Group 6
advertisement
Team members:
Nabil Bouamara
Jeroen Delvaux
Anum Masood
Saleha Masood
Djamel Mohamed
Hongjian Peng
Qurrat ul Ain
Syeda Wishal Bokhari
Mingli Wu
Security & Privacy
Group Presentation: Security & Privacy in Internet of Things
Advanced Topics in Internet of Things
Shanghai Jiao Tong University
October 22, 2015
Defense
Attack
Does the Internet of Things need Security?
Smartphone
Pacemakers,
insulin pumps
etc. may be
hacked
Malicious applications
may collect your private
data (photos, messages,
location, etc.)
Can burglars determine whether you are home?
Medical Devices
Broadcast
WiFi
passwords
unencrypted
Smart Kitchen Appliances
Laundry Equipment
Group 6: Internet of Things – Security & Privacy
Introduction
Smart Lights
Slide 02/25
Does the Internet of Things need Security? Yes!
Home Entertainment
System
TVs were found to spy on
not only what channels
were being watched, but
even transmit the names
of files on connected USB
drives
You may be
spied upon in
your own
home
Billing fraud
Refrigerator
Refrigerators
have been
used to send
out malicious
emails (spam)
Group 6: Internet of Things – Security & Privacy
WebCam
Introduction
Hackers may
take control
and record
you
Smart Meter
Slide 03/25
Case Study: Hackers Remotely Kill a Car
• Modern cars are equipped with electronic systems
• Brakes, steering, engine, transmission, locks,
hood and truck releases, horn, heat, dashboard, …
• Internet-connected, enabling remote threats
• An automaker’s nightmare, by Miller & Valasek
• Target: Jeep Cherokees (1000s of vehicles)
• Remote control, via the Internet, from a laptop
• Send commands through the entertainment system
Human lives
are at stake!
Group 6: Internet of Things – Security & Privacy
Introduction
Slide 04/25
Layers of the IoT
Presentation Outline
(1) Security Needs & Mathematical Tools
IoT device
(2) Physical Security
Internet backbone
Local network
(3) Applications
(4) Government
Group 6: Internet of Things – Security & Privacy
Security Needs & Mathematical Tools
Slide 05/25
Attacker Model
Insecure
communication
channel
hi
hi, i am device 85; my sensitive data is 7184
thx, got it, go to mode 6
IoT device
Local network
Protocol Attacks:
- Eavesdropping (Read)
- Manipulation (Write)
- Replay (History)
Physical Attacks:
- Power, electromagnetic, timing, optical, etc.
Group 6: Internet of Things – Security & Privacy
Security Needs & Mathematical Tools
adversary
Slide 06/25
Security Needs (1/2)
To be provided by the cryptographic protocol
• Data Confidentiality & Data Authentication
Transfer 10$ to Bank Account X
\T&-!@[ds$#7rfhrd&)
-
Cannot understand
Modification detected
WiFi access point
Smartphone
• Entity Authentication
Access granted
Genuine card (prover)
Malicious card
(impersonator)
Group 6: Internet of Things – Security & Privacy
Access denied
Security Needs & Mathematical Tools
Hotel room (verifier)
Slide 07/25
Security Needs (2/2)
To be provided by the cryptographic protocol
• Entity Confidentiality (=Privacy)
Shopping card
Track shopping behavior of a
specific customer over time
Shop cashier
• Availability (Resist Denial-of-Service)
RFID tag
Group 6: Internet of Things – Security & Privacy
Disable genuine data flow
temporarily / permanently
Security Needs & Mathematical Tools
RFID reader
Slide 08/25
A Cryptographic Protocol
Protect a “small key” only, which on its turn protects the “big data”
hi
\T&-!@[ds$#
*)”<@x^+{
shared secret key
(e.g., 128 bit)
“Gibberish. They didn’t give
me the key.”
Physical vault
(secure key storage)
Group 6: Internet of Things – Security & Privacy
“I cannot recover the key”
adversary
Security Needs & Mathematical Tools
Slide 09/25
Tricky Trade-Off: Cost versus Security
Low-Cost
ResourceConstrained
IoT Device
-
Secure protocols,
algorithms and
implementations
Energy / Power
Circuit Area
Execution Time
…
Many cryptographic primitives have been broken…
-
WiFi: WEP protocol
GSM: A5/1 algorithm
Windows: MD5 algorithm
…
Group 6: Internet of Things – Security & Privacy
- Don’t design your
own crypto.
- Peer-reviewed crypto
competitions (AES,
Keccak, …)
Security Needs & Mathematical Tools
Slide 10/25
Presentation Outline
(1) Security Needs & Mathematical Tools
IoT device
(2) Physical Security
Internet backbone
Local network
(3) Applications
(4) Government
Group 6: Internet of Things – Security & Privacy
Physical Security
Slide 11/25
Physical Attacks
Microphone
Apply & Collect
Physical Stimuli
Oscilloscope
Scanning Electron
Microscope (SEM)
IoT device
Side-Channel Traces
Signal Processing
(MATLAB, C++)
Temperature
Chamber
Voltage Source
Group 6: Internet of Things – Security & Privacy
Focused Ion
Beam (FIB)
Secret Key Recovery
Physical Security
Slide 12/25
Physical Countermeasures
• Not a fair game
• Protect against all channels; attacker only needs one
weakest link in a chain
• Everything can be broken, given enough time & money
• Countermeasures ($$$)
• Sensors: light, temperature, voltage, EM, …
Goal: render attacks
economically infeasible
Cost attack >> Profit Attack
• Reduce the SNR of side-channel traces: masking, noise generators, …
• Circuit Level: physically unclonable functions (PUFs), special logic styles, …
Group 6: Internet of Things – Security & Privacy
Physical Security
Slide 13/25
Presentation Outline
(1) Security Needs & Mathematical Tools
IoT device
(2) Physical Security
Internet backbone
Local network
(3) Applications
(4) Government
Group 6: Internet of Things – Security & Privacy
Applications
Slide 14/25
Privacy-Enhancing Technologies for the Internet
• Virtual Private Network (VPN)
• Isolated private network for a selected group of users
• E.g., securely distribute data among business partners
• E.g., individuals (bypass the Great Firewall)
• Onion Routing (e.g., TOR)
• Anonymous sender
• Data encapsulated in encryption layers
• Onion routers peel away 1 layer to reveal next destination
Group 6: Internet of Things – Security & Privacy
Applications
Slide 15/25
Secure Communications over the Web
• Cryptographic protocol: SSL/TLS
•
•
•
•
Applications: Web browsing, E-mail, instant messaging, …
End-to-end authentication of client & server
Data confidentiality
Long version history with many security flaws (e.g., Heartbleed bug, 2014)
Web server
(e.g., facebook.com)
Client Web Browser
(e.g., Google Chrome)
Group 6: Internet of Things – Security & Privacy
Applications
Slide 16/25
Domain Name Servers (DNS)
(1) Domain name: www.facebook.com
(2) IP-address: 31.13.77.6
DNS
Client Web Browser
(3)
Facebook
server (IP)
Group 6: Internet of Things – Security & Privacy
• User convenience: remember words instead of
numbers
• Security was an afterthought: DNS Security
Extensions (DNSSEC)
• Ensure that the user connects to a genuine server
and not a malicious one (DNS cache poisoning).
Applications
Slide 20/25
Security of the Cloud
• Many companies & individuals migrate their data to the cloud
• Cheaper than maintaining your own IT infrastructure
• Mixed feelings in terms of security
• Cloud providers have technical (cryptographic) expertise
• Trust issue: rely on the goodness of the cloud providers
Secure storage of and processing on
user / company data
Secure download
Secure upload
Group 6: Internet of Things – Security & Privacy
Applications
Slide 18/25
End-Point Security
• Cryptographic algorithms don’t solve everything
• All efforts are in vain if the end-point (OS) is infected
• Malware, viruses, Trojan horses, key-loggers, …
• One minor flaw and the whole system might collapse
• E.g., hackers released customer names of an on-line dating
service, marketing to married people (2015)
• Protect the end-user against him/her-self
k
• Passwords (too short, dictionary attacks, reuse across services, …)
• Phishing
Group 6: Internet of Things – Security & Privacy
Applications
Slide 19/25
Presentation Outline
(1) Security Needs & Mathematical Tools
IoT device
Internet backbone
Local network
(2) Physical Security
(3) Applications
(4) Government
Group 6: Internet of Things – Security & Privacy
Government
Slide 20/25
Role of the Government
• Both attacker (gather intelligence) and defender (legal system), e.g., USA
NSA
Whistleblower Edward
Snowden (2014)
Federal Trade
Commission (FTC)
FTC Chairwoman
Edith Ramirez,
Goal: “Protecting America’s customers”
Mass-surveillance on
US citizens, escalating
since 9/11 (demand
backdoors in products)
Private user data:
- Facebook,
- GMail,
- AT&T,
-…
Group 6: Internet of Things – Security & Privacy
Government
Recommendations for companies that sell
IoT products (2015):
- physical + algorithmic security
- collect no more user data than needed
- user awareness
Slide 21/25
Legislation in the European Union
• European Commission (EC)
• Single set of rules across Europe
• Data security = a fundamental right
• Basic laws in directives 95/46/EC and 2002/58/EC
•
•
•
•
•
The right of silence (for IT)
The right to be forgotten
Accountability for operators
Transparent: consent of the user before processing data
User has unlimited control over his/her data (includes location)
Group 6: Internet of Things – Security & Privacy
Government
Neelie Kroes, Vice
President of the EC
& Commissioner for
the Digital Agenda
Slide 22/25
Trust
• End-users rely on the ethical behavior of IoT service providers
• No hard mathematical guarantees unfortunately
• Government should enforce this
• Customer privacy often breached
• Facebook, Google, … passed user data to the NSA
• Bell faces $750M lawsuit over allegedly selling customer data to advertisers (2015)
Tim Cook, CEO Apple, 2015
“Our devices do not betray us”
“Our competitors are gobbling up everything they can
learn about you and trying to monetize it”.
Group 6: Internet of Things – Security & Privacy
Government
Slide 23/25
Conclusion
• Security is often an afterthought in the IoT
• Many breaches have been reported
• Not even all data is encrypted
• The IoT is already there, we now have to make it secure
Evolve towards a
healthy immune system
Enforced by technical
(cryptographic) and
legal means
Group 6: Internet of Things – Security & Privacy
Conclusion
Slide 24/25
Thanks you! Questions?
Denial-of-Service
