Notes from Security Reading Group Discussion

Discussants: Nick and Seda
Participants:

Paper raises more questions than answers.

problem:
- diversity of devices, multiple providers, none of them control the whole ecosystem: traditional approaches may not automatically apply
- go into reasons of why: policies that people may need to express
- typically security requires looking at signatures of attacks, comparing traffic against signatures, or alternatively looking at behaviors that deviate
- they claim that those are not going to necessarily work out in the setting of IoT
- since devices are different, it may be difficult to come up with a signature, making learning very difficult
- network security is usually thought of as a perimeter defense: in the IoT setting, that may not work out
- you can't do host-centric approaches: host AV is dead, low resource, providers don't care

how can the solution look:
- the rest of the paper is open to a lot of discussion

proposal:
- high-level vision: control platform, customized microboxes that are sitting in different places in the network, middleboxes. lightweight? route traffic through these. not controversial, and you are going to apply some learning and policies
- security architecture: centralized control point may be a home router. discussion point: one vendor is going to be a control point?

approach:
- for capturing device interactions they sort of assume that the environment has states that it can be in (fire alarm can be on and off, windows open and closed) and use that to build policies
- define the possible states that devices can be in, and groups of states that are ok or are not ok, and states that can cause alarm or concern
- this requires a brute force enumeration of the rules, and they do mention state explosion
- brute force is interesting: all the rules, if you sort of suspend consideration of cross device interaction, the rules are going to be simple and there are going to be many of them. enumerating is going to be hard.
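Added example (not from the paper or from these notes): a small Python model of the state-based, whitelist-style policy the approach section describes. The device names, their states and the two cross-device rules are constructed assumptions. It shows what the notes call brute force: the per-device rules stay simple, but the joint state space that has to be enumerated grows multiplicatively with every device added.

```python
# Added example, not the paper's code. Device names, states and rules are
# constructed for illustration only.
from itertools import product

# Each (assumed) device has a small set of states it can be in.
DEVICES = {
    "fire_alarm": ("off", "on"),
    "front_window": ("closed", "open"),
    "front_door_lock": ("locked", "unlocked"),
    "occupancy_sensor": ("home", "away"),
}


def joint_state_count(devices):
    """Size of the cross-product state space: this is the state explosion."""
    n = 1
    for states in devices.values():
        n *= len(states)
    return n


def is_concerning(state):
    """Cross-device rules (constructed). Return the names of every rule that
    flags this joint state; an empty list means the state is ok."""
    reasons = []
    if state["front_window"] == "open" and state["occupancy_sensor"] == "away":
        reasons.append("window-open-while-away")
    if state["fire_alarm"] == "on" and state["front_door_lock"] == "locked":
        reasons.append("alarm-with-exit-locked")
    return reasons


def enumerate_policy(devices):
    """Brute-force every joint state and partition it into ok / concerning.
    Returns (ok_states, {concerning_state: [rule names]})."""
    names = list(devices)
    ok, concerning = [], {}
    for combo in product(*(devices[n] for n in names)):
        state = dict(zip(names, combo))
        reasons = is_concerning(state)
        if reasons:
            concerning[combo] = reasons
        else:
            ok.append(combo)
    return ok, concerning


def add_device(devices, name, states):
    """Adding one device multiplies the state space by len(states)."""
    new = dict(devices)
    new[name] = tuple(states)
    return new


if __name__ == "__main__":
    ok, bad = enumerate_policy(DEVICES)
    print(joint_state_count(DEVICES), "joint states;", len(bad), "flagged")
    bigger = add_device(DEVICES, "thermostat", ("heat", "cool", "off"))
    print(joint_state_count(bigger), "joint states after adding a 3-state device")
```

With four two-state devices there are 16 joint states, of which 7 are flagged by the two rules; adding one three-state thermostat takes the space to 48 before a single new rule is written, which is the enumeration problem the notes point at.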
- you are not doing classification or clustering. i didn't see the immediate solution to that problem
- then they talk about how you learn security policies. they raise it as a question rather than provide a solution

two standard approaches:
- defining and detecting attack signatures
- detecting anomalous behavior that deviates from normal

- the scale and diversity is so great, also to define what normal and anomalous mean, your standard snort rules may not straight up apply. this is a big question: this is one of the challenges in the area
- they skipped over device identification: you need to know what the devices are. what is normal behavior if you don't know if this is a thermostat or a tablet?
- their proposed approach is crowdsourcing: people are going to publish traces for devices. i was not clear on how that was going to work
- and then they sort of talk about the need to model cross device interaction. hand waving: we need more community effort

the big questions i had:
1) scale: they mention the need to enumerate rules and signatures
2) diversity: of devices, makes the problem unique

important things they didn't consider:
1) the points of control and responsibility: i am not sure that is the only way
2) the responsibility: whose responsibility is it to write these policies and maintain them? users, vendors, isps
3) stakeholders: that is an interesting thing with policy, you have different stakeholders;
   consumers: unable or unwilling to secure devices
   vendors: unable or financially disincentivized to care about security and privacy
   isps: who historically have not needed to think about this kind of thing, net neutrality, everything is pointing to the isp being a bit pipe. but at the same time, there are isps selling antivirus to their customers.
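Added example (not the paper's or the notes' code): a toy per-device-type traffic profile in Python, sketching what "normal behavior" could mean once a device has been identified, which is what the signature and anomaly approaches above both depend on. The MAC-prefix table, hostnames and flow records are constructed, and device identification is reduced to a prefix lookup, an assumption standing in for real fingerprinting. The code learns an egress host whitelist and a call-home interval per device type from baseline flows, then flags unidentified devices, new egress destinations (what is leaving the house, not only what is coming in) and a changed call-home cadence, which is how a firmware update that changes defaults shows up.

```python
# Added example, not the paper's code. All records, MAC prefixes, device
# types and hostnames are constructed for illustration only.
from collections import defaultdict
from statistics import mean

# Constructed MAC-prefix -> device type table. Stands in for device
# identification; a real deployment would fingerprint (OUI, DHCP, mDNS, ...).
DEVICE_TYPES = {
    "aa:bb:01": "thermostat",
    "aa:bb:02": "camera",
}


def identify(mac):
    """Toy device identification: first three octets of the MAC."""
    return DEVICE_TYPES.get(mac[:8].lower(), "unknown")


# Constructed baseline flow records: (timestamp_s, src_mac, dst_host, bytes_out)
BASELINE_FLOWS = [
    (0,   "aa:bb:01:00:00:01", "api.thermo.example", 300),
    (60,  "aa:bb:01:00:00:01", "api.thermo.example", 310),
    (120, "aa:bb:01:00:00:01", "api.thermo.example", 305),
    (0,   "aa:bb:02:00:00:07", "stream.cam.example", 50000),
    (5,   "aa:bb:02:00:00:07", "stream.cam.example", 51000),
    (10,  "aa:bb:02:00:00:07", "stream.cam.example", 49000),
]

# Constructed later flows: one firmware-style cadence change, one leak to a
# never-seen host, one device we cannot identify at all.
NEW_FLOWS = [
    (1000, "aa:bb:01:00:00:01", "api.thermo.example", 300),
    (1010, "aa:bb:01:00:00:01", "api.thermo.example", 300),
    (1020, "aa:bb:01:00:00:01", "unknown-host.example", 2000),
    (1000, "aa:bb:02:00:00:07", "stream.cam.example", 50000),
    (1005, "aa:bb:02:00:00:07", "stream.cam.example", 50000),
    (1000, "cc:dd:ee:00:00:09", "somewhere.example", 10),
]


def build_profiles(flows):
    """Learn, per device type, the set of egress hosts seen and the mean
    interval between consecutive flows (the call-home cadence)."""
    by_type = defaultdict(list)
    for ts, mac, host, _nbytes in flows:
        by_type[identify(mac)].append((ts, host))
    profiles = {}
    for dtype, recs in by_type.items():
        recs.sort()
        hosts = {h for _, h in recs}
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        profiles[dtype] = {"hosts": hosts, "interval": mean(gaps) if gaps else None}
    return profiles


def check_flows(profiles, flows, interval_tolerance=0.5):
    """Egress whitelist plus cadence anomaly per device type.
    Returns a list of (mac, reason) alerts in time order."""
    alerts = []
    last_seen = {}
    for ts, mac, host, _nbytes in sorted(flows):
        prof = profiles.get(identify(mac))
        if prof is None:
            alerts.append((mac, "unknown-device-type"))
            continue
        if host not in prof["hosts"]:
            alerts.append((mac, f"new-egress-host:{host}"))
        if mac in last_seen and prof["interval"]:
            gap = ts - last_seen[mac]
            if abs(gap - prof["interval"]) > interval_tolerance * prof["interval"]:
                alerts.append((mac, f"interval-change:{gap}s"))
        last_seen[mac] = ts
    return alerts


if __name__ == "__main__":
    for alert in check_flows(build_profiles(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

Note that the unidentified device produces only an "unknown-device-type" alert: without knowing what the thing is there is no profile to compare against, which is the device identification gap the discussion raises.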
- how do we keep things convenient for most users while making sure special users can still access their devices and practice their autonomy over them?

Further attacks:
- there are different kinds of security and differences between security and privacy, so they were not specific about the attack model

users:
- there are two kinds of internet of things: municipality and metropolitan level; home level
- why is the home level iot different from what we have with computers and mobile devices?
- is the billion problem for iot devices at homes or at the city level?
- people: they are worried about traffic in the city. city level: cameras, etc. selecting volumes of data
- i am not clear that the billion device problem is the home device problem. you won't have a billion devices in the home soon, but you already have probably 50
- there is scale, which may not apply under 100, but diversity is an issue: there is a universe of a billion things that you can bring home
- there are not 1 billion iot devices right now? depends on how you count (exactly what bowker and star would say)
- basically: there is all this motion about kickstarters, they will have their own flaws. i don't know about the trillion flaws
- they have talked about shifting security to the network level. they mainly talk about a smart home environment
- you can attack either through physical access or the home environment. an attacker getting close to your device is unlikely. the network is the most important attack model in a home environment
- we can't have access to the software of a billion devices. there may be devices coming from other countries which we cannot make policy interventions in
- cars and stuff are a different issue. they may have different ways to get access to the internet, but they can also use the centralized gateway
- the centralized solution made sense: maybe you want the attacker to concentrate on that device. there are disadvantages to a centralized security point
- i saw the architecture as a hierarchy with the microboxes. the question is: how do you decide where to place the boxes? and who puts the policy on those boxes?
- device manufacturers: do you trust them to write a privacy policy for you?
- the policy may be different for every home. you can't have someone write a policy for each home
- one of the technical challenges: the device identification, the state that the device is in

user control:
- general point: this question of who gets to control the devices and their behavior
- in marshini's slides she said everyone wants to have control, but then you give it to them and they don't know what to do. their mental models of what a network is are often totally off
- but some users do know what is going on and access for them is valuable: admins, maintenance folks.
- the home router is where this debate is raging right now: wifi lock down. the issue is, on the one hand, you want the ability to modify the firmware and customize the radio; there are things that users need to stay out of. who gets to control the firmware on the router? it is reasonable to say we should stay out of the radar spectrum
- there is this categorical question of whether iot is different or not, but there are botnets, and research has shown that some control executed through isps helps
- i think your point about the either/or is very good
- a much more controlled environment for a company, where they can set rules and what states they want to have. companies that do anomaly detection: they don't know what is going on in their network. so, i wonder how you can then scale some of these systems to the whole world
- we are writing off liability a little too soon. software companies don't have any liability for their products and this is leading to things like the samsung story where they leak information to third parties and don't feel liable: there needs to be some sort of liability in these environments
- yes, administrators have little idea of what is going on with their networks
- how do you know that the signal that is coming in is a fire alarm? it is probably going to say it is an apple device and you will see a mac address and you don't know what that is
- it seems conceivable that that is a more learnable issue: you have a device, and the network asks what that is, and it can share that learning with others
- so, what is your most parsimonious representation of that? "i am an iphone 6s". you could fingerprint it, but with what protocols?
- are all the devices talking with the internet, or are there devices that just talk with each other and not the internet?
- currently the model is that everything goes through the cloud. if your amazon echo wants to talk to nest, they will go through their servers and then come back home. your phone controls this on any network. maybe in the future that may not be true
- there is also this diversity: wifi/zigbee/bluetooth, so you need different hubs. what is an internet connected device?! in all internet papers we have things connected by gateways: a zigbee network connects to a gateway that connects to the internet
- marketing, too: i can watch the baby in the crib from my iphone. they market this as a cool thing, but then, you wonder

couple of questions:
- they are advocating a white list approach focused on states. the network works well for things i don't want. does that model carry well to issues of information leakage? i don't want to have a random person looking through my cameras, or i don't want an attacker to turn my house into a botnet, since white lists are focused on what is coming in rather than what is leaving my house
- do we need to throw out all the original security? maybe there are solutions that they do help with and don't help with. whitelisting is an aggressive security protection and that would maybe eliminate the less aggressive approaches
- anomaly stuff: you would think that it would be somewhat easier in this context. computers are really complicated; the simple iot stuff: you can explicitly model what that thing should do in formal language. but, how many devices do you sit down and model? the manufacturers should give these out. you can do formal specification and make it verifiable
- this reminds me of modeling device behavior and interactions using a system like mininet: if you have device traffic and look at it through a mininet. how does mininet work? even if you get a pcap of one device, i am not sure how it would be able to capture interaction...
- is there any way to set up a centralized white list thing that is not susceptible to attacks? i say blacklisted things should be whitelisted, only allowing states that make no sense. if you have this database that is insanely large, that is pretty hard to audit and it is probably pretty easy to slip some bad rules into that database
- whitelists and ontologies, classification, the difficulties surrounding that. there is also the practical question of what granularity you are happy with: is a nest thermostat one type of device or thirty types of devices? can and how should the signatures capture this? you upgrade the firmware and the defaults of how often it calls home change, and all of a sudden traffic patterns change
- they talk about different classes of devices. it seems a little bit over simplified: toaster and the smart bread
- the worst thing is that we don't yet know what a thing is, and most of them are running old kernels of linux. the input surface is so small

Resources on Privacy and Security in the Internet of Things:

Suggestions for reading group:
- HotNets Paper: Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things
  http://conferences.sigcomm.org/hotnets/2015/papers/yu.pdf
- Ian Brown report to ITU: http://www.itu.int/en/ITU-D/Conferences/GSR/Documents/GSR2015/Discussion_papers_and_Presentations/GSR_DiscussionPaper_IoT.pdf
- Industrial/Independent Security Research on IoT: DefCon Talk Slide Deck: https://speakerdeck.com/duosec/the-internet-of-things-weve-got-to-chat
- Security Community Efforts: https://www.iamthecavalry.org/

Recommendations from security researcher Mark Stanislaw (Rapid7)
In terms of published guidance:
1) https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
2) https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
3) https://www.nccgroup.com/media/481272/2014-04-09_-_security_of_things_-_an_implementers_guide_to_cyber_security_for_internet_of_things_devices_and_beyond-2.pdf

In my experience (which is not dissimilar to the IoT Top 10 listed above), some big issues are:
1) Insecure network connectivity for device functionality (e.g. API calls from a mobile app and/or web app to the device; transport of data (video/audio/etc.))
2) Poor supply chain management (devices often use stock firmware from ODMs who don't secure anything or patch anything for years [or ever])
3) Weak cloud services (most IoT devices leverage 1-5 cloud services to function, often outsourced to third parties, and have vulnerabilities or access control issues)
4) Standard software bugs (services, on-device web applications, etc.; we see common code issues like buffer overflows, local file inclusion, sql injection, etc.)
5) Bad firmware security (firmware is unlikely to be cryptographically signed, and rarely has any mechanism at a hardware level to ensure integrity; updates are often over cleartext)

Notes from prior discussions:

Report authored by Ian Brown: http://www.itu.int/en/ITU-D/Conferences/GSR/Documents/GSR2015/Discussion_papers_and_Presentations/GSR_DiscussionPaper_IoT.pdf
Challenges and opportunities:
*cost and reliability
*connectivity
*standards
*open platforms, data and APIs
Policy and regulatory implications and best practices:
*licensing and spectrum management
*switching and roaming
*addressing and numbering
*competition
*privacy and security

FTC Staff Report on Internet of Things (possibly outdated): https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
*Security issues:
  *(1) enabling unauthorized access and misuse of personal information;
  *(2) facilitating attacks on other systems; and
  *(3) creating safety risks
*Privacy issues:
  *(1) notice and consent
  *(2) data minimization and overcollection (insecurely)

Workshop with Nathan Freitas:
- the need to focus on the ability of devices to talk to each other (most research focuses on things talking with centralized servers/clouds)
- security issues when devices trust each other and there is no common security policy
- multiple number of devices and users: not just DoS, but management of service. Your network has 100 devices! Is it as bad or comparable to having 100 apps on your phone? How do you know which device is yours, etc.
Seda report for SIPA cybersecurity conference:
*manufacturers need to think beyond securing the devices themselves: a device moves across security domains, passed on from one user to the other
*how do you bootstrap device and security?
*better process integration: development of chips to deployment and maintenance: end-to-end supply chain transparency and security mechanisms at every step of production
*remote maintenance?
*physical attacks
*emergent properties: emergent failure (how to deal with emergent behavior in general? who is responsible for what?)
*gathering experience and intelligence about attacks and security
*negative testing: testing how gracefully devices fail
*lifetime assessment: what is the lifetime of a device? what happens once the device manufacturer/vendor disappears?
*ONS: what are the infrastructures for IoT to function, security issues here?
*http://edoc.hu-berlin.de/oa/conferences/reDH5lBuIZRZ/PDF/21RqIaDPoPHRo.pdf
*security of everything vs. compartmentalization: how do you avoid putting everything under surveillance because they may be detrimental to cybersecurity?
*security vs. user autonomy and privacy: can't update firmware, extract personal (or other) information

General exploratory questions:
*does context matter: health, smart city, car, home device, activist use. would they have different security and privacy requirements?
*in fact, we may first need to discuss what our domain of analysis is before moving further, since currently things are all over the place.
*sim integration: often attached to the device, what is its role in security? (too much hardware?)
*IoT: uplink heavy; current networks: downlink heavy
*NFC: enables the potential of using smartphones as universal platforms for individuals to interact with IoT objects. NFCs, as far as I know, are in miserable shape. Security?
*power sources: challenging for cheap but long-life sensors
*future needs: standard functions in smartphones to interact with tags and sensors: how about security here?
*application specific networks and their security challenges?
*data silos: no open data standards or apis
*5g
*lack of api standards: while there are standards for wireless communication, APIs lack them. mess
*integration of infrastructure and networks also a challenge: shall we dig deeper? (Intel example in Ian Brown's text)

Network troubles:
Where a company such as a smart meter operator is managing thousands or millions of M2M devices via mobile data networks, they have very different requirements from a typical mobile telephone customer. They need comprehensive network status information, to determine whether a non-communicating device or its network connection is faulty. They want a single subscription for the system, not on a per-device basis. And in many cases, the intended device lifetime will be much longer than individuals typically own a mobile phone – perhaps a decade or more. Replacing a device or even a communications module within it will require either an expensive service visit, or a complicated process for customers that may cause faults. Not all mobile network operators can yet cope with these requirements, although many have set up specific business units to address them.

Standards initiatives: What do they do on security?
- ITU-T has created a Global Standards Initiative on Internet of Things (IoT-GSI) to "promote… a unified approach in ITU-T for development of technical standards (Recommendations) enabling the Internet of Things on a global scale."
- The OneM2M group brings together manufacturers, service providers, end-users, and regional standards bodies from North America, Europe and East Asia.
- IoT application-specific standards frameworks, such as the M/490 Smart Grid reference architecture

Domains: Nick's suggestion is to focus on consumer electronics: cameras etc.
IoT security at different levels:
- On the network: Object Name Service papers for RFID infrastructure
- Network to device
- Device to device