IoT privacy and security considerations
Yves Goeleven
#IoT: Privacy and security considerations
Yves Goeleven
• Founder of MessageHandler.net
  – Shipping software since 2001
  – Windows Azure MVP
  – Developer on NServiceBus
Exhibition theater @ Kinepolis
Agenda
• Why this talk?
• What are the dangers?
• Security options
• Privacy options
Agenda
Why this talk?
You might just leave this session with more questions than answers
Talk!
Let’s start a conversation!
Challenge!
I challenge anyone to do a follow-up session with your own questions and ideas.
Agenda
What are the dangers?
Internet of Things
What are the dangers?
Personal & invisible
White lies are the common decency holding us together
Agenda
What can we do?
Security options
• Prevent physical access
  – Behind locked doors
  – Secure casing
  – Do not expose physical ports (USB, Ethernet, ...)
Security options
• Prevent virtual access
  – Do not open inbound ports
  – Design without ‘listeners’ or ‘servers’ on the devices
  – Instead use ‘workers’ or ‘agents’ and remote queues with outbound connections only
Security options
• Prevent physical tampering
  – Seals, markers
  – Alarms
  – Cameras
Security options
• Prevent virtual tampering
  – Bootloader in chip or ROM, checks firmware origin before loading into RAM
  – Note: Updating (incl. security fixes) now just got a lot harder though
Security options
• Keep track of device identity
  – Let devices register themselves/call home
  – Do this on boot & periodically
Security options
• Analyze device behavior
  – Include device specific & variable information
  – Analyze it server side to detect hacked or spoofed devices
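The two slides above (devices calling home on boot and periodically, and server-side analysis of device-specific and variable information) could be combined as in this added example, which is not from the original talk. The heartbeat fields, the per-device key registry and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed registry: one secret per device, provisioned at manufacture (assumption).
KEYS = {"sensor-17": b"constructed-demo-key"}

def sign(dev, boot, seq, uptime, key):
    """MAC over the device-specific (id) and variable (boot, seq, uptime) fields."""
    msg = f"{dev}|{boot}|{seq}|{uptime}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def heartbeat(dev, boot, seq, uptime, key):
    """Device side: the report sent on boot and then periodically."""
    return {"id": dev, "boot": boot, "seq": seq, "uptime": uptime,
            "mac": sign(dev, boot, seq, uptime, key)}

class Monitor:
    """Server side: remembers the last accepted report per device."""

    def __init__(self, interval_s=60, grace=2):
        self.last = {}  # id -> (boot, seq, uptime, seen_at)
        self.max_gap = interval_s * grace

    def check(self, hb, now):
        key = KEYS.get(hb["id"])
        if key is None:
            return "unknown-device"
        good = sign(hb["id"], hb["boot"], hb["seq"], hb["uptime"], key)
        if not hmac.compare_digest(good.encode(), str(hb["mac"]).encode()):
            return "bad-mac"  # spoofed or altered report
        prev = self.last.get(hb["id"])
        if prev is not None:
            boot, seq, uptime, _ = prev
            if (hb["boot"], hb["seq"]) <= (boot, seq):
                return "replay"  # old or duplicated message
            if hb["boot"] == boot and hb["uptime"] < uptime:
                return "uptime-regressed"  # uptime fell without a reboot
        self.last[hb["id"]] = (hb["boot"], hb["seq"], hb["uptime"], now)
        return "ok"

    def overdue(self, now):
        """Devices that have stopped calling home."""
        return sorted(d for d, s in self.last.items() if now - s[3] > self.max_gap)
```

Rejected reports do not update the stored state, so a spoofed message cannot reset the "last seen" time of the real device.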
Security options
• Block compromised devices
  – Access control lists
  – Protocol/packet filtering
  – Signal jamming
  – Unplug the power
  – On the device, or a specialized device
Security options
• Many low-power devices cannot encrypt data using standard encryption techniques
  – Not enough memory
  – Drains battery too fast
Security options
• Do not store unencrypted data
  – On publicly accessible devices
  – Better send it elsewhere, unencrypted if needed, to store it safely
Security options
• Do not send unencrypted data over long distances
  – Use a local ‘gateway’, a powerful local device to encrypt it on behalf of dumb devices
Security options
• Use alternative encryption & data mangling strategies
  – Signed at the foundry, if you can live with lock-in
  – Ciphers, hashes & arithmetic algorithms
Security options
• Audit your physical environment
  – Know which devices are ‘smart’
  – And how they communicate
  – Include all technologies (IR, RF, Bluetooth)
Security options
• Spy on your things
  – Intercept communication between your ‘things’
  – Analyze the communication & detect anomalies
Security options
• Physical canary
  – Apply ‘social control’ amongst devices
  – Let devices report that other devices are talking to them inappropriately
Internet of things, reference architecture
Privacy options
• There are privacy laws
  – Make sure not to break these!
  – Do not store, send or process information that you’re not allowed to
  – http://en.wikipedia.org/wiki/Data_Protection_Directive
Privacy options
• Is it clear what laws apply when?
  – Multinationals spread across different countries
  – Difference in laws where data is collected vs where data is processed or stored
  – US vs EU: direct conflict
Privacy options
• Trust is paramount for adoption of IoT
  – Make it your policy not to break it
  – People may choose not to buy products from violators
Privacy options
• Question is: is this really true?
  – Facebook is huge, yet no one trusts them (I hope)
  – Will convenience win over privacy concerns for the majority of people?
Privacy options
• Build trust by asking for user consent
  – On data collection devices
  – OAuth great for this!?
  – But how about devices without a screen?
Privacy options
• And how about exchanging and correlating information with 3rd parties in the backend?
  – Need for federated authorization?
  – With context?
  – E.g. I allow you to analyse my energy consumption, send the results to government, but not to utility?
Loyalty plan
Give me your address and you'll get 10% off on your next pair of jeans…
Other things we can do?
There’s a lot we can do
Other things we can do?
Also a lot of open questions
Other things we can do?
But maybe consumers just don’t care
(aren’t prepared to pay for it?)
Other things we can do?
What do you think?