Notes from Security Reading Group Discussion
Discussants: Nick and Seda
Paper raises more questions than answers
problem:
- diversity of devices, multiple providers, none of them control the whole ecosystem: traditional approaches may not automatically apply
- go into reasons of why: policies that people may need to express
- typically security requires looking at signatures of attacks, comparing traffic against signatures, or alternatively looking at behaviors that deviate
- they claim that those are not going to necessarily work out in the setting of IoT
- since devices are different, it may be difficult to come up with a signature, making learning very difficult
- network security is usually thought of as a perimeter defense: in the IoT setting, that may not work out
- you can't do host-centric approaches: host AV is dead, low resource, providers don't care
how can the solution look:
- the rest of the paper is open to a lot of discussion
proposal:
- high-level vision: control platform, customized microboxes that are sitting in different places in the network, middleboxes. lightweight? route traffic through these. not controversial, and you are going to apply some learning and policies
- security architecture: centralized control point may be a home router: discussion point: one vendor is going to be a control point?
approach:
for capturing device interactions
they sort of assume that the environment has states that it can be in, fire alarm can be on and off, windows open and closed, and use that to build policies
define the possible states that devices can be in, and groups of states that are ok or are not ok
and states that can cause alarm or concern
this requires a brute force enumeration of the rules and they do mention state explosion
brute force is interesting: all the rules, if you sort of suspend consideration of cross device interaction, the rules are going to be simple and there are going to be many of them. enumerating is going to be hard. you are not doing classification or clustering, i didn't see the immediate solution to that problem
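Added example (not from the paper or from the discussion): a small sketch of the state-based policy idea above, showing why brute-force enumeration of joint device states blows up. The device names, states and rules are constructed for illustration.

```python
from itertools import product
from math import prod

# Constructed smart-home model: device name -> states it can report.
DEVICES = {
    "fire_alarm": ("off", "on"),
    "window": ("closed", "open"),
    "oven": ("off", "on"),
    "occupancy": ("home", "away"),
}

# Constructed cross-device rules naming joint states that are "not ok".
RULES = {
    "oven on while away":
        lambda s: s["oven"] == "on" and s["occupancy"] == "away",
    "window open while away":
        lambda s: s["window"] == "open" and s["occupancy"] == "away",
}


def state_space_size(devices):
    """Number of joint states: the product of per-device state counts."""
    return prod(len(states) for states in devices.values())


def joint_states(devices):
    """Yield every joint state as a dict (brute-force enumeration)."""
    names = list(devices)
    for combo in product(*(devices[n] for n in names)):
        yield dict(zip(names, combo))


def violations(state, rules=RULES):
    """Names of the rules that a single observed state breaks."""
    return [name for name, pred in rules.items() if pred(state)]


def partition(devices, rules=RULES):
    """Split the whole state space into (ok, concern) counts."""
    ok = concern = 0
    for state in joint_states(devices):
        if violations(state, rules):
            concern += 1
        else:
            ok += 1
    return ok, concern


if __name__ == "__main__":
    print(state_space_size(DEVICES), partition(DEVICES))
    # A home with 50 two-state devices cannot be enumerated this way.
    fifty = {f"dev{i}": ("off", "on") for i in range(50)}
    print(state_space_size(fifty))
```

Checking one observed state against the rules is cheap; what does not scale is auditing the full ok/not-ok partition, since every added two-state device doubles the space.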
then they talk about how you learn security policies. they raise it as a question rather than provide a solution
two standard approaches:
- defining and detecting attack signatures
- detecting anomalous behavior that deviates from normal
the scale and diversity is so great, also to define what normal and anomalous mean, your standard snort rules may not straight up apply.
this is a big question: this is one of the challenges in the area
they skipped over device identification
you need to know what the devices are
what is normal behavior if you don't know if this is a thermostat or a tablet
their proposed approach is crowdsourcing
people are going to publish traces for devices
i was not clear on how that was going to work
and then they sort of talk about the need to model cross device interaction
hand waving: we need more community effort
the big questions i had:
1) scale: they mention the need to enumerate rules and signatures
2) diversity: of devices
make the problem unique
important things they didn't consider:
1) the points of control and responsibility: i am not sure that is the only way
2) the responsibility: whose responsibility is it to write these policies and maintain them, users, vendors, isps
3) stakeholders: that is an interesting thing with policy
you have different stakeholders; consumers unable or unwilling to secure devices
vendors: unable or financially disincentivized to care about security and privacy
isps: who historically have not needed to think about this kind of thing, net neutrality, everything is pointing to the isp to be a bit pipe. but at the same time, there are isps selling antivirus to their customers.
how do we keep things convenient for most users while making sure special users can still access their devices and practice their autonomy over them
Further attacks:
there are different kinds of security and differences between security and privacy
so they were not specific about the attack model
users: there are two kinds of internet of things
municipality and metropolitan level
home level
why is the home level iot different from what we have with computers and mobile devices
is the billion problem for iot devices at homes or at the city level
people: they are worried about traffic in the city
city level: cameras, etc. selecting volumes of data
i am not clear that the billion device problem is the home device problem
you won't have billion devices in the home soon
but you already have probably 50
there is scale, which may not apply under 100
but diversity is an issue: there is a universe of billion things that you can bring home
there are not 1 billion iot devices right now?
depends on how you count (exactly what bowker and star would say)
basically: there is all this motion about kickstarters, they will have their own flaws
i don't know about the trillion flaws
they have talked about shifting security to the network level
they mainly talk about a smart home environment
you can attack either through physical access or home environment
an attacker getting close to your device is unlikely
network is the most important attack model in a home environment
we can't have access to the software of a billion devices
there may be devices coming from other countries
which we cannot make policy interventions in
cars and stuff are a different issue
they may have different ways to get access to the internet
but they can also use the centralized gateway
the centralized solution made sense: maybe you want the attacker to concentrate on that device
there are disadvantages to centralized security point
i saw the architecture as a hierarchy with the microboxes
the question is how do you decide where to place the boxes?
and who puts the policy on those boxes?
device manufacturers: do you trust them to write a privacy policy for you?
the policy may be different for every home
you can't have someone write a policy for each home
one of the technical challenges: the device identification, the state that the device is in
user control:
general point: this question of who gets to control the devices and their behavior
in marshini's slides she said everyone wants to have control, but then you give it to them and they don't know what to do
their mental models of what a network is is often totally off
but some users do know what is going on and access for them is valuable: admins, maintenance folks.
the home router is where this debate is raging right now
wifi lock down
the issue is on the one hand, you want the ability to modify the firmware and customize radio
there are things that users need to stay out of
who gets to control the firmware on the router
it is reasonable to say we should stay out of the radar spectrum
there is this categorical question of whether iot is different or not
but there are botnets and there, research has shown that some control executed through isps helps
i think your point about the either/or is very good
a much more controlled environment for a company where they can set rules and what states they want to have
companies that do anomaly detection: they don't know what is going on in their network
so, i wonder how you can then scale some of these systems to the whole world
we are writing off liability a little too soon
software companies don't have any liability for their products
and this is leading to things like the samsung story where they leak information to third parties and don't feel liable: there needs to be some sort of liability in these environments
yes, administrators have little idea of what is going on with their networks
how do you know that the signal that is coming is a fire alarm
it is probably going to say it is an apple device and you will see a mac address and you don't know what that is
it seems conceivable that that is a more learnable issue
you have a device, and the network asks what that
and it can share that learning with others
so, what is your most parsimonious representation of that
i am an iphone 6s
you could fingerprint it
but with what protocols?
are all the devices talking with the internet or are there devices that just talk with each other and not the internet
currently the model is that everything goes through the cloud
if your amazon echo wants to talk to nest, they will go through their servers and then come back home
your phone controls this on any network
maybe in the future that may not be true
there is also this diversity
wifi/zigbee/bluetooth
so you need different hubs
what is an internet connected device?!
in all internet papers: we have things connected by gateways
zigbee network connects to a gateway that connects to the internet
marketing, too: i can watch the baby in the crib from my iphone
they market this as a cool thing, but then, you wonder
couple of questions
they are advocating a white list approach focused on states
network works well for things i don't want
does that model carry well to issues of information leakage
i don't want to have a random person looking through my cameras
or i don't want an attacker to turn my house into a botnet
since white lists are focused on what is coming in rather than what is leaving my house
do we need to throw out all the original security
maybe there are solutions that they do help with and don't help with
whitelisting is an aggressive security protection
and that would maybe eliminate the less aggressive approaches
anomaly stuff: you would think that it would be somewhat easier in this context
computers are really complicated
the simple iot stuff: you can explicitly model what that thing should do in formal language
but, how many devices do you sit down and model
the manufacturers should give these out
you can do formal specification and make it verifiable
this reminds me of modeling device behavior and interactions
using a system like mininet
if you have device traffic and look at it through a mininet
how does mininet work?
even if you get a pcap of one device, i am not sure how it would be able to capture interaction...
is there any way to set up a centralized white list thing that is not susceptible to attacks?
i say blacklisted things should be whitelisted
only allowing states that make no sense
if you have this database that is insanely large
that is pretty hard to audit and it is probably pretty easy to slip some bad rules into that database
whitelists and ontologies
classification
the difficulties surrounding that
there is also the practical question of what granularity you are happy with
is nest thermostat one type of device or thirty types of devices
can and how should the signatures capture this
you upgrade the firmware and the defaults of how often it calls home changes
and all of a sudden traffic patterns change
they talk about different classes of devices
it seems a little bit over simplified: toaster and the smart bread
the worst thing is that we don't yet know what a thing is
and most of them are running old kernels of linux
the input surface is so small
Resources on Privacy and Security in the Internet of Things:
Suggestions for reading group:
HotNets Paper:
Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things
http://conferences.sigcomm.org/hotnets/2015/papers/yu.pdf
Ian Brown report to ITU:
http://www.itu.int/en/ITU-D/Conferences/GSR/Documents/GSR2015/Discussion_papers_and_Presentations/GSR_DiscussionPaper_IoT.pdf
Industrial/Independent Security Research on IoT:
DefCon Talk Slide Deck:
https://speakerdeck.com/duosec/the-internet-of-things-weve-got-to-chat
Security Community Efforts
https://www.iamthecavalry.org/
Recommendations from security researcher Mark Stanislav (Rapid7)
In terms of published guidance:
1) https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
2) https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
3) https://www.nccgroup.com/media/481272/2014-04-09_-_security_of_things_-_an_implementers_guide_to_cyber_security_for_internet_of_things_devices_and_beyond-2.pdf
In my experience (which is not dissimilar to IoT Top 10 listed above), some big issues are:
1) Insecure network connectivity for device functionality (e.g. API calls from a mobile app and/or web app to the device; transport of data (video/audio/etc.))
2) Poor supply chain management (devices often use stock firmware from ODMs who don't secure anything or patch anything for years [or ever])
3) Weak cloud services (most IoT devices leverage 1-5 cloud services to function, often outsourced to third parties and have vulnerabilities or access control issues)
4) Standard software bugs (services, on-device web applications, etc. we see common code issues like buffer overflows, local file inclusion, sql injection, etc.)
5) Bad firmware security (firmware is unlikely to be cryptographically signed, and rarely has any mechanism at a hardware level to ensure integrity; updates are often over cleartext)
Notes from prior discussions:
Report authored by Ian Brown:
http://www.itu.int/en/ITU-D/Conferences/GSR/Documents/GSR2015/Discussion_papers_and_Presentations/GSR_DiscussionPaper_IoT.pdf
Challenges and opportunities
- cost and reliability
- connectivity
- standards
- open platforms, data and APIs
Policy and regulatory implications and best practices:
- licensing and spectrum management
- switching and roaming
- addressing and numbering
- competition
- privacy and security
FTC Staff Report on Internet of Things (possibly outdated)
https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
- Security issues:
- (1) enabling unauthorized access and misuse of personal information;
- (2) facilitating attacks on other systems; and
- (3) creating safety risks
- Privacy Issues:
- (1) Notice and consent
- (2) data minimization and overcollection (insecurely)
Workshop with Nathan Freitas
- the need to focus on ability of devices to talk to each other (most research focuses on things talking with centralized servers/clouds)
- security issues when devices trust each other and there is no common security policy
- multiple number of devices and users: not just DoS, but management of service. Your network has 100 devices! Is it as bad or comparable to having 100 apps on your phone? How do you know which device is yours etc.
Seda report for SIPA cybersecurity conference:
- manufacturers need to think beyond securing the devices themselves: device moves across security domains, passed on from one user to the other
- how do you bootstrap device and security
- better process integration: development of chips to deployment and maintenance: end-to-end supply chain transparency and security mechanisms at every step of production
- remote maintenance?
- physical attacks
- emergent properties: emergent failure (how to deal with emergent behavior in general? who is responsible for what?)
- gathering experience and intelligence about attack and security
- negative testing: testing how gracefully devices fail
- lifetime assessment: what is the lifetime of a device? what happens once the device manufacturer/vendor disappears?
- ONS: what are the infrastructures for IoT to function, security issues here?
- http://edoc.hu-berlin.de/oa/conferences/reDH5lBuIZRZ/PDF/21RqIaDPoPHRo.pdf
- security of everything vs. compartmentalization: how do you avoid putting everything under surveillance because they may be detrimental to cybersecurity?
- security vs. user autonomy and privacy: can't update firmware extract personal (or other) information
General exploratory questions:
- does context matter: health, smart city, car, home device, activist use. would they have different security and privacy requirements?
- in fact, we may first need to discuss what is our domain of analysis before moving further since currently things are all over the place.
- sim integration: often attached to the device, what is its role in security? (too much hardware?)
- IoT: uplink heavy, current networks: downlink heavy
- NFC: enables the potential of using smartphones as universal platforms for individuals to interact with IoT objects. NFCs, as far as I know, are in miserable shape. Security?
- power sources: challenging for cheap but long-life sensors
- future needs: standards functions in smartphones to interact with tags and sensors: how about security here?
- application specific networks and their security challenges?
- data silos: no open data standards or apis
- 5g
- lack of api standards: while there are standards for wireless communication, APIs lack them. mess
- integration of infrastructure and networks also a challenge: shall we dig deeper? (Intel example in Ian Brown's text)
Network troubles:
Where a company such as a smart meter operator is managing thousands or millions of M2M devices via mobile data networks, they have very different requirements from a typical mobile telephone customer. They need comprehensive network status information, to determine whether a non-communicating device or its network connection is faulty. They want a single subscription for the system, not on a per-device basis. And in many cases, the intended device lifetime will be much longer than individuals typically own a mobile phone – perhaps a decade or more. Replacing a device or even communications module within it will require either an expensive service visit, or a complicated process for customers that may cause faults. Not all mobile network operators can yet cope with these requirements, although many have set up specific business units to address them.
Standards initiatives:
What do they do on security?
ITU-T has created a Global Standards Initiative on Internet of Things (IoT-GSI) to “promote… a unified approach in ITU-T for development of technical standards (Recommendations) enabling the Internet of Things on a global scale,”
The OneM2M group brings together manufacturers, service providers, end-users, and regional standards bodies from North America, Europe and East Asia.
IoT application-specific standards frameworks, such as the M/490 Smart Grid reference architecture
Domains:
Nick's suggestion is to focus on consumer electronics: cameras etc.
IoT security at different levels:
On the network: Object Name Service papers for RFID infrastructure
Network to device
Device to device