Security challenges for internet of things
Welcome!
Monika Keerthi
III B.Tech , Information Technology
Sree Vidyanikethan Engineering College
What I’m going to say
1. Internet of Things
2. State of the Art of IOT
3. Applications of IOT
4. Internet of Things security is Hard!
5. There are some challenges.
6. There are new threats.
7. There are some new technologies to play with.
8. Future of IOT
Internet of Things
A network of physical objects that can interact with each other to share information and take action.
The term was first proposed by Kevin Ashton in 1999.
The concept of IOT first became popular at the Auto-ID center, MIT.
IOT is also referred to as Machine to Machine (M2M) technology.
Enabling Technologies
• RFID: To identify and track the data of things
• Sensor: To collect and process the data to detect the changes in the physical status of things
• Smart Tech: To enhance the power of the network by devolving processing capabilities to different parts of the network
• Nano Tech: To make smaller and smaller things have the ability to connect and interact
Application Areas
• Smart Cities
• Smart Environment
• Smart Energy
• Smart Agriculture
• E-Health
• Retail
• Logistics
• Industrial Control
Because…
1. Wireless communication
2. Physical insecurity
3. Constrained devices
4. Potentially sensitive data
5. Lack of standards
6. Heterogeneity: weakest link problem
7. A systems, not software problem
8. Classic web / internet threats
9. Identity management & dynamism
10. Inconvenience and cost
Threats to IOT systems
Adapted from "Security Considerations in the IP-based Internet of Things" - Garcia-Morchon et al.
http://tools.ietf.org/html/draft-garcia-core-security-05
The physical devices
• Can be stolen
• Can be modified
• Can be replaced
• Can be cloned
The software
• Can be modified (firmware / OS / middleware)
• Can be decompiled to extract credentials
• Can be exhausted (denial of service)
The network
• Eavesdropping
• Man-in-the-middle attacks
• Rerouting traffic
• Theft of bandwidth
The Insecurity of Things
Easy way to crack into IOT networks
• Hackers can find the system they want to attack via Shodan, a search engine for SCADA systems and connected devices.
• Then they can target the laptop of staff, via phishing emails to inject malware and take control of the machine that talks to the SCADA system.
• Use XSS (cross-site scripting): infecting a legitimate web page with malicious client-side script.
• Go to portforward.com and look up the default usernames and passwords.
• Possible points of entry for a hacker are through Bluetooth, a cellular network, the monitor and even music files.
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
Securing the whole lifecycle
• Design
• Production
• Bootstrapping
• Monitoring
• Reconfiguration and recovery
• Decommission
The Webinos approach
An open source, cross-device, browser-based web platform for running applications on and across multiple devices
What does it give you
Open Web Application Platform
Cross Device Communication Protocols
A privacy framework
How it works
Personal zones - Interconnecting devices, apps and resources
• Getting the most out of personal devices
• Multi-screen/multi-device apps
• “Getting gadgets talking”
[Diagram labels: Internet; PZH (Personal Zone Hub) with Security Policy; PZP (Personal Zone Proxy); peer to peer]
Hub: Zone gateway, 24x7 avail., inter-zone comm
Personal Zone Proxy: simultaneously client and server
• TLS and a device PKI
• Attribute-based access control
• Web identity and authentication
• “Personal zone” model
Webinos Security
• Central administration and recovery
• Device authentication
• Identity management: OpenID and web login mechanisms used for identity
• Secure communication: Mutually authenticated & encrypted communication
• Privacy policies to specify data usage controls
Some Important Links
IEEE World Forum: http://sites.ieee.org/wf-iot/
Cisco World Forum: http://blogs.cisco.com/ioe/
http://internetofthings.electronicsforu.com
Google’s IoT Projects
• Google Glass: Wearable computer
• Waze: An intelligent GPS navigation and traffic management tool
• Nest: Smart thermostat and smoke alarm
• Open Automotive Alliance (OAA): An Android operating system for automobiles
Case study-VeraLite
• VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it.
• It doesn’t require a username and password. Anyone on the local network can access it.
• Even if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn’t have built-in support for authentication.
• If someone has a VeraLite on their home network and they are at home, they can be tricked into visiting a web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP.
• VeraLite’s UPnP functionality allows one to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system.
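Because UPnP has no built-in authentication, a useful first check is knowing which devices on your own network advertise it. The following is an added example, not part of the original slides: it parses SSDP announcements and reports any host that is not on an owner-maintained allowlist. The sample responses, addresses, product names and the `KNOWN_HOSTS` allowlist are constructed for illustration.

```python
"""Audit UPnP (SSDP) announcements seen on a home network against an allowlist."""
from urllib.parse import urlparse

# Constructed sample data: SSDP messages as a listener on 239.255.255.250:1900
# would receive them. Addresses and product names are made up.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    "SERVER: ExampleRouter/1.0 UPnP/1.0\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n",
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    "Location: http://192.168.1.42:49451/description.xml\r\n"
    "Server: ExampleHomeController/2.0 UPnP/1.0\r\n"
    "ST: upnp:rootdevice\r\n\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "LOCATION: http://192.168.1.20:8080/dmr.xml\r\n"
    "SERVER: ExampleTV/3.1 UPnP/1.0\r\n"
    "NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example\r\n\r\n",  # not SSDP, must be ignored
]

# Hypothetical allowlist: hosts the owner expects to speak UPnP.
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.20"}


def parse_ssdp(raw):
    """Return a dict of upper-cased headers for an SSDP reply or NOTIFY, else None."""
    lines = raw.split("\r\n")
    if not lines[0].startswith(("HTTP/1.1 200", "NOTIFY ")):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().upper()] = value.strip()
    return headers


def audit(responses, known_hosts):
    """List (host, server, device type) for UPnP endpoints not on the allowlist."""
    findings = set()
    for raw in responses:
        headers = parse_ssdp(raw)
        if headers is None or "LOCATION" not in headers:
            continue
        host = urlparse(headers["LOCATION"]).hostname or "<unparseable>"
        if host not in known_hosts:
            device_type = headers.get("ST") or headers.get("NT", "?")
            findings.add((host, headers.get("SERVER", "?"), device_type))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, KNOWN_HOSTS):
        print("Unexpected UPnP endpoint:", *finding)
```

Every host reported here is a control surface reachable by anything on the local network, so each one should either be added to the allowlist deliberately or have UPnP disabled.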
Case study-Stuxnet-worm
An infected USB stick is plugged into a system.
It then infects all the Windows machines. A fake digital certificate is used to avoid detection.
A check is made to see if a machine is part of the targeted industrial control system made by Siemens (high-speed centrifuges in Iran).
The worm compromises the target system's logic controllers, exploiting zero-day vulnerabilities.
The worm collects data on the operations of the targeted system.
This data is then used to take over control of the centrifuges, making them spin endlessly and fail.
At the same time it provides false information to the monitoring systems, so no one suspects something.
My three rules for IoT security
1. Don’t be dumb: The basics of Internet security haven’t gone away
2. Think about what’s different: What are the unique challenges of your device?
3. Do be smart: Use the best practice from the Internet
Basic precautions
• Change the default password of the router. Select a password which is not easy to guess.
• Install trusted and well-known anti-virus and anti-spyware software.
• Check your router for any unknown services that are running.
• Avoid downloading strange or suspicious files.
• Update your OS and anti-virus regularly.
• Install all patches as provided by the manufacturer.
• Check security certificates in case of doubt.
Thoughts to leave you with.
Many new technologies and protocols are being developed
IOT requires systems security
References
1. Rodrigo Roman, Jianying Zhou, Javier Lopez: "On the features and challenges of security and privacy in distributed internet of things". Institute for Infocomm Research, in Elsevier journal, Singapore, 2013.
2. Chakib Bekera: "Security and challenges for IOT". Center for development and technologies, in Elsevier journal, Baba Hassen, Alger, Algeria, 2014.
3. Antonio Marcos Alberti, Dhananjay Singh: "Internet of things: perspectives, challenges and opportunities". Instituto Nacional de Telecomunicacoes, Minas Gerais, Brazil; Department of Electronics Engineering, South Korea.
4. Hui Suo, Jiafu Wan, Caifeng Zou, Jianqi Liu: "Security in the Internet of things". Guangzhou, China.
5. Kevin Ashton: "That 'Internet of Things' Thing". In: RFID Journal, 22 July 2009. Retrieved 8 April 2011.
6. Tobias Heer, Oscar Garcia-Morchon, Rene Hummen, Sye Loong Keoh, Sandeep S. Kumar and Klaus Wehrle: "Security challenges in the IP based Internet of things". In Springer journal, Netherlands.
7. Cisco: Over 50 billions of devices connected to Internet. http://blogs.cisco.com/news/the-internet-of-things-infographic/