Toward Building a Safe, Secure, and Easy-To-Use Internet of Things
IOT CONNECTION

Toward Building a Safe, Secure, and Easy-to-Use Internet of Things Infrastructure

Yuvraj Agarwal and Anind K. Dey, Carnegie Mellon University

Carnegie Mellon University is leading a multi-institutional effort to build an open infrastructure to support the Internet of Things.

Editor: Roy Want, Google; [email protected]

Computer, published by the IEEE Computer Society, April 2016. 0018-9162/16/$33.00 © 2016 IEEE

FROM THE EDITOR

Building on our inaugural column from February, this month's article presents an open program that sets out to explore the Internet of Things' (IoT's) value proposition. Just as the Internet belongs to all of us, I believe this program embodies the principles we hope will be the driving forces behind an equally successful IoT architecture. In this column, researchers from Carnegie Mellon University eloquently outline the tenets and goals of the GIoTTO software stack. —Roy Want

A safe and secure world enabled by the Internet of Things (IoT) promises to lead to truly connected environments, where people and things collaborate to improve the overall quality of life. The IoT will give us actionable information at our fingertips, without us having to ask for it or even recognizing that it might be needed. Consider this example that combines many simple uses of the IoT to cumulatively form an omnipotent assistant:

Sal glances at the display near her office door and sees that her next meeting is in 10 minutes. One participant is out of town and the other two people are running late, but the meeting room is still occupied by several people. The display also suggests it might be a good time to get coffee because the lines are short at the cafe downstairs. Her good friend Joe happens to be at the cafe, too. Sal checks an app she recently built and sees that the coffee is freshly brewed. "That simplifies things," she thinks to herself as she heads toward the cafe.

This is the unique promise of a successful IoT, and is what we are aiming for with GIoTTO, the IoT program at Carnegie Mellon University (CMU) named after the famous Renaissance painter.

NEED FOR AN OPEN INFRASTRUCTURE

Although numerous commercial and academic programs focus on building IoT systems, it's clear that for any IoT stack to be widely adopted, it must be open—without a singular organization claiming ownership. We must involve the community with the IoT's design, development, and deployment—that means truly open source development, as exemplified by Linux and Android. We also believe that an IoT stack must provide immediate value to anyone wanting to deploy and use it, without requiring substantial integration work upfront. Practically, this means that it must provide important first-class features such as robust machine learning, easy end-user programming, security, and privacy. Our vision of the GIoTTO stack, which we are developing at CMU, is shown in Figure 1.

Figure 1. The GIoTTO open source stack. Layer labels, in the order they appear in the figure: IoT apps/App store/End-user environments; IoT development environments; Abstractions/Analytics/Machine learning; Time-series datastore/Controls; Edge analytics and cloudlets; Data integration and middleware; Sensors and actuators.

GIoTTO is an open source infrastructure intended to support the construction, maintenance, and use of IoT-enabled environments. We formed our team at CMU shortly after Google held an open call for proposals on the Open Web of Things. We responded and received the lead award on what is now known as the IoT Expedition (www.iotexpedition.org), which includes partners at Cornell Tech, the University of Illinois, and Google. The IoT Expedition's goals match those of GIoTTO, and the project has adopted GIoTTO as its software infrastructure. Each partner will contribute to and build on GIoTTO to demonstrate its value through a series of living laboratories at each site.

IOT CHALLENGES

The number of IoT-connected devices is expected to grow to 21 billion by 2020 (www.gartner.com/newsroom/id/3165317), presenting a major market opportunity for established hardware (such as Intel, Apple, Qualcomm, ARM, Samsung, and LG) and software vendors (such as Google, Microsoft, and IFTTT) across the world, in addition to spawning new entrepreneurship opportunities. These companies are working on producing IoT devices, software, and services to develop an interconnected world. Although the vision of an IoT-enabled future is enormously compelling, several key challenges must be addressed before it can become a reality. These challenges are related to three critical questions:

› How can we build an IoT infrastructure that is safe, secure, and private from the ground up? Safety implies that IoT devices won't do anything unexpected or unintended. Security implies that IoT devices only allow authorized entities, whether computer programs or humans, to access their services. Privacy implies that IoT devices don't access or leak private user data either directly or indirectly without a clearly defined, and verifiable, purpose being presented to and accepted by users.
› How can we leverage the huge amount of data being collected by sensors embedded in all objects? This calls for machine learning and data analytics to be integrated at every level from sensors and actuators to end users.
› How can we enable end users of varying technical ability to manage, interact with, and even control and program IoT-enabled environments? For the IoT to be truly pervasive, IoT systems must be accessible to end users, or they might be discarded along with the multitude of other technologies that showed much promise only to be ignored after deployment.

SECURITY, PRIVACY, AND SAFETY

A key design decision we're addressing in our GIoTTO software stack is to face these concerns from the ground up rather than retrofitting later. Although these concerns have some natural overlaps (for example, safety concerns sometimes imply security issues), we're looking to devise solutions for each one.

Safety in IoT means being able to reason about the behavior of IoT devices, especially actuators, and being able to detect and prevent unintended or unexpected behavior. This is a very difficult problem because it requires not only understanding "normal" behavior, but also being able to develop models for device interactions and devising mechanisms to enforce safety properties. The challenges in ensuring the safety of IoT devices are also due to extreme heterogeneity, lack of standardization, and ineffectiveness of traditional defenses like end-host firewalls and antivirus software. We believe the underlying network provides a key vantage point to not only observe these device-to-device and device-to-cloud interactions, but also to enforce safety and security using techniques from network middleboxes. We're exploring methods to represent these IoT device interactions (for example, crowdsourcing) and devise models for safety policies that can be disseminated to IoT users.

IoT privacy challenges stem from sensors directly or indirectly leaking private information about users, often unbeknownst to them. Although useful for controlling appliances when users aren't home, occupancy sensors can also be used by attackers to determine how often homeowners are out of town. Information about users and their behavior can be inferred from sensors indirectly or by combining in-

more conservative data model might only reveal whether a user is "on campus" or "in a meeting." This approach controls who has access to which tier of data, but also supports privacy policies and audits. Our goal is to eventually expose mechanisms where IoT applications must specify a clearly defined set of purposes of data access that can be checked by our GIoTTO stack and reported to users who own that data.

Security in IoT means providing access control mechanisms and policies and being able to enforce them, particularly in the face of the tremendous number of heterogeneous devices. In the GIoTTO stack, we've implemented a robust access control layer to allow flexible security policies to be expressed as well as abstractions to manage the number of rules that must be specified. Done naively, one would need to have as many rules as the number of devices multiplied by the number of users. We leveraged ideas from role-based access control, and mechanisms for grouping users and sensors to reduce the num-

apparent that people won't be able to consume all the data. Most IoT efforts support sensing, simple computation, communication, distribution, and actuation, but not analytics and machine learning. In contrast, we treat all these aspects as core functions of any IoT infrastructure.

At the lowest level (collecting data from sensors embedded in the environment or objects), data analytics can be applied to reduce overall power usage. Instructions sent to sensors to collect data at a particular rate can be configured in real time using power consumption analytics. The configuration must satisfy all current requests for data (including just storing the data), while optimizing for power consumption.

As another example, we're currently working on developing algorithms to identify novel patterns present in sensor data and in people's behaviors (as captured by sensors). Identifying these patterns creates new, higher forms of data from low-level data. We call these components that can capture complex high-level patterns—or even ones that perform simple analyses such as averaging across sensors—virtual sensors. Virtual sensors take input from one or more physical or virtual sensors and produce some new output. An IoT infrastructure must be able to support the production of simple and sophisticated virtual sensors.