Presented at
AppSec USA 2016,
Oct. 14, 2016, 10:45 a.m.
(60 minutes).
The need to connect ‘things' to each other in the IoT ecosystem introduces new security requirements for authentication and self-announcement due to four major characteristics of IoT
1. Physical access and infinite time available to adversaries to take apart devices
2. Lower computation power of standalone devices
3. Unforeseen and emergent behavior of the system if arbitrary nodes are compromised
4. Endless possibility of privacy intrusion based on data intelligence and indirect identity inference.
In this work the IoT systems are modelled using a number of elements: person, machine/device, service, server, client (esp. mobile), and passive marker. New authentication scenarios emerge when these items introduce themselves to each other on trusted or untrusted networks. The majority of authentication and self-announcement needs could be modelled using the above elements. For major authentication and self-announcement scenarios, possible authentication patterns are presented. Here are four examples of how these patterns apply to sample IoT scenarios:
• Home automation as enabled by NEST devices
• Device collaboration in Zigbee-based networks
• Smart inventory management using NFC/RFID
• Remote device control based on XMPP (SASL authentication)
The minimum computation power (capability to perform cryptographic operations) and privacy preserving considerations are analyzed in each case.
Presenters:
-
Farbod H Foomany
- Senior Security Researcher (Tech. Lead) - Security Compass
Farbod H Foomany is a senior application security researcher (technical lead) at security compass. He has a bachelor degree in electrical engineering (control systems), Masters degree in artificial intelligence and robotics, and has completed a PhD with main research on security aspects of using voice-print and other biometrics in criminological and security applications. Farbod is currently involved in projects that aim to investigate and formulate security and privacy requirements of software development in various contexts. Farbod has published and presented his work on signal processing and security in several conferences and journals such IEEE conferences/journals, ISACA journal, crime science conference, OWASP AppSec conference, and IAPP conference.
-
Amir Pourafshar
- Application Security Researcher - Security Compass
Amir Pourafshar is an application security researcher at Security Compass. Amir is currently part of a research team working on an IoT project that aims to investigate and formulate the security requirements of system design/development in internet of things (IoT) ecosystem. Amir has done his masters in computer science at Information Security Centre of eXcellence (University of New Brunswick). Amir's experience includes active participation in and completion of several network security, application security, and software development projects.
Links:
Similar Presentations: