Big data, Security, or Privacy in IoT: Choice is Yours
1. Dilum Bandara, PhD
Dept. of Computer Science & Engineering,
University of Moratuwa
Mobitel NB-IoT Forum, Mar 23, 2018
2. 2
Big Data
Privacy
Security
• Huge datasets that we capture, transfer,
store, & process to reveal associations,
patterns, & trends
• Volume, Variety, Velocity, & Veracity
• Protection of computing systems &
data that they store or access
• Confidentiality, Integrity, &
Availability (CIA)• Our interest in preventing
inappropriate collection, use,
& release of PII
• Privacy of personal behavior,
communications, & data
What
do I
want?
Security & Privacy
are afterthoughts
4. 4
High-end OBD2 +
GPS dongle to send
data directly to cloud
Dedicated GPS
trackers send data
directly to cloud
Low-end OBD2 dongle + App to send
data to cloud & gives real-time alerts
7. 7
Driver behavior detection
Change of driver
Driving under influence
Fatigue
Sensor failure detection
Mass Air Flow (MAF) sensor
Emission issues
Check Engine Light
8. Long-distance bus fitted with a GPS unit &
high-precision fuel sensor
Could you
explain variability in fuel consumption
predict fuel consumption of a journey
give tips to improve fuel consumption 8
?
• 4 months data
• Timestamp, Longitude,
Latitude, Elevation,
Distance, Speed,
Acceleration, Ignition
status, Battery voltage, Fuel
level, Fuel consumption
13. Being set up for flood control & water
management in Metro Colombo
Initial focus Kelani river basin
Entirely cloud-based
Weather Stations (9 50 100s)
Water-Level Gauges (2 12 34)
Controlling Flood Gates & Pumping Stations
Solar-powered Sensors & Communication
Reports data periodically to WSO2 IoT-Server
via HTTP over GSM
Secured via Password or Oauth2
authentication to IoT Server
Plans to use MQTT
13
14. Security Issues
Disabling & tampering of
devices
Unauthorized control of
sensors & actuators
Modification of data
Incorrect forecasts/warnings
DoS attacks
Privacy Issues
Use of driver profiles against
accident claims
Driver tracking
Business sensitive insights
Profiling for UBI
Flood insurance
Exposure of socio-economic
data
14
15. Massive no of DNS lookups
from 10+ millions IoT
devices infected with Mirai
malware
IP cameras, home gateways,
DVRs, & baby monitors
Simple attack
1. Scans for IPs
2. Try known 60 (username,
password) pairs via telnet
3. Load malware
4. Wait for commands
15
Source: TheUSBport
Credit: Joey Devilla, globalnerdy.com
16. # Attack Vulnerabilities
1 Insecure Web Interface Weak default credentials & no lockouts, credentials exposed in
traffic, XSS, SQL-injection, session management
2 Insufficient Authentication/
Authorization
Simple passwords, lack of role-based access control, lack of / by
passing separation of roles, no 2-factor authentication
3 Insecure Network Services Vulnerable Services - telnet, Buffer Overflow, Open Ports via UPnP
4 Lack of Transport Encryption Unencrypted Services, Poorly or Misconfigured SSL/TLS
5 Privacy Concerns Collection of Unnecessary (Personal) Data
6 Insecure Cloud Interface Account enumeration, no account lockout, credentials exposed in
traffic, weak API keys, weak or no encryption7 Insecure Mobile Interface
8 Insufficient Security
Configurability
Lack of granular permission & password control, lack of logging &
monitoring
9 Insecure Software/Firmware No update possible, Unencrypted & unsigned update files,
firmware with sensitive information
10 Poor Physical Security Access via USB/JTAG ports, removal of storage media 16
18. 1. Collect only what is essential to application
2. No defaults – Accounts, passwords, services
3. Use digital certificates for authentication
4. Use role-based access control
5. Use inbuilt & encrypted device storage – No SD cards
6. Web interface / console shouldn’t be susceptible to brute-force, SQLi,
XSS, & CSRF attacks
7. Use hardware-level encryption – AES, NB-IoT supports 2048-bit RSA
8. Should support secure boot & over-the-air updates – Encrypted & signed
firmware
9. Block USB/JTAG ports
10. Use tamperproof & rugged devices 18
19. 1. All communication must be secure – Plain text, REST API, MQTT
Use TLS v1.1 & v1.2 (not SSL v2/v3 or TLS V1.0)
Obtain certificates from a reliable CA – No default or self-signed certificates
2. Use secure underlying networks
NB-IoT, LTE-M, & EC-GSM-IoT are relatively better compared to LoRaWAN &
SigFox
Wi-Fi with WPA 2.0, ZigBee
Avoid Bluetooth
3. Use VPN – especially for gateways
4. Use VLANs
5. Application-level payload encryption
6. Use standard encryption algorithms
19
20. 1. Collect, process, & store only what is essential to application
2. No defaults – Accounts, passwords, services
3. Use role-based access control
4. Accounts should lockout
5. Use digital certificates for authentication & secure communication
6. Web interface / REAT API shouldn’t be susceptible to brute-force,
SQLi, XSS, & CSRF attacks
7. Use strong API keys & protect those keys
8. Strong encrypted data storage, unencrypt as you process
9. Use OAuth2 & 2-factor Authentication
10. Know your 3rd party tools & libraries
20
21. Collection of Big Data is a functional requirement
Security & Privacy are non-functional requirements
They are often in conflict!
Accept the fact that “You will be hacked!”
People are starting to realize “I should worry about my privacy…”
A bad IoT product in an extremely competitive market is a real killer
Choose a good balance from design, development, to deployment
Know, practice, & monitor
Follow OWASP Top 10 attacks & guidelines for Web Applications, Mobile, & IoT
21
Figure source - https://mic.lk/nbiot/
Volume – Amount of data
Variety – Different forms of data
Velocity – Speed at which they come
Veracity – Uncertainty associated with data
CIA triad – We want to achieve these 3 goals
PII - Personally Identifiable Information – where we are, what we do, who we love, what we buy
Privacy vs Security:
Movement wanting to know & control what appear on FB
Cambridge Analytica - personal data to change election results
40K, 20K, 2K
Mirai – The Future (Japanese)
OWASP – Open Web Application Security Project
OWASP Web Application & Mobile Top 10
XSS – Cross Site Scripting
UPnP - Universal Plug and Play
JTAG - used for debugging, programming and testing on virtually ALL embedded devices
Hardware encryption - Secure, faster, & energy efficient
62% of users said privacy is my biggest worry in IoT