Security challenges for internet of things

Security challenges for Internet of things A Place Where Machines talk to Machines

Welcome!

Monika Keerthi

III B.Tech , Information Technology

Sree Vidyanikethan Engineering College

What I’m going to say

1. Internet of Things

2. State of the Art of IOT

3. Applications of IOT

4. Internet of Things security is Hard!

5. There are some challenges.

6. There are new threats.

7. There are some new technologies to play with.

8. Future of IOT

What is Internet of Things?

IOT means… A Place Where Machines talk to Machines

Internet of Things

A network of physical objects that can interact with each other to share information and take action.

The term was first proposed by Kevin Ashton in 1999.

The concept of IOT first became popular at the Auto-ID center, MIT.

IOT is also referred to as Machine to Machine (M2M) technology.

The state of the art

Some of it, enabling technologies.

Enabling Technologies

RFID: To identify and track the data of things.

Sensor: To collect and process the data to detect changes in the physical status of things.

Smart Tech: To enhance the power of the network by devolving processing capabilities to different parts of the network.

Nano Tech: To give smaller and smaller things the ability to connect and interact.

Applications of IOT

Some of them are…

Application Areas

Smart Cities

Smart Environment

Smart Energy

Smart Agriculture

E-Health

Retail

Logistics

Industrial Control

Smart Home

Smart Cars

E-Healthcare

Smart Farms

Why is IOT security difficult?

And is there anything we can do about it?

Because…

1. Wireless communication

2. Physical insecurity

3. Constrained devices

4. Potentially sensitive data

5. Lack of standards

6. Heterogeneity: weakest link problem

7. A systems, not software problem

8. Classic web / internet threats

9. Identity management & dynamism

10. Inconvenience and cost

But really… It’s because we don’t know how to do it.

Yet.

Threats to IOT systems

Adapted from "Security Considerations in the IP-based Internet of Things" - Garcia-Morchon et al.

http://tools.ietf.org/html/draft-garcia-core-security-05

Threats

The physical devices
• Can be stolen
• Can be modified
• Can be replaced
• Can be cloned

The software
• Can be modified (firmware / OS / middleware)
• Can be decompiled to extract credentials
• Can be exhausted (denial of service)

The network
• Eavesdropping
• Man-in-the-middle attacks
• Rerouting traffic
• Theft of bandwidth

The Insecurity of Things

Easy way to crack into IOT networks

• Hackers can find the system they want to attack via Shodan, a search engine for SCADA systems and connected devices.
• Then they can target the laptop of staff, via phishing emails to inject malware and take control of the machine that talks to the SCADA system.
• Use XSS (cross-site scripting): infecting a legitimate web page with malicious client-side script.
• Go to portforward.com and look up the default username and passwords.
• Possible points of entry for a hacker are through Bluetooth, a cellular network, the monitor and even music files.

Google Hacking

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

Securing the whole lifecycle

Design

Production

Bootstrapping

Monitoring

Reconfiguration and recovery

Decommission

The Webinos approach

An open source, cross device, browser based web platform for running applications on and across multiple devices

What does it give you

Open Web Application Platform

Cross Device Communication Protocols

A privacy framework

[Diagram: personal zones connected over the Internet]

PZH (Personal Zone Hub): zone gateway, 24x7 availability, inter-zone communication. Each PZH is shown with its Security Policy.

PZP (Personal Zone Proxy): simultaneously client and server.

Other labels: peer to peer; getting the most out of personal devices; multi-screen/multi-device apps; “getting gadgets talking”.

How it works: Personal zones - Interconnecting devices, apps and resources

• TLS and a device PKI
• Attribute-based access control
• Web identity and authentication
• “Personal zone” model

How it is useful

Webinos Security

Central administration and recovery

Device authentication

Identity management: OpenID and web login mechanisms used for identity

Secure communication: Mutually authenticated & encrypted communication

Privacy policies to specify data usage controls
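
The attribute-based access control and privacy-policy points above, sketched as an added example (it is not webinos code and does not use the webinos policy format): a deny-overrides evaluator with default deny. The rule format and all attribute, zone and feature names are hypothetical.

```javascript
// Added example: attribute-based access control for a personal zone.
// Attribute names, feature names and the rule format are hypothetical.
const REQUIRED = ['user.id', 'device.zone', 'device.authenticated',
                  'device.revoked', 'app.trusted', 'resource.feature'];

// Constructed policy held by the zone hub.
const ZONE_POLICY = [
  { effect: 'permit', when: { 'user.id': 'alice', 'device.zone': 'alice-zone',
                              'resource.feature': 'geolocation' } },
  { effect: 'permit', when: { 'user.id': 'bob', 'device.zone': ['alice-zone', 'bob-zone'],
                              'resource.feature': 'mediaplay' } },
  { effect: 'deny', when: { 'app.trusted': false, 'resource.feature': 'geolocation' } },
  { effect: 'deny', when: { 'device.revoked': true } },
];

// A rule applies when every listed attribute equals the expected value
// (or is one of the expected values when an array is given).
function matches(when, request) {
  return Object.entries(when).every(([attr, expected]) =>
    Array.isArray(expected) ? expected.includes(request[attr])
                            : request[attr] === expected);
}

// Deny-overrides combining with default deny.
function decide(policy, request) {
  // A request with missing attributes could silently skip a deny rule.
  const missing = REQUIRED.filter((a) => !(a in request));
  if (missing.length) return { decision: 'deny', reason: 'missing ' + missing.join(',') };
  // Attributes are only trusted once the device has proved its identity
  // (for example with its certificate during the TLS handshake).
  if (request['device.authenticated'] !== true) {
    return { decision: 'deny', reason: 'unauthenticated device' };
  }
  const applicable = policy.filter((rule) => matches(rule.when, request));
  if (applicable.some((rule) => rule.effect === 'deny')) {
    return { decision: 'deny', reason: 'explicit deny' };
  }
  return applicable.length ? { decision: 'permit', reason: 'permit rule' }
                           : { decision: 'deny', reason: 'no applicable rule' };
}

// Constructed request; override single attributes to try other cases.
function sampleRequest(overrides) {
  return Object.assign({ 'user.id': 'alice', 'device.zone': 'alice-zone',
    'device.authenticated': true, 'device.revoked': false,
    'app.trusted': true, 'resource.feature': 'geolocation' }, overrides);
}

console.log(decide(ZONE_POLICY, sampleRequest()));
console.log(decide(ZONE_POLICY, sampleRequest({ 'app.trusted': false })));
```
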

Future of IOT

Some Important Links

IEEE World Forum: http://sites.ieee.org/wf-iot/

Cisco World Forum: http://blogs.cisco.com/ioe/

http://internetofthings.electronicsforu.com

Google’s IoT Projects

Google Glass: Wearable computer

Waze: An intelligent GPS navigation and traffic management tool

Nest: Smart thermostat and smoke alarm

Open Automotive Alliance (OAA): An Android operating system for automobiles

Case study-VeraLite

• VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it.

• It doesn’t require a username and password. Anyone on the local network can access it.

• Even if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn’t have built-in support for authentication.

• If someone has a VeraLite on their home network and they are at home, they can be tricked into visiting a web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP.

• VeraLite’s UPnP functionality allows one to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system.

Case study-Stuxnet-worm

An infected USB stick is plugged into a system.

It then infects all the Windows machines. A fake digital certificate is used to avoid detection.

A check is made to see if a machine is part of the targeted industrial control system made by Siemens (high-speed centrifuges in Iran).

The worm compromises the target system's logic controllers, exploiting zero-day vulnerabilities.

The worm collects data on the operations of the targeted system.

This data is then used to take over control of the centrifuges, making them spin endlessly and fail.

At the same time it provides false information to the monitoring systems, so no one suspects anything.

My three rules for IoT security

1. Don’t be dumb: The basics of Internet security haven’t gone away

2. Think about what’s different: What are the unique challenges of your device?

3. Do be smart: Use the best practice from the Internet

Basic precautions

• Change the default password of the router. Select a password which is not easy to guess.
• Install trusted and well-known anti-virus and anti-spyware software.
• Check your router for any unknown services that are running.
• Avoid downloading strange or suspicious files.
• Update your OS and anti-virus regularly.
• Install all patches as provided by the manufacturer.
• Check security certificates in case of doubt.

Thoughts to leave you with.

Many new technologies and protocols are being developed

IOT requires systems security
