ESW/IoT Course Lecture
covering security related
research questions around IoT
By Sachin Gaur
25.10.2021
Thinking like an attacker or an artist: Modern Art
IoT Stack
• Hardware device along with sensors and radio interface
• Firmware to enable connectivity
• User Interface (Mobile, Smart Speakers, BCI)
• Backend Cloud Computing for data storage and network intelligence
• Intelligence from Network of Smart Devices
Camera as an example to illustrate the same
Camera as a device
• Installed at the door for security usecase
• Local access and limited storage
Camera as a connected device
• Check the stream anytime, anywhere
• Unlimited storage
Camera as an intelligent device
• Unlock doors for approved faces
• Buy premium intelligence features and keep getting more value from the same investments
We are surrounded by systems around us
which acquire data?
Unsuspecting photocopier!
The next big thing: voice activated devices?
IRTF RFC 8576: IoT Security State of the Art and Challenges
Figure taken from the RFC document
Now reflect on this statement?
“People will eventually be unable to know how
many devices they are carrying, which ones are
currently connected and what data they contain.
Is the data personal or not? Who is able to access
it? Who is able to perform software update
without the user’s knowledge?”
- Aurelien Francillon, Eurecom, France
The formal work on IoT security is fast
catching up but not yet there
Let's explore some research ideas?
The idea is not to violate someone’s intellectual property but to get inspired and develop
our own original approach
Power fingerprinting
https://research.kudelskisecurity.com/2019/10/16/power-analysis-to-the-people/
An example of power fingerprinting!
Replacing the firmware / server code once in a while?
How SCIT works?
Self-Cleaning Intrusion Tolerance is a patented technique for providing ultra-low
intruder persistence time. We constantly restore systems to a pristine
state to remove malware and rob intruders of the time needed to plan and
launch attacks. SCIT does not require changes to existing information
systems, applications, or security protocols to deliver a new high level of
protection. When intruders get in, you need to throw them out as quickly as
possible without waiting to figure out what they are up to. SCIT-MTD (SCIT
Moving Target Defense) assumes that while intrusions are inevitable, the
bigger problem is that intruders are in your systems for a very long time
watching how your system works. Once they are in, they learn how your
systems operate, where your most valuable assets are located, and how to
get your data out of your system under your security radar. SCIT disrupts the
hacker processes and makes it difficult for hackers to succeed.
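A toy model of the restore-to-pristine rotation described above, added here as an example (it is not SCIT's implementation and not code from the lecture). It shows that an intruder's dwell time on a node is bounded by the exposure window regardless of detection; the pool size, exposure window, restore time and detection delay are constructed assumptions.

```python
"""Toy model of periodic restore-to-pristine rotation (all parameters constructed)."""

def phase(node, tick, window, restore, nodes):
    """Position of `node` in its serve/restore cycle at `tick` (start times staggered)."""
    cycle = window + restore
    return (tick - node * cycle // nodes) % cycle

def online(tick, window, restore, nodes):
    """Nodes serving traffic at `tick`; the others are offline being re-imaged."""
    return [n for n in range(nodes) if phase(n, tick, window, restore, nodes) < window]

def dwell_with_rotation(tick, node, window, restore, nodes):
    """Seconds an intruder who lands at `tick` keeps a foothold before the node is wiped.
    Returns None when the node is offline, so there is nothing to compromise."""
    p = phase(node, tick, window, restore, nodes)
    return None if p >= window else window - p

def compare(intrusions, window, restore, nodes, detect_after):
    """Per intrusion: dwell with rotation vs. dwell when eviction waits for detection."""
    return [(tick, node, dwell_with_rotation(tick, node, window, restore, nodes), detect_after)
            for tick, node in intrusions]

# Constructed sample: 3 nodes, 60 s exposure window, 30 s re-image time, and an
# assumed 30-day detection delay for the baseline without rotation.
WINDOW, RESTORE, NODES = 60, 30, 3
DETECT_AFTER = 30 * 24 * 3600
INTRUSIONS = [(10, 0), (59, 0), (95, 2), (100, 1)]  # (time in seconds, node index)

if __name__ == "__main__":
    rows = compare(INTRUSIONS, WINDOW, RESTORE, NODES, DETECT_AFTER)
    for tick, node, rotated, baseline in rows:
        print(f"t={tick:>3}s node={node} rotated_dwell={rotated} baseline_dwell={baseline}s")
    worst = max(d for _, _, d, _ in rows if d is not None)
    print("worst observed dwell with rotation:", worst, "s; bound is", WINDOW, "s")
    print("nodes online at t=0:", online(0, WINDOW, RESTORE, NODES))
```

The bound holds only if the image used for the restore is itself trusted, and it does not cover state that survives a restore (databases, credentials) or an intruder re-entering through the same vulnerability.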
Dealing with legacy devices?
• You cannot update them
• The vulnerabilities are known
• The exploits are also available
• What if the device we are talking about is not cheap? If it is an X-ray
machine or an MRI machine, will you throw it away once you know you
cannot update it?
Monitoring the IoT Traffic
What could be a potential solution in the long term?
https://www.nist.gov/news-events/events/2021/09/workshop-cybersecurity-labeling-programs-consumers-internet-things-iot
Another non-technical solution could be…
Not to buy devices but rent them!
Rent the most secure device always.
Open Discussion
• What is your view on the security of IoT devices?
• What is the most popular device that you would like to investigate
for Confidentiality, Integrity and Availability?
• Any approaches that you would like to share and discuss