Date posted: 07-Aug-2015
Category: Technology
Uploaded by: tutun-juhana
Internet of Things
IoT
Security
Tutun Juhana
Telecommunication Engineering Department
School of Electrical Engineering & Informatics
Institut Teknologi Bandung
Mini Conference, 22 June 2015
Computer Science Dept., Faculty of Mathematics and Natural Sciences
Institut Pertanian Bogor
http://zeecure.com/free-cctv-and-security-tools/complete-list-of-every-ip-camera-default-username-password-and-ip-address/
Research findings by HP
Internet of Things Research Study - 2014 report
Privacy concerns
Insufficient authentication and authorization
Lack of transport encryption
Insecure software and firmware
Recommended Security Controls
Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment
Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System
Implement layered security protections to defend IoT assets
Implement data protection best-practices to protect sensitive information
Define lifecycle controls for IoT devices
Define and implement an authentication/authorization framework for the organization’s IoT Deployments
Define and implement a logging/audit framework for the organization’s IoT ecosystem
Further reading: Security Guidance for Early Adopters of the Internet of Things (IoT), CSA, April 2015
Cyber Security Pillars for Internet of Things Products
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond, Prepared by: Ollie Whitehouse
“Conventional Security” Tech doesn’t apply to IoT
• The longevity of the device
  • Updates are harder (or impossible)
• The size of the device
  • Capabilities are limited – especially around crypto
• The fact there is a device
  • Usually no UI for entering userids and passwords
• The data
  • Often highly personal
• The mindset
  • Appliance manufacturers don’t think like security experts
  • Embedded systems are often developed by grabbing existing chips, designs, etc.
Securing the Internet of Things, Paul Fremantle, Paul Madsen
Device Classes – IETF RFC 7228
• Class 2:
  • Data size (memory): 50 KB
  • Code size (flash, disk): 250 KB
  • Can interact with Internet nodes. Example protocol: HTTP-over-SSL/TLS
• Class 1:
  • Data size (memory): 10 KB
  • Code size (flash, disk): 100 KB
  • May interact with Internet nodes. Example protocol: CoAP-over-DTLS
• Class 0:
  • Data size (memory): <<10 KB
  • Code size (flash, disk): <<100 KB
  • Depend on intermediaries (e.g. class 1 or 2 components) to interact with Internet nodes
Crypto
Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13