Le principe est d’appliquer des mécanismes de contrôle dynamiques et fins sur les communications des objets (entre eux ou bien vers le cloud) sous le contrôle des utilisateurs.

1. © 2018 Nokia1
Sécurisation du réseau
des objets connectés
Bell Labs Future-X Future Spaces project (BL Paris-Saclay & Antwerp)
Open Source Innovation Spring - OSIS - Track IoT Critique 2018
Nicolas Le Sauze, Nokia Bell Labs France, IoT Control Research Department Head
24-05-2018
Public

2. © 2018 Nokia2 Public© 2018 Nokia2
Disclaimer
This presentation does not
represent the Nokia Strategy
on IoT, but the vision pursued
within an on-going research
project in Bell Labs

3. © 2018 Nokia3 Public
Big problem we want to solve
INTUITIVELY SECURE & ORGANIZE YOUR CONNECTED LIFE
CLOUD
Devices Cloud Applications
Who connects to
my IPv6 devices
Where does my
data go?
How do I make X
and Y work ?
How to better
protect from
vulnerabilities

4. © 2018 Nokia4
Empowering people to seamlessly & safely organize their connected lives
Future Spaces Project
Easiness of use & auto-configurability
• Intuitively and securely manage all your connected
assets through simple concepts and UIs
• Automation support to limit users burden
Fine-grained access control
• Dynamic fine-grained grouping of all your assets
• Naturally supporting multiple usage contexts and
intents
Multi-user, multi-party & multi-location
• Easily discover and interact with third party assets
• Securely and temporarily share your assets with others
Automatic security & privacy protection
• Strong isolation of assets with automatic policy
enforcement
• Protecting data privacy (e.g. home vs cloud hosting)
Public
Work
Home
Family
Health

5. © 2018 Nokia5
Enabling Fundamental concepts
Virtual places, managing all your assets
• Devices, public/private cloud services, personal content/data, policies,…
• Have secure access to your assets wherever you go
Secured vSpaces, contextually organizing multiple assets
• Grouping of assets across multiple contexts, spanning multiple vPlaces
• Assisting you for various tasks (e.g on-boarding new device, create an
isolated visitor spaces) through an automation layer and intuitive
interfaces
Advanced network & policy controller
• Isolating devices and services through a programmable network
• Multi-stakeholder policy resolution & enforcement
Improve Trust, protecting your assets and interests
• Monitoring the behavior of all assets, anomaly detection, etc.
Public
vPlace
vSpace 3: Work
vSpace 1: Home
vPlace
vSpace 2: Visitors

6. © 2018 Nokia6 Public
Building on current technological transformations
• Device virtualization: Virtualization of network equipment (virtual gateway) & devices
(virtual objects) to group multiple locations/devices under a unique managing entity
• Service cloudification: Distributed micro-service deployment and orchestration
• Automation: Business specific assistants translating users’ intents into network control
inputs via SDN

7. © 2018 Nokia7
Future Spaces Gateways: OpenWRT-based access points to the FS platform
Public
IPv6oBLE
Physical
FSGWs
Software
FSGWs
Mifi-Like Battery
powered devices
Home/Enterprise
Wifi Access Points
DSL/Cable/PON
Modems
PC Software
Helping IoT devices
in the
neighborhood
Android App
Performing
Wifi Tethering
FSGW
WIFI
https/node.js
WIFI:
▪ Open Wifi
▪ Hotspots
▪ Private Wifi
▪ Other FSGW
Radius
Eth
SmartDevices

8. © 2018 Nokia8 Public
An OpenStack-based cloud, an SD-LAN overlay network, & a smart assistant
• Distributed cloud infrastructure
- Dual orchestration (VMs + Containers)
- Physical Future Spaces gateways under
different form factors
- Virtual Place: collection of interconnected
domain resources
• Automation support
- Policy support for safe sharing of
devices in multi-tenants contexts
- Pluggable framework for automation
processes and business logic assistants
• Software Defined LAN
- Isolation-oriented network slices
grouping devices, possibly across domains
- LAN-like communication within a slice
(supporting unicast & multicast traffic
across multiple places)
• Security functions
- Monitoring/fingerprinting of devices
- Whitelisting device communications
- Secured guest devices onboarding
- Crowd-sourced device trust evaluation

9. © 2018 Nokia9 Public
Simple UIs to safely and intuitively onboard and organize devices
SD-LAN end-user programming

10. © 2018 Nokia10 Public
Travelling user connecting to his home & local environment
Example of use cases: Smart Homes & Multi-tenant device usage
Home sweet home
In Antwerpen
Wired
Wifi
Wifi or Wired
Future Spaces
user Controller
Media vSpace
Security vSpace
CLOUD
MyGW

11. © 2018 Nokia11
Collaboration with BL security research
Automating risk management for (home) IoT devices (1) – on-going work
Network automation for IoT
devices implies automated risk
management
• Network-based traffic blocking must be
seen as protective, not as a denial of
service
• Risk management must be based on
individual (non expert) users’ sensitivity
• Security settings should be intuitive and
continuously connected to the device
trust assessment
Public
user-friendly trust level classification
Limitations of local Trust evaluation
• Local intelligence can detect local abnormal/suspicious behaviors, but
• Need for an observation period and sufficient local analysis capabilities
• Potentially limited deviations, non exploitable in the local user context
• Rogue activities are not shared among different networks
Level Trust Label Scale of the impact Device Instances
1 Suspect Irrelevant Groups of benign devices such as anonymous sensors
2 Average minor annoyance Devices leaking « funny pictures », gaming environment
3 Good major annoyance Device hosting data that may harm one’s career or personal relations
4 Very Good Life-changing Connected door-lock leaving way to burglar, device hosting crucial
financial, health or self incriminating data
5 Pristine Life or death level Critical medical equipment like a connected insulin pump or
pacemaker firmware flashing device
LEVERAGING CROWD OBSERVATION TO EVALUATE DEVICE (CLASS) TRUSTWORTHINESS

12. © 2018 Nokia12 Public
Collaboration with BL security research
Automating risk management for (home) IoT devices (2) – on-going work
FSGW vPlace
Components
1. TERMS of use specify a “normal” network behavior
for each device as designed by the manufacturer (and
possibly latter on further refined by third parties).
Example: IETF MUD
3. The crowd-sourced reputation system easily allows
to add/remove automatically devices from vSpaces
comparing the trust expectations of vSpaces to the
current estimated trust of the device
2. Deviations from the TERMS are monitored locally
and reported in a distributed database (e.g.
blockchain) and used globally to build devices (or
class of devices) reputations
Local reports
Crowd-based
trust evaluation

13. © 2018 Nokia13 Public
Possible use cases in various IoT environments
Smart home
Securing, accessing & sharing
your home devices in a IoT
world
Smart Office
 Integrating Guest/IoT/BYOD
networks & streamlining wifi
onboarding
 Facilitating & securing
cross-location collaboration
in IoT era
Smart Industry
Secure & easy (remote)
maintenance, etc.
Smart Cities
Libraries, train stations,...: get
easy wifi access to relevant IoT
devices & securely link them to
you own
Smart Business
Hotels, AirBnB, restaurants,
fitness alleys, etc.
How to easily get connected
securely & temporarily to
foreign devices/services, link
them with your owns
Smart Health
Temporarily give remote/local
access to others (e.g., remote
patient/doctor, elderly care,
etc.)

15. © 2018 Nokia15 Public
Copyright and confidentiality
The contents of this document are proprietary and
confidential property of Nokia. This document is
provided subject to confidentiality obligations of the
applicable agreement(s).
This document is intended for use of Nokia’s
customers and collaborators only for the purpose
for which this document is submitted by Nokia. No
part of this document may be reproduced or made
available to the public or to any third party in any
form or means without the prior written permission
of Nokia. This document is to be used by properly
trained professional personnel. Any use of the
contents in this document is limited strictly to the
use(s) specifically created in the applicable
agreement(s) under which the document is
submitted. The user of this document may
voluntarily provide suggestions, comments or other
feedback to Nokia in respect of the contents of this
document ("Feedback").
Such Feedback may be used in Nokia products and
related specifications or other documentation.
Accordingly, if the user of this document gives Nokia
Feedback on the contents of this document, Nokia
may freely use, disclose, reproduce, license,
distribute and otherwise commercialize the
feedback in any Nokia product, technology, service,
specification or other documentation.
Nokia operates a policy of ongoing development.
Nokia reserves the right to make changes and
improvements to any of the products and/or
services described in this document or withdraw this
document at any time without prior notice.
The contents of this document are provided "as is".
Except as required by applicable law, no warranties
of any kind, either express or implied, including, but
not limited to, the implied warranties of
merchantability and fitness for a particular purpose,
are made in relation to the accuracy, reliability or
contents of this document. NOKIA SHALL NOT BE
RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS
DOCUMENT or for any loss of data or income or any
special, incidental, consequential, indirect or direct
damages howsoever caused, that might arise from
the use of this document or any contents of this
document.
This document and the product(s) it describes
are protected by copyright according to the
applicable laws.
Nokia is a registered trademark of Nokia
Corporation. Other product and company names
mentioned herein may be trademarks or trade
names of their respective owners.