risk factory: let's get physical
DESCRIPTION
Security issues associated with the Internet of Things (IoT)
TRANSCRIPT
"Let’s Get Physical": Cyber Security in an IP-Enabled World
A simple, easy to use, online, B2B procurement portal for purchasing products and services to
identify, minimise and manage the security threat to business data.
www.riskfactory.com
Viruses
Road Apples
Crackers
Script Kiddies
Worms
Phishing
Adware
Pharming
Zombies
Malware
Screen Grabbers
Root Kits
Backdoors
Data Mining
Denial of Service Attacks
Spyware
Encryption Cracking
Port Scanning
Fingerprinting
Social Engineering
Botnets
Crawlers
Cookies
Ear Wigging
Eavesdropping
Mockingbirds
Script Scrapers
Smurfing
Stealth Bombs
Spoofers
Steganography
Stripping
Suppression
Google Hacking
Spim
Data Slurping
War Driving
X-Site Scripting
SQL Injection
Man-in-the-Middle Attacks
Always do whatever's next…
• Wireless
• Bluetooth
• Cloud
Our Internet Based On…
• 60’s concepts, requirements & funding
• 70’s computing environments
• 80’s operating systems, applications, networks, and programming languages
• 90’s security technology
• 2000’s operational and business practices
The End is Nigh
In the next 2 years the present IP address space
(IPv4) will reach its capacity.
Birth Follows Every Death
It will be replaced by IPv6, which has enough addresses
(about 5×10^28) for each of the 6.8 billion human
beings on the planet.
In Other Words...
Every human being on the planet could have their own personal network the size of today’s internet.
Why?
• The Internet is preparing to leave its virtual world and enter our physical world.
• IPv6 provides an infrastructure for assigning IP addresses to physical “things”
• The networking of the virtual world to the physical world
• The networking of “things”
• Evolution: from a network of interconnected computers to a network of interconnected objects …
The "average" person owns somewhere between
1000 to 5000 things – possessions.
Imagine
• What if you could put them all on your own network?
• Have a complete inventory of everything you own and know where it is – real-time?
• What if you could connect this network of your things to other networks and interact?
• Life on this planet would be significantly and profoundly changed.
• We’d never run out of anything.
• No more theft as we know it – we’d know exactly where things are at any given moment anywhere on the planet
Wake Up
• It’s already here
• Internet of Things (IoT)
• Concept founded by the Auto-ID Centre at MIT back in 1999
• Phase 1 underway, bottom up, level-specific functionality
• Internet Protocol for Smart Objects (IPSO) Alliance founded 2008
IoT Characteristics
Pervasive: present throughout
Ubiquitous: everywhere at the same time
Evolving: constantly changing
Global: everywhere on this planet
Beyond Accidental
"Anytime, anywhere, by anyone and everything"
A Day in the Life…
First Things First
• Everything on the electrical grid - first
• Balance of power (grids)
– Plant to substations
– Substations to lines
– Lines to transformers
– Transformers to homes
Second Things Second
• Any “thing” with a power source to any “thing” with a power source and vice versa…
– Refrigerator to a television
– Toaster to smoke detector
– Fire alarms to ovens
– Smoke detectors to gas supplier
And Last But Not Least
• Any “person” to any “thing” or any person?
– You to your house
– You to your appliances
– You to your car
– You to your….
Communication is Key
• Need mobile “smart” communication devices to connect:
– Things to things
– People to things
• IP Smart Objects (IPSO)
• RFID chip the leader
IoT Language
Hello: My UID is 1234567fa and my challenge is X4665
Bonjour: My UID is af7654321 and the answer to your challenge is Ab455839
Communication Framework
Netless: is an anamorphic structure of nodes that is capable of holding some amount of digital data. Each node is a small, low-power wireless digital transponder. There is no permanent network connection. Every time any node appears in the vicinity of any other node, they establish a wireless link and swap the data that was stored internally.
Keywords: permission-less, parasitic network, off-line data-sharing, city-net, WAN, othernet, decentralized, node-network, sneakernet, sensor-network, grassroots-network, wireless.
Looks Like
Soylent Green is People!
Newly developed ‘RFID Powder’, as invisible as a speck of dust: 0.05 mm × 0.05 mm × 0.005 mm
Chips are packed with 128 bits of static memory, enough to store a unique 38-digit ID number, 2.45 GHz, 1 mW
Can be embedded directly into pieces of paper
Current favoured application: anti-counterfeiting
Already There
• Retail stores using RFID for stock control
• Vehicles paying by RFID on motorways
• Cows, Dogs, Cats, Sheep implanted with RFID chips
• Consumer products from cars and mobiles to children’s tennis shoes now equipped with GPS RFID chips
Security Requirements
Can our current C.I.A. definition fit the IoT?
Pervasive: present throughout?
Ubiquitous: everywhere simultaneously?
Emerging: constantly evolving?
Global: everywhere on this planet?
Application Challenges
IP Challenges
Packet spoofing
Network traffic analysis
Device analysis
Device spoofing
Encryption
Key distribution
Privacy protection
Identity protection
Identity and identifier management
IPSO Challenges
• Devices are not reachable
– Most of the time a device is not connected
• Devices can be lost and stolen
– Makes security difficult when the device is not connected
• Devices are not crypto-engines
– Strong security difficult without processing power
• Devices have finite life
– Credentials need to be tied to lifetime
• Devices are transportable
– Will cross borders
• Devices need to be recognised by many readers
– What data is released to what reader?
Privacy Challenges
• What things you own
• Where you bought them
• The price you paid for them
• Where they are located
• What you use them for
• How often you use them
• What they connect to
• Who they connect to
Fraud Challenges
• "Thing" Theft
• Counterfeit
• Piracy
Professional Challenges
• See the bigger picture - now
• Anticipate the potential problems
• Security professionals are always “catching up” to technology
• Step up. Consider the implications of the next world of networked things
• Prepare for it – now
• Lead - Don’t follow.
26 Dover Street, London, United Kingdom, W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101 (fax)