a bunch of problems no
play

A bunch of problems, no solutions Wade Trappe WHAT DO YOU THINK OF - PowerPoint PPT Presentation

Jul 14, 2023 •101 likes •388 views

IoT Security Challenges: A bunch of problems, no solutions Wade Trappe WHAT DO YOU THINK OF WHEN YOU HEAR INTERNET OF THINGS ? WINLAB Fitbit WINLAB Zeo sleep manager WINLAB Smart home Nest, WallyHome, Dropcam, Ivee, Rachio

  1. IoT Security Challenges: A bunch of problems, no solutions… Wade Trappe

  2. WHAT DO YOU THINK OF WHEN YOU HEAR “ INTERNET OF THINGS ” ? WINLAB

  3. Fitbit WINLAB

  4. Zeo – sleep manager WINLAB

  5. Smart home – Nest, WallyHome, Dropcam, Ivee, Rachio WINLAB

  6. UAV WINLAB

  7. Smartphone, laptop, tablet WINLAB

  8. Low- end devices: RFID tags, small sensors … WINLAB

  9. Smart vehicle & Self-driving cars WINLAB

  10. The IoT is really about “ DATA ”  SMART is about the DATA and closing the loop!!! Needs… + We need security to protect the loop! WINLAB

  11. IoT Architecture  Context-ware Middleware IoT Middleware Context World Search Model Application Plane Solver Computational Plane Devices Apps Aggregator Edge Router/ Network Plane Gateway Physical Plane Info. Future Internet Infrastructure WINLAB

  12. IoT Architecture  Four-plane Context – Physical (Device) Plane  Context determined by devices physical attribute such as:  Device Name, Device Type, Device Value, Device Location , etc. – Networking Plane  Context determined by the network attribute such as: Network Service Type (Stream, Linked-data), Bandwidth,  Connectivity, etc. – Computational/Middleware Plane  Filtering, processing, grouping, presentation, etc.  Lives to serve the Application Plane – Application Plane  Context determined by attributes mentioned above and application requirement such as : “Find the nearest cap”, “Find all the WINLAB rooms with temperature above 25 ° C”’ WINLAB

  13. BEING EVIL IS GOOD LET US LOOK AT SECURITY WINLAB

  14. It is important to examine the security problem according to the information flows and potential adversarial points of control Adversary acts as a false Adversary attacks application attempting communication conduit to access information between server and not intended for it applications Subscribing Publishing IoT Server Publishing IoT IoT Applications Publishing Gateway Internet API IoT Smart Homes Routers Gateway API IoT Smart Healthcare Sensors Gateway API Smart Grid Sensors Adversary alters Sensors a sensor to report Adversary creates a spoofing false readings sensor to the system Adversary monitors sensor readings to track customer usage WINLAB

  15. Can ’ t we just call TLS and go home? HTTP FTP SMTP S/MIME PGP SET HTTP FTP SMTP SSL/TLS Kerberos SMTP HTTP TCP TCP UDP TCP IP/IPSEC IP IP At the Network Level At the Transport Level At the Application Level  Unfortunately no… – Many devices won ’ t have the resources needed to support cryptographic mechanisms (I ’ m sorry, you want an X.509 what?)  We ’ re not too worried about securing your well-resourced Tablet, etc! – Many communication flows will be one-directional (how can you complete TLS Handshake without a hand to shake?) – Many of the attacks exist “ outside ” the network (Here is an encrypted 10000 degree Kelvin reading…)  Perhaps you can use IPSEC/TLS between the gateway and the server, but what about the sensor to the gateway? WINLAB

  16. More IoT Security Challenges  New security challenges brought by IoT – Extending the virtual network to the real world brings many legal and security/privacy issues.  Ubiquitous devices monitor everything causing privacy concerns.  Data is everywhere, acting upon that data is dangerous since you don’t know its source! – Highly distributed nature:  It is difficult to manage the large number of distributed devices.  Sensors and devices may be distributed in public areas unprotected, thus are vulnerable to physical attacks. – Limited-function embedded devices  Constraints: power, computation capability, storage etc.  Most of the communications are wireless, which makes attacks (e.g. eavesdropping, jamming) simple.  Some types of devices (e.g. passive RFID tags) are unable to provide authentication or data integrity. WINLAB [21]

  17. There is a low- end to the IoT… it will be hard to secure!  Let’s compare a Samsung S5  With a low-end IoT Tag – 2.5GHz quadcore processor – 16-bit processor – 2 GB of RAM – Running at 6MHz – 128GB SD card – 512 bytes storage – 38kJ battery that is recharged – 16KB flash for program daily – Must run for about 10000 – Can run 10 hours of web hours on a coin cell battery with less than 1/15 th the browsing before being recharged energy of the phone Take-away: Don ’ t worry about (some aspects) the high- end of the IoT… WINLAB

  18. But I don ’ t believe you, what about the Green Whatever movement… pg 1.  Let’s take a minute and talk energy, technology advancement and the green movement… – Our devices have limitations… – Much better batteries are not coming  (Aka, bond energy is not a Moore’s Law phenomena!) – Energy harvesting is being touted as a solution to our energy problems… but how much can they really harvest? – Lightweight crypto is either questionable or not light enough…  Next few slides, I’ll attempt to make the case… Take-away: Please don ’ t believe the hype… WINLAB

  19. There ’ s plenty of energy and computing available… not true!  Lifecycle of a typical IoT device – Sense and read data from memory – Frame data into a packet – Move packet from processor to radio – Power up radio – Stabilize and calibrate radio to meet frequency regulations – Transmit! TI MSP430 16-bit microcontroller, CC1150  Radio – The MSP430 requires 1mA to operate – The radio requires 23mA to broadcast at 6dBm – Example: 14byte packet at 250kbps requires 448 m sec, requires 32.3 m J – Coin cell battery has about 2-3 kJ of stored energy – Lightweight TLS needs 16M operations Allows only about 20000 operations to perform non-essential (security) operations WINLAB

  20. Green Batteries? Not going to happen… this ain ’ t your typical Moore ’ s Law phenomena, pg 3.  Batteries are a mature technology with centuries of engineering behind them.  Over past several decades, improvement at about 7% per year  There are only a limited number of elements in the periodic table and their potentials have long been known  We are already using some of the highest energy density materials available WINLAB

  21. Green Harvesting? Maybe in an ideal world, but the world is not ideal!, pg 4.  Harvest energy from the environment – manmade or natural  RF energy harvesting (e.g. passive RFID) – Tag collects the energy, converts it to DC to power microprocessor and RF – Fundamental constraint: radio energy decreases in density by 1 – Example: 4Watts of power emitted by a basestation can support distances of 2 r 3 3meters for an IoT tag in a environment 1 r /  100W gives 10 meters… far in excess of safe and legal exposure!  Photovoltaics – At high noon on a clear (summer) day, 100 mW/cm2 provided by the sun – Photovoltaic cells have an efficiency of (roughly) 1% to 25% – Practical limitations: shadows, clouds, nighttime, dust accumulation, etc… – Example: NYC average solar energy in winter is 12 mW/cm2 for a cell aimed at sun – Reality check: IoT devices will experience shadows, will not be kept clean, will have rechargeable battery leakage, etc… WINLAB

  22. OK, no Green Panacea… so where can we secure the IoT? Three Plane Approach IoT Middleware Security Things IoT Middleware Applications Device-level Future Internet Security Network Security We can introduce security here… and here… and here… WINLAB

  23. Three Planes for Security  Device-level: – To prevent data modification (while it is stored in the device), memory is protected in most RFID tags, such as EPCglobal Class-1 Generation-2 and ISO/IEC 18000 – 3 tags – Lightweight cryptography between devices and the aggregator:  CLEFIA (ISO/IEC 29192) is a 128-bit blockcipher or SIMON/SPECK: NSA recent recommendation for lightweight crypto  Caveat Emptor!!! – Reuse functionality and other information for security (anomaly detection) purposes: Physical layer, traffic statistics, etc. Network:  New forms of security can exist outside of the – Between gateways and servers, utilize conventional network security protocols (TLS!) crypto!!! This is Forensics! – Future Internet semantic/content-centric networking can provide privacy – In-network caching can ride out DoS. Middleware, or “the data computation layer”:  – Analyze the data you get, look for outliers and suspicious data, send warnings! For the sake of the discussion, I won’t worry about where you put these modes…  some will be at device to gateway, some will be in the backend cloud WINLAB

  24. Hard problem, case study: Thwarting an Indiana Jones Attack… still research to be done!  So lets put it together in a story/case-study  Call it the “Indiana Jones Attack!” BACK-END NETWORK ` BASE-STATION TAGGED ASSETS WINLAB

  25. Thwarting an Indiana Jones Attack: Mobility Detection Using Active IOT Tags Localization turned out to be hard, but detecting movement was not! 8.00 7.00 Tag 3B Mobile 6.00 Mobility Score 5.00 Tag 8e Mobile 4.00 3.00 Threshold 2.00 1.00 Tag 77 Stationary 0.00 0 20 40 60 80 100 120 140 160 Seconds WINLAB

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

End - to-end simulation of Bunch merge Yu Bao UC

End - to-end simulation of Bunch merge Yu Bao UC

End - to-end simulation of Bunch merge Yu Bao UC Riverside MAP Collaboration meeting Dec. 4, 2014 1 overview October,2013: Longitudinal merge

190 views • 15 slides
Longitudinal Single Bunch Instability by Coherent Synchrotron Radiation T. Agoh (KEK)

Longitudinal Single Bunch Instability by Coherent Synchrotron Radiation T. Agoh (KEK)

Longitudinal Single Bunch Instability by Coherent Synchrotron Radiation T. Agoh (KEK) Motivation Short bunch length for a high luminosity Topics 1. Introduction 2. CSR in KEKB and SuperKEKB 3. Longitudinal Instability in SuperKEKB LER 4.

702 views • 14 slides
Bunch Length Measurements at SPEAR3 Jeff Corbett for the SPEAR3 Accelerator Group Outline 1.

Bunch Length Measurements at SPEAR3 Jeff Corbett for the SPEAR3 Accelerator Group Outline 1.

Bunch Length Measurements at SPEAR3 Jeff Corbett for the SPEAR3 Accelerator Group Outline 1. SLAC, LCLS, SPEAR3 and short bunch operation (low- ) 2. Streak camera measurements 3. Cross-correlation measurements 4. Summary Second DITANET

329 views • 29 slides
80 bunch scheme in the LHC R. Tom as and X. Buffat Thanks to F. Antoniou, G. Arduini, H.

80 bunch scheme in the LHC R. Tom as and X. Buffat Thanks to F. Antoniou, G. Arduini, H.

80 bunch scheme in the LHC R. Tom as and X. Buffat Thanks to F. Antoniou, G. Arduini, H. Bartosik, O. Br uning, H. Damerau, S. Gilardoni, M. Giovannozzi, B. Goddard, V. Kain, R. de Maria, Y. Papaphilippou, G. Papotti, T. Pieloni, G.

290 views • 14 slides
MODERN WEB APPLICATION DEVELOPMENT WORKFLOW FIRST, LETS LOOK AT THE PAST THROW A BUNCH OF

MODERN WEB APPLICATION DEVELOPMENT WORKFLOW FIRST, LETS LOOK AT THE PAST THROW A BUNCH OF

MODERN WEB APPLICATION DEVELOPMENT WORKFLOW FIRST, LETS LOOK AT THE PAST THROW A BUNCH OF HTML FILES THROW A BUNCH OF HTML FILES ADD A COUPLE OF CSS FILES THROW A BUNCH OF HTML FILES ADD A COUPLE OF CSS FILES PUT SOME JAVASCRIPT IN ALL THIS

1.97k views • 147 slides
1 Loss Classes Loss Classes Irregular (uncontrolled, fast) losses : Regular (controlled, slow)

1 Loss Classes Loss Classes Irregular (uncontrolled, fast) losses : Regular (controlled, slow)

1 f Discussing Wire = 0 C / bunch [ ] T C dE dx n Beam Loss Monitors Scanner heat load: h bunch 2 v c p v By Kay Wittenburg, 3. Wire heat load Deutsches Elektronen Synchrotron DESY,

556 views • 10 slides
It's just a %$#@ing BOOK!!! A bunch of ancient myths! You believe in fairy tales,

It's just a %$#@ing BOOK!!! A bunch of ancient myths! You believe in fairy tales,

It's just a %$#@ing BOOK!!! A bunch of ancient myths! You believe in fairy tales, huh? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a

1.21k views • 107 slides
Job searching today How to conduct a job search during COVID without throwing a bunch ff

Job searching today How to conduct a job search during COVID without throwing a bunch ff

Job searching today How to conduct a job search during COVID without throwing a bunch ff at the wall to of sh. sh... st stuff see what sticks. Tom Brouchoud Looking for answers? Me too. A resume should: Be relevant to the job you

419 views • 9 slides
Implementing AES on a Bunch of Processors ECRYPT AES Day Bruges, Belgium Tim Gneysu

Implementing AES on a Bunch of Processors ECRYPT AES Day Bruges, Belgium Tim Gneysu

Implementing AES on a Bunch of Processors ECRYPT AES Day Bruges, Belgium Tim Gneysu Hardware Security Group 10/23/2012 Horst Grtz Institute for IT-Security Outline Introduction Processor Platforms Tricks, Tweaks and Codes

674 views • 32 slides
Bunch compression at the SPring-8 linac for successive generation of THz pulse train in the

Bunch compression at the SPring-8 linac for successive generation of THz pulse train in the

Bunch compression at the SPring-8 linac for successive generation of THz pulse train in the isochronous ring T. Asaka, H. Hanaki, Y. Shoji, H. Dewa, T. Kobayashi, T. Matsubara, A. Mizuno, T. Taniuchi, Y. Hisaoka, S. Suzuki, H. Tomizawa,

439 views • 23 slides
A snapshot, a stream, and a bunch of deltas Applying Lambda Architectures in a

A snapshot, a stream, and a bunch of deltas Applying Lambda Architectures in a

A snapshot, a stream, and a bunch of deltas Applying Lambda Architectures in a post-Microservice World Q-Con London March 6th 2018 Ade Trenaman, SVP Engineering, Raconteur, HBC Tech t: @adrian_trenaman http://tech.hbc.com t: @hbcdigital

845 views • 48 slides
The Bunch Arrival Time Monitor (BAM) at PSI PSI, PSI, June 10, 2013 PSI, June 10, 2013 PSI,

The Bunch Arrival Time Monitor (BAM) at PSI PSI, PSI, June 10, 2013 PSI, June 10, 2013 PSI,

Wir schaffen Wissen heute fr morgen Paul Scherrer Institut Vladimir Arsov, M. Dehler, S. Hunziker, M. Kaiser, V. Schlott The Bunch Arrival Time Monitor (BAM) at PSI PSI, PSI, June 10, 2013 PSI, June 10, 2013 PSI, Overview

506 views • 21 slides
Scholars at work Adscholars is a digital 360 company based out of UAE, INDIA. We are a bunch of

Scholars at work Adscholars is a digital 360 company based out of UAE, INDIA. We are a bunch of

1 Scholars at work Adscholars is a digital 360 company based out of UAE, INDIA. We are a bunch of digital enthusiasts with varied skills in advertising and marketing that help our clients grow their business by adapting to the constantly shifting

338 views • 14 slides
Principles of Everything is an object Computer Science II Program is a bunch of objects

Principles of Everything is an object Computer Science II Program is a bunch of objects

Object-Oriented Programming Principles of Everything is an object Computer Science II Program is a bunch of objects Tell each other what to do by sending messages (calling methods) Each object has its own memory made up of other

319 views • 4 slides
A COMPARISON OF DIFFERENT TREATMENT TO REMOVE RESIDUAL OIL IN OIL PALM EMPTY FRUIT BUNCH (OPEFB)

A COMPARISON OF DIFFERENT TREATMENT TO REMOVE RESIDUAL OIL IN OIL PALM EMPTY FRUIT BUNCH (OPEFB)

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS A COMPARISON OF DIFFERENT TREATMENT TO REMOVE RESIDUAL OIL IN OIL PALM EMPTY FRUIT BUNCH (OPEFB) FOR MDF PERFORMANCES M.A Norul Izani 1 *, M.T. Paridah 1 , M.Y. Mohd Nor 2 and U.M.K, Anwar 1,2

252 views • 4 slides
Low-level RF fine Tuning for two-bunch Operation at SwissFEL LLRF2019 Workshop, Chicago, USA

Low-level RF fine Tuning for two-bunch Operation at SwissFEL LLRF2019 Workshop, Chicago, USA

WIR SCHAFFEN WISSEN HEUTE FR MORGEN Roger Kalt & Zheqiao Geng ( on behalf of the SwissFEL RF team ) :: Paul Scherrer Institut Low-level RF fine Tuning for two-bunch Operation at SwissFEL LLRF2019 Workshop, Chicago, USA September 29

470 views • 29 slides
Voice for the Voiceless Cameron Purdy @cpurdy Software Developer 1989: Tiananmen When I

Voice for the Voiceless Cameron Purdy @cpurdy Software Developer 1989: Tiananmen When I

Voice for the Voiceless Cameron Purdy @cpurdy Software Developer 1989: Tiananmen When I started grade school and opened my text book, the first page Before Internet (BI) had the following sentence: I love Tiananmen in Beijing. [..] If

659 views • 39 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
The past, present, and future of artificial life Article review MSIIS 2014 Krisztin Kos

The past, present, and future of artificial life Article review MSIIS 2014 Krisztin Kos

Wendy Aguilar, Guillermo Santamara-Bonfil, Tom Froese and Carlos Gershenson The past, present, and future of artificial life Article review MSIIS 2014 Krisztin Kos Emergence of artificial life What makes the living different from the

363 views • 21 slides
From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy: Explaining the

From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy: Explaining the

From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy: Explaining the Demise of a Successful Growth Model and What to Do About It Joseph E. Stiglitz WIDER Conference September 2018 I. Export-led growth model behind

460 views • 42 slides
The coming of age of statistics education in New Zealand Adjunct Professor Sharleen Forbes

The coming of age of statistics education in New Zealand Adjunct Professor Sharleen Forbes

The coming of age of statistics education in New Zealand Adjunct Professor Sharleen Forbes Statistics New Zealand & School of Government, Victoria University 1 Overview 1. The influencers a. Academics b. New Zealand Statistical

308 views • 19 slides
Word order variation in Mby Guaran Angelika Kiss Guillaume Thomas August 30, 2019

Word order variation in Mby Guaran Angelika Kiss Guillaume Thomas August 30, 2019

Word order variation in Mby Guaran Angelika Kiss Guillaume Thomas August 30, 2019 Department of Linguistics University of Toronto Word Order in Mby Tupi-Guaran language About 30,000 speakers: Argentina, Brazil, Paraguay

735 views • 37 slides
Universal Dependencies for Mby Guaran Guillaume Thomas August 30, 2019 Department of

Universal Dependencies for Mby Guaran Guillaume Thomas August 30, 2019 Department of

Universal Dependencies for Mby Guaran Guillaume Thomas August 30, 2019 Department of Linguistics University of Toronto Mby Guaran Tupi-Guaran language About 30,000 speakers: Argentina, Brazil, Paraguay (Dietrich 2010) 1

475 views • 31 slides

More recommend