    Mitigating Threats in IoT Network using Device Isolation

    In recent years, the proliferation of the Internet of Things (IoT) is seen across various sectors. There is a sharp inclination towards using IoT devices in both home and office premises. Many traditional manufacturers are enhancing their traditional appliances into IoT devices. With the myriad of devices in the market, there also exist vulnerable devices which can be exploited by adversaries. Several security solutions are trying to address different areas of security such as network security, privacy, threat detection, etc. IoT Sentinel is one such novel system that can identify device types based on their pattern of communication. IoT Sentinel proposes several isolation levels that can be used to control the traffic of devices identified as vulnerable. IoT Sentinel uses a Software-defined Networking (SDN) component for controlling the traffic flow for devices and isolating them. In this thesis, we develop a solution to extend IoT Sentinel for device isolation, which is not dependent on SDN. The goal is to build a generic and deployable solution for network segmentation and device isolation that is suitable for home networks. The system divides the network into isolated subnets and places new devices into appropriate subnets. Communication between the subnets is controlled using a firewall, thereby isolating them. We dynamically configure a DHCP server to place (lease IP addresses to) new IoT devices identified by IoT Sentinel into appropriate subnets based on their level of vulnerability. Using our solution, we can confine vulnerable devices. Thus, the solution minimizes the damage that could be caused by vulnerable devices present in a network. Finally, we evaluate the developed solution for its security requirement of device isolation. We also present the performance evaluation of our solution based on time-delay and throughput analysis. We observe that our solution adds an acceptable delay to the existing IoT Sentinel processes. We also observe that the system throughput is not significantly affected by firewall rules in a home network scenario.

    Securing the home network

    SD-MCAN: A Software-Defined Solution for IP Mobility in Campus Area Networks

    Campus Area Networks (CANs) are a subset of enterprise networks, comprised of a network core connecting multiple Local Area Networks (LANs) across a college campus. Traditionally, hosts connect to the CAN via a single point of attachment; however, the past decade has seen the employment of mobile computing rise dramatically. Mobile devices must obtain new Internet Protocol (IP) addresses at each LAN as they migrate, wasting address space and disrupting host services. To prevent these issues, modern CANs should support IP mobility: allowing devices to keep a single IP address as they migrate between LANs with low-latency handoffs. Traditional approaches to mobility may be difficult to deploy and often lead to inefficient routing, but Software-Defined Networking (SDN) provides an intriguing alternative. This thesis identifies necessary requirements for a software-defined IP mobility system and then proposes one such system, the Software-Defined Mobile Campus Area Network (SD-MCAN) architecture. SD-MCAN employs an OpenFlow-based hybrid, label-switched routing scheme to efficiently route traffic flows between mobile hosts on the CAN. The proposed architecture is then implemented as an application on the existing POX controller and evaluated on virtual and hardware testbeds. Experimental results show that SD-MCAN can process handoffs with less than 90 ms latency, suggesting that the system can support data-intensive services on mobile host devices. Finally, the POX prototype is open-sourced to aid in future research.

    Exploiting Wireless Sensors: a gateway for 868MHz sensors

    [ENGLISH] The great interest in monitoring everything around us has increased the number of sensors that we utilize in our daily lives. Furthermore, the evolution of wireless technologies has facilitated their ubiquity. Moreover, it is in locations such as homes and offices where exploitation of the data from these sensors has been most important. For example, we want to know if the temperature in our home is adequate, otherwise we want to turn on the heating (or cooling) system automatically, and we want to be able to monitor the environment of the home or office remotely. The knowledge from these sensors and the ability to actuate devices, summon human assistance, and adjust contracts for electrical power, heating, cooling, etc. can facilitate a myriad of ways to improve the quality of our life and potentially even reduce resource consumption. This master's thesis project created a gateway that sniffs wireless sensor traffic in order to collect data from existing sensors and to provide this data as input to various services. These sensors work in the 868 MHz band. Although these wireless sensors are frequently installed in homes and offices, they are generally not connected to any network. We designed a gateway capable of identifying these wireless sensors and decoding the received messages, despite the fact that these messages may use a vendor's proprietary protocol. This gateway consists of a microcontroller, a radio transceiver (868-915 MHz), and an Ethernet controller. This gateway enables us to take advantage of all the data that can be captured. Thinking about these possibilities, simultaneously acquiring data from these various sensors could open a wide range of alternatives in different fields, such as home automation, industrial control, etc. Not only can the received data be interesting by itself; but when different sensors are located in the same environment we can exploit this data using sensor fusion. For example, time differences in arrival and differences in signal strength as measured at multiple receivers could be used to locate objects. The final aim of this thesis project is to support diverse applications that could be developed using the new gateway. This gateway creates a bridge between the information that is already around us and our ability to realize many new potential services. A wide range of opportunities could be realized by exploiting the wireless sensors we already have close to us.

    [SPANISH] The great interest in monitoring everything around us has increased the number of sensors that we use in our daily lives. Furthermore, the evolution of wireless technology has facilitated their installation. It is in places such as homes and offices where exploiting the data from these sensors has been most important. For example, if we want to know whether the temperature at home is adequate in order to activate the heating (or cooling) system automatically. The ability to actuate external devices and adjust contracts for electrical power, heating, cooling, etc. can facilitate a wide variety of ways to improve our quality of life and potentially even reduce resource consumption. This thesis project created a gateway that detects wireless sensor traffic in order to collect data from existing sensors and provide them as input to various services. These sensors operate in the 868 MHz band. Although these wireless sensors are frequently installed in homes and offices, they are generally not connected to any network. We designed a gateway capable of identifying these wireless sensors and decoding the received messages, even though these messages may use a vendor's proprietary protocol. This gateway consists of a microcontroller, a radio transceiver (868-915 MHz), and an Ethernet controller. This gateway allows us to take advantage of all the data that can be captured. Thinking about all these possibilities at once, acquiring data from these various sensors could open a wide range of alternatives in different fields, such as home automation, industrial control, etc. Not only can the received data be interesting in itself, but the different sensors located in the same environment can exploit this data through sensor fusion. For example, differences in arrival time and differences in signal strength, as determined by multiple receivers, could also be used to locate objects. The final aim of this thesis project is to support the various applications that can be developed using the new gateway. This gateway creates a bridge between the information that is already around us and our ability to realize many new potential services. A wide range of possibilities can be generated by exploiting the network of wireless sensors that are already present around us.

    [CATALAN] The great interest in monitoring everything around us has increased the number of sensors that we use in our daily lives. Furthermore, the evolution of wireless technology has facilitated their installation. It is in places such as homes and offices where exploiting the data from these sensors has been most important. For example, if we want to know whether the temperature at home is adequate in order to activate the heating (or cooling) system automatically. The ability to actuate external devices and adjust contracts for electrical power, heating, cooling, etc. can facilitate a wide variety of ways to improve our quality of life and potentially even reduce resource consumption. This thesis project created a gateway that sniffs wireless sensor traffic in order to collect data from existing sensors and provide them as input to various services. These sensors operate in the 868 MHz band. Although these wireless sensors are often installed in homes and offices, they are generally not connected to any network. We designed a gateway capable of identifying these wireless sensors and decoding the received messages, even though these messages may use a vendor's proprietary protocol. This gateway consists of a microcontroller, a radio transceiver (868-915 MHz), and an Ethernet controller. This gateway allows us to take advantage of all the data that can be captured. Thinking about all these possibilities at once, acquiring data from these various sensors could open a wide range of alternatives in different fields, such as home automation, industrial control, etc. Not only can the received data be interesting in itself, but the different sensors located in the same environment can exploit this data through sensor fusion. For example, differences in arrival time and differences in signal strength, as determined by multiple receivers, could also be used to locate objects. The final aim of this thesis project is to support the various applications that can be developed using the new gateway. This gateway creates a bridge between the information that is already around us and our ability to realize new potential services. A wide range of possibilities can be generated by exploiting the network of wireless sensors that we already have close to us.

    Castle in the Air: A Domain Name System for Spectrum

    This article envisions the foundational infrastructure for a true wireless Internet. The domain name system (DNS) for addressing allowed the Internet to scale as a decentralized, loosely-coupled system. A similar system for wireless communication would allow devices to negotiate frequency assignments and other attributes dynamically. The traditional, static approach to spectrum allocation creates massive inefficiencies, which will become increasingly problematic as wireless demand grows. A DNS for spectrum could be based on the database the Federal Communications Commission recently mandated for devices operating in the "White Spaces" around broadcast television channels. Such an infrastructure would enable rapid growth and innovation in next-generation mobile devices and applications.

    Renumbering Still Needs Work

    A Look Back at "Security Problems in the TCP/IP Protocol Suite"

    About fifteen years ago, I wrote a paper on security problems in the TCP/IP protocol suite. In particular, I focused on protocol-level issues, rather than implementation flaws. It is instructive to look back at that paper, to see where my focus and my predictions were accurate, where I was wrong, and where dangers have yet to happen. This is a reprint of the original paper, with added commentary.