Intel iSecCon2016 conference
I talk about the pyramid of IoT devices, sketch out some of the security and privacy issues, and present some of the ongoing work we are doing in this space at Carnegie Mellon University.
© 2016 Carnegie Mellon University

We Are Just Starting to Enter the Third Wave of Computing
• First Wave: Computation
  – Making the basics of computers work
• Second Wave: Networking
  – Connecting computers around the world
• Third Wave: Internet of Things (IoT)
  – Computation, communication, sensing, and actuation woven into our physical world
• IoT offers tremendous potential societal benefits
  – Healthcare, transportation, sustainability, energy, …

My Talk Today
• What are frameworks for thinking about the privacy and security problems?
• What are some opportunities for improving privacy and security for IoT?
  – No silver bullet, but lots of room for improvement
• What are some of the IoT-related projects we're doing at Carnegie Mellon University?

IoT Pyramid
Top Tier
• A few devices per person
• High computational power
• Ex. Tablets, glasses
Middle Tier
• Tens of devices per person
• Moderate computational power
• Ex. TVs, smart toys, laptops, smartphones, thermostats, refrigerators
Bottom Tier
• Hundreds of devices per person
• Low computational power
• Ex. HVAC, RFIDs, lightbulbs, smart toilets, implanted medical devices

IoT Security Issues
Top Tier Security
• Cybersecurity good today
• Can run endpoint protection
• Large corporations developing
Middle Tier Security
• Cybersecurity weak today
• Basic or no endpoint protection
• Spotty security protections
Bottom Tier Security
• Cybersecurity very poor today
• Weak or no endpoint protection
• Low manufacturer experience
• High diversity in hw, sw, OS
• Many devices never updated
• Major scalability challenges

How is IoT Security Different?
1. Physical Safety and Security
• Deliberate attacks
  – Ex. Crashing drones or autonomous vehicles
  – Note that most attackers won't do this

How is IoT Security Different?
1. Physical Safety and Security
• Different classes of attackers, different motives
• State-sponsored
  – State secrets, intellectual property, sow discord
• Non-state actors
  – Terrorism, advocacy for a cause
• Organized crime
  – Repeatable business model, stay under radar
• Disgruntled employee / Insider attack
• Script kiddies

How is IoT Security Different?
1. Physical Safety and Security
• More likely attack: Ransomware
  – Lock you out of your house unless you pay a ransom
  – Make videos of you at home public unless you pay
• Just as likely: attacks for the "lulz"
  – Tripping circuit breakers at the office
  – Remotely adjusting the thermostat to make it harder to sleep (or waste money, or let pipes freeze over)
• What kinds of safeguards for physical safety?
• Can we build models of normal vs abnormal behaviors for devices and apps, and enforce them?

How is IoT Security Different?
2. Scalability
• Billions of devices will need to be secured
  – Gartner estimates 20B devices by 2020
• Scale transforms easy into hard
  – Ex. Unique passwords for dozens of devices?
  – Ex. Security policies, with each device having a different user interface (most not having a display and keyboard)?
  – Ex. Physically locking down dozens of devices?
  – Ex. Installing software updates
• What kinds of network protocols, APIs, and middleware to help manage IoT devices at scale?

How is IoT Security Different?
2. Scalability
• Possible for attackers to search for and exploit vulnerabilities at scale
  – Ex. Mirai botnet DDoS attack Oct 2016
• Nightmare scenarios
  – Find vulnerabilities in smartphone-connected blood glucose monitors, inject fake data
  – Find vulnerable medical implants, hold people hostage
• Again, some kind of model or policy
  – Maybe formal model, maybe big data
• Better ways of using proximity for access?

How is IoT Security Different?
3. Diversity of IoT Devices
• Hundreds of different manufacturers for middle and bottom tier
  – Different operating systems, wireless networking, configuration software, log formats, cloud services
  – Poor or no I/O capabilities, each UI different too
• Result: fragmentation of cybersecurity
  – More network-based (vs endpoint) approaches
• Again, network protocols, APIs, and middleware to help configure and manage
• Can we also help people make good decisions?
  – Ex. Crowdsourcing or AI / Machine Learning

How is IoT Security Different?
4. Low Manufacturer Experience
• Most traditional software companies understand basics of good cybersecurity
• But most IoT will be developed by non-traditional hardware companies
  – Mostly middle and bottom tier
  – Ex. Lighting, toys, medical equipment, audio, household appliances
• And lots of small-scale manufacturers too
  – Ex. Kickstarter

How is IoT Security Different?
4. Low Manufacturer Experience
• Low experience + Lots of small manufacturers
• Result: Lots of really basic vulnerabilities
  – Poor software engineering practices for security
  – Lack of awareness, knowledge, motivation to be secure
• Result: Lots of unsupported devices
  – Small manufacturers will go out of business
  – Or end of life from bigger manufacturers
• How can we help devs with low experience?
• How to offer security for a lifespan of decades?

How is IoT Security Different?
5. Lots of Unexpected Emergent Behaviors
• Are there better ways of testing / simulating?
• Can we define overall properties for connected systems?

Why Does IoT Privacy Matter?
• Pew Internet study about smartphones (2012)
  – 54% did not install an app because of how much personal information the app requested
  – 30% uninstalled an app after learning about app behaviors
• Countless news articles, blog posts, op-ed pieces, books about privacy concerns
Privacy may be the greatest barrier to creating a ubiquitously connected world

Taxonomy of IoT Privacy
Device Perspective
• Awareness of devices/apps and sensors/logs
• Depth of sensing
  – How rich the sensing and user models are
• Temporal scale
• Input/Output capabilities
• Privacy software
• Third-party software
  – Whether other apps can be run on device

IoT Privacy Issues
Top Tier Privacy
• High awareness of devices
• Rich depth in sensing
• High temporal scale
• Rich I/O
• Lots of third-party apps (the major privacy problem)
Middle Tier Privacy
• Hybrid of other tiers
Bottom Tier Privacy
• Low awareness of devices + apps
• Shallow to rich sensing
• Low to high temporal scale
• Poor I/O
• Few if any third-party apps
• Scale (major privacy problem)

How Can We Make Invisible Information Flows Visible?
• For top tier, people will be pretty aware of devices
  – Stylish form factors meant to get attention
• The main privacy challenge for top-tier is understanding what your apps are doing
  – This is a hard problem but one we are starting to figure out for smartphones

Privacy as Expectations
Use crowdsourcing to compare what people expect an app to do vs what an app actually does
• We crowdsourced expectations of 837 apps
  – Ex. "How comfortable are you with Drag Racing using your location for ads?"
• Created a model to predict people's likely privacy concerns and applied it to 1M Android apps
[Figure: App Behavior (what an app actually does) compared against User Expectations (what people think the app does)]

Impact of this Research
• Lots of popular press (NYTimes, CNN, BBC, CBS)
• Earlier work helped lead to FTC fines
• Google replicated PrivacyGrade internally
• Seen improvements in grades over time
• Some developers put out press releases about improving their privacy behaviors
• Static analysis, dynamic analysis, crowd analysis
  – To address subjective aspects of privacy
• Privacy today places burden on end-users
  – How can we help other parts of ecosystem do better?

How Can We Make Invisible Information Flows Visible?
• For bottom-tier devices, devices are non-obvious
• CMU Giotto IoT Expedition Supersensors
  – Air temp, humidity, pressure, 6-axis IMU, grid eye, …
• How to increase awareness of devices like this?

Long-Term Privacy and Security Issues
1. Designing For Awareness
• What are tradeoffs in notification styles?
  – Audio, visual, motion, haptic, smartphone
• Can we create new conventions?
  – Ex. Like light switches near doorways
• Cost-benefit models of notifications?
  – Getting lots of notifications is distracting
  – Getting uninteresting notifications is annoying
  – Ex. First time, sensitivity of data, identifiability
• Can we make it so a person can understand what data is being sensed in a room within 30 seconds?

Long-Term Privacy and Security Issues
2. Facilitating Privacy and Security on Low-End Devices
• What kinds of middleware infrastructure can we build to help with basic privacy and security?
  – Offer common middleware services to simplify design and deployment of middle and bottom tiers
  – Ex. Access control, filtering, and software updates
  – Ex. What sensors a device has, what data it collects, what servers it connects to, how concerning

Long-Term Privacy and Security Issues
3. Useful Defaults for Sharing
• Let's say we have a person locator for a campus
  – If default is "share nothing", underutilized and no value
  – If default is "share everything", too creepy
• Can we figure out useful defaults that balance utility with privacy?
  – Ex. "On campus" or "not"
  – Ex. "In office" or "not"
  – Ex. {"office", "on campus", $city}

Long-Term Privacy and Security Issues
4. Using Big Data for Privacy
• Paradox: use more data to improve privacy?
• Use data to infer relationships and set defaults
  – Ex. People are more likely to share data with close friends and family
    • Use contact list, call log, SMS log, co-location, etc
  – Ex. Employees are more likely to share data with close teammates
    • Use floorplan, WiFi co-location, co-authorship, etc
Wiese, J. et al. Are you close with me? Are you nearby? Investigating social groups, closeness, and willingness to share. Ubicomp 2011.
Cranshaw, J. et al. Bridging the Gap Between Physical Location and Online Social Networks. Ubicomp 2010.

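One way the two slides above fit together, as an added example that is not Giotto or CMU code: co-location data infers how close a requester is to the person being located, and that closeness picks the coarsest default label ("in office", "on campus", city, or "away") that is ever revealed. The campus geometry, office coordinates, co-location hours and thresholds are all constructed for the example.

```python
# Added example (not Giotto project code): a sharing default that reveals only
# the coarsest location label a requester's relationship earns, in the spirit
# of the talk's {"office", "on campus", $city} levels. The campus geometry,
# co-location data and thresholds below are constructed.
from math import hypot

OFFICE_RADIUS = 5.0       # metres; constructed
CAMPUS_RADIUS = 800.0     # metres from campus origin; constructed
CITY_RADIUS = 10_000.0    # metres from campus origin; constructed
CITY = "Pittsburgh"
OFFICES = {"alice": (120.0, 40.0)}  # constructed office coordinates

def infer_relation(colocated_hours_per_week):
    """Constructed rule standing in for 'use co-location to infer relationships'."""
    if colocated_hours_per_week >= 10:
        return "teammate"
    if colocated_hours_per_week >= 1:
        return "colleague"
    return "other"

# Finest label each relationship may see by default.
TIER_BY_RELATION = {"teammate": "office", "colleague": "campus", "other": "city"}

def coarsen(owner, pos, tier):
    """Map a raw (x, y) position to the coarsest label allowed for this tier."""
    ox, oy = OFFICES[owner]
    in_office = hypot(pos[0] - ox, pos[1] - oy) <= OFFICE_RADIUS
    on_campus = hypot(*pos) <= CAMPUS_RADIUS
    in_city = hypot(*pos) <= CITY_RADIUS
    if tier == "office" and in_office:
        return "in office"
    if tier in ("office", "campus") and on_campus:
        return "on campus"
    return CITY if in_city else "away"

def share_default(owner, requester, colocation, pos):
    """What 'requester' sees of 'owner' absent any explicit setting."""
    hours = colocation.get((owner, requester), 0)
    return coarsen(owner, pos, TIER_BY_RELATION[infer_relation(hours)])

# Constructed weekly co-location hours, as a WiFi or floorplan log might yield.
COLOCATION = {("alice", "bob"): 25, ("alice", "carol"): 3}

if __name__ == "__main__":
    at_desk = (121.0, 41.0)
    for who in ("bob", "carol", "dave"):
        print(who, "sees:", share_default("alice", who, COLOCATION, at_desk))
```

Note that a "campus"-tier requester never sees "in office" even when the owner is at her desk, which is the property a default like this has to guarantee.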
Giotto IoT Stack
• Define open hardware and software stack for IoT ecology
• Extensible and integrated
• Pluggable modules
• Security & privacy sensitive
• Integrated machine learning
• End-user programmable
• Widely deployable
• Enhance human-human, human-system, and human-environment interaction

Giotto Privacy
Privacy at Physical, Logical, App layers
• Better programming abstractions
  – Ex. "home" vs raw GPS, "loud" vs raw microphone
  – Make it easier for devs, with privacy as a side effect
• Devs specify purposes in apps and we verify
  – Ex. "Uses contacts for advertising"
  – Ex. "Uses location for maps"
  – Use static, dynamic, and crowd analysis
• How do people's privacy concerns vary?
  – By kind of data, granularity, who is seeing it, purpose
• Useful defaults to balance privacy and utility

IoT Hub
• Open source hub device for connecting devices
  – Ex. Battery life of devices, connect devices together
  – Ex. Check for patches, filtering (default passwords), Manufacturer Usage Descriptions, proximity
  – Ex. Centralize telemetry and learn patterns
• How should devices be structured?
  – Metadata: URL for software updates
  – APIs: authentication
[Figure: IoT appliances – IoT Hub – Internet]

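The hub's filtering bullet and the earlier question about modelling normal vs abnormal device behaviour and enforcing it share one mechanism, shown here as an added example that is not Giotto code: a device's "normal" is the union of what its vendor declares (a Manufacturer Usage Description, reduced here to host/port/protocol tuples) and what the hub observed during an enrollment window, and any later flow outside that set is what the hub blocks or reports. The device profile, hostnames and flow records are constructed; a real hub would load the vendor's MUD file and log destination names from its own DNS resolver.

```python
# Added example (not Giotto project code): a hub-side allowlist check in the
# spirit of a Manufacturer Usage Description. Device profiles, hostnames and
# flow records below are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "device dst port proto")

# Constructed MUD-style profile: the only endpoints a lightbulb claims to need.
DECLARED = {
    "lightbulb": {
        ("updates.vendor.invalid", 443, "tcp"),
        ("ntp.vendor.invalid", 123, "udp"),
    },
}

def learn_baseline(flows):
    """Build a per-device 'normal' set from flows seen during enrollment."""
    baseline = {}
    for f in flows:
        baseline.setdefault(f.device, set()).add((f.dst, f.port, f.proto))
    return baseline

def is_expected(flow, declared=DECLARED, baseline=None):
    """A flow is expected if the vendor declared it or enrollment observed it."""
    key = (flow.dst, flow.port, flow.proto)
    if key in declared.get(flow.device, set()):
        return True
    return baseline is not None and key in baseline.get(flow.device, set())

def audit(flows, declared=DECLARED, baseline=None):
    """Return the flows a hub should block or alert on."""
    return [f for f in flows if not is_expected(f, declared, baseline)]

# Constructed enrollment window: the bulb talking to its hub on the LAN.
ENROLL = [Flow("lightbulb", "192.168.1.2", 5683, "udp")]
BASELINE = learn_baseline(ENROLL)

# Constructed later telemetry: one flow matches neither source of 'normal'.
LATER = [
    Flow("lightbulb", "updates.vendor.invalid", 443, "tcp"),
    Flow("lightbulb", "192.168.1.2", 5683, "udp"),
    Flow("lightbulb", "203.0.113.9", 6667, "tcp"),
]

if __name__ == "__main__":
    for f in audit(LATER, baseline=BASELINE):
        print("unexpected:", f)
```

Without the enrollment baseline the LAN flow to the hub would also be flagged, which is why the declared profile alone is rarely enough for a bottom-tier device.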
What is the Value of IoT?
• Security, privacy, and management costs quickly outweigh value of IoT devices
[Figure: Value vs. Number of Devices, showing today's IoT trajectory]

What is the Value of IoT?
• Can we make it so that value is linear or even superlinear with devices and services?
[Figure: Value vs. Number of Devices, showing today's IoT trajectory and the desired IoT trajectory]

What Can Intel Do?
• Consider more human factors and social factors
  – Chips, sensors, software dev, data mgt
  – Policies, UI + understandability, social influences
• Better ways of supporting devs
  – Most devs have no knowledge of privacy + security
• Support better privacy and security education
  – Need strong push from industry to make it happen
  – Go beyond just CompSci too (psych, design, biz)
• Join our Giotto Expedition (open source)
• Consider ISTC on Privacy or on IoT
  – Make a big push in cooperation with academia

Thanks!
More info at cmuchimps.org or email jasonh@cs.cmu.edu
Read more:
• Towards a Safe and Secure Internet of Things
  https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/
Special thanks to:
• NSF
• Alfred P. Sloan
• NQ Mobile
• DARPA
• Google
• CMU Cylab
• New America

What Can We Do About IoT Security?
• Better cybersecurity education
• Better collections of best practices
• More data sharing
• Cybersecurity insurance
• Better legal protections
• Larger centers for IoT privacy and security
https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/

What Can We Do About IoT Security?
Policy Perspective: Better Cybersecurity Education
• About half of developers don't have CS degrees
• Can we make security education required in CS?
• Can we also expand cybersecurity education?
  – Ex. Psychology: learn about social engineering
  – Ex. Visual design: learn about warnings + compliance

What Can We Do About IoT Security?
Policy Perspective: Better Collections of Best Practices
• We need to go beyond high-level guidelines
• What we still need
  – Better code examples (lots of copy-and-paste)
  – Better toolchains and stacks
  – Better automated analysis tools
  – Simpler ways of distributing patches
  – Collections of design patterns
• Lots of opportunities for big companies
  – Most breaches are relatively simple
  – Addressing basic issues means lots of positive impact

What Can We Do About IoT Security?
Policy Perspective: More Data Sharing
• Many major data breaches in past few years
  – Sony, RSA, LinkedIn, Yahoo, Target, OPM, and more
• But we have learned very little, no real data
  – These are our version of the Tacoma Narrows bridge

What Can We Do About IoT Security?
Policy Perspective: More Data Sharing
• We need organizations that can:
  – Help investigate the coming IoT failures
  – Disseminate knowledge to help prevent future failures in design and implementation
  – While also minimizing blame
• Lots of challenges
  – Lots of proprietary information involved in failures
  – Who will fund this?

What Can We Do About IoT Security?
Policy Perspective: Better Legal Protections
• DMCA limits what researchers can do due to anti-circumvention provisions
  – Need to get permission from manufacturers
  – Exceptions:
    • Consumer devices, motorized land vehicles, medical devices
    • But slow, triennial reviews from Library of Congress
  – And consumer devices only one part of IoT

IoT Privacy Issues
Input/Output
• Same challenge as for security
  – Top-tier devices will have really good I/O capabilities
  – Bottom-tier will not have mouse, keyboard, display
  – Scalability makes everything harder
• Can we develop network protocols and APIs to help configure and manage devices and apps?
• Can we also help people make good decisions?
  – Ex. Crowdsourcing or AI / Machine Learning