Exploring Vulnerabilities and Security Schemes of Service-Oriented Internet 0f Things (IoT) Protocols

Kayas, Golam, 0000-0001-7186-3442

08 1900

The Internet of Things (IoT) is spearheading a significant revolution in the realm of computing systems for the next generation. IoT has swiftly permeated various domains, including healthcare, manufacturing, military, and transportation, becoming an essential component of numerous smart devices and applications. However, as the number of IoT devices proliferates, security concerns have surged, resulting in severe attacks in recent years. Consequently, it is imperative to conduct a comprehensive investigation into IoT networks to identify and address vulnerabilities in order to preempt potential adversarial activities. The aim of this research is to examine different IoT-based systems and comprehend their security weaknesses. Additionally, the objective is to develop effective strategies to mitigate vulnerabilities and explore the security loopholes inherent in IoT-based systems, along with a plan to rectify them. IoT-based systems present unique challenges due to the expanding adoption of IoT technology across diverse applications, accompanied by a wide array of IoT devices. Each IoT network has its own limitations, further compounding the challenge. For instance, IoT devices used in sensor networks often face constraints in terms of resources, possessing limited power and computational capabilities. Moreover, integration of IoT with existing systems introduces security issues. A prime example of this integration is found in connected cars, where traditional in-vehicle networks, designed to connect internal car components, must be highly robust to meet stringent requirements. However, modern cars are now connected to a wide range of IoT nodes through various interfaces, thus creating new security challenges for professionals to address. This work offers a comprehensive investigation plan for different types of IoT-based systems with varying constraints to identify security vulnerabilities. We also propose security measures to mitigate the vulnerabilities identified in our investigation, thereby preventing adversarial activities. To facilitate the exploration and investigation of vulnerabilities, our work is divided into two parts: resource-constrained IoT-based systems (sensor networks, smart homes) and robustness-constrained IoT-based systems (connected cars). In our investigation of resource-constrained IoT networks, we focus on two widely used service-oriented IoT protocols, namely Universal Plug and Play (UPnP) and Message Queue Telemetry Transport (MQTT). Through a structured phase-by-phase analysis of these protocols, we establish a comprehensive threat model that explains the existing security gaps in communications. The threat models present security vulnerabilities of service-oriented resource-constrained IoT networks and the corresponding security attacks that exploit these vulnerabilities. We propose security solutions to mitigate the identified vulnerabilities and defend against potential security breaches. Our security analysis demonstrates that the proposed measures successfully thwart adversarial activities, and our experimental data supports the feasibility of the proposed models. For robustness-constrained IoT-based systems, we investigate the in-vehicle networks of modern cars, specifically focusing on the Controller Area Network (CAN) bus system, which is widely adopted for connecting Electronic Control Units (ECUs) in vehicles. To uncover vulnerabilities in these in-vehicle networks, we leverage fuzz testing, a method that involves testing with random data. Fuzz testing over the CAN bus is a well-established technique for detecting security vulnerabilities in in-vehicle networks. Furthermore, the automatic execution of test cases and assessment of robustness make CAN bus fuzzing a popular choice in the automotive testing community. However, a major drawback of fuzz testing is the generation of a large volume of execution reports, often containing false positives. Consequently, all execution reports must be manually reviewed, which is time-consuming and prone to human errors. To address this issue, we propose an automatic investigation mechanism to identify security vulnerabilities from fuzzing logs, considering the class, relative severity, and robustness of failures. Our proposed schema utilizes artificial intelligence (AI) to identify genuine security-critical vulnerabilities from fuzz testing execution logs. Additionally, we provide mechanisms to gauge the relative severity and robustness of a failure, thereby determining the criticality of a vulnerability. Moreover, we propose an AI-assisted vulnerability scoring system that indicates the criticality of a vulnerability, offering invaluable assistance in prioritizing the mitigation of critical issues in in-vehicle networks. / Computer and Information Science

Computer science

Automotive security

Internet of Things (IoT)

IoT security

Security

Informationshantering i fastighetsbranschen

Albrektsson, Elof, Helsingen, Per

January 2017

No description available.

Digitalisering

Informationshantering

Fastighetsbranschen

BIM

Internet of things

Social Sciences

Samhällsvetenskap

EFFICIENT ROUTING AND OFFLOADING DESIGN IN INTERNET-OF-THINGS SYSTEMS

Wang, Ning

January 2018

One of the fundamental challenges in Internet-of-Things systems is that network environment is always changing. Conventional networking approaches do not consider the dynamic evaluation of the networks or consider the network dynamic as a mirror thing, which may not be able to work or has a low efficiency in the Internet-of-Things systems. This dissertation is uniquely built by considering the dynamic network environment and even taking advantage of the network dynamic to improve the network performances, with a focus on the routing and offloading issues. The first part is related to the routing design in the opportunistic mobile networks. The opportunistic mobile network is expected to be an intrinsic part of the Internet of Things. Devices communicate with each other autonomously without any centralized control and collaborate to gather, share, and forward information in a multi-hop manner. The main challenge in opportunistic mobile networks is due to intermittent connection and thus data is delivered through store-carry-forwarding paradigm. In this dissertation, We found an observation regarding the contact duration and proposed efficient data partitioning routing algorithms in the opportunistic mobile networks. The second part is related to the offloading issues in the Internet-of-things systems. With the surging demand on high-quality mobile services at any time, from anywhere, how to accommodate the explosive growth of traffics with/without existing network infrastructures is a fundamental issue. Specifically, We consider three different offloading problems, i.e., cellular data offloading, cloud task offloading, and mobile worker task offloading problems in vehicular networks, cloud, and crowdsourcing platforms. The common issue behind them is how to efficiently utilize the network resources in different scenarios by design efficient scheduling mechanisms. For the cellular data offloading, We explored the trade-off of cellular offloading in the vehicular network. For the cloud task offloading, We conducted the research to adjust the offloading strategies wisely so that the total offloading cost is minimized. For the worker task offloading in the smart cities, We optimized the cost-efficiency of the crowdsourcing platforms. / Computer and Information Science

Computer Science

Cloud

Crowdsoucing

Edge Computing

Internet-of-things

Designing Effective Security and Privacy Schemes for Wireless Mobile Devices

Wu, Longfei

January 2017

The growing ubiquity of modern wireless and mobile electronic devices has brought our daily lives with more convenience and fun. Today's smartphones are equipped with a variety of sensors and wireless communication technologies, which can support not only the basic functions like phone call and web browsing, but also advanced functions like mobile pay, biometric security, fitness monitoring, etc. Internet-of-Things (IoT) is another category of popular wireless devices that are networked to collect and exchange data. For example, the smart appliances are increasingly deployed to serve in home and office environments, such as smart thermostat, smart bulb, and smart meter. Additionally, implantable medical devices (IMD) is the typical type of modern wireless devices that are implanted within human body for diagnostic, monitoring, and therapeutic purposes. However, these modern wireless and mobile devices are not well protected compared with traditional personal computers (PCs), due to the intrinsic limitations in computation power, battery capacity, etc. In this dissertation, we first present the security and privacy vulnerabilities we discovered. Then, we present our designs to address these issues and enhance the security of smartphones, IoT devices, and IMDs. For smartphone security, we investigate the mobile phishing attacks, mobile clickjacking attacks and mobile camera-based attacks. Phishing attacks aim to steal private information such as credentials. We propose a novel anti-phishing scheme MobiFish, which can detect both phishing webpages and phishing applications (apps). The key idea is to check the consistency between the claimed identity and the actual identity of a webpage/app. The claimed identity can be extracted from the screenshot of login user interface (UI) using the optical character recognition (OCR) technique, while the actual identity is indicated by the secondary-level domain name of the Uniform Resource Locator (URL) to which the credentials are submitted. Clickjacking attacks intend to hijack user inputs and re-route them to other UIs that are not supposed to receive them. To defend such attacks, a lightweight and independent detection service is integrated into the Android operating system. Our solution requires no user or app developer effort, and is compatible with existing commercial apps. Camera-based attacks on smartphone can secretly capture photos or videos without the phone user's knowledge. One advanced attack we discovered records the user's eye movements when entering passwords. We found that it is possible to recover simple passwords from the video containing user eye movements. Next, we propose an out-of-band two-factor authentication scheme for indoor IoT devices (e.g., smart appliances) based on the Blockchain infrastructure. Since smart home environment consists of multiple IoT devices that may share their sensed data to better serve the user, when one IoT device is being accessed, our design utilizes another device to conduct a secondary authentication over an out-of-band channel (light, acoustic, etc.), to detect if the access requestor is a malicious external device. Unlike smartphones and IoT devices, IMDs have the most limited computation and battery resources. We devise a novel smartphone-assisted access control scheme in which the patient's smartphone is used to delegate the heavy computations for authentication and authorization. The communications between the smartphone and the IMD programmer are conducted through an audio cable, which can resist the wireless eavesdropping and other active attacks. / Computer and Information Science

Computer Science

Implantable Medical Devices

Internet-of-things

Privacy

Security

Smartphone

Aggregated sensor payload submission model for token-based access control in the Web of Things

Amir, Mohammad, Pillai, Prashant, Hu, Yim Fun

26 October 2015

Yes / Web of Things (WoT) can be considered as a merger of newly emerging paradigms of Internet of Things (IoT) and cloud computing. Rapidly varying, highly volatile and heterogeneous data traffic is a characteristic of the WoT. Hence, the capture, processing, storage and exchange of huge volumes of data is a key requirement in this environment. The crucial resources in the WoT are the sensing devices and the sensing data. Consequently, access control mechanisms employed in this highly dynamic and demanding environment need to be enhanced so as to reduce the end-to-end latency for capturing and exchanging data pertaining to these underlying resources. While there are many previous studies comparing the advantages and disadvantages of access control mechanisms at the algorithm level, vary few of these provide any detailed comparison the performance of these access control mechanisms when used for different data handling procedures in the context of data capture, processing and storage. This study builds on previous work on token-based access control mechanisms and presents a comparison of two different approaches used for handling sensing devices and data in the WoT. It is shown that the aggregated data submission approach is around 700% more efficient than the serial payload submission procedure in reducing the round-trip response time.

The security of big data in fog-enabled IoT applications including blockchain: a survey

Tariq, N., Asim, M., Al-Obeidat, F., Farooqi, M.Z., Baker, T., Hammoudeh, M., Ghafir, Ibrahim

24 January 2020

Yes / The proliferation of inter-connected devices in critical industries, such as healthcare and power grid, is changing the perception of what constitutes critical infrastructure. The rising interconnectedness of new critical industries is driven by the growing demand for seamless access to information as the world becomes more mobile and connected and as the Internet of Things (IoT) grows. Critical industries are essential to the foundation of today’s society, and interruption of service in any of these sectors can reverberate through other sectors and even around the globe. In today’s hyper-connected world, the critical infrastructure is more vulnerable than ever to cyber threats, whether state sponsored, criminal groups or individuals. As the number of interconnected devices increases, the number of potential access points for hackers to disrupt critical infrastructure grows. This new attack surface emerges from fundamental changes in the critical infrastructure of organizations technology systems. This paper aims to improve understanding the challenges to secure future digital infrastructure while it is still evolving. After introducing the infrastructure generating big data, the functionality-based fog architecture is defined. In addition, a comprehensive review of security requirements in fog-enabled IoT systems is presented. Then, an in-depth analysis of the fog computing security challenges and big data privacy and trust concerns in relation to fog-enabled IoT are given. We also discuss blockchain as a key enabler to address many security related issues in IoT and consider closely the complementary interrelationships between blockchain and fog computing. In this context, this work formalizes the task of securing big data and its scope, provides a taxonomy to categories threats to fog-based IoT systems, presents a comprehensive comparison of state-of-the-art contributions in the field according to their security service and recommends promising research directions for future investigations.

Security

Big data

Internet of Things

Fog computing

Edge computing

Blockchain

Recent advances in antenna design for 5G heterogeneous networks

Elfergani, Issa T., Hussaini, A.S., Rodriguez, J., Abd-Alhameed, Raed

14 January 2022

Yes

Antenna design

5G

5G heterogeneous networks

Internet of Things (IoT)

Machine Learning for Botnet Detection: An Optimized Feature Selection Approach

Lefoane, Moemedi, Ghafir, Ibrahim, Kabir, Sohag, Awan, Irfan U.

05 April 2022

Yes / Technological advancements have been evolving for so long, particularly Internet of Things (IoT) technology that has seen an increase in the number of connected devices surpass non IoT connections. It has unlocked a lot of potential across different organisational settings from healthcare, transportation, smart cities etc. Unfortunately, these advancements also mean that cybercriminals are constantly seeking new ways of exploiting vulnerabilities for malicious and illegal activities. IoT is a technology that presents a golden opportunity for botnet attacks that take advantage of a large number of IoT devices and use them to launch more powerful and sophisticated attacks such as Distributed Denial of Service (DDoS) attacks. This calls for more research geared towards the detection and mitigation of botnet attacks in IoT systems. This paper proposes a feature selection approach that identifies and removes less influential features as part of botnet attack detection method. The feature selection is based on the frequency of occurrence of the value counts in each of the features with respect to total instances. The effectiveness of the proposed approach is tested and evaluated on a standard IoT dataset. The results reveal that the proposed feature selection approach has improved the performance of the botnet attack detection method, in terms of True Positive Rate (TPR) and False Positive Rate (FPR). The proposed methodology provides 100% TPR, 0% FPR and 99.9976% F-score.

Botnet detection

Machine learning

Cyber attacks

Internet of Things

Network security

Security and Privacy for Internet of Things: Authentication and Blockchain

Sharaf Dabbagh, Yaman

21 May 2020

Reaping the benefits of the Internet of Things (IoT) system is contingent upon developing IoT-specific security and privacy solutions. Conventional security and authentication solutions often fail to meet IoT requirements due to the computationally limited and portable nature of IoT objects. Privacy in IoT is a major issue especially in the light of current attacks on Facebook and Uber. Research efforts in both the academic and the industrial fields have been focused on providing security and privacy solutions that are specific to IoT systems. These solutions include systems to manage keys, systems to handle routing protocols, systems that handle data transmission, access control for devices, and authentication of devices. One of these solutions is Blockchain, a trust-less peer-to-peer network of devices with an immutable data storage that does not require a trusted party to maintain and validate data entries in it. This emerging technology solves the problem of centralization in systems and has the potential to end the corporations control over our personal information. This unique characteristic makes blockchain an excellent candidate to handle data communication and storage between IoT devices without the need of oracle nodes to monitor and validate each data transaction. The peer-to-peer network of IoT devices validates data entries before being added to the blockchain database. However, accurate authentication of each IoT device using simple methods is another challenging problem. In this dissertation, a complete novel system is proposed to authenticate, verify, and secure devices in IoT systems. The proposed system consists of a blockchain framework to collect, monitor, and analyze data in IoT systems. The blockchain based system exploits a method, called Sharding, in which devices are grouped into smaller subsets to provide a scalable system. In addition to solving the scalability problem in blockchain, the proposed system is secured against the 51% attack in which a malicious node tries to gain control over the majority of devices in a single shard in order to disrupt the validation process of data entries. The proposed system dynamically changes the assignment of devices to shards to significantly decrease the possibility of performing 51% attacks. The second part of the novel system presented in this work handles IoT device authentication. The authentication framework uses device-specific information, called fingerprints, along with a transfer learning tool to authenticate objects in the IoT. The framework tracks the effect of changes in the physical environment on fingerprints and uses unique IoT environmental effects features to detect both cyber and cyber-physical emulation attacks. The proposed environmental effects estimation framework showed an improvement in the detection rate of attackers without increasing the false positives rate. The proposed framework is also shown to be able to detect cyber-physical attackers that are capable of replicating the fingerprints of target objects which conventional methods are unable to detect. In addition, a transfer learning approach is proposed to allow the use of objects with different types and features in the environmental effects estimation process. The transfer learning approach was also implemented in cognitive radio networks to prevent primary users emulation attacks that exist in these networks. Lastly, this dissertation investigated the challenge of preserving privacy of data stored in the proposed blockchain-IoT system. The approach presented continuously analyzes the data collected anonymously from IoT devices to insure that a malicious entity will not be able to use these anonymous datasets to uniquely identify individual users. The dissertation led to the following key results. First, the proposed blockchain based framework that uses sharding was able to provide a decentralized, scalable, and secured platform to handle data exchange between IoT devices. The security of the system against 51% attacks was simulated and showed significant improvements compared to typical blockchain implementations. Second, the authentication framework of IoT devices is shown to yield to a 40% improvement in the detection of cyber emulation attacks and is able to detect cyber-physical emulation attacks that conventional methods cannot detect. The key results also show that the proposed framework improves the authentication accuracy while the transfer learning approach yields up to 70% additional performance gains. Third, the transfer learning approach to combine knowledge about features from multiple device types was also implemented in cognitive radio networks and showed performance gains with an average of 3.4% for only 10% relevant information between the past knowledge and the current environment signals. / Doctor of Philosophy / The Internet of things (IoT) system is anticipated to reach billions of devices by the year 2020. With this massive increase in the number of devices, conventional security and authentication solutions will face many challenges from computational limits to privacy and security challenges. Research on solving the challenges of IoT systems is focused on providing lightweight solutions to be implemented on these low energy IoT devices. However these solutions are often prone to different types of attacks. The goal of this dissertation is to present a complete custom solution to secure IoT devices and systems. The system presented to solve IoT challenges consists of three main components. The first component focuses on solving scalability and centralization challenges that current IoT systems suffer from. To accomplish this a combination of distributed system, called blocchain, and a method to increase scalability, called Sharding, were used to provide both scalability and decentralization while maintaining high levels of security. The second component of the proposed solution consists of a novel framework to authenticate the identity of each IoT device. To provide an authentication solution that is both simple and effective, the framework proposed used a combination of features that are easy to collect, called fingerprints. These features were used to model the environment surrounding each IoT device to validate its identity. The solution uses a method called transfer learning to allow the framework to run on different types of devices. The proposed frameworks were able to provide a solution that is scalable, simple, and secured to handle data exchange between IoT devices. The simulation presented showed significant improvements compared to typical blockchain implementations. In addition, the frameworks proposed were able to detect attackers that have the resources to replicate all the device specific features. The proposed authentication framework is the first framework to be able to detect such an advanced attacker. The transfer learning tool added to the authentication framework showed performance gains of up to 70%.

Blockchain

Internet of things (IoT)

Cyber-Physical Systems

Authentication

Giving Smart Agents a Voice: How a Smart Agent's Voice Influences Its Relationships with Consumers

Han, Yegyu

04 June 2020

Advances in speech recognition and voice synthesis software now allow "smart agents" (e.g., voice-controlled devices like Amazon's Alexa and Google Home) to interact naturally with humans. The machines have a skills repertoire with which they can "communicate" and form relationships with consumers – managing aspects of their daily lives and providing advice on various issues including purchases. This dissertation develops three essays that examine the role played by the smart agent's voice (rational vs. emotional) in such relationships. The social cognition and persuasion literature on interpersonal communication serves as a comparison backdrop. In Essay 1, I investigate how identical purchase recommendations delivered in a rational or an emotional voice elicit different consumer responses, when the voice is ascribed to a human versus a smart agent. I argue that consumers distinctively categorize smart agents and humans, which, in turn, leads them to have different expectations when interacting with them. In Essay 2, I focus on how a smart agent's vocal tone (rational vs. emotional) influences consumer compliance with the agent's recommendation as well as the role of trust as a mediator of the underlying process. I find that the level of intimacy in the relationship between the smart agent and the human user moderates whether the voice effect on persuasion operates through trust that is cognitively or affectively rooted. In Essay 3, I examine the proposition that consumers may anthropomorphize a smart agent both mindfully (consciously) and mindlessly (non-consciously), depending on the agent's voice. In addition to using extant measures of the degree to which anthropomorphism is explicit (conscious), I develop an auditory analog of the implicit association test (IAT) that assesses implicit (non-conscious) anthropomorphism. In additional experiments, I further assess the robustness of the auditory IAT test and demonstrated a dissociation between the measures of the explicit and implicit subconstructs of anthropomorphism. Taken together, these essays contribute to our understanding of the factors driving consumer relationships with smart agents in the rapidly evolving IoT world. / Doctor of Philosophy / Advances in artificial intelligence technologies are creating "smart devices," i.e., machines that can "understand" how people talk and respond meaningfully to such communication in their own voices. Thus, familiar voice-controlled devices like Amazon's Alexa and Google Home are now increasingly able to "communicate" and form relationships with consumers – managing aspects of their daily lives and providing advice on various issues including purchases. However, little is known about how a smart agent's vocal tones (rational vs. emotional) may influence how consumers perceive and relate to the smart agent. My primary goal in this research is to contribute to our understanding of the role played by the smart agent's voice (rational vs. emotional) in such relationships. Specifically, in Essay 1, I investigate how identical purchase recommendations delivered in a rational or an emotional voice elicit different consumer responses, when the voice is ascribed to a human versus a smart agent. I argue that consumers perceive smart agents and humans as belonging to distinct categories, which leads them to have different expectations when interacting with them. In Essay 2, I focus on how a smart agent's vocal tone (rational vs. emotional) influences consumer compliance with the agent's recommendation as well as the role of trust as a mediator of the underlying process. The level of intimacy in the relationship between the smart agent and the human user influences whether the voice effect on persuasion is driven by trust that is rooted in cognition (knowledge, competence) or affect (caring, warmth). In Essay 3, I examine whether consumers imbue humanlike qualities (anthropomorphize) a smart agent both mindfully (consciously) and mindlessly (non-consciously) based on the agent's voice. In addition to using available measures of conscious anthropomorphism, I develop an auditory analog of the implicit association test (IAT) to assesses implicit (non-conscious) anthropomorphism. In additional experiments, I assess the robustness of the auditory IAT test and the relationship between measures of mindful and mindless anthropomorphism. Taken together, the research reported in these three essays contributes to our understanding of the factors driving consumer relationships with smart agents in the rapidly evolving IoT (Internet of Things) world.

Smart Agents

Voice-mediated Communication

Internet of Things

Persuasion

Consumer Behavior