23 research outputs found
A systematic review of crime facilitated by the consumer Internet of Things
The nature of crime is changing — estimates suggest that at least half of all crime is now committed online. Once everyday objects (e.g. televisions, baby monitors, door locks) that are now internet connected, collectively referred to as the Internet of Things (IoT), have the potential to transform society, but this increase in connectivity may generate new crime opportunities. Here, we conducted a systematic review to inform understanding of these risks. We identify a number of high-level mechanisms through which offenders may exploit the consumer IoT including profiling, physical access control and the control of device audio/visual outputs. The types of crimes identified that could be facilitated by the IoT were wide ranging and included burglary, stalking, and sex crimes through to state level crimes including political subjugation. Our review suggests that the IoT presents substantial new opportunities for offending and intervention is needed now to prevent an IoT crime harvest.
Verification of information flow security in cyber-physical systems
With a growing number of real-world applications that are dependent on computation, securing the information space has become a challenge. The security of information in such applications is often jeopardized by software and hardware failures, intervention of human subjects such as attackers, incorrect design specification and implementation, other social and natural causes. Since these applications are very diverse, often cutting across disciplines, a generic approach to detect and mitigate these issues is missing. This dissertation addresses the fundamental problem of verifying information security in a class of real world applications of computation, the Cyber-physical systems (CPSs). One of the motivations for this work is the lack of a unified theory to specify and verify the complex interactions among various cyber and physical processes within a CPS. Security of a system is fundamentally characterized by the way information flows within the system. Information flow within a CPS is dependent on the physical response of the system and associated cyber control. While formal techniques of verifying cyber security exist, they are not directly applicable to CPSs due to their inherent complexity and diversity. This Ph.D. research primarily focuses on developing a uniform framework using formal tools of process algebras to verify security properties in CPSs. The merits in adopting such an approach for CPS analyses are threefold: i) the physical and continuous aspects and the complex CPS interactions can be modeled in a unified way, ii) the problem of verifying security properties can be reduced to the problem of establishing suitable equivalences among the processes, and iii) adversarial behavior and security properties can be developed using the features like compositionality and process equivalence offered by the process algebras. --Abstract, page iii
TorSH: Obfuscating consumer Internet-of-Things traffic with a collaborative smart-home router network
When consumers install Internet-connected smart devices in their homes, metadata arising from the communications between these devices and their cloud-based service providers enables adversaries privy to this traffic to profile users, even when adequate encryption is used. Internet service providers (ISPs) are one potential adversary privy to users’ incoming and outgoing Internet traffic and either currently use this insight to assemble and sell consumer advertising profiles or may in the future do so. With existing defenses against such profiling falling short of meeting user preferences and abilities, there is a need for a novel solution that empowers consumers to defend themselves against profiling by ISP-like actors and that is more in tune with their wishes. In this thesis, we present The Onion Router for Smart Homes (TorSH), a network of smart-home routers working collaboratively to defend smart-device traffic from analysis by ISP-like adversaries. We demonstrate that TorSH succeeds in deterring such profiling while preserving smart-device experiences and without encumbering latency-sensitive, non-smart-device experiences like web browsing.
Inferences from Interactions with Smart Devices: Security Leaks and Defenses
We unlock our smart devices such as smartphones several times every day using a PIN, password, or graphical pattern if the device is secured by one. The scope and usage of smart devices are expanding day by day in our everyday life and hence the need to make them more secure. In the near future, we may need to authenticate ourselves on emerging smart devices such as electronic doors, exercise equipment, power tools, medical devices, and smart TV remote controls. While recent research focuses on developing new behavior-based methods to authenticate these smart devices, PIN and password still remain primary methods to authenticate a user on a device.
Although the recent research exposes the observation-based vulnerabilities, the popular belief is that the direct observation attacks can be thwarted by simple methods that obscure the attacker's view of the input console (or screen). In this dissertation, we study the users' hand movement pattern while they type on their smart devices. The study concentrates on the following two factors: (1) finding security leaks from the observed hand movement patterns (we showcase that the user's hand movement on its own reveals the user's sensitive information) and (2) developing methods to build lightweight, easy to use, and more secure authentication system. The users' hand movement patterns were captured through video camcorder and inbuilt motion sensors such as gyroscope and accelerometer in the user's device.
A multivariant secure framework for smart mobile health application
This is an accepted manuscript of an article published by Wiley in Transactions on Emerging Telecommunications Technologies, available online: https://doi.org/10.1002/ett.3684
The accepted version of the publication may differ from the final published version. Wireless sensor network enables remote connectivity of technological devices such as smart mobile with the internet. Due to its low cost as well as easy availability of data sharing and accessing devices, the Internet of Things (IoT) has grown exponentially during the past few years. The availability of these devices plays a remarkable role in the new era of mHealth. In mHealth, the sensors generate enormous amounts of data and the context-aware computing has proven to collect and manage the data. The context aware computing is a new domain to be aware of context of involved devices. The context-aware computing is playing a very significant part in the development of smart mobile health applications to monitor the health of patients more efficiently. Security is one of the key challenges in IoT-based mHealth application development. The wireless nature of IoT devices motivates attackers to attack on application; these vulnerable attacks can be denial of service attack, sinkhole attack, and select forwarding attack. These attacks lead intruders to disrupt the application's functionality, data packet drops to malicious end and changes the route of data and forwards the data packet to other location. There is a need to timely detect and prevent these threats in mobile health applications. Existing work includes many security frameworks to secure the mobile health applications but all have some drawbacks. This paper presents existing frameworks, the impact of threats on applications, on information, and different security levels. From this line of research, we propose a security framework with two algorithms, i.e., (i) patient priority autonomous call and (ii) location distance based switch, for mobile health applications and make a comparative analysis of the proposed framework with the existing ones. Published onlin
Embedded System Security: A Software-based Approach
We present a body of work aimed at understanding and improving the security posture of embedded devices. We present results from several large-scale studies that measured the quantity and distribution of exploitable vulnerabilities within embedded devices in the world. We propose two host-based software defense techniques, Symbiote and Autotomic Binary Structure Randomization, that can be practically deployed to a wide spectrum of embedded devices in use today. These defenses are designed to overcome major challenges of securing legacy embedded devices. To be specific, our proposed algorithms are software-based solutions that operate at the firmware binary level. They do not require source-code, are agnostic to the operating-system environment of the devices they protect, and can work on all major ISAs like MIPS, ARM, PowerPC and X86. More importantly, our proposed defenses are capable of augmenting the functionality of embedded devices with a plethora of host-based defenses like dynamic firmware integrity attestation, binary structure randomization of code and data, and anomaly-based malcode detection. Furthermore, we demonstrate the safety and efficacy of the proposed defenses by applying them to a wide range of real-time embedded devices like enterprise networking equipment, telecommunication appliances and other commercial devices like network-based printers and IP phones. Lastly, we present a survey of promising directions for future research in the area of embedded security.
A model personal energy meter
Every day each of us consumes a significant amount of energy, both directly through transport, heating and use of appliances, and indirectly from our needs for the production of food, manufacture of goods and provision of services. This dissertation investigates a personal energy meter which can record and apportion an individual's energy usage in order to supply baseline information and incentives for reducing our environmental impact.
If the energy costs of large shared resources are split evenly without regard for individual consumption each person minimises his own losses by taking advantage of others. Context awareness offers the potential to change this balance and apportion energy costs to those who cause them to be incurred. This dissertation explores how sensor systems installed in many buildings today can be used to apportion energy consumption between users, including an evaluation of a range of strategies in a case study and elaboration of the overriding principles that are generally applicable. It also shows how second-order estimators combined with location data can provide a proxy for fine-grained sensing.
A key ingredient for apportionment mechanisms is data on energy usage. This may come from metering devices or buildings directly, or from profiling devices and using secondary indicators to infer their power state. A mechanism for profiling devices to determine the energy costs of specific activities, particularly applicable to shared programmable devices is presented which can make this process simpler and more accurate. By combining crowdsourced building-inventory information and a simple building energy model it is possible to estimate an individual's energy use disaggregated by device class with very little direct sensing.
Contextual information provides crucial cues for apportioning the use and energy costs of resources, and one of the most valuable sources from which to infer context is location. A key ingredient for a personal energy meter is a low cost, low infrastructure location system that can be deployed on a truly global scale. This dissertation presents a description and evaluation of the new concept of inquiry-free Bluetooth tracking that has the potential to offer indoor location information with significantly less infrastructure and calibration than other systems.
Finally, a suitable architecture for a personal energy meter on a global scale is demonstrated using a mobile phone application to aggregate energy feeds based on the case studies and technologies developed.
Internet of Things From Hype to Reality
The Internet of Things (IoT) has gained significant mindshare, let alone attention, in academia and the industry especially over the past few years. The reasons behind this interest are the potential capabilities that IoT promises to offer. On the personal level, it paints a picture of a future world where all the things in our ambient environment are connected to the Internet and seamlessly communicate with each other to operate intelligently. The ultimate goal is to enable objects around us to efficiently sense our surroundings, inexpensively communicate, and ultimately create a better environment for us: one where everyday objects act based on what we need and like without explicit instructions.