©2016CarnegieMellonUniversity:1
Privacy and Security for the
Emerging Internet of Things
Intel iSecCon 2016
Jason Hong
@jas0nh0ng
jasonh@cs.cmu.edu
Computer
Human
Interaction:
Mobility
Privacy
Security
We Are Just Starting to Enter
the Third Wave of Computing
• First Wave: Computation
– Making the basics of computers work
• Second Wave: Networking
– Connecting computers around the world
• Third Wave: Internet of Things (IoT)
– Computation, communication, sensing, and
actuation woven into our physical world
• IoT offers tremendous potential societal benefits
– Healthcare, transportation, sustainability, energy, …
New Privacy and Security Challenges
My Talk Today
• What are frameworks for thinking about the
privacy and security problems?
• What are some opportunities for improving
privacy and security for IoT?
– No silver bullet, but lots of room for improvement
• What are some of the IoT-related projects we’re
doing at Carnegie Mellon University?
IoT Pyramid
Top Tier
• A few devices per person
• High computational power
• Ex. Tablets, Glasses, Laptops, Smartphones
Middle Tier
• Tens of devices per person
• Moderate computational power
• Ex. TVs, Smart Toys, Thermostats, Refrigerators
Bottom Tier
• Hundreds of devices per person
• Low computational power
• Ex. HVAC, RFIDs, Lightbulbs, Smart toilets, Implanted medical devices
IoT Security Issues
Top Tier Security
• Cybersecurity good today
• Can run endpoint protection
• Large corporations developing
Middle Tier Security
• Cybersecurity weak today
• Basic or no endpoint protection
• Spotty security protections
Bottom Tier Security
• Cybersecurity very poor today
• Weak or no endpoint protection
• Low manufacturer experience
• High diversity in hw, sw, OS
• Many devices never updated
• Major scalability challenges
How is IoT Security Different?
1. Physical Safety and Security
• Deliberate attacks
– Ex. Crashing drones or autonomous vehicles
– Note that most attackers won’t do this
How is IoT Security Different?
1. Physical Safety and Security
• Different classes of attackers, different motives
• State-sponsored
– State secrets, intellectual property, sow discord
• Non-state actors
– Terrorism, advocacy for a cause
• Organized crime
– Repeatable business model, stay under radar
• Disgruntled employee / Insider attack
• Script kiddies
How is IoT Security Different?
1. Physical Safety and Security
• More likely attack: Ransomware
– Locked out of your house unless you pay a ransom
– Make videos of you at home public unless you pay
• Just as likely: attacks for the “lulz”
– Tripping circuit breakers at office
– Remotely adjusting thermostat to make it harder to sleep
(or waste money, or let pipes freeze over)
• What kinds of safeguards for physical safety?
• Can we build models of normal vs abnormal
behaviors for devices and apps, and enforce?
How is IoT Security Different?
2. Scalability
• Billions of devices will need to be secured
– Gartner estimates 20B devices by 2020
• Scale transforms easy into hard
– Ex. Unique passwords for dozens of devices?
– Ex. Security policies, each device having different user
interface (most not having a display and keyboard)?
– Ex. Physically locking down dozens of devices?
– Ex. Installing software updates
• What kinds of network protocols, APIs, and
middleware to help manage IoT devices at scale?
How is IoT Security Different?
2. Scalability
• Scalability also enables new classes of attacks
http://shodan.io
How is IoT Security Different?
2. Scalability
• Possible for attackers to search for and exploit
vulnerabilities at scale
– Ex. Mirai botnet DDoS attack Oct 2016
• Nightmare scenarios
– Find vulnerabilities in smartphone-connected
blood glucose monitors, inject fake data
– Find vulnerable medical implants, hold people hostage
• Again, some kind of model or policy
– Maybe formal model, maybe big data
• Better ways of using proximity for access?
How is IoT Security Different?
3. Diversity of IoT Devices
• Hundreds of different manufacturers for middle
and bottom tier
– Different operating systems, wireless networking,
configuration software, log formats, cloud services
– Poor or no I/O capabilities, each UI different too
• Result: fragmentation of cybersecurity
– More network-based (vs endpoint) approaches
• Again, network protocols, APIs, and middleware
to help configure and manage
• Can we also help people make good decisions?
– Ex. Crowdsourcing or AI / Machine Learning
How is IoT Security Different?
4. Low Manufacturer Experience
• Most traditional software companies understand
basics of good cybersecurity
• But most IoT will be developed by non-traditional
hardware companies
– Mostly middle and bottom tier
– Ex. Lighting, toys, medical equipment, audio,
household appliances
• And lots of small-scale manufacturers too
– Ex. Kickstarter
106 Projects at Kickstarter for “iot”
327 Projects at Kickstarter for “sensor”
605 Projects at Kickstarter for “wireless”
How is IoT Security Different?
4. Low Manufacturer Experience
• Low experience + Lots of small manufacturers
• Result: Lots of really basic vulnerabilities
– Poor software engineering practices for security
– Lack of awareness, knowledge, motivation to be secure
• Result: Lots of unsupported devices
– Small manufacturers will go out of business
– Or end of life from bigger manufacturers
• How can we help devs with low experience?
• How to offer security for lifespan of decades?
How is IoT Security Different?
5. Lots of Unexpected Emergent Behaviors
• Are there better ways of testing / simulating?
• Can we define overall properties for connected
systems?
Why Does IoT Privacy Matter?
• Pew Internet study about smartphones (2012)
– 54% did not install app b/c of how much personal
information app requested
– 30% uninstalled an app after learning about app
behaviors
• Countless news articles, blog posts, op-ed
pieces, books about privacy concerns
Privacy may be the greatest barrier to creating
a ubiquitously connected world
Taxonomy of IoT Privacy
Device Perspective
• Awareness of devices/apps and sensors/logs
• Depth of sensing
– How rich the sensing and user models are
• Temporal scale
• Input/Output capabilities
• Privacy software
• Third-party software
– Whether other apps can be run on device
IoT Privacy Issues
Top Tier Privacy
• High awareness of devices
• Rich depth in sensing
• High temporal scale
• Rich I/O
• Lots of third-party apps
(the major privacy problem)
Middle Tier Privacy
• Hybrid of other tiers
Bottom Tier Privacy
• Low awareness of devices + apps
• Shallow to rich sensing
• Low to high temporal scale
• Poor I/O
• Few if any third-party apps
• Scale (major privacy problem)
IoT Privacy
Awareness
How Can We Make Invisible Information
Flows Visible?
• For top tier, people will be pretty aware of
devices
– Stylish form factors meant to get attention
• The main privacy challenge for top-tier is
understanding what your apps are doing
– This is a hard problem, but one we are starting
to figure out for smartphones
What Are Your Apps Really Doing?
• Shares your location, gender, unique phone ID, phone# with advertisers
• Uploads your entire contact list to their server (including phone #s)
Many Smartphone Apps Have “Unusual” Permissions
• Location Data, Unique device ID
• Location Data, Network Access, Unique device ID
• Location Data, Microphone, Unique device ID
PrivacyGrade.org
• Improve transparency
• Assign privacy grades to
all 1M+ Android apps
Privacy as Expectations
Use crowdsourcing to compare what people
expect an app to do vs what an app actually does
• We crowdsourced expectations of 837 apps
– Ex. “How comfortable are you with
Drag Racing using your location for ads?”
• Created a model to predict people’s likely
privacy concerns and applied to 1M Android apps
[Diagram: App Behavior (what an app actually does) vs. User Expectations (what people think the app does)]
How PrivacyGrade Works
Impact of this Research
• Lots of popular press (NYTimes, CNN, BBC, CBS)
• Earlier work helped lead to FTC fines
• Google replicated PrivacyGrade internally
• Seen improvements in grades over time
• Some developers put out press releases about
improving their privacy behaviors
• Static analysis, dynamic analysis, crowd analysis
– To address subjective aspects of privacy
• Privacy today places burden on end-users
– How can we help other parts of ecosystem do better?
How Can We Make Invisible Information
Flows Visible?
• For bottom-tier devices, the devices themselves are non-obvious
• CMU Giotto IoT Expedition Supersensors
– Air temp, humidity, pressure, 6-axis IMU, grid eye, …
• How to increase awareness of devices like this?
Signifiers.io
• Project by some of our Master’s of HCI students
Signifiers.io
Amazon Alexa and Google Home (Voice)
Signifiers.io
Smart TVs Sensing Video and Audio
Signifiers.io
Webcams Sensing Video and Audio
Long-Term Privacy and Security Issues
1. Designing For Awareness
• What are tradeoffs in notification styles?
– Audio, visual, motion, haptic, smartphone
• Can we create new conventions?
– Ex. Like light switches near doorways
• Cost-benefit models of notifications?
– Getting lots of notifications is distracting
– Getting uninteresting notifications is annoying
– Ex. First time, sensitivity of data, identifiability
• Can we make it so a person can understand what
data is being sensed in a room within 30 seconds?
Long-Term Privacy and Security Issues
2. Facilitating Privacy and Security on Low-End Devices
• What kinds of middleware infrastructure can we
build to help with basic privacy and security?
– Offer common middleware services to simplify
design and deployment of middle and bottom tiers
– Ex. Access control, filtering, and software updates
– Ex. What sensors a device has, what data it collects,
what servers it connects to, how concerning
Long-Term Privacy and Security Issues
3. Useful Defaults for Sharing
• Let’s say we have a person locator for a campus
– If default is “share nothing”, underutilized and no value
– If default is “share everything”, too creepy
• Can we figure out useful defaults that balance
utility with privacy?
– Ex. “On campus” or “not”
– Ex. “In office” or “not”
– Ex. {“office”, “on campus”, $city}
Long-Term Privacy and Security Issues
4. Using Big Data for Privacy
• Paradox: use more data to improve privacy?
• Use data to infer relationships and set defaults
– Ex. People are more likely to share data with close
friends and family
• Use contact list, call log, SMS log, co-location, etc
– Ex. Employees are more likely to share data with
close teammates
• Use floorplan, WiFi co-location, co-authorship, etc
Wiese, J. et al. Are you close with me? Are you nearby? Investigating social groups,
closeness, and willingness to share. Ubicomp 2011.
Cranshaw, J. et al. Bridging the Gap Between Physical Location and Online Social Networks.
Ubicomp 2010.
• Insert graph here
• Describe entropy
Higher Place Entropy -> More Comfort
Toch et al, Empirical Models of Privacy in Location Sharing, Ubicomp 2010
Two Research Projects at Carnegie
Mellon University
• Giotto IoT Expedition
• IoT Hub for Homes
Giotto IoT Stack
• Define open hardware and software stack for IoT ecology
• Extensible and integrated
• Pluggable modules
• Security & privacy sensitive
• Integrated machine learning
• End-user programmable
• Widely deployable
• Enhance human-human and human-system and human-environment interaction
Giotto Privacy
Privacy at Physical, Logical, App layers
• Better programming abstractions
– Ex. “home” vs raw GPS, “loud” vs raw microphone
– Make it easier for devs with privacy as side effect
• Devs specify purposes in apps and we verify
– Ex. “Uses contacts for advertising”
– Ex. “Uses location for maps”
– Use static, dynamic, and crowd analysis
• How do people’s privacy concerns vary?
– By kind of data, granularity, who is seeing it, purpose
• Useful defaults to balance privacy and utility
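An added sketch (not Giotto code and not code from the talk) of the “home” vs raw GPS abstraction above, combined with the defaults from “3. Useful Defaults for Sharing”: a requester only ever receives a coarse label chosen by a per-relationship default. The geofences, the city name, the relationship names and the default mapping are assumptions made up for illustration.

```python
import math
from typing import Optional

# Constructed geofences (lat, lon, radius in metres); not real places.
OFFICE = (40.0020, -80.0000, 60)
CAMPUS = (40.0000, -80.0000, 800)
CITY = ("Exampleville", 40.0000, -80.0000, 10_000)

# Assumed defaults: closer relationships get finer granularity and
# anyone not listed gets nothing.
DEFAULT_GRANULARITY = {
    "teammate": "ladder",        # {"office", "on campus", $city}
    "department": "office_bit",  # "in office" or "not"
    "campus": "campus_bit",      # "on campus" or "not"
}


def _metres(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), in metres."""
    r = 6_371_000
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _inside(lat, lon, fence):
    flat, flon, radius = fence
    return _metres(lat, lon, flat, flon) <= radius


def share(lat: float, lon: float, relationship: str) -> Optional[str]:
    """Return the label a requester may see; raw coordinates never leave."""
    granularity = DEFAULT_GRANULARITY.get(relationship)
    if granularity is None:
        return None  # unknown requester: share nothing
    in_office = _inside(lat, lon, OFFICE)
    on_campus = in_office or _inside(lat, lon, CAMPUS)
    if granularity == "campus_bit":
        return "on campus" if on_campus else "not on campus"
    if granularity == "office_bit":
        return "in office" if in_office else "not in office"
    # "ladder": most specific label that applies, falling back to the city.
    if in_office:
        return "office"
    if on_campus:
        return "on campus"
    name, clat, clon, radius = CITY
    return name if _metres(lat, lon, clat, clon) <= radius else "away"
```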
IoT Hub
• Open source hub device for connecting devices
– Ex. Battery life of devices, connect devices together
– Ex. Check for patches, filtering (default passwords),
Manufacturer Usage Descriptions, proximity
– Ex. Centralize telemetry and learn patterns
• How should devices be structured?
– Metadata: URL for software updates
– APIs: authentication
[Diagram: IoT appliances, IoT Hub, Internet]
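An added sketch (not the IoT Hub project's code) of the hub-side filtering and telemetry described above: each device gets a default-deny allowlist in the spirit of a Manufacturer Usage Description, off-profile flows are dropped and recorded, and a device that keeps going off-profile is isolated. The profile format is a constructed simplification, not the MUD file format, and the device ids, hosts, flows and threshold are made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str  # hub-assigned device id
    dst: str     # destination host name or IP as seen by the hub
    proto: str   # "tcp" or "udp"
    port: int


# Constructed per-device allowlists: (destination, protocol, port).
PROFILES = {
    "thermostat-01": {("api.thermostat.example", "tcp", 443),
                      ("ntp.example", "udp", 123)},
    "lightbulb-07": {("hub.home.arpa", "udp", 5683)},
}

ISOLATE_AFTER = 3  # distinct off-profile destinations before isolating (assumed policy)


class Hub:
    def __init__(self, profiles, isolate_after=ISOLATE_AFTER):
        self.profiles = profiles
        self.isolate_after = isolate_after
        self.off_profile = defaultdict(set)  # device -> {(dst, proto, port)}
        self.isolated = set()

    def decide(self, flow):
        """Return (action, reason) for one outbound flow."""
        if flow.device in self.isolated:
            return "drop", "device isolated"
        profile = self.profiles.get(flow.device)
        if profile is None:
            # Default-deny: a device with no profile gets no outbound access.
            return "drop", "no profile on file"
        key = (flow.dst, flow.proto, flow.port)
        if key in profile:
            return "allow", "matches profile"
        # Centralized telemetry: remember every distinct off-profile target.
        self.off_profile[flow.device].add(key)
        if len(self.off_profile[flow.device]) >= self.isolate_after:
            self.isolated.add(flow.device)
            return "drop", "off-profile; device now isolated"
        return "drop", "off-profile destination"

    def report(self):
        """Off-profile destinations per device, for the owner to review."""
        return {dev: sorted(keys) for dev, keys in self.off_profile.items()}


# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS = [
    Flow("thermostat-01", "api.thermostat.example", "tcp", 443),
    Flow("lightbulb-07", "hub.home.arpa", "udp", 5683),
    Flow("lightbulb-07", "203.0.113.10", "tcp", 23),
    Flow("lightbulb-07", "203.0.113.11", "tcp", 23),
    Flow("lightbulb-07", "203.0.113.12", "tcp", 23),
    Flow("lightbulb-07", "hub.home.arpa", "udp", 5683),
    Flow("camera-99", "cloud.camera.example", "tcp", 443),
    Flow("thermostat-01", "ntp.example", "udp", 123),
]


def run_sample():
    """Replay the sample flows through a fresh hub; return its decisions."""
    hub = Hub(PROFILES)
    return [hub.decide(flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (action, reason) in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{action:5} {flow.device:14} -> {flow.dst}:{flow.port}/{flow.proto}  ({reason})")
```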
What is the Value of IoT?
• Security, privacy, and management costs quickly
outweigh value of IoT devices
[Graph: Value vs. Number of Devices, showing today’s IoT trajectory]
What is the Value of IoT?
• Can we make it so that value is linear or even
superlinear with devices and services?
[Graph: Value vs. Number of Devices, showing today’s IoT trajectory and the desired IoT trajectory]
What Can Intel Do?
• Consider more human factors and social factors
– Chips, sensors, software dev, data mgt
– Policies, UI + understandability, social influences
• Better ways of supporting devs
– Most devs have no knowledge of privacy + security
• Support better privacy and security education
– Need strong push from industry to make it happen
– Go beyond just CompSci too (psych, design, biz)
• Join our Giotto Expedition (open source)
• Consider ISTC on Privacy or on IoT
– Make a big push in cooperation with academia
How can we create
a connected world we
would all want to live in?
Thanks!
More info at cmuchimps.org
or email jasonh@cs.cmu.edu
Read more:
• Towards a Safe and Secure Internet of Things
https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/
Special thanks to:
• NSF
• Alfred P. Sloan
• NQ Mobile
• DARPA
• Google
• CMU Cylab
• New America
IoT offers Tremendous Societal Benefits
• Healthcare
• Transportation
• Sustainability
• Education
• Energy
• More…
What Can We Do About IoT Security?
• Better cybersecurity
education
• Better collections of
best practices
• More data sharing
• Cybersecurity insurance
• Better legal protections
• Larger centers for IoT
privacy and security
https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/
What Can We Do About IoT Security?
Policy Perspective: Better Cybersecurity Education
• About half of developers don’t have CS degrees
• Can we make security education required in CS?
• Can we also expand cybersecurity education?
– Ex. Psychology learn about social engineering
– Ex. Visual design learn about warnings + compliance
What Can We Do About IoT Security?
Policy Perspective: Better Collections of Best Practices
• We need to go beyond high-level guidelines
• What we still need
– Better code examples (lots of copy-and-paste)
– Better toolchains and stacks
– Better automated analysis tools
– Simpler ways of distributing patches
– Collections of design patterns
• Lots of opportunities for big companies
– Most breaches are relatively simple
– Addressing basic issues means lots of positive impact
What Can We Do About IoT Security?
Policy Perspective: More Data Sharing
• Many major data breaches in past few years
– Sony, RSA, LinkedIn, Yahoo, Target, OPM, and more
• But we have learned very little, no real data
– These are our version of Tacoma Narrows bridge
What Can We Do About IoT Security?
Policy Perspective: More Data Sharing
• We need organizations that can:
– Help investigate the coming IoT failures
– Disseminate knowledge to help prevent future
failures in design and implementation
– While also minimizing blame
• Lots of challenges
– Lots of proprietary information involved in failures
– Who will fund this?
What Can We Do About IoT Security?
Policy Perspective: Better Legal Protections
• DMCA limits what researchers can do due to
anti-circumvention provisions
– Need to get permission from manufacturers
– Exceptions:
• Consumer devices, motorized land vehicles,
medical devices
• But slow, triennial reviews from Library of
Congress
– And consumer devices only one part of IoT
IoT Privacy Issues
Input/Output
• Same challenge as for security
– Top-tier devices will have really good I/O capabilities
– Bottom-tier will not have mouse, keyboard, display
– Scalability makes everything harder
• Can we develop network protocols and APIs to
help configure and manage devices and apps?
• Can we also help people make good decisions?
– Ex. Crowdsourcing or AI / Machine Learning
Prognosis for IoT Privacy and Security?

 

Privacy and Security for the Emerging Internet of Things

  • 1. Privacy and Security for the Emerging Internet of Things
      Intel iSecCon 2016
      Jason Hong, @jas0nh0ng, jasonh@cs.cmu.edu
      Computer Human Interaction: Mobility Privacy Security
      © 2016 Carnegie Mellon University
  • 5. We Are Just Starting to Enter the Third Wave of Computing
      • First Wave: Computation
          – Making the basics of computers work
      • Second Wave: Networking
          – Connecting computers around the world
      • Third Wave: Internet of Things (IoT)
          – Computation, communication, sensing, and actuation woven into our physical world
      • IoT offers tremendous potential societal benefits
          – Healthcare, transportation, sustainability, energy, …
  • 7. My Talk Today
      • What are frameworks for thinking about the privacy and security problems?
      • What are some opportunities for improving privacy and security for IoT?
          – No silver bullet, but lots of room for improvement
      • What are some of the IoT-related projects we’re doing at Carnegie Mellon University?
  • 10. IoT Pyramid
      • Top Tier
          – A few devices per person
          – High computational power
          – Tablets, Glasses, Laptops, Smartphones
      • Middle Tier
          – Tens of devices per person
          – Moderate computational power
          – TVs, Smart Toys, Thermostats, Refrigerators
      • Bottom Tier
          – Hundreds of devices per person
          – Low computational power
          – HVAC, RFIDs, Lightbulbs, Smart toilets, Implanted medical devices
  • 13. IoT Security Issues
      • Top Tier Security
          – Cybersecurity good today
          – Can run endpoint protection
          – Large corporations developing
      • Middle Tier Security
          – Cybersecurity weak today
          – Basic or no endpoint protection
          – Spotty security protections
      • Bottom Tier Security
          – Cybersecurity very poor today
          – Weak or no endpoint protection
          – Low manufacturer experience
          – High diversity in hw, sw, OS
          – Many devices never updated
          – Major scalability challenges
  • 14. How is IoT Security Different? 1. Physical Safety and Security
      • Deliberate attacks
          – Ex. Crashing drones or autonomous vehicles
          – Note that most attackers won’t do this
  • 15. How is IoT Security Different? 1. Physical Safety and Security
      • Different classes of attackers, different motives
      • State-sponsored
          – State secrets, intellectual property, sow discord
      • Non-state actors
          – Terrorism, advocacy for a cause
      • Organized crime
          – Repeatable business model, stay under radar
      • Disgruntled employee / Insider attack
      • Script kiddies
  • 16. How is IoT Security Different? 1. Physical Safety and Security
      • More likely attack: Ransomware
          – Lock you out of your house unless you pay ransom
          – Make videos of you at home public unless you pay
      • Just as likely: attacks for the “lulz”
          – Tripping circuit breakers at office
          – Remotely adjusting thermostat to make it harder to sleep (or waste money, or let pipes freeze over)
      • What kinds of safeguards for physical safety?
      • Can we build models of normal vs abnormal behaviors for devices and apps, and enforce them?
  • 17. How is IoT Security Different? 2. Scalability
      • Billions of devices will need to be secured
          – Gartner estimates 20B devices by 2020
      • Scale transforms easy into hard
          – Ex. Unique passwords for dozens of devices?
          – Ex. Security policies, each device having different user interface (most not having a display and keyboard)?
          – Ex. Physically locking down dozens of devices?
          – Ex. Installing software updates
      • What kinds of network protocols, APIs, and middleware to help manage IoT devices at scale?
  • 18. How is IoT Security Different? 2. Scalability
      • Scalability also enables new classes of attacks
          – http://shodan.io
  • 19. How is IoT Security Different? 2. Scalability
      • Possible for attackers to search for and exploit vulnerabilities at scale
          – Ex. Mirai botnet DDoS attack Oct 2016
      • Nightmare scenarios
          – Find vulnerabilities in smartphone-connected blood glucose monitors, inject fake data
          – Find vulnerable medical implants, hold people hostage
      • Again, some kind of model or policy
          – Maybe formal model, maybe big data
      • Better ways of using proximity for access?
  • 20. How is IoT Security Different? 3. Diversity of IoT Devices
      • Hundreds of different manufacturers for middle and bottom tier
          – Different operating systems, wireless networking, configuration software, log formats, cloud services
          – Poor or no I/O capabilities, each UI different too
      • Result: fragmentation of cybersecurity
          – More network-based (vs endpoint) approaches
      • Again, network protocols, APIs, and middleware to help configure and manage
      • Can we also help people make good decisions?
          – Ex. Crowdsourcing or AI / Machine Learning
  • 21. How is IoT Security Different? 4. Low Manufacturer Experience
      • Most traditional software companies understand basics of good cybersecurity
      • But most IoT will be developed by non-traditional hardware companies
          – Mostly middle and bottom tier
          – Ex. Lighting, toys, medical equipment, audio, household appliances
      • And lots of small-scale manufacturers too
          – Ex. Kickstarter
  • 24. 605 Projects at Kickstarter for “wireless”
  • 25. How is IoT Security Different? 4. Low Manufacturer Experience
      • Low experience + Lots of small manufacturers
      • Result: Lots of really basic vulnerabilities
          – Poor software engineering practices for security
          – Lack of awareness, knowledge, motivation to be secure
      • Result: Lots of unsupported devices
          – Small manufacturers will go out of business
          – Or end of life from bigger manufacturers
      • How can we help devs with low experience?
      • How to offer security for lifespan of decades?
  • 26. How is IoT Security Different? 5. Lots of Unexpected Emergent Behaviors
  • 27. How is IoT Security Different? 5. Lots of Unexpected Emergent Behaviors
      • Are there better ways of testing / simulating?
      • Can we define overall properties for connected systems?
  • 30. Why Does IoT Privacy Matter?
      • Pew Internet study about smartphones (2012)
          – 54% did not install app b/c of how much personal information app requested
          – 30% uninstalled an app after learning about app behaviors
      • Countless news articles, blog posts, op-ed pieces, books about privacy concerns
      Privacy may be the greatest barrier to creating a ubiquitously connected world
  • 31. Taxonomy of IoT Privacy: Device Perspective
      • Awareness of devices/apps and sensors/logs
      • Depth of sensing
          – How rich the sensing and user models are
      • Temporal scale
      • Input/Output capabilities
      • Privacy software
      • Third-party software
          – Whether other apps can be run on device
  • 32. IoT Privacy Issues
      • Top Tier Privacy
          – High awareness of devices
          – Rich depth in sensing
          – High temporal scale
          – Rich I/O
          – Lots of third-party apps (the major privacy problem)
  • 33. IoT Privacy Issues
      • Top Tier Privacy
          – High awareness of devices
          – Rich depth in sensing
          – High temporal scale
          – Rich I/O
          – Lots of third-party apps (the major privacy problem)
      • Middle Tier Privacy
          – Hybrid of other tiers
      • Bottom Tier Privacy
          – Low awareness of devices + apps
          – Shallow to rich sensing
          – Low to high temporal scale
          – Poor I/O
          – Few if any third-party apps
          – Scale (major privacy problem)
  • 35. How Can We Make Invisible Information Flows Visible?
      • For top tier, people will be pretty aware of devices
          – Stylish form factors meant to get attention
      • The main privacy challenge for top-tier is understanding what your apps are doing
          – This is a hard problem but one we are starting to figure out for smartphones
  • 36. What Are Your Apps Really Doing?
      • Shares your location, gender, unique phone ID, phone# with advertisers
      • Uploads your entire contact list to their server (including phone #s)
  • 37. Many Smartphone Apps Have “Unusual” Permissions
      • Location Data, Unique device ID
      • Location Data, Network Access, Unique device ID
      • Location Data, Microphone, Unique device ID
  • 39. Privacy as Expectations
      Use crowdsourcing to compare what people expect an app to do vs what an app actually does
      • We crowdsourced expectations of 837 apps
          – Ex. “How comfortable are you with Drag Racing using your location for ads?”
      • Created a model to predict people’s likely privacy concerns and applied to 1M Android apps
      Diagram labels: App Behavior (What an app actually does); User Expectations (What people think the app does)
  • 41. Impact of this Research
      • Lots of popular press (NYTimes, CNN, BBC, CBS)
      • Earlier work helped lead to FTC fines
      • Google replicated PrivacyGrade internally
      • Seen improvements in grades over time
      • Some developers put out press releases about improving their privacy behaviors
      • Static analysis, dynamic analysis, crowd analysis
          – To address subjective aspects of privacy
      • Privacy today places burden on end-users
          – How can we help other parts of ecosystem do better?
  • 42. How Can We Make Invisible Information Flows Visible?
      • For bottom-tier devices, the devices are non-obvious
      • CMU Giotto IoT Expedition Supersensors
          – Air temp, humidity, pressure, 6-axis IMU, grid eye, …
      • How to increase awareness of devices like this?
  • 43. Signifiers.io
      • Project by some of our Master’s of HCI students
  • 47. Long-Term Privacy and Security Issues: 1. Designing For Awareness
      • What are tradeoffs in notification styles?
          – Audio, visual, motion, haptic, smartphone
      • Can we create new conventions?
          – Ex. Like light switches near doorways
      • Cost-benefit models of notifications?
          – Getting lots of notifications is distracting
          – Getting uninteresting notifications is annoying
          – Ex. First time, sensitivity of data, identifiability
      • Can we make it so a person can understand what data is being sensed in a room within 30 seconds?
  • 48. Long-Term Privacy and Security Issues: 2. Facilitating Privacy and Security on Low-End Devices
      • What kinds of middleware infrastructure can we build to help with basic privacy and security?
          – Offer common middleware services to simplify design and deployment of middle and bottom tiers
          – Ex. Access control, filtering, and software updates
          – Ex. What sensors a device has, what data it collects, what servers it connects to, how concerning
  • 49. Long-Term Privacy and Security Issues: 3. Useful Defaults for Sharing
      • Let’s say we have a person locator for a campus
          – If default is “share nothing”, underutilized and no value
          – If default is “share everything”, too creepy
      • Can we figure out useful defaults that balance utility with privacy?
          – Ex. “On campus” or “not”
          – Ex. “In office” or “not”
          – Ex. {“office”, “on campus”, $city}
  • 50. Long-Term Privacy and Security Issues: 4. Using Big Data for Privacy
      • Paradox: use more data to improve privacy?
      • Use data to infer relationships and set defaults
          – Ex. People are more likely to share data with close friends and family
              • Use contact list, call log, SMS log, co-location, etc
          – Ex. Employees are more likely to share data with close teammates
              • Use floorplan, WiFi co-location, co-authorship, etc
      Wiese, J. et al. Are you close with me? Are you nearby? Investigating social groups, closeness, and willingness to share. Ubicomp 2011.
      Cranshaw, J. et al. Bridging the Gap Between Physical Location and Online Social Networks. Ubicomp 2010.
  • 52. Higher Place Entropy -> More Comfort
      Toch et al, Empirical Models of Privacy in Location Sharing, Ubicomp 2010
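Slides 49 to 52 ask for sharing defaults that sit between "share nothing" and "share everything", set from the relationship to the requester and from how public a place is. The following is an added example, not code from the talk or from the cited papers; it assumes place entropy means the Shannon entropy of who is observed at a place, and the relationship categories, level ordering and 1-bit threshold are hypothetical.

```python
"""Sharing defaults from relationship and place entropy (added example)."""
import math
from collections import Counter

# Disclosure schemes named on slide 49, ordered least to most revealing.
LEVELS = ["nothing", "campus", "office", "tiered"]

# Hypothetical starting level per relationship (closer ties share more).
BASE_LEVEL = {"stranger": 0, "acquaintance": 1, "colleague": 2,
              "teammate": 3, "close_friend": 3, "family": 3}


def place_entropy(visitor_ids):
    """Shannon entropy (bits) of who is observed at a place.

    Assumed definition: many different visitors -> high entropy (public
    place); one dominant visitor -> low entropy (private place).
    """
    counts = Counter(visitor_ids)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())


def default_level(relationship, entropy_bits, private_below=1.0):
    """Pick a default; step one level coarser at low-entropy places."""
    level = BASE_LEVEL.get(relationship, 0)   # unknown requester: nothing
    if entropy_bits < private_below:          # hypothetical threshold
        level = max(0, level - 1)
    return LEVELS[level]


def disclose(location, level):
    """Coarsen a precise location record to the chosen scheme."""
    if level == "nothing":
        return None
    if level == "campus":
        return "on campus" if location["on_campus"] else "not on campus"
    if level == "office":
        return "in office" if location["in_office"] else "not in office"
    # "tiered" is the slide's {"office", "on campus", $city} scheme
    if location["in_office"]:
        return "office"
    return "on campus" if location["on_campus"] else location["city"]


# Constructed observations: a cafeteria seen with eight different people,
# and a private office seen almost only with its occupant.
CAFETERIA = ["u1", "u2", "u3", "u4", "u5", "u6", "u7", "u8"]
PRIVATE_OFFICE = ["alice"] * 9 + ["bob"]

if __name__ == "__main__":
    here = {"in_office": True, "on_campus": True, "city": "Pittsburgh"}
    for place in (CAFETERIA, PRIVATE_OFFICE):
        h = place_entropy(place)
        for who in ("teammate", "acquaintance", "stranger"):
            level = default_level(who, h)
            print(f"H={h:.2f} {who:12s} {level:8s} {disclose(here, level)}")
```

The same requester gets a coarser answer at the low-entropy place, which is the direction slide 52 reports.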
  • 53. Two Research Projects at Carnegie Mellon University
      • Giotto IoT Expedition
      • IoT Hub for Homes
  • 54. Giotto IoT Stack
      • Define open hardware and software stack for IoT ecology
      • Extensible and integrated
      • Pluggable modules
      • Security & privacy sensitive
      • Integrated machine learning
      • End-user programmable
      • Widely deployable
      • Enhance human-human and human-system and human-environment interaction
  • 55. Giotto Privacy
      Privacy at Physical, Logical, App layers
      • Better programming abstractions
          – Ex. “home” vs raw GPS, “loud” vs raw microphone
          – Make it easier for devs with privacy as side effect
      • Devs specify purposes in apps and we verify
          – Ex. “Uses contacts for advertising”
          – Ex. “Uses location for maps”
          – Use static, dynamic, and crowd analysis
      • How do people’s privacy concerns vary?
          – By kind of data, granularity, who is seeing it, purpose
      • Useful defaults to balance privacy and utility
  • 56. IoT Hub
      • Open source hub device for connecting devices
          – Ex. Battery life of devices, connect devices together
          – Ex. Check for patches, filtering (default passwords), Manufacturer Usage Descriptions, proximity
          – Ex. Centralize telemetry and learn patterns
      • How should devices be structured?
          – Metadata: URL for software updates
          – APIs: authentication
      Diagram labels: IoT appliances, IoT Hub, Internet
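Slide 56 lists hub functions (filtering default passwords, usage descriptions, learned telemetry patterns), and slide 16 asks whether normal versus abnormal device behavior can be modeled and enforced. The following is an added example, not code from the talk or from the CMU IoT Hub project; the profile is a simplified stand-in and not the real Manufacturer Usage Description format, and the event fields, credential list and 3-sigma threshold are assumptions.

```python
"""Hub-side checks for one IoT device (added example, simplified)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed list of factory-default logins the hub refuses to pass through.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}


@dataclass
class DeviceProfile:
    """Hypothetical stand-in for a Manufacturer Usage Description."""
    device_id: str
    allowed_endpoints: frozenset      # {(host, port)} declared by the maker
    update_url: str                   # metadata: where patches come from
    baseline: list = field(default_factory=list)   # bytes/minute learned


def is_abnormal(profile, bytes_per_minute, k=3.0, min_samples=5):
    """True when traffic is more than k standard deviations above the mean."""
    if len(profile.baseline) < min_samples:
        return False                  # too little telemetry to judge
    mu, sigma = mean(profile.baseline), pstdev(profile.baseline)
    return bytes_per_minute > mu + k * max(sigma, 1.0)


def evaluate(profile, event):
    """Return (verdict, reason) for one event seen at the hub."""
    if event["type"] == "login":
        if (event["user"], event["password"]) in DEFAULT_CREDENTIALS:
            return "block", "default credentials"
        return "allow", "credentials ok"
    if (event["host"], event["port"]) not in profile.allowed_endpoints:
        return "block", "destination not in device profile"
    if is_abnormal(profile, event["bytes_per_minute"]):
        return "alert", "traffic volume outside learned baseline"
    profile.baseline.append(event["bytes_per_minute"])   # keep learning
    return "allow", "matches profile"


def sample_profile():
    """Constructed thermostat profile with five minutes of prior telemetry."""
    return DeviceProfile(
        device_id="thermostat-01",
        allowed_endpoints=frozenset({("telemetry.example.com", 443),
                                     ("updates.example.com", 443)}),
        update_url="https://updates.example.com/thermostat",
        baseline=[1200, 1100, 1300, 1250, 1150],
    )


# Constructed events, in the order the hub would see them.
SAMPLE_EVENTS = [
    {"type": "login", "user": "admin", "password": "admin"},
    {"type": "flow", "host": "telemetry.example.com", "port": 443,
     "bytes_per_minute": 1180},
    {"type": "flow", "host": "203.0.113.7", "port": 23,
     "bytes_per_minute": 400},
    {"type": "flow", "host": "telemetry.example.com", "port": 443,
     "bytes_per_minute": 90000},
]

if __name__ == "__main__":
    profile = sample_profile()
    for event in SAMPLE_EVENTS:
        print(evaluate(profile, event), event)
```

Because the checks run at the hub, they apply to bottom-tier devices that cannot run endpoint protection themselves.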
  • 57. What is the Value of IoT?
      • Security, privacy, and management costs quickly outweigh value of IoT devices
      Chart: Value vs Number of Devices, showing today’s IoT trajectory
  • 58. What is the Value of IoT?
      • Can we make it so that value is linear or even superlinear with devices and services?
      Chart: Value vs Number of Devices, showing today’s IoT trajectory and the desired IoT trajectory
  • 60. What Can Intel Do?
      • Consider more human factors and social factors
          – Chips, sensors, software dev, data mgt
          – Policies, UI + understandability, social influences
      • Better ways of supporting devs
          – Most devs have no knowledge of privacy + security
      • Support better privacy and security education
          – Need strong push from industry to make it happen
          – Go beyond just CompSci too (psych, design, biz)
      • Join our Giotto Expedition (open source)
      • Consider ISTC on Privacy or on IoT
          – Make a big push in cooperation with academia
  • 62. How can we create a connected world we would all want to live in?
  • 63. Thanks!
      More info at cmuchimps.org or email jasonh@cs.cmu.edu
      Read more:
      • Towards a Safe and Secure Internet of Things
        https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/
      Special thanks to:
      • NSF
      • Alfred P. Sloan
      • NQ Mobile
      • DARPA
      • Google
      • CMU Cylab
      • New America
  • 65. IoT offers Tremendous Societal Benefits
      • Healthcare
      • Transportation
      • Sustainability
      • Education
      • Energy
      • More…
  • 66. What Can We Do About IoT Security?
      • Better cybersecurity education
      • Better collections of best practices
      • More data sharing
      • Cybersecurity insurance
      • Better legal protections
      • Larger centers for IoT privacy and security
      https://www.newamerica.org/cybersecurity-initiative/policy-papers/toward-a-safe-and-secure-internet-of-things/
  • 67. What Can We Do About IoT Security? Policy Perspective: Better Cybersecurity Education
      • About half of developers don’t have CS degrees
      • Can we make security education required in CS?
      • Can we also expand cybersecurity education?
          – Ex. Psychology learn about social engineering
          – Ex. Visual design learn about warnings + compliance
  • 68. What Can We Do About IoT Security? Policy Perspective: Better Collections of Best Practices
  • 69. What Can We Do About IoT Security? Policy Perspective: Better Collections of Best Practices
      • We need to go beyond high-level guidelines
      • What we still need
          – Better code examples (lots of copy-and-paste)
          – Better toolchains and stacks
          – Better automated analysis tools
          – Simpler ways of distributing patches
          – Collections of design patterns
      • Lots of opportunities for big companies
          – Most breaches are relatively simple
          – Addressing basic issues means lots of positive impact
  • 70. What Can We Do About IoT Security? Policy Perspective: More Data Sharing
      • Many major data breaches in past few years
          – Sony, RSA, LinkedIn, Yahoo, Target, OPM, and more
      • But we have learned very little, no real data
          – These are our version of Tacoma Narrows bridge
  • 71. What Can We Do About IoT Security? Policy Perspective: More Data Sharing
      • We need organizations that can:
          – Help investigate the coming IoT failures
          – Disseminate knowledge to help prevent future failures in design and implementation
          – While also minimizing blame
      • Lots of challenges
          – Lots of proprietary information involved in failures
          – Who will fund this?
  • 72. What Can We Do About IoT Security? Policy Perspective: Better Legal Protections
      • DMCA limits what researchers can do due to anti-circumvention provisions
          – Need to get permission from manufacturers
          – Exceptions:
              • Consumer devices, motorized land vehicles, medical devices
      • But slow, triennial reviews from Library of Congress
          – And consumer devices only one part of IoT
  • 73. IoT Privacy Issues: Input/Output
      • Same challenge as for security
          – Top-tier devices will have really good I/O capabilities
          – Bottom-tier will not have mouse, keyboard, display
          – Scalability makes everything harder
      • Can we develop network protocols and APIs to help configure and manage devices and apps?
      • Can we also help people make good decisions?
          – Ex. Crowdsourcing or AI / Machine Learning