Securing the Internet of

Things
Mark Horowitz
Stanford School of Engineering



It's Worse Than You Think

Secure Internet of Things

Our Goal
Embark on a 5-year research project to secure the
Internet of Things

Collaboration between Stanford, Berkeley, and Michigan

Rethink building IoT systems from the ground up

Systems, cryptography, applications, analytics, networks,

hardware, software, HCI

Data security: novel cryptography that enables

analytics on confidential data

System security: a software framework for safe
and secure IoT applications

Secure Internet of Things

Outline

What is the "Internet of Things"?

Why IoT security is so hard
What we plan to do about it

Secure Internet of Things

The Internet of Things

Secure Internet of Things

Internet(s) of Things

Industrial
Automation

Home Area
Networks

Personal Area
Networks

Networked
Devices

Thousands/person
Controlled Environment
High reliability
Control networks
Industrial requirements

Hundreds/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Consumer requirements

Tens/person
Personal environment
Unlicensed spectrum
Instrumentation
Fashion vs. function

Tens/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Powered

WirelessHART, 802.15.4
6tsch, RPL
IEEE/IIC/IETF

ZigBee, Z-Wave
6lowpan, RPL
IETF/ZigBee/private

Bluetooth, BLE
3G/LTE
3GPP/IEEE

WiFi/802.11
TCP/IP
IEEE/IETF

Secure Internet of Things

Internet(s) of Things

Industrial
Automation

Home Area
Networks

Personal Area
Networks

Networked
Devices

Thousands/person
Controlled Environment
High reliability
Control networks
Industrial requirements

Hundreds/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Consumer requirements

Tens/person
Personal environment
Unlicensed spectrum
Instrumentation
Fashion vs. function

Tens/person
Uncontrolled Environment
Unlicensed spectrum
Convenience
Powered

WirelessHART, 802.15.4
6tsch, RPL
IEEE/IIC/IETF

ZigBee, Z-Wave
6lowpan, RPL
IETF/ZigBee/private

Bluetooth, BLE
3G/LTE
3GPP/IEEE

WiFi/802.11
TCP/IP
IEEE/IETF

Secure Internet of Things

IoT: MGC Architecture

Secure Internet of Things

IoT: MGC Architecture

eMbedded
devices

Secure Internet of Things

10

IoT: MGC Architecture

eMbedded
devices
ZigBee,
ZWave,
Bluetooth,
WiFi

Secure Internet of Things

Gateways

11

IoT: MGC Architecture

eMbedded
devices
Cloud
ZigBee,
ZWave,
Bluetooth,
WiFi

Gateways

3G/4G,
TCP/IP

Secure Internet of Things

12

IoT: MGC Architecture

eMbedded
devices
Cloud
ZigBee,
ZWave,
Bluetooth,
WiFi

Gateways

3G/4G,
TCP/IP

Secure Internet of Things

User device

13

IoT: MGC Architecture

embedded C
(ARM, avr, msp430)
ZigBee,
ZWave,
Bluetooth,
WiFi

3G/4G,
TCP/IP

Secure Internet of Things

14

IoT: MGC Architecture

embedded C
(ARM, avr, msp430)
ZigBee,
ZWave,
Bluetooth,
WiFi

3G/4G,
TCP/IP

Secure Internet of Things

Obj-C/C++, Java,
Swift, Javascript/HTML 15

IoT: MGC Architecture

embedded C
(ARM, avr, msp430)

Ruby/Rails,
Python/Django,
J2EE, PHP, Node.js

ZigBee,
ZWave,
Bluetooth,
WiFi

3G/4G,
TCP/IP

Secure Internet of Things

Obj-C/C++, Java,
Swift, Javascript/HTML 16

IoT Security is Hard

Complex, distributed systems

103-106 differences in resources across tiers

Many languages, OSes, and networks
Specialized hardware

embedded C
(ARM, avr, msp430)
ZigBee,
ZWave,
Bluetooth,
WiFi

Just developing applications is hard

Securing them is even harder

Ruby/Rails,
Python/Django,
J2EE, PHP, Node.js

3G/4G,
TCP/IP

Enormous attack surface

Reasoning across hardware, software, languages, devices, etc.
What are the threats and attack models?
Secure Internet of Things

Obj-C/C++, Java,
Swift, Javascript/HTML 23

Valuable data: personal, location, presence

Rush to development + hard avoid, deal later
Secure Internet of Things

17

What We're Going To

Do About it

18

Two Goals
1. Research and define new cryptographic
computational models for secure data analytics
and actuation on enormous streams of real-time
data from embedded systems.

2. Research and implement a secure, open source

hardware/software framework that makes it easy
to quickly build Internet of Things applications that
use these new computational models.

Secure Internet of Things

19

Two Kinds of Security

Data security: data collected and processed by
IoT applications remains safe

Home occupancy
Medical data
Presence/location

System security: elements of MGC architecture

are hard to compromise

eMbedded devices
Gateways
Cloud systems
End applications

Secure Internet of Things

20

Data Security
Security limits what you (or an attacker) can do
What do IoT applications need to do?

Generate data samples

Process/filter these samples
Analytics on streams of data, combined with historical data
Produce results for end applications to view

Goal: end-to-end security

Embedded devices generate encrypted data

Only end applications can fully decrypt and view data
Gateways and cloud operate on data without knowing what it is

Secure Internet of Things

21

End-to-End Security

Data

ZigBee,
ZWave,
Bluetooth,
WiFi

3G/4G,
TCP/IP

Secure Internet of Things

22

End-to-End Security

Data

ZigBee,
ZWave,
Bluetooth,
WiFi

3G/4G,
TCP/IP

Secure Internet of Things

23

End-to-End Security

ZigBee,
ZWave,
Bluetooth,
WiFi

Data

3G/4G,
TCP/IP

Secure Internet of Things

23

End-to-End Security

ZigBee,
ZWave,
Bluetooth,
WiFi

Data
3G/4G,
TCP/IP

Secure Internet of Things

23

End-to-End Security

ZigBee,
ZWave,
Bluetooth,
WiFi

Data

3G/4G,
TCP/IP

Secure Internet of Things

23

End-to-End Security

ZigBee,
ZWave,
Bluetooth,
WiFi

Data

3G/4G,
TCP/IP

Secure Internet of Things

23

End-to-End Security

ZigBee,
ZWave,
Bluetooth,
WiFi

3G/4G,
TCP/IP

Data
Secure Internet of Things

23

End-to-End Security

ZigBee,
ZWave,
Bluetooth,
WiFi

3G/4G,
TCP/IP

Data
Secure Internet of Things

24

End-to-End Security
Sensing device samples data, encrypts it
Each processing stage can decrypt or operate on

encrypted data (increases storage requirements,

limits potential operations)
Possible that only end user can fully view data

data
Secure
Internet of Things
25

encrypted

encrypted

data

Homomorphic Encryption
(Gentry, 2009)

Take a sensor value S, encrypt it to be Se

It is possible to perform arbitrary computations on Se

But 1,000,000 slower than computations on S

So confidential analytics possible, but not yet practical

But can be fast for specific computations (e.g., addition)

Secure Internet of Things

26

New Computational Models

Is it possible for devices to compute aggregate
statistics without revealing their own data?

Youre in the 85th percentile for saving water today!

Your house consumed 120% of its average energy today

Is it possible to compute complex analytics?

Need new cryptographic computation models

Support computations that IoT applications need

)DFXOW\ZRUNLQJLQWKLVDUHD

Christopher R on analytics
Dan Boneh on cryptographic computational models

Secure Internet of Things

27

Two Goals
1. Research and define new cryptographic
computational models for secure data analytics
and actuation on enormous streams of real-time
data from embedded systems.

2. Research and implement a secure, open source

framework that makes it easy to quickly build
Internet of Things applications that use these new
computational models.

Secure Internet of Things

28

Building an Application
Write a data processing pipeline

Consists of a set of Models, describing data as it is stored

Transforms move data between Models
Instances of Models are bound to devices
Views can display Models
Controllers determine how data moves to Transforms
Sensor!

Gateway!

PC/Server!

App/Web!

Views!

Controllers!
Models and!
Transforms!

10Hz !
Sampling!

Recent!
History!

Recent!
History!

Long!
History!

Analytics,!
Suggestions!

Motion!

Activity!

Activity!

Behavior!

Health!

Alarm!

Schedule!

Secure Internet of Things

security and privacy !

29

Code Generation
Framework generates (working) skeleton code for
entire pipeline

All Models, Transforms, and Controllers are written in a

platform-independent language
Views are device specific (although many are HTML/JS)

Developer can modify this generated code

Framework detects if modifications violate pipeline description

E.g., data types, information leakage, encryption
Generated code compiles down to device OS/system

)DFXOW\ZRUNLQJLQWKLVDUHD
David Mazires: software abstractions for security
3KLO/HYLV: 5DYHO software V\VWHP

Secure Internet of Things

30

The Internet of Things

Networking is one of the hardest development
challenges in IoT applications

Ultra-low power protocols

Difficult link layers (4G, BLE)
Protocol stack mismatches
Data packing/unpacking

Framework handles this automatically

Novel network algorithms

)DFXOW\ZRUNLQJLQWKLVDUHD

Keith Winstein, reliability in challenged networks

Prabal Dutta, low power wireless

Secure Internet of Things

31

Software-defined Hardware
Hardware (boards, chips, power) is a daunting
challenge to software developers

It easier to modify something than create it from scratch

The data processing pipeline is sufficient

information to specify a basic embedded device

Sensors, networking, storage, processing needed

)DFXOW\ZRUNLQJLQWKLVDUHD

Mark Horowitz: DXWRPDWLQJFRQVWUDLQHGKDUGZDUHGHVLJQ

Prabal Dutta: embedded device design
Bjrn Hartmann: prototyping new applications

Secure Internet of Things

32

Making It Easy
If it's hard to use, people will work around it

Set password to "password"

Just store data in the clear

Must understand development model

Embrace modification, incorporation, low barrier to entry

Do so such that prototypes can transition to production

)DFXOW\ZRUNLQJLQWKLVDUHD

Bjrn Hartmann: prototyping new applications

Secure Internet of Things

33