Securing Real-Time Internet-of-Things

Modern embedded and cyber-physical systems are ubiquitous. A large number of critical cyber-physical systems have real-time requirements (e.g., avionics, automobiles, power grids, manufacturing systems, industrial control systems, etc.). Recent developments and new functionality requires real-time embedded devices to be connected to the Internet. This gives rise to the real-time Internet-of-things (RT-IoT) that promises a better user experience through stronger connectivity and efficient use of next-generation embedded devices. However RT- IoT are also increasingly becoming targets for cyber-attacks which is exacerbated by this increased connectivity. This paper gives an introduction to RT-IoT systems, an outlook of current approaches and possible research challenges towards secure RT- IoT frameworks

Akceptace platebních karet na zařízeních s OS Android

Hlavním cílem této diplomové práce je ověřit, zdali mohou být k akceptaci platebních karet používána běžně dostupná zařízení, jako např. mobilní telefony. Z tohoto důvodu se práce nejdříve zaměřuje na to, jakým způsobem funguje placení kartami, které využívají technologii EMV, a poté popisuje standardy SPoC a CPoC. Dále jsou zde také popsány rozdíly mezi mobilními aplikacemi Google Pay a Apple Pay umožňující použití mobilních telefonů namísto karet. V neposlední řadě je rozšířena komerční aplikace Dotypay tak, že může být provozována k akceptaci karet na mobilních telefonech a zařízeních Nexgo, které používají platformu Android. Pomocí specializovaného testovacího nástroje UL Brand Test Tool, který se v odvětví platebních karet běžně používá, je pak ověřeno, že aplikace správně zpracovává platební transakce.ObhájenoThe main goal of this master's thesis is to find out whether non-specialized devices, such as mobile phones, could be used to accept payment cards. Therefore, it covers the SPoC and CPoC standards and the way payment transactions utilizing the EMV technology are processed. Additionally, the differences between the Google Pay and Apple Pay mobile payment applications are described there. The commercial application Dotypay is extended in such a way that it can be used on mobile phones and Nexgo devices running the Android OS to accept cards. Finally, using the industry-standard UL Brand Test Tool product, it is verified that the extended application is able to correctly process payment transactions

Strong authentication based on mobile application

The user authentication in online services has evolved over time from the old username and password-based approaches to current strong authentication methodologies. Especially, the smartphone app has become one of the most important forms to perform the authentication. This thesis describes various authentication methods used previously and discusses about possible factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile application based authentication systems. Furthermore, we take closer look into the security of the mobile application based authentication approach. Mobile apps have various attack vectors that need to be taken under consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed during the last decades. We discuss how these mechanisms can be utilized in mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the authentication history and to be able to build a view of strong authentication evolution. This history and the aspects of the evolution are used to state hypothesis about the future research and development. We predict that the authentication systems in the future may be based on a holistic view of the behavioral patterns and physical properties of the user. Machine learning may be used in the future to implement an autonomous authentication concept that enables users to be authenticated with minimal physical or cognitive effort

Investigating Security for Ubiquitous Sensor Networks

The availability of powerful and sensor-enabled mobile and Internet-connected devices have enabled the advent of the ubiquitous sensor network paradigm which is providing various types of solutions to the community and the individual user in various sectors including environmental monitoring, entertainment, transportation, security, and healthcare. We explore and compare the features of wireless sensor networks and ubiquitous sensor networks and based on the differences between these two types of systems, we classify the security-related challenges of ubiquitous sensor networks. We identify and discuss solutions available to address these challenges. Finally, we briefly discuss open challenges that need to be addressed to design more secure ubiquitous sensor networks in the future

Security of GPS/INS based On-road Location Tracking Systems

Location information is critical to a wide-variety of navigation and tracking applications. Today, GPS is the de-facto outdoor localization system but has been shown to be vulnerable to signal spoofing attacks. Inertial Navigation Systems (INS) are emerging as a popular complementary system, especially in road transportation systems as they enable improved navigation and tracking as well as offer resilience to wireless signals spoofing, and jamming attacks. In this paper, we evaluate the security guarantees of INS-aided GPS tracking and navigation for road transportation systems. We consider an adversary required to travel from a source location to a destination, and monitored by a INS-aided GPS system. The goal of the adversary is to travel to alternate locations without being detected. We developed and evaluated algorithms that achieve such goal, providing the adversary significant latitude. Our algorithms build a graph model for a given road network and enable us to derive potential destinations an attacker can reach without raising alarms even with the INS-aided GPS tracking and navigation system. The algorithms render the gyroscope and accelerometer sensors useless as they generate road trajectories indistinguishable from plausible paths (both in terms of turn angles and roads curvature). We also designed, built, and demonstrated that the magnetometer can be actively spoofed using a combination of carefully controlled coils. We implemented and evaluated the impact of the attack using both real-world and simulated driving traces in more than 10 cities located around the world. Our evaluations show that it is possible for an attacker to reach destinations that are as far as 30 km away from the true destination without being detected. We also show that it is possible for the adversary to reach almost 60-80% of possible points within the target region in some cities

Server-based and server-less BYOD solutions to support electronic learning

Over the past 10 years, bring your own device has become an emerging practice across the commercial landscape and has empowered employees to conduct work-related business from the comfort of their own phone, tablet, or other personal electronic device. Currently in the Department of Defense, and specifically the Department of the Navy, no viable solution exists for the delivery of eLearning content to a service member's personal device that satisfy existing policies. The purpose of this thesis is to explore two potential solutions: a server-based method and a server-less method, both of which would allow Marines and Sailors to access eLearning course material by way of their personal devices. This thesis will test the feasibility and functionality of our server-based and server-less solutions by implementing a basic proof of concept for each. The intent is to provide a baseline from which further research and development can be conducted, and to demonstrate how these solutions present a low-risk environment that preserves government network security while still serving as a professional military education force multiplier. Both solutions, while demonstrated with limited prototypes, have the potential to finally introduce bring your own device into the Department of the Navy's eLearning realm.http://archive.org/details/serverbasedndser1094549343Captain, United States Marine CorpsCaptain, United States Marine CorpsApproved for public release; distribution is unlimited

Defining a sample template for governmental procurements of cryptographic products

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006Includes bibliographical references (leaves: 46-47)Text in English; Abstract: Turkish and Englishxi, 47 leavesIt is a well-known truth that nobody can easily find a law, act, directive, code or a publicly available technical specification which describe crytopgraphic-based security systems and/or cryptographic modules in Turkey. Besides that, from the international aspect, the only government released standarts take place in the "Federal Information Standarts Publication (FIPS) 140-2", published by United States "National Institute of Standarts and Technology (NIST)" on May 25th, 2001 (which became the international standart after Final Commitee Document accepted as "ISO/IEC 19790:2006" on March 9th, 2006) which specifies the security requirements that should be satisfied by a cryptographic module.Since the protection of sensitive and valuable (sometimes lifecritical) data transfered via critical governmental cryptographic systems is very important and requires high confidentiality, the need for defining a sample template technical specification of those cryptographic systems is that much high.The sample template specification which is made up in this study aims to be a starting point or initiative for preparing a cryptographic module specification in governmental procurements

A wireless method for monitoring medication compliance

There are many devices on the market to help remind patients to take their pills, but most require observation by a caregiver to assure medication compliance. This project demonstrates three modes to detect pill removal from a pillbox: a switch under the pills, a reflective type photointerrupter and a transmissive electric eye photosensor. Each mode exhibited blind spots or other failures to detect pill presence, but by combining modes with complementary characteristics, the accuracy of pill detection is greatly increased. Two methods of caregiver notification are demonstrated: text messages transmitted via an attached cellular phone, or the status is collected by a PC which provides an audit trail and daily notification if no pills were taken