1
Karen Rose Senior Director, Strategy & Analysis Internet Society
The Internet of Things: An Overview
2
• IoT Concepts & Drivers
• IoT Key Challenges Security (and recent DDOS attacks) Privacy Interoperability
Paper available at: http://www.internetsociety.org/IoT
3
IoT Overview: Concepts & Drivers
4
What is IoT really?
• Despite the buzz, no single definition. • Or agreed numbers, or categories, or taxonomies... • Different emphasis on different aspects of the concept
• Functionally: The extension of network connectivity and computing capability to a variety of objects, devices, sensors and everyday items allowing them to generate/exchange data, often with remote with data analytic/management capabilities.
• As Value: Data & what can be done with it.
• As a Vision: The realization of a ‘hyper-connected” world. • This is why it matters. • This is why it’s hard.
One view, from McKinsey Global Institute:
5
Computers, Networks, and “Things” “Machine to Machine” (M2M)
(~1970s +) Internet of Things Beginnings
Carnegie Mellon Internet Coke Machine (1982, 1990)
Trojan Room Coffee Pot
(first webcam) (1991)
Internet Toaster (1990)
6
Internet Invariants: What Makes IoT Possible
6
Global R
each &
Integrit
y
General
Purpose
Permissi
onless
Innovati
on
Accessib
le
Interoperability & mutual agreement
Collaborat
ion
Interoperable Building Blocks
No Permanent Favorites
7
If it’s not new, why now?: A Confluence of Market Trends
UBIQUITOUS CONNECTIVITY
WIDESPREAD ADOPTION OF IP
COMPUTING ECONOMICS
MINIATURIZATION
ADVANCES IN DATA ANALYTICS UBIQUITOUS
CONNECTIVITY
WIDESPREAD ADOPTION OF IP
COMPUTING ECONOMICS
MINIATURIZATION
ADVANCES IN DATA
ANALYTICS
RISE OF CLOUD COMPUTING
8
IoT Challenges
9
Key IoT Challenges
10
Key IoT Challenges
11
Security
12
Security Must be a Fundamental Priority
• Security information technology is not new, but IoT presents different challenges
• Growth in devices increases the surface available for cyberattack
• Poorly secured devices affect the security of the Internet and other devices globally, not just locally.
• Not just data at stake; Vulnerable devices interacting with the physical world could present risk to property and life
Developers and users of IoT devices and systems have a collective obligation to ensure they do not expose others and the Internet itself to potential harm.
13
A Spectrum of Unique IoT Device Security Challenges
See also IETF RFC 7452 Architectural Considerations in Smart Object Networking
• Cost/Size/Functionality
• Volume of Identical Devices
• Deployment at Mass Scale
• Long Service Life
• No / Limited Upgradability
• Limited Visibility into Internal Workings
• Embedded Devices
• Physical Security Vulnerabilities
• Unintended Use
• BYOIoT
Internet connectivity as the next product “value add”
14
Recent IoT-Related DDoS Attacks
Date Target Size
20 September KrebsOnSecurity (Security Blog) ~660 Gbps
20 September OVH (French Hosting Provider) ~1 Tbps
21 October DYN (DNS Managed Services) ~1.2 Tbps
• All Linked to the Mirai malware which uses IoT devices as Bots
• Mirai source code released on hacking websites in October
15
Krebs DDoS attack data
From CloudFlare POV & Analysis of KOSA:
• Several waves of the attack
• Largest attack originated from bots on 737 Networks
• Some 128,833 unique IP addresses
Location of top source ASN’s (wave 3):
It’s not about where you are, it’s about what’s exploitable on your network!
Source: https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/
Images from: http://krebsonsecurity.com/ dyn.com, ovh.com and http://opte.org/
17
What vulnerabilities does Mirai exploit?
• Human behaviour!
• Scans the Internet for IoT devices that have not changed factory username and password defaults
• 68+ username and password pairs in Mirai’s source code.
Source: https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
18
The Good News: Internet Resiliency and Collaborative Security in Action
• The Internet did not “go down”
• Website & service disruptions but functionality restored relatively swiftly
• Collaboration and collective action across companies to stem the attacks
• Widespread information sharing
• Collaboration between private sector and government
• Multistakeholder dialouges
• Key Action Points:
• Good design practices
• Data confidentiality, authentication, and access control
• Field upgradability
• Device obsolescence
• Standards and metrics
• Consumer awareness
• Penalties for irresponsible actors?
19
Online Trust Alliance IoT Security Framework and Resources
19
https://otalliance.org/initiatives/internet-things
20
Privacy
21
Privacy and IoT: Data is a Double-Edged Sword • The data streams /analytics that drive the value IoT can also paint very detailed
and intrusive pictures of our lives.
• Expands the feasibility / reach of surveillance and tracking
• Redefining the debate about privacy issues
• Can dramatically change the ways personal data is collected, analyzed, used and protected.
• Implications on our:
• Basic rights
• Sense of personal safety and control
• Ability to trust the Internet and devices connected to it.
22
Meaningful Awareness &
Control
Breakdown of “Notice and
Consent”
Managing Across Many Devices
Different Dimensions of Privacy Challenges in IoT
Individual Preferences in
Common Contexts
Aggregation of Personal /
Behavioral Data
Cross-Border Data Flows
Global Data Protection
Discrimination
Law
Enforcement
23
Enhancing Privacy in IoT • Strategies need to be developed that respect individual privacy choices across a
broad spectrum of expectations, while still fostering innovation in new technology and services.
• Traditional on-line privacy models may not fit.
• Adapting/adopting basic privacy principles, such as:
• Transparency/Openness
• Meaningful Choice
• Data Minimization
• Use Limitation
• Among others..
24
Interoperability & Standards
25
I&S: Not Just a Tech Challenge, It’s a Market Issue
Overall
N. America
Europe
Source: World Economic Forum
40% Interoperability is necessary to create up to 40 percent of the economic value generated by IoT -- McKinsey Global Institute
Efficiency Scale Market Value
26
Interoperability / Standards Considerations • Complex / Dynamic Service Delivery Chains and Use Cases
• Land Rush and Schedule Risk
• Proliferation of Standards Efforts
• Industry coalitions, alliances, SDOs, proprietary development etc.
• Where is Interoperability Needed?
• Reusable Building Blocks
• Best Practices and Reference Models
Source: xkdc
Ultimately about advancing innovation and user choice
27
Closing Thoughts • IoT is happening now, with tremendous transformational
potential
• May change the way we think about what it means to be “online”
• But the challenges must be addressed to realize the opportunities and benefits
• Significant. Real. But not insurmountable
• Solutions won’t found by simply pitting promise vs. peril
• It will take Informed engagement, dialogue, and collaboration across a range of stakeholders to find solutions and to plot the most effective ways forward.
28
Additional Information and Resources
Internet Invariants: http://www.internetsociety.org/internet-invariants-what-really-matters
Collaborative Security: http://www.internetsociety.org/collaborativesecurity
Trust Policy Framework: http://www.internetsociety.org/doc/policy-framework-open-and-trusted-internet
ISOC Briefing Papers: http://www.internetsociety.org/policybriefs
ISOC Deploy360 Resources: http://www.internetsociety.org/deploy360/ Mutually Agreed Norms for Routing Security (MANRS) Initiative: http://www.routingmanifesto.org/ ISOC IoT Overview Paper: http://www.internetsociety.org/iot Online Trust Alliance IoT Resources (IoT Framework, Consumer Check lists etc.): https://otalliance.org/iot
29
Karen Rose Sr. Director, Strategy & Analysis [email protected]
Thank You The Internet of Things: An Overview Understanding the Issues and Challenges of a More Connected World http://www.internetsociety.org/IoT