Privacy Preserving Information Sharing in Modern and Emerging Platforms

Tian, Yuan

01 May 2018

Users share a large amount of information with modern platforms such as web platforms and social platforms for various services. However, they face the risk of information leakage because modern platforms still lack proper security policies. Existing security policies, such as permission systems and isolation, can help regulate information sharing. However, these policies have problems, such as coarse granularity, bad usability, and incompleteness, especially when new features are introduced. I investigate the security impacts of new features in web and mobile platforms and find design problems that lead to user information leakage. Based on these analyses, I propose design principles for permission systems that mediate how information should be shared in modern and emerging platforms, such as web and social platforms, to provide functionality with privacy preserved. I aim to design permission systems that only allow least-privilege information access. Specifically, I utilize program analysis and natural language processing to understand how applications use sensitive data and correlate these data with their functionality. With this understanding, I design schemes that ask for user consent about unexpected information access and automatically reduce overprivileged access. I provide guidelines for platform designers to build their permission systems according to respective adversary models and resources. In particular, I implement the new permission system for social platforms and Internet of Things (IoT) platforms that enable least-privilege information sharing. For the social platforms, I incorporate the primitives of Opaque handle, Opaque display, and User-driven access control (OOU) to design a least-privilege, user-friendly, developer-friendly, and feature-rich permission system. According to my study on Facebook, OOU can be applied to remove or replace 81.2% of sensitive permission instances without affecting functionality. For IoT platforms, I present a new authorization framework, SmartAuth, that supports user-centric, semantic-based authorization. SmartAuth automatically collects security-relevant information from an IoT application’s description, code, and annotations, and generates an authorization user interface to bridge the gap between the functionalities explained to the user and the operations the application actually performs.

Authorization

IoT security

Privacy protection

Security and Privacy

Advantages and Risks of Sensing for Cyber-Physical Security

Han, Jun

01 May 2018

With the the emergence of the Internet-of-Things (IoT) and Cyber-Physical Systems (CPS), modern computing is now transforming from residing only in the cyber domain to the cyber-physical domain. I focus on one important aspect of this transformation, namely shortcomings of traditional security measures. Security research over the last couple of decades focused on protecting data in regard to identities or similar static attributes. However, in the physical world, data rely more on physical relationships, hence requires CPS to verify identities together with relative physical context to provide security guarantees. To enable such verification, it requires the devices to prove unique relative physical context only available to the intended devices. In this work, I study how varying levels of constraints on physical boundary of co-located devices determine the relative physical context. Specifically, I explore different application scenarios with varying levels of constraints – including smart-home, semi-autonomous vehicles, and in-vehicle environments – and analyze how different constraints affect binding identities to physical relationships, ultimately enabling IoT devices to perform such verification. Furthermore, I also demonstrate that sensing may pose risks for CPS by presenting an attack on personal privacy in a smart home environment.

Context-based Pairing

IoT Security

Sensor Fusion

Sensor Security

Fingerprinting the Smart Home: Detection of Smart Assistants Based on Network Activity

Hashemi, Arshan

01 December 2018

As the concept of the Smart Home is being embraced globally, IoT devices such as the Amazon Echo, Google Home, and Nest Thermostat are becoming a part of more and more households. In the data-driven world we live in today, internet service providers (ISPs) and companies are collecting large amounts of data and using it to learn about their customers. As a result, it is becoming increasingly important to understand what information ISPs are capable of collecting. IoT devices in particular exhibit distinct behavior patterns and specific functionality which make them especially likely to reveal sensitive information. Collection of this data provides valuable information and can have some serious privacy implications. In this work I present an approach to fingerprinting IoT devices behind private networks while only examining last-mile internet traffic . Not only does this attack only rely on traffic that would be available to an ISP, it does not require changes to existing infrastructure. Further, it does not rely on packet contents, and therefore works despite encryption. Using a database of 64 million packets logged over 15 weeks I was able to train machine learning models to classify the Amazon Echo Dot, Amazon Echo Show, Eufy Genie, and Google Home consistently. This approach combines unsupervised and supervised learning and achieves a precision of 99.95\%, equating to one false positive per 2,000 predictions. Finally, I discuss the implication of identifying devices within a home.

IoT

Smart Assistants

Machine Learning

Fingerprinting

IoT Privacy

IoT Security

Exploring Vulnerabilities and Security Schemes of Service-Oriented Internet 0f Things (IoT) Protocols

Kayas, Golam, 0000-0001-7186-3442

08 1900

The Internet of Things (IoT) is spearheading a significant revolution in the realm of computing systems for the next generation. IoT has swiftly permeated various domains, including healthcare, manufacturing, military, and transportation, becoming an essential component of numerous smart devices and applications. However, as the number of IoT devices proliferates, security concerns have surged, resulting in severe attacks in recent years. Consequently, it is imperative to conduct a comprehensive investigation into IoT networks to identify and address vulnerabilities in order to preempt potential adversarial activities. The aim of this research is to examine different IoT-based systems and comprehend their security weaknesses. Additionally, the objective is to develop effective strategies to mitigate vulnerabilities and explore the security loopholes inherent in IoT-based systems, along with a plan to rectify them. IoT-based systems present unique challenges due to the expanding adoption of IoT technology across diverse applications, accompanied by a wide array of IoT devices. Each IoT network has its own limitations, further compounding the challenge. For instance, IoT devices used in sensor networks often face constraints in terms of resources, possessing limited power and computational capabilities. Moreover, integration of IoT with existing systems introduces security issues. A prime example of this integration is found in connected cars, where traditional in-vehicle networks, designed to connect internal car components, must be highly robust to meet stringent requirements. However, modern cars are now connected to a wide range of IoT nodes through various interfaces, thus creating new security challenges for professionals to address. This work offers a comprehensive investigation plan for different types of IoT-based systems with varying constraints to identify security vulnerabilities. We also propose security measures to mitigate the vulnerabilities identified in our investigation, thereby preventing adversarial activities. To facilitate the exploration and investigation of vulnerabilities, our work is divided into two parts: resource-constrained IoT-based systems (sensor networks, smart homes) and robustness-constrained IoT-based systems (connected cars). In our investigation of resource-constrained IoT networks, we focus on two widely used service-oriented IoT protocols, namely Universal Plug and Play (UPnP) and Message Queue Telemetry Transport (MQTT). Through a structured phase-by-phase analysis of these protocols, we establish a comprehensive threat model that explains the existing security gaps in communications. The threat models present security vulnerabilities of service-oriented resource-constrained IoT networks and the corresponding security attacks that exploit these vulnerabilities. We propose security solutions to mitigate the identified vulnerabilities and defend against potential security breaches. Our security analysis demonstrates that the proposed measures successfully thwart adversarial activities, and our experimental data supports the feasibility of the proposed models. For robustness-constrained IoT-based systems, we investigate the in-vehicle networks of modern cars, specifically focusing on the Controller Area Network (CAN) bus system, which is widely adopted for connecting Electronic Control Units (ECUs) in vehicles. To uncover vulnerabilities in these in-vehicle networks, we leverage fuzz testing, a method that involves testing with random data. Fuzz testing over the CAN bus is a well-established technique for detecting security vulnerabilities in in-vehicle networks. Furthermore, the automatic execution of test cases and assessment of robustness make CAN bus fuzzing a popular choice in the automotive testing community. However, a major drawback of fuzz testing is the generation of a large volume of execution reports, often containing false positives. Consequently, all execution reports must be manually reviewed, which is time-consuming and prone to human errors. To address this issue, we propose an automatic investigation mechanism to identify security vulnerabilities from fuzzing logs, considering the class, relative severity, and robustness of failures. Our proposed schema utilizes artificial intelligence (AI) to identify genuine security-critical vulnerabilities from fuzz testing execution logs. Additionally, we provide mechanisms to gauge the relative severity and robustness of a failure, thereby determining the criticality of a vulnerability. Moreover, we propose an AI-assisted vulnerability scoring system that indicates the criticality of a vulnerability, offering invaluable assistance in prioritizing the mitigation of critical issues in in-vehicle networks. / Computer and Information Science

Computer science

Automotive security

Internet of Things (IoT)

IoT security

Security

Threats, Countermeasures, and Research Trends for BLE-based IoT Devices

January 2017

abstract: The Internet of Things has conjured up a storm in the technology world by providing novel methods to connect, exchange, aggregate, and monitor data across a system of inter-related devices and entities. Of the myriad technologies that aid in the functioning of these IoT devices, Bluetooth Low Energy also known as BLE plays a major role in establishing inter-connectivity amongst these devices. This thesis aims to provide a background on BLE, the type of attacks that could occur in an IoT setting, the possible defenses that are available to prevent the occurrence of such attacks, and a discussion on the research trends that hold great promise in presenting seamless solutions to integrate IoT devices across different industry verticals. / Dissertation/Thesis / Masters Thesis Computer Science 2017

Computer science

BLE

Bluetooth Low Energy

IoT security

IoT Survey

Research Trends in Bluetooth

Threats

Evaluation and Implementation of a Secure Zero Configuration IoT System

Yi, Lirong

January 2017

The Internet of Things (IoT) comprises a large number of heterogeneous devices. It is forecasted that up to 50 billion devices will be connected to the Internet by 2020. All of them have to be configured. Due to the heterogeneity of devices and the enormous increasing number of devices, manual configuration becomes more and more complex and inefficient. Zero configuration is put forward to solve this problem, which makes device configured automatically without additional manual involvement. Besides that, there are many security threats we want to avoid in the future. These security problems include unauthenticated nodes accessing to IoT data, denial of service, lack of confidentiality, malicious attack from hackers and so on. This paper studies the characteristics of IoT firstly and then highlights the implementation of zero configuration and security to IoT. This paper describes the underlying features of zero configuration and primary requirements of security, as well as finds some related mature technologies, based on that proposes a concise solution – combining the Bonjour and many security approaches for implementation of a secure zero IoT system. In addition, this solution is implemented in a small environment scenario of IoT, a smart home. All the programs are in Java language. Evaluation and conclusion are done in final phase.

IoT

zero configuration

IoT security

mDNS

DNS-DS

confidentiality

authenticity

Bonjour

Java

Software Engineering

Programvaruteknik

Bring your own device - a concern for organizations? : A thesis about tech organizations awareness and management of smartwatches

Gustavsson, Simon, Årman, Fredrik

January 2020

With 5G around the corner and an overall increase in a faster and more stable internet connection, the future of Internet of Things (IoT) looks bright. There is a steady increase in the development of IoT devices, such as the smartwatch, and a high increase in usage of IoT, both by organizations and private citizens. Organizational managing of a smartwatch falls under the “Bring your own device” (BYOD) policy which allows employees to do work on their private devices. It appears to be a lack of knowledge in organizations on how to manage IoT devices both regarding policies and technical IT security. There has been an increase in malware attacks against IoT devices, and compromised smartwatches could be used to gain unauthorized access to organizations’ networks. The smartwatch is a common and powerful IoT device and will be used as an example in this thesis which purpose is to examine how organizations’ perceive and manage IoT devices, focusing on the smartwatch in order to gain insight regarding whether IoT devices such as the smartwatch is an area of concern within organizations. To understand the smartwatch, understanding IoT first will be important. The literature review delves into both IoT and smartwatch functionality and security. It looks at the BYOD policy and technical IT security solutions regarding the smartwatch. The review pointed to there being IT security issues with smartwatches and that implementing a BYOD policy increases productivity but increases the risk of malware attacks from and against the allowed devices. To fulfill the thesis purpose, qualitative interviews with high ranking IT security personnel at tech organizations were performed, thematized, and analyzed. The most prominent results are discussed; if the smartwatch is a threat and possible technical solutions for prevention, the organizations customer businesses IT security level, and BYOD policy. The results from the thesis showed that the organizations had a high awareness of the smartwatch and the IT security risks brought with it. They all had BYOD policies to restrict/limit access for the smartwatch’s access to their internal networks and a set of technical solutions to prevent breaches in the IT infrastructure and to detect if there had been a breach. The informants claimed that their organizations’ awareness regarding the smartwatch and the concerning IT security was higher than many of their customer businesses, which makes for an interesting subject for future research. How can these organizations reach the same level of awareness? / Med 5G runt hörnet och en generell ökning av både snabbare och stabilare internet så ser framtiden för Internet of Things (IoT) ljus ut. Det pågår en stadig ökning i utvecklingen av IoT-enheter såsom smartklockan, samtidigt som en användandet av IoT ökar både på företag och hos privatpersoner. En verksamhets hantering av smartklockan hamnar under policyn ”Bring your own device” (BYOD) vilket tillåter anställda att använda sina privata enheter i jobbrelaterat syfte. Det verkar finnas en kunskapsbrist hos verksamheter avseende hur man hanterar IoT-enheter, både gällande policy och teknisk IT-säkerhet. Det har skett en ökning av malware attacker (skadlig kod) mot IoT-enheter och en kompromissad smartklocka kan potentiellt användas för att få otillbörlig åtkomst till en verksamhets nätverk. Smartklockan är en vanlig och kraftfull IoT-enhet och kommer att användas som exempel i den här uppsatsen. Syftet med uppsatsen är att undersöka hur verksamheter uppfattar och hanterar IoT-enheter med fokus på smartklockan, för att ta reda på om IoT-enheter såsom smartklockan är ett område som verksamheter arbetar med. För att förstå smartklockan så är det viktigt att först förstå IoT. I litteraturstudien redogörs både IoT och smartklockors funktionalitet samt säkerhetsaspekter. Vidare beskrivs även BYOD policy och tekniska IT-säkerhetslösningar gällande smartklockan. Litteraturstudien pekade på att det existerar IT-säkerhetsproblem med smartklockan och att implementera en BYOD policy kan öka verksamhetens produktivitet men även öka riskerna med malware attacker, både mot och från de tillåtna enheterna. För att uppfylla uppsatsens syfte utfördes kvalitativa intervjuer med högt uppsatt IT-säkerhetspersonal på IT-orienterade verksamheter, som sedan tematiserades och analyserades. De mest relevanta resultaten diskuteras, avseende smartklockan som ett hot och de relaterade tekniska lösningarna, verksamheternas kundföretags IT-säkerhetsnivå och BYOD policyn. De empiriska resultaten från uppsatsen visade att verksamheterna som intervjuades hade en hög medvetenhet relaterat till smartklockan och de IT-säkerhetsproblem som den kan medföra. Alla verksamheterna hade en BYOD policy för att begränsa/förbjuda smartklockans åtkomst till deras interna nätverk, samt ett par tekniska lösningar för att förebygga intrång i deras IT-infrastruktur och för att upptäcka om ett intrång redan skett. Informanterna påstod att deras verksamheters medvetenhet kring smartklockan och den relaterade IT-säkerheten var högre kontra flera av deras kundföretags, vilket är ett relevant ämne för framtida forskning. Hur kan dessa verksamheter nå upp till samma nivå av medvetenhet?

Smartwatch

IoT

IoT security management

Byod policy

Information Systems

IoT Security With INFINITE: The 3-Dimensional Internet Of Things Maturity Model

Haar, Christoph, Buchmann, Erik

25 February 2022

Many companies are more and more interested in using IoT devices, either to optimize their processes or due to the lack of alternatives. The situation is similar to some years ago, when cameras were banned on company premises for security considerations, but all modern cell phones had cameras. Observations have shown, that the security properties of IoT devices with a similar functionality might differ significantly. This makes it challenging for a company to identify IoT devices that match its security policy. In order to make it possible for companies to assess the level of security of IoT devices before buying them, we introduce INFINITE, our 3-dimensional INternet oF thINgs maturITy modEl. INFINITE can be used at procurement-time, to find out to which degree an IoT device meets the requirements of the company’s security policy. This simplifies the procurement process, prevents the introduction of IoT devices that cannot be integrated into an enterprise-wide security strategy, and ultimately saves costs. To this end, INFINITE allows us to considers both the software and the hardware life cycle of an IoT device.:1. Introduction 2. Related Work 3. Defining INFINITE 4. Evaluation 5. Conclusion

IoT Security, Maturity Model

info:eu-repo/classification/ddc/004

ddc:004

Detecting DoS Attack in Smart Home IoT Devices Using a Graph-Based Approach

Paudel, Ramesh, Muncy, Timothy, Eberle, William

01 December 2019

The use of the Internet of Things (IoT) devices has surged in recent years. However, due to the lack of substantial security, IoT devices are vulnerable to cyber-attacks like Denial-of-Service (DoS) attacks. Most of the current security solutions are either computationally expensive or unscalable as they require known attack signatures or full packet inspection. In this paper, we introduce a novel Graph-based Outlier Detection in Internet of Things (GODIT) approach that (i) represents smart home IoT traffic as a real-time graph stream, (ii) efficiently processes graph data, and (iii) detects DoS attack in real-time. The experimental results on real-world data collected from IoT-equipped smart home show that GODIT is more effective than the traditional machine learning approaches, and is able to outperform current graph-stream anomaly detection approaches.

anomaly detection

DoS attack detection

graph mining

IoT Security

smart home

EMBEDDED INCREASED ENTROPY PHYSICALLY UNCLONABLE FUNCTIONS

Harding, Jessica Catherine

26 August 2022

No description available.

Electrical Engineering

PUFs

physically unclonable functions

embedded PUFs

IoT security

device authentication