Security and Privacy in the Age of IoT
Junia Valente, Matthew Wynn, Alvaro Cardenas
University of Texas at Dallas
References
[1]. Junia Valente, Alvaro A. Cardenas. Security and Privacy of Smart Toys. In Proc. of the 1st Workshop on Internet of Things Security and Privacy (IoTS&P ’17). Dallas, TX, USA. November 3, 2017.
[2]. Junia Valente, Alvaro A. Cardenas. Understanding Security Threats in Consumer Drones Through the Lens of the Discovery Quadcopter Family. In Proc. of the 1st Workshop on Internet of Things Security and Privacy (IoTS&P ’17). Dallas, TX, USA. November 3, 2017.
[3]. Matthew Wynn, Kyle Tillotson, Ryan Kao, Andrea Calderon, Andres Murillo, Javier Camargo, Rafael Mantilla, Brahian Rangel, Alvaro Cardenas, Sandra Rueda. Sexual Intimacy in the Age of Smart Devices: Are we Practicing Safe IoT? In Proc. of the 1st Workshop on Internet of Things Security and Privacy (IoTS&P ’17). Dallas, TX, USA. November 3, 2017.
[4]. Junia Valente, Alvaro A. Cardenas. Remote Proofs of Video Freshness for Public Spaces. In Proc. of the 3rd ACM Cyber-Physical Systems Security and Privacy Workshop (CPS-SPC). Dallas, TX, USA. November 3, 2017.
New Security and Privacy Threats
Internet Connected Smart Toys [1]
[Figure: smart toy setup, price label $119.99. Legend: webserver, cloud, access point, sensor. Attack label: eavesdrop and inject VoIP traffic.]
Attack: Injecting voice
An attacker can make Dino speak arbitrary things to a child:
• Ask child to open front door
• Drink poison
• Insult the child
We discovered and reported several vulnerabilities: (CVE-2017-8867); (CVE-2017-8866); (CVE-2017-8865).
Security and Privacy for Drones [2]
[Figure: attack on the drone's open access point, numbered steps 1 to 5. Labels: owner flying the drone; attacker; AP network; connect to drone open AP; login to telnet; power off the drone; lose control of the drone.]
Attacker is able to power off the drone, and take other controls!
Study of Drones
We discovered and reported a vulnerability (CVE-2017-3209).
Intimacy in the Age of IoT [3]
● “Intimate” IoT is gaining more and more traction
  ○ Future: more interactive and intelligent devices
● These are not “just toys”, attacks can have serious consequences
  ○ Privacy: usually the most privacy-sensitive information
  ○ Safety: attacks can lead to sexual assault or even rape
  ○ Vendors have to take security more seriously than the “average” IoT device
Solutions?
Visual Challenge Proposal for Cameras [4]
We propose using public information like news, stock prices, and tweets as visual challenges. They are informative, and visually more appealing than random strings and barcodes.
Q: Are they random enough to prevent replay attacks?
[Figure: system overview. Labels: Challenge Log, save history, visual challenge, video feed, Physical Environment, Digital Signage, sense, visual challenge fabrication, Trusted, Camera, Verifier.]
Security
• Physical Attack: Cover, move camera to a different place
• Spoofing Attacker: Attacker authenticates itself to the prover, and sends fake video
• Replay Attacker: launches replay attacks using old footage (Hollywood style)
• Smart Replay Attacker: attacker knows the system is in place
• Anti-forensics attack: attacker attempts to create forged frames with the challenge
[Figure: verification of a video frame, numbered steps 1 to 5. Labels: Physical Environment, Camera, Verifier, visual challenge, response, sense, compromised, attacker knows about, video frame, image processing, OCR, recognized text, original text, accuracy score.]
Text samples shown in the figure:
"I'm closing in on Mars! Who is going to sleep tonight? Not the team, too excited/scared/anxious seeing 5 years of work come to this last day"
"I'm closing In on Mars! Who is going to sleep tonight? Not the team. too excited/scared/anxlous seeing 5 years of work come to this tast day"
Edit distance: metric to tell how far apart two strings are
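The verifier step described above, as an added example that is not code from the poster or the cited papers: it scores OCR output against every entry in the challenge log with edit distance and separates a fresh frame from replayed footage. It assumes the text sample with character errors is the OCR output; the function names, the 0.9 threshold, and the two older log entries are constructed for illustration.

```python
# Added example: freshness check over OCR output. Names and the 0.9
# threshold are assumptions, not values from the poster.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def accuracy(recognized: str, original: str) -> float:
    """Accuracy score in [0, 1]: 1.0 means the OCR text equals the challenge."""
    longest = max(len(recognized), len(original)) or 1
    return 1.0 - edit_distance(recognized, original) / longest


def verify_frame(recognized: str, challenge_log: list, threshold: float = 0.9):
    """Match OCR text against the challenge log (oldest first, current last).

    Returns (verdict, score): "fresh" if the best match is the current
    challenge, "replay" if it is an older one, "no-challenge" if nothing in
    the log reaches the threshold (covered or moved camera, fake video).
    """
    if not challenge_log:
        return "no-challenge", 0.0
    scores = [accuracy(recognized, c) for c in challenge_log]
    best = max(range(len(scores)), key=scores.__getitem__)
    if scores[best] < threshold:
        return "no-challenge", scores[best]
    verdict = "fresh" if best == len(challenge_log) - 1 else "replay"
    return verdict, scores[best]


# The two text samples from the poster figure.
ORIGINAL = ("I'm closing in on Mars! Who is going to sleep tonight? Not the team, "
            "too excited/scared/anxious seeing 5 years of work come to this last day")
RECOGNIZED = ("I'm closing In on Mars! Who is going to sleep tonight? Not the team. "
              "too excited/scared/anxlous seeing 5 years of work come to this tast day")
# Constructed older challenges (not from the poster); current challenge is last.
LOG = ["ACME closes at 41.20, up 1.3% on the day",
       "City council approves new transit plan",
       ORIGINAL]

if __name__ == "__main__":
    print(edit_distance(RECOGNIZED, ORIGINAL), verify_frame(RECOGNIZED, LOG))
    print(verify_frame("ACME closes at 41.2O, up 1.3% on the day", LOG))
```

The threshold trades OCR tolerance against the risk of accepting a near-miss challenge, so it should be tuned on frames from the deployed camera.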