Jesús Alonso-Zárate, PhD
Head of M2M Department
Senior Researcher
Enabling Autonomous Communications between Machines, Humans, and Things
Workshop on Security and Privacy for Internet of Things and Cyber-Physical Systems
IEEE ICC, 2015, London, UK, 12th June 2015.
http://conta.uom.gr/IoTCPSsecurity2015/
J. Alonso-Zarate, June 2015 2
A cyber-physical system (CPS) is a system of collaborating computational elements controlling physical entities.
Today, a precursor generation of cyber-physical systems can be found in areas as diverse as aerospace, automotive,
chemical processes, civil infrastructure, energy, healthcare, manufacturing, transportation, entertainment, and consumer
appliances.
CPS and the IoT
Source: Wikipedia
The Internet of Things
Cyber-Physical Systems
Wireless Sensor Networks
Communication Networks
Devices
Batteries
Sensors & Actuators
Just a vision…
What is the Internet of Things?
Source: IoT World Forum 2014, Wim Elfrink, Cisco’s Executive Vice President Keynote
The Third Industrial Revolution
• 1st: 1800s Industrial Revolution
• 2nd: 1990 The World Wide Web (www)
  • 1 billion connected devices
• 3rd: 2000 Mobile Internet
  • From 2 to 6 billion devices
• 4th: 2020 The Internet of Things (Everything)
  • 2013: 10 billion
  • October 2014 (IoT World Forum): 13,7 billion
  • Predictions: 28-50 billion devices
Why now?
• Progress in technology makes it possible
  • Miniaturization
  • Low Cost
• Saturation of human-based markets
  • Opportunity to connect lots of devices
• Huge Market Opportunity (despite low ARPU)
• Potential
  • Improve existing and create new business
  • Enhance processes (efficiency)
  • Create new jobs
  • Boost well-being
From industry to individuals
http://www.gereports.com/new_industrial_internet_service_technologies_from_ge_could_eliminate_150_billion_in_waste/
Key IoT Verticals
WEARABLES
FUTURE DRIVING (V2X)
SMART CITIES
CONNECTED HOMES
TRANSPORTATION
RETAIL & VENDING
LOGISTICS
SMART GRID
HEALTH CARE
INDUSTRY
PUBLIC SAFETY
BANKING
IoT Platforms
Internet (Open Data)
Crowdsourcing
Sensor Streams (Real Time)
Improve Efficiency
Offer New Services
BIG DATA Analytics
Applications
Machine-to-Machine
Human-to-Machine
Information-to-Machine
DATA
KNW
W
INFO
Device Domain
Network Domain
M2M Communications
Applications Domain
Technical Challenges ahead
Key challenges ahead
• Lack of experience in M2M systems
• Implementation costs / risks
• Maintenance of M2M Solutions
• Lack of standards and common legal framework
• Interoperability between different technologies
• Need to educate customers
• Security and Privacy risks
  • CIA: Confidentiality, Integrity, Availability
Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby
express themselves selectively. The boundaries and content of what is considered private differ among cultures and
individuals, but share common themes.
The domain of privacy partially overlaps security, which can include the concepts of appropriate use, as well as
protection of information.
Security and Privacy
Source: Wikipedia
What is new in IoT?
• Longevity of devices (hard to update firmware)
• Size of devices (limited resources)
• Lack of human supervision (no inputs for authentication)
• Typically highly personal data or critical data
• The mindset
  • IoT manufacturers do not think too much about security
  • Embedded devices use existing chips with no security
Source: “Securing the Internet of Things”, Paul Fremantle, March 2014.
Making things simple
Device
Device
Device
Device
Gateway
M2M Platform
Apps
Device
Big Data
44 ZB by 2020
44,000,000,000,000 GB
Heterogeneous wireless techs
50 billions by 2020
Virtualized Core Network
Many holes…
Device
Device
Device
Device
Gateway
M2M Platform
Apps
Device
Device Hole
Access Hole
Network Hole
Platform Hole
1010101010…. Data Holes
User Hole
Some examples of vulnerabilities
• Physical manipulation of devices
• Various simultaneous connections (some not secure)
• Information leakage
• Poor password security
• Outdated firmware or OS
• Clear-text API calls
• Unencrypted stored data
• Hardcoded credentials to accelerate access
• Lack of authentication
Things are getting personalized
• 40% of all generated data is private
• Google
• Facebook, Twitter, Linkedin, Instagram, …
• Youtube, Netflix, …
• Whatsapp, Telegram, … (instant messaging)
• Smart Banking
• Smart House
• Medical Data
• …
Example: Pseudo-Anonymity
• Example presented by Felix Bauer (https://www.youtube.com/watch?v=iKvFSIYlmSQ)
• CODE_n Conference, March 2015
• CEO & founder of Aircloak.
• Example of releasing public data of TAXIS in NYC
  • Routes in NYC, stops, money they make, etc.
• Anonymize data via hash function to generate unique identifiers.
• DANGER!!! Pseudo-anonymity is not anonymity.
• Reason: we have pre-knowledge of the data (data format)
• The IoT is about having tons of data!!!
• IoT is in danger because of this.
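The pseudo-anonymity problem above, as an added example (not code from the talk or from Aircloak): when identifiers follow a known format, an unsalted hash can be mapped back by hashing every possible value, whereas a keyed HMAC with an unpublished key cannot. The ID format (digit, letter, two digits), the choice of SHA-256, the sample IDs and the key are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import itertools
import string

# Constructed ID format (assumption): digit, uppercase letter, two digits,
# e.g. "7K42". Only 10 * 26 * 100 = 26,000 values exist.
def all_ids():
    for d, letter, n in itertools.product(
            string.digits, string.ascii_uppercase, range(100)):
        yield f"{d}{letter}{n:02d}"

def naive_pseudonym(vehicle_id: str) -> str:
    """Unsalted hash used as a 'unique identifier' in a public release."""
    return hashlib.sha256(vehicle_id.encode()).hexdigest()

def keyed_pseudonym(vehicle_id: str, key: bytes) -> str:
    """HMAC with a secret key held by the data owner and never published."""
    return hmac.new(key, vehicle_id.encode(), hashlib.sha256).hexdigest()

def build_lookup(pseudonymize):
    """Table that anyone who knows the ID format can precompute."""
    return {pseudonymize(i): i for i in all_ids()}

def reidentified(released, lookup):
    """Fraction of released pseudonyms that map back to a real ID."""
    hits = sum(1 for p in released if p in lookup)
    return hits / len(released)

# Constructed sample: IDs appearing in a released trip dataset.
SAMPLE_IDS = ["7K42", "0A00", "9Z99", "3M07"]
SECRET_KEY = b"constructed-demo-key-kept-out-of-the-release"

def demo():
    public_lookup = build_lookup(naive_pseudonym)
    naive_release = [naive_pseudonym(i) for i in SAMPLE_IDS]
    keyed_release = [keyed_pseudonym(i, SECRET_KEY) for i in SAMPLE_IDS]
    return (reidentified(naive_release, public_lookup),
            reidentified(keyed_release, public_lookup))

if __name__ == "__main__":
    naive_rate, keyed_rate = demo()
    print(f"unsalted hash re-identified: {naive_rate:.0%}")
    print(f"keyed HMAC re-identified:    {keyed_rate:.0%}")
```

Keyed pseudonyms stop the format-enumeration lookup, but the same vehicle still maps to the same token, so its records remain linkable across the dataset.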
Key security concerns for the IoT
• Interconnection of many vulnerable devices
  • Ex: If-This-Then-That (IFTTT) supports over 80 platforms, services, and devices
• Pseudo-anonymity (not direct personal data)
• Need to ensure continuity and availability
• Data privacy
• Trustful authentication (avoid unlawful actions)
• Different applicable laws in every country.
• Start-ups will probably not have the expertise / time
• Widespread availability of easily programmable devices and open source code
  • One bug could affect many, many, many products
Summarizing
1) ADVOCACY No one is protecting your data.
2) AWARENESS People are not aware of security and privacy issues.
3) VISIBILITY It is difficult to know what exactly is happening to your data.
3. Real World Problems
Some IoT Security Fails
• TRENDnet: January 2012
• Various IP Camera Products would allow anyone with a generic URL
to access the camera’s live feed without requiring authentication
• Belkin, July 2012
• The WeMo Switch allowed UPnP actions (e.g. power cycle) to be
performed without requiring authentication
• Philips, August 2013
• The Hue Lighting System utilized the MD5 hash of the MAC address
of an authorized system as a “secret token” to control the platform.
Source: “The Internet of Things: We’ve Got to Chat”, Mark Stanislav, February 2014
Some IoT Security Fails
• IZON: October 2013
• Video clips of “alerts” were saved in an AWS S3 bucket unencrypted,
with no access control preventing someone from viewing the file
• Redacted, December 2013
• API call to purchase in-app credits for service was done without
purchase verification and via clear-text HTTP calls
• Belkin, February 2014
• The WeMo Home Automation API allowed XML injection (XXE),
potentially revealing filesystem contents
Source: “The Internet of Things: We’ve Got to Chat”, Mark Stanislav, February 2014
The (wireless) access hole
The Alphabet Soup…
Clarifying concepts
Application Layer Protocols
• AllJoyn
  • Open-Source project
  • Promoted by the AllSeen Alliance (part of the Linux Foundation)
  • Some Partners: Qualcomm, LG, Panasonic, Sharp, ATT, Cisco, HTC, …
  • Multi-platform: Linux, Windows, Android, OS/X, etc.
• CoAP – Constrained Application Protocol
• SWAP
• MQTT – Message Queuing Telemetry Transport
  • Originally developed by IBM
  • Small code footprint suitable for low-cost devices
  • Large number of messages
• REST (Constrained HTTP)
How does everything work?
A General View (Wireless)
[Figure: wireless technologies plotted by range (10 m, 100 m, 1 km, 10 km) and data transmission rate (bps, Kbps, Mbps, Gbps): RFID, Bluetooth LE, Zigbee, WiFi, VLC, 2G/3G/3G+, LTE/LTE-A and beyond, LPWA M2M Low Throughput Networks (LTN). Further dimensions noted on the rate axis: Delay! Energy! Reliability! …]
Prime Business Criteria
[Figure: Reliability and Availability of Zigbee-like, Bluetooth LE, Low Power WLAN, Proprietary Cellular, Standardized Cellular, Wired M2M]
Availability = coverage, roaming, mobility, critical mass in rollout, etc.
Reliability = resilience to interference, throughput guarantees, low outages, etc.
(Total Cost of Ownership = CAPEX, OPEX.)
Limitations of ZigBee
• Interference in ISM
• No Global Infrastructure
• Lack of Interoperability
• Higher Total Cost
2bn Wifi Devices
WPA2/PSK/TLS/SSL
Advantages of WiFi
• Ubiquitous Infrastructure
• Vibrant Standard
• Low Cost
• Sound Security
300 members
WPA2/PSK/TLS/SSL
Source: Wireless Broadband Access (WBA), Informa, Nov. 2011
Limitations of WiFi
• Crowded ISM Band
• Limited Power
• Lack of Network Planning
• Still using CSMA/CA!!!
WPA2/PSK/TLS/SSL
LP-Wifi vs ZigBee Capillary M2M
© IEEE, from “Feasibility of Wi-Fi Enabled Sensors for Internet of Things,” by Serbulent Tozlu (2011)
“Low-power Wi-Fi provides a significant improvement over typical Wi-Fi on both latency and energy consumption counts.”
“LP-Wifi consumes approx the same as 6LoWPAN for small packets but is much better for large packets.”
7x
Low-Power WiFi Eco-System [examples]
Advantages of Bluetooth
• It is everywhere
• Evolving Standard
• Embedded
• Low Cost
Limitations of Bluetooth
• Low Transmission Rates
• Short Range
• Small number of simultaneous devices
Bluetooth is good for the IoT
• Low Transmission Rates
• Short Range
• Small number of simultaneous devices
Proprietary Radio Solutions
Advantages of LPWA
• Large Coverage
• Low Cost
• Available Today
• Operator Model
3GPP Cellular Networks
• Ubiquitous Coverage
• Mobility & Roaming
• Interference Control
• Service Platforms
Exabyte = 10^18
2G 2.5G 3G 3.5G 4G 5G
Means to achieve higher data rates: more spectrum, more efficient RRM, smaller cells
ITU-R req. for IMT-Advanced
Source: NEC – Andreas Maeder, Feb 2012
However…
Key Technical Novelties
Cellular Networks have been designed for humans!
Accommodation of M2M requires paradigm shift:
• There will be a lot of M2M nodes
• More and more applications are delay-intolerant, mainly control
• There will be little traffic per node, and mainly in the uplink
• Nodes need to run autonomously for a long time
• Automated security & trust mechanisms
… and all this without jeopardizing current cellular services!
3GPP Release 13 and beyond
• Release 12 (completed):
  • Category 0
  • Half Duplex
  • 20 MHz
• Release 13:
  • eMTC
  • Improved coverage
  • Improved power consumption
  • 1,4 MHz channelization
• Cellular IoT (targets Release 13)
  • Brand new radio interface in GERAN (narrowband)
Visible Light Communications?
SECURITY
NO RADIO EMISSIONS
HIGH DATA RATES
BANDWIDTH
NO MAINSTREAM TECHNOLOGY
RANGE
LINE OF SIGHT
COST
A huge mix of all these will live together
End-to-End IoT Testbed
http://www.theiot.es/smartworld
http://technologies.cttc.es/m2m/
Integration of technologies
Red Border Router
Green Shield AP (covered by Raspberry case)
LTE Dongle
SIGFOX Eq.
DQ Border Router
Some pictures
Current Applications
• Smart Parking
• Geofencing (with GPS)
• Indoor / Outdoor Location
• Security (stolen control)
• Presence control
Cloud
Web
Distributed Queuing (DQ)
The future of IoT?
J. Alonso-Zárate, E. Kartsakli, A. Cateura, C. Verikoukis, and L. Alonso, “A Near-Optimum Cross-Layered Distributed Queuing Protocol for Wireless LAN,” IEEE Wireless Communication Magazine, Special Issue on MAC protocols for WLAN, vol. 15, no. 1, pp. 48-55, February 2008.
To sum up…
• The IoT is here and is becoming bigger
• More and more devices
• More and more applications
• More and more different technical solutions
• More and more data
• More and more personalized data or critical data
• Need for PRIVACY and SECURITY
• Need to make things simple and low cost
• Need to integrate security and privacy from the beginning
• Need to explore more
Final Take-Away Message
Henry Ford
“If I had asked people what they wanted, they would have said…
A FASTER HORSE!”
THANKS!
Jesus Alonso-Zarate, PhD
Senior Researcher
Head of M2M Department @CTTC
Co-Editor in Chief of EAI Transactions on IoT
Editor of Wiley ETT
@jalonsozarate
www.jesusalonsozarate.com
www.theiot.es
http://technologies.cttc.es/m2m/