Leveraging the heterogeneity of the internet of things devices to improve the security of smart environments

The growing number of devices that are being incorporated into the Internet of Things (IoT) environments leads to a wider presence of a variety of sensors, making these environments heterogeneous. However, the lack of standard input interfaces in such ecosystems poses a challenge in securing them. Among other existing vulnerabilities, the most prevalent are the lack of adequate access control mechanisms and the exploitation of cross-channel interactions between smart devices. In order to tackle the first challenge, I propose a novel behavioral biometric system based on naturally occurring interactions with objects in smart environments. This system is designed to reduce the reliance on existing app-based authentication mechanisms of current smart home platforms and it leverages existing heterogeneous IoT devices to both identify and authenticate users without requiring any hardware modifications of existing smart home devices. To be able to collect the data and evaluate this system, I introduce an end-to-end framework for remote experiments. Such experiments play an important role across multiple fields of studies, from medical science to engineering, as they allow for better representation of human participants and more realistic experimental environments, and ensure research continuity in exceptional circumstances, such as nationwide lockdowns. Yet cyber security has few standards for conducting experiments with human participants, let alone in a remote setting. This framework systematizes design and deployment practices while preserving realistic, reproducible data collection and the safety and privacy of participants. Using this methodology, I conduct two experiments. The first one is a multi-user study taking place in six households composed of 25 participants. The second experiment involves 13 participants in a company environment and is used to study mimicry attacks on the biometric system proposed in this thesis. I demonstrate that this system can identify users in multi-user environments with an accuracy of at least 98% for a single object interaction without requiring any sensors on the object itself. I also show that it can provide seamless and unobtrusive authentication while remaining highly resistant to zero-effort, video, and in-person observation-based mimicry attacks. Even when at most 1% of the strongest type of mimicry attacks are successful, this system does not require the user to take out their phone to approve legitimate transactions in more than 80% of cases for a single interaction. This increases to 92% of transactions when interactions with more objects are considered. To mitigate the second vulnerability, where an attacker exploits multiple heterogeneous devices in a chain such that each one triggers the next, I propose a novel approach that uses only dynamic analysis to examine such interactions in smart ecosystems. I use real-time device data to generate a knowledge graph that models the interactions between devices and enables the system to identify attack chains and vulnerable automations. I evaluate this approach in a smart home environment with 8 devices and 10 automations, with and without the presence of an active user. I demonstrate that such a system can accurately detect 10 cross-channel interactions that lead to 30 different cross-channel interaction chains in the unoccupied environment and 6 such interactions that result in 13 interaction chains in the occupied environment

Key Generation for Internet of Things

Key generation is a promising technique to bootstrap secure communications for the Internet of Things devices that have no prior knowledge between each other. In the past few years, a variety of key generation protocols and systems have been proposed. In this survey, we review and categorise recent key generation systems based on a novel taxonomy. Then, we provide both quantitative and qualitative comparisons of existing approaches. We also discuss the security vulnerabilities of key generation schemes and possible countermeasures. Finally, we discuss the current challenges and point out several potential research directions

Key Generation for Internet of Things: A Contemporary Survey

Key generation is a promising technique to bootstrap secure communications for the Internet of Things (IoT) devices that have no prior knowledge between each other. In the past few years, a variety of key generation protocols and systems have been proposed. In this survey, we review and categorise recent key generation systems based on a novel taxonomy. Then, we provide both quantitative and qualitative comparisons of existing approaches. We also discuss the security vulnerabilities of key generation schemes and possible countermeasures. Finally, we discuss the current challenges and point out several potential research directions

Technology Trends and Opportunities for Construction Industry and Lifecycle Management

Master's thesis in for Offshore Technology: Industrial Asset ManagementThe purpose of the report is to highlight methods that can make it easier for the construction industry and industry in general to benefit from new technology. The report is intended as a reference to technological solutions that along with some techniques, can streamline workflow for multiple tasks in planning, design, and operation and maintenance management. The problems focused on is how to: • Simplify the procurement and tracing of documentation • Optimize building stages, design, and Life Cycle Management (LCM) • Provide interactions between disciplines and employees using different software Scientific Platform are based on literature within technology trends. Some history and trends in digital technology are presented. Definition of roles and general terms related to documentation is derived from Norsk Standard and is interpreted on this basis. The report charts the use of individual software and technical setup of digital tools within CAD-engineering (Computer Aided Design), HDS-technology (High Definition Surveying), and gaming technology. This technology combined with cloud-services to support planning, design and management of building stages. Later to support LCM of facilities and businesses' ERP-systems (Enterprise Resource Planning). Use of Robotic Process Automation (RPA) and Artificial Intelligence (AI), for document control tasks. The result of the report is that several suppliers provide services and products accessible through web. Setup and implementation will require some work and knowledge for business and organizations, but the gain largely seems to justify the use of resources for this purpose. Particularly through IOT-interactions (Internet of Things), cloud-services and free downloadable applications that may be considered as a paradigm shift related to the issues in the report. Also, presenting new platforms for engineering phases to support Building Information Modeling processes (BIM). With the use of Algorithmic Editors for encoding between computer programs without the need of data programmer expertise. To streamline workflows, reduce recreation of data, interactions between different software of various user level, and support of AI to optimize designing by adds-on for CAD-engineering (Computer Aided Design). Mobile devices like phones and tablets to support several of solutions and products presented is very accessible. It seems naturally to assume that the vast majority of people are familiar with technology related to smartphone applications for daily use. The use of resources for implementing the presented solutions have not been considered in this report. Some of the equipment presented can be interpreted as relatively expensive. Investment analysis would be sensible. The trend however, shows continues price drops and increased availability. At the same time as the user interface is being improved for both software and digital equipment. The conclusion, is that the construction industry, as well as Facility Management (FM). Within both, public, and private sector, can have much to gain using the technology and techniques presented in the report

AEROKEY: Using Ambient Electromagnetic Radiation for Secure and Usable Wireless Device Authentication

Wireless connectivity is becoming common in increasingly diverse personal devices, enabling various interoperation- and Internet-based applications and services. More and more interconnected devices are simultaneously operated by a single user with short-lived connections, making usable device authentication methods imperative to ensure both high security and seamless user experience. Unfortunately, current authentication methods that heavily require human involvement, in addition to form factor and mobility constraints, make this balance hard to achieve, often forcing users to choose between security and convenience. In this work, we present a novel over-the-air device authentication scheme named AEROKEY that achieves both high security and high usability. With virtually no hardware overhead, AEROKEY leverages ubiquitously observable ambient electromagnetic radiation to autonomously generate spatiotemporally unique secret that can be derived only by devices that are closely located to each other. Devices can make use of this unique secret to form the basis of a symmetric key, making the authentication procedure more practical, secure and usable with no active human involvement. We propose and implement essential techniques to overcome challenges in realizing AEROKEY on low-cost microcontroller units, such as poor time synchronization, lack of precision analog front-end, and inconsistent sampling rates. Our real-world experiments demonstrate reliable authentication as well as its robustness against various realistic adversaries with low equal-error rates of 3.4% or less and usable authentication time of as low as 24 s

An Approach to Guide Users Towards Less Revealing Internet Browsers

When browsing the Internet, HTTP headers enable both clients and servers send extra data in their requests or responses such as the User-Agent string. This string contains information related to the sender’s device, browser, and operating system. Previous research has shown that there are numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards using less exposing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and vulnerability records. Thus, our contribution in this work is as follows: first, provide a full implementation that is ready to be deployed and used by users. Second, conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on using more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed

Security Analysis of Internet of Things Devices: Hands-on lab

International audienc

Security and Privacy for IoT Ecosystems

Smart devices have become an integral part of our everyday life. In contrast to smartphones and laptops, Internet of Things (IoT) devices are typically managed by the vendor. They allow little or no user-driven customization. Users need to use and trust IoT devices as they are, including the ecosystems involved in the processing and sharing of personal data. Ensuring that an IoT device does not leak private data is imperative. This thesis analyzes security practices in popular IoT ecosystems across several price segments. Our results show a gap between real-world implementations and state-of-the-art security measures. The process of responsible disclosure with the vendors revealed further practical challenges. Do they want to support backward compatibility with the same app and infrastructure over multiple IoT device generations? To which extent can they trust their supply chains in rolling out keys? Mature vendors have a budget for security and are aware of its demands. Despite this goodwill, developers sometimes fail at securing the concrete implementations in those complex ecosystems. Our analysis of real-world products reveals the actual efforts made by vendors to secure their products. Our responsible disclosure processes and publications of design recommendations not only increase security in existing products but also help connected ecosystem manufacturers to develop secure products. Moreover, we enable users to take control of their connected devices with firmware binary patching. If a vendor decides to no longer offer cloud services, bootstrapping a vendor-independent ecosystem is the only way to revive bricked devices. Binary patching is not only useful in the IoT context but also opens up these devices as research platforms. We are the first to publish tools for Bluetooth firmware and lower-layer analysis and uncover a security issue in Broadcom chips affecting hundreds of millions of devices manufactured by Apple, Samsung, Google, and more. Although we informed Broadcom and customers of their technologies of the weaknesses identified, some of these devices no longer receive official updates. For these, our binary patching framework is capable of building vendor-independent patches and retrofit security. Connected device vendors depend on standards; they rarely implement lower-layer communication schemes from scratch. Standards enable communication between devices of different vendors, which is crucial in many IoT setups. Secure standards help making products secure by design and, thus, need to be analyzed as early as possible. One possibility to integrate security into a lower-layer standard is Physical-Layer Security (PLS). PLS establishes security on the Physical Layer (PHY) of wireless transmissions. With new wireless technologies emerging, physical properties change. We analyze how suitable PLS techniques are in the domain of mmWave and Visible Light Communication (VLC). Despite VLC being commonly believed to be very secure due to its limited range, we show that using VLC instead for PLS is less secure than using it with Radio Frequency (RF) communication. The work in this thesis is applied to mature products as well as upcoming standards. We consider security for the whole product life cycle to make connected devices and IoT ecosystems more secure in the long term

Digital Transformation

The amount of literature on Digital Transformation is staggering—and it keeps growing. Why, then, come out with yet another such document? Moreover, any text aiming at explaining the Digital Transformation by presenting a snapshot is going to become obsolete in a blink of an eye, most likely to be already obsolete at the time it is first published. The FDC Initiative on Digital Reality felt there is a need to look at the Digital Transformation from the point of view of a profound change that is pervading the entire society—a change made possible by technology and that keeps changing due to technology evolution opening new possibilities but is also a change happening because it has strong economic reasons. The direction of this change is not easy to predict because it is steered by a cultural evolution of society, an evolution that is happening in niches and that may expand rapidly to larger constituencies and as rapidly may fade away. This creation, selection by experimentation, adoption, and sudden disappearance, is what makes the whole scenario so unpredictable and continuously changing.The amount of literature on Digital Transformation is staggering—and it keeps growing. Why, then, come out with yet another such document? Moreover, any text aiming at explaining the Digital Transformation by presenting a snapshot is going to become obsolete in a blink of an eye, most likely to be already obsolete at the time it is first published. The FDC Initiative on Digital Reality felt there is a need to look at the Digital Transformation from the point of view of a profound change that is pervading the entire society—a change made possible by technology and that keeps changing due to technology evolution opening new possibilities but is also a change happening because it has strong economic reasons. The direction of this change is not easy to predict because it is steered by a cultural evolution of society, an evolution that is happening in niches and that may expand rapidly to larger constituencies and as rapidly may fade away. This creation, selection by experimentation, adoption, and sudden disappearance, is what makes the whole scenario so unpredictable and continuously changing