iot mashup - security for internet connected devices - lyle
DESCRIPTION
TRANSCRIPT
Security for Internet-connected devicesJohn Lyle, University of Oxford
Welcome!
John Lyle
Research Assistant at the University of Oxford
Member of the webinos project
Email: [email protected]
Twitter: @jplyle
What I’m going to say
1. Internet of Things security is hard!
2. There are some good reasons for this.
3. There are new (ish) threats.
4. There are some new technologies to play with.
The Insecurity of Things
What I’m not going to say
1. Security is really important.
2. This is how to exploit [ insert popular technology product ]
3. I have the following silver bullets…
4. Anything about privacy
Why is IOT security difficult?And is there anything we can do about it?
Because…
1. Wireless communication
2. Physical insecurity
3. Constrained devices
4. Potentially sensitive data
5. Lack of standards
6. Heterogeneity: weakest link problem
7. A systems, not software problem
8. Classic web / internet threats
9. Identity management & dynamism
10. Inconvenience and cost
But really…It’s because we don’t know how to
do it.
Yet.
Threats to IOT systemsAdapted from "Security Considerations in the IP-based Internet of Things“ - Garcia-Morchon et al.
http://tools.ietf.org/html/draft-garcia-core-security-05
The physical devices
Can be stolen
Can be modified
Can be replaced
Can be cloned
The software
Can be modified (firmware / OS / middleware)
Can be decompiled to extract credentials
Can be exhausted (denial of service)
The network
Eavesdropping
Man-in-the-middle attacks
Rerouting traffic
Theft of bandwidth
Securing the wholelifecycle
Design
Production
Bootstrapping
Monitoring
Reconfiguration and recovery
Decommission
Who are the attackers?And what do they want?
We don’t know, but…
Make assumptions to make progress
Use Attacker Personas for consistency
Realistic attacker models
Organised crime?
Curious end users? Modders?
Service providers?
The state of the artSome of it, at least.
The webinos approach
TLS and a device PKI
Attribute-based access control
Web identity and authentication
“Personal zone” model
Protocols and identifiers for constrained devices
CoAP: The Constrained Application Protocol
DTLS: Datagram Transport Layer Security
IPsec
Sizzle – SSL with Elliptic Curve Cryptography[1]
HIPS: Host Identity Protocol
HIPS-DEX
ucode
[1] Gupta, V.; Millard, M.; Fung, S.; Zhu, Yu; Gura, N.; Eberle, H.; Shantz, S.C."Sizzle: a standards-based end-to-end security architecture for the embedded Internet," Third IEEE International Conference on Pervasive Computing and Communications. pp.247,256, 8-12 March 2005
Thoughts to leave you with.
Many new technologies and protocols are being developed
IOT requires systems security
Share your results!
Any questions?
John Lyle / [email protected]