!"#$%&'()* +,--./012 3456378191,":1;78<=74>,?>17@./7AB12C;?D= .E./FEGFEH IJ7KLM=CNC/G

!"#$ • ౬ଜ ཌྷ (@yumu19) • ๺ւಓ৘ใେֶ ৘ใϝσΟΞֶ෦ ৘ใϝσΟΞֶՊ ।ڭत (2021/04ʙ) • ࠃཱݚڀ։ൃ๏ਓ৘ใ௨৴ݚڀػߏ(NICT) ڠྗݚڀһ (݉຿) • ઐ໳͸৘ใՊֶ • ϢϏΩλείϯϐϡʔςΟϯά • ώϡʔϚϯίϯϐϡʔλΠϯλϥΫγϣϯ • ωοτϫʔΫ • ࡳຈग़਎ (ࠓ೥15೥ͿΓʹ๺ւಓʹ໭͖ͬͯ·ͨ͠) 2 Ϟϊͮ͘Γܥ ϙουΩϟετ ඼ϞϊϥδΦ Ӊ஦σʔλΛ࢖ͬͨ ϋοΧιϯ NASA SpaceApps ΋ͷͮ͘ΓలࣔΠϕϯτ NTࡳຈ

%&'()*+,-./0'(123456789:;<=>?@ABCDEFGH93IJK8 • 2015-16 αΠόʔ߈ܸରࡦ૯߹ݚڀηϯλʔ αΠόʔ߈ܸݕূݚڀࣨ ٕज़һ • 2016-21 ૯߹ςετϕουݚڀ։ൃਪਐηϯλʔɹɹɹɹɹɹɹɹɹɹɹɹ ςετϕουݚڀ։ൃӡ༻ࣨ ݚڀһ • NICTͷηϯλʔ(ࣄۀॴ)ͷͻͱͭ (ৄࡉ͸blogࢀর) • ੴ઒ݝೳඒࢢʹ͋Δੈք࠷େن໛ͷωοτϫʔΫςετϕου • ࢪઃ಺ʹ໿1000୆ͷ෺ཧϊʔυ + ίϯςφܕσʔληϯλʔ͕Քಇ • ػߏ಺֎ͷݚڀऀɾ։ൃऀʹ࣮ݧ؀ڥΛఏڙ (Hardeningʹ΋ʂ) 3

@LAMNOPQRST-.UV • ෱ౢ, ౬ଜΒ, Bluetooth Low Energyͷ൓ࣹి೾Λ༻͍ͨɹ Ոఉ಺Ͱͷੜମ৘ใऔಘ (2020) • Bluetooth Low Energyͷ൓ࣹి೾Λܭଌͯ͠ݺٵ਺Λܭଌ 4

@WXYZZ[\@WX]=ZZ=^_`abHGc'()* • ଟ਺ͷBLEػثʹΑΔૹड৴Λιϑτ΢ΣΞతʹ࠶ݱ • ༗ઢωοτϫʔΫ(Πʔαωοτ)্ͰBLEϑϨʔϜΛૹड৴ 5

dXef][=]g7hij[e • PC΍εϚϗͷนࢴ͸ΧελϚΠζͰ͖Δ • ΩʔϘʔυ͸(ιϑτ΢ΣΞతʹ)ΧελϚΠζͰ͖ͳ͍ʂ • ө૾ΤϑΣΫτΛΩʔԡԼ࣌ʹ෇༩͠ɺλΠϐϯάମݧΛ֦ு 6

klmnopqrs • ৸ͯΔ͕࣌ؒ΋͍ͬͨͳ͍ → ༗ޮ׆༻ → ৸ͯΔؒʹήʔϜ • ίϯτϩʔϥͱͯ͠γϦίϯΩʔϘʔυΛϕουʹෑ͘ • ΩʔԡԼͰମͷҐஔΛݕ஌ • ৸ฦΓʹ߹Θͤͯόʔ͕Ҡಈ • ͜ΕΛ৸ͯΔؒʹϓϨΠ 7

6tuv • Webαʔόʹରͯ͠೚ҙͷIPΞυϨε͔ΒͷΞΫηεΛੜ੒ • IPΞυϨε·ͰؚΊͨWebαʔϏεͷςετ͕Մೳ (IP Geolocation౳) • OpenFlow (Ryu) Λ࢖༻ 8 ౬ଜΒ, CROW: OpenFlowΛ༻͍ͨಈతWebΞΫηε໛฿γεςϜ (2016)

4567At9w9BdABdLx<9w945tyd4d9w96xtA93z{|}~•€•‚ƒ„8 9 NICTER • μʔΫωοτ΁ͷΞΫηεݩՄࢹԽ • ىಈͷߴ͞͸ϙʔτ൪߸ • ৭͸L4σʔλάϥϜछ(TCP SYN,TCP ACK, UDP౳) NIRVANA • ΞϓϥΠΞϯεͷΞϥʔτ౳ͷू໿ɾՄࢹԽ DAEDALUS • ରαΠόʔ߈ܸΞϥʔτγεςϜ • μʔΫωοτ΁ͷΞΫηεݩՄࢹԽ • DDoS͕Θ͔Γ΍͍͢ CURE • ηΩϡϦςΟؔ࿈৘ใΛू໿͢ΔηΩϡϦςΟ৘ใ༥߹ج൫

<]…†>…‡ˆ‰Š93z{|}~•€•‚ƒ„8 • NICT͕ओ࠵͢ΔηΩϡϦςΟਓࡐҭ੒ϓϩάϥϜ • ೥1ճืूɺ25ࡀҎԼɺࢀՃඅແྉɺֶੜ͸ަ௨අશֹิॿ 10

]‹…XŒ] • ޡղΛආ͚ΔͨΊɺෆ࣮֬ͳ͜ͱʹ͸ͳΔ΂͘ݴٴ͠ͳ͍Α͏ʹ͠·͢ • ࿩୊ఏڙͱͯ͠ฉ͍͍ͯͩ͘͞ʢڵຯΛ࣋ͬͨΒ֤ࣗͰௐ΂ͯΈ͍ͯͩ͘͞ʣ 11

•Žc•• • εϚʔτεϐʔΧʔͷηΩϡϦςΟϦεΫ • ωοτϫʔΫΧϝϥͷηΩϡϦςΟϦεΫ • ਓؒߦಈೝٕࣝज़ʹΑΔηΩϡϦςΟϦεΫ • IoTػثΛλʔήοτͱͨ͠Ϛϧ΢ΣΞ • IoTγεςϜͷηϯαϊʔυͱήʔτ΢ΣΠͷηΩϡϦςΟϦεΫ 12

5Z7‘{ • Internet of ThingsɿϞϊͷΠϯλʔωοτɿʮϞϊʯͱ͸ʁ • PCɾεϚϗ͕Πϯλʔωοτʹܨ͕Δ → ී௨ • র໌ɺ࿹࣌ܭɺମॏܭ͕Πϯλʔωοτʹܨ͕Δ → ͍͢͝ʂ(ʁ) • ͬ͘͟Γ͍͏ͱɺPCͱεϚϗҎ֎ͰωοτϫʔΫʹܨ͕Δػثʢͬ͘͟Γౖ͗ͯ͢ΒΕΔ΍ͭʣ • ΢ΣΞϥϒϧσόΠεɺϔϧεέΞɺεϚʔτϗʔϜ / ϗʔϜΦʔτϝʔγϣϯɺεϚʔτγ ςΟɺ޻৔ɺ೶৔ etc. • όζϫʔυͳͷͰɺ࢖͏ਓʹΑͬͯҙຯ͕ҟͳΔ • ʮ͏Μ͏ΜɺͦΕ΋·ͨIoTͩͶʯ • ͳΜͰ΋ηϯγϯά (σʔλऩू) Ͱ͖ΔΑ͏ʹͳΔ • ίϯϐϡʔλͷখܕԽɾ௿Ձ֨Խ • ηϯαͷ௿Ձ֨Խ • ωοτϫʔΫͷ௿Ձ֨Խɾ௿ফඅిྗԽ (LPWA) 13

•Ž’•“”•5Z7– 14 εϚʔτεϐʔΧʔ https://www.amazon.co.jp/ εϚʔτϩοΫ https://akerun.com/ ωοτϫʔΫΧϝϥ https://www.keian.co.jp/products/c7823wip/

—˜H™—šH›H • ΦϯϥΠϯߨԋͱ͔Ͱݴͬͯ͸͍͚ͳ͍ϫʔυʮAlexaʯʮOK, GoogleʯʮHey, Siriʯetc… (wakeup word) 15 Amazon Echo https://www.amazon.co.jp/

—˜H™—šH›HcEœa•žŸ•—q3 8 • υʔϧϋ΢εࣄ݅ (US, 2015) • ʮࢠڙ͕EchoΛ࢖ͬͯυʔϧϋ΢εΛ஫จͯ͠͠·ͬͨʯͱ͍͏ χϡʔε͕TV์ૹ͞Εͨ • Ωϟελʔ͕ϫʔυΛಡΈ্͛ͨͨΊɺTVࢹௌऀͷՈఉͷAmazon Echo͕൓Ԡͯ͠ಉ࣌ʹେྔʹυʔϧϋ΢εΛൃ஫ • όʔΨʔΩϯάCM (US, 2017) • TVCMͷ࠷ޙʹʮOK, Google. What is whopper?ʯͱ͍͏ηϦϑ • ֤ՈఉͷGoogle Home͕આ໌͠͸͡ΊΔ • → (Wikipediaͷ಺༰ΛಡΈ্͍͛ͯΔͨΊ) WikipediaͷߥΒ͕͠ൃੜ • → Google HomeͷΞοϓσʔτͰ൓Ԡ͠ͳ͍Α͏मਖ਼ 16

—˜H™—šH›HcEœa•žŸ•—q3¡8 • Webձٞ΍ಈը഑৴ͷίϝϯτಡΈ্͛Ͱʮࢲͷॅॴ͸ʁʯ 17 https://twitter.com/depolarization1/status/1342651891931435009 άʔάϧͷԻ੠Ξγελϯτ͕࿥Իͨ͠ձ࿩͸ɺ୭ʹͲ͜·Ͱʮฉ͔Εͯʯ͍Δͷ͔ʁ | WIRED.jp https://wired.jp/2019/07/17/whos-listening-talk-google-assistant/ • ࿥Ի͞Ε͍ͯΔʁ

—˜H™—šH›HcEœa•žŸ•—q3ˆ8 • 伴(εϚʔτϑΥϯ/εϚʔτ΢Υον)Λ࣋ͨͣʹ֎ग़ • εϚʔτϩοΫͷࣗಈࢪৣͰకΊग़͠ • ֎͔ΒΠϯλʔϗϯͱ୐಺εϚʔτεϐʔΧܦ༝Ͱղৣ • ੬ऑੑʹͳΓಘΔ • ʢ௕ԡ͢͠Δͱ࿩ͤΔΠϯλʔϗϯ͕͋Δʁʣ 18 εϚʔτϩοΫ͕ղআͰ͖ͣ਱ʹకΊͩ͠ʹ͋ͬͯ͠·ͬͨ࿩ - έʔλΠ Watch https://k-tai.watch.impress.co.jp/docs/column/minna/1340971.html

dg¢]?Œ>?j>W9A‹>fiW]Œ • Adversarial (ఢରత) ɹExamples (ྫ) • ਓ͕ؒݟΕ͹Ұ໨ྎવͳը૾Ͱ΋ػցֶशͷ෼ྨΛڰΘͤΔ͜ͱ͕Ͱ͖Δ • ػցֶशͰ͸ʮಛ௃ྔʯΛ൑ผʹར༻͍ͯ͠Δ 19 Goodfellow et al., Explaining and Harnessing Adversarial Examples (2015) ςφΨβϧ

—˜H™—šH›HcEœa•žŸ•—q3£8 • Audio Adversarial Examples • ਓؒʹόϨͳ͍Α͏ʹεϚʔτεϐʔΧ΁໋ྩͰ͖ͪΌ͏ 20 Carlini and Wagner, Audio Adversarial Examples: Targeted Attacks on Speech-to-Text (2017) • σϞ • 1ճ໨ɿΦϦδφϧ (ԻָͷΈ) • 2ճ໨ɿ“speech can be embedded in music” ͱ͍͏Ի੠͕ຒΊࠐ·Ε͍ͯΔ

,¤¥¦§¨ 21 ڑ཭ηϯα ಈըɾը૾ ߦಈೝࣝ RUNNING WALKING SITTING STANDING JUMPING σʔλ εϚʔτϑΥϯ ʢՃ଎౓ɾ܏͖ɾ஍࣓ؾ౳ʣ ΢ΣΞϥϒϧσόΠε ʢՃ଎౓ɾ຺೾౳ʣ • ਓؒߦಈೝࣝ (Human Activity Recognition: HAR) • ϔϧεέΞɺεϙʔπɺεϚʔτϗʔϜͳͲ • ΢ΣΞϥϒϧηϯαɺεϚʔτϑΥϯɺಈը૾ɺ؀ڥηϯαʢڑ཭ηϯ αɺαʔϞάϥϑΟʣͳͲͷσʔλ͕༻͍ΒΕΔ • ਓؒߦಈೝٕࣝज़ͷଟ͘ʹػցֶश͕༻͍ΒΕΔ • αϙʔτϕΫλʔϚγϯ • ϥϯμϜϑΥϨετ • Deep Learning (CNN౳)

¥¦§¨9©9

¥¦§¨9©9ª«M¬-®G•F¯°±”¥¦²³ • ߴྛΒ, ਍அπʔϧΛ༻͍ͨεϚʔτλοϓͷফඅిྗ৘ใʹΑΔਓͷ ߦಈਪఆਫ਼౓ͷ࣮ূධՁ (2018) • εϚʔτλοϓͰऔಘͨ͠ফඅిྗྔ͔Βʮىচɺ֎ग़ɺؼ୐ɺब৸ʯ Λਪఆ 23

¥¦§¨9©9™´bp™µH¶Hc·Um¸¹Pº¨» • ૔ڮΒ, τΠϨοτϖʔύͷճసʹجͮ͘τΠϨ࢖༻ऀࣝผख๏ (2017) • τΠϨοτϖʔύʔͷਊʹ֯଎౓ηϯαΛઃஔ͠ɺ5ͭͷಛ௃ྔ(࢖༻ ྔɺ࣌ؒɺ଎౓ͷ࠷େ஋ɺ଎౓ͷฏۉ஋ɺ଎౓ͷ෼ࢄ)͔Β࢖༻ऀΛਪఆ 24 http://cse.eedept.kobe-u.ac.jp/portfolio/tp_identi fi cation/

¥¦§¨‘¼HG‘½¾´¿ÀH • “ͳΜͰ΋σʔλऩूͰ͖ΔΑ͏ʹͳΔ” IoTͱߦಈೝࣝ͸૬ੑ͕ྑ͍ • Ұํɾɾɾ • ࿙Εͯ΋໰୊ͳ͍ͱࢥͬͨσʔλ͔Βɺ༧ظ͠ͳ͍৘ใ(ߦಈσʔλͳ Ͳ)͕࿙ΕΔՄೳੑ΋͋Δ • σʔλͷѻ͍͸ɺ͜Ε·ͰҎ্ʹϓϥΠόγʔʹ഑ྀ͢Δඞཁ͕͋Δ 25

5Z7‘q¾ÁÂÃÄ • Ոి͕࢖͑ͳ͍ɺݐ෺ʹೖΕͳ͍ etc. • Amazon EC2ͷSLA: 99.99% • SLA(Service Level Agreement): ߹ҙՔಇ཰ (͜ΕΛԼճΔͱฦۚ) • ೥ؒ 52.56 ෼·Ͱࢭ·Δ (΋ͪΖΜ࣮ࡍ͸΋ͬͱ௿͍) 26 Ϋϥ΢υো֐ͰՈిૢ࡞Ͱ͖ͣɹεϚʔτϗʔϜʹམͱ݀͠ | ೔ܦΫϩεςοΫʢxTECHʣ https://xtech.nikkei.com/atcl/nxt/mag/nc/18/092400133/031100045/

Åp™ÆHq›Ç¾ • Πϯλʔωοτӽ͠ʹө૾ΛݟΔ͜ͱ͕Ͱ͖ΔΧϝϥ • ๷൜Χϝϥɺࣗ୐ϖοτ؂ࢹ etc. • ੬ऑͳύεϫʔυ΍όοΫυΞʹΑΔෆਖ਼ΞΫηεͷϦεΫ΋ 27 தࠃ੡ωοτϫʔΫΧϝϥʹ؅ཧऀݖݶΛୣऔͰ͖ΔόοΫυΞͷଘࡏ͕ใࠂ͞ΕΔ - GIGAZINE https://gigazine.net/news/20200207-xiongmai-backdoor/

<†uBd4 • Πϯλʔωοτ઀ଓػثͷݕࡧαΠτ 28

j[Œ]…>f • ύεϫʔυઃఆ͍ͯ͠ͳ͍ωοτϫʔΫΧϝϥͷө૾ΛूΊͨWebαΠτ΋͋Δ 29 ๷൜Χϝϥө૾Λͷ͖ͧݟͰ͖ͯ͠·͏ʮinsecamʯϨϏϡʔɺ ೔ຊͷ๷൜Χϝϥ΋1000୆Ҏ্ϦΞϧλΠϜͰ౪ΈݟՄೳ - GIGAZINE https://gigazine.net/news/20200718-insecam/

5Z71ÈOGHÉp™‘sR˜ÊÁËÌ • Mirai (2016) • ωοτϫʔΫΧϝϥɺՈఉ༻ϧʔλ౳ͷLinuxػثΛλʔήοτ • ײછػث͕ϘοτωοτΛߏங͠DDoS߈ܸ • IoTػث͸ύεϫʔυ͕੬ऑ (ॳظύεϫʔυ) ͳ͜ͱ΋ଟ͍ 30 ҆৺૬ஊ૭ޱͩΑΓɿIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐػߏ https://www.ipa.go.jp/security/anshin/mgdayori20161125.html

4u756A • Πϯλʔωοτ઀ଓػثͷ੬ऑੑௐࠪ • ૯຿লɺࠃཱݚڀ։ൃ๏ਓ৘ใ௨৴ݚڀػߏ͕࣮ࢪ 31 NOTICEʛαΠόʔ߈ܸʹѱ༻͞ΕΔ͓ͦΕͷ͋ΔIoTػثͷௐࠪɺ஫ҙשىΛߦ͏ϓϩδΣΫτ https://notice.go.jp/

ÍÎ\%&'()*+,-./0'(12+ • ࠃཱݚڀ։ൃ๏ਓ͸ɺͦͷ໨త΍ۀ຿಺༰ɺۀ຿ൣғ౳͕๏཯ͰఆΊΒΕ͍ͯΔ • ۀ຿಺༰͕௥Ճ͞ΕΔ৔߹ʹ͸๏վਖ਼͕ඞཁ 32

Ï®HÐp™93ÑÒÓOÔ“€•ÕÖºcצOØÙ8 33 ٶ࡚ ॣ, ࣗಈंϋχʔϙοτ (Valpot) ͷߏ੒ͱ࣮ݧ http://www.gentei.org/~hayao/material/ 20190309_honeypot_tech_event.pdf IoTϋχʔϙοτ X-Pot ࣗಈंϋχʔϙοτ Valpot ٢Ԭ ࠀ੒, ߈ܸ؍ଌݚڀͷ৽ͨͳεςʔδ ʙαΠόʔੈքͷ”PCRݕࠪ”ͷ࣮ݱʹ޲͚ͯʙ https://www.jssec.org/dl/ 20210609_sf21_yoshioka.pdf

d9

<]…X?j=h95ŒŒX]Œ9>=9<][Œj[e9L>h]? • Node Capturing: ηϯαϊʔυΛΩϟϓνϟ / ஔ͖׵͑ • Malicious Code Injection Attack: ѱҙͷ͋Δ ίʔυ஫ೖ • False Data Injection Attack: ِͷσʔλ஫ೖ • Side-Channel Attacks (SCA): ࿙Εग़Δσʔ λ (ి࣓์ࣹɺফඅిྗ౳) Λ࢖ͬͨ৘ใऔಘ • Eavesdropping and Interference: ౪ௌͱׯব • Sleep Deprivation Attacks (ਭ຾ෆ଍߈ܸ): IoT୺຤ػثͷόοςϦʔΛফ໣ͤ͞Δ • Booting Attacks (ىಈ߈ܸ): ىಈϓϩηε࣮ ߦதͷ੬ऑੑΛૂ͏ 35 Hassija et al., A Survey on IoT Security: Application Areas, Security Threats, and Solution Architectures (2019)

<]…X?j=h95ŒŒX]Œ9>=9Ú>=]Û>hŒ • ຤୺ͷηϯαϊʔυ͕༻͍Δ௨৴ϓϩτίϧ͸༷ʑ • LoraWan, ZigBee, Z-Wave etc. • Ϋϥ΢υαʔό΁ͷ઀ଓ͸ήʔτ΢ΣΠΛհ͢ • End-to-End Encryption: ήʔτ΢ΣΠͰ෮߸Խ͢Δ(E2EͰ͸ͳ͍)ͱϦεΫߴ • Extra Interfaces: ߈ܸର৅ྖҬͱͳΔͷͰ࠷খݶʹͱͲΊΔ΂͖ • Firmware updates: ήʔτ΢ΣΠ͸IoTσόΠεͷϑΝʔϜ΢ΣΞΞοϓσʔ τ΋୲͏ࣄ͕ଟ͍ 36

5Z7‘Eœa•žŸ9©9‚‘Ü 37 while(true ) printf “Hello ” end • ର৅͕෺ཧۭؒʹ޿͕Δ • ਓମͷ҆શ͕ڴ͔͞ΕΔՄೳੑ ίϯϐϡʔληΩϡϦςΟ • ର৅͸৘ใ • ݸਓ৘ใ΍ࢿ࢈͕ڴ͔͞ΕΔՄೳੑ IoTηΩϡϦςΟ • ʮηΩϡϦςΟʯ͸૯߹֨ಆٕ (༷ʑͳ෼໺ͷ஌͕ࣝབྷΉ) • ʮIoTʯ͸૯߹֨ಆٕ • ʮIoTͷηΩϡϦςΟʯ͸ʮ૯߹֨ಆٕͷ૯߹֨ಆٕʯ

t]Ý]?][…]Œ

5Z7Eœa•žŸc޴¾´Fß 39 IoTͷηΩϡϦςΟɿIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐػߏ https://www.ipa.go.jp/security/iot/index.html

àác——Ç 40 #෼ղͷεεϝ ࿥ըΞʔΧΠϒ – Medium https://medium.com/bunkai

jZ=9Œ]…X?j=h 41 iot security https://www.trendmicro.com/jp/iot-security/

Eœa•žŸcÌb93âZg…>Œ=98 42 podcast - #ηΩϡϦςΟͷΞϨ - ΏΔʔ͍ηΩϡϦςΟͷϙουΩϟετͰ͢Αɻ https://www.tsujileaks.com/

—˜H™—šH›Hãäå‘æçè 43 Ḻ୩ ༏໻, εϚʔτεϐʔΧʔ࢓૊Έͱةݥੑ https://www.eng.okayama-u.ac.jp/oict/wp-content/uploads/2020/01/doc44-4.pdf

éê 44 ळా७Ұ, ༲͛ͯᖰͬͯΘ͔Δ ίϯϐϡʔλͷ͘͠Έ (2020) ΞϯυϦϡʔ“όχʔ”ϑΝϯ, ϋʔυ΢ΣΞϋοΧʔ (2018)

éê 45 ࠇྛޝ, ଜౡ ਖ਼ߒ, ϋοΧʔͷֶߍ IoTϋοΩϯάͷڭՊॻ (2018) ্দ྄հ, ϋοΧʔͷٕज़ॻ IoTιϑτ΢ΣΞແઢͷڭՊॻ (2020) ീࢠ஌ྱ, ਿࢁ߃࢘, ஛೭Լߤ༸, দӜ ਅٷ, ౔ຊ׮ࢠ, IoTͷجຊɾ࢓૊Έɾ ॏཁࣄ߲͕શ෦Θ͔ΔڭՊॻ (2017)