This document discusses the Internet of Things (IoT) and related security issues. It provides examples of how IoT can enable smart homes and health monitoring, but also presents security risks like attacks on pacemakers and unauthorized access of IP cameras. The document summarizes research findings that IoT devices have issues like insufficient authentication, lack of encryption, and insecure software/firmware. It recommends adopting privacy-by-design approaches and implementing layered security controls like authentication frameworks. Security challenges for IoT include the long lifecycles of devices that cannot be easily updated and limited capabilities for cryptography.

1. Internet of
Things
IoT
Tutun Juhana
Telecommunication Engineering Department
School of Electrical Engineering & Informatics
Institut Teknologi Bandung
|
Mini Conference , 22 June 2015
Computer Science Dept., Faculty of Mathematics and Natural Sciences
Institut Pertanian Bogor

2. IoT is (will be)…….
2/22

3. IoT offers comforts
3/22

4. www.refitsmarthomes.org
Smart Homes
4/22

5. Health and Activity Monitoring
www.ece.uah.edu
5/22

6. VANET
Vehicle Ad-Hoc Network
6/22

7. IoT can also be nightmares
7/22

8. Pacemaker Attack
8/22

9. IP camera peeping
https://sites.google.com/site/web1camera/
Google Hacks
9/22

10. 10/22

11. http://zeecure.com/free-cctv-and-security-tools/complete-list-of-every-ip-camera-
default-username-password-and-ip-address/
11/22

12. Smart refrigerator
• Your fridge is full of
spam
• www.proofpoint.com
12/22

13. How vulnerable are we? 13/22

14. Research findings by HP
Internet of Things Research Study - 2014 report
Privacy concerns
Insufficient authentication and
authorization
Lack of transport encryption
Insecure software and firmware
14/22

15. 15/22

16. Recommended Security Controls
Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design
approach to IoT development and deployment
Apply a Secure Systems Engineering approach to architecting and
deploying a new IoT System
Implement layered security protections to defend IoT assets
Implement data protection best-practices to protect sensitive
information
Define lifecycle controls for IoT devices
Define and implement an authentication/authorization framework for
the organization’s IoT Deployments
Define and implement a logging/audit framework for the organization’s IoT
ecosystem
Further reading: Security Guidance for Early Adopters
of the Internet of Things (IoT), CSA, April 2015
16/22

17. Cyber Security Pillars for Internet of Things Products
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond,
Prepared by: Ollie Whitehouse 17/22

18. “Conventional Security” Tech doesn’t applied
to IoT
• The longevity of the device
• Updates are harder (or impossible)
• The size of the device
• Capabilities are limited – especially around crypto
• The fact there is a device
• Usually no UI for entering userids and passwords
• The data
• Often highly personal
• The mindset
• Appliance manufacturers don’t think like security experts
• Embedded systems are often developed by grabbing existing chips, designs,
etc
Securing the Internet of Things, Paul Fremantle, Paul Madsen 18/22

19. Device Classes – IETF RFC 7228
• Class 2:
• Data size (memory): 50 KB
• Code size (flash, disk): 250 KB
• Can interact with Internet nodes. Example protocol: HTTP-over-SSL/TLS
• Class 1:
• Data size (memory):10 KB
• Code size (flash, disk): 100 KB
• May interact with Internet nodes. Example protocol: CoAP-over-DTLS
• Class 0:
• Data size (memory): <<10 KB
• Code size (flash, disk): <<100 KB
• Depend on intermediaries (e.g. class 1 or 2 components) to interact with
Internet nodes 19/22

20. Crypto
Borrowed from Chris Swan:
http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13
20/22

21. Thank You