IoT and HEART: Security aspects

Jago Cocco
Eurac Research
Institute for Renewable Energy


Post on 30-May-2020



Summary

IoT: past, present and future

IoT security issues

Some actual smart home devices

Addressing IoT Sec in HEART


Internet of Things: past

Just an historical remark...

- 1975, X-10 protocol: first protocol to be used for communication among electronic devices in home automation (domotics)
- 1989: Tim Berners-Lee proposes the World Wide Web
- 1989, the first IoT device: John Romkey's Internet Toaster
- 1999, official birth of IoT: the Internet of Things term is coined by Kevin Ashton, executive director of the Auto-ID Center

... Basics of IoT technology are not fresh ideas!


Internet of Things: present

A current definition from the European Parliament:

The Internet of Things (IoT) refers to a distributed network connecting physical objects that are capable of sensing or acting on their environment and able to communicate with each other, other machines or computers. The data these devices report can be collected and analyzed in order to reveal insights and suggest actions that will produce cost savings, increase efficiency or improve products and services.


Internet of Things: future

The Internet of Things is converging to a new paradigm called Internet of Everything (IoE), which itself contains the IoT definition. From Cisco (2013):

IoE is bringing together people, process, data, and things to make networked connections more relevant and valuable than ever before turning information into actions that create new capabilities, richer experiences, and unprecedented economic opportunity for businesses, individuals, and countries.

In a few words: ubiquitous computing and massive big data analysis, with human beings a part of it.


IoT: what about SECURITY?

Discarding fancy definitions, what is IoT really? IoT is essentially cheap, easily hackable constrained devices in your homes and workplaces (and, even worse, unprotected SCADA devices in your cities' critical infrastructures) with access to the Web: Christmas Day for the bad guys.


From weird IoT enabled teddies...


... to Mirai botnet and massive DDoS


Passing through IoT APT...


... used for Cyberwarfare


Four points on "smart housing" IoT Sec

1. To make constrained devices secure: with low computational power and low memory capacity, implementing classic mitigation techniques ranges from hard to impossible;

2. To make secure constrained devices work with low power consumption;

3. To make constrained devices secure without making it economically disadvantageous;

4. To make it possible to isolate a compromised network: an attack on your local network must not become an issue for the whole Internet.


Still in doubt about IoT Sec?

Shodan, a cybersecurity tool for professionals that is basically a search engine for connected objects, makes it easy to find things like private IP cameras or even weird and creepy stuff like crematoriums, all of which in most cases are accessible from your office desk due to lack of security: just judge for yourself what they found in 2015 in the next slide...


Yup, Internet of BIG Things!

In case you are wondering, this is an interface to the cyclotron at the Lawrence Berkeley National Laboratory!


Creepy but real IoT Smart Home devices

The really weird thing in that: if you check the websites of these products... there is little to no attention to security!

- Prophix smart toothbrush with 10 MP CAMERA (!) inside;
- Kinsa smart stick thermometer, just: WHY? This device is connected to a mobile app... and a mobile app in this case probably means software with no security at all;
- GenieCan smart can... with WiFi connection, obviously.


Useful IoT Smart Home devices but...

... are costly or just vulnerable, and an average user simply buys cheaper and less secure devices!

- Netgear Arlo IP cameras have decent security maintenance but at the price of 200 $ each for the cheaper models (and are not immune to human failures);
- Belkin Wemo smart light switches cost about 50 $ each and have a recently discovered buffer overflow vulnerability;
- Amazon Echo is a notorious smart home assistant which was recently hacked to become an eavesdropping machine, although in a not-so-easy manner.


HEART Network

The HEART network has to be easily deployable with minimum aesthetic impact on the tenant building; the network also has to be maintained with minimum in-building human intervention: that makes the implementation of the network and the technical choices already challenging, even ignoring security aspects.


HEART Network and IoT Sec

The network proposed for the project fits perfectly all four of the security points presented:

1. Sensors deployed are low power devices with no built-in security;

2. More hardware for security means higher power consumption in devices;

3. Adding security layers means more hardware and higher implementation costs, also due to more human intervention for maintenance;

4. Connection to the Internet makes clear that the network has to be safe not only against functional failure but also against improper usage.


Conclusions

ICT experts in the HEART project have to work on an easily deployable network with minimum aesthetic impact in the tenant building, making it secure against system failure and improper usage, all of this with minimum on-site maintenance intervention and also minimum overall costs: not an easy task!


Thanks for the attention!

... and here, our first nineties Internet Toaster!