iot security software solutions danny de cock
play

IOT SECURITY SOFTWARE SOLUTIONS DANNY DE COCK 22 September 2015 - PowerPoint PPT Presentation

Oct 21, 2022 •334 likes •483 views

IOT SECURITY SOFTWARE SOLUTIONS DANNY DE COCK 22 September 2015 SENIOR RESEARCHER HTTP://GODOT.BE/SLIDES STANDARD CRYPTO-TECHNICAL CONSIDERATIONS IOT = big data, focused on functionality, not security Security is afterthought Each

  1. IOT SECURITY SOFTWARE SOLUTIONS DANNY DE COCK 22 September 2015 SENIOR RESEARCHER HTTP://GODOT.BE/SLIDES

  2. STANDARD CRYPTO-TECHNICAL CONSIDERATIONS  IOT = big data, focused on functionality, not security  Security is afterthought  Each family of devices works in its own silo, aggregation rather than integration  User data, preferences, behavior stored in the cloud  Who manages the cloud, who is it and where can you find them?  Devices push data out automatically to meet user expectations and convenience  Location privacy, behavior patterns, backups, contact lists  No transparency to end-user wrt access to company/private data  Authentication, confidentiality and authorization problems  Low power = lightweight communications and security protocols  Silo- based management of keys, preferences, access control settings… 22/09/2015 2

  3. SO, WHAT IS THE PROBLEM?   IoT device not different from any other IT device  Communicates with its surroundings  Firmware, operating system, applications, application data, user data, configurations  What makes IoT different  Restrained resources  Not continuously online  Many different versions in the field  Very short time-to-market  Users are Guiney pigs rather than users of well tested devices  High number of devices compete for limited network resources  Wifi, Bluetooth, ZigBee, Z- Wave…  Operation conditions are complex and fragile  Just too many devices and more are coming  22/09/2015 3

  4. ‘‘OUR SYSTEM IS SECURE: WE USE THE AES’’  What about  Key management & life cycle  ‘‘Random’’ keys?  Authenticated (?) key agreement  Implementation  Modes of encryption, initialization vectors,…  Attacking the implementation  Who holds the keys?  Who can use the keys?  Stored in the clear?  Key archives? 22/09/2015 Slide 4

  5. HIGH-LEVEL RISKS (1/2)  Focus on  Functionality – better & earlier than the competition  Commercial interest – user is no longer owner of its data  Struggle with  Reliability of the devices  Stability of the applications  Interoperability with other devices 22/09/2015 5

  6. HIGH-LEVEL RISKS (2/2)  Forget/ignore/neglect  Privacy related issues  Collecting all possible data without informing users correctly and beforehand  Inappropriate use of information `it is available anyhow, so why not use it?`  Integrity protection of data transferred and stored  Access control to IoT device, online services, user data, configuration data…  Happy when it works  Do not touch/reconfigure a working system   Limited management of keys, algorithms, protocols, credentials…  Backward compatibility constricts deployment of secure environments 22/09/2015 6

  7. IT’S ALIVE! AND WE LOST IT!  Networked devices  Automated data push to the cloud – sensor states, control statuses, user data…  Frequent system updates and upgrades  Flooding off the shelve (home) wireless access points  Lower- power Bluetooth, ZigBee… hubs  Devices get controlled remotely – who controls what?  Botnet-inspired command and controlled push of commands from the Cloud  ET phones home: fetch instructions from mother station 22/09/2015 7

  8. REAL DANGER – OPEN SESAME  Third party’s benefit  Hacking/infecting remote control points  Very similar to botnet activities  Compromised meta-controller, e.g.,  Can provide full access to critical control points  Enables perfect burglary  Break-in & entry without signs of break-in!  Compromised device manufacturer’s control points  Alien firmware, Trojan behavior of *all* devices  Self-benefit  Current state of the art allows fabrication of alibi   Fake presence at home  Mimic normal behavior remotely Disclaimer: not claiming the pictured items/service providers have been compromised already  22/09/2015 8 Images: http://www.sevenoaksart.co.uk

  9. WHAT TO DO ABOUT IT? (DESIGN/DEVELOP VIEW)  During design of IoT devices and services:  Enable & use robust version and update control from the initial start:  Firmware, operating system, application, application modules, device drivers  Key material, set of trusted references: keys, certificates  Avoid transporting and saving plaintext data to the cloud  Enable decent user and system authentication & authorization  Special focus on user friendliness & user convenience  Similar to TPM initialization: master and normal user  Good system design relies on embedded security  Simplifies security issues: no add-on  During use:  Guarantee interoperability with older versions  Discard support of older versions when *ALL* older versions have upgraded  Inform users correctly and completely when changing data collection policy 22/09/2015 9

  10. WHAT TO DO ABOUT IT? (USER VIEW)  Apply well known network segregation:  Demilitarized zones & self-controlled security gateways!  During configuration of intelligent devices  Prepare separate networks from normal network with Internet access  Use different settings to initialize/configure devices/services and to use devices/services  After configuration  Disable Internet access of critical intelligent devices – power consumers, physical & logical entry points  Disable automated update functionality to avoid unwanted/uncontrolled service disruption 22/09/2015 10

  11. CLOSING REMARKS  Use of Today’s IoT devices provide  No privacy guarantees whatsoever  Fake belief you are in control  New business opportunities for  IoT system aggregators  IoT system installers and configurators  About home automation  Not to be used for safety and security critical systems  22/09/2015 11

  12. QUESTIONS?  Contact details:  Email: Danny.DeCock@esat.kuleuven.be  Slides: http://godot.be/slides 22/09/2015 12

  13. GOOD PRACTICES  Centralize security knowledge in software architects and application designers  Implementers should not have to make delicate security decisions  Cryptographic algorithms and protocols should be considered as modular building blocks  Consistent deployment of a security vision saves time and money  Security expertise concentrated in a few of the most trusted members of the development organization  Allows for better depth of knowledge  Results in more effective and secure results  Good initial security design avoids hard to solve security issues  Security patches do not deal with inherent design flaws  Simple design is easily understandable/testable/auditable 22/09/2015 Slide 13

  14. TH@NK YOU! ANY QUESTIONS? 22/09/2015 Slide 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Connecting Academic Security Research to Applied Systems in the Field Dr. Danny De Cock 6

Connecting Academic Security Research to Applied Systems in the Field Dr. Danny De Cock 6

Connecting Academic Security Research to Applied Systems in the Field Dr. Danny De Cock 6 October 2016 COSIC Staff Department Electrical Engineering-ESAT COSIC = COmputer Security and Industrial Cryptography ( o 1978) 5 full-time 90

502 views • 28 slides
Usability Related Observations Practical Security Hints Danny De Cock, PhD, sr. Research Manager

Usability Related Observations Practical Security Hints Danny De Cock, PhD, sr. Research Manager

Usability Related Observations Practical Security Hints Danny De Cock, PhD, sr. Research Manager Applied Cryptography 25 March 2018, #hackatonamring, Nrburg, Germany Slides: http://godot.be/slides While establishing correct location

341 views • 6 slides
K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock

K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock

K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock Danny.DeCock@esat.kuleuven.be Katholieke Universiteit Leuven/Dept. Elektrotechniek (ESAT) Computer Security and Industrial Cryptography (COSIC) Kasteelpark

308 views • 16 slides
IOT LANDSCAPE March 2017 DANNY DE COCK HTTP://GODOT.BE/SLIDES LIMITED SCOPE Security

IOT LANDSCAPE March 2017 DANNY DE COCK HTTP://GODOT.BE/SLIDES LIMITED SCOPE Security

TOWARDS A SECURE IOT LANDSCAPE March 2017 DANNY DE COCK HTTP://GODOT.BE/SLIDES LIMITED SCOPE Security challenges for commonly available and used devices IoT device not different from any other IT device Communicates with its

506 views • 24 slides
CONCERNS & SOLUTION DANNY DE COCK HTTPS://WWW.GODOT.BE/SLIDES Feb 2018 IOT SCOPE Credits:

CONCERNS & SOLUTION DANNY DE COCK HTTPS://WWW.GODOT.BE/SLIDES Feb 2018 IOT SCOPE Credits:

Simply Smart Workshop IOT SECURITY AND PRIVACY CONCERNS & SOLUTION DANNY DE COCK HTTPS://WWW.GODOT.BE/SLIDES Feb 2018 IOT SCOPE Credits: Chragokyberneticks Credits: http://www.greenpeak.com Blue: Networked devices Green: Energy

370 views • 8 slides
THE INTERNET OF THINGS 25 September 2015 DANNY DE COCK SENIOR RESEARCHER HTTP://GODOT.BE/SLIDES

THE INTERNET OF THINGS 25 September 2015 DANNY DE COCK SENIOR RESEARCHER HTTP://GODOT.BE/SLIDES

SECURITY CHALLENGES FOR THE INTERNET OF THINGS 25 September 2015 DANNY DE COCK SENIOR RESEARCHER HTTP://GODOT.BE/SLIDES LIMITED SCOPE Security challenges for commonly available and used devices IoT device not different from any

945 views • 19 slides
Electronic Voting in Belgium: Past and Future Danny De Cock K.U.Leuven ESAT/COSIC Slides

Electronic Voting in Belgium: Past and Future Danny De Cock K.U.Leuven ESAT/COSIC Slides

Electronic Voting in Belgium: Past and Future Danny De Cock K.U.Leuven ESAT/COSIC Slides available from http://godot.be/slides 4 December 2007 eVoting in Belgium: Past and Future 1 Outline Interesting things to know Conceptual view

591 views • 22 slides
Using OSGi for Secure Service Discovery Slides available at http://godot.be/slides Antonio Kung,

Using OSGi for Secure Service Discovery Slides available at http://godot.be/slides Antonio Kung,

Using OSGi for Secure Service Discovery Slides available at http://godot.be/slides Antonio Kung, Founder/Director, Trialog Antonio Kung, Founder/Director, Trialog Danny De Cock, Researcher Applied Cryptography, K.U.Leuven Danny De Cock,

484 views • 31 slides
SP Infrastructure Security Survey & Attack Classification Danny McPherson danny@arbor.net

SP Infrastructure Security Survey & Attack Classification Danny McPherson danny@arbor.net

SP Infrastructure Security Survey & Attack Classification Danny McPherson danny@arbor.net & Ray Hunt ray.hunt@canterbury.ac.nz Apricot 2006 - Perth, Australia 1 Goals Given time constraints, focus will be given to providing

1.03k views • 86 slides
BGP Security Techniques Danny McPherson danny@arbor.net Kyoto, Japan APRICOT 2005 1 Agenda

BGP Security Techniques Danny McPherson danny@arbor.net Kyoto, Japan APRICOT 2005 1 Agenda

BGP Security Techniques Danny McPherson danny@arbor.net Kyoto, Japan APRICOT 2005 1 Agenda Overview & Discussion Context BGP Blackhole Routing BGP Diversion BGP Route Tagging BGP Flow Specification Analyzing

450 views • 28 slides
Xpanda security gates Security solutions Retail security gate solutions Industrial

Xpanda security gates Security solutions Retail security gate solutions Industrial

STOREFRONT PROTECTION Xpanda security gates Security solutions Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate solutions Office building

406 views • 13 slides
Retail security gate solutions Industrial security gate solutions Institutional

Retail security gate solutions Industrial security gate solutions Institutional

PHYSICAL SECURITY SOLUTIONS Quantum security gates can help you improve security quickly. Before or after a break-in. Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Office

215 views • 18 slides
PRESENTED BY CYBRAIN SOFTWARE SOLUTIONS ABOUT US Cybrain Software Solutions is an ISO

PRESENTED BY CYBRAIN SOFTWARE SOLUTIONS ABOUT US Cybrain Software Solutions is an ISO

PRESENTED BY CYBRAIN SOFTWARE SOLUTIONS ABOUT US Cybrain Software Solutions is an ISO 9001:2008 certified Software development and Web development Company, Headquartered in Mohali (Punjab). We are providing IT solutions and IT-enabled

754 views • 60 slides
Future Internet of Services Future Internet of Services 3 Perspective From a TAS 3 Perspective

Future Internet of Services Future Internet of Services 3 Perspective From a TAS 3 Perspective

Future Internet of Services Future Internet of Services 3 Perspective From a TAS 3 Perspective From a TAS Danny De Cock TAS 3 Project Coordinator Slides available from http://godot.be/slides Email: Danny.DeCock@esat.kuleuven.be Future

252 views • 12 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Encrypted SSDs: Self-Encryption Versus Software Solutions Michael Willett Storage Security

Encrypted SSDs: Self-Encryption Versus Software Solutions Michael Willett Storage Security

Encrypted SSDs: Self-Encryption Versus Software Solutions Michael Willett Storage Security Strategist and VP Marketing Bright Plaza Flash Memory Summit 2015 Santa Clara, CA 1 The Problem 2005-2013: over 864,108,052 records

161 views • 15 slides
SAC-PA2 June 15, 2018 Computing Services and Systems Development MINI-DMZ @ PITT USE CASE #2

SAC-PA2 June 15, 2018 Computing Services and Systems Development MINI-DMZ @ PITT USE CASE #2

Computing Services and Systems Development SAC-PA2 June 15, 2018 Computing Services and Systems Development MINI-DMZ @ PITT USE CASE #2 Christopher Keslar Computing Services and Systems Development Background Lab Equipment that can

794 views • 15 slides
Virtualization and CIP-005 Project 2016-02 Project Update Project 2016-02 CIP SDT Members Decemb

Virtualization and CIP-005 Project 2016-02 Project Update Project 2016-02 CIP SDT Members Decemb

Virtualization and CIP-005 Project 2016-02 Project Update Project 2016-02 CIP SDT Members Decemb er 2019 Purpose Virtualization changes to CIP standards are to ENABLE new methods/models NOT REQUIRE Them 2 RELIABILITY | ACCOUNTABILITY Agenda

408 views • 19 slides
CompSci 356: Computer Network Architectures Lecture 24: Network Security Xiaowei Yang

CompSci 356: Computer Network Architectures Lecture 24: Network Security Xiaowei Yang

CompSci 356: Computer Network Architectures Lecture 24: Network Security Xiaowei Yang xwy@cs.duke.edu Overview Why studying network security? The topic itself is worth another class Basic cryptography building blocks

768 views • 49 slides
Ken Birman i Cornell University. CS5410 Fall 2008. Last time: standards We looked mostly at

Ken Birman i Cornell University. CS5410 Fall 2008. Last time: standards We looked mostly at

Ken Birman i Cornell University. CS5410 Fall 2008. Last time: standards We looked mostly at big architectural standards But there are also standard ways to build cloud i f infrastructure support. Today: review many of the things one

549 views • 36 slides
Management of Exceptions in Access Control Policies J. G. Alfaro, F. Cuppens, N. Cuppens ENST

Management of Exceptions in Access Control Policies J. G. Alfaro, F. Cuppens, N. Cuppens ENST

Management of Exceptions in Access Control Policies J. G. Alfaro, F. Cuppens, N. Cuppens ENST Bretagne, Rennes RSM/SERES Outline - 2 - Problem domain Main strategies Use of full expressiveness Conclusions and Perspectives

562 views • 28 slides
The Processing and Archiving Unit of the Javalambre Astrophysical Observatory. A. Ederoclite CE

The Processing and Archiving Unit of the Javalambre Astrophysical Observatory. A. Ederoclite CE

The Processing and Archiving Unit of the Javalambre Astrophysical Observatory. A. Ederoclite CE F CA A. Ederoclite UPAD OAJ Heidelberg, 10 June 2013 1 of 17 J-PAS Expected Beginning: 2015 Expected Duration: 5 7 years A. Ederoclite

397 views • 21 slides
Establishing a Personal Electronic Health Record in the Rhine-Neckar Region Sarajevo 31th of

Establishing a Personal Electronic Health Record in the Rhine-Neckar Region Sarajevo 31th of

Establishing a Personal Electronic Health Record in the Rhine-Neckar Region Sarajevo 31th of August 2009 Oliver HEINZE 1 , Antje BRANDNER 1 , Bjrn BERGH 1 1 Department of Information Technology and Medical Engineering University Hospital

682 views • 19 slides
2. HDF AAI Meeting -- Demo Slides Steinbuch Centre for Computing Marcus Hardt KIT University

2. HDF AAI Meeting -- Demo Slides Steinbuch Centre for Computing Marcus Hardt KIT University

2. HDF AAI Meeting -- Demo Slides Steinbuch Centre for Computing Marcus Hardt KIT University of the State of Baden-Wuerttemberg and www.kit.edu National Research Center of the Helmholtz Association Introduction HDF Proposal: 6 Helmholtz

506 views • 22 slides

More recommend