
IoTとセキュリティ #ldd21sec / IoT and Security

yumulab
September 04, 2021


Slides for a talk given at LOCAL Developer Day Online '21 / Security, held on Saturday, September 4, 2021.
https://local.connpass.com/event/219312/


Transcript

  1. Tsubasa Yumura (湯村 翼, @yumu19) (p. 2)
     • Associate Professor, Department of Information Media, Faculty of Information Media, Hokkaido Information University (since April 2021)
     • Cooperative Researcher (concurrent post), National Institute of Information and Communications Technology (NICT)
     • Specialty: information science
       • Ubiquitous computing
       • Human-computer interaction
       • Networks
     • From Sapporo (came back to Hokkaido this year, for the first time in 15 years)
     Also on the slide: a maker podcast, 品モノラジオ; a hackathon built around space data, NASA SpaceApps; a maker exhibition event, NT札幌.
  2. (p. 3)
     • 2015-16: Technical staff, Cyber Attack Verification Laboratory, Cybersecurity Research Center (サイバー攻撃対策総合研究センター)
     • 2016-21: Researcher, Testbed Research and Development Operation Office, Integrated Testbed Research and Development Promotion Center (総合テストベッド研究開発推進センター)
     • One of NICT's centers (sites) (see my blog for details)
     • The world's largest network testbed, located in Nomi City, Ishikawa Prefecture
     • About 1,000 physical nodes plus a container-type data center in operation on site
     • Provides an experimental environment to researchers and developers inside and outside NICT (including for Hardening!)
  3. (p. 7)
     • Time spent asleep feels wasted → put it to use → play a game while sleeping
     • A silicon keyboard laid on the bed serves as the controller
     • Key presses detect where the body is
     • The bar moves as you roll over in your sleep
     • Play this while asleep
  4. NICTER / DAEDALUS / NIRVANA / CURE
     NICTER
     • Visualizes the sources of traffic reaching the darknet
     • The height of each trajectory is the port number
     • Color is the L4 datagram type (TCP SYN, TCP ACK, UDP, etc.)
     NIRVANA
     • Aggregates and visualizes alerts from security appliances and similar sources
     DAEDALUS
     • Alert system against cyberattacks
     • Visualizes the sources of traffic reaching the darknet
     • Makes DDoS easy to see
     CURE
     • A security-information fusion platform that aggregates security-related information
  5. What is IoT? (p. 13)
     • Internet of Things: the internet of "things". What is a "thing"?
     • A PC or smartphone connecting to the internet → normal
     • A light, a wristwatch or a bathroom scale connecting to the internet → amazing! (?)
     • Roughly: devices other than PCs and smartphones that connect to a network (rough enough to get scolded for)
     • Wearable devices, healthcare, smart home / home automation, smart cities, factories, farms, etc.
     • It is a buzzword, so its meaning differs with who uses it
     • "Yes, yes, that's IoT too"
     • Anything can now be sensed (data collected)
       • Computers have become smaller and cheaper
       • Sensors have become cheaper
       • Networks have become cheaper and lower power (LPWA)
  6. Security risks of smart speakers (1) (p. 16)
     • The dollhouse incident (US, 2015)
       • A TV news segment reported that "a child ordered a dollhouse through Echo"
       • Because the anchor read the words aloud, Amazon Echo devices in viewers' homes reacted and placed dollhouse orders en masse at the same time
     • The Burger King commercial (US, 2017)
       • The TV commercial ended with the line "OK, Google. What is whopper?"
       • Google Home devices in each household started reading out an explanation
       • → since it read from Wikipedia, the Wikipedia article got vandalized
       • → fixed by a Google Home update so that it no longer responds
  7. Security risks of smart speakers (2) (p. 18)
     • Went out without the key (smartphone / smartwatch)
     • The smart lock's auto-lock shut them out
     • Unlocked from outside by way of the intercom and the smart speaker inside the house
     • This can become a vulnerability
     • (Are there intercoms that let you talk after a long press?)
     Story of being locked out after a smart lock could not be released (ケータイ Watch): https://k-tai.watch.impress.co.jp/docs/column/minna/1340971.html
  8. Security risks of smart speakers (3) (p. 20)
     • Audio Adversarial Examples
     • Commands can be issued to a smart speaker without a human noticing
     • Carlini and Wagner, Audio Adversarial Examples: Targeted Attacks on Speech-to-Text (2017)
     • Demo
       • First playback: the original (music only)
       • Second playback: the speech "speech can be embedded in music" is embedded in the music
  9. Human activity recognition (p. 21)
     [Figure: data sources (smartphone: acceleration, tilt, geomagnetism, etc.; wearable device: acceleration, pulse wave, etc.; distance sensor; video and images) → activity recognition: RUNNING, WALKING, SITTING, STANDING, JUMPING]
     • Human Activity Recognition (HAR)
     • Used in healthcare, sports, smart homes and so on
     • Input data come from wearable sensors, smartphones, video and images, and environmental sensors (distance sensors, thermography), among others
     • Much of HAR relies on machine learning
       • Support vector machines
       • Random forests
       • Deep learning (CNNs, etc.)
  10. Synthetic Sensors (p. 22)
     • Laput et al., Synthetic Sensors: Towards General-Purpose Sensing (2017)
     • Infers activities in the home without using a camera
     • A single sensor board carrying a microphone, infrared sensor, accelerometer, magnetometer and more
     https://youtu.be/aqbKrrru2co
  11. (p. 26)
     • Appliances stop working, you can't get into the building, etc.
     • Amazon EC2's SLA: 99.99%
     • SLA (Service Level Agreement): the agreed availability (a refund is due if it drops below this)
     • That allows up to 52.56 minutes of downtime per year (in practice the figure is of course lower)
     Cloud outage leaves appliances uncontrollable, a pitfall of the smart home (日経クロステック / Nikkei xTECH): https://xtech.nikkei.com/atcl/nxt/mag/nc/18/092400133/031100045/
  12. (p. 30)
     • Mirai (2016)
     • Targets Linux devices such as network cameras and home routers
     • Infected devices form a botnet and launch DDoS attacks
     • IoT devices often have weak (factory-default) passwords
     安心相談窓口だより (IPA, Information-technology Promotion Agency): https://www.ipa.go.jp/security/anshin/mgdayori20161125.html
  13. Honeypots (p. 33)
     • 宮崎 駿, Design and experiments of a vehicle honeypot (Valpot): http://www.gentei.org/~hayao/material/20190309_honeypot_tech_event.pdf
     • IoT honeypot: X-Pot; vehicle honeypot: Valpot
     • 吉岡 克成 (Katsunari Yoshioka), A new stage for attack-observation research: toward a "PCR test" for the cyber world: https://www.jssec.org/dl/20210609_sf21_yoshioka.pdf
  14. A Survey on IoT Security (p. 34)
     • Hassija et al., A Survey on IoT Security: Application Areas, Security Threats, and Solution Architectures (2019)
     • I posted a Japanese-language summary on Notion (CC-BY 3.0, the same as the original paper)
  15. Security Issues at Sensing Layer (p. 35)
     • Node Capturing: a sensor node is captured or replaced
     • Malicious Code Injection Attack: injection of malicious code
     • False Data Injection Attack: injection of false data
     • Side-Channel Attacks (SCA): extracting information from data that leaks out (electromagnetic emissions, power consumption, etc.)
     • Eavesdropping and Interference
     • Sleep Deprivation Attacks: exhaust the battery of IoT end devices
     • Booting Attacks: target vulnerabilities while the boot process is running
     Hassija et al., A Survey on IoT Security: Application Areas, Security Threats, and Solution Architectures (2019)
  16. Security Issues at Gateways (p. 36)
     • End sensor nodes use a variety of communication protocols
       • LoRaWAN, ZigBee, Z-Wave, etc.
     • Connections to the cloud server pass through a gateway
     • End-to-End Encryption: decrypting at the gateway (i.e., not end-to-end) is high risk
     • Extra Interfaces: they become attack surface, so keep them to a minimum
     • Firmware updates: the gateway often also handles firmware updates for the IoT devices
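To make the sensing-layer and gateway points concrete (false data injection and eavesdropping on the sensing-layer slide, end-to-end encryption on the gateway slide), here is an added example in Go; it is not from the talk and not from Hassija et al. A sensor node seals each reading with AES-GCM under a per-device key and binds its device ID as associated data; an end-to-end gateway only relays the envelope and holds no key, so a compromised gateway can leak nothing but routing metadata, and any bit flipped in transit or any spoofed device ID is rejected when the cloud opens it. A second relay function models the design the slide warns about, where the gateway terminates the sensor's encryption and therefore sees every reading in the clear. The HMAC-based key derivation, the device IDs and the readings are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the unit a sensor node puts on the wire: the device identity in
// the clear (the gateway needs it for routing), a fresh AES-GCM nonce and the
// ciphertext with its authentication tag appended.
type Envelope struct {
	DeviceID string
	Nonce    []byte
	Sealed   []byte
}

// DeriveDeviceKey is a constructed provisioning scheme for this example: each
// node gets a per-device key derived from a master secret and its ID with
// HMAC-SHA256. A real deployment would provision per-device keys in a secure
// element rather than derive them from one shared master secret.
func DeriveDeviceKey(master []byte, deviceID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(deviceID))
	return mac.Sum(nil) // 32 bytes, so AES-256
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is what the sensor node does. The device ID is bound as associated
// data, so an envelope presented under another device's identity fails
// authentication at the receiver.
func Seal(deviceID string, key, reading []byte) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{
		DeviceID: deviceID,
		Nonce:    nonce,
		Sealed:   aead.Seal(nil, nonce, reading, []byte(deviceID)),
	}, nil
}

// Open is what the key holder does. In the end-to-end design that is the
// cloud service only; a tampered ciphertext (false data injection) or a
// mismatched device ID yields an error instead of a reading.
func Open(key []byte, env Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Sealed, []byte(env.DeviceID))
}

// RelayE2E models a gateway in the end-to-end design: it reads routing
// metadata and forwards the envelope unchanged, but has no key, so the
// returned log line is the most it could ever leak.
func RelayE2E(env Envelope) (Envelope, string) {
	return env, fmt.Sprintf("relay device=%s bytes=%d", env.DeviceID, len(env.Sealed))
}

// RelayTerminating models the riskier design: the sensor-to-gateway hop is
// encrypted, the gateway decrypts, then re-encrypts for the cloud under its
// own key. It returns the plaintext the gateway got to see along the way.
func RelayTerminating(sensorGWKey, gwCloudKey []byte, env Envelope) ([]byte, Envelope, error) {
	plain, err := Open(sensorGWKey, env)
	if err != nil {
		return nil, Envelope{}, err
	}
	out, err := Seal(env.DeviceID, gwCloudKey, plain)
	return plain, out, err
}

func main() {
	master := []byte("constructed-master-secret-for-demo")
	key := DeriveDeviceKey(master, "sensor-01")
	env, _ := Seal("sensor-01", key, []byte("temp=21.5"))
	fwd, logLine := RelayE2E(env)
	reading, err := Open(key, fwd)
	fmt.Println(logLine, string(reading), err)
	fwd.Sealed[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(key, fwd)
	fmt.Println("tampered envelope:", err)
}
```

Run as-is to see the end-to-end path succeed and the tampered envelope fail authentication; compare RelayTerminating, whose first return value is exactly the data an attacker on the gateway would obtain.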
  17. IoT and Security (p. 37)
     while(true) printf "Hello" end
     Computer security
     • The target is information
     • Personal information and assets may be threatened
     IoT security
     • The targets extend into physical space
     • Human safety may be threatened
     • "Security" is a mixed martial art (knowledge from many fields is involved)
     • "IoT" is a mixed martial art
     • "IoT security" is "the mixed martial art of mixed martial arts"
  18. (p. 45)
     • 黒林檎, 村島 正浩, ハッカーの学校 IoTハッキングの教科書 (Hacker's School: The IoT Hacking Textbook), 2018
     • 上松 亮介, ハッカーの技術書 IoTソフトウェア無線の教科書 (Hacker's Technical Book: The IoT Software-Defined Radio Textbook), 2020
     • 八子 知礼, 杉山 恒司, 竹之下 航洋, 松浦 真弓, 土本 寛子, IoTの基本・仕組み・重要事項が全部わかる教科書 (The Textbook That Covers All the Basics, Mechanisms and Key Points of IoT), 2017