Great ideas, big data and little privacy? Bart Preneel iminds and COSIC KU Leuven
NSA calls the iPhone users public 'zombies' who pay for their own surveillance
Snowden revelations
- NSA: "Collect it all, know it all, exploit it all"
- most capabilities could have been extrapolated from open sources
- But still massive scale and impact
- redundancy: at least 3 methods to get to Google's data
- many other countries collaborated (beyond five eyes): economy of scale
- industry collaboration through bribery, security letters,
Snowden revelations (2)
- Most spectacular: active defense
  - networks
    - Quantum insertion: answer before the legitimate website
    - FoxAcid: specific malware
  - devices
    - supply chain subversion
- Translation in human terms: complete control of networks and systems, including bridging the air gaps
- No longer deniable
Lessons learned
- Never underestimate a motivated, well-funded and competent attacker
- Pervasive surveillance requires pervasive collection and active attacks (also on innocent bystanders)
- active attacks undermine integrity of and trust in computing infrastructure
- Economics of scale play a central role: it is not about the US or US/UK or even five eyes
  - other nations have or are developing similar capabilities
  - organized crime and terrorists working on this too
The state of cybersecurity
- Governments are undermining ICT systems rather than improving cybersecurity (and part of industry is helping)
- Problems at network level
  - end-to-end deployment of encryption
  - meta data: IP address, location, network protocols such as BGP, DNS
- Problems at system level:
  - secure execution and update
  - supply chain security
  - 0-day market
IoT security risks
- More pervasive and intrusive: building, car, body
- low cost
- larger attack surface
- harder to update
- Security
  - bringing down the grid
  - hacking cars and drones
  - burglary
  - hacking medical devices
OWASP IoT top 10 2014
https://www.owasp.org/index.php/owasp_internet_of_things_top_ten_project
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
IoT privacy nightmare?
- What is privacy?
- What are the limitations of the current approach?
- What are the risks?
- HP IoT study: 90% of devices collected at least one piece of personal information via the device, the cloud or its mobile application
What is privacy?
- Abstract and subjective concept, hard to define
- Depends on cultural aspects, scientific discipline, stakeholder, context
- Conflicts are inherent
[Diagram labels: transparency, discretion, harmony, social control]
Legal approach
- Data controller: trusted
- Limited purpose: can be hard to define
- Consent: how will this work in IoT?
[Diagram labels: transparency, discretion, harmony, social control; annotation: "Irish privacy commissioner here"]
Privacy problems
- Data breaches
- Profiling
- Discrimination
- Manipulation
- Prediction
- Mass surveillance
Architecture is politics [Mitch Kapor 93]
- Need to rethink centralized architectures with massive storage of raw data (designed for advertising/search/cost)
- Avoid single point of trust that becomes single point of failure
Governance and Architectures: Back to principles
- Data minimization through infrastructure
- Minimum disclosure: avoid centralized massive amounts of data
- cryptomagic
- local computations with proof of security
- centralized storage but encrypted under local key (can still do computations!)
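Added example, not part of the original slides: one way to realize "centralized storage but encrypted under local key (can still do computations!)" is an additively homomorphic scheme. The sketch assumes Paillier encryption (the slides name no scheme), toy-sized primes, and constructed meter readings; the function names are illustrative.

```python
# Added illustration: Paillier encryption with g = n + 1.
# Toy key size for readability only; real use needs a >= 2048-bit modulus
# and a vetted library.
import math
import secrets

def keygen(p, q):
    """Build a key pair from two distinct primes; the private part stays local."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)        # inverse of L(g^lam mod n^2) when g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """Device side: encrypt reading m (0 <= m < n) under the public modulus n."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (1 + n)^m == 1 + m*n (mod n^2), blinded by r^n
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def aggregate(n, ciphertexts):
    """Central store: multiplying ciphertexts adds the hidden plaintexts."""
    total = 1
    for c in ciphertexts:
        total = total * c % (n * n)
    return total

def decrypt(n, priv, c):
    """Key holder: recover the plaintext (here, the sum) from a ciphertext."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n

def demo():
    # Constructed sample: two small known primes and made-up meter readings.
    n, priv = keygen(104729, 1299709)
    readings = [412, 97, 1530, 8]
    stored = [encrypt(n, m) for m in readings]  # all the central store ever sees
    return decrypt(n, priv, aggregate(n, stored)), sum(readings)

if __name__ == "__main__":
    print(demo())
```

The central store only handles ciphertexts and the public modulus; the sum is readable only where the local private key lives.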
Open Solutions
- Open source solutions with effective governance
  - who adds code
  - who does code reviews
Conclusions
- IoT technologies bring major privacy and security risks
- we cannot afford to continue the "deploy now and fix later" model
- Need to rethink everything
  - architectures: where is the data?
  - building blocks
  - deployment (including supply chain)
  - update mechanisms
- Need open solutions with open audit
- Support: legislation (economic incentives) and non-proliferation treaties
- Essential to maintain our European sovereignty and values
CONTACT DETAILS
Bart Preneel, iminds and COSIC KU Leuven
ADDRESS: Kasteelpark Arenberg 10 Bus 2452, 3000 Leuven
WEBSITE: homes.esat.kuleuven.be/~preneel/
EMAIL: Bart.Preneel@esat.kuleuven.be
TELEPHONE: +32 16 321148
www.facebook.com/iminds
@iminds
THANK YOU FOR YOUR TIME