新兴的物联网安全威胁和对策EmergingSecurityThreat

EmergingSecurityThreatsandCountermeasuresinIoTShiuhpyngWinstonShiehIEEEReliabilitySocietyVicePresidentIEEEIoTInitiativeSteeringCommitteememberEditor-in-Chief,IEEEReliabilityDigestIEEEFellow&ACMDistinguishedScientistDistinguishedProfessor,CSDept.,NCTU,TaiwanDirector,TaiwanInformationSecurityCenteratNCTUEmail:ssp@cs.nctu.edu.twASIACCS–Happy10thAnniversaryOutline1IEEEIoTInitiative’sperspectiveIoTSecurityThreatsandPitfallsChallengesandCountermeasuresIdentityManagementObjectAuthenticationVulnerabilityandMalwareConclusionsInternetofThings(IoT)2WhatisInternetofThings?WhataretheThings?PhysicalObjects?VirtualObjects?Both?Researchersarestilltryingtoreachaconsensusofdefinitionsandstandards.IEEEIoTInitiativeNIST(NationalInstituteofStandardsandTechnology)ETSI(EuropeanTelecommunicationsStandardsInstitute)CEN(EuropeanCommitteeforStandardization)…...:Internet_of_things_signed_by_the_author.jpg3LaunchedtheIEEEIoTWebPortalAverage2,200visits/1,670visitorspermonthinceptioninJune2013Morethan70%ofvisitorsreturn63%ofvisitorsfromoutsideUSPortalinformationrefreshed~30times–Refreshesincludenewvideos,IEEEIoTexpertsbylinedandindustryarticlesVisitorGrowthProfile44LaunchedFlagshipInitiativeConference5FirstIEEEWF-IoTConference6-8March2014;Seoul,SouthKorea237attendees:58%IEEEMembers,27%Non-Members,15%StudentsRepresentationfrom60+globalorganizations230submittedand127acceptedpapersincluding18postersBroadfinancialsponsorshipFinancialsurplus:$94K+Participationin/supportforIEEEandnon-IEEEeventsOlegLogvinovYKChen:ChallengesandOpportunitiesofConnectedVehicleSafetyRobertoMinerva:GreatInternetofThingsDebateRobertoMinerva:FromM2MtoVirtualContinuumRobertoMinerva:SteeringCommitteeYKChen:GeneralChairIEEE-SASilverSponsorOlegLogvinov:EcosystemStudyonIoTstandardsIoTInitiative:BronzeSponsorRobertoMinerva:MasteringtheInnovationChallengesoftheFutureNetworkOperatorsinanEmergingIoTWorldJaeSeungSong:UnderstandingGlobalM2MStandardsYKChen:GeneralCo-Chair56IEEEIoTonTwitter1,000meaningfulfollowersinjusteightmonthsIEEEIoTreaching2.1millionTwitterusersIEEEIoT’sKloutscoreof52identifiesitasatop-tiervoiceandresourceinsocialmediaLinkedIn1700+Membersinjustoneyear66%seniorlevelorhigher,35%inengineering,projectmanagement,orITBuildingaDiverseIoTCommunity020040060080010001200IEEEIoTTwitterGrowthJanuary–August2014Followers0500100015002000LinkedInGroupGrowthLaunchtoPresentMembers67NewsletterlaunchedSept.2014NewsletterdevelopedinrecordtimeBi-monthly;4articlesperissue;2issuesin2014TheInstituteSpecialReport:TheInternetofThings,March2014Online45,000visitsIoTTechNewsvideofromissuefeaturedonIEEE.tvreceived6,000viewsMarketing/PRSupportforIoTJournalFourissues;33papersCloseto10KdownloadsinfirstsixmonthsNewsletter/VisibilityinExistingPublications7CreatinganIoTEcosystemThroughStandardsWorkshopsGatheringofglobalIoTexperts,leadersandotherparticipantstoexplorenewtechnologies,IEEEstandards,applicationsandfuturebusinessmodelsPriorWorkshops–SiliconValley,CA–Shenzen,China–Milan,ItalyLaunchedNewStandardsProject–P2413WilldefinesanarchitecturalframeworkfortheIoT,includingdescriptionsofvariousIoTdomains,definitionsofIoTdomainabstractions,andidentificationofcommonalitiesbetweendifferentIoTdomainsLaunchedEcosystemStudyDeterminetheconnectiveareasandpotentialgapsintheconceptofIoTthatcouldbeaddressedthroughpre-standardsandstandardsactivities.Thestudywillincentactivitiesfor2015andbeyond.8837IEEEIoTExpertBylines&Articles99IEEEIoTInitiative'sdefinition-basedonIoTInitiative’swhitepaper,(TAB:TechnicalActivitiesBoard;FDC:FutureDirectionCommittee)10Smallenvironmentscenario:It’sanetworkthatconnectsuniquelyidentifiable“Things”totheinternet.The“Things”havesensing/actuationandpotentialprogrammabilitycapability.Informationaboutthe“Thing”canbecollected.Thestateofthe“Thing”canbechanged.Connectionfromanywhere,atanytime,byanythingLargeenvironmentscenario:Aself-configuringandadaptivecomplexnetworkthatinterconnects“things”totheInternetthroughtheuseofinteroperablecommunicationprotocol.‘Things’toPonder(ComputerSecurityDivision,NIST-JeffVoas)111.Thingsmaybeallsoftwareorhardware,acombination,orhuman.(IdentityRelatedIssues)2.Thingsmayhaveastealth/invisiblemodecomingandgoingcreatingzerotraceability.(Privacy&MobilityIssues)3.Authenticationaddressesthe‘Who’sWho’and‘What’sWhat’questions.Thingsmaymisidentify.(Identification&AuthenticationIssues)4.Actuatorsarethings;iffedmaliciousdatafrom‘otherthings’,issueswithlife-threateningconsequencesarepossible.(VulnerabilityandMalwareIssues)12ReVulnLtd.discoveredazero-dayvulnerabilityintheSamsungSmartTVthatallowsattackerstoobtainremotecontrol.ReVuln-TheTViswatchingyouSamsungiswarningcustomersaboutdiscussingpersonalinformationinfrontoftheirsmarttelevisionset.Whatisrecorded?Whocanaccessthedata?Whatifbeinghacked?13BBC(09Feb.2015),Notinfrontofthetelly:Warningover'listening'TV[Online],Avaiable:IoTlightbulb(LIFX)connectstoWiFinetwo