IoT and HEART: Security aspects
Jago Cocco
Eurac Research
Institute for Renewable Energy
Summary
IoT: past, present and future
IoT security issues
Some actual smart home devices
Addressing IoT Sec in HEART
Internet of Things: past
Just a historical remark...
• 1975, X-10 protocol: first protocol to be used for communication among electronic devices in home automation (domotics)
• 1989: Tim Berners-Lee proposes the World Wide Web
• 1989, the first IoT device: John Romkey’s Internet Toaster
• 1999, official birth of IoT: the term "Internet of Things" is coined by Kevin Ashton, executive director of the Auto-ID Center
... The basics of IoT technology are not fresh ideas!
Internet of Things: present
An actual definition from the European Parliament:
The Internet of Things (IoT) refers to a distributed network connecting physical objects that are capable of sensing or acting on their environment and able to communicate with each other, other machines or computers. The data these devices report can be collected and analyzed in order to reveal insights and suggest actions that will produce cost savings, increase efficiency or improve products and services.
Internet of Things: future
The Internet of Things is converging towards a new paradigm called the Internet of Everything (IoE), which itself contains the definition of IoT. From Cisco (2013):
IoE is bringing together people, process, data, and things to make networked connections more relevant and valuable than ever before, turning information into actions that create new capabilities, richer experiences, and unprecedented economic opportunity for businesses, individuals, and countries.
In a few words: ubiquitous computing and massive big data analysis, with human beings as a part of it.
IoT: what about SECURITY?
Discarding fancy definitions, what is IoT really? IoT is essentially cheap, easily hackable constrained devices in your homes and workplaces (and, even worse, unprotected SCADA devices in your cities' critical infrastructures) with access to the Web: Christmas Day for the bad guys.
From weird IoT enabled teddies...
... to the Mirai botnet and massive DDoS
Passing through IoT APT...
... used for Cyberwarfare
Four points on "smart housing" IoT Sec
1. To make constrained devices secure: with low computational power and low memory capacity, the implementation of classic mitigation techniques can range from hard to impossible;
2. To make secure constrained devices work with low power consumption;
3. To make constrained devices secure without making it economically disadvantageous;
4. To make the isolation of a compromised network possible: an attack on your local network must not become an issue for the whole Internet.
Still in doubt about IoT Sec?
Shodan, a cybersecurity tool for professionals which is basically a search engine for connected objects, makes it easy to find things like private IP cameras or even weird and creepy stuff like crematoriums. In most cases all of that is accessible from your office desk due to lack of security: just judge for yourself what they found in 2015 in the next slide...
Yup, Internet of BIG Things!
In case you are wondering, this is an interface to the cyclotron at the Lawrence Berkeley National Laboratory!
Creepy but real IoT Smart Home devices
The really weird thing is that, if you check the websites of these products... there is little to no attention to security!
• Prophix smart toothbrush with a 10 MP CAMERA (!) inside;
• Kinsa smart stick thermometer, just: WHY? This device is connected to a mobile app... And a mobile app in this case probably means software with no security at all;
• GenieCan smart can... With WiFi connection, obviously.
Useful IoT Smart Home devices but...
... are costly or just vulnerable; an average user simply buys cheaper and less secure devices!
• Netgear Arlo IP cameras have decent security maintenance, but at a price of 200 $ each for the cheaper models (and they are not immune to human failures);
• Belkin Wemo smart light switches cost about 50 $ each and have a recently discovered buffer overflow vulnerability;
• Amazon Echo is a well-known smart home assistant which was recently hacked to become an eavesdropping machine, although not in an easy manner.
HEART Network
The HEART network has to be easily deployable with minimum aesthetic impact on the tenant building; the network also has to be maintained with minimum in-building human intervention. That makes the implementation of the network and the technical choices already challenging, even ignoring security aspects.
HEART Network and IoT Sec
The network proposed for the project perfectly fits all four of the security points presented:
1. The sensors deployed are low-power devices with no built-in security;
2. More hardware for security means higher power consumption in the devices;
3. Adding security layers means more hardware and higher implementation costs, also due to more human intervention for maintenance;
4. Connection to the Internet makes it clear that the network has to be safe not only against functional failure but also against improper usage.
Conclusions
ICT experts in the HEART project have to work on an easily deployable network with minimum aesthetic impact on the tenant building, making it secure against system failure and improper usage, all of this with minimum on-site maintenance intervention and minimum overall costs: not an easy task!
Thanks for the attention!
... and here, our first nineties Internet Toaster!