mark horowitz - stanford engineering - securing the internet of things

Securing the Internet of Things

Mark Horowitz

Stanford School of Engineering

1

Secure Internet of Things

It's Worse Than You Think

3


Our Goal

• Embark on a 5-year research project to secure the Internet of Things▶ Collaboration between Stanford, Berkeley, and Michigan

• Rethink building IoT systems from the ground up▶ Systems, cryptography, applications, analytics, networks,

hardware, software, HCI

• Data security: novel cryptography that enables analytics on confidential data

• System security: a software framework for safe and secure IoT applications

4


Outline

• What is the "Internet of Things"?• Why IoT security is so hard• What we plan to do about it

5


The Internet of Things

6


Internet(s) of Things

7

NetworkedDevices

Tens/personUncontrolled Environment

Unlicensed spectrumConvenience

Powered

WiFi/802.11TCP/IP

IEEE/IETF

Personal AreaNetworks

Tens/personPersonal environmentUnlicensed spectrum

InstrumentationFashion vs. function

Bluetooth, BLE3G/LTE

3GPP/IEEE

Home AreaNetworksHundreds/person

Uncontrolled EnvironmentUnlicensed spectrum

ConvenienceConsumer requirements

ZigBee, Z-Wave6lowpan, RPL

IETF/ZigBee/private

IndustrialAutomation

Thousands/personControlled Environment

High reliabilityControl networks

Industrial requirements

WirelessHART, 802.15.46tsch, RPL

IEEE/IIC/IETF


Internet(s) of Things

8

NetworkedDevices

Tens/personUncontrolled Environment

Unlicensed spectrumConvenience

Powered

WiFi/802.11TCP/IP

IEEE/IETF

Personal AreaNetworks

Tens/personPersonal environmentUnlicensed spectrum

InstrumentationFashion vs. function

Bluetooth, BLE3G/LTE

3GPP/IEEE

Home AreaNetworksHundreds/person

Uncontrolled EnvironmentUnlicensed spectrum

ConvenienceConsumer requirements

ZigBee, Z-Wave6lowpan, RPL

IETF/ZigBee/private

IndustrialAutomation

Thousands/personControlled Environment

High reliabilityControl networks

Industrial requirements

WirelessHART, 802.15.46tsch, RPL

IEEE/IIC/IETF

Secure Internet of Things 9

IoT: MGC Architecture


IoT: MGC ArchitectureeMbedded

devices


Gateways

11


ZigBee,ZWave,

Bluetooth,WiFi

eMbeddeddevices


ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP

GatewaysCloud

12

IoT: MGC ArchitectureeMbedded

devices


ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP

eMbeddeddevices

GatewaysCloud

13User device



embedded C(ARM, avr, msp430)

14

ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP



IoT: MGC Architectureembedded C(ARM, avr, msp430)

ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP

Obj-C/C++, Java, Swift, Javascript/HTML





ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP

Ruby/Rails,Python/Django,J2EE, PHP, Node.js





ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP

Ruby/Rails,Python/Django,J2EE, PHP, Node.js

IoT Security is Hard

• Complex, distributed systems▶ 103-106 differences in resources across tiers▶ Many languages, OSes, and networks▶ Specialized hardware

• Just developing applications is hard• Securing them is even harder

▶ Enormous attack surface▶ Reasoning across hardware, software, languages, devices, etc.▶ What are the threats and attack models?

• Valuable data: personal, location, presence

• Rush to development + hard ➔ avoid, deal later17

18

What We're Going To Do About it


Two Goals

19

1.Research and define new cryptographic computational models for secure data analytics and actuation on enormous streams of real-time data from embedded systems.

2.Research and implement a secure, open source hardware/software framework that makes it easy to quickly build Internet of Things applications that use these new computational models.


Two Kinds of Security

20

• Data security: data collected and processed by IoT applications remains safe▶ Home occupancy▶ Medical data▶ Presence/location

• System security: elements of MGC architecture are hard to compromise▶ eMbedded devices▶ Gateways▶ Cloud systems▶ End applications


Data Security

• Security limits what you (or an attacker) can do• What do IoT applications need to do?

▶ Generate data samples▶ Process/filter these samples▶ Analytics on streams of data, combined with historical data▶ Produce results for end applications to view

• Goal: end-to-end security▶ Embedded devices generate encrypted data▶ Only end applications can fully decrypt and view data▶ Gateways and cloud operate on data without knowing what it is

21


End-to-End Security

22

ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP

Data


ZigBee,ZWave,

Bluetooth,WiFi

3G/4G,TCP/IP

Data

End-to-End Security


End-to-End Security

• Sensing device samples data, encrypts it• Each processing stage can decrypt or operate on

encrypted data (increases storage requirements, limits potential operations)

• Possible that only end user can fully view data

data encrypted encrypted data

25


Homomorphic Encryption(Gentry, 2009)

• Take a sensor value S, encrypt it to be Se• It is possible to perform arbitrary computations on Se

▶ But 1,000,000 slower than computations on S

• So confidential analytics possible, but not yet practical▶ But can be fast for specific computations (e.g., addition)

26


New Computational Models

• Is it possible for devices to compute aggregate statistics without revealing their own data?▶ You’re in the 85th percentile for saving water today!▶ Your house consumed 120% of its average energy today

• Is it possible to compute complex analytics?• Need new cryptographic computation models

▶ Support computations that IoT applications need

• Faculty working in this area:▶ Christopher Ré on analytics▶ Dan Boneh on cryptographic computational models

27


Two Goals

28

1.Research and define new cryptographic computational models for secure data analytics and actuation on enormous streams of real-time data from embedded systems.

2.Research and implement a secure, open source framework that makes it easy to quickly build Internet of Things applications that use these new computational models.


Building an Application• Write a data processing pipeline

▶ Consists of a set of Models, describing data as it is stored▶ Transforms move data between Models▶ Instances of Models are bound to devices▶ Views can display Models▶ Controllers determine how data moves to Transforms

29

Motion!

10Hz !Sampling!

Recent!History!

Activity!

Long!History!

Behavior!

Analytics,!Suggestions!

Health!

Views!

Controllers!

Models and!Transforms!

Recent!History!

Activity!

Sensor! Gateway! PC/Server! App/Web!

security and privacy !Alarm! Schedule!


Code Generation• Framework generates (working) skeleton code for

entire pipeline▶ All Models, Transforms, and Controllers are written in a

platform-independent language▶ Views are device specific (although many are HTML/JS)

• Developer can modify this generated code▶ Framework detects if modifications violate pipeline description▶ E.g., data types, information leakage, encryption▶ Generated code compiles down to device OS/system

• Faculty working in this area:▶ David Mazières: software abstractions for security▶ Phil Levis: Ravel software system

30


The Internet of Things

• Networking is one of the hardest development challenges in IoT applications▶ Ultra-low power protocols▶ Difficult link layers (4G, BLE)▶ Protocol stack mismatches▶ Data packing/unpacking

• Framework handles this automatically▶ Novel network algorithms

• Faculty working in this area:▶ Keith Winstein, reliability in challenged networks▶ Prabal Dutta, low power wireless

31


Software-defined Hardware

• Hardware (boards, chips, power) is a daunting challenge to software developers▶ It easier to modify something than create it from scratch

• The data processing pipeline is sufficient information to specify a basic embedded device▶ Sensors, networking, storage, processing needed

• Faculty working in this area:▶ Mark Horowitz: automating constrained hardware design▶ Prabal Dutta: embedded device design▶ Björn Hartmann: prototyping new applications

32


Making It Easy

• If it's hard to use, people will work around it▶ Set password to "password"▶ Just store data in the clear

• Must understand development model▶ Embrace modification, incorporation, low barrier to entry▶ Do so such that prototypes can transition to production

• Faculty working in this area:▶ Björn Hartmann: prototyping new applications

33