Assignment -3

1) Identify and analyse the security and privacy issues in IoT, particularly the issue of securing its
wireless system

Security challenges within IoT

As the IoT expands and becomes more interwoven into the fabric of our everyday lives, as well as
becoming an increasingly important component of our critical national infrastructure, securing its systems
becomes vital. We discuss some of the most significant challenges, highlighting which principles are
under threat of compromise

1.Physical limitations of devices and communications:

In any application area, IoT devices are usually embedded with low power and low area processors, and it
has been recognised that the Internet Protocol could and should be applied even to the smallest devices.
Constraints on IoT devices limit the ability to process information at speed – there is a limited CPU,
memory, and energy budget. This means that challenging forms of security are required which satisfy the
competing goals of strong performance and minimal resource consumption. Designing appropriately
secure and robust systems is challenging, since communication between nodes is often over ‘lossy and
low-bandwidth channels’.

For security through digital signatures, a public key infrastructure is required, and this is a significant
challenge to IoT systems. Public key infrastructure can protect against both loss of confidentiality and
loss of integrity. However, even the encryption process with the public key requires computational and
memory resources that are beyond many wireless sensor systems, especially when frequent data
transmission is required.

2.Heterogeneity, scale, and ad-hoc nature:

It has been recognised that the high level of heterogeneity, compounded by the large scale of IoT
systems, will magnify security threats to the current internet. Heterogeneity has great influence over the
protocol and network security services that must be implemented in the IoT. Security solutions have to
cope with entities with varying hardware specifications, and need to provide authentication and
authorisation of IoT nodes, as well as key agreement. The lack of open standards and use of proprietary
solutions presents a significant problem, since security solutions must integrate with ‘black boxes’.
Allowing developers to implement security based on their own proprietary standards can lead to ‘security
through obscurity’, recognised as a flawed technique within the ambit of security. Security issues are
further exacerbated due to the fact that ‘transient and permanent random failures are common place, and
failures are vulnerabilities that can be exploited by attackers’, and that the ad hoc nature of the IoT
requires the tailoring of existing techniques. Clearly, as the number of devices connected to the internet
grows, so do security and privacy issues.

Many components of the IoT, particularly in the health and transport and logistics domains are also
mobile. This presents a challenge in ensuring that security solutions adapt to the mobile environment,
interacting with many different components and systems, each potentially offering different settings,
protocols, and standards.

3.Authentication and identity management:

Authentication within the IoT is critical, since without appropriate authentication the confidentiality,
integrity, and availability of systems can be compromised. This is because if an adversary can
authenticate as a legitimate user, they will have access to any data that the user has, and can see, modify,
and delete or restrict availability in the same way that the user can. The authentication and identification
of users in the IoT remains a significant challenge. Currently, username/password pairs are the most
common form of authentication and identification of users in electronic systems, though other forms such
as shared keys, digital certificates, or biometric credentials may be used.

Furthermore mobility, privacy, and anonymity require further analysis and research. Those IoT systems
that feature mobile services will have users passing through different architectures and infrastructures
owned by different providers. Managing the identity of users in such mobile, heterogeneous, and multiply
owned environments can be challenging. The issue of anonymity in the IoT presents a particular
challenge, especially in mobile environments. To be effective in IoT systems, there remains a challenge
for pseudonyms to operate in a standardised manner across multiple domains.

It is not just the identification and authentication of users that requires consideration. It is also necessary
to identify and validate service and devices in IoT systems. It can be challenging to perform
a strong authentication of devices in the IoT ‘because of the nature of the device or the context in which
it is being used’.

4.Authorisation and access control

It has been recognised that there is a need to ‘exercise access control over [the Internet of Things] at the
edge of the network in the device or, at least, a local access controller for the device’. There is an
important role in establishing whether the user, once identified and validated, has permission to access
the requested resources. Access control requires communication between entities to request and grant
access. Effective access control in an IoT context is challenging. In many IoT systems there is the
likelihood that the number of roles will grow rapidly, and thus handling all these roles, especially during
system updates, becomes difficult if fine-grained access control is intended.

5.Implementation, updating, responsibility, and accountability

It is vital, though often overlooked in discussion, that the implementation and updating of security
protection must be both manageable and low cost. IoT systems can be geographically remote and involve
sensors and actuators in extreme and challenging environments so there is a need for remote access to
allow these system updates. Designing a secure mechanism for dynamic installation is a challenging task.
It must also be recognised that updates can change the functionality of devices, and these changes may
not always be aligned with user expectations. Since the IoT, comprises different devices,
communications, infrastructure, and services under different control and ownership, determining
responsibility and liability remain a challenge. Whilst legal liability may lie with one organisation, the
impact of a seemingly innocuous attack on one component could cause catastrophic, irrevocable damage
to another. One minor vulnerability in one device or service may be exploited along with other,
seemingly innocuous vulnerabilities elsewhere in the system, controlled, owned or supplied by different
parties. If this leads to a major compromise, the level or responsibility of each party may not be
immediately clear. This makes it difficult to make a case for security investment.

6.Security issues in connected and autonomous vehicles

The connected and autonomous vehicles (CAV) area is complex and involves many different sensors,
actuators, infrastructure, communications protocols, and services. Modern vehicles have between 70 and
100 integrated electronic control units (ECUs) for various applications. Different manufacturers employ
different networks, but modern vehicles will feature a number of these network types. However, these
protocols were designed prioritising efficiency and safety rather than security.

Many applications in CAV involve a combination of personal and vehicular data that is sent externally.
This type of data can have its confidentiality and privacy breached in a number of ways. It is also
possible to undertake man in the middle attacks on the wireless communications entering a vehicle,
thereby compromise the integrity of that data. As connected vehicles interact with and become dependent
upon infrastructures such as Cloud and Edge-cloud, the risk and impact of attacks on the availability of
systems will increase.

Privacy challenges in the IoT

Privacy is seen as a major concern in the IoT. The IoT has made an enormous quantity of data available,
belonging not only to consumers such as is the case with the World Wide Web, but to citizens in general,
groups, and organisations. This can be used to establish what we are interested in, where we go, and our
intentions. Whilst this can provide great opportunities for improved services, it must be weighed against
our desire for privacy. It is vital that consumers trust the services they engage with to respect their
privacy. Trust is a fundamental element in the forming of any relationship, and is a vital factor in the
adoption of new technology. People will not use new technology if they do not have sufficient trust in the
safeguarding of privacy, security, and safety, and this is particularly true in complex systems such as the
IoT.

Sensors, including those embedded in mobile devices, collect a variety of data about the lives of citizens.
This data will be aggregated, analysed, processed, fused, and mined in order to extract useful information
for enabling intelligent and ubiquitous services. Trust refers to the determining of when and to whom
information should be released or disclosed. Techniques employed included clearing cookies, avoiding
using their real name, encrypting email and using virtual networks to hide their internet protocol (IP)
address.

A variety of privacy enhancing technologies have been developed for ensuring privacy, including Virtual
Private Networks, Transport Layer Security, DNS Security Extension, Onion Routing, and Private
Information Retrieval.

1.Too Much Data: The sheer amount of data that IoT devices can generate is staggering. A Federal
Trade Commission report entitled "Internet of Things: Privacy & Security in a Connected World" found
that fewer than 10,000 households can generate 150 million discrete data points every day. This creates
more entry points for hackers and leaves sensitive information vulnerable.

2.Unwanted Public Profile:  The aforementioned FTC report found that companies could use collected
data that consumers willingly offer to make employment decisions. For example, an insurance company
might gather information from you about your driving habits through a connected car when calculating
your insurance rate. The same could occur for health or life insurance thanks to fitness trackers.

3.Eavesdropping: Manufacturers or hackers could actually use a connected device to virtually invade a

person's home. German researchers accomplished this by intercepting unencrypted data from a smart
meter device to determine what television show someone was watching at that moment.

4.Consumer Confidence: Each of these problems could put a dent in consumers' desire to purchase
connected products, which would prevent the IoT from fulfilling its true potential.

2) Describe how blockchain is integrated and utilized in IoT.

It is a modular architecture whereby each layer is decoupled from other layers so that developers can
replace or add any new module without affecting the rest of the system. The IoT physical layer consists
of various linked devices with the abilities of communication, computing, and data storage. The main
function provided by the connectivity layer is routing management, because self-organization is required
since physical devices themselves have no global internet protocols (IPs). This layer also contains other
modules for providing services, including network management, security management, and message
broker. The IoT blockchain service layer contains all modules that organize common services to provide
various features of blockchain technologies, including identity management, consensus, and peer-to-peer
(P2P) communication. The distributed ledger is a consensus of replicated, shared, and synchronized
digital data that spread across the whole blockchain network, where all participants with the network can
have their own selfsame copy of the ledger. It also provides secure storage space to record the device
configuration and sensing data provided by physical sensors. Any changes to the ledger are reflected in
all copies in minutes, or in some cases, seconds. The ledger can be either permissioned or permissionless,
regarding if anyone or only approved members can run a peer to validate transactions. The big data
analytics module enables the blockchain to be an efficient mode for online data storage. Lots of
transactional data from various parties are stored in structured forms of ledgers, which makes it a perfect
source for further analysis. All of these parties can be granted access to one single network and it will be
convenient to access these details. The smart contract is sort of code invoked by an external client
application to manage access and modifications in the ledger. It is usually installed and instantiated onto
every peer of the network. The event management sends events every time a new block is added to ledger
or triggered whenever the predefined condition in the smart contract is fulfilled. The API interface
exposes the services provided by the blockchain network as services through which the client application
can access and manage the network. The top layer is the application layer, where various interfaces are
provided to visualize the data from physical devices, to manipulate and control devices.