Big data, Data Analytics, Security, and Privacy in IoT. Why do they conflict. Threats and solutions in selecting devices, network, and processing

1. Dilum Bandara, PhD
Dept. of Computer Science & Engineering,
University of Moratuwa
Mobitel NB-IoT Forum, Mar 23, 2018

2. 2
Big Data
Privacy
Security
• Huge datasets that we capture, transfer,
store, & process to reveal associations,
patterns, & trends
• Volume, Variety, Velocity, & Veracity
• Protection of computing systems &
data that they store or access
• Confidentiality, Integrity, &
Availability (CIA)• Our interest in preventing
inappropriate collection, use,
& release of PII
• Privacy of personal behavior,
communications, & data
What
do I
want?
Security & Privacy
are afterthoughts

3. 3
Reckless Driving
Driving
Anomaly
Detection
Fault Detection
& Prediction
Tracking &
Surveillance
Fuel
Fraud
IoT
Data
Anal
ytics
Smart
Driving

4. 4
High-end OBD2 +
GPS dongle to send
data directly to cloud
Dedicated GPS
trackers send data
directly to cloud
Low-end OBD2 dongle + App to send
data to cloud & gives real-time alerts

5. 5

6.  Real-time Analysis
 Driving anomaly detection
 Fuel fraud detection
 Geo fencing
 Vehicle fault detection
 Historical Analysis
 Driver profiling – UBI
 Driver coaching
 Predicting sensor failure
 Case analysis 6

7. 7
 Driver behavior detection
 Change of driver
 Driving under influence
 Fatigue
 Sensor failure detection
 Mass Air Flow (MAF) sensor
 Emission issues
 Check Engine Light

8.  Long-distance bus fitted with a GPS unit &
high-precision fuel sensor
 Could you
 explain variability in fuel consumption
 predict fuel consumption of a journey
 give tips to improve fuel consumption 8
?
• 4 months data
• Timestamp, Longitude,
Latitude, Elevation,
Distance, Speed,
Acceleration, Ignition
status, Battery voltage, Fuel
level, Fuel consumption

9. 9

10. 10
Actual Consumption : 84.08L
Predicted Consumption : 91.77L
Error: 9.1%
Gradient Boosting
Neural NetworkRandom Forest

11. 11

12. 12
www.curwsl.org

13.  Being set up for flood control & water
management in Metro Colombo
 Initial focus Kelani river basin
 Entirely cloud-based
 Weather Stations (9  50  100s)
 Water-Level Gauges (2  12  34)
 Controlling Flood Gates & Pumping Stations
 Solar-powered Sensors & Communication
 Reports data periodically to WSO2 IoT-Server
via HTTP over GSM
 Secured via Password or Oauth2
authentication to IoT Server
 Plans to use MQTT
13

14. Security Issues
 Disabling & tampering of
devices
 Unauthorized control of
sensors & actuators
 Modification of data
 Incorrect forecasts/warnings
 DoS attacks
Privacy Issues
 Use of driver profiles against
accident claims
 Driver tracking
 Business sensitive insights
 Profiling for UBI
 Flood insurance
 Exposure of socio-economic
data
14

15.  Massive no of DNS lookups
from 10+ millions IoT
devices infected with Mirai
malware
 IP cameras, home gateways,
DVRs, & baby monitors
 Simple attack
1. Scans for IPs
2. Try known 60 (username,
password) pairs via telnet
3. Load malware
4. Wait for commands
15
Source: TheUSBport
Credit: Joey Devilla, globalnerdy.com

16. # Attack Vulnerabilities
1 Insecure Web Interface Weak default credentials & no lockouts, credentials exposed in
traffic, XSS, SQL-injection, session management
2 Insufficient Authentication/
Authorization
Simple passwords, lack of role-based access control, lack of / by
passing separation of roles, no 2-factor authentication
3 Insecure Network Services Vulnerable Services - telnet, Buffer Overflow, Open Ports via UPnP
4 Lack of Transport Encryption Unencrypted Services, Poorly or Misconfigured SSL/TLS
5 Privacy Concerns Collection of Unnecessary (Personal) Data
6 Insecure Cloud Interface Account enumeration, no account lockout, credentials exposed in
traffic, weak API keys, weak or no encryption7 Insecure Mobile Interface
8 Insufficient Security
Configurability
Lack of granular permission & password control, lack of logging &
monitoring
9 Insecure Software/Firmware No update possible, Unencrypted & unsigned update files,
firmware with sensitive information
10 Poor Physical Security Access via USB/JTAG ports, removal of storage media 16

17. 17
Devices Network Storage & Processing
Image credit: www.ecomm.in/big-data-and-analytics.html

18. 1. Collect only what is essential to application
2. No defaults – Accounts, passwords, services
3. Use digital certificates for authentication
4. Use role-based access control
5. Use inbuilt & encrypted device storage – No SD cards
6. Web interface / console shouldn’t be susceptible to brute-force, SQLi,
XSS, & CSRF attacks
7. Use hardware-level encryption – AES, NB-IoT supports 2048-bit RSA
8. Should support secure boot & over-the-air updates – Encrypted & signed
firmware
9. Block USB/JTAG ports
10. Use tamperproof & rugged devices 18

19. 1. All communication must be secure – Plain text, REST API, MQTT
 Use TLS v1.1 & v1.2 (not SSL v2/v3 or TLS V1.0)
 Obtain certificates from a reliable CA – No default or self-signed certificates
2. Use secure underlying networks
 NB-IoT, LTE-M, & EC-GSM-IoT are relatively better compared to LoRaWAN &
SigFox
 Wi-Fi with WPA 2.0, ZigBee
 Avoid Bluetooth
3. Use VPN – especially for gateways
4. Use VLANs
5. Application-level payload encryption
6. Use standard encryption algorithms
19

20. 1. Collect, process, & store only what is essential to application
2. No defaults – Accounts, passwords, services
3. Use role-based access control
4. Accounts should lockout
5. Use digital certificates for authentication & secure communication
6. Web interface / REAT API shouldn’t be susceptible to brute-force,
SQLi, XSS, & CSRF attacks
7. Use strong API keys & protect those keys
8. Strong encrypted data storage, unencrypt as you process
9. Use OAuth2 & 2-factor Authentication
10. Know your 3rd party tools & libraries
20

21.  Collection of Big Data is a functional requirement
 Security & Privacy are non-functional requirements
 They are often in conflict!
 Accept the fact that “You will be hacked!”
 People are starting to realize “I should worry about my privacy…”
 A bad IoT product in an extremely competitive market is a real killer
 Choose a good balance from design, development, to deployment
 Know, practice, & monitor
 Follow OWASP Top 10 attacks & guidelines for Web Applications, Mobile, & IoT
21

22.  Students
 Sandareka Wickramanayake (MSc)
 Shashika Muramudalige (MSc, BSc)
 Gihan Karunarathne (MSc)
 Niranda Perera (MSc)
 Thilina Madumal (MSc)
 Biman Hettiarachchi (MSc)
 Chami Keerthisinghe (MSc)
 Lasitha Petthawadu (MSc)
 Asiri Liyana Arachchi (BSc)
 Malintha Amarasinghe (BSc)
 Sasikala Kottegoda (BSc)
 Pasindu Upulwan (BSc)
 Pubudu Meththananda (BSc)
 Amila Karunathilaka (BSc)
 Gayathri Kalani (BSc)
 Harishanth Thiraviyanathan (BSc)
 Sivarajan Balakumaran (BSc)
 Sajeevan Alagendirarajah (BSc)
 Nirojan Neethirajah (BSc)
 Research partners
 Mr. Nishal Samarasekera (Dept. of
TLM, UoM)
 Prof. Srikantha Herath (UNU,
Japan)
 Data & Exposure
 Nimbus Venture (Pvt) Ltd.
 TechCERT
 VaticHub
 Many other drivers who help us
collect data
22