2,831 research outputs found

    Fortress: Securing IoT Peripherals with Trusted Execution Environments

    With the increasing popularity of Internet of Things (IoT) devices, securing sensitive user data has emerged as a major challenge. These devices often collect confidential information, such as audio and visual data, through peripheral inputs like microphones and cameras. Such sensitive information is then exposed to potential threats, either from malicious software with high-level access rights or transmitted (sometimes inadvertently) to untrusted cloud services. In this paper, we propose a generic design to enhance the privacy in IoT-based systems by isolating peripheral I/O memory regions in a secure kernel space of a trusted execution environment (TEE). Only a minimal set of peripheral driver code, resident within the secure kernel, can access this protected memory area. This design effectively restricts any unauthorised access by system software, including the operating system and hypervisor. The sensitive peripheral data is then securely transferred to a user-space TEE, where obfuscation mechanisms can be applied before it is relayed to third parties, e.g., the cloud. To validate our architectural approach, we provide a proof-of-concept implementation of our design by securing an audio peripheral based on inter-IC sound (I2S), a serial bus to interconnect audio devices. The experimental results show that our design offers a robust security solution with an acceptable computational overhead. Comment: 8 page

    Security Evaluation of Cyber-Physical Systems in Society-Critical Internet of Things

    In this paper, we present evaluation of security awareness of developers and users of cyber-physical systems. Our study includes interviews, workshops, surveys and one practical evaluation. We conducted 15 interviews and conducted survey with 55 respondents coming primarily from industry. Furthermore, we performed practical evaluation of current state of practice for a society-critical application, a commercial vehicle, and reconfirmed our findings discussing an attack vector for an off-line society-critical facility. More work is necessary to increase usage of security strategies, available methods, processes and standards. The security information, currently often insufficient, should be provided in the user manuals of products and services to protect system users. We confirmed it lately when we conducted an additional survey of users, with users feeling as left out in their quest for own security and privacy. Finally, hardware-related security questions begin to come up on the agenda, with a general increase of interest and awareness of hardware contribution to the overall cyber-physical security. At the end of this paper we discuss possible countermeasures for dealing with threats in infrastructures, highlighting the role of authorities in this quest

    Connected Bike-smart IoT-based Cycling Training Solution

    The Connected Bike project combines several technologies, both hardware and software, to provide cycling enthusiasts with a modern alternative solution for training. Therefore, a trainer can monitor online through a Web Application some of the important parameters for training, more specifically the speed, cadence and power generated by the cyclist. Also, the trainer can see at every moment where the rider is with the aid of a GPS module. The system is built out of both hardware and software components. The hardware is in charge of collecting, scaling, converting and sending data from sensors. On the software side, there is the server, which consists of the Back-End and the MQTT (Message Queues Telemetry Transport) Broker, as well as the Front-End of the Web Application that displays and manages data as well as collaboration between cyclists and trainers. Finally, there is the Android Application that acts like a remote command for the hardware module on the bike, giving the rider control over how and when the ride is monitored

    Development of a smart electric motor testbed for Internet of things and big data technologies

    Smart devices and Internet of Things (IoT) technologies are becoming each day more common. At the same time, besides the exponentially increasing demand to analyze the produced data, there is an evolving trend to perform the data analysis closer to the data sources, particularly at the Fog and Edge levels. In this sense, the development of testbeds that can, e.g., simulate smart devices in IoT environments, are important to explore and develop the technologies to enable the complete realization of such IoT concepts. This paper describes the digitization of an electric motor, through the incorporation of sensing and an analytical computational environment, towards the development of a testbed for IoT and Big Data technologies. The smart electric motor testbed provides real-time data streams, enabling a continuous monitoring of its operation along all the device life-cycle through advanced data analytics. Furthermore, the paper discusses how specific data analytics features fit the different IoT layers, while preliminary experiments demonstrate the testbed potentials.

    Novel Attacks and Defenses for Enterprise Internet-of-Things (E-IoT) Systems

    This doctoral dissertation expands upon the field of Enterprise Internet-of-Things (E-IoT) systems, one of the most ubiquitous and under-researched fields of smart systems. E-IoT systems are specialty smart systems designed for sophisticated automation applications (e.g., multimedia control, security, lighting control). E-IoT systems are often closed source, costly, require certified installers, and are more robust for their specific applications. This dissertation begins with an analysis of the current E-IoT threat landscape and introduces three novel attacks and defenses for under-studied software and protocols heavily linked to E-IoT systems. For each layer, we review the literature for the threats, attacks, and countermeasures. Based on the systematic knowledge we obtain from the literature review, we propose three novel attacks and countermeasures to protect E-IoT systems. In the first attack, we present PoisonIvy, several attacks developed to show that malicious E-IoT drivers can be used to compromise E-IoT. In response to PoisonIvy threats, we describe Ivycide, a machine-learning network-based solution designed to defend E-IoT systems against E-IoT driver threats. As multimedia control is a significant application of E-IoT, we introduce HDMI-Walk, a novel attack vector designed to demonstrate that HDMI's Consumer Electronics Control (CEC) protocol can be used to compromise multiple devices through a single connection. To defend devices from this threat, we introduce HDMI-Watch, a standalone intrusion detection system (IDS) designed to defend HDMI-enabled devices from HDMI-Walk-style attacks. Finally, this dissertation evaluates the security of E-IoT proprietary protocols with LightningStrike, a series of attacks used to demonstrate that popular E-IoT proprietary communication protocols are insecure. To address LightningStrike threats, we introduce LGuard, a complete defense framework designed to defend E-IoT systems from LightningStrike-style attacks using computer vision, traffic obfuscation, and traffic analysis techniques. For each contribution, all of the defense mechanisms proposed are implemented without any modification to the underlying hardware or software. All attacks and defenses in this dissertation were performed with implementations on widely-used E-IoT devices and systems. We believe that the research presented in this dissertation has notable implications on the security of E-IoT systems by exposing novel threat vectors, raising awareness, and motivating future E-IoT system security research