Monday, 4 September

Asymmetric cryptography has long been considered infeasible for resource-constrained devices. However, since the new IoT devices are equipped with sufficient RAM, flash, a standard 32-bit CPU and crypto hardware it is possible to bring internet-grade security to IoT. This talk will present PKI building blocks for resource-constrained IoT devices and highlight current standardization efforts around this. However, availability of security protocols is not enough, it is also important that IoT manufacture must enable and continuously test state-of-the-art security solutions, which is covered by the new EU Cybersecurity Act though cybersecurity certification. Traditional methods for one-off and manual certification are not scalable to millions of heterogeneous IoT devices. This is particularly important when regular software updates are necessary, which may break the certificate seal. It is therefore necessary that automated, lightweight, and cost-effective initial- and re- certification techniques should be available for modern IoT devices. This talk will also present such an automated re-certification solution for IoT and its integration with state-of-the-art standardized security solutions for IoT devices.

Tuesday, 5 September

With the rise of devices connected to the internet, increasing the robustness of security frameworks for IoT is an urgent demand. In this sense, SIMs are ubiquitous technologies used for over 30 years for security processes (e.g subscriber identification and authentication in cellular networks). Extending the security features of those well-accepted secure elements for IoT seems like a natural step. Furthermore, the programmatic control of network functions according to security knowledge and needs is quite promising – these functions are positioned between the devices and the internet and have ability to control communications. This keynote will focus on these 2 aspects: the use of eSIM and of Programmable Networks for IoT cybersecurity.

Alongside traditional Information and Communication Technologies, more recent ones like Smartphones and IoT devices also became pervasive. Furthermore, all technologies manage an increasing amount of confidential data. The concern of protecting these data is not only related to an adversary gaining physical or remote control of a victim device through traditional attacks, but also to what extent an adversary without the above capabilities can infer or steal information through side and covert channels! In this talk, we survey a corpus of representative research results published in the domain of side and covert channels, ranging from TIFS 2016 to more recent Usenix Security 2022, and including several demonstrations at Black Hat Hacking Conferences. We discuss threats coming from contextual information and to which extent it is feasible to infer very specific information. In particular, we discuss attacks like inferring actions that a user is doing on mobile apps, by eavesdropping their encrypted network traffic, identifying the presence of a specific user within a network through analysis of energy consumption, or inferring information (also key one like passwords and PINs) through timing, acoustic, or video information.

This tutorial provides an overview of cybersecurity features in Contiki-NG, an open-source operating system for resource-constrained IoT devices. The tutorial contains both presentations and hands-on exercises covering two main topics: secure connectivity and trusted execution environments. First, we will show the participants how to set up an application with secure connectivity using CoAP and DTLS. Second, we will show how to use Arm TrustZone in Contiki-NG. During the exercises, the participants will get the opportunity to work with both the Cooja simulator and a real IoT platform (Nordic Semiconductor nRF5340), and use a Docker-based development environment. Through this tutorial, participants will gain practical experience of using Contiki-NG’s cybersecurity features in a resource-constrained IoT environment.

Wednesday, 6 September

IoT apps empower users by connecting a variety of otherwise unconnected services. IoT apps often run on Trigger-Action Platforms (TAPs) that receive app input from trigger services and send app output to action services. With the convenience and interoperability of TAPs comes the concern that the TAP is effectively a “person-in-the-middle”, acting on behalf of the user with respect to trigger and action services. This poses security and privacy challenges since in the event of a compromised TAP, the users’ sensitive input data is also compromised. We demonstrate that popular TAPs are susceptible to several classes of attacks that violate user privacy, integrity, and availability. We suggest countermeasures, discuss the formal guarantees they provide, and evaluate their effectiveness on practical benchmarks. Finally, we discuss how data access minimization can be enforced automatically on TAPs so that excessive amounts of sensitive data is not sent to the TAPs in the first place.

“Don’t roll your own crypto” is a widely quoted mantra in the software industry, and for most purposes best practice is to use well established open-source libraries instead. In the silicon (integrated circuits) industry, however, open source is much less prevalent, even though it has many benefits especially for security technology: it enables transparency and auditability by independent parties, and it makes canonical, scrutinized implementations of key components a commodity. In this talk, we discuss challenges with open source and security that are unique to silicon and present four key security components that are available as open-source silicon today: a block cipher (AES) accelerator, a message authentication code / hashing (Keccak/SHA3) accelerator, a RISC-V CPU core, and a root of trust (RoT) combining the former three.

This session will provide an introduction to the world of hacking. You will get familiar with some of the techniques and approaches used in real hacking scenarios and get experience trying to break the security of computer software. We will begin with an introduction on some of the central concepts and techniques within the field and then move on to a practical exercise where you will get the opportunity to try your skills and knowledge to solve a number of hacking challenges. Working as a team you will get to participate in a small scale Capture the Flag (CTF) competition where the goal is to identify and exploit a number of software vulnerabilities in order to find hidden messages (flags). Our goal is to open your eyes to the practical side of cybersecurity and give you a better understanding of how hacking works in practice.

Social Dinner

@ TRE VALV – Järntorget 83, 111 29 Stockholm

Thursday, 7 September

Integrating cryptographic algorithms in IoT systems and other constrained environments is often difficult due to limited resources and additional security challenges. Driven by this demand, NIST has initiated a lightweight cryptography competition between 2019 and 2023. Among 57 submissions, Ascon has been selected as the new standard for authenticated encryption and hashing. In this talk, we show how Ascon was designed to address the specific challenges in the IoT, including security, performance, and footprint. Since ciphers are not used in an ideal world, we show how Ascon also improves robustness against certain implementation attacks and mistakes.

IoT and edge devices are prone to easy software manipulation due to their physical distribution and low-cost, which often implies low security standards. Trusted computing techniques may help to demonstrate the software integrity of a node, as well as its real identity. This talk will introduce concepts about hardware root-of-trust, trusted execution, remote attestation, and device identity, showing how they can cooperate to provide better security in nodes with limited computational resources, such as IoT and edge devices. Finally, the implementation of this approach foreseen by the SPIRS project will be described.

Imagining a new Internet architecture enables us to explore new networking concepts without the constraints imposed by the current infrastructure. What are the benefits of a multi-path inter-domain routing protocol that finds dozens of paths? What about a data plane without inter-domain forwarding tables on border routers? What secure systems can we build if a router can derive a symmetric key for any host on the Internet within nanoseconds? In this presentation, we invite you to join us on our 13-year long expedition of creating the SCION next-generation secure Internet architecture. SCION has already been deployed at several ISPs and domains, and has been in production use since 2017. On our journey, we have found that path-aware networking and multipath communication not only provide security benefits, but also enable higher efficiency for communication, increase network capacity, and can even provide opportunities for reducing the carbon footprint of communication.

This seminar overviews recent research and standardization activities on lightweight solutions for end-to-end secure (group) communication, as especially suitable for the Internet of Things (IoT). First, we will introduce the IETF standards CoAP and OSCORE as main building blocks for message exchange and end-to-end security. Then, we will consider methods for establishing and updating keying material for OSCORE. After that, we will focus on the adaptation of OSCORE to support secure group communication in CoAP groups. This will cover message protection with the Group OSCORE security protocol; the secure provisioning of group keying material leveraging the ACE framework for access control; as well as advanced communication models and supportive management services for secure group communication. The presented topics will be positioned in the remit of the related standardization activities within the Internet Engineering Task Force (IETF).

Friday, 8 September

Within the “Internet of Things” paradigm connected devices are covering more and more aspects of personal activities, business processes and public life, e.g. in household assistance, smart manufacturing (Industry 4.0) and traffic. Often safety critical processes like controlling vehicles and critical infrastructures are involved and very sensitive data are being processed. These developments ask for attention to security and privacy aspects, which often are not understood by all players. This talk will discuss some examples of the Internet of Things and the respective security and privacy issues. Where appropriate it will give hints to technical, organisational, regulatory or strategic trends and solution approaches and/or the lack thereof.

Socio-Technical Modeling of IoT Security Eco-Systems

Stewart Kowalski, Norwegian University of Science and Technology