This document summarizes a presentation given by Josef Noll at the International Conference on Mobility in Venice in October 2012. The presentation discusses security, privacy, and dependability issues in mobile networks. It provides an overview of how security mechanisms have evolved with each generation of mobile networks from 1G to 4G. It highlights key challenges regarding privacy of personal data, reliability of infrastructure systems, and the growth of the Internet of Things connecting billions of sensors to mobile networks.
Who ownes the SIM? a user-centric view on future networks
Security, Privacy and Dependability in Mobile Networks
1. Center for Wireless
Innovation Norway
cwin.no
CWI Norway Int. Conference on Mobility 2012,
Venice, Oct2012
Security, Privacy and Dependability
in Mobile Networks
Josef Noll, Sarfraz Alam, Zahid Iqbal,
Mohammad M. R. Chowdhury
Prof. at University of Oslo/UNIK
Member of CWI Norway
josef@unik.no
1
2. Outline
Josef Noll, Oslo - CTO
! About the author Steering board member, Norway section at MobileMonday
Chief technologist at Movation AS, Prof. at University Graduate
! Security in Mobile Networks Studies (UNIK), University of Oslo (UiO)
IARIA Fellow, Chairman of IARIA’s Intern. Conf. on Mobility
– Privacy Past: Research Manager/Researcher at Telenor R&I (R&D)
Staff member at ESA ESTEC
Chip designer at SIEMENS
– Dependability
! The way ahead: Internet of Things
– connection of sensors to mobile
– business decisions based on information
! Security Challenges
– BYOD “bring your own device”
– Be aware of the value of information
– Measurable security
! Use case for
– From Entertainment to Socialtainment
– Sensor data fusion
! Conclusions
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 2
3. Center for Wireless Innovation CWI
A facilitator for industry and seven research
institutions to form strategic partnerships in
wireless R&D
B3G BS
Sensor
Networks
Sensor Network Aggregation
Abstraction &
Home/Office
Monitoring
Sensor
Networks
Car Offshore
Sensor
Networks Sensor
Networks
Oct 2012, Josef Noll
4. Center for Wireless Innovation CWI
A facilitator for industry and seven research
institutions to form strategic partnerships in
wireless R&D
n to
t io
o ra arc h
B3G BS
Sensor
ab ese
Networks
Aggregation
ll
Sensor Network
Abstraction &
Home/Office
Monitoring
c o e r
r o m at iv Sensor
Networks
F b o r Car
la
Offshore
co l Sensor
Networks Sensor
Networks
Oct 2012, Josef Noll
5. Innovation through Collaboration
Statoil ...
Nets
Opera
Inner Circle eBAN
Telenor Members
Business
Angels
NFR NorBAN
Strategic
NICe Partners
Innovation
IIP Artemisia
Stock Exchange
Int. Innov.
Communities InnoBoerse.eu
Prog.
MoMo ETSI
MobileMonday
Academia
Entrepreneurs MIT
CWI
CTIF
4
Providing the infrastructure for open collaboration Oct2012
Josef Noll
6. Outline
! About the author
! Security in Mobile Networks
– Privacy
– Dependability
! The way ahead: Internet of Things
– connection of sensors to mobile
– business decisions based on information
! Security Challenges
– BYOD “bring your own device”
– Be aware of the value of information
– Measurable security
! Use case for
– From Entertainment to Socialtainment
– Sensor data fusion
! Conclusions
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 5
7. Generations of Mobile Networks
Service view
Personalised broadband
4G? LTE wireless services
3G: UMTS Multimedia communication
2G: GSM Mobile telephony, SMS,
FAX, Data
1G:
NMT Mobile telephony
1970 1980 1990 2000 2010
[adapted from Per Hjalmar Lehne, Telenor, 2000]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 6
8. Generations of Mobile Networks
Service view Security view
IP security with
Personalised broadband heterogeneous access,
4G? LTE wireless services sensors
3G: UMTS Multimedia communication Open, modular security
architecture - force 2G
2G: GSM Mobile telephony, SMS, One way authentication,
FAX, Data encryption visibility, “obscurity”
1G:
NMT Mobile telephony tap the line,
connect in
1970 1980 1990 2000 2010
[adapted from Per Hjalmar Lehne, Telenor, 2000]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 6
9. Security in Mobile Networks
! NMT
– tap the line
! GSM
– No authentication of network:
IMSI catcher pretend to be BTS
and request IMSI
– Undisclosed crypto algorithms
! UMTS
– adds integrity and freshness
checks on signalling data from
network to MS
– forced attack to 2G
! LTE
– full IP security package
– heterogeneous access networks
[Source: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 7
10. Summary of Mobile Security
Threats/attacks Security services Security mechanisms
GSM
Cloning Authentication Authentication mechanism
(challenge-response with a
shared secret)
Eavesdropping Confidentiality Encryption of call content
(voice sent in clear) (A5/1, A5/2, A5/3)
Spying (identity tracking) Confidentiality Location security (TMSI)
[adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
11. Summary of Mobile Security
Threats/attacks Security services Security mechanisms
GSM
Threats/attacks Security services
Cloning Security mechanisms
Authentication Authentication mechanism
(challenge-response with a
shared secret)
UMTS Eavesdropping
(voice sent in clear)
Confidentiality Encryption of call content
(A5/1, A5/2, A5/3)
False BST Mutual authentication mechanism
Authentication (challenge-response with a
Spying (identity tracking) Confidentiality Location security (TMSI)
shared secret)
Encryption of signaling and call
Eavesdropping
Confidentiality content
(Poor GSM encryption)
Data sent in clear in the Encryption and integrity protection
Confidentiality of data, to also cover operator
operator network
network
[adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
12. Summary of Mobile Security
LTE Threats/attacks Security services Security mechanisms
GSM
Threats/attacks Security services
Cloning Security mechanisms
AuthenticationAuthentication mechanism
(challenge-response with a
shared secret)
Eavesdropping Confidentiality Encryption of call content
Eavesdropping Data confidentiality (voice sent in clear)
IPSec (A5/1, A5/2, A5/3)
Spying (identity tracking) Confidentiality Location security (TMSI)
Modification of content Data integrity
Threats/attacks Security services Security mechanisms
IPSec
UMTS
False BST Mutual authentication mechanism
Authentication (challenge-response with a
Impersonation Authentication
shared secret)
Encryption of signaling and call
EAP-AKA
Eavesdropping
Confidentiality content
(Poor GSM encryption)
Denial of service,
Data sent in clear in the
operator network
Confidentiality Availability service
Encryption and integrity protection
of data, to also cover operator
network
fast re-authentication?
roaming, performance different access network?
[adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
13. Summary of Mobile Security
Threats/attacks Security services Security mechanisms
GSM
Cloning Authentication Authentication mechanism
(challenge-response with a
shared secret)
Eavesdropping Confidentiality Encryption of call content
(voice sent in clear) (A5/1, A5/2, A5/3)
Spying (identity tracking) Confidentiality Location security (TMSI)
Threats/attacks Security services Security mechanisms
UMTS
False BST Mutual authentication mechanism
Authentication (challenge-response with a
shared secret)
Encryption of signaling and call
Eavesdropping
Confidentiality content
(Poor GSM encryption)
Encryption and integrity protection
LTE
Data sent in clear in the
Confidentiality of data, to also cover operator
operator network
network
Threats/attacks Security services Security mechanisms
Eavesdropping Data confidentiality IPSec
Modification of content Data integrity IPSec
Impersonation Authentication EAP-AKA
Denial of service, Availability service fast re-authentication?
roaming, performance different access network?
[adopted from: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 8
14. Security in Mobile Networks
! Main focus so far on accountability (for billing)
! End-to-end encryption is a challenge
– Interoperability: variety of access networks, coding
– key handling in TLS
– application specific solutions: SIP
! Privacy
– personal privacy
– business value privacy
! Dependability, reliability
– infrastructures
– systems of systems
[Source: Lars Strand: “Security Architecture for Mobile Telephony Systems”, PhD presentation, UiO, 2011]]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 9
15. Physical vs Organisational privacy
! don’t touch me
! don’t invade
! preferences
! locations
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 10
16. Physical vs Organisational privacy
! don’t touch me ! What is in Coca Cola?
! don’t invade
! preferences ! When will VW launch
the new Golf?
! locations Value of Information
! Access to fingerprints
of all people
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 10
17. Protecting the identity?
! 8 million US residents victims of identity theft in 2006
(4% of adults)
! US total (known) cost of identity theft was $49 billion
– ~10% was paid by customers
– remaining by merchants and financial institutions
! Average victim spent $531 and 25 hours to repair
for damages Source: Lasse Øverlier & California Office of Privacy Protection
ID theft in seconds
http://itpro.no/art/11501.html
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 11
18. Outline
! About the author
! Security in Mobile Networks
– Privacy
– Dependability
! The way ahead: Internet of Things
– connection of sensors to mobile
– business decisions based on information
! Security Challenges
– BYOD “bring your own device”
– Be aware of the value of information
– Measurable security
! Use case for
– From Entertainment to Socialtainment
– Sensor data fusion
! Conclusions
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 12
19. IoT paradigm
• The present "Internet of PCs" will move towards an "Internet of
Things" in which 50 to 100 billion devices will be connected to
the Internet by 2020. [CERP-IoT, 03.2010]
• “We are entering a new paradigm where things have their own
identity and enter into dialogue with both other things and
humans mediated through processes that are being formed
today. [IoT Europe 2010 conf., 06.2010]
"Now
subs we have
c
30...5 ribers. I roughly
0 n 5
! The speed of development – H Mio de some ye .2 Mio m
ans C vices ar w obile 2010
hristi o e
an H n the m will hav
augli o e
, CEO bile net
“In 201 , Tele work
2 there nor O ”
storage on single chip
people were m bject
on the ore dev s
– Han mobile ic
s Chris networ es than
tian Ha k of Te
ugli, CE lenor”.
O, Tele
nor Ob
jects
source: Gerhard Fettweis, TU Dresden
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll
20. [Source: J. Schaper, FI PPP Constituency Event Nice, March 2010] Josef Noll
Oct 2012, 14
Security, Privacy and Dependability in Mobile Networks
21. The IoT technology and
application domain
business reliability
decisions
privacy
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 15
22. Outline
! About the author
! Security in Mobile Networks
– Privacy
– Dependability
! The way ahead: Internet of Things
– connection of sensors to mobile
– business decisions based on information
! Security Challenges
– BYOD “bring your own device”
– Be aware of the value of information
– Measurable security
! Use case for
– From Entertainment to Socialtainment
– Sensor data fusion
! Conclusions
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 16
24. Security in the Internet of Things?
Source: L. Atzori et al., The
Internet of Things: A survey,
Comput. Netw. (2010), doi:
10.1016/ j.comnet.2010.05.010
Text
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 18
25. Security in the Internet of Things?
Source: L. Atzori et al., The
Internet of Things: A survey,
Comput. Netw. (2010), doi:
10.1016/ j.comnet.2010.05.010
Trust
Text
* context-aware,
* “privacy”
* personalised
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 18
26. Security challenges
! Sensors everywhere Request
Semantic layer
Semantic layer
– SOA based Mobile, Internet
Proximity,
Service
e, Sensor
hom ors
al, ens Service Registry
edic al s
Mobile/Proximity/
Sensor services
m
stri
i ndu sensors
sensors
! Bring your own device
(BYOD)
– 30-100 devices/employee
tab,
Contacts
– “phone in the cloud” e, Calendar
hon ed... SMS, ...
C, p bedd
MA em
C, ad,
P
po d, p
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 19
27. Measurable Security
! Value of information is &
lys
na nt
– Identify k A sme
Ris ses
– Analyse As
– Evaluate Risk
Measurable security sis
!
analy
fit
– “Banks are secure” -B ene
– IETF working group: Better C ost
than nothing security
– Cardinal numbers?
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 20
28. Security Challenges in sensor-
enabled clouds
! Security, here
– security (S) Cloud services
– privacy (P) Intelligence
challenge:
Overlay physics
– dependability (D)
Network
! across the value chain
challenge:
– from sensors to physics
Sensors,
services Embedded Systems
! measurable security?
can be
Could be
composed
Is made by
Components and SPD Components,
System SPD functionalities
functionalities
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 21
29. Measuring Security, Privacy and
Dependability (SPD) in the IoT
Ontology logical representation: each concept is modelled and the relations are
identified in order to have the logical chains that enables the SPD-aware
composability
can be
Could be composed
Is made by Components SPD Components,
System and SPD functionalities
functionalities
realise
SPD Means
Are counter
measured by
Is mapped are
into affected by
SPD level SPD Attributes SPD Threats
[source: Andrea Fiaschetti, pSHIELD project, Sep 2011]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 22
30. SPD Metrics specification Factor Value
Elapsed Time
<= one day 0
Minimum attack potential value to <= one week
<= one month
1
4
exploit a vulnerability <= two months 7
<= three months 10
= SPD value <= four months 13
Factors to be <= five months 15
considered <= six months 17
> six months 19
Expertise
where •Elapsed Time Layman 0
Calculated attack •Expertise Proficient
Expert
3*(1)
6
potential •Knowledge of Multiple experts 8
functionality Knowledge of
functionality
•Window of opportunity
Public 0
with •Equipment
Attack scenarios Restricted
Sensitive
3
7
Critical 11
SPD SPD SPD Window of
level attributes threats Unnecessary / unlimited 0
access
Easy 1
Essential to build Moderate 4
Difficult 10
Base of knowledge Unfeasible 25**(2)
Equipment
Functio Standard 0
SPD
System
nality system Specialised 4(3)
Bespoke 7
Multiple bespoke 9
[source: Andrea Fiaschetti, pSHIELD project, Sep 2011]
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 23
31. Outline
! About the author
! Security in Mobile Networks
– Privacy
– Dependability
! The way ahead: Internet of Things
– connection of sensors to mobile
– business decisions based on information
! Security Challenges
– BYOD “bring your own device”
– Be aware of the value of information
– Measurable security
! Use case for
– From Entertainment to Socialtainment
– Sensor data fusion
! Conclusions
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 24
32. Use case:
SPD in heterogeneous systems
! Nano-Micro-Personal-M2M Platform
– identity, cryptography,
dependability
! SPD levels through overlay
functionality
– answering threat level
– composing services
! Policy-based management
– composable security
! Integration into Telecom Platform
– from information to business
decisions
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 25
33. Application Example:
Socialtainment (eMobility)
! From Entertainment
to Socialtainment Pool
! Social mobility
vehicles people
through inclusion of traffic
micro-
social networks charging
coordination
warning social
parking
tour
CO2 consumption
6 %
31 % Corporate travel
33 %
Corporate cars
Social
CO2 25 %6 % Commuting
Flights Mobility
Energy & Logistics info energy
music control
maps
! answering the need for CO2
reduction in transport www IoT
! SAP 45% (2009) smart grid
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 26
34. Semantic Representation
Cloud service representation through semantic integration
Overlay Policy-based Core Services
Trust Composition Discovery
Policy System
Cloud services Suggested
Desired Intelligence
service
service Overlay
Network
Overlay “Embedded
Intelligence”
Sensors,
Embedded Systems s
OWL OWL
goals integration
OWL
integration
Semantic Technologies
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 27
35. The IoT ecosystem
Trust ?
! Creating business
– openness, competitive infrastructure:
Consumers broadband,
– climate for innovation adaptation mobile
Business
! Public authorities climate:
market
– trust, confidence Public
Creative
Authorities
– demand demand
IoT - Business programmers
Ecosystem software
! Consumers
Academia
– (early) adapters research,
– education Entrepreneurs Sensor
education
ideas
! Infrastructure providers
– broadband, mobile
– competition
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 28
36. Internet usage across Europe
[Robert Madelin, Directorate-General for Information Society and Media, EU commission, Aug 2010]
* “use of IT in a proper way can increase effectiveness with 30-40%”
IS
* “we are good in technology development. But access to venture
95,1%
capital is bad in Europe as compared to the USA”.
[Aftenposten, 3. October 2011] gunhild@aftenposten.no NO
94,8%
SE
% of people used the Internet DK 93,2%
100 90,7%
IT EU
90
HE 58,8% 73,7%
80
47,5%
70
60
50
40
Tyrkia
Romania
Hellas
Bulgaria
l
Kypros
Kroatia
Italia
Malta
Litauen
Polen
Ungarn
Spania
Latvia
Slovenia
Tsjekkia
Irland
EU snitt
Østerike
Estland
e
Belgia
Slovenia
Tyskland
nia
Finland
k
ourg
nd
Sverige
Norge
Island
Portuga
Danmar
Frankrik
Nederla
Storbrita
Luxemb
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 29
37. Internet service usage
90
83 84
77 Greece
71
60 Norway
61 EU-average
41 39 41 40
30 36
13 16
12
0
3 6
g
t ce
in
db es
d
e
es
gh er
rv t
nk
oa m
se ac
m
an
ic
ou m
Ba
br ho
ho
ic nt
- b om
bl co
ith te
et
of
ts C
eC
w iva
rn
pu e
ou s P
e
to nlin
id
te
Pr
ed les
In
O
us ire
W
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 30
38. Conclusions
• The mobile system is secure,
but...
– evolvement to provable security
– bring your own devices, heterogeneity
– from sensors to business decisions
• Building the IoT architecture
– Cross-layer intelligence & knowledge
– Accounting for security
• Measurable security
– Metrics describing threats
– Overlay description for system of systems
• Building the Ecosystem
– Human perspective: trust, privacy, context
The wo
– Security based on measures of components, rld is w
attacks and human interaction
i reless
Security, Privacy and Dependability in Mobile Networks Oct 2012, Josef Noll 31
39. CWI
My special thanks to
• JU Artemis and the Research • Sarfraz Alam (UNIK) and Geir
Councils of the participating Harald Ingvaldsen (JBV) for the
countries (IT, HE, PT, SL, NO, ES) train demo
• Andrea Fiaschetti for the semantic • Zahid Iqbal and Mushfiq
middleware and ideas Chowdhury for the semantics
• Inaki Eguia Elejabarrieta,Andrea • Hans Christian Haugli and Juan
Morgagni, Francesco Flammini, Carlos Lopez Calvet for the
Renato Baldelli, Vincenzo Suraci Shepherd ® interfaces
for the Metrices • and all those I have forgotten to
• Przemyslaw Osocha for running mention
the pSHIELD project, Luigi Trono
for running nSHIELD
Oct 2012, Josef Noll 32