Security in the Internet of Things

Nov 2, 2013 (3 years and 9 months ago)

Manfred Aigner

IAIK (Institute for Applied Information Processing and Communications), TU Graz, Austria

Email: manfred.aigner@iaik.tugraz.at

Internet of Things

… network of objects …

… a system … that would be able to instantaneously identify any kind of object.

… one major next step in this development of the Internet, which is to progressively evolve from a network of interconnected computers to a network of interconnected objects …

… from communicating people (Internet)

… to communicating items …

… from 3-5 computers per person …

… to 10-25 communicating items per person …

… from human triggered communication …

… to event triggered communication …

Internet of Things

Characteristics


Pervasive

Ubiquitous

Emerging

Global



Internet of Things: … pervasive - ubiquitous

Define: pervasive

Define: ubiquitous

Technology that will be all around us and therefore “invisible”

Internet of Things: … emerging

Define: emerging

Technology that, as it emerges, becomes more than “many single instances of it”

I do not yet know where the IoT “emerges” to

Internet of Things: … global …

The Internet of Things …

… is it here already?

The Internet of Things is becoming true …

… without planning …

What sort of applications will we have?



What do we have today?


I just crashed my car …

Christopher has uploaded a new slideshow

Typical Web 2.0 application

Johnny says: For the last 5 minutes I was terribly bored by an IoT presentation held by a strange Austrian guy

Are those applications (Facebook, Flickr, Twitter, etc.) protected?

Yes!

Without protection, no $$

Are those applications protected well enough?

Well, … we can discuss …

Typical/Possible IoT Application

Tag says: My UID is 0e12457f8

Typical/Possible IoT Application

My UID is 0x44558833 and the answer to your challenge is 0xAAbb45271839

Typical/Possible IoT Application

I measured 25 °C and it is brighter than 25 min ago

Are those devices protected?

Are the already existing IoT applications protected?

HR-Sensor - wrist watch: Well … No

TUG Gate: Smart Card - Reader: No

RFID Tag - Reader: No

RFID Tag - Reader (Mifare et al): No

WISP - Reader: No

Semi-passive Tag: No

iPod - Shoetag: I do not know …

Remember: no protection, no $$

Why are passive RFID tags so special?

© by NXP

Requirements for protection

Pervasive / ubiquitous: feasible for passive devices

Emerging (may become important): proper security level

Global: prevents proprietary undisclosed solutions

Connected with Internet: compatible to existing protection

Security in the IoT

What do we need?

authentication of tags … proof of origin of products

authentication of readers … access control to tag’s data/configuration

encryption … privacy

anti-eavesdropping, etc.

secure point to point connection

data integrity

signatures by tags/objects … mobile readers and static tags …
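
The difference between the tag that only says its UID and the tag that also answers a challenge (the two "Typical/Possible IoT Application" slides), which is the "authentication of tags" requirement above, shown as an added example that is not part of the original slides. The `Reader` class, the function names, the sample key and the use of truncated HMAC-SHA256 as the symmetric primitive are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the UID is the one on the slide, the key is made up.
TAG_KEYS = {"44558833": bytes.fromhex("000102030405060708090a0b0c0d0e0f")}


def tag_response(key: bytes, uid: str, challenge: bytes) -> bytes:
    """Tag side: MAC over UID and reader challenge (HMAC-SHA256 is an assumption)."""
    mac = hmac.new(key, bytes.fromhex(uid) + challenge, hashlib.sha256)
    return mac.digest()[:8]


class Reader:
    def __init__(self, keys: dict):
        self.keys = keys
        self.pending = {}  # uid -> challenge that has not been answered yet

    def accept_uid_only(self, uid: str) -> bool:
        """Identification only: anything that can say a known UID is accepted."""
        return uid in self.keys

    def new_challenge(self, uid: str) -> bytes:
        self.pending[uid] = secrets.token_bytes(8)  # fresh and unpredictable
        return self.pending[uid]

    def verify(self, uid: str, response: bytes) -> bool:
        challenge = self.pending.pop(uid, None)  # a challenge is single-use
        key = self.keys.get(uid)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(tag_response(key, uid, challenge), response)


def demo() -> tuple:
    uid, reader = "44558833", Reader(TAG_KEYS)
    first = tag_response(TAG_KEYS[uid], uid, reader.new_challenge(uid))
    genuine = reader.verify(uid, first)    # tag holding the key answers
    reader.new_challenge(uid)              # next session, new challenge
    replayed = reader.verify(uid, first)   # old answer repeated
    return reader.accept_uid_only(uid), genuine, replayed


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The UID alone is accepted from anyone who knows it, while the response is only valid for the one challenge it was computed for, so the reader learns that the tag holds the key.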

Towards a secure IoT

Where are we now?

Current RFID tags (logistics): no protection

RFID applications: mainly closed loop apps

“Security” tags:

CRYPTO01: broken

DST-40: broken

Legic Prime: broken

Keeloq: broken

… more to come …

Towards a secure IoT

where do we go?

security is a “hot topic”

security standardization for ISO-18000 ongoing

research has shown that

real crypto is feasible (symm. & asymm.)

protocols are feasible

tools for prototyping exist

programmable tags

simulation platforms

programmable reader platforms

Will the IoT be secure in the future?


Remember: no protection, no $$