Tackling Data Security and Privacy Challenges for the Internet of Things

Dave Raggett, W3C

Tuesday, 14th June 2016, IoT TechExpo, Berlin

The Promise of the Internet of Things

- Services that are enriched through access to the physical and abstract world
- Smart Homes
- Smart Cities
- Smart Businesses
- Smart Government
- Environment, healthcare, agriculture, manufacturing, logistics and many more


Security and Privacy Challenges for the Internet of Things

- “Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities”, NTIA, May 2016
- How long will consumers put up with the IoT's failures? – IoT support panel, CES 2016
- IoT “plug and pray” all over again, says security consultant David Alexander, PA Consulting, CRESTcon & IISP 2016
- Three quarters of UK’s information security professionals think IoT device manufacturers aren’t implementing enough security on their products and 73% said there’s a general lack of industry standards – ISACA 2015 poll
- 72% of Americans see cyber attacks as a major threat, coming 2nd after ISIS – Pew Research poll, April 2016
- “All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry...”, Insecurity in the Internet of Things, Symantec, March 2015


Eight Internet of Things Fails due to sloppy practices and poor usability

- Target’s Heating and Cooling System
  - Hackers gained access through HVAC account, and were able to install card skimming s/w on POS terminals
- Wink’s IoT Hubs
  - Consumers found their devices bricked when the Hub security certificate unexpectedly expired
- Insteon connected homes
  - Reporter able to turn lights on and off whilst chatting with homeowners over the phone
- Home routers
  - Open to man in the middle attacks when people use default or easy to guess passwords
- Spammy refrigerators
  - Default passwords allowed attacker to use connected refrigerators as part of a botnet
- TrendNet’s nanny cams
  - Easy remote access once you have the camera’s IP address
- Samsung’s smart TVs
  - Easy to commandeer to view people’s living rooms
- Nest thermostat
  - Easy to hack if you can get physical access for a few minutes

From: The Observer, 16 July 2015. Note: these products have either been withdrawn or patched.


IoT Security Should Worry Us All

- Breaches of privacy
- Cybercrime
- Physical safety in the home, across the city and within businesses
- Threats to national infrastructure
- Looming risks of cyberwar


Unique Challenges for IoT Security

- IoT relies on microcontrollers with limited memory and computational power
  - This often makes it impractical to implement approaches designed for powerful computers
  - This in turn requires constrained IoT devices to be hidden behind secure gateways
- Threats based upon gaining physical access to IoT devices
- How to bootstrap trust and security, and ways that this can unravel
- Evolving technology
  - More powerful Systems on a Chip (SOC) embedding hardware security support
  - Elliptic Curve Cryptography with reduced computational demands
- Anything that is exposed to the Internet must be securely software upgradable
- User experience must be good enough to avoid becoming a weak link in the chain
- The necessity of keeping up to date with security best practices


The Challenges for the IoT and Big Data

- Lots of sensors will generate a vast amount of data
  - API Research estimated 200 exabytes in 2014 and 1.6 zettabytes in 2020
  - 90% is currently processed locally, although this varies by domain
- This creates a greater volume of sensitive data, creating a greater risk of
  - Data and identity theft,
  - Device manipulation,
  - Data falsification
  - IP theft, server/network manipulation, etc.
- Impact of introduction of data consolidation and analytics at network edge
  - Cisco, HPE and others
  - App platforms in the cloud or at the network edge will be targets for attacks


Enabling Data Security for the Internet of Things

- Transport and app layer encryption
  - TLS and DTLS for encrypting data transmitted over the Internet
  - App layer encryption for greater security (e.g. as in financial transactions)
  - Secure key exchange algorithms over unsecured channels
- Authentication and Key management
  - IoT devices need to check that the server is who it says it is
  - Servers likewise need to check this for IoT devices
  - Asymmetric Public/Private key pairs vs Symmetric keys
  - Tamper resistant storage of keys and certificates
  - Challenges for provisioning services


Authorisation – Determining Who Can Do What

- Authorisation rules
  - Authentication of the data recipient
  - Simple form of rules as access control lists
  - More general rules with complex conditions
- Capability based security
  - A capability is a communicable and unforgeable token of authority
  - The token is associated with a set of access rights
- IETF work on ACE and JOSE
  - ACE: access control in constrained environments
  - JOSE: JavaScript Object Signing and Encryption
- Relationship to models of trust
  - Prior agreements between two parties
  - Attestations by trusted third parties
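The capability bullet above, worked as an added example that is not part of the original slides: a token carrying a set of access rights is made unforgeable with an HMAC-SHA256 tag, laid out like a JOSE JWS compact serialization (header.payload.signature). Assumptions: issuer and verifier share the symmetric key (so the verifier could also mint tokens), and the claim names `sub`, `rights`, `exp` and the device and resource names are hypothetical.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(key: bytes, subject: str, rights: dict, expires: int) -> str:
    """Mint a capability: header.payload.signature (JWS compact layout, HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    claims = {"sub": subject, "rights": rights, "exp": expires}
    payload = b64url_encode(json.dumps(claims).encode())
    tag = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def authorize(key: bytes, token: str, resource: str, action: str, now: int) -> bool:
    """Allow the action only if the token is authentic, unexpired and grants it."""
    try:
        header, payload, tag = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Verify the MAC first, in constant time, before trusting any claim.
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return False
        # Pin the algorithm rather than letting the token choose it.
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False
        claims = json.loads(b64url_decode(payload))
        if now >= claims["exp"]:
            return False
        return action in claims["rights"].get(resource, [])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed tokens are denied, never raised to the caller


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    cap = issue(key, "thermostat-01", {"/heating/setpoint": ["read"]}, expires=2000)
    print(authorize(key, cap, "/heating/setpoint", "read", now=1000))
    print(authorize(key, cap, "/heating/setpoint", "write", now=1000))
```

Because the rights travel inside the token, whoever holds it can pass it on (communicable), while any edit to the rights invalidates the tag (unforgeable).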


Privacy and the Internet of Things

- The IoT has the potential to provide huge and unprecedented amounts of personal information
  - This information may last indefinitely
  - Risk of abuse by individuals, criminals, companies and governments
  - Sense of intrusion into your personal space
  - Fear of harm due to disclosure of personal information
- Strongly identifying information
  - Your address, date of birth, sexual orientation, …
  - Principle of data minimisation – high cost to companies for handling personal data securely
  - Privacy policies determining what purposes data can be used for, and for how long
- Weakly identifying information
  - When sufficient such data is combined this can uniquely characterise you
  - Companies need to provide privacy policies on how they handle such data
- Need for adhering to best practices to avoid reputational damage to companies
  - Including regulatory requirements


The IoT and the Web

- Web technologies are increasingly important for the IoT
  - Web protocols like HTTP
  - Semantic descriptions based on RDF
  - HTML5 and the Open Web Platform for human machine interface
- The Web security model and its relationship to the IoT
  - Access rights for web apps are scoped to app’s origin
  - The Web is moving to encrypt all communication
  - We’re preparing to transition the Web from passwords to public key crypto
    - Users authenticate to the browser, and browser authenticates to the website
- For the IoT, the user (owner) isn’t around at the time the device needs to authenticate itself to a service
- We therefore need a way for users to authorize the device in advance
  - This is a form of trust delegation, and introduces the need to authenticate users as well as service providers


Some Take Away Messages

- Security is crucial and must not be seen as an afterthought
  - Need to consider security and privacy from the start
  - Need to adhere to evolving best security practices
  - Failure to do so risks reputational and financial damage
- Recruit experienced security staff
- Take advantage of the available resources, e.g.
  - Internet of Things Security Foundation
  - OWASP IoT Security Guidance
  - IAB Privacy & Security studies
    - RFC 7452 – Architectural Considerations in Smart Object Networking
    - RFC 7456 – Cryptographic algorithm agility
  - EU Article 29 Data Protection Working Party
    - Anonymization, privacy and the IoT
- Track the emerging standards, e.g.
  - W3C Security Activity
  - IETF ACE & JOSE
- Some tips from Mike Turner @ ComputerWeekly
  - Set up an integrated team of business executives and security specialists
  - Integrate security best practice with the IoT product development process
  - Educate consumers as well as front-line staff in security best practice
  - Address privacy concerns with easy to understand privacy policies


Overcoming the Fragmentation of the Internet of Things

- Today, there are many non-interoperable platforms and a surfeit of technologies and standards
- This creates silos, increases development costs and reduces the market potential
- W3C is the leading organization for Web technology standards
- We’re working on approaches to overcoming fragmentation and enabling open markets of services
- Analogy with network services before and after the Internet was introduced
- Get it right and there will be exponential growth in IoT services


The Web of Things

- A heterogeneous set of platforms, serving different needs
  - No one platform and protocol can be expected to win out
- The Web of Things
  - “Things” denoting physical and abstract entities
  - Cross platform standards for application access to “things”
- Rich metadata describing “things”
  - What data and interaction models are exposed to applications?
  - What protocols and communication patterns can be used?
  - What kind of a thing is it (semantic models and constraints)?
  - What are the relationships to other things?
- Web of Things as inter-platform Web technology standards
  - Based upon W3C’s established strengths in semantic technologies, web security and the open web platform


Web of Things – Key Challenges

- Semantic interoperability – ensuring that communicating parties share the same meaning for data
  - Platforms may use different protocols and data formats, but without shared meaning, it won’t be possible to build services that integrate data across platforms
- Shared trust assumptions for end to end security across platforms
  - How are the entities involved named and authenticated?
  - How is trust established across these entities?
  - How are authorization policies described?
  - Do all of the parties use high levels of security?
- Enabling resilience of services
  - Best practices for dealing with faults and attacks
  - Defence in depth and its implications
  - Security, monitoring, machine learning and policies


World Wide Web Consortium

Mission: lead the Web to its full potential
- The Web is the world's largest vendor-neutral distributed application platform

Founded by Sir Tim Berners-Lee, inventor of the Web
- 400+ Members
- Member-funded international organisation

Develops standards for Web and semantic technologies
- HTML, CSS, scripting APIs, XML, SVG, VoiceXML, Semantic Web and Linked Data etc.
- Developer oriented, enabling cooperation between organisations with very different backgrounds
- W3C patent policy for royalty free standards
- W3C staff of engineers actively participating in standardisation
- Increasingly involved in verticals: Mobile, TV, Automotive, Digital publishing


W3C Web of Things

- Web of Things Interest Group – exploring the potential through technology surveys and experimental implementations
- Web of Things Working Group – planned for late 2016 – will develop initial standards
- Web of Things Business Group – under discussion – to guide technical work based upon analysis of business and policy level requirements across many application domains

[Photo: Web of Things Interest Group, Montreal 2016]


The Bottom Line

The Web is essential for realizing the full potential of the IoT

The Web provides a unifying framework for semantic interoperability

The Web acts as a global marketplace for suppliers and consumers of services


For more information on W3C see:

www.w3.org

Work with us to secure the Web of Things!

Thank you!

