Internet of things or threats?: on building trust in IoT (keynote)

The Internet of Things (IoT) is rapidly emerging with the goal of connecting the unconnected. Many new device manufacturers are entering the market for internet-connected appliances for smart homes and offices, ranging from motion sensors to virtual voice assistants. However, due to a lack of security by design and flawed implementations, we are facing significant security and privacy challenges specific to IoT, such as perilous IoT botnet attacks and novel privacy threats caused by the widespread installation of wireless sensors, actuators and smart home appliances, even in the private setting of our homes. Unfortunately, basic security measures like properly encrypted communications do not protect against these threats. The massive scale of the IoT device population and the enormous diversity of device hardware, operating systems, software frameworks and manufacturers make it very difficult to establish standard IoT security and privacy-protecting solutions by simply applying known solutions, whether for per-device security architectures or for network security measures. In particular, existing intrusion detection techniques for detecting compromised IoT devices seem ineffective. In this talk, we will present our recent work on addressing various security and privacy challenges in the growing IoT landscape, including industry collaborations. In particular, we focus on approaches for flexible management of security associations (pairing) among devices introduced into the user's trust domain, as well as on effectively and efficiently identifying these devices based on their inherent communication behavior and using these behavior patterns to automatically and reliably detect compromised IoT devices.
