Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spinning CPEs Collaborative work on CPE IoT protection 1

Published byFrancine Owen Modified over 5 years ago

Similar presentations

Presentation on theme: "Spinning CPEs Collaborative work on CPE IoT protection 1"— Presentation transcript:

1 Spinning CPEs Collaborative work on CPE IoT protection 1
Peter Steinhäuser – Embedd Jelte Jansen – SIDN Labs RIPE 78 - May 23, 2019 1

2 So, about that IoT 2

3 Ways to add some ‘s’ to IoT
Better practices for manufacturers? Better (free) standard software libraries? International policy, regulation, and certification? Generate market demand for secure products? Quarantine bad actors at ISP level? Educate users? Empower users? 3

4 “Yes” Ways to add some ‘s’ to IoT Better practices for manufacturers?
Better (free) standard software libraries? International policy, regulation, and certification? Generate market demand for secure products? Quarantine bad actors at ISP level? Educate users? Empower users? “Yes” 4

5 Ongoing work around IoT (security) in IETF
Manufacturer Usage Description (MUD) Specification – RFC8520 Limit the Internet destinations of Things in networks. Thing tells the location (URL) of it’s communication profile Communication profile is enforced (MUD file) Enforcement of communication profile is also usefull for other applications Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Call Home - Drafts With the DOTS initiative, information on DDoS attacks is shared and analysed A major part of the DDoS sources are IoT devices. With the DOTS .. Call Home initiative, IoT devices can selectively be quarantined Based on 5-tuple (IP addresses, portnumbers & time stamp) Service providers can use this feature without knowledge about the Thing (Privacy!)

6 Formal standardization in ISO/IEC and CEN/CENELEC
Formal standardization is country – region – worldwide organized; CEN & CENELEC European, ISO & IEC worldwide CEN/CLC/JTC 13 aims at Cybersecurity and Data Protection including IoT WG 6: Security of products including related services and environments In the Netherlands there is an initiative to focus om IoT Security & Privacy standardisation A similar initiative might be happening in your country Formal standardization often takes place in alignment with regulators. There are already government initiatives to improve IoT security: Code of Practice for consumer IoT Security (UK) Baseline Security Recommendations for IoT (EU ENISA) Radio Equipment Directive (RED) (there are ~12 European directives / recommendations / regulations that could improve IoT security) Could end up in certifications

7 Ways to add some ‘s’ to IoT
Better practices for manufacturers? Better (free) standard software libraries? International policy, regulation, and certification? Generate market demand for secure products? Quarantine bad actors at ISP level? Educate users? Empower users: SPIN 7

8 IoT at SIDN / SPIN goals Protect home networks from rogue/insecure IoT devices Protect the Internet from home networks 8

9 The SPIN project at SIDN Labs
Security and Privacy for In-home Networks Research into ways of SPIN functionality: Empower home users Protect home network Protect from home networks Software prototype(s) Traffic monitor Traffic analysis (local!) Traffic control

10 Running prototype: visualiser
Shows DNS queries Shows data traffic User can block traffic based on source or destination In latest release: Select device and download (live) pcap for selected device 10

11 Core components, changes after talks with CPE people
Since last presentation here, lots of talks and collaboration 11

12 Other changes after talking to random people (tm)
Valibox release images now available for other systems Raspberry Pi v3 VirtualBox Adding prototype ‘spin-off’ tools in releases Pcap-reader Peak-detection Fancier custom interface Pre-dots-signal-home (‘incident reporter’) PoC Some of this in current release, some will be in next 12

13 Core components, changes after talks with CPE people
Use standard kernel modules for traffic capture (custom kernel module too scary) Add UCI (and soon luci) configuration (easier integration with configuration tools) Add RPC with optional UBUS support (easier integration with control tools) Better packaging (easier deployment) Some of this in current release, some will be in next 13

14 Why CPE? Previous SPIN setups required a separate device
Moving SPIN and related services into the CPE reduces home network complexity Putting SPIN to the home network’s “border” simplifies Automatic actions like firewalling malicious devices Reporting unusual activities to the ISP to initiate further analysis/actions Could significantly improve the coverage and adoption of SPIN

15 Why OpenWRT? Quasi-standard SDK for open source CPE firmware development Wide hardware support (QCA / BRCM / MTK / Marvell…) Gaining more and more industry support, even adopted by some chipset makers (i.e. QCA QSDK) Simple integration as an opkg; information here: Hassle-free install work in progress

16 Related initiatives Broadband Forum Collaboration
CPE management standards are set in the Broadband Forum Best known for TR-069 (to be replaced by USP), which is behind the over 1 Billion broadband connections. IoT and security are hot topics; next meeting will have a Security BoF. “Fixing” UPnP on CPE’s When UPnP is enabled on a CPE (~75%), all traffic measures can be overruled be devices on the local network. Source: home-unpatched-known-vulnerabilities/ No improvement / standardization effort is identified to address this issue.

17 Demo 17

18 Discussion/questions/cheers/tomatoes
Jelte Jansen Peter Steinhäuser Go try it out! (and send us feedback) ((or any other suggestions)) 18

Download ppt "Spinning CPEs Collaborative work on CPE IoT protection 1"

Similar presentations

Gateway Agent Product & Architecture

Gateway Agent Product & Architecture
Internet Gateway Device (IGD)

Internet Gateway Device (IGD)
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
IT security Are you protected against hackers?. Why are we in danger?  The Internet is worldwide, publicly accessible  More and more companies and institutes.

IT security Are you protected against hackers?. Why are we in danger?  The Internet is worldwide, publicly accessible  More and more companies and institutes.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.

Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.
UPnP Device Management Andre Bottaro France Telecom Group UPnP DM co-chairman End User Device Management panel Sunday, January 11th, 2009 CCNC'09.

UPnP Device Management Andre Bottaro France Telecom Group UPnP DM co-chairman End User Device Management panel Sunday, January 11th, 2009 CCNC'09.
Introduction to Broadband HamNet

Introduction to Broadband HamNet
Broadband Forum Machine-to-Machine (M2M) Solutions Robin Mersh, CEO The information in this presentation is public.

Broadband Forum Machine-to-Machine (M2M) Solutions Robin Mersh, CEO The information in this presentation is public.
Introducing Kerio Control Unified Threat Management Solution Release date: June 1, 2010 Kerio Technologies, Inc.

Introducing Kerio Control Unified Threat Management Solution Release date: June 1, 2010 Kerio Technologies, Inc.
Module 1: Installing Windows XP Professional. Overview Manually Installing Windows XP Professional Automating a Windows XP Professional Installation Using.

Module 1: Installing Windows XP Professional. Overview Manually Installing Windows XP Professional Automating a Windows XP Professional Installation Using.
P6 - CONFIGURE THE SOFTWARE. CONFIGURE SOFTWARE Most software can be configured to suit an individual user, for example by changing the appearance of.

P6 - CONFIGURE THE SOFTWARE. CONFIGURE SOFTWARE Most software can be configured to suit an individual user, for example by changing the appearance of.
Networking Security Chapter 8 powered by dj. Chapter Objectives  Explain various security threats  Monitor security in Windows Vista  Explain basic.

Networking Security Chapter 8 powered by dj. Chapter Objectives  Explain various security threats  Monitor security in Windows Vista  Explain basic.
University of Murcia 8 June 2011 IPv6 in Europe Jacques Babot European Commission - DG INFSO Directorate, Emerging Technologies and Infrastructures.

University of Murcia 8 June 2011 IPv6 in Europe Jacques Babot European Commission - DG INFSO Directorate, Emerging Technologies and Infrastructures.
Windows Small Business Server 2003 Setting up and Connecting David Overton Partner Technical Specialist.

Windows Small Business Server 2003 Setting up and Connecting David Overton Partner Technical Specialist.
Protecting Students on the School Computer Network Enfield High School.

Protecting Students on the School Computer Network Enfield High School.
NETWORKING COMPONENTS Buddy Steele Assignment 3, Part 1 CECS-5460: Summer 2014.

NETWORKING COMPONENTS Buddy Steele Assignment 3, Part 1 CECS-5460: Summer 2014.
© 2012 IBM Corporation IBM Security Systems 1 © 2012 IBM Corporation Cloud Security: Who do you trust? Martin Borrett Director of the IBM Institute for.

© 2012 IBM Corporation IBM Security Systems 1 © 2012 IBM Corporation Cloud Security: Who do you trust? Martin Borrett Director of the IBM Institute for.
IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.

IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.
International Telecommunication Union ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004 Infrastructure Security: The impact on Telecommunications.

International Telecommunication Union ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004 Infrastructure Security: The impact on Telecommunications.

Similar presentations

Ads by Google