Security, Privacy and Dependability in Mobile Networks

Center for Wireless
Innovation Norway
cwin.no

CWI Norway Int. Conference on Mobility 2012,
Venice, Oct2012

Security, Privacy and Dependability
in Mobile Networks

Josef Noll, Sarfraz Alam, Zahid Iqbal,
Mohammad M. R. Chowdhury
Prof. at University of Oslo/UNIK
Member of CWI Norway
josef@unik.no
1

Outline
Josef Noll, Oslo - CTO
! About the author Steering board member, Norway section at MobileMonday
Chief technologist at Movation AS, Prof. at University Graduate
! Security in Mobile Networks Studies (UNIK), University of Oslo (UiO)
IARIA Fellow, Chairman of IARIA’s Intern. Conf. on Mobility
– Privacy Past: Research Manager/Researcher at Telenor R&I (R&D)
Staff member at ESA ESTEC
Chip designer at SIEMENS
– Dependability
! The way ahead: Internet of Things
– connection of sensors to mobile
– business decisions based on information
! Security Challenges
– BYOD “bring your own device”
– Be aware of the value of information
– Measurable security
! Use case for
– From Entertainment to Socialtainment
– Sensor data fusion
! Conclusions
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 2

Center for Wireless Innovation CWI

A facilitator for industry and seven research
institutions to form strategic partnerships in
wireless R&D
B3G BS
Sensor
Networks
Sensor Network Aggregation
Abstraction &
Home/Office
Monitoring
Sensor
Networks

Car Offshore
Sensor
Networks Sensor
Networks

Oct 2012, Josef Noll

Center for Wireless Innovation CWI

A facilitator for industry and seven research
institutions to form strategic partnerships in
wireless R&D
n to
t io
o ra arc h
B3G BS
Sensor

ab ese
Networks
Aggregation

ll
Sensor Network
Abstraction &
Home/Office
Monitoring
c o e r
r o m at iv Sensor
Networks

F b o r Car

la
Offshore

co l Sensor
Networks Sensor
Networks

Oct 2012, Josef Noll

Innovation through Collaboration
Statoil ...
Nets
Opera

Inner Circle eBAN
Telenor Members
Business
Angels
NFR NorBAN
Strategic
NICe Partners
Innovation
IIP Artemisia
Stock Exchange
Int. Innov.
Communities InnoBoerse.eu
Prog.
MoMo ETSI
MobileMonday
Academia
Entrepreneurs MIT

CWI
CTIF

4
Providing the infrastructure for open collaboration Oct2012
Josef Noll

Outline

! About the author
! Security in Mobile Networks
– Privacy
– Dependability
! Use case for
! Conclusions

Generations of Mobile Networks
Service view
Personalised broadband
4G? LTE wireless services

3G: UMTS Multimedia communication

2G: GSM Mobile telephony, SMS,
FAX, Data

1G:
NMT Mobile telephony

1970 1980 1990 2000 2010

[adapted from Per Hjalmar Lehne, Telenor, 2000]


Generations of Mobile Networks
Service view Security view
IP security with
Personalised broadband heterogeneous access,
4G? LTE wireless services sensors

3G: UMTS Multimedia communication Open, modular security
architecture - force 2G

2G: GSM Mobile telephony, SMS, One way authentication,
FAX, Data encryption visibility, “obscurity”

1G:
NMT Mobile telephony tap the line,
connect in

1970 1980 1990 2000 2010

[adapted from Per Hjalmar Lehne, Telenor, 2000]


Security in Mobile Networks
! NMT
– tap the line
! GSM
– No authentication of network:
IMSI catcher pretend to be BTS
and request IMSI
– Undisclosed crypto algorithms
! UMTS
– adds integrity and freshness
checks on signalling data from
network to MS
– forced attack to 2G
! LTE
– full IP security package
– heterogeneous access networks
[Source: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]

Summary of Mobile Security

Threats/attacks Security services Security mechanisms
GSM
Cloning Authentication Authentication mechanism
(challenge-response with a
shared secret)

Eavesdropping Confidentiality Encryption of call content
(voice sent in clear) (A5/1, A5/2, A5/3)

Spying (identity tracking) Confidentiality Location security (TMSI)

[adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]

GSM
Threats/attacks Security services
Cloning Security mechanisms
Authentication Authentication mechanism
shared secret)

UMTS Eavesdropping
(voice sent in clear)
Confidentiality Encryption of call content
(A5/1, A5/2, A5/3)

False BST Mutual authentication mechanism
Authentication (challenge-response with a

shared secret)

Encryption of signaling and call
Eavesdropping
Confidentiality content
(Poor GSM encryption)

Data sent in clear in the Encryption and integrity protection
Confidentiality of data, to also cover operator
operator network
network


LTE Threats/attacks Security services Security mechanisms
GSM
Threats/attacks Security services
Cloning Security mechanisms
AuthenticationAuthentication mechanism
shared secret)

Eavesdropping Data confidentiality (voice sent in clear)
IPSec (A5/1, A5/2, A5/3)


Modification of content Data integrity
IPSec
UMTS

Impersonation Authentication
shared secret)

EAP-AKA
Eavesdropping

Denial of service,
Data sent in clear in the
operator network
Confidentiality Availability service
Encryption and integrity protection
of data, to also cover operator
network
fast re-authentication?
roaming, performance different access network?


GSM
Cloning Authentication Authentication mechanism
shared secret)

(voice sent in clear) (A5/1, A5/2, A5/3)



UMTS
shared secret)

Eavesdropping

Encryption and integrity protection
LTE
Data sent in clear in the
Confidentiality of data, to also cover operator
operator network
network

Eavesdropping Data confidentiality IPSec

Modification of content Data integrity IPSec

Impersonation Authentication EAP-AKA

Denial of service, Availability service fast re-authentication?
roaming, performance different access network?


Security in Mobile Networks
! Main focus so far on accountability (for billing)
! End-to-end encryption is a challenge
– Interoperability: variety of access networks, coding
– key handling in TLS
– application specific solutions: SIP
! Privacy
– personal privacy
– business value privacy
! Dependability, reliability
– infrastructures
– systems of systems

[Source: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]


Physical vs Organisational privacy
! don’t touch me
! don’t invade
! preferences

! locations


Physical vs Organisational privacy
! don’t touch me ! What is in Coca Cola?
! don’t invade
! preferences ! When will VW launch
the new Golf?
! locations Value of Information

! Access to fingerprints
of all people


Protecting the identity?

! 8 million US residents victims of identity theft in 2006
(4% of adults)
! US total (known) cost of identity theft was $49 billion
– ~10% was paid by customers
– remaining by merchants and financial institutions

! Average victim spent $531 and 25 hours to repair
for damages Source: Lasse Øverlier & California Office of Privacy Protection

ID theft in seconds
http://itpro.no/art/11501.html


Outline

! About the author
– Privacy
– Dependability
! Use case for
! Conclusions

IoT paradigm
• The present "Internet of PCs" will move towards an "Internet of
Things" in which 50 to 100 billion devices will be connected to
the Internet by 2020. [CERP-IoT, 03.2010]
• “We are entering a new paradigm where things have their own
identity and enter into dialogue with both other things and
humans mediated through processes that are being formed
today. [IoT Europe 2010 conf., 06.2010]
"Now
subs we have
c
30...5 ribers. I roughly
0 n 5
! The speed of development – H Mio de some ye .2 Mio m
ans C vices ar w obile 2010
hristi o e
an H n the m will hav
augli o e
, CEO bile net
“In 201 , Tele work
2 there nor O ”
storage on single chip

people were m bject
on the ore dev s
– Han mobile ic
s Chris networ es than
tian Ha k of Te
ugli, CE lenor”.
O, Tele
nor Ob
jects

source: Gerhard Fettweis, TU Dresden
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll

[Source: J. Schaper, FI PPP Constituency Event Nice, March 2010] Josef Noll
Oct 2012, 14
Security, Privacy and Dependability in Mobile Networks

The IoT technology and
application domain
business reliability
decisions

privacy


Outline

! About the author
– Privacy
– Dependability
! Use case for
! Conclusions

The security challenge of the
Internet
How come these guys didn’t think of that?

1973 Kjeller

ave
ld h rnet
wou Inte
we ow
“If
n h ed, ...”
k now elop
Steve Crocker dev

Jon Postel

1972 Vinton Cerf
Expo Berlin 2007 Source: http://www.michaelkaul.de/History/history.html
©2007 Deloitte & Touche GmbH Wirtschaftsprüfungsgesellschaft


Security in the Internet of Things?
Source: L. Atzori et al., The
Internet of Things: A survey,
Comput. Netw. (2010), doi:
10.1016/ j.comnet.2010.05.010

Text


Security in the Internet of Things?
Source: L. Atzori et al., The
Internet of Things: A survey,
Comput. Netw. (2010), doi:
10.1016/ j.comnet.2010.05.010

Trust

Text

* context-aware,
* “privacy”
* personalised


Security challenges
! Sensors everywhere Request
Semantic layer
Semantic layer

– SOA based Mobile, Internet
Proximity,
Service
e, Sensor
hom ors
al, ens Service Registry
edic al s
Mobile/Proximity/
Sensor services
m
stri
i ndu sensors
sensors

! Bring your own device
(BYOD)
– 30-100 devices/employee
tab,
Contacts
– “phone in the cloud” e, Calendar
hon ed... SMS, ...
C, p bedd
MA em
C, ad,
P
po d, p

Measurable Security
! Value of information is &
lys
na nt
– Identify k A sme
Ris ses
– Analyse As
– Evaluate Risk

Measurable security sis
!
analy
fit
– “Banks are secure” -B ene
– IETF working group: Better C ost
than nothing security
– Cardinal numbers?


Security Challenges in sensor-
enabled clouds
! Security, here
– security (S) Cloud services

– privacy (P) Intelligence
challenge:
Overlay physics
– dependability (D)
Network
! across the value chain
challenge:
– from sensors to physics
Sensors,
services Embedded Systems
! measurable security?
can be
Could be
composed
Is made by
Components and SPD Components,
System SPD functionalities
functionalities


Measuring Security, Privacy and
Dependability (SPD) in the IoT
Ontology logical representation: each concept is modelled and the relations are
identified in order to have the logical chains that enables the SPD-aware
composability

can be
Could be composed
Is made by Components SPD Components,
System and SPD functionalities
functionalities

realise
SPD Means
Are counter
measured by
Is mapped are
into affected by
SPD level SPD Attributes SPD Threats

[source: Andrea Fiaschetti, pSHIELD project, Sep 2011]


SPD Metrics specification Factor Value
Elapsed Time
<= one day 0

Minimum attack potential value to <= one week
<= one month
1
4

exploit a vulnerability <= two months 7
<= three months 10
= SPD value <= four months 13
Factors to be <= five months 15

considered <= six months 17
> six months 19
Expertise

where •Elapsed Time Layman 0

Calculated attack •Expertise Proficient
Expert
3*(1)
6

potential •Knowledge of Multiple experts 8
functionality Knowledge of
functionality
•Window of opportunity
Public 0
with •Equipment
Attack scenarios Restricted
Sensitive
3
7
Critical 11
SPD SPD SPD Window of
level attributes threats Unnecessary / unlimited 0
access

Easy 1
Essential to build Moderate 4
Difficult 10
Base of knowledge Unfeasible 25**(2)
Equipment

Functio Standard 0
SPD
System
nality system Specialised 4(3)
Bespoke 7
Multiple bespoke 9
[source: Andrea Fiaschetti, pSHIELD project, Sep 2011]

Outline

! About the author
– Privacy
– Dependability
! Use case for
! Conclusions

Use case:
SPD in heterogeneous systems
! Nano-Micro-Personal-M2M Platform
– identity, cryptography,
dependability
! SPD levels through overlay
functionality
– answering threat level
– composing services

! Policy-based management
– composable security
! Integration into Telecom Platform
– from information to business
decisions


Application Example:
Socialtainment (eMobility)
! From Entertainment
to Socialtainment Pool

! Social mobility
vehicles people
through inclusion of traffic
micro-
social networks charging
coordination
warning social
parking
tour
CO2 consumption
6 %
31 % Corporate travel
33 %
Corporate cars
Social
CO2 25 %6 % Commuting
Flights Mobility
Energy & Logistics info energy
music control
maps
! answering the need for CO2
reduction in transport www IoT
! SAP 45% (2009) smart grid

Semantic Representation
Cloud service representation through semantic integration

Overlay Policy-based Core Services

Trust Composition Discovery

Policy System

Cloud services Suggested
Desired Intelligence
service
service Overlay

Network
Overlay “Embedded
Intelligence”
Sensors,
Embedded Systems s

OWL OWL
goals integration
OWL
integration

Semantic Technologies


The IoT ecosystem
Trust ?

! Creating business
– openness, competitive infrastructure:
Consumers broadband,
– climate for innovation adaptation mobile
Business
! Public authorities climate:
market
– trust, confidence Public
Creative
Authorities
– demand demand
IoT - Business programmers
Ecosystem software
! Consumers
Academia
– (early) adapters research,
– education Entrepreneurs Sensor
education

ideas
! Infrastructure providers

– broadband, mobile
– competition

Internet usage across Europe
[Robert Madelin, Directorate-General for Information Society and Media, EU commission, Aug 2010]

* “use of IT in a proper way can increase eﬀectiveness with 30-40%”
IS
* “we are good in technology development. But access to venture
95,1%
capital is bad in Europe as compared to the USA”.
[Aftenposten, 3. October 2011] gunhild@aftenposten.no NO
94,8%
SE
% of people used the Internet DK 93,2%
100 90,7%
IT EU
90
HE 58,8% 73,7%
80
47,5%
70

60

50

40
Tyrkia

Romania

Hellas

Bulgaria

l
Kypros

Kroatia

Italia

Malta

Litauen

Polen

Ungarn

Spania

Latvia

Slovenia

Tsjekkia

Irland

EU snitt

Østerike

Estland

e
Belgia

Slovenia

Tyskland

nia
Finland

k

ourg

nd
Sverige

Norge

Island
Portuga

Danmar
Frankrik

Nederla
Storbrita

Luxemb

Internet service usage

90

83 84
77 Greece
71
60 Norway
61 EU-average

41 39 41 40
30 36

13 16
12
0
3 6

g

t ce
in
db es
d

e

es

gh er
rv t
nk
oa m

se ac
m
an

ic

ou m
Ba
br ho

ho

ic nt

- b om
bl co
ith te

et
of
ts C

eC
w iva

rn

pu e
ou s P

e

to nlin
id

te
Pr

ed les

In

O
us ire
W


Conclusions

• The mobile system is secure,
but...
– evolvement to provable security
– bring your own devices, heterogeneity
– from sensors to business decisions

• Building the IoT architecture
– Cross-layer intelligence & knowledge
– Accounting for security

• Measurable security
– Metrics describing threats
– Overlay description for system of systems

• Building the Ecosystem
– Human perspective: trust, privacy, context
The wo
– Security based on measures of components, rld is w
attacks and human interaction
i reless


CWI
My special thanks to
• JU Artemis and the Research • Sarfraz Alam (UNIK) and Geir
Councils of the participating Harald Ingvaldsen (JBV) for the
countries (IT, HE, PT, SL, NO, ES) train demo
• Andrea Fiaschetti for the semantic • Zahid Iqbal and Mushfiq
middleware and ideas Chowdhury for the semantics
• Inaki Eguia Elejabarrieta,Andrea • Hans Christian Haugli and Juan
Morgagni, Francesco Flammini, Carlos Lopez Calvet for the
Renato Baldelli, Vincenzo Suraci Shepherd ® interfaces
for the Metrices • and all those I have forgotten to
• Przemyslaw Osocha for running mention
the pSHIELD project, Luigi Trono
for running nSHIELD

Oct 2012, Josef Noll 32

Security, Privacy and Dependability in Mobile Networks

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Security, Privacy and Dependability in Mobile Networks

Semelhante a Security, Privacy and Dependability in Mobile Networks (20)

Mais de Josef Noll

Mais de Josef Noll (12)

Security, Privacy and Dependability in Mobile Networks