
SECURING THE INTERNET OF THINGS


Presentation Transcript


  1. SECURING THE INTERNET OF THINGS Presented by – Aditya Nalge

  2. About the paper Authors – Rodrigo Roman, Pablo Najera, and Javier Lopez (NICS Lab). Publications – https://www.nics.uma.es/publications

  3. FORETHOUGHT In the Internet of Things vision, every physical object has a virtual component that can produce and consume services. Such extreme interconnection will bring unprecedented convenience and economy, but it will also require novel approaches to ensure its safe and ethical use.

  4. What is the “Internet of Things”? The Internet of Things is the inter-networking of physical devices embedded with software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.

  5. In the Internet of Things (IoT):
  • Everything real becomes virtual.
  • Each person and thing has a locatable, addressable, and readable counterpart on the Internet.
  • These virtual entities can produce and consume services and collaborate toward a common goal.

  6. Examples

  7. HOW DOES I(o)T WORK?

  8. 1) Sensors and sensor technology; 2) IoT gateways; 3) Cloud/server infrastructure and Big Data; 4) End-user mobile apps.

  9. Track his location based on the GPS position of his car/phone. Infer the end of his office hours from past analytics. Recall the heater’s performance from historic data. Read the current temperature of the smart heater. Start the heater at an optimal time.

  10. The IoT is a daunting task for security. What protection measures are possible as billions of intelligent things cooperate with other real and virtual entities in random and unpredictable ways?

  11. Malicious entities can exploit weak links such as:
  - The highly distributed nature of the IoT
  - The use of fragile technologies
  - Limited-function embedded devices in public areas
  • Easily accessible objects in unprotected zones, such as city streets, are vulnerable to physical harm.
  • As with botnets, compromised objects could try to hinder services from the inside.
  • Additional threats include a domino effect between intertwined services, and user profiling through data collection and other methods.

  12. To avoid these threats:
  • The IoT must have strong security foundations built on a holistic view of security for all IoT elements at all stages.
  • From the identification of objects to the provisioning of services, from the acquisition of data to the governance of the whole infrastructure.
  • All security mechanisms must consider each object’s lifecycle and services from the very beginning of that object’s existence.

  13. Protocol and Network Security

  14. Heterogeneity greatly affects the protection of the network infrastructure.
  • Highly constrained devices that use low-bandwidth standards must open a secure communication channel with more powerful devices.
  • For example, sensor nodes scattered in a smart city communicate with smartphones or PDAs.
  • Although it is not clear how many resources will be available to such constrained devices once the IoT truly takes off, it is safe to optimize security as much as possible to improve the provision of future services.

  15. Securing this channel requires:
  • Optimal cryptographic algorithms
  • Adequate key management systems
  • Security protocols

  16. Bottom-Up Approach
  • In this approach, cryptography is the bricks and the mortar is the key-management infrastructure that establishes keying material.
  • Although it is possible to implement existing standards, such as AES, some IoT devices, such as passive radio-frequency identification (RFID) tags, might be extremely constrained.
  • Cryptographic mechanisms must be smaller and faster but with little or no reduction in security level.
  • Mechanisms could include symmetric algorithms, hash functions, and random number generators.
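The secure channel that slides 14 to 16 call for, as an added example that is not from the paper or the slides: a constrained sensor node authenticates its readings to a gateway using only a pre-shared symmetric key, a hash function (HMAC-SHA-256) and a random nonce, with a counter so replayed frames are rejected. The frame layout, node name and function names are invented for the demonstration.

```python
# Added example, not from the paper or the slides: HMAC-based authenticated frames
# between a constrained sensor node and a gateway, built only from a pre-shared
# key, a hash function and a random nonce. Names and frame layout are invented.
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 8  # truncated tag: a common bandwidth trade-off on constrained links

def derive_session_key(psk: bytes, node_id: bytes, nonce: bytes) -> bytes:
    # One-step HMAC KDF binding the session key to node id and nonce, so a
    # leaked session key does not expose the long-term pre-shared key.
    return hmac.new(psk, b"session" + node_id + nonce, hashlib.sha256).digest()

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    # Frame layout: counter (4 bytes, big-endian) || payload || truncated tag.
    body = struct.pack(">I", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Gateway:
    """Gateway side: verifies the tag, then enforces a strictly increasing counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def open(self, frame: bytes):
        if len(frame) < 4 + TAG_LEN:
            return None                       # too short to be a valid frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None                       # replayed or reordered frame
        self.last_counter = counter
        return body[4:]

def demo():
    psk = bytes.fromhex("0f" * 16)            # constructed PSK for the demo
    node_id, nonce = b"sensor-17", secrets.token_bytes(8)
    key = derive_session_key(psk, node_id, nonce)   # computed by both sides
    gw = Gateway(key)
    f1, f2 = seal(key, 1, b"temp=21.5"), seal(key, 2, b"temp=21.7")
    tampered = bytearray(f2)
    tampered[6] ^= 0x01                       # flip one payload bit
    return [gw.open(f1), gw.open(f2), gw.open(f1), gw.open(bytes(tampered))]
```

Running demo() accepts the two genuine frames and rejects both the replay of the first frame and the tampered copy of the second.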

  17. Data and Privacy

  18. Why is privacy the main concern?
  • The explosion in data availability has created Big Brother-like entities that profile and track users without their consent.
  • The IoT’s anywhere, anything, anytime nature could easily turn such practices into a dystopia.
  • A dystopia is a community or society that is undesirable or frightening.

  19. Privacy by design – One viable solution is privacy by design, in which users would have the tools they need to manage their own data.
  • Transparency – Essential, since users should know which entities are managing their data and how and when those entities are using it.
  • Data management – A huge issue is deciding who manages the secrets. Technically, cryptographic mechanisms and protocols protect data throughout the service’s life cycle, but some entities might lack the resources to manage such mechanisms. In other words, one data management policy will not fit all situations.

  20. Identity Management

  21. Identity management requires considering a staggering variety of identity and relationship types.
  • An object’s identity is not the same as the identity of its underlying mechanisms. The x-ray machine in the radiology department might have an IP address, but it should also have its own identity to distinguish it from other machines.
  • An object can have one core identity and several temporary identities. A hospital can become a meeting place for a health conference or a shelter after a fire.
  • An object can identify itself using its identity or its specific features. A virtual food identifies itself by its ingredients and quantity.
  • Objects know the identity of their owners. The device that controls a user’s glucose level should know how that information fits in that user’s overall health.

  22. Fault Tolerance

  23. Achieving fault tolerance in the IoT will require three cooperative efforts.
  • The first is to make all objects secure by default.
  • The second effort is to give all IoT objects the ability to know the state of the network and its services.
  • Finally, objects should be able to defend themselves against network failures and attacks.

  24. Case Studies
  • Manipulation of Connected Cars
  • The Dangers of the Smart Grid

  25. 1. Manipulation of Connected Cars Security experts Chris Valasek and Charlie Miller grabbed headlines with their research on the vulnerability of connected cars. Like many thousands of Jeeps around the world, the test vehicle could be remotely hacked over the Internet through the cellular connection of its Internet-connected head unit, allowing someone to take over its steering, its transmission and even its brakes.

  26. They say hundreds of thousands of Chrysler vehicles may be vulnerable through a feature called Uconnect.
  • Uconnect is an Internet-connected computer in the dashboard known as the head unit.
  • These cars’ head units exposed services they probably didn’t intend to.
  • It lets you do things like query it for information such as the GPS position, but it also lets you run commands.
  • You have to break into the car remotely over the cell network, and then you can send CAN messages which can be used to control things like steering, windshield wipers and braking.

  27. How did they do it? Sitting on a leather couch in Miller’s living room, the two researchers scan the Internet for victims. Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Android phone connected to his MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth. A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas.

  28. In 2013 they demonstrated a wired attack; the wireless attack followed in 2015.
  • They turned the fans and AC on.
  • Displayed a picture.
  • Turned up the music way too loud.
  • Activated the windshield wipers and wiper fluid.
  • Killed the engine.
  • Below a certain speed they can control the steering, as long as the car’s in reverse.
  • And they can “disable the brakes”!

  29. Did Chrysler fix it?
  • They alerted Chrysler, which issued a security patch.
  • But they say a lot more needs to be done to protect the new generation of cars, which are increasingly connected to the Internet and potentially hackable.
  • Miller cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.)
  • The result is that the companies have an incentive to add Internet-enabled features—but not to secure them from digital attacks. “They’re getting worse faster than they’re getting better,” he says. “If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it.”

  30. 2. The Dangers of the Smart Grid In 2010, a researcher, Justin W. Clarke, found an SSL vulnerability in Siemens’ RuggedCom network equipment. In 2012, the Department of Homeland Security investigated a flaw in the devices of RuggedCom, a provider of hardened grid equipment and routers. By decrypting the traffic between an end user and the RuggedCom device, an attacker could launch attacks to compromise the energy grid. The security hole could reportedly be exploited by hackers to compromise the networks of critical infrastructure such as power plants.

  31. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that: “The RSA Private PKI key for SSL communication between a client/user and a RuggedCom switch can be identified in the ROS (Rugged Operating System). An attacker may use the key to create malicious communication to a RuggedCom network device.”

  32. Flaw presented to delegates at a research conference in Los Angeles

  33. What had happened? Siemens used a single SSL key to decode all traffic encrypted across its network. “If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you.” Once a hacker has identified the private key, it is possible to eavesdrop on all communications. It would enable a hacker to remotely administer industrial control systems (ICS) as well as supervisory control and data acquisition (SCADA) systems, which manipulate machinery in industrial settings. These include functions such as flipping switches or operating pumps and valves.
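The root cause in slides 31 and 33 is a private key embedded in the device firmware and shared by every unit. One check a vendor or operator can run over their own firmware images, as an added example that is not from the paper, the slides or RuggedCom, is to scan each image for embedded PEM private-key blocks and flag any key material that appears in more than one image. The image names and the key blob below are constructed placeholders, not real keys or products.

```python
# Added example, not from the paper or the slides: audit firmware images for
# embedded PEM private keys and flag key material shared across several images.
import base64
import hashlib
import re

# Matches any "-----BEGIN ... PRIVATE KEY-----" block up to its matching END line.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S)

def find_private_keys(image: bytes):
    """Return (offset, kind, sha256 fingerprint) for each PEM private key found."""
    hits = []
    for m in PEM_RE.finditer(image):
        body = b"".join(m.group(2).split())           # drop PEM line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue                                   # header without a real body
        hits.append((m.start(), m.group(1).decode(), hashlib.sha256(der).hexdigest()))
    return hits

def shared_keys(images: dict):
    """Map fingerprint -> sorted image names for keys present in more than one image."""
    seen = {}
    for name, image in images.items():
        for _, _, fp in find_private_keys(image):
            seen.setdefault(fp, set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

# Constructed sample images: two different product models ship the same key
# blob; the key body is placeholder base64, not real key material.
_KEY_BODY = base64.b64encode(b"constructed placeholder key material " * 3)
_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + _KEY_BODY
        + b"\n-----END RSA PRIVATE KEY-----\n")
IMAGES = {
    "switch-model-a.bin": b"\x7fELF" + b"\x00" * 64 + _PEM + b"\xff" * 32,
    "switch-model-b.bin": b"\x7fELF" + b"\x00" * 128 + _PEM,
    "switch-model-c.bin": b"\x7fELF" + b"\x00" * 64,   # no embedded key
}

if __name__ == "__main__":
    for name, image in IMAGES.items():
        print(name, find_private_keys(image))
    print("shared across images:", shared_keys(IMAGES))
```

A hit on its own already warrants a fix (keys belong in per-device secure storage, not in the image); a fingerprint shared by several images means one recovered key exposes the whole product line, which is exactly the failure mode of the case study.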

  34. Possible Severe Consequences What was even more alarming was that RuggedCom’s routers were deployed extensively worldwide for mission-critical networks using ICS and SCADA (supervisory control and data acquisition) equipment. They were used by electric substations, railroad switches, the US Navy, Chevron and other authorities such as the Department of Transportation, opening up countless avenues of attack for hackers wishing to target such services.

  35. How did Siemens fix it? Siemens released critical security patches for the firmware in its RuggedCom WIN (Wireless Information Network) products, which are used as broadband wireless base stations in industrial environments. RuggedCom WIN products were compliant with the IEEE 802.16e wireless communications standard, also known as WiMAX. The updates fixed three vulnerabilities, two of which had the maximum severity score in the Common Vulnerability Scoring System (CVSS) and could allow attackers to perform administrative functions or to execute arbitrary code on the affected systems without authentication.

  36. Cryptographic Solution for the Internet of Things

  37. IoTAS (Internet of Things Advanced Security) is a purpose-built advanced security solution for IoT developers, enabling them to encrypt and compress all IoT data in transit and at rest.
  • Simple to deploy. Designed with IoT developers in mind, with simple replacement of insufficient open source tools such as SSL/TLS or AES.
  • Get to market faster. Today’s IoT market is a race. IoTAS is turnkey, so you don’t waste time getting it to work. More time in market, happier product teams and customers.
  • Take the risk out of IoT. Stop piecing together separate security tools for data in motion and data at rest that can leave you exposed. IoTAS provides complete protection of your data in all states to reduce your risk.
  • Purpose-built for IoT. Small footprint. Low resource requirements. Provides complete data and device integrity. Designed for the trusted endpoints of IoT.

  38. How is IoTAS Different from SSL/TLS or AES Encryption Tools?
  • IoTAS features a high-speed, state-of-the-art stream cipher and an efficient cryptographic key-to-hash function.
  • This allows it to outperform virtually any block-based cipher suite in terms of cipher speed and CPU performance.
  • IoTAS encryption technology offers unique “vault-less” technology for data at rest to ease the burden of key management.
  • With IoTAS encryption, the public key is stored in the header of the file that is secured, while the private key resides on the device. No key vault to manage or lose.

  39. Summary
  • The IoT is already more than a concept.
  • By complying with security requirements, it can fully bloom into a paradigm that will improve many aspects of daily life.
  • Open problems remain in many areas, such as cryptographic mechanisms, network protocols, data and identity management, user privacy, self-management, and trusted architectures.
  • Future research must also carefully consider the balance of governance and legal frameworks with innovation.
  • Governance can sometimes hinder innovation, but innovation in turn can inadvertently ignore human rights.

  40. The right balance between Governance and Innovation will ensure stable progress toward realizing and securing the IoT as envisioned, and the benefits to humanity will be well worth the effort.

  41. Thank You

  42. References
  • https://www.embitel.com/blog/ecommerce-blog/how-iot-works-an-overview-of-the-technology-architecture-2
  • http://skycase-iot.com/platform-for-internet-of-things-working
  • https://www.youtube.com/watch?v=MK0SrxBC1xs
  • http://www.techspot.com/news/49893-homeland-security-probes-ssl-flaw-in-ruggedcom-gear-securing-critical-infrastructure.html
  • https://safenet.gemalto.com/data-protection/securing-internet-of-things-iot/
  • http://www.pcworld.com/article/2880492/siemens-patches-critical-flaws-in-industrial-wireless-gear.html
  • https://www.centritechnology.com/overview/
