IoT: a Security and Privacy Perspective
Source: iot.stanford.edu/workshop14/sitp-8-11-14-boneh.pdf

Post on 23-Mar-2018


Secure Internet of Things Project Workshop
Stanford University

August 11, 2014

IoT: a Security and Privacy Perspective

Dan Boneh
Stanford University

Dan Boneh

•  Professor, Stanford
▶  Computer science and electrical engineering
▶  Director, Security lab.

•  Research: security and cryptography
▶  Web Security
▶  Cryptosystems with novel properties
▶  Crypto for privacy
▶  Security protocols (e.g. HTTPS, tcpcrypt)
▶  Security education

Security Lab at Stanford

•  Alex Aiken: software analysis
•  Dan Boneh: applied crypto, web security
•  David Dill: verification and secure voting
•  Dawson Engler: static analysis
•  David Mazières: Op. Systems
•  Phil Levis: security for sensor nets
•  John Mitchell: protocol design, online ed.
•  Mendel Rosenblum: VMs in security

IoT Data Collection

[Diagram labels: Cloud, Devices, Gateway; Personalization, Analysis, Recommendations, Reputation]

The Cloud

Stores lots of IoT data
•  A good target for attack
•  A good target for subpoenas

Ideal solution:
•  Provide same services (recommendations, personalization) … but without ever seeing user data in the clear

Can an IoT cloud provide services without seeing cleartext data?

An IoT example: find broken roads

Goal: identify bad road segments
•  Whenever my car activates its Traction Control (TCS), send (location, time, velocity) to NHTSA cloud
•  NHTSA: identify locations where TCS activated >T times

[Diagram: cars send "TCS at (loc, time, speed)" to NHTSA]

Marketing problem:
•  government tracking cars
•  will not fly
⇒ Data market failure

Can we do better?

Goal: keep data on IoT device

An approach: secure computation [Yao’82]

[Diagram labels: Program P, Input x, P(x), ???]

Has become quite practical:
•  10^9 gates in reasonable time

Problem: most practical work geared towards few parties (two or three)

IoT: drives new directions in practical secure computation

Secure computation with millions of users [HLP’11]

[Diagram label: Result (but nothing else)]

Our work (sample)

Design efficient protocols for these settings

Examples:
•  Proximity alerts across millions of users [NTHLB’11] (BPA)
•  Machine learning on data from millions of users: matrix factorization, regression [NIWJTB’13, NIWJBT’13]
•  Bad road segments:
▶  Approach: leverage secure voting systems
▶  NHTSA learns bad road segments, but not who was there

Long term: simplify protocol design

Claim: many IoT cloud computations can be done as a distributed protocol among clients
⇒ cloud learns results, but not underlying data

IoT: secure computation for:
•  analyzing streams of data, multi-pass algorithms
•  low communication overhead, intermittent network access, and low power
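An added illustration of the bad-road-segment goal above (the cloud learns which segments exceed T, but not who was there); this is example code written for this transcript, not the protocol from the talk or the cited papers. It swaps in plain additive secret sharing between two aggregators instead of a full secure voting system. Assumptions: the two hypothetical `Aggregator` servers do not collude, cars are honest, and the modulus, segment indices and events are constructed.

```python
import secrets

P = 2**61 - 1  # prime modulus for the shares (constructed choice)

def share_vote(segment, num_segments):
    """Car side: split a one-hot vote for `segment` into two additive shares mod P."""
    vote = [1 if i == segment else 0 for i in range(num_segments)]
    share_a = [secrets.randbelow(P) for _ in range(num_segments)]
    share_b = [(v - a) % P for v, a in zip(vote, share_a)]
    return share_a, share_b  # each share alone is uniformly random

class Aggregator:
    """Hypothetical server: keeps a running sum of the shares it receives."""
    def __init__(self, num_segments):
        self.totals = [0] * num_segments

    def receive(self, share):
        self.totals = [(t + s) % P for t, s in zip(self.totals, share)]

def bad_segments(agg_a, agg_b, threshold):
    """Combine the two totals; only per-segment counts are revealed."""
    counts = [(a + b) % P for a, b in zip(agg_a.totals, agg_b.totals)]
    return [i for i, c in enumerate(counts) if c > threshold]

def run_demo():
    # Constructed TCS events: (car, road segment index). The car id is never sent.
    events = [("car1", 2), ("car2", 2), ("car3", 0), ("car4", 2),
              ("car5", 2), ("car6", 1), ("car7", 0)]
    agg_a, agg_b = Aggregator(4), Aggregator(4)
    for _car, segment in events:
        share_a, share_b = share_vote(segment, 4)
        agg_a.receive(share_a)
        agg_b.receive(share_b)
    return bad_segments(agg_a, agg_b, threshold=3)

if __name__ == "__main__":
    print(run_demo())
```

A deployment would also need each aggregator to verify that a submitted vector is a valid one-hot vote, since a malformed share can skew the counts; this sketch omits that check.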


An architecture challenge

Misusing Sensors

Sensors on IoT devices can be abused

Phone (MEMS) Gyroscope: designed for games
▶  Unmitigated access, can be sampled at 200Hz
▶  Problem: sensitive enough to sense acoustic signals
⇒ GyroPhone: detect speech by sampling the Gyroscope

Phone fingerprinting via the accelerometer:
▶  Unmitigated access to accelerometer
▶  Manufacturing imperfections can be measured
⇒ provides a phone-specific fingerprint

with Yan Michalevsky and Gabi Nakibly

Gateway security?

[Diagram labels: Cloud, Devices, Gateway]

Example: Pebble watch

[Diagram labels: cloud services, Pebble app, Stock Tracker 3rd party app, malicious 3rd party app]

Security challenges:
•  IoT gateway app must ensure isolation among apps
•  App on watch should not call another app’s connector

Every IoT device with 3rd party apps will face these problems

THE END
