisms, network protocols, data and identity management, user privacy, self-management, and trusted architectures.
Future research must also carefully consider the balance of governance and legal frameworks with innovation.
Governance can sometimes hinder innovation, but innovation in turn can inadvertently ignore human rights.
The right balance between Governance and Innovation will ensure stable progress toward realizing and securing the IoT as envisioned, and the benefits to humanity will be well worth the effort.