IoT: a Security and Privacy Perspective (iot.stanford.edu/workshop14/sitp-8-11-14-boneh.pdf)
Secure Internet of Things Project Workshop
Stanford University
August 11, 2014

IoT: a Security and Privacy Perspective
Dan Boneh
Stanford University

Dan Boneh
• Professor, Stanford
  ▶ Computer science and electrical engineering
  ▶ Director, Security Lab
• Research: security and cryptography
  ▶ Web security
  ▶ Cryptosystems with novel properties
  ▶ Crypto for privacy
  ▶ Security protocols (e.g. HTTPS, tcpcrypt)
  ▶ Security education

Security Lab at Stanford
• Alex Aiken: software analysis
• Dan Boneh: applied crypto, web security
• David Dill: verification and secure voting
• Dawson Engler: static analysis
• David Mazières: operating systems
• Phil Levis: security for sensor nets
• John Mitchell: protocol design, online ed.
• Mendel Rosenblum: VMs in security

IoT Data Collection
[Diagram labels: Devices; Gateway; Cloud; Personalization; Analysis; Recommendations; Reputation]

The Cloud
Stores lots of IoT data
• A good target for attack
• A good target for subpoenas

Ideal solution:
• Provide same services (recommendations, personalization) … but without ever seeing user data in the clear

Can an IoT cloud provide services without seeing cleartext data?

An IoT example: find broken roads
[Diagram labels: NHTSA; TCS at (loc, time, speed)]

Goal: identify bad road segments
• Whenever my car activates its Traction Control (TCS), send (location, time, velocity) to NHTSA cloud
• NHTSA: identify locations where TCS activated >T times

Marketing problem:
• government tracking cars
• will not fly
⇒ Data market failure

Can we do better?
Goal: keep data on IoT device

An approach: secure computation [Yao’82]
[Diagram labels: Program P; Input x; P(x); ???]
Has become quite practical:
• 10^9 gates in reasonable time
Problem: most practical work geared towards few parties (two or three)

IoT: drives new directions in practical secure computation
Secure computation with millions of users [HLP’11]
[Diagram label: Result (but nothing else)]

Our work (sample)
Design efficient protocols for these settings

Examples:
• Proximity alerts across millions of users [NTHLB’11] (BPA)
• Machine learning on data from millions of users: matrix factorization, regression [NIWJTB’13, NIWJBT’13]
• Bad road segments:
  ▶ Approach: leverage secure voting systems
  ▶ NHTSA learns bad road segments, but not who was there

Long term: simplify protocol design

Claim: many IoT cloud computations can be done as a distributed protocol among clients
⇒ cloud learns results, but not underlying data

IoT: secure computation for:
• analyzing streams of data, multi-pass algorithms
• low communication overhead, intermittent network access, and low power
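
An added example, not from the slides or the cited papers: one simple way clients can run the bad-road tally as a distributed protocol so that the cloud learns per-segment counts but no individual car's report. It uses pairwise additive masking rather than the voting-based protocol the slide names, and assumes an honest-but-curious cloud, cars that all stay online, and pairwise shared randomness set up beforehand; the threshold value, modulus and sample data are constructed.

```python
import secrets

Q = 2**32   # all arithmetic is modulo Q
T = 2       # constructed threshold: flag segments with more than T activations

# Constructed sample: one row per car, one column per road segment,
# 1 = this car's TCS activated on that segment.
CARS = [[1, 0, 1, 0],
        [1, 0, 0, 0],
        [1, 1, 0, 0],
        [0, 0, 1, 0]]

def pairwise_masks(n_cars, n_seg):
    """Simulate every pair of cars (i < j) agreeing on a random value r per
    segment: car i adds r and car j subtracts it, so all masks sum to 0."""
    masks = [[0] * n_seg for _ in range(n_cars)]
    for i in range(n_cars):
        for j in range(i + 1, n_cars):
            for s in range(n_seg):
                r = secrets.randbelow(Q)
                masks[i][s] = (masks[i][s] + r) % Q
                masks[j][s] = (masks[j][s] - r) % Q
    return masks

def car_upload(events, mask):
    """The only thing a car sends: its 0/1 vector blinded by its mask."""
    return [(e + m) % Q for e, m in zip(events, mask)]

def cloud_tally(uploads):
    """Cloud side: add the uploads. Masks cancel, leaving per-segment totals."""
    return [sum(column) % Q for column in zip(*uploads)]

def bad_segments(totals, threshold=T):
    """Segments where TCS activated more than `threshold` times."""
    return [seg for seg, count in enumerate(totals) if count > threshold]

def run(cars=CARS):
    masks = pairwise_masks(len(cars), len(cars[0]))
    uploads = [car_upload(c, m) for c, m in zip(cars, masks)]
    return masks, uploads, cloud_tally(uploads)

if __name__ == "__main__":
    _, uploads, totals = run()
    print("one car's upload:", uploads[0])
    print("totals:", totals, "bad segments:", bad_segments(totals))
```

Nothing here stops a car from uploading a value other than 0 or 1 to skew a count; voting-style systems add validity proofs for that.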

An architecture challenge

Misusing Sensors
Sensors on IoT devices can be abused

Phone (MEMS) gyroscope: designed for games
▶ Unmitigated access, can be sampled at 200 Hz
▶ Problem: sensitive enough to sense acoustic signals
⇒ GyroPhone: detect speech by sampling the gyroscope

Phone fingerprinting via the accelerometer:
▶ Unmitigated access to accelerometer
▶ Manufacturing imperfections can be measured
⇒ provides a phone-specific fingerprint

with Yan Michalevsky and Gabi Nakibly

Gateway security?
[Diagram labels: Devices; Gateway; Cloud]

Example: Pebble watch
[Diagram labels: cloud services; Pebble app; Stock Tracker 3rd party app; malicious 3rd party app]

Security challenges:
• IoT gateway app must ensure isolation among apps
• App on watch should not call another app’s connector
Every IoT device with 3rd party apps will face these problems

THE END