iot security
play

IoT Security IoT: Internet of things Hidden Voice Commands, Usenix - PowerPoint PPT Presentation

Feb 26, 2024 •117 likes •470 views

IoT Security IoT: Internet of things Hidden Voice Commands, Usenix Security16 Presented by Jinli Zhong FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild, NDSS17 Presented by Jie Li Protecting Privacy of BLE

  1. IoT Security IoT: Internet of things Hidden Voice Commands, Usenix Security’16 • Presented by Jinli Zhong • FBS-Radar: Uncovering Fake Base Stations at Scale in the • Wild, NDSS’17 Presented by Jie Li • Protecting Privacy of BLE Device Users, Usenix Security’16 • Presented by Wei Zhang • 1

  2. Security'16 Protecting Privacy of BLE Device Users Kassem Fawaz ∗ , Kyu-Han Kim†, Kang G. Shin ∗ ∗ The University of Michigan †Hewlett Packard Labs Presented by Wei Zhang 2

  3. Outline Introduction • BLE Primer • Threats from BLE Devices • BLE-Guardian • Implementation and Evaluation • Summary • 3

  4. Outline Introduction • BLE Primer • Threats from BLE Devices • BLE-Guardian • Implementation and Evaluation • Summary • 4

  5. Internet of Things 5

  6. What is BLE? BLE: Bluetooth Low Energy • Attractive communication protocol in IoT • Short range • Low energy footprint • Supported by most hosts • Popularity • Currently: 74K unique products with BLE support • 2013: 1.2 billion BLE products shipped • 2020: 2.7 billion BLE products expected • 6

  7. Outline Introduction • BLE Primer • Threats from BLE Devices • BLE-Guardian • Implementation and Evaluation • Summary • 7

  8. BLE States Peripheral role • Sensors, fitness trackers, health monitors, etc • Lower capabilities: sleep for most of the time • With the information to advertise • Central role • AP, PC or smartphone • Higher burden: scans for advertisement and initiates • connection 8

  9. BLE Advertisements 3 advertisement channels • 37 (2402MHz) • 38 (2426MHz) • 39 (2480MHz) • 4 advertisement message types • ADV_DIRECT_IND • ADV_IND • ADV_NONCONN_IND • ADV_SCAN_IND • 9

  10. BLE Advertisements Type Description Frequency Connect to a particular device 3.75 ms, but only ADV_DIRECT_IND only for 1.28 seconds General presence known + ADV_IND 20ms – 10.24s connections Don’t accept any scan or ADV_NONCONN_IND 100ms – 10.24s connection requests ADV_SCAN_IND Don’t accept connections but 100ms – 10.24s accept scan requests 10

  11. BLE Security and Privacy Pairing & bonding • Whitelisting: only accept connections from devices it has • been paired with before Prevent unauthorized access to device or secured services • Address randomization • Prevent user tracking • Direct Advertisements • Enable fast and private reconnections. • Prevent user tracking and profiling • 11

  12. Outline Introduction • BLE Primer • Threats from BLE Devices • BLE-Guardian • Implementation and Evaluation • Summary • 12

  13. Threats from BLE Devices Insight: Whether or not manufacturers properly implement • BLE’s privacy provisions is an entirely different story Passively scan for BLE advertisements • <Timestamp, BT Address, advertisement content, RSSI> • Dataset • Site Participants Period Hewlett Packard Labs 1 40 days Ann Arbor 13 2 months Phone LAB/ SUNY Buffalo 86 2 months 13

  14. Threats from BLE Devices Indirect Advertisements • Detected 214 different unique types of devices • Address Randomization • 14

  15. Threats from BLE Devices Device pairing • 15

  16. Potential Attacks Tracking user: consistent addresses, poor randomization, unique identifiers • Profiling user: health situation, user’s behavior, and personal interests • Harming user: fingerprint of and unauthorized access for sensitive devices • 16

  17. Research Questions Can we effectively fend off the threats to BLE-equipped devices (1) in a device-agnostic manner (2) using COTS (Commercial-Off-The-Shelf) hardware only (3) with as little user intervention as possible 17

  18. Outline Introduction • BLE Primer • Threats from BLE Devices • BLE-Guardian • Implementation and Evaluation • Summary • 18

  19. High-level Description Two main modules • Device hiding module and access control module • 19

  20. Device Hiding Goal: jam BLE device advertisements to hide its existence • Need to learn device advertising Sequence • Otherwise jamming will be ineffective or inefficient • Interval t = adv + r • adv is the actual advertisement interval as set by the device • r is a random variable representing the random delay such that r ∈ unif (0, 10 ms ) 20

  21. Device Hiding 21

  22. Device Hiding Detect RSSI (Received Signal Strength Indication) increase • Apply jamming and follow advertising sequence • 22

  23. Access Control Goal: authorize client devices and enable their access to the BLE devices • Device authorization • BLE-Guardian runs in server mode on the gateway waiting for incoming • connections Authenticating devices have BLE-Guardian running in client mode to initiate • connections and ask for authorization Authorization: the Bluetooth address of the user’s gateway as well as the UUID of • the authentication service Connection enabling • BLE-Guardian advertises on behalf of the target BLE device on the same channel • BLE-Guardian ’s app running on the client device uses the address and the • parameters to initiate a connection to the BLE device 23

  24. Access Control Authorization: bluetooth classic as an OOB channel • 24

  25. Access Control Connection Enabling: connection parameters to distinguish • legitimate connection request 25

  26. Outline Introduction • BLE Primer • Threats from BLE Devices • BLE-Guardian • Implementation and Evaluation • Summary • 26

  27. Implementation Hardware: Ubertooth One • Programmable BT radio • Open source firmware • Rx/Tx on each BT channel • Software: user-level app • Control BLE-Guardian • Update firmware seamlessly • 27

  28. Evaluation • Cutoff distance Due to transmission power limitations, there would always be a small area • around the target BLE device where privacy protection can not be enacted Beyond it the adversary can’t scan and connect to the target BLE device • 28

  29. Evaluation • Cutoff distance Adversary has to be within 1 m of BLE device to read its • advertisements 29

  30. Evaluation • Advertisement Hiding • Impact on Advertising Channels 1. Protect single device at advertising intervals: 20 ms, 960 ms, and 10.24 sec 2. Two devices advertising at 20 ms 3. 15 other devices: with varying advertising frequencies The number of unnecessary jamming instance is minimal • 30

  31. Evaluation • Energy Overhead • BLE-device and authorized clients • No overhead • Smartphone as a gateway • Idle power: 1370mW • Overhead: less than 16% 31

  32. Outline Introduction • BLE Primer • Threats from BLE Devices • BLE-Guardian • Implementation and Evaluation • Summary • 32

  33. Summary • BLE-Guardian • Privacy protection for BLE device users • Device agnostic and relies on COTS hardware • Low overhead on advertisement channels • Future work • Explore other M2M protocols such Zigbee • Implement without needing external hardware (need firmware access) 33

  34. Thanks! 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Internet of things Prevailing perspective- opportunities and risks Computer Security Day

Internet of things Prevailing perspective- opportunities and risks Computer Security Day

www.pwc.com/mu Internet of things Prevailing perspective- opportunities and risks Computer Security Day Confidential November, 2016 Agenda PwC IoT Technology Forecast Opportunities and risks Security Consideration for Internet of Things

811 views • 23 slides
SonicWall Security 2.0 Erhhung des IT-Security Levels durch Aufbau einer individuellen,

SonicWall Security 2.0 Erhhung des IT-Security Levels durch Aufbau einer individuellen,

SonicWall Security 2.0 Erhhung des IT-Security Levels durch Aufbau einer individuellen, ganzheitlichen Verteidigungstrategie, bei gleichzeitiger Kosteneinsparung Jan Patrick Schlgell Silvan Noll Regional Director, Central Europe SE

624 views • 37 slides
Management 1 Session Objective By the end of the session, participants will discuss the

Management 1 Session Objective By the end of the session, participants will discuss the

DFS Risk and Fraud Management 1 Session Objective By the end of the session, participants will discuss the potential provider and consumer risks in digital finance and learn how to manage those risks having full awareness of the issues that

882 views • 45 slides
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE Secappdev 2007 1

Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE Secappdev 2007 1

Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE Secappdev 2007 1 UNIVERSITEIT LEUVEN Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsofts Threat

784 views • 39 slides
The Power to Do More: Accelerating Results Join the conversation. #DoMore AGENDA 1:30 2:30

The Power to Do More: Accelerating Results Join the conversation. #DoMore AGENDA 1:30 2:30

April 24, 2013 Hotel Monaco, San Francisco The Power to Do More: Accelerating Results Join the conversation. #DoMore AGENDA 1:30 2:30 The Power to Do More: Accelerating Results John Swainson, President Dell Software Tom Kendra, VP and GM

348 views • 24 slides
Communication tool classroom CCWG Auction Proceeds 12Jan2017 Your Support staff contacts: for

Communication tool classroom CCWG Auction Proceeds 12Jan2017 Your Support staff contacts: for

Communication tool classroom CCWG Auction Proceeds 12Jan2017 Your Support staff contacts: for content purposes Marika Konings Senior Policy Director &amp; GNSO Team Leader Marika.konings@icann.org Joke Braeken ccNSO Policy Advisor

463 views • 30 slides
This is Rotary In the beginning Rotary Founder Paul Harris First Rotary Club organized in

This is Rotary In the beginning Rotary Founder Paul Harris First Rotary Club organized in

This is Rotary In the beginning Rotary Founder Paul Harris First Rotary Club organized in Chicago in 1905, by Paul P. Harris. The original four member club met for fellowship, in rotation at members offices . . . thus the name Rotary .

550 views • 35 slides
The Suitability of the Asynchronous Remote Communities (ARC) Method for Studying Stigmatized

The Suitability of the Asynchronous Remote Communities (ARC) Method for Studying Stigmatized

The Suitability of the Asynchronous Remote Communities (ARC) Method for Studying Stigmatized Populations March, 2018 Stigma - Illness - Mental health HIV , STDs - - Disability - Eating disorders - Sexual orientation - Homelessness

381 views • 26 slides

More recommend