5G Network Security
——Current Research Situation and Progress

Contents
1 5G Network Security Development Status
2 5G Network Security Key Technologies
3 5G Network Security Research Progress
4 5G and Internet of Things Security

CHAPTER ONE
5G Network Security Development Status
5G network background

With the development of IoT devices, 5G network services are also expanding from the personal-oriented communications of 1G-4G to the industrial Internet and smart cities.

[Figure: timeline from 1G to 5G. Recoverable labels:]
- Milestones: 5G technical trials, alliance planning, launch of commercial service (AT&T and other US operators; Japan DoCoMo; Korea KT)
- China Mobile obtained the 2515 MHz-2675 MHz and 4800 MHz-4900 MHz bands (2.6 GHz / 4.9 GHz)
- China Telecom obtained 100 MHz of 5G trial spectrum at 3400 MHz-3500 MHz (3.4 GHz-3.5 GHz)
- China Unicom obtained 100 MHz of 5G trial spectrum at 3500 MHz-3600 MHz (3.5 GHz-3.6 GHz)
5G network background

The China IMT-2020 (5G) Promotion Group comprehensively organizes 5G work. China's 5G test phase division and target tasks:

[Figure: organization of the China IMT-2020 (5G) Promotion Group (expert group): a secretariat and working groups for 5G applications, C-V2X, spectrum, wireless technology, network technology, 5G trials, ITU, 3GPP, IEEE, intellectual property and international cooperation.]

[Figure: 5G scenarios and frequency bands. Recoverable labels:]
- Enhanced mobile broadband (eMBB): high band (above 24 GHz) and low band (below 1 GHz); use cases such as virtual reality, true 3D, social communication and cloud office; throughput
- Ultra-reliable low-latency communication (uRLLC): a latency experience of at most 1 ms and reliability of 10^-5 error rate (compared with 2G/3G/4G); use cases such as logistics, emergency response and connected vehicles
- Massive machine-type communication (mMTC): a connection density of 10^6 links/km²

5G critical performance
- Guaranteed user data rate: ≥50 Mb/s
- User terminal capacity: ≥20 billion
- IoT terminal capacity: ≥1 trillion
- Overall service reliability: ≥99.999%
- Supported mobility for ground transportation: ≥500 km/h
- Outdoor terminal positioning accuracy: ≤1 m
5G network technology

[Figure: 5G network technology overview. Recoverable labels:]
- 5G core network: SDN and NFV, SDN/NFV controllers, network slicing, cloud computing, fog nodes
- Access network: polar codes, massive antenna (MIMO) technology, millimeter wave, fog/edge computing
- Cross-cutting: big data analytics and artificial intelligence
- 5G scenario: connected vehicles (Internet of Vehicles)
5G network technology

- Service internetization technologies: API-based service architecture (SBA), internetized protocols
- Network virtualization technologies: service slicing, SDN/NFV, amorphous cells, user-centric networks
- Forwarding-plane technologies (cloud-based communication network, MEC/C-RAN): L3 connectionless IP routing and connection-oriented source routing (SR); L2 MAC-layer frame switching and Ethernet-based time-sensitive networking (TSN); L1.5 flexible Ethernet cross-connect (FlexE)
- Optical fiber transport network: time-division multiplexed SDH (CPRI), statistical multiplexing, M-OTN/100GE/SPN
- Radio access network: massive antennas, ultra-dense networking, macro/micro cell hybrid, uplink/downlink decoupling, V2V communication
- Terminals of all kinds: smart mobile terminals, wearables, connected vehicles, robots, sensors

Compared with 4G, 5G uses advanced wireless technology and breakthrough improvements to the core network architecture to support more service scenarios, higher performance indicators, and stronger and more flexible communication security capabilities.
5G Network Service Scenarios and Security Requirements

Five security challenges: new service scenarios; new technologies and features; new business models; multiple access technologies and devices; enhanced privacy protection requirements.

1 Enhanced mobile broadband (eMBB): provides higher experienced data rates and larger-bandwidth access to support higher-resolution, more vivid multimedia content.
2 Ultra-reliable low-latency communication (uRLLC): provides low-latency, high-reliability information interaction to support highly real-time, highly precise and highly secure service collaboration among interconnected entities.
3 Massive machine-type communication (mMTC): provides signaling control optimized for higher connection density to support efficient access and management of large-scale, low-cost, low-energy IoT devices.

Security requirements: multi-level slice security; unified authentication architecture; diverse authentication management; on-demand privacy protection; service-oriented security protection; open security capabilities.

[Figure: threat landscape. Recoverable items:]
- Network crime: selling forged accounts, sharing accounts, damaging core applications, defrauding billing systems, creating forged accounts, injecting malicious code
- Insider attacks: directly providing sensitive information (such as geolocation), directly providing valuable information, selling employee discount coupons, selling financial data, selling services on the black market
- Other threats shown: exploiting network device vulnerabilities, damaging network devices, intercepting sensitive information, hijacking satellite-based network links and infrastructure paths, BGP hijacking, privacy infringement, black-market sale of stolen mobile services, damaging broadcast keys, sending sales-blocking ransomware and malware, selling trade secrets, content piracy, extortion and economic theft, damaging smart devices, fraud, data exfiltration, reselling unauthorized services
Security Risks and Challenges in 5G Networks

A unified authentication framework is needed to support network access authentication for multiple application scenarios.

Amorphous cells
- 5G macrocells and microcells are jointly networked with the control plane and user plane separated: the control plane is in the macrocell and the user plane is in the microcell.
- 5G uplink and downlink are decoupled, so the cell edge can communicate heterogeneously with a 5G downlink and a 4G uplink.
- However, traditional 4G security mechanisms do not address the security threats of dense heterogeneous networking scenarios.

Unified authentication framework
- Sites from different network systems, different access technologies and different types are accessed in parallel or simultaneously; for example, DDoS attacks can downgrade 5G to 4G/3G, making attacks easier to carry out.
- A unified authentication framework spanning the underlying heterogeneous, multi-layer radio access network is needed to achieve flexible and efficient mutual authentication for access in different application scenarios.
Security Risks and Challenges in 5G Networks

SDN security threats
- Application layer (APP1, APP2, APP3): counterfeit controllers; information leakage
- Northbound interface: man-in-the-middle attacks; tampering with or eavesdropping on communication content; penetration attacks; information leakage
- Control layer (SDN controller; SDN-specific): DDoS/DoS attacks; flow table tampering; security policy bypass
- Southbound interface: man-in-the-middle attacks; tampering with or eavesdropping on communication content
- Data layer (devices): transport protocol vulnerabilities; flow table tampering (SDN-specific); flow table entry overflow; DDoS/DoS attacks; information leakage

NFV security threats
1. MANO security threats: threats to MANO entities, including viruses, worms, DoS attacks, tampering with stored data and illegal access; threats to communication between MANO entities and between MANO and the traditional network management system or VNFs, including tampering with or interception of communication content
2. VNF security threats: tampering with or forging VNF software packages; illegal access to VNFs; leakage of sensitive data
3. Management security threats: privilege abuse; theft of accounts and passwords
4. NFV network security threats: threats to inter-VNF communication, including tampering, interception and replay; NFV networking threats, including attacks on the NFV core area from external networks and the spread of threats from low security levels to high security levels
5. NFVI security threats: VM threats, including VM abuse, VM escape, inter-VM sniffing, and tampering with or illegal access to images; hypervisor threats, including attacks on the hypervisor through VMs and vulnerability exploitation; hardware threats, including DDoS and viruses against servers and physical attacks

The centralization of SDN management concentrates the attack targets and lowers the difficulty of attack.
The openness of the application layer exposes security vulnerabilities more easily, and NFV breaks the traditional protection boundary.
Security Risks and Challenges in 5G Networks

5G opens up management and orchestration (MANO) capabilities so that third parties can deploy, update and scale the network, but this raises a series of security issues.

Internet of Vehicles security
- The IoV includes vehicle-to-vehicle (V2V) communication as well as mobile-edge communication.
- The IoV requires air-interface latency below 1 ms, while traditional protocols such as authentication and encryption procedures were not designed for ultra-reliable low-latency communication scenarios.
- Vehicles can also communicate with each other without going through the network, which requires mutual authentication between vehicles.

Internet of Things security
- Typical IoT terminals have limited resources, operate in complex network environments with massive numbers of connections, and are vulnerable to attack.
- Every message from every device needs to be authenticated individually; if terminal signaling requests exceed the network's processing capacity, a signaling storm is triggered.
- mMTC needs a group authentication mechanism, lightweight security mechanisms, and anti-DDoS mechanisms to prevent hijacking.
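The signaling-storm point above is easiest to see on data. The following is an added example, not code from the slides or from any vendor: it takes a constructed log of registration/service requests ("timestamp,device,message" lines, an assumed format) and reports the one-second windows in which the request rate exceeds an assumed AMF processing capacity, plus the devices re-registering inside one window, which are the candidates for back-off or group handling instead of per-message authentication.

```python
"""Added example (not from the slides): detecting a signaling storm from a
stream of registration/service requests. Log format and capacity figure are
assumptions; the log lines are constructed."""
from collections import Counter, defaultdict

# Constructed sample: a normal trickle, then six IoT devices re-registering
# repeatedly within the same second (what a bursty fleet looks like to the AMF).
SAMPLE_LOG = """\
1000.0,imsi-0001,Registration Request
1000.4,imsi-0002,Registration Request
1001.1,imsi-0003,Registration Request
1002.0,imsi-0101,Registration Request
1002.1,imsi-0102,Registration Request
1002.2,imsi-0103,Registration Request
1002.3,imsi-0101,Registration Request
1002.4,imsi-0104,Registration Request
1002.5,imsi-0102,Registration Request
1002.6,imsi-0105,Registration Request
1002.7,imsi-0103,Registration Request
1002.8,imsi-0106,Registration Request
1003.0,imsi-0004,Service Request
"""


def parse(log: str):
    """Yield (timestamp, device, message) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def _buckets(log: str, window_s: float):
    """Per-window counters of requests per device."""
    per_window = defaultdict(Counter)
    for ts, dev, _msg in parse(log):
        per_window[int(ts // window_s) * window_s][dev] += 1
    return per_window


def storm_windows(log: str, capacity_per_s: int, window_s: float = 1.0):
    """Windows whose total signaling rate exceeds the assumed capacity.
    Each entry: (window_start, request_count, up to three busiest devices)."""
    hits = []
    per_window = _buckets(log, window_s)
    for start in sorted(per_window):
        devs = per_window[start]
        total = sum(devs.values())
        if total > capacity_per_s:
            hits.append((start, total, [d for d, _ in devs.most_common(3)]))
    return hits


def repeat_offenders(log: str, max_per_window: int = 1, window_s: float = 1.0):
    """Devices sending more than max_per_window requests inside one window."""
    per_window = _buckets(log, window_s)
    return sorted({d for c in per_window.values() for d, n in c.items() if n > max_per_window})


if __name__ == "__main__":
    for start, total, top in storm_windows(SAMPLE_LOG, capacity_per_s=5):
        print(f"storm at t={start:.0f}s: {total} requests/s, busiest devices {top}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

With the constructed log and a capacity of 5 requests per second, only the window starting at t=1002 s is flagged (9 requests), and the three devices that registered twice inside it are the repeat offenders; raising the capacity threshold above 9 clears the alert.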
Edge computing
- MEC devices deployed at the edge are more easily exposed to external attackers, and the risk from a compromised edge computing device extends to the network infrastructure.
- Data is distributed at the network edge, weakening control over data.
- The centralized form of content-security supervision is broken, making content regulation more difficult.

Network slicing
- If proper security isolation mechanisms are not adopted, then when a network slice is attacked, an attacker with access rights to that slice can use it as a base to attack other target slices, leaving the attacked target slice unable to provide normal service.
Open network capabilities
- Privacy information is shared from closed platforms to open platforms, increasing the risk of data leakage and the difficulty of supervising the security of shared data.
- If a trust problem arises during the open authorization process, a malicious third party can use the acquired network-control capability to attack the network; API attacks, DDoS attacks and worm malware attacks become larger in scale and more frequent.

Smart terminal security
- General requirements: confidentiality protection of user and signaling data, secure storage and handling of subscription credentials, user privacy protection, etc.
- Special requirements: uRLLC terminals need to support high-security, high-reliability security mechanisms; mMTC terminals need to support lightweight security algorithms and protocols; some special industries need dedicated security chips, customized operating systems and dedicated application stores.
CHAPTER TWO
5G Network Security Key Technologies
5G Network Access Security

[Figure: user equipment (multimedia/video, IoT, IoV) -> access network (base stations, WiFi, fixed networks) -> core network (AUSF, AMF, SMF, UPF; NEF, NRF, PCF, UDM, AF) -> external data network (DN). Primary authentication terminates in the core network; secondary authentication extends to the external DN.]

- Authentication protocol: EAP-AKA' provides mutual authentication under a unified framework and supports non-3GPP access; 5G-AKA strengthens home-network control.
- Secondary authentication: authentication services provided by a third party.
- Authentication extensions: group authentication adapted to IoT; fast peer-to-peer authentication adapted to the IoV, etc.
- Cryptographic algorithms: support for mainstream encryption and integrity protection algorithms such as AES, SNOW 3G and ZUC.
- Privacy protection: the USIM card carries an operator-provisioned public key; on first attachment the IMSI is encrypted with this public key, solving the problem of identity leakage at initial access.
- Signaling protection: encryption and integrity protection of air-interface and NAS-layer signaling.
- User-plane protection: on-demand encryption and integrity protection of the user plane over the air interface and/or between the UE and the core network.
- Key management system: a hierarchical key derivation mechanism; changes to the authentication mechanism, the introduction of slicing and user-plane integrity require new keys.
5G Network Control Plane, User Plane, Signaling Encryption

Cryptography for 5G supports hierarchical key derivation mechanisms, dynamic authentication mechanisms, slicing introduction techniques, user-plane integrity verification, etc. It protects the keys for signaling and messaging on the wireless communication side.

[Figure: identity management and the 5G key hierarchy. Recoverable labels: physical/logical conversion abstraction; key levels (I)-(V) spanning the USIM, home environment (HE)/service layer, serving network (SN), mobile equipment (ME), access network (AN), transport layer, 3GPP AN and non-3GPP AN.]

[Figure: 5G core network. Recoverable labels: control plane with NSSF (network slice selection), NRF (network repository), PCF (policy control), UDM (user data management), AF (application function), AUSF (authentication), AMF (access and mobility management), SMF (session management) and NEF (network exposure), with their service-based interfaces Nnssf, Nnrf, Npcf, Nudm, Naf, Nausf, Namf, Nsmf and Nnef; SEPP (security edge protection proxy) on N32 towards other operators; non-3GPP interworking function and non-3GPP access server; application/application platform (e.g. MEC, mobile edge computing); user plane with UE, NG-RAN, user plane functions and the data network over N1, N2, N3, N4 and N6.]

⚫ To take advantage of virtualization, the control plane (CP) of the 5G core network adopts a Service Based Architecture (SBA): each CP network function (NF) exposes its capabilities as a "service".
⚫ A system procedure is described as a series of NF service invocations, where the interactions between all CP NFs are abstracted (e.g., Request-Response, Subscribe-Notify).
⚫ The Security Edge Protection Proxy (SEPP) protects interactions between public land mobile network (PLMN) operators.
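The hierarchical key derivation mentioned on this slide and in the access-security bullets is worth seeing concretely. The block below is an added example, not code from the slides or from 3GPP: it models the key tree below K_AUSF (K_SEAF, K_AMF, the NAS keys, K_gNB and the RRC/UP keys) with HMAC-SHA-256 over a purpose label and the context inputs the standard binds in (serving network name, SUPI and ABBA, algorithm identifiers, uplink NAS COUNT). The labels and byte encodings are simplified assumptions, not the FC codes and parameter layout of TS 33.501 Annex A; what the model keeps is the property the hierarchy exists for: a leaked lower key exposes only its own descendants.

```python
"""Added example (not from the slides): a simplified model of the 5G key
hierarchy. Labels/encodings are assumptions, not the 3GPP KDF byte layout."""
import hashlib
import hmac

# Parent of each derived key, following the hierarchy on the slide's key figure.
PARENT = {
    "K_SEAF": "K_AUSF", "K_AMF": "K_SEAF",
    "K_NASenc": "K_AMF", "K_NASint": "K_AMF", "K_gNB": "K_AMF",
    "K_RRCenc": "K_gNB", "K_RRCint": "K_gNB", "K_UPenc": "K_gNB", "K_UPint": "K_gNB",
}


def derive(parent: bytes, label: str, *context: bytes) -> bytes:
    """HMAC-SHA-256(parent, label || len(c1)||c1 || ...): one-way and label-separated,
    so a child never reveals its parent and keys for different purposes differ."""
    s = label.encode()
    for c in context:
        s += len(c).to_bytes(2, "big") + c
    return hmac.new(parent, s, hashlib.sha256).digest()


def key_hierarchy(k_ausf: bytes, sn_name: str, supi: str, abba: bytes,
                  nas_enc_alg: int, nas_int_alg: int,
                  as_enc_alg: int, as_int_alg: int, ul_nas_count: int = 0) -> dict:
    """Derive every key below K_AUSF. Context inputs mirror the standard's choice:
    K_SEAF binds the serving network name, K_AMF binds SUPI and ABBA, the NAS/AS
    keys bind the algorithm identifier, K_gNB binds the uplink NAS COUNT."""
    k = {"K_AUSF": k_ausf}
    k["K_SEAF"] = derive(k["K_AUSF"], "K_SEAF", sn_name.encode())
    k["K_AMF"] = derive(k["K_SEAF"], "K_AMF", supi.encode(), abba)
    k["K_NASenc"] = derive(k["K_AMF"], "NAS-enc", bytes([nas_enc_alg]))
    k["K_NASint"] = derive(k["K_AMF"], "NAS-int", bytes([nas_int_alg]))
    k["K_gNB"] = derive(k["K_AMF"], "K_gNB", ul_nas_count.to_bytes(4, "big"))
    for name, label, alg in (("K_RRCenc", "RRC-enc", as_enc_alg),
                             ("K_RRCint", "RRC-int", as_int_alg),
                             ("K_UPenc", "UP-enc", as_enc_alg),
                             ("K_UPint", "UP-int", as_int_alg)):
        k[name] = derive(k["K_gNB"], label, bytes([alg]))
    return k


def exposed_by(leaked: str) -> set:
    """Keys an attacker can recompute if `leaked` is disclosed: exactly its
    descendants in the hierarchy, never its ancestors or siblings."""
    out, frontier = set(), {leaked}
    while frontier:
        children = {c for c, p in PARENT.items() if p in frontier}
        out |= children
        frontier = children
    return out


if __name__ == "__main__":
    # Constructed inputs: dummy K_AUSF, a serving network name, SUPI and ABBA.
    keys = key_hierarchy(b"\x01" * 32, "5G:mnc000.mcc460.3gppnetwork.org",
                         "imsi-460001234567890", b"\x00\x00", 1, 2, 1, 2)
    for name, key in keys.items():
        print(f"{name:9s} {key.hex()[:16]}...")
    print("compromise of K_gNB exposes:", sorted(exposed_by("K_gNB")))
```

Re-running the derivation with a different uplink NAS COUNT changes K_gNB and everything under it while K_AMF and the NAS keys stay the same, which is how a fresh access-stratum key is obtained without re-authenticating.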
Unified Authentication

Unified authentication framework
• Network credentials with UICC and non-UICC support
• Same authentication entity (AMF/AUSF/UDM) for both 3GPP access and n3GPP access

Support for third-party authentication
• Secondary authentication
• Support for operation between UE, SMF, UPF and third-party AAA authentication servers

Authentication protocol
• 5G NR (New RAN) access: 5G AKA or EAP-AKA'
• n3GPP access: EAP-AKA' or 5G AKA
• Enterprise scenario: EAP-TLS

Authentication protocol selection
• The UDM selects the authentication protocol based on the user's subscription

[Figure: UE - AMF - AUSF/UDM; the authentication methods (AKA, certificate, ...) are carried in EAP over NAS.]

[Figure: LTE attack path UE - relay - eNodeB - CN with steps 1. valid server, 2. tampering to redirect to a malicious server, 3. malicious server, 4. connecting to malicious servers; alongside, a 5GC diagram (UE - gNB - CN) in which NAS, RRC and UP each have confidentiality and integrity.]

⚫ The vulnerability stems from the lack of integrity protection for the LTE user plane.
⚫ The vulnerability can only be exploited under certain circumstances in lab conditions; commercial 4G networks are still resistant to such attacks.
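The two bullets above say that the weakness is missing integrity protection, not missing encryption. The block below is an added example, not code from the slides or from 3GPP, showing exactly that difference. The stream cipher is a toy (an HMAC-SHA-256 keystream over COUNT and BEARER, standing in for NEA ciphering) and the tag is a truncated HMAC standing in for NIA integrity; keys and the packet are constructed. Without a tag, a ciphertext changed by an on-path relay decrypts to a correspondingly changed plaintext that the receiver accepts; with the tag, the receiver discards the PDU, and a PDU replayed under a different COUNT is discarded too.

```python
"""Added example (not from the slides): user-plane ciphering with and without
integrity protection. Toy XOR stream cipher and truncated-HMAC tag; constructed
keys and packet; not the real NEA/NIA algorithms."""
import hashlib
import hmac


def _keystream(key: bytes, count: int, bearer: int, length: int) -> bytes:
    """Toy keystream: HMAC blocks over (COUNT, BEARER, block index)."""
    out, idx = b"", 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + bytes([bearer]) + idx.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        idx += 1
    return out[:length]


def cipher(k_enc: bytes, count: int, bearer: int, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR, as with any stream cipher."""
    return bytes(a ^ b for a, b in zip(data, _keystream(k_enc, count, bearer, len(data))))


def mac(k_int: bytes, count: int, bearer: int, ciphertext: bytes) -> bytes:
    """32-bit MAC-I over the ciphertext, with COUNT and BEARER bound in."""
    msg = count.to_bytes(4, "big") + bytes([bearer]) + ciphertext
    return hmac.new(k_int, msg, hashlib.sha256).digest()[:4]


def protect(k_enc, k_int, count, bearer, pdu, integrity=True):
    """Sender side: cipher the PDU and, if the UP security policy says so, append MAC-I."""
    ct = cipher(k_enc, count, bearer, pdu)
    return ct + (mac(k_int, count, bearer, ct) if integrity else b"")


def unprotect(k_enc, k_int, count, bearer, packet, integrity=True):
    """Receiver side: plaintext, or None when the integrity check fails."""
    if integrity:
        ct, tag = packet[:-4], packet[-4:]
        if not hmac.compare_digest(mac(k_int, count, bearer, ct), tag):
            return None
    else:
        ct = packet
    return cipher(k_enc, count, bearer, ct)


def modify_in_transit(packet: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model of an on-path relay that XORs the ciphertext so the plaintext under
    it changes from `old` to `new` without knowing the key (a property of every
    XOR stream cipher, which is why integrity protection is needed)."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    body = bytearray(packet)
    for i, d in enumerate(delta):
        body[offset + i] ^= d
    return bytes(body)


def demo(integrity: bool):
    """Send a constructed query, alter one field in flight, and return what the
    receiver accepts: the altered text (no integrity) or None (integrity)."""
    k_enc, k_int = b"E" * 16, b"I" * 16      # constructed keys
    pdu = b"query: www.example.org"          # constructed user-plane payload
    pkt = protect(k_enc, k_int, 7, 1, pdu, integrity)
    pkt = modify_in_transit(pkt, pdu.index(b"example"), b"example", b"altered")
    return unprotect(k_enc, k_int, 7, 1, pkt, integrity)


if __name__ == "__main__":
    print("confidentiality only, receiver accepts:", demo(False))
    print("confidentiality + integrity, receiver accepts:", demo(True))
```

The same `unprotect` call also rejects a packet presented under a COUNT other than the one it was protected with, because COUNT is an input to the MAC; that is the replay-protection half of "integrity and replay protection" that the IAB and access-security slides list.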
Security Enhancement: IMSI Protection

IMSI: International Mobile Subscriber Identity; SUCI: Subscription Concealed Identifier; SUPI: Subscription Permanent Identifier

IPsec/TLS ensures security between network elements (NEs) and between network functions (NFs).
⚫ IPsec is used between 3GPP network elements to guarantee security at the IP layer.
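The slide names IMSI, SUCI and SUPI but not how the concealment works. The block below is an added example, not code from the slides or from 3GPP: the UE encrypts only the MSIN of an IMSI-type SUPI under the home network's public key (the key the access-security slide says is provisioned on the USIM), while MCC/MNC and the routing indicator stay in clear so the serving network can route the request home; the home network checks a MAC and recovers the SUPI. The real profiles in TS 33.501 Annex C use ECIES over X25519 or secp256r1 with AES-128-CTR and HMAC; to stay on the Python standard library this example substitutes a toy modular Diffie-Hellman group and a SHA-256 keystream, which are not secure and only reproduce the shape of the scheme. The SUPI value is constructed.

```python
"""Added example (not from the slides): the structure of SUCI concealment.
Toy DH group and keystream (insecure, stdlib-only) in place of 3GPP ECIES."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy group modulus (Mersenne prime); constructed, insecure
G = 5                # toy generator


def hn_keypair():
    """Home-network private/public key; the public value is provisioned on the USIM."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _keys(shared: int, eph_pub: int):
    """Split a hash of the DH secret and ephemeral key into enc key and MAC key."""
    okm = hashlib.sha256(shared.to_bytes(16, "big") + eph_pub.to_bytes(16, "big")).digest()
    return okm[:16], okm[16:]


def _xor(key: bytes, data: bytes) -> bytes:
    """Toy keystream XOR; one SHA-256 block covers the at most 10-digit MSIN."""
    ks = hashlib.sha256(key + b"msin-stream").digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def conceal(supi: str, hn_pub: int, routing_indicator: str = "0000", hn_key_id: int = 1) -> dict:
    """UE side: IMSI-type SUPI 'MCC-MNC-MSIN' -> SUCI, with a fresh ephemeral key
    per attachment so two SUCIs of the same subscriber are unlinkable."""
    mcc, mnc, msin = supi.split("-")
    eph_sk = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph_sk, P)
    k_enc, k_mac = _keys(pow(hn_pub, eph_sk, P), eph_pub)
    ct = _xor(k_enc, msin.encode())
    return {"supi_type": "IMSI", "mcc": mcc, "mnc": mnc,          # clear: routing
            "routing_indicator": routing_indicator, "scheme": "toy-ecies",
            "hn_key_id": hn_key_id, "eph_pub": eph_pub,           # clear: scheme input
            "ciphertext": ct,                                     # concealed MSIN
            "mac": hmac.new(k_mac, ct, hashlib.sha256).digest()[:8]}


def deconceal(suci: dict, hn_sk: int):
    """Home network (UDM/SIDF) side: verify the MAC, then recover the SUPI.
    Returns None instead of a SUPI when the MAC does not verify."""
    k_enc, k_mac = _keys(pow(suci["eph_pub"], hn_sk, P), suci["eph_pub"])
    tag = hmac.new(k_mac, suci["ciphertext"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, suci["mac"]):
        return None
    return f"{suci['mcc']}-{suci['mnc']}-{_xor(k_enc, suci['ciphertext']).decode()}"


if __name__ == "__main__":
    hn_sk, hn_pk = hn_keypair()
    supi = "460-00-1234567890"             # constructed IMSI-type SUPI
    first, second = conceal(supi, hn_pk), conceal(supi, hn_pk)
    print("over the air:", {k: v for k, v in first.items() if k != "ciphertext"})
    print("same MSIN, different ciphertexts:", first["ciphertext"] != second["ciphertext"])
    print("home network recovers:", deconceal(first, hn_sk))
```

Two attachments by the same subscriber yield different ciphertexts and ephemeral keys, so an observer of the radio link cannot link them or learn the MSIN; only MCC/MNC, which the serving network needs for routing, are visible, which is the "initial access identity leakage" problem the access-security slide says the USIM public key solves.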
[Figure: slide comparing R16 with R17+ under the headings 1. Evolution/Improvement, 2. Empowering Vertical Industries, 3. Security of the architecture. The column text was scrambled in extraction; the recoverable points are:]
⚫ R16 does not affect the 5G security architecture defined in R15.
⚫ The UE radio capability is sent after AS security is activated.
⚫ For redundant PDU sessions, URLLC enhances the use of connectivity; user-facing security policies are under discussion.
⚫ Convergence of wireline and wireless extends the 5G application boundaries; R16 only considers the non-roaming case.
⚫ AKMA has entered a normative phase in which the key structure and basic procedures have been defined.
⚫ Small data transfer and CIoT in wireless are based on the NAS/AS security defined in R15.
⚫ In addition to EAP-AKA', other types of protocols can be used in stand-alone private networks.
⚫ The UP IP architectural approach in R15 is the basis for further work.
⚫ R16 defines that the IAB node supports UE functionality and that the F1 interface utilizes IPsec.
⚫ Options 2/4/5/7 (slice authentication).
eV2X standardization process
Proposer: LG
Participants: LG, IDDC, Huawei, Ericsson, Nokia
⚫ Work already done in the standard:
✓ A separate TS has been established.
✓ Requirements for defense against linkability and traceability attacks at layer 2 are proposed, following the LTE V2X solution.
⚫ Research progress:
✓ Aspects to be considered when switching between PC5 and Uu: security of multicast, security of broadcast, security of UE service authorization and deregistration, and handling of user-plane security policies.
✓ The security of eV2X unicast messages on PC5 and solutions #3, #8, #19, #12 and #16 are the basis for the above normative work.

IAB (integrated access and backhaul) standardization process
Proposer: Samsung
Participants: Huawei, Ericsson, Samsung, QC, Orange, AT&T
⚫ Progress on standardization:
✓ The IAB-node is referred to as the IAB-UE; it supports encryption, integrity protection and replay protection, as well as mutual authentication, for NAS signaling and RRC signaling.
✓ The IAB integration process consists of three phases: IAB-UE side establishment; BH RLC channel establishment and route update; IAB-DU side establishment.
✓ The IAB-UE function shall act as a UE and reuse the UE procedures.

URLLC (ultra-reliable low-latency communication) standardization process
Proposer: Huawei
Participants: Huawei, Ericsson, QC, Nokia
⚫ Standardization process: 80%
✓ Redundant user-plane paths based on dual connectivity:
✓ The network (UDM and/or SMF) shall ensure the same UP security policy settings.
✓ The MN shall ensure that the first and the redundant PDU session have the same user-plane security activation status.
✓ When the "Preferred" option is not allowed, the MN shall forward the UP security policy to the SN.
✓ When the "Preferred" option is allowed, the MN shall make the decision on UP ciphering and integrity protection, and then provide the user-plane security activation state to the SN.
✓ Redundant transport on the N3/N9 interfaces: NDS/IP multiplexing

Vertical LAN standardization process
Proposer: Nokia
Participants: Huawei, Ericsson, QC, Nokia, Orange
⚫ Summary of the report:
✓ Annex I of TS 33.501 applies to non-public networks (NPN).
✓ NPN here means standalone non-public networks (SNPNs), which may use authentication methods other than AKA-based ones.
✓ When an EAP authentication method other than EAP-AKA' is selected, the UE and the network use that EAP method's credentials in the authentication.
✓ Two new annexes on 5G LAN and TSN were agreed.

AKMA standardization process
[Figure: AKMA use cases around the user plane (UPF, DN): 5MBS, ProSe, MEC, TV, satellite networks.]
- Physical security: IoT devices may be physically vulnerable to attacks such as tampering or theft.
- Lifecycle management: IoT devices may have a long lifecycle and may be difficult to update or replace, making it challenging to maintain their security over time.
- Heterogeneity: IoT systems consist of a variety of different devices and platforms that have different security requirements and capabilities.
- Scalability: IoT systems are designed to be scalable, which means that security measures must be able to adapt and scale along with the system.
- Connectivity: IoT devices are connected to the internet and other networks, making them vulnerable to cyber attacks.
- Complexity: IoT systems are complex and often have multiple layers of hardware and software components, making it difficult to secure all aspects.
- Data privacy: IoT devices collect and transmit sensitive data, such as personal and financial information, which must be protected from unauthorized access.
IoT Security Incidents
- Hackers demonstrated that they could take control of a Jeep Cherokee remotely through its internet-connected entertainment system.
- WannaCry ransomware infected thousands of computers worldwide, including some IoT devices, encrypting their files and demanding ransom payments.
- Several U.S. government agencies were hacked via a software update from SolarWinds; hackers can exploit a vulnerability in the software supply chain.
[Timeline markers on the slide: 2010, 2016, 2017.9, 2021]
➢ The hardware should have the security capability to resist hardware removal, and the terminal should have the capability to raise a warning if it detects that it is being illegally removed. There should also be a connection timeout check mechanism and an automatic interface locking mechanism. Because of the large number of terminals, most of them are unattended, and exposed hardware interfaces are easy for attackers to exploit directly.
➢ The terminal should have two-way access authentication and an identification mechanism for the console. The terminal should be able to identify the identity of the person giving the command (e.g., black and white lists), and the access system should be able to terminate the current session with the perception-layer access entity when the identification response exceeds the specified time limit.
➢ …
Threats at the Network Layer
The network layer is responsible for transmitting data from the sensing layer to the application layer, mainly for data routing and data analysis.
- Man-in-the-middle (MITM) attacks: the attacker intercepts the communication between two devices and can eavesdrop on, modify, or inject malicious data into the conversation.
- Eavesdropping attacks: this type of passive attack allows an intruder to listen in on private communications over a communications link and extract useful information.
IoT Network Layer Security
⚫ Secure routing
➢ A cloud storage system has a stronger data security approach than traditional storage methods. Cloud storage data is distributed: only very small blocks of data are stored on each storage device, and stealing data from a particular device does not yield the complete video data.
➢ The clustered and distributed nature of the cloud storage system guarantees that no data will be lost due to instability of a device.
➢ …
⚫ High-speed transmission network security
➢ Among the technical means, the security of personal information can be increased through authentication technology, authorization technology, etc., which also makes it more difficult for criminals to eavesdrop on information.
➢ Among the management means, the approach of managing network equipment data information should be adopted, and information protection codes should be added to the system program to improve the security index of the system.
➢ …