In this project, we explore new architectures to address the security challenges created by the Internet of Things (IoT).
The Internet-of-Things (IoT) has moved from hype to reality with 5 billion
IoT devices deployed in 2015, with expectations to grow significantly.
While IoT has the potential to transform our daily lives, significant
security risk accompanies its rise since vendors typically prioritize cost
and functionality over security. Unfortunately, today's IT security
ecosystem is fundamentally ill equipped to handle IoT deployments. For
example, since IoT devices typically operate inside the network,
traditional perimeter defenses are ineffective. Many IoT devices do not
run a full-fledged OS since they are often power and resource constrained.
Moreover, the longevity of these devices means that vulnerable devices
(e.g., default passwords, unpatched bugs) remain deployed long after
vendors cease to produce or support them. Thus, traditional
endpoint-centric mechanisms (e.g., anti-virus, patches) are impractical.
Finally, given the rapid churn in the environment and device behaviors, we
need to reassess and update the system's security posture. Unfortunately,
today's security enforcement stems from a static mindset and cannot handle
To address these issues, we believe that the network will play a
critical role in securing IoT deployments. We are developing a new IoT
security architecture called Precise Security for IoT (PSI). PSI
envisions customized µNFs (Micro Network-security Functions) acting as
security gateways for each IoT device. A logically centralized PSI
controller monitors the contexts of different devices and the
environment and generates a global view for cross-device policy
enforcement. Based on this view, it instantiates and configures
individual µNFs and the necessary forwarding mechanisms to route packets
to these µNFs. This vision is general and can support a range of IoT
management models; e.g., directly connected devices vs. IoT hubs vs.
smartphone-controlled. To enable immediate deployment, we assume the
enterprise has a well-provisioned on-premises compute cluster. In homes,
we envision an upgraded version of an IoT router (e.g., Google OnHub)
with compute capabilities. Each IoT device's first-hop edge router or
wireless access point (AP) is configured to tunnel packets to/from the
device to the cluster. Note that tunneling is already supported in
commodity switches. This vision is synergistic with emerging network
management paradigms of software-defined networking (SDN) and network
functions virtualization (NFV). Specifically, PSI uses NFV concepts to
dynamically launch virtualized network functions (e.g., virtual IDS) on
demand and SDN capabilities to route the traffic to the desired µNFs.
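The control loop described above, as an added illustration that is not code from the PSI project: a toy controller keeps a global view of device contexts, derives one µNF (peer allowlist plus a packet budget) per device from a cross-device policy, and emits the SDN-style rule that makes each device's first-hop AP tunnel its traffic to that µNF. The device types, the peer policy and the rate budgets are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    dev_id: str
    dev_type: str   # e.g. "camera", "hub", "thermostat" (assumed types)
    ap: str         # first-hop edge router / access point

@dataclass(frozen=True)
class MicroNF:
    """Per-device security gateway: an allowlist of peers plus a packet budget."""
    dev_id: str
    allowed_peers: frozenset
    max_pps: int

class PSIController:
    # Illustrative cross-device policy (assumed, not from the paper): which device
    # types may exchange traffic, and a per-type packets/s budget for the µNF.
    PEER_POLICY = {"camera": {"hub"}, "thermostat": {"hub"},
                   "hub": {"camera", "thermostat", "internet"}}
    RATE_BUDGET = {"camera": 2000, "thermostat": 50, "hub": 5000}

    def __init__(self, cluster: str):
        self.cluster = cluster
        self.view: dict[str, Device] = {}   # global view of device contexts
        self.unfs: dict[str, MicroNF] = {}
        self.flows: list[tuple] = []        # (ap, match, action) forwarding rules

    def register(self, dev: Device) -> None:
        """A device joins (or its context changes): update the view, re-derive."""
        self.view[dev.dev_id] = dev
        self.reconcile()

    def reconcile(self) -> None:
        """Rebuild every µNF and forwarding rule from the current global view."""
        self.unfs, self.flows = {}, []
        for dev in self.view.values():
            types_ok = self.PEER_POLICY[dev.dev_type]
            peers = {d.dev_id for d in self.view.values()
                     if d.dev_type in types_ok and d.dev_id != dev.dev_id}
            if "internet" in types_ok:
                peers.add("internet")
            self.unfs[dev.dev_id] = MicroNF(dev.dev_id, frozenset(peers),
                                            self.RATE_BUDGET[dev.dev_type])
            # SDN-style rule: the first-hop AP tunnels this device's packets to its µNF
            self.flows.append((dev.ap, f"src={dev.dev_id}",
                               f"tunnel->{self.cluster}/unf/{dev.dev_id}"))

    def permit(self, src: str, dst: str, pps: int) -> bool:
        """Decision the source device's µNF makes for a flow of `pps` packets/s."""
        unf = self.unfs.get(src)
        return unf is not None and dst in unf.allowed_peers and pps <= unf.max_pps
```

Registering a new hub re-runs `reconcile`, so an existing camera's µNF gains the hub as a peer without anyone touching the camera itself, which is the point of keeping enforcement in the network rather than on the endpoint.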
“Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things”
by Tianlong Yu, Vyas Sekar, Srinivasan Seshan, Yuvraj Agarwal, and Chenren Xu.
In Proceedings of HotNets, (Philadelphia, PA), Nov. 2015.