Enabling Autonomous Communications between Machines, Humans, and Things
Jesús Alonso-Zárate, PhD, Head of M2M Department, Senior Researcher, [email protected]

Workshop on Security and Privacy for Internet of Things and Cyber-Physical Systems IEEE ICC, 2015, London, UK, 12th June 2015. http://conta.uom.gr/IoTCPSsecurity2015/


CPS and the IoT

A cyber-physical system (CPS) is a system of collaborating computational elements controlling physical entities. Today, a precursor generation of cyber-physical systems can be found in areas as diverse as aerospace, automotive, chemical processes, civil infrastructure, energy, healthcare, manufacturing, transportation, entertainment, and consumer appliances. Source: wikipedia

J. Alonso-Zarate, June 2015


Just a vision… (figure labels: Communication Networks, Wireless Sensor Networks, Batteries, Devices, Sensors & Actuators, Cyber-Physical Systems, The Internet of Things)

What is the Internet of Things?


Source: IoT World Forum 2014, Wim Elfrink, Cisco’s Executive Vice President Keynote (series of figure slides)


The Third Industrial Revolution
• 1st: 1800s, Industrial Revolution
• 2nd: 1990, The World Wide Web (www): 1 billion connected devices
• 3rd: 2000, Mobile Internet: from 2 to 6 billion devices
• 4th: 2020, The Internet of Things (Everything)
  • 2013: 10 billion
  • October 2014 (IoT World Forum): 13.7 billion
  • Predictions: 28-50 billion devices

Why now?
• Progress in technology makes it possible
  • Miniaturization
  • Low cost
• Saturation of human-based markets
  • Opportunity to connect lots of devices
  • Huge market opportunity (despite low ARPU)
• Potential
  • Improve existing and create new business
  • Enhance processes (efficiency)
  • Create new jobs
  • Boost well-being

From industry to individuals

http://www.gereports.com/new_industrial_internet_service_technologies_from_ge_could_eliminate_150_billion_in_waste/

Key IoT Verticals (figure labels): banking, public safety, wearables, connected homes, future driving (V2X), smart cities, transportation, logistics, retail & vending, smart grid, industry, health care

IoT Platforms (figure)
• Machine-to-Machine: sensor streams (real time), Big Data analytics, improve efficiency
• Human-to-Machine: crowdsourcing, offer new services
• Information-to-Machine: Internet (open data), applications
(Figure layer labels: DATA, INFO, KNW, Applications.)

Technical Challenges ahead (figure labels): Device Domain, Network Domain (M2M Communications), Applications Domain

Key challenges ahead
• Lack of experience in M2M systems
• Implementation costs / risks
• Maintenance of M2M solutions
• Lack of standards and common legal framework
• Interoperability between different technologies
• Need to educate customers
• Security and privacy risks
  • CIA: Confidentiality, Integrity, Availability

Security and Privacy

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes. The domain of privacy partially overlaps security, which can include the concepts of appropriate use, as well as protection of information. Source: wikipedia

What is new in IoT?
• Longevity of devices (hard to update firmware)
• Size of devices (limited resources)
• Lack of human supervision (no inputs for authentication)
• Typically highly personal data or critical data
• The mindset
  • IoT manufacturers do not think too much about security
  • Embedded devices use existing chips with no security

Source: “Securing the Internet of Things”, Paul Fremantle, March 2014.

Making things simple (figure labels: Device, Device, Device, Gateway, Virtualized Core Network, M2M Platform, Apps; Big Data: 44 ZB by 2020 = 44,000,000,000,000 GB; heterogeneous wireless techs; 50 billion devices by 2020)

Many holes… (figure: the same Device / Gateway / M2M Platform / Apps chain annotated with the Device Hole, Access Hole, Network Hole, Platform Hole, Data Holes (1010101010….) and User Hole)

Some examples of vulnerabilities
• Physical manipulation of devices
• Various simultaneous connections (some not secure)
• Information leakage
• Poor password security
• Outdated firmware or OS
• Clear-text API calls
• Unencrypted stored data
• Hardcoded credentials to accelerate access
• Lack of authentication

Things are getting personalized
• 40% of all generated data is private
• Google
• Facebook, Twitter, LinkedIn, Instagram, …
• YouTube, Netflix, …
• WhatsApp, Telegram, … (instant messaging)
• Smart banking
• Smart house
• Medical data
• …

Example: Pseudo-Anonymity
• Example presented by Felix Bauer (https://www.youtube.com/watch?v=iKvFSIYlmSQ)
  • CODE_n Conference, March 2015
  • CEO & founder of Aircloak
• Example of releasing public data of taxis in NYC
  • Routes in NYC, stops, money they make, etc.
• Anonymize data via hash function to generate unique identifiers.
• DANGER!!! Pseudo-anonymity is not anonymity.
• Reason: we have pre-knowledge of the data (data format)
• The IoT is about having tons of data!!!
• IoT is in danger because of this.

Key security concerns for the IoT
• Interconnection of many vulnerable devices
  • Ex: If-This-Then-That (IFTTT) supports over 80 platforms, services, and devices
• Pseudo-anonymity (not direct personal data)
• Need to ensure continuity and availability
• Data privacy
• Trustful authentication (avoid unlawful actions)
• Different applicable laws in every country
• Start-ups will probably not have the expertise / time
• Widespread easily-programmable devices and open-source code
  • One bug could affect many, many, many products

Summarizing

1) ADVOCACY: No one is protecting your data.

2) AWARENESS: People are not aware of security and privacy issues.

3) VISIBILITY: It is difficult to know what exactly is happening to your data.

3. Real World Problems


Some IoT Security Fails
• TRENDnet, January 2012
  • Various IP camera products would allow anyone with a generic URL to access the camera’s live feed without requiring authentication
• Belkin, July 2012
  • The WeMo Switch allows for UPnP actions (e.g. power cycle) that did not require authentication to be performed
• Philips, August 2013
  • The Hue Lighting System utilized the MD5 hash of the MAC address of an authorized system as a “secret token” to control the platform.

Source: “The Internet of Things: We’ve Got to Chat”, Mark Stanislav, February 2014
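Added example (not code from the talk, from Aircloak's presentation or from any vendor named above) illustrating both the NYC taxi pseudo-anonymity slide and the Philips Hue MD5-of-MAC token: an unkeyed hash of an identifier whose format is known and small can be reversed by hashing every value the format allows, whereas an HMAC under a secret held only by the data publisher cannot. The medallion format used here (digit, letter, digit, digit) and the record values are constructed assumptions, not the real NYC scheme.

```python
import hashlib
import hmac
import itertools
import string

def medallion_candidates():
    """Every identifier the assumed format allows: digit, letter, digit, digit (e.g. "5X55").
    Constructed simplification for the demo, not the real NYC medallion scheme; 26,000 values."""
    for d1, letter, d2, d3 in itertools.product(string.digits, string.ascii_uppercase,
                                                string.digits, string.digits):
        yield f"{d1}{letter}{d2}{d3}"

def unkeyed_pseudonym(identifier):
    """The 'anonymization' the talk warns about: a plain, unkeyed hash of the identifier."""
    return hashlib.md5(identifier.encode()).hexdigest()

def keyed_pseudonym(identifier, key):
    """Keyed alternative: HMAC-SHA256 under a secret that only the data publisher holds."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def build_lookup(pseudonym_fn, candidates):
    """Precompute pseudonym -> identifier for the whole space the known format allows.
    Anyone who knows the format (the 'pre-knowledge' on the slide) can build this table."""
    return {pseudonym_fn(c): c for c in candidates}

def reidentify(pseudonym, lookup):
    """Return the original identifier if the pseudonym appears in the table, else None."""
    return lookup.get(pseudonym)

def demo():
    # Constructed released record: the publisher replaced the medallion with its MD5.
    released = {"medallion": unkeyed_pseudonym("5X55"), "fare_usd": 12.50}
    table = build_lookup(unkeyed_pseudonym, medallion_candidates())
    recovered = reidentify(released["medallion"], table)            # "5X55"

    # Same identifier under a keyed pseudonym. Without the publisher's key a third party
    # can only build tables under guessed keys, and none of them will contain the value.
    publisher_key = b"constructed-demo-key; use 32 random bytes from secrets.token_bytes()"
    keyed = keyed_pseudonym("5X55", publisher_key)
    guessed_table = build_lookup(lambda c: keyed_pseudonym(c, b"guess"), medallion_candidates())
    return recovered, reidentify(keyed, guessed_table)               # ("5X55", None)

if __name__ == "__main__":
    print(demo())
```

The keyed pseudonym still lets every trip of the same medallion be linked together, so it is pseudonymization, not anonymization, which is exactly the slide's point. The same table-building step covers a MAC address whose 24-bit vendor prefix is known (about 16.7 million candidates), which is why a hash of a MAC cannot serve as a secret token.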


Some IoT Security Fails (cont.)
• IZON, October 2013
  • Video clips of “alerts” were saved in an AWS S3 bucket unencrypted, with no access control preventing someone from viewing the file
• Redacted, December 2013
  • API call to purchase in-app credits for the service was done without purchase verification and via clear-text HTTP calls
• Belkin, February 2014
  • The WeMo Home Automation API allowed XML external entity (XXE) injection, potentially revealing filesystem contents

Source: “The Internet of Things: We’ve Got to Chat”, Mark Stanislav, February 2014

The (wireless) access hole

The Alphabet Soup…

Clarifying concepts

Application Layer Protocols
• AllJoyn
  • Open-source project promoted by the AllSeen Alliance (part of the Linux Foundation)
  • Some partners: Qualcomm, LG, Panasonic, Sharp, AT&T, Cisco, HTC, …
  • Multi-platform: Linux, Windows, Android, OS X, etc.
• CoAP – Constrained Application Protocol
  • REST (constrained HTTP)
• SWAP
• MQTT – Message Queuing Telemetry Transport
  • Originally developed by IBM
  • Small code footprint, suitable for low-cost devices
  • Large number of messages

How does everything work?


A General View (figure): wireless technologies plotted by data transmission rate (bps, Kbps, Mbps, Gbps; also delay, energy, reliability, …) against range (10 m, 100 m, 1 km, 10 km): RFID, Bluetooth LE, Zigbee, WiFi, 2G/3G/3G+, LTE/LTE-A and beyond, VLC, LPWA-M2M Low Throughput Networks (LTN)

Prime Business Criteria (figure): technologies placed by availability against reliability: standardized cellular, proprietary cellular, low-power WLAN, Bluetooth LE, Zigbee-like, wired M2M.

Availability = coverage, roaming, mobility, critical mass in rollout, etc. Reliability = resilience to interference, throughput guarantees, low outages, etc. (Total Cost of Ownership = CAPEX, OPEX.)

Limitations of ZigBee
• Interference in ISM band (2bn WiFi devices)
• No global infrastructure
• Lack of interoperability
• Higher total cost

Advantages of WiFi
• Ubiquitous infrastructure
• Vibrant standard (300 members; source: Wireless Broadband Access (WBA), Informa, Nov. 2011)
• Low cost
• Sound security: WPA2/PSK/TLS/SSL

Limitations of WiFi
• Crowded ISM band
• Lack of network planning
• Limited power
• Still using CSMA/CA!!!

LP-WiFi vs ZigBee (Capillary M2M)

(Figure: 7x; © IEEE, from “Feasibility of Wi-Fi Enabled Sensors for Internet of Things,” by Serbulent Tozlu (2011))

“Low-power Wi-Fi provides a significant improvement over typical Wi-Fi on both latency and energy consumption counts.” “LP-WiFi consumes approx. the same as 6LoWPAN for small packets but is much better for large packets.”

Low-Power WiFi Eco-System [examples]


Advantages of Bluetooth
• It is everywhere
• Evolving standard
• Embedded
• Low cost

Limitations of Bluetooth
• Low transmission rates
• Short range
• Small number of simultaneous devices

Bluetooth is good for the IoT
• Low transmission rates
• Short range
• Small number of simultaneous devices

Proprietary Radio Solutions


Advantages of LPWA
• Large coverage
• Available today
• Low cost
• Operator model

3GPP Cellular Networks
• Ubiquitous coverage
• Interference control
• Mobility & roaming
• Service platforms

However… (figure: ITU-R requirements for IMT-Advanced across 2G, 2.5G, 3G, 3.5G, 4G, 5G; Exabyte = 10^18)

Means to achieve higher data rates: more spectrum, more efficient RRM, smaller cells

Source: NEC – Andreas Maeder, Feb 2012

Key Technical Novelties
• Cellular networks have been designed for humans!
• Accommodation of M2M requires a paradigm shift:
  • There will be a lot of M2M nodes
  • More and more applications are delay-intolerant, mainly control
  • There will be little traffic per node, and mainly in the uplink
  • Nodes need to run autonomously for a long time
  • Automated security & trust mechanisms
• … and all this without jeopardizing current cellular services!

3GPP Release 13 and beyond
• Release 12 (completed):
  • Category 0
  • Half duplex
  • 20 MHz
• Release 13: eMTC
  • Improved coverage
  • Improved power consumption
  • 1.4 MHz channelization
• Cellular IoT (targets Release 13)
  • Brand new radio interface in GERAN (narrowband)

Visible Light Communications? (figure labels: security, no mainstream technology, no radio emissions, cost, bandwidth, range, high data rates, line of sight)

A huge mix of all these will live together

End-to-End IoT Testbed

http://www.theiot.es/smartworld
http://technologies.cttc.es/m2m/

Integration of technologies (figure labels: LTE dongle, DQ border router, Green Shield AP, SIGFOX eq. (covered by Raspberry case), Red border router)

Some pictures


Current Applications
• Smart parking
• Geofencing (with GPS)
• Indoor / outdoor location
• Security (stolen control)
• Presence control
(Figure labels: Cloud, Web)

The future of IoT? Distributed Queuing (DQ)

J. Alonso-Zárate, E. Kartsakli, A. Cateura, C. Verikoukis, and L. Alonso, “A Near-Optimum Cross-Layered Distributed Queuing Protocol for Wireless LAN,” IEEE Wireless Communication Magazine. Special Issue on MAC protocols for WLAN vol. 15, no. 1, pp. 48-55, February 2008.


To sum up…
• The IoT is here and is becoming bigger
  • More and more devices
  • More and more applications
  • More and more different technical solutions
  • More and more data
  • More and more personalized data or critical data
• Need for PRIVACY and SECURITY
• Need to make things simple and low cost
• Need to integrate security and privacy from the beginning
• Need to explore more

Final Take-Away Message

Henry Ford “If I had asked people what they wanted, they would have said… A FASTER HORSE!”


THANKS!
Jesus Alonso-Zarate, PhD, Senior Researcher, Head of M2M Department @CTTC
Co-Editor in Chief of EAI Transactions on IoT; Editor of Wiley ETT
[email protected] @jalonsozarate
http://www.jesusalonsozarate.com
http://www.theiot.es
http://technologies.cttc.es/m2m/
