
Security and Privacy Protection

for Internet of Things

Tzong-Chen Wu, Distinguished Professor


Department of Information Management
National Taiwan University of Science & Technology
tcwu@cs.ntust.edu.tw
2016/04/13 version 1.0

1
What is IoT?
Internet of Things
Definition from Wikipedia
The Internet of Things (IoT) is the network of
physical objects that enables these objects to
collect and exchange data
Physical objects include devices, vehicles,
buildings and other items embedded with
electronics, software, sensors and network
connectivity

2
Operation mode for IoT objects
Active mode vs. Passive mode
On-line, off-line, in-line
Data collector vs. Service provider
Physical signal (raw data)
Formatted data (information)
Cross-domain applications
Man-to-Machine vs. Machine-to-Machine
Manual operations (under control?)
Automatic operations (out of control?)

3
System model constructed from IoT
From Closed system to Open system
Interconnection with client/server architecture
Distributed system architecture
Virtual private network over public network
Cross-domain or Embedded
From Static system to Dynamic system
Ad hoc + Mobility
With unexpected JOIN or LEAVE of objects

4
Components of a system
Data
Transmitted data, stored data
Raw data, processed data
Input data, data store, output data
Hardware
Input unit, Output unit, Memory unit, CPU
Software
System programs (e.g., OS), application
Procedure
Normal procedure, exceptional procedure
People
Developer, Manager, End-user

5
Data-oriented system
Figure: Data sits at the centre of the system, surrounded by People, Software, Hardware and Procedure
6
Service-oriented system
Figure: People sit at the centre of the system, surrounded by Data, Software, Procedure and Hardware
7
Security requirements of system
Data-oriented
Confidentiality: encryption/decryption
Integrity: data authentication, digital signature
Authenticity: secure communication
Service-oriented
Availability: anti-interruption with reliability
Authenticity: entity identification
Authorization: access control, privacy protection
Non-repudiation: transactions

8
IoT security matrix
Security dimensions (columns): Information security, Physical security, Management security
Application layer: Intelligent transportation, Healthcare, Smart home, Cloud computing, Analytical services
Network layer: Internet, Mobile communication network
Sensing layer: RFID, Sensor, GPS, WiFi, Bluetooth, Zigbee

9
IoT architecture for Smart-Home

Figure: Smart-Home IoT architecture diagram, brought to you by the research group of NTUST@TWISC


10
Security requirements in Smart-Home
Sensing layer
Data-oriented issues
Data protection
Entity authentication
Network layer
Data-oriented and service-oriented issues
Secure communication protocol
Network security (anti-intrusion)
Application layer
Service-oriented issues
Non-repudiation protocol, digital forensics
Privacy protection, cloud security
11
Security issues in IoT
Who you are
Identification and locating of IoT objects
Authentication to users
What you are
Authentication to Apps or services
Access control by predefined authorization policy
Availability to Apps or services
Data protection
Confidentiality for data transmission
Confidentiality for data stores

12
Privacy protection issues in IoT
Anti-revelation (in accordance with the law)
Data encryption: Confidentiality
Watermarking: Sensitivity or Digital Rights
De-identification or data masking: Anonymity
Anti-clone
Digital forensics: Traitor tracing
Anti-ransom
Hijack (of data, system or physical devices)
Digital forensics: Investigation-enable
13
Development trends of IoTs
Technology development
Integrated Circuit (IC)
Micro Circuit
Microchip
Nanochip
Application development
Ad hoc wireless sensor networks (electronic appliances, vehicles, people, animals, plants, ...)
Home-care (surveillance), life-care (medical), or social-care (bio-medical) systems
Governmental services, public services, military usages

14
Highlight News in IoT
DARPA (Defense Advanced Research Projects
Agency)
Super Soldiers (2015, 9, 28)
Neural microchip to enhance deep learning on the
battlefield (2016, 2, 6)
Google
Driverless car (2012, 4, 1)
University of Calgary (Canada)
Biochip weds brain cells and electronics: Brain-on-a-chip to treat Alzheimer's and Parkinson's (2010, 8, 11)

15
Scenes of IoTs in the near future
When you are driving home, maybe in a driverless car, the car informs you that it has just told your visiting friend, standing at the front door of your house, that you will arrive in 5 minutes
Your refrigerator at home emails or Lines you that you need to bring some bottles of milk back after work
Your puppy dog has just posted a wanted note with a photo on Facebook saying that he got lost somewhere in the city
Any other scene you may not have imagined
16
Potential threats and risk mitigation in IoT: RFID as an example

B. Khoo, IEEE Conf. on Internet of Things, and Cyber, Physical, Social Computing, 2011
17
Open Web Application Security Project
OWASP online since 2001/12/01
Well-known projects
OWASP Mobile security project
OWASP Internet of Things project
OWASP Framework security project
OWASP Enterprise application security project
OWASP Security verification standard project
OWASP Python application security project

18
Open Web Application Security Project
OWASP online since 2001/12/01
Well-known Top 10 reports
Top 10 mobile risk
Top 10 privacy risk
Top 10 vulnerabilities
Several Top 10 reports are released by OWASP every one or two years
They are useful technical references and guidelines for system developers

19
OWASP IoT Top 10 vulnerabilities
2014~2015
1. Insecure web interface
2. Insufficient authentication/authorization
3. Insecure network services
4. Lack of transport encryption/integrity verification
5. Privacy concerns
6. Insecure cloud interface
7. Insecure mobile interface
8. Insufficient security configurability
9. Insecure software/firmware
10. Poor physical security

20
OWASP IoT Top 10 privacy risk
2014~2015
1. Web application vulnerabilities
2. Operator-sided data leakage
3. Insufficient data breach response
4. Insufficient deletion of personal data
5. Non-transparent policies, terms and conditions
6. Collection of data with third party
7. Sharing of data with third party
8. Outdated personal data
9. Missing or insufficient session expiration
10. Insecure data transfer

21
Ongoing IoT security & privacy
Zhang et al., IEEE conf. on SOCA, 2014
Object identification and locating
Object authentication and authorization
Privacy in IoT
Lightweight cryptosystems and security protocols
Software verification and backdoor analysis
Malware in IoT
Android platform

22
Participants of IoT security and
privacy protection
Ethical hackers (white hat) against dark-side hackers
ICT experts for communicational platform and operational
environment
Software/System engineers for system and application
verification
Hardware engineers for physical security and interfaces
Cryptologists for data encryption and privacy protection
ISMS auditors for managerial issues in practices
Forensic experts for digital forensic investigation
etc.

23
BEFORE: What are Hackers?
Capabilities of a hacker
Familiar with existing tools
Via known vulnerabilities or trial and error
Good knowledge of OS, database or network systems
Good knowledge of application domains
Wants of dark-side hackers
Most hacking is unrelated to national security
Just for fun
Just for fame
Just for revenge

24
NOW: What are Hackers?
Capabilities of a hacker
Inherit the BEFORE capabilities
Self-constructed tools
Good knowledge in cryptology
Systematically exploit unknown or new security flaws
Wants of dark-side hackers
May be national security or enterprise benefits
Some work for money (from attacker to defender)
Some work as enthusiasts or terrorists

25
FUTURE: What are Hackers in IoT?
Capabilities of a hacker
Inherit the NOW capabilities
Self-constructed lightweight tools
Advanced knowledge in computer science, information engineering, and cryptology
Plotting an artificial intelligence (AI) agent in IoT
Wants of dark-side hackers
Hijack your minds
Hijack all your life
Hijack a country

26
The top competition of hacking skills
-- DEF CON CTF
Defcon was founded by Jeff Moss in 1993, in Las Vegas, USA
The name comes from the famous movie WarGames (1983)
CON stands for hackers' convention (or party)
DEF is taken from the letters on the 3 key of the telephone keypad
Recent events of Defcon CTF
CTF means Capture The Flag
In 2015, IoT first joined the menu of DEF CON Villages: hacking Internet of Things devices
In 2016, hackers fight against a robotic agent with artificial intelligence

27
Menu of DEF CON Villages in 2016
Crypto and privacy
Wireless
Hardware hacking
Car hacking
Lockpick
Bio hacking
Packet hacking
Social engineering
Tamper evidence
Internet of Things

28
Hacking demos in DEF CON 2016
Hacking demonstrations include:
IoT device management
Healthcare system (patient health and hospital security)
Travel & hospitality industry
Hotel system for room and guest safety
etc.

29
Ransomwares are coming
Just happened
In 2006, the first ransomware was reported
In 2009, the first Bitcoin was announced
In 2011, each hijacked device (the ransomware uses RSA or AES to encrypt the files stored on the device) had to pay a ransom of 1 Bitcoin to obtain the decryption key
In 2014, blockchains (designed using a digital signature algorithm and a hash function) made the on-line payment transactions of Bitcoin traceable
In 2015, the tsunami of ransomware hijacked billions of devices or application systems
More about Bitcoin
One Bitcoin equals 400 USD
The amount of Bitcoins is about 20 million

30
Dark side of IoT
Ubiquitous access to IoT
Low-power or limited-resource IoT objects
Asymmetric warfare in Internet
Powerful hackers in the dark side
Weak users of IoT objects
Unexpected threats from all connected things
What is the trade-off between ubiquitous but uncontrollable access and the intended security/privacy protection in the age of IoT?
31