Securing the Internet of Things
Mark Horowitz, Stanford School of Engineering
Jul 09, 2015
Secure Internet of Things
It's Worse Than You Think
Our Goal
• Embark on a 5-year research project to secure the Internet of Things
  ▶ Collaboration between Stanford, Berkeley, and Michigan
• Rethink building IoT systems from the ground up
  ▶ Systems, cryptography, applications, analytics, networks, hardware, software, HCI
• Data security: novel cryptography that enables analytics on confidential data
• System security: a software framework for safe and secure IoT applications
Outline
• What is the "Internet of Things"?
• Why IoT security is so hard
• What we plan to do about it
The Internet of Things
Internet(s) of Things
• Networked Devices
  ▶ Tens/person
  ▶ Uncontrolled environment, unlicensed spectrum
  ▶ Convenience; powered
  ▶ WiFi/802.11, TCP/IP
  ▶ IEEE/IETF
• Personal Area Networks
  ▶ Tens/person
  ▶ Personal environment, unlicensed spectrum
  ▶ Instrumentation; fashion vs. function
  ▶ Bluetooth, BLE, 3G/LTE
  ▶ 3GPP/IEEE
• Home Area Networks
  ▶ Hundreds/person
  ▶ Uncontrolled environment, unlicensed spectrum
  ▶ Convenience; consumer requirements
  ▶ ZigBee, Z-Wave, 6lowpan, RPL
  ▶ IETF/ZigBee/private
• Industrial Automation
  ▶ Thousands/person
  ▶ Controlled environment, high reliability
  ▶ Control networks; industrial requirements
  ▶ WirelessHART, 802.15.4, 6tsch, RPL
  ▶ IEEE/IIC/IETF
IoT: MGC Architecture
• eMbedded devices: embedded C (ARM, avr, msp430)
• ZigBee, ZWave, Bluetooth, WiFi: links from eMbedded devices to Gateways
• Gateways
• 3G/4G, TCP/IP: links from Gateways to the Cloud
• Cloud: Ruby/Rails, Python/Django, J2EE, PHP, Node.js
• User device: Obj-C/C++, Java, Swift, Javascript/HTML
IoT Security is Hard
• Complex, distributed systems
  ▶ 10^3 to 10^6 differences in resources across tiers
  ▶ Many languages, OSes, and networks
  ▶ Specialized hardware
• Just developing applications is hard
• Securing them is even harder
  ▶ Enormous attack surface
  ▶ Reasoning across hardware, software, languages, devices, etc.
  ▶ What are the threats and attack models?
• Valuable data: personal, location, presence
• Rush to development + hard ➔ avoid, deal later
What We're Going To Do About it
Two Goals
1. Research and define new cryptographic computational models for secure data analytics and actuation on enormous streams of real-time data from embedded systems.
2. Research and implement a secure, open source hardware/software framework that makes it easy to quickly build Internet of Things applications that use these new computational models.
Two Kinds of Security
• Data security: data collected and processed by IoT applications remains safe
  ▶ Home occupancy
  ▶ Medical data
  ▶ Presence/location
• System security: elements of the MGC architecture are hard to compromise
  ▶ eMbedded devices
  ▶ Gateways
  ▶ Cloud systems
  ▶ End applications
Data Security
• Security limits what you (or an attacker) can do
• What do IoT applications need to do?
  ▶ Generate data samples
  ▶ Process/filter these samples
  ▶ Analytics on streams of data, combined with historical data
  ▶ Produce results for end applications to view
• Goal: end-to-end security
  ▶ Embedded devices generate encrypted data
  ▶ Only end applications can fully decrypt and view data
  ▶ Gateways and cloud operate on data without knowing what it is
End-to-End Security
[Diagram: Data flows from eMbedded devices over ZigBee, ZWave, Bluetooth, WiFi to Gateways, then over 3G/4G, TCP/IP to the Cloud; the data is labelled "data encrypted" at the device and "encrypted data" at every later stage]
• Sensing device samples data, encrypts it
• Each processing stage can decrypt or operate on encrypted data (increases storage requirements, limits potential operations)
• Possible that only end user can fully view data
Homomorphic Encryption (Gentry, 2009)
• Take a sensor value S, encrypt it to be S_e
• It is possible to perform arbitrary computations on S_e
  ▶ But 1,000,000× slower than computations on S
• So confidential analytics possible, but not yet practical
  ▶ But can be fast for specific computations (e.g., addition)
New Computational Models
• Is it possible for devices to compute aggregate statistics without revealing their own data?
  ▶ You're in the 85th percentile for saving water today!
  ▶ Your house consumed 120% of its average energy today
• Is it possible to compute complex analytics?
• Need new cryptographic computation models
  ▶ Support computations that IoT applications need
• Faculty working in this area:
  ▶ Christopher Ré on analytics
  ▶ Dan Boneh on cryptographic computational models
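Added example (not code from the talk or the project) for the "fast for specific computations (e.g., addition)" remark and the aggregate-statistics question above: a toy Paillier scheme in which each sensor encrypts its reading, a gateway sums the ciphertexts without holding any key, and only the end application decrypts the total. The primes, readings and function names are constructed for illustration.

```python
import secrets
from math import gcd

# Toy Paillier parameters, constructed for illustration only: ~20-bit primes are
# trivially factorable; a real deployment needs ~1024-bit p and q.
P, Q = 1000003, 1000033

def _L(u, n):
    return (u - 1) // n

def keygen(p=P, q=Q):
    """Return (public key, private key) for Paillier with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)

def encrypt(pk, m):
    """Randomized encryption: the same reading encrypts to a different ciphertext each time."""
    n, g = pk
    assert 0 <= m < n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pk, sk, c):
    """Only the end application, which holds (lam, mu), can do this."""
    n, _ = pk
    lam, mu = sk
    return (_L(pow(c, lam, n * n), n) * mu) % n

def add_encrypted(pk, c1, c2):
    """Gateway side: multiplying ciphertexts adds the underlying plaintexts."""
    n, _ = pk
    return (c1 * c2) % (n * n)

def aggregate_encrypted(pk, ciphertexts):
    """Sum a list of encrypted readings without ever decrypting any of them."""
    total = encrypt(pk, 0)
    for c in ciphertexts:
        total = add_encrypted(pk, total, c)
    return total

def demo(readings):
    pk, sk = keygen()
    cts = [encrypt(pk, v) for v in readings]  # each sensor encrypts its own sample
    enc_total = aggregate_encrypted(pk, cts)  # gateway aggregates blind
    return decrypt(pk, sk, enc_total)         # end application sees only the total
```

The gateway never sees a reading, only the per-device ciphertexts and their product, which is exactly the "operate on data without knowing what it is" property the Data Security slide asks for.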
Two Goals
1. Research and define new cryptographic computational models for secure data analytics and actuation on enormous streams of real-time data from embedded systems.
2. Research and implement a secure, open source framework that makes it easy to quickly build Internet of Things applications that use these new computational models.
Building an Application
• Write a data processing pipeline
  ▶ Consists of a set of Models, describing data as it is stored
  ▶ Transforms move data between Models
  ▶ Instances of Models are bound to devices
  ▶ Views can display Models
  ▶ Controllers determine how data moves to Transforms
[Diagram: example pipeline across the tiers Sensor, Gateway, PC/Server and App/Web. Models and Transforms: Motion (10Hz sampling) → Recent History → Activity → Long History → Behavior → Analytics, Suggestions → Health. Views and Controllers sit alongside; security and privacy, Alarm and Schedule are shown at the application end]
Code Generation
• Framework generates (working) skeleton code for the entire pipeline
  ▶ All Models, Transforms, and Controllers are written in a platform-independent language
  ▶ Views are device specific (although many are HTML/JS)
• Developer can modify this generated code
  ▶ Framework detects if modifications violate the pipeline description
  ▶ E.g., data types, information leakage, encryption
  ▶ Generated code compiles down to device OS/system
• Faculty working in this area:
  ▶ David Mazières: software abstractions for security
  ▶ Phil Levis: Ravel software system
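Added illustration of the consistency check the two pipeline slides describe (Models, Transforms, and a framework that flags edits violating the description). This is not Ravel's code: the Model/Transform fields, the tier names and the three rules are assumptions, and the motion pipeline is reconstructed from the diagram's labels.

```python
from dataclasses import dataclass

# Constructed illustration of the check the slides describe. The Model/Transform
# fields, tier names and rules below are assumptions, not the Ravel framework's design.

@dataclass(frozen=True)
class Model:
    name: str
    dtype: str          # data type the pipeline description declares
    confidential: bool  # must stay encrypted except at the endpoints

@dataclass(frozen=True)
class Transform:
    name: str
    tier: str           # 'sensor', 'gateway', 'server' or 'app'
    src: Model
    dst: Model
    out_dtype: str      # type the developer's modified code actually emits
    decrypts: bool = False

KEY_HOLDERS = {"sensor", "app"}  # end-to-end: only the endpoints hold the data key

def check_pipeline(transforms):
    """Return violations of the pipeline description (empty list = consistent)."""
    problems = []
    for t in transforms:
        if t.out_dtype != t.dst.dtype:
            problems.append(f"{t.name}: emits {t.out_dtype} but {t.dst.name} declares {t.dst.dtype}")
        if t.src.confidential and t.decrypts and t.tier not in KEY_HOLDERS:
            problems.append(f"{t.name}: decrypts {t.src.name} on tier '{t.tier}'")
        if t.src.confidential and not t.dst.confidential and t.tier not in KEY_HOLDERS:
            problems.append(f"{t.name}: leaks {t.src.name} into non-confidential {t.dst.name}")
    return problems

def motion_pipeline(gateway_decrypts=False, archive_dtype="int16[]"):
    """The slide's motion example, with two knobs that simulate developer edits."""
    motion = Model("Motion", "int16[]", True)
    recent = Model("RecentHistory", "int16[]", True)
    long_h = Model("LongHistory", "int16[]", True)
    health = Model("Health", "summary", False)
    return [
        Transform("sample", "sensor", motion, recent, "int16[]"),
        Transform("archive", "gateway", recent, long_h, archive_dtype, decrypts=gateway_decrypts),
        Transform("analyze", "app", long_h, health, "summary", decrypts=True),
    ]

if __name__ == "__main__":
    for p in check_pipeline(motion_pipeline(gateway_decrypts=True)):
        print("violation:", p)
```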
The Internet of Things
• Networking is one of the hardest development challenges in IoT applications
  ▶ Ultra-low power protocols
  ▶ Difficult link layers (4G, BLE)
  ▶ Protocol stack mismatches
  ▶ Data packing/unpacking
• Framework handles this automatically
  ▶ Novel network algorithms
• Faculty working in this area:
  ▶ Keith Winstein, reliability in challenged networks
  ▶ Prabal Dutta, low power wireless
Software-defined Hardware
• Hardware (boards, chips, power) is a daunting challenge to software developers
  ▶ It is easier to modify something than to create it from scratch
• The data processing pipeline is sufficient information to specify a basic embedded device
  ▶ Sensors, networking, storage, processing needed
• Faculty working in this area:
  ▶ Mark Horowitz: automating constrained hardware design
  ▶ Prabal Dutta: embedded device design
  ▶ Björn Hartmann: prototyping new applications
Making It Easy
• If it's hard to use, people will work around it
  ▶ Set password to "password"
  ▶ Just store data in the clear
• Must understand development model
  ▶ Embrace modification, incorporation, low barrier to entry
  ▶ Do so such that prototypes can transition to production
• Faculty working in this area:
  ▶ Björn Hartmann: prototyping new applications