http://www.infoworld.com/category/security/
http://www.infoworld.com/article/3144362/devops/10-key-security-terms-devops-ninjas-need-to-know.html//
[Paraphrase the paragraph: rewrite in your own words] However, the integration of these smart things into the standard Internet , Moreover, commercialization of IoT has led to public security concerns, including personal privacy issues, threat of cyber attacks, and organized crime. , this survey attempts to provide a comprehensive list of vulnerabilities and countermeasures against services on the edge-side layer of IoT, which consists of three levels: (i) edge nodes, (ii) communication, and (iii) edge computing. To achieve this goal, a brief discussion of three widely-known IoT reference models and definition of security in the context of IoT healthcare is made. Second, we discuss the possible applications of IoT and potential motivations of the attackers who target this new paradigm. Third, we discuss different attacks and threats [Arsalan Mohsen Nia, Student Member, IEEE, and Niraj K. Jha, Fellow, IEEE, A Comprehensive Study of Security of Internet-of-Things, http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?arnumber=7562568]
[Mine] Security must be preserved at the edge computing devices, the point at which data is processed. An insecure product may not be the ultimate target but could provide the pivot point for an attack elsewhere in the system. The study surveys models and standards of IoT in healthcare practice and identifies emerging security threats and privacy issues at the edge of IoT for patients as consumers, where it is an uphill task to physically secure smart devices, safeguard health and safety, and ensure trust and privacy of data exchange on the patient's network. This paper surveys both physical and data security issues, including privacy concerns, at the edge-side layer of IoT. [Mine] The paper is more concerned with IoT consumer technologies, involving both the technologies and the users. Emphasis is placed on the security of human medical health systems at the edge-side layer of the IoT reference model.
A. Mohsen Nia; N. K. Jha, "A Comprehensive Study of Security of Internet-of-Things," in IEEE Transactions on Emerging Topics in Computing, vol. PP, no. 99, pp. 1-1, doi: 10.1109/TETC.2016.2606384
II THE IoT SYSTEM MODEL
To understand the security challenges in an IoT system, it is imperative to understand its building blocks with regard to functionality and requirements. The survey considers the CISCO seven-layer model in [A. Mohsen Nia; N. K. Jha, "A Comprehensive Study of Security of Internet-of-Things," in IEEE Transactions on Emerging Topics in Computing, vol. PP, no. 99, pp. 1-1, doi: 10.1109/TETC.2016.2606384 [Mine] http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?arnumber=7562568&tag=1 ]
* Level 1-Edge devices: The first level of this reference model typically consists of computing nodes, e.g., smart controllers, sensors, RFID readers, etc., and different versions of RFID tags. Data confidentiality and integrity must be taken into account from this level upwards.
* Level 2-Communication: The communication level consists of all the components that enable transmission of information or commands: (i) communication between devices in the first level, (ii) communication between the components in the second level, and (iii) transmission of information between the first and third levels (edge computing level).
* Level 3-Edge computing: Edge computing, also called fog computing, is the third level of the model in which simple data processing is initiated. This is essential for reducing the computation load in the higher level as well as providing a fast response. Most real-time applications need to perform computations as close to the edge of the network as possible. The amount of processing in this level depends on the computing power of the service providers, servers, and computing nodes. Typically, simple signal processing and learning algorithms are utilized here.
* Level 4-Data accumulation: Most of the applications may not need instant data processing. This level enables conversion of data in motion to data at rest, i.e., it allows us to store the data for future analysis or to share with high-level computing servers. The main tasks of this level are converting the format from network packets to database tables, reducing data through filtering and selective storing, and determining whether the data are of interest to higher levels.
* Level 5-Data abstraction: This level provides the opportunity to render and store data such that further processing becomes simpler or more efficient. The common tasks of entities at this level include normalization, denormalization, indexing and consolidating data into one place, and providing access to multiple data stores.
* Level 6-Applications: The application level provides information interpretation, where software cooperates with data accumulation and data abstraction levels. The applications of IoT are numerous and may vary significantly across markets and industrial needs.
* Level 7-Users and centers: The highest level of the IoT is where the users are. Users make use of the applications and their analytical data.
However, this paper places more emphasis on security and privacy at the edge-side layers, namely the perception and network layers [Q. Jing et al., Security of the Internet of Things: Perspectives and Challenges, Wireless Networks, vol. 20, no. 8, 2014, pp. 2481-2501]. The perception layer deals with low-level data transmission (device level), whereas the network layer deals with Internet-level data transmission.
TECHNOLOGICAL OUTLOOK OF INTERNET OF THINGS
* A solution is remote monitoring or telemonitoring that helps the physicians to follow up the progress of the patient and decide if a medical assistant or a doctor must be present or if the patient will be transported to another medical facility. In this way patients retain the quality of medical services but at lower cost.
* The 2net Platform is designed for maximum security and interoperability, offering a menu of plug-and-play wireless health solutions that work within an FDA-listed enterprise grade infrastructure. Solutions developed using this platform can be rapidly deployed and scaled so that organizations can quickly meet their remote monitoring and care management goals. Patient self-management combined with connectivity to a care network is an emerging model that enables scalable chronic disease management for patients and providers. [Jon Markman, The IoT Is Coming To Healthcare, http://www.forbes.com/sites/jonmarkman/2016/09/15/the-iot-is-coming-to-healthcare/#14140e075036 , 2016.]
* Edisse has a prototype wearable sensor for real-time tracking, fall detection, and alerts. It basically combines the GPS, mobile data, short messaging services (SMSs), and an accelerometer to detect unusual movements such as a fall and then reports them to a third party such as adult children or other caregivers [108]
* This wrist band sends this vital information to the user's smartphone. A group of researchers in Korea has introduced a sufficiently compact and subtle wearable BP sensor that can be used to deliver nonstop monitoring for a long period without disturbing the daily activity of the user [116]. An iHealth Lab team has developed a set of IoT healthcare devices including a wireless BP wrist monitor, a BP dock, a wireless body analysis scale, iHealth Lite, iHealth Edge, a wireless pulse oximeter, iHealth Align, and a wireless smart glucose-monitoring system [117]
* S. M. R. Islam, D. Kwak, M. H. Kabir, M. Hossain and K. S. Kwak, "The Internet of Things for Health Care: A Comprehensive Survey," in IEEE Access, vol. 3, no. , pp. 678-708, 2015. doi: 10.1109/ACCESS.2015.2437951 http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7113786&isnumber=7042252
* GLUCOSE LEVEL SENSING: Diabetes is a group of metabolic diseases in which there are high blood glucose (sugar) levels over a prolonged period. Blood glucose monitoring reveals individual patterns of blood glucose changes and helps in the planning of meals, activities, and medication times. An m-IoT configuration method for noninvasive glucose sensing on a real-time basis is proposed in [28]. In this method, sensors from patients are linked through IPv6 connectivity to relevant healthcare providers. The utility model in [65] unveils a transmission device for the transmission of collected somatic data on blood glucose based on IoT networks. This device includes a blood glucose collector, a mobile phone or a computer, and a background processor. A similar innovation is found in [66]. In addition, a generic IoT-based medical acquisition detector that can be used to monitor the glucose level is proposed in [67].
* Wheelchair Management: Many researchers have worked to develop smart wheelchairs with full automation for disabled people. The IoT has the potential to accelerate the pace of work. A healthcare system for wheelchair users based on the IoT technology is proposed in [40]. The design comes with WBANs integrated with various sensors whose functions are tailored to IoT requirements. A medical support system considering peer-to-peer (P2P) and the IoT technology is implemented in [91]. This system provides for chair vibration control and can detect the status of the wheelchair user. Another noteworthy example of IoT-based wheelchair development is the connected wheelchair designed by Intel's IoT department [92]. This development eventually shows that standard things can evolve into connected machines driven by data. This device can monitor vitals of the individual sitting in the chair and collect data on the user's surroundings, allowing for the rating of a location's accessibility.
* MEDICATION MANAGEMENT: The noncompliance problem in medication poses a serious threat to public health and causes huge financial waste across the world. To address this issue, the IoT offers some promising solutions. An intelligent packaging method for medicine boxes for IoT-based medication management is proposed in [89]. This method entails a prototype system of the I2Pack and the iMedBox and verifies the system by field trials. This packaging method comes with controlled sealing based on delamination materials controlled by wireless communications. The eHealth service architecture based on RFID tags for a medication control system over the IoT network is presented in [90]. Here the prototype implementation is demonstrated, and this ubiquitous medication control system is designed specifically for providing AAL solutions.
* 2) ELECTROCARDIOGRAM MONITORING: The monitoring of the electrocardiogram (ECG), that is, the electrical activity of the heart recorded by electrocardiography, includes the measurement of the simple heart rate and the determination of the basic rhythm as well as the diagnosis of multifaceted arrhythmias, myocardial ischemia, and prolonged QT intervals [68]. The application of the IoT to ECG monitoring has the potential to give maximum information and can be used to its fullest extent [69]. A number of studies [20], [31], [33], [35], [40], [56], [70] have explicitly discussed IoT-based ECG monitoring. The innovation in [71] introduces an IoT-based ECG monitoring system composed of a portable wireless acquisition transmitter and a wireless receiving processor. The system integrates a search automation method to detect abnormal data such that cardiac function can be identified on a real-time basis. There exists a comprehensive detection algorithm of ECG signals at the application layer of the IoT network for ECG monitoring [72].
* OXYGEN SATURATION MONITORING: Pulse oximetry is suitable for the noninvasive nonstop monitoring of blood oxygen saturation. The integration of the IoT with pulse oximetry is useful for technology-driven medical healthcare applications. A survey of CoAP-based healthcare services discusses the potential of IoT-based pulse oximetry [80]. The function of the wearable pulse oximeter Wrist OX2 by Nonin is illustrated in [31]. This device comes with connectivity based on a Bluetooth health device profile, and the sensor connects directly to the Monere platform. An IoT-optimized low-power/low-cost pulse oximeter for remote patient monitoring is proposed in [81]. This device can be used to continuously monitor the patient's health over an IoT network. An integrated pulse oximeter system for telemedicine applications is described in [82]. A wearable pulse oximeter for health monitoring using the WSN can be adapted to the IoT network [83].
* 3) BLOOD PRESSURE MONITORING: The question of how the combination of a KIT blood pressure (BP) meter and an NFC-enabled KIT mobile phone becomes part of BP monitoring based on the IoT is addressed in [47]. A motivating scenario in which BP must be regularly controlled remotely is presented by showing the communications structure between a health post and the health center in [73]. The question of how the Withings BP device operates depends on the connection to an Apple mobile computing device is addressed in [74]. A device for BP data collection and transmission over an IoT network is proposed in [75]. This device is composed of a BP apparatus body with a communication module. A location-intelligent terminal for carry-on BP monitoring based on the IoT is proposed in [76].
* Rehabilitation System: Because physical medicine and rehabilitation can enhance and restore the functional ability and quality of life of those with some physical impairment or disability, they represent a vital branch of medicine. The IoT has the potential to enhance rehabilitation systems in terms of mitigating problems linked to aging populations and the shortage of health experts. An ontology-based automating design method for IoT-based smart rehabilitation systems is proposed in [42]. This design successfully demonstrates that the IoT can be an effective platform for connecting all necessary resources to offer real-time information interactions. IoT-based technologies can form a worthwhile infrastructure to support effective remote consultation in comprehensive rehabilitation [84]. There are many IoT-based rehabilitation systems such as an integrated application system for prisons [85], the rehabilitation training of hemiplegic patients [86], a smart city medical rehabilitation system [87], and a language-training system for childhood autism [88].
* Asthma Monitoring: Observation is the key to asthma management. Knowing when, where and what triggers an attack is critical to maintaining an adequate environment and alleviating symptoms. A peak flow meter is a simple hand-held device for asthma monitoring. A wearable stethoscope to continuously monitor patients with asthma or other pulmonary diseases is described by [17]. The system transmits the signals via a wireless sensor attached to the skin. A wearable sensor system consisting of a wristband and chest patch for understanding impacts of ozone on chronic asthma conditions is described by [18]. The data from the device is streamed and transferred to a server for cloud storage. The battery life of the wristband is around 15 hours and that of the chest patch is around 36 hours.
* Nowadays, there is a wide variety of AmI systems [4], such as ambient assisted living (AAL),
Philips is developing HealthSuite, a cloud-enabled connected health ecosystem of devices, apps and digital tools that will work seamlessly together to empower personalized health and continuous care. HealthSuite is purpose-built to benefit consumers, patients and populations across the health continuum, from healthy living and prevention to diagnosis, treatment and home care.
As well as helping to improve the efficiency and personalization of healthcare, our aim is to make consumers feel empowered. So instead of health being something monitored and treated by healthcare professionals, where the consumer is only informed and not involved, they are empowered to take more proactive ownership of their own health.
II SECURITY REQUIREMENT OF IoT IN THE CONTEXT OF HEALTH CARE
INTRO: The thing is only as secure as the network in which it resides: this includes the people, processes and technologies involved in its development, delivery modes (hardware and software) and usage [Mine]. [Christian Lesjak, Daniel Hein & Johannes Winter, Hardware-Security Technologies for Industrial IoT: TrustZone and Security Controller, Industrial Electronics Society, IECON 2015 - 41st Annual Conference of the IEEE, Issue Date: 9-12 Nov. 2015, http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?arnumber=7392493&tag=1]
Thus, a secure IoT must meet functional requirements, and [M. Zhang, A. Raghunathan, and N. K. Jha, Trustworthiness of medical devices and body area networks, Proceedings of the IEEE, vol. 102, no. 8, pp. 1174-1188, 2014. http://0-ieeexplore.ieee.org.brum.beds.ac.uk/xpls/icp.jsp?arnumber=6827202#at-glance ] identified the following requirements that characterize a secure system:
* Reliability
* Confidentiality
* Integrity
* Availability
* Privacy
Security requirements are broken down into three main categories: (i) confidentiality, (ii) integrity, and (iii) availability, referred to as the CIA-triad. Confidentiality entails applying a set of rules to limit unauthorized access to certain information. It is crucial for IoT devices because they might handle critical personal information, e.g., medical records and prescription. For instance, an unauthorized access to personal health devices may reveal personal health information or even lead to life-threatening situations [11]. Integrity is also necessary for providing a reliable service. The device must ensure that the received commands and collected information are legitimate.
Cherdantseva et al. show that the CIA-triad does not address new threats that emerge in a collaborative security environment [Y. Cherdantseva and J. Hilton, A reference model of information assurance & security, in Proc. IEEE 8th Int. Conf. Availability, Reliability and Security, 2013, pp. 546-555]. They provide a comprehensive list of security requirements by analyzing and examining a variety of information, assurance, and security literature. This list is called the IAS-octave and is proposed as an extension to CIA-triad.
EXPLANATION but paraphrase accordingly
[M. Zhang, A. Raghunathan, and N. K. Jha, Trustworthiness of medical devices and body area networks, Proceedings of the IEEE, vol. 102, no. 8, pp. 1174-1188, 2014]
[Explain in detail each of these...] A technology is classified insecure if these requirements are lacking.
First, a remote, or software, attacker gains privileged access to the industrial equipment's processor via a network connection. This attacker does not have physical access to the equipment hardware. But after a successful software attack he can arbitrarily access the data authentication mechanisms, and even worse, extract cryptographic keys, such as the secret snapshot authentication key. Second, a local attacker has physical access to the industrial equipment's electronics. Such an attacker may be an insider attacker, like a disgruntled employee, or an intruder into company facilities. Upon success a local attacker may read out the equipment's memory to extract cryptographic credentials.
Bot frameworks, machine learning, and cognitive services: all three are part of the Cortana Intelligence Suite, Microsoft's ambition to transform data into intelligent action
For fig below: [A. Mohsen Nia; N. K. Jha, "A Comprehensive Study of Security of Internet-of-Things," in IEEE Transactions on Emerging Topics in Computing, vol. PP, no. 99, pp. 1-1, doi: 10.1109/TETC.2016.2606384, [Mine] http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?arnumber=7562568 ]
III. IoT HEALTH CARE SYSTEM
IoT medical devices fall under the U.S. Food and Drug Administration classification for standard medical devices. Each device approved by the FDA is classified into general and special control. Challenges abound for medication requiring special control, and in IoT they are close at hand with IWMDs (implantable and wearable medical devices) of two kinds: sensors that monitor the patient's ECG, temperature, blood glucose and oxygen levels, etc., and actuators that deliver therapies, such as cardiac pacing and drug injection [M. Zhang, A. Raghunathan, and N. K. Jha, Trustworthiness of medical devices and body area networks, Proceedings of the IEEE, vol. 102, no. 8, pp. 1174-1188, 2014].
However, [S. M. R. Islam, D. Kwak, M. H. Kabir, M. Hossain and K. S. Kwak, "The Internet of Things for Health Care: A Comprehensive Survey," in IEEE Access, vol. 3, no. , pp. 678-708, 2015. doi: 10.1109/ACCESS.2015.2437951
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7113786&isnumber=7042252]
Others are replacement heart valves, cardiac pacemakers, and neurostimulators. Devices with a minimal risk, such as tongue depressors and handheld surgical instruments. wheelchairs, surgical needles, and infusion pumps [M. Mozaffari-Kermani, M. Zhang, A. Raghunathan, and N. K. Jha, Emerging frontiers in embedded security, in Proc. IEEE Int. Conf. VLSI Design, 2013, pp. 203-208, http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?tp=&arnumber=7562568&tag=1 ]. IoT-based long-term personal health monitoring and drug delivery systems, in which various physiological signals are captured, analyzed, and stored for future use, provide a fundamentally new approach to healthcare.
An actuator is usually equipped with a programmer to change configurations or issue commands wirelessly. For certain devices, such as pacemakers, programmers are available only in clinics or hospitals, and the patient must visit a qualified healthcare provider for device tuning. For other devices, such as insulin pumps, patient programmers are available that allow patients to adjust the devices to meet their needs at any time.
However, due to their increasing functional complexity, ensuring the reliability of IWMDs is more challenging than ever. As devices become increasingly smaller in size, but more complex in both software and hardware, their design, testing, and eventual regulatory approval are becoming much more expensive for medical device manufacturers, both in terms of time and cost. The number of devices that have recently been recalled due to software and hardware defects is increasing at an alarming rate.
Thus, the IoT healthcare domain deals with object tracking, identification/authentication of people, and automatic data collection/sensing [D. Puthal, S. Nepal, R. Ranjan and J. Chen, "Threats to Networking Cloud and Edge Datacenters in the Internet of Things," in IEEE Cloud Computing, vol. 3, no. 3, pp. 64-71, May-June 2016. doi: 10.1109/MCC.2016.63 http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?tp=&arnumber=7503493&isnumber=7503478 ]
III SOURCES OF ATTACK
The overall IoT system is prone to both physical and cyber threats. Sources of attacks in IoT:
1. Apps: personal details, your whereabouts and daily routines, and financial information, such as bank account.
2. Communication system: disruption and non-availability of the network system. An attack on a segment of the network could affect other sections of the network [Mine].
3. Smart infrastructure systems: door and window security alarms, wifi and Internet access, central heating, lighting. For business these include: door and window security alarms, wifi and Internet access, heating, ventilation & air conditioning, server room chillers and power supplies, lifts, lighting, refrigeration.
IV FORMS OF ATTACK ON IoT HEALTH SERVICES OR SECURITY ISSUES IN IOT HEALTH CARE S
Using the IoT reference model, methods of attack at the perception layer are considered, namely the device, network and actuators.
1. Perception Device:
Physical Tampering: An adversary can physically tamper with (for example, switch off, restart) the node and steal keys, code, and data. An adversary may extract on-device program codes, keys, and data. An attacker may reprogram compromised devices with malicious codes.
Eavesdropping: tool installed on computers without permission. Sensor device capture. An adversary can collect information about the EDC by eavesdropping on the wireless medium and use this information to hack sensor devices. https://www.theguardian.com/technology/2015/jun/23/google-eavesdropping-tool-installed-computers-without-permission
Sybil attack: An attacker can forge the identities of more than one sensor device, resulting in
2. Edge Computing: Edge computing nodes: We begin with attacks against the edge computing nodes, e.g., RFID readers, sensor nodes, and compact controlling nodes. The following are possible attacks at the perception network layer in an EDC:
In man-in-the-middle attacks, intruders secretly introduce themselves and alter the communication link between source sensor device, gateways, in-transit network devices, and the CDC.
Jamming occurs if the malicious device broadcasts radio signals on the same frequency as the source sensor device, overpowering the original signal. The jam signal results in additional collisions to other frames and leads to excessive wait times for non-transmitting devices.
In a timing attack, an attacker can obtain the secret and shared key information by analyzing the encryption algorithm. An attacker can predict how much time he or she needs to get all possible secret keys and use each key to decrypt the encrypted data packets.
A replay attack, which is mainly employed during authentication, destroys the certificate's validity. In this type of attack, the intruder can provide a false response on behalf of the destination node to get access to the trusted properties of the source-sensing device.
In routing threats, an attacker can create routing loops by tampering with and resending or blocking the routing information. This type of attack blocks data packet transmission via the network layer, leading to aggravated delays.
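Added example (not from these notes or the cited papers): one common gateway-side defence against the man-in-the-middle alteration and replay attacks listed above, using a per-device HMAC-SHA256 tag and a strictly increasing counter. The frame layout, device IDs, key and sample readings are assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

TAG_LEN = 32                      # HMAC-SHA256 output size in bytes
HEADER = struct.Struct(">4sQ")    # assumed layout: 4-byte device id, 8-byte counter


def build_frame(key: bytes, device_id: bytes, counter: int, payload: bytes) -> bytes:
    """Sensor side: header || payload || HMAC(key, header || payload)."""
    body = HEADER.pack(device_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Gateway side: rejects forged, altered and replayed sensor frames."""

    def __init__(self, device_keys: dict[bytes, bytes]):
        self._keys = device_keys                    # enrolled devices only
        self._last_counter: dict[bytes, int] = {}   # highest counter accepted

    def accept(self, frame: bytes) -> tuple[bool, str]:
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self._keys.get(device_id)
        if key is None:
            # An identity that was never enrolled cannot join the network.
            return False, "unknown-device"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # compare_digest runs in constant time, so the comparison itself
        # does not leak how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac"
        # The counter is checked only after the tag verifies, so a forged
        # frame can never advance the stored counter.
        if counter <= self._last_counter.get(device_id, -1):
            return False, "replay"
        self._last_counter[device_id] = counter
        return True, "ok"


def demo() -> list[str]:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    gw = Gateway({b"ecg1": key})
    f1 = build_frame(key, b"ecg1", 1, b"hr=72")
    f2 = build_frame(key, b"ecg1", 2, b"hr=75")
    tampered = bytearray(build_frame(key, b"ecg1", 3, b"hr=74"))
    tampered[HEADER.size + 3] ^= 0x01       # one payload bit altered in transit
    unenrolled = build_frame(b"\x00" * 16, b"ecg9", 1, b"hr=10")
    frames = [f1, f1, bytes(tampered), unenrolled, f2]
    return [gw.accept(f)[1] for f in frames]


if __name__ == "__main__":
    print(demo())
```

In a deployed system the last accepted counter has to survive a gateway restart, otherwise previously captured frames become acceptable again.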
3. Actuator networks:
Attacks here involve loss of privacy or incorrect or delayed data. These are common in healthcare, position and animal tracking, and transportation [D. Puthal, S. Nepal, R. Ranjan and J. Chen, "Threats to Networking Cloud and Edge Datacenters in the Internet of Things," in IEEE Cloud Computing, vol. 3, no. 3, pp. 64-71, May-June 2016. doi: 10.1109/MCC.2016.63]. Common security challenges at the edge computing nodes are:
* Malware and Trojan attack: [Mine] This type of attack involves malicious alteration of software code, changes in integrated circuits (ICs) of sensors and encryption keys of IoT systems. The modus operandi is to trigger a malicious attack at a set time, when a condition is met. [S. Bhasin and F. Regazzoni, A survey on hardware Trojan detection techniques, in Proc. IEEE Int. Symp. Circuits and Systems, 2015, pp. 2021-2024.]. While software Trojan horses (STH) are found in operating systems to harm and steal privileged information, hardware Trojans are embedded in chips of host devices. There they create a backdoor to undermine the system and hijack sensitive information [Mine]. Other threats, such as Trojans, keyloggers, botnets, and rootkits, have emerged and keep evolving and adapting to new platforms. Smartphone platforms, such as Android and iOS, have been breached by mobile malware [61], [62] [Search online for reference].
[Arsalan Mohsen Nia, Student Member, IEEE and Niraj K. Jha, A Comprehensive Study of Security of Internet-of-Things, Published in Transactions on Emerging Topics in Computing, 2016]. Hardware Trojans have emerged as a major security concern for integrated circuits [17] [21]. Security of a computer system has been traditionally related to the security of the software or the information being processed. The underlying hardware used for information processing has been considered trusted. The emergence of hardware Trojan attacks violates this root of trust. These attacks, in the form of malicious modifications of electronic hardware at different stages of its life cycle, pose major security concerns in the electronics industry. An adversary can mount such an attack with an objective to cause operational failure or to leak secret information from inside a chip, e.g., the key in a cryptographic chip, during field operation [S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan, Hardware Trojan attacks: Threat analysis and countermeasures, Proceedings of the IEEE, vol. 102, no. 8, pp. 1229-1247, 2014.].
* Non-network side-channel attacks: Side-channel attacks exploit information leaked through physical channels, such as power consumption, execution time, electromagnetic emission. The schedule of health sessions and video calls, for example, could be deduced from monitoring the network traffic flow [M. Zhang, A. Raghunathan and N. K. Jha, "Trustworthiness of Medical Devices and Body Area Networks," in Proceedings of the IEEE, vol. 102, no. 8, pp. 1174-1188, Aug. 2014. doi: 10.1109/JPROC.2014.2322103 http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6827202]
Each node may reveal critical information under normal operation, even when not using any wireless communication to transmit data. For example, the electromagnetic (EM) signature, i.e., the EM waves emitted by the node, can provide valuable information about the status of the device. In this case, known signals and protocols could be tapped, and the transmitted information and content decoded to the detriment of the user [A. M. Nia, S. Sur-Kolay, A. Raghunathan, and N. K. Jha, Physiological information leakage: A new frontier in health information security, accepted for publication in IEEE Trans. Emerging Topics in Computing].
IoT live video surveillance systems have been observed to be prone to side-channel leakage, as users can access live video footage using smart devices at their convenience [Mine]. [H. Li, Y. He, L. Sun, X. Cheng and J. Yu, "Side-channel information leakage of encrypted video stream in video surveillance systems," IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications, San Francisco, CA, 2016, pp. 1-9. doi: 10.1109/INFOCOM.2016.7524621]. Our findings indicate that the traffic patterns of a camera differ significantly when a user performs different activities of daily living such as dressing, styling hair, moving, and eating. By exploiting this side-channel information leakage, we developed a method to infer a user's activities of daily living based only on the size of the encrypted traffic of a video stream. Our experimental results demonstrate that one can easily recognize a user's daily activities with high accuracy.
Another example of a side-channel attack is the energy attack, also known as the power analysis attack, which is currently the most successful example of side-channel attack technology. While a cryptographic chip is processing, there will always be some leaked information such as sound, running time, temperature, power consumption and electromagnetic radiation. Combined with the input, output and design details of the algorithm, this lets the cryptanalyst easily carry out further analysis. Power attack on devices: differential power analysis attack and efficient countermeasures on PRESENT [X. Duan, Q. Cui, S. Wang, H. Fang and G. She, "Differential power analysis attack and efficient countermeasures on PRESENT," 2016 8th IEEE International Conference on Communication Software and Networks (ICCSN), Beijing, 2016, pp. 8-12. doi: 10.1109/ICCSN.2016.7586627]
Next is the vampire attack [A. A. Patel and S. J. Soni, "A Novel Proposal for Defending against Vampire Attack in WSN," 2015 Fifth International Conference on Communication Systems and Network Technologies, Gwalior, 2015, pp. 624-627. doi: 10.1109/CSNT.2015.94], which occurs at the network layer. It leads to resource (energy) depletion at each sensor node by reducing the battery power of any node. These are resource consumption attacks that use routing protocols to permanently disable ad hoc wireless sensor networks by depleting nodes' battery power.
* In man-in-the-middle attacks: intruders secretly introduce themselves and alter the communication link between source sensor device, gateways, in-transit network devices, and the CDC.
* In a HELLO flood: a laptop-class attacker broadcasts information with enough transmission power to convince every node in the network that it's a neighbor. Because the transmission medium is wireless, the affected node selects the attacker as its neighbor for future data transmission.
* Denial of Service (DoS) attacks: Occur due to constraints in the power life of IoT devices. A smaller battery life and power capacity means that any modification could trigger loss of service. The system is characterised as insecure once communication and functionalities are unavailable. A denial-of-service (DoS) attack is produced by the unintentional failure of nodes or malicious action and can severely limit a wireless sensor network's value. [D. Puthal, S. Nepal, R. Ranjan and J. Chen, "Threats to Networking Cloud and Edge Datacenters in the Internet of Things," in IEEE Cloud Computing, vol. 3, no. 3, pp. 64-71, May-June 2016. doi: 10.1109/MCC.2016.63 http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?tp=&arnumber=7503493&isnumber=7503478] Source device authentication problems and delay of sensor device.
There are three well known types of DoS attacks against edge computing nodes: battery draining, sleep deprivation, and outage attacks. [H. Li, Y. He, L. Sun, X. Cheng and J. Yu, "Side-channel information leakage of encrypted video stream in video surveillance systems," IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications, San Francisco, CA, 2016, pp. 1-9. doi: 10.1109/INFOCOM.2016.7524621]
*
Battery Draining:
Sleep Deprivation:
Outage attack:
* In a collision: An intruder alters the transmission octets to disrupt packets.
* Data Rate Attacks
* If the amount of data being transferred from a remote medical sensor depends on any physiological parameters, then an attacker may be able to learn some health information simply from the data transfer rate. For example, if a packet is sent after every heartbeat, the heart rate can be easily inferred from the number of packets being sent per minute. Defense against this type of attack involves using techniques such as padding to maintain the same data rate independent of physiological events.
* Routing diversion attack
* In an exploit attack, an intruder takes advantage of an existing vulnerability and introduces a surprising behavior to confuse data senders and receivers.
* A Fault-Tolerant:
* Heartbleed: An OpenSSL vulnerability in an era of openly connected things. [Queal, Zachary D. "Necessary Implementation of Adjustable Work Factor Ciphers in Modern Cryptographic Algorithms as it Relates to HeartBleed and OpenSSL." 2014] The purpose of Heartbeat in internet communication is to ensure end-to-end monitoring of the connection health. Heartbeat is a process of signaling "I am Alive" to the connected client by a server, or to the server by a client. Heartbleed is a very lethal attack since it steals the memory of a system in plaintext. An embedded device can lose its complete RAM in a few seconds, which may include passwords and security keys [I. Ghafoor, I. Jattala, S. Durrani and C. Muhammad Tahir, "Analysis of OpenSSL Heartbleed vulnerability for embedded systems," 17th IEEE International Multi Topic Conference 2014, Karachi, 2014, pp. 314-319. doi: 10.1109/INMIC.2014.7097358]
* Location cheating attack: allows an attacker to spoof other users to another location and make them query the database with the wrong location, or allows a malicious user to forge a location arbitrarily and query the database for services.
Privacy-Preserving Location Proof for Securing Large-Scale Database-Driven Cognitive Radio Networks http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?arnumber=7275115
* Side channel attack: A more dangerous type of side-channel attack exploits electromagnetic interference (EMI) and differential power analysis (DPA).
In an EMI attack, an attacker induces voltage on conductors. Analog sensors in IWMDs are particularly susceptible. It has been shown that EMI can inhibit pacing and induce defibrillation shocks on implantable cardiac devices at a close distance [D. Kune et al., "Ghost talk: Mitigating EMI signal injection attacks against analog sensors," in Proc. IEEE Symp. Security Privacy, May 2013.]
A DPA attack can extract secret keys from extremely noisy signals and is very difficult to guard against. It employs statistical analysis of measured power consumption traces, which are correlated with the data handled by the physical device [M. Zhang, A. Raghunathan and N. K. Jha, "Trustworthiness of Medical Devices and Body Area Networks," in Proceedings of the IEEE, vol. 102, no. 8, pp. 1174-1188, Aug. 2014. doi: 10.1109/JPROC.2014.2322103 http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6827202]
* Insecure encryption and authentication for wireless: [https://www.pwc.com/ca/en/consulting/publications/2016-01-18-pwc-cyber-savvy-securing-operational-technology-assets.pdf]. In some instances, radio telemetry technologies such as WiMAX and LTE are used to connect remote stations and field devices when physical communication channels are not available. It is not uncommon for the deployed wireless equipment in OT networks to use deprecated security protocols or technologies, leaving them vulnerable to modern eavesdropping and authentication bypass attacks.
Another type of attack could stem from the fact that actual sensed data is encrypted but the sensor device ID is sent unencrypted. This could trigger a chain of new attacks based on some well-known vulnerability of the device type in question. [A. P. Johnson, S. Patranabis, R. S. Chakraborty and D. Mukhopadhyay, "Remote Dynamic Clock Reconfiguration Based Attacks on Internet of Things Applications," 2016 Euromicro Conference on Digital System Design (DSD), Limassol, 2016, pp. 431-438. doi: 10.1109/DSD.2016.16]
* Missing security updates Availability: The inherent danger of this approach is that OT systems end up running outdated software versions with known security vulnerabilities, leading to increased risk of compromise by an attacker. [http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf] page 7
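The data-rate attack in the list above, and the padding defence it names, worked through as an added example (not taken from this page's sources). The heartbeat timestamps are constructed, and SLOT_S, PACKET_LEN and all function names are assumptions of this sketch.

```python
# Added example: data-rate leak from a per-heartbeat sensor, and constant-rate padding.
# SLOT_S, PACKET_LEN and every function name are assumptions made for this sketch.

SLOT_S = 0.25      # fixed transmit interval; must be shorter than the fastest expected beat gap
PACKET_LEN = 32    # every packet has the same on-air size, real or dummy


def beat_times(bpm, duration_s=60.0):
    """Constructed input: evenly spaced heartbeat timestamps in seconds."""
    return [i * 60.0 / bpm for i in range(int(bpm * duration_s / 60.0))]


def naive_sender(beats):
    """One packet per heartbeat. Returns (send_time, length, is_real) tuples."""
    return [(t, PACKET_LEN, True) for t in beats]


def padded_sender(beats, duration_s=60.0):
    """One packet per slot: a queued beat if there is one, otherwise a dummy."""
    sent, queued, i = [], 0, 0
    for slot in range(1, int(duration_s / SLOT_S) + 1):
        slot_end = slot * SLOT_S
        while i < len(beats) and beats[i] < slot_end:
            queued += 1              # a beat occurred before this slot closed
            i += 1
        is_real = queued > 0
        if is_real:
            queued -= 1              # a beat faster than SLOT_S would wait here, not leak
        sent.append((slot_end, PACKET_LEN, is_real))
    return sent


def eavesdropper_view(packets):
    """Payloads are encrypted: an observer sees timing and size only, never is_real."""
    return [(t, length) for t, length, _ in packets]


def packets_per_minute(view, duration_s=60.0):
    """What a passive observer computes; equals the heart rate when unpadded."""
    return len(view) * 60.0 / duration_s


if __name__ == "__main__":
    for bpm in (60, 75, 120):
        beats = beat_times(bpm)
        leak = packets_per_minute(eavesdropper_view(naive_sender(beats)))
        padded = padded_sender(beats)
        flat = packets_per_minute(eavesdropper_view(padded))
        real = sum(1 for _, _, r in padded if r)
        print(f"true={bpm} unpadded={leak:.0f}/min padded={flat:.0f}/min delivered={real}")
```

The cost of the defence is visible in the same numbers: at 60 bpm, three of every four transmitted packets are dummies, which matters on the battery-constrained nodes discussed under DoS.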
HARDWARE-BASED SECURITY
[M. Sabt, M. Achemlal and A. Bouabdallah, "The dual-execution-environment approach: Analysis and comparative evaluation," ICT Systems Security and Privacy Protection, pp. 557-570, 2015].
List kinds of attack AND APPROACHES in IoT
Section II of the paper highlights prevailing security challenges of IoT [Mine].
audio surveillance device for miscreant hackers.
TRUST:
This covers confidentiality and integrity in all interactions within the IoT. However, autonomous interaction of equipment requires trust in the communication gateway of users at the edge and in the integrity of the data [Mine] [Christian Lesjak, Daniel Hein & Johannes Winter, "Hardware-Security Technologies for Industrial IoT: TrustZone and Security Controller," Industrial Electronics Society, IECON 2015 - 41st Annual Conference of the IEEE, Issue Date: 9-12 Nov. 2015, http://0-ieeexplore.ieee.org.brum.beds.ac.uk/stamp/stamp.jsp?arnumber=7392493&tag=1]
Otherwise, data may be maliciously modified by factory outsiders or insiders, in order to sabotage processes. Thus, a major challenge to be addressed is trust in automated process entities.
Finally, some participants pointed out that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential and may result in less widespread adoption.
CriticalMeasure
Privacy
Research Favour
against
analysis
Privacy is a right to control
As one participant stated, promoting privacy and data protection principles remains paramount to ensure societal acceptance of IoT services. [https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf]
The privacy approaches are discussed in three areas, namely: (1) Consumers, (2) Manufacturers, (3) Service Providers.
1. Consumers: [IDENTIFY SECURITY MEASURES] To protect consumers at the edge of IoT from threats and prevent attacks, the UK Home Office identified potential risks and preventive measures for individuals, households and businesses [Mine].