Internet of Things Security

Date post: 07-Aug-2015
Upload: tutun-juhana

Internet of Things

IoT

Security

Tutun Juhana

Telecommunication Engineering Department

School of Electrical Engineering & Informatics

Institut Teknologi Bandung

Mini Conference, 22 June 2015

Computer Science Dept., Faculty of Mathematics and Natural Sciences

Institut Pertanian Bogor

IoT is (will be)…….

IoT offers comforts

www.refitsmarthomes.org

Smart Homes

Health and Activity Monitoring

www.ece.uah.edu

VANET

Vehicle Ad-Hoc Network

IoT can also be nightmares

Pacemaker Attack

IP camera peeping

https://sites.google.com/site/web1camera/

Google Hacks

http://zeecure.com/free-cctv-and-security-tools/complete-list-of-every-ip-camera-default-username-password-and-ip-address/

Smart refrigerator

• Your fridge is full of spam

• www.proofpoint.com

How vulnerable are we?

Research findings by HP

Internet of Things Research Study - 2014 report

Privacy concerns

Insufficient authentication and authorization

Lack of transport encryption

Insecure software and firmware

Recommended Security Controls

Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment

Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System

Implement layered security protections to defend IoT assets

Implement data protection best-practices to protect sensitive information

Define lifecycle controls for IoT devices

Define and implement an authentication/authorization framework for the organization’s IoT Deployments

Define and implement a logging/audit framework for the organization’s IoT ecosystem

Further reading: Security Guidance for Early Adopters of the Internet of Things (IoT), CSA, April 2015

Cyber Security Pillars for Internet of Things Products

Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond, Prepared by: Ollie Whitehouse

“Conventional Security” Tech doesn’t apply to IoT

• The longevity of the device
  • Updates are harder (or impossible)

• The size of the device
  • Capabilities are limited – especially around crypto

• The fact there is a device
  • Usually no UI for entering userids and passwords

• The data
  • Often highly personal

• The mindset
  • Appliance manufacturers don’t think like security experts
  • Embedded systems are often developed by grabbing existing chips, designs, etc.

Securing the Internet of Things, Paul Fremantle, Paul Madsen

Device Classes – IETF RFC 7228

• Class 2:
  • Data size (memory): 50 KB
  • Code size (flash, disk): 250 KB
  • Can interact with Internet nodes. Example protocol: HTTP-over-SSL/TLS

• Class 1:
  • Data size (memory): 10 KB
  • Code size (flash, disk): 100 KB
  • May interact with Internet nodes. Example protocol: CoAP-over-DTLS

• Class 0:
  • Data size (memory): <<10 KB
  • Code size (flash, disk): <<100 KB
  • Depend on intermediaries (e.g. class 1 or 2 components) to interact with Internet nodes

Crypto

Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

Thank You

