A Technical Seminar on

Security IN
the Internet of Things

Presented by Under the Guidance of

C.Samson P.Ashwini
18R91D5801 Associate Professor (HOD/CSE)
World Wide Web

Mobile Internet

Internet of things
Top barriers to iot and m2m adoption

Source: Infonetics, January 2014.

Security and privacy
MOBILE/
Things
gateway CLOUD Enterprise
Data Data
Data Data

ACCESS ACCESS

Access
Access
Data in Transit
 Challenges

Low friction human interaction

Unique device identification
Device Authenticity
Device-user association
Nature of the data
 More challenges

Limited encryption capabilities

Limited resources (RAM/ROM)
Limited clock synchronization
Firmware must be upgraded from time to time
 IoT security design rules

 Build Security in, it can not be added later

 Keep security mechanisms simple

 Use existing standards

 Obscurity does not provide security

 IoT security design rules

 Encrypt sensitive data at rest and in transit

 Use well-studied cryptographic building blocks

 Identity and Access Management must be part of the design

 Develop a realistic threat model

 Secure Web, Mobile and Cloud Interface

 Do not allow default credentials

 Assume device accessed Internally and Externally

 Credentials should not be stored in plain text nor travel in
unencrypted channels
 Protect against account enumeration & implement account
lockout
 Protect against XSS, CSRF, SQLi

 Implement an IAM/IRM system

 Implement an Identity
Relationship Management System
•Identity creation

•Authentication

•Authorization
Provisioning Device Identity

IDM System

PKI (SE)
I’m an Authentic device
I’m unique (D) Verify authenticity and
Register me registers device
Register user, AuthN, claim ownership

AM System
Verify identity of user,
Register user,
Register me Authenticate user
Authenticate Proof possession of
PKI (SE) Device
I own device D
Create Relationship
User-device
I allow device D to
send data on my
behalf to service S1 Generates OAuth2 Token
for 1 day
Provision Refresh and
Store R &A
Access Token to device
Tokens
Device send data on behalf of user

AM System

Send Data (OAuth2 Token)

Verify Device, OAuth2
PKI (SE) Access Token validity and
Scope (authorization)
…. Token expired Associate data to Alice

Refresh Token Negotiate new Access token

Store A.Token New Access Token
User shares data, revokes tokens

AM with
UMA System

Authenticate
PKI (SE)
I want to Share my data with
My Insurance Company

…. Lost my device
HTTP, MQTT, SASL
Revoke token
 Network Services

 Ensure only necessary ports are open

 Ensure services are not vulnerable to buffer
overflow and fuzzing attacks
 Ensure services are not vulnerable to DoS attacks
 Transport encryption

 Ensure data and credentials are encrypted while intransit

 Use secure encrypted channels
 Use good key lengths and good algorithms
(Elliptic Curve provides efficient encrypting)
 Protect against replay attacks
 Privacy as part of the design

 Collect only the minimum necessary data for the

functionality of the device
 Ensure any sensitive data collected is properly
protected with encryption
 Ensure the device properly protects personal data
 Software/Firmware
 Ensure your firmware does not contain hardcoded
credentials or sensitive data
 Use a secure channel to transmit the firmware during
upgrades
 Ensure the update is signed and verified before
allowing the update
 Do not send the public key with the firmware, use a hash
 Ensure your SVN/GIT repositories do not contain the
private keys
 Physical Security
 Ensure physical access to your device is
controlled
 Accessible USB or SD ports can be a weakness
 Can it be easily disassembled to access the
internal storage (RAM/ROM)
 If local data is sensitive, consider encrypting the data
 CONCLUSION

IoT (Internet of Things) diversifies the future Internet, and has drawn much attention. As more
and more gadgets (i.e. Things) connected to the Internet, the huge amount of data exchanged
has reached an unprecedented level. As sensitive and private information exchanged between
things, privacy becomes a major concern. Among many important issues, scalability,
transparency, and reliability are considered as new challenges that differentiate IoT from the
conventional Internet.
we enumerate the IoT communication scenarios and investigate the threats to the large-scale,
unreliable, pervasive computing environment. To cope with these new challenges, the
conventional security architecture will be revisited. In particular, various authentication
schemes will be evaluated to ensure the confidentiality and integrity of the exchanged data.
 REFERENCES

1.Public-Key Infrastructure (X.509), http://tools.ietf.org/wg/pkix/

2.Kohnfelder, L.M.: Towards a Practical Public Key System, Thesis

(1978), http://dspace.mit.edu/bitstream/handle/1721.1/15993/07113748.pdf

3.Neuman, B.C., Ts’o, T.: Kerberos: an authentication service for computer networks. IEEE
Communications Magazine 32(9), 33–38 (1994)CrossRefGoogle Scholar

4.OpenID, http://openid.net/specs/openid-authentication-1_1.html

5.Goodner, M.: Understanding WS-Federation (2007), http://msdn.microsoft.com/en-

us/library/bb498017.aspx
Thank You!