110 research outputs found

    Authorization Framework for the Internet-of-Things

    This paper describes a framework that allows fine-grained and flexible access control to connected devices with very limited processing power and memory. We propose a set of security and performance requirements for this setting and derive an authorization framework distributing processing costs between constrained devices and less constrained back-end servers while keeping message exchanges with the constrained devices at a minimum. As a proof of concept we present performance results from a prototype implementing the device part of the framework.

    A survey of communication protocols for internet of things and related challenges of fog and cloud computing integration

    The fast increment in the number of IoT (Internet of Things) devices is accelerating the research on new solutions to make cloud services scalable. In this context, the novel concept of fog computing as well as the combined fog-to-cloud computing paradigm is becoming essential to decentralize the cloud, while bringing the services closer to the end-system. This article surveys the application layer communication protocols to fulfill the IoT communication requirements, and their potential for implementation in fog- and cloud-based IoT systems. To this end, the article first briefly presents potential protocol candidates, including request-reply and publish-subscribe protocols. After that, the article surveys these protocols based on their main characteristics, as well as the main performance issues, including latency, energy consumption, and network throughput. These findings are thereafter used to place the protocols in each segment of the system (IoT, fog, cloud), and thus open up the discussion on their choice, interoperability, and wider system integration. The survey is expected to be useful to system architects and protocol designers when choosing the communication protocols in an integrated IoT-to-fog-to-cloud system architecture. Peer Reviewed. Postprint (author's final draft).

    Secure store and forward proxy for dynamic IoT applications over M2M networks

    Internet of Things (IoT) applications are expected to generate a huge unforeseen amount of traffic flowing from Consumer Electronics devices to the network. In order to overcome existing interoperability problems, several standardization bodies have joined to bring a new generation of Machine to Machine (M2M) networks as a result of the evolution of wireless sensor/actor networks and mobile cellular networks to converged networks. M2M is expected to turn IoT paradigms and related concepts into a reality at a reasonable cost. As part of the convergence, several technologies preventing new IoT services from interfering with existing Internet services are flourishing. Responsive, message-driven, resilient and elastic architectures are becoming essential parts of the system. These architectures will control the entire data flow for an IoT system, sometimes requiring data to be stored, shaped and forwarded among nodes of an M2M network to improve network performance. However, IoT-generated data have an important personal component, since they are generated in personal devices or are the result of the observation of the physical world, which raises significant security concerns. This article proposes a novel opportunistic flexible secure store and forward proxy for M2M networks and its mapping to asynchronous protocols that guarantees data confidentiality.

    Improving efficiency, usability and scalability in a secure, resource-constrained web of things

    Cloud-based system for IoT data acquisition

    The purpose of IoT is to bring the physical world into a digital one, allowing it to be controlled and monitored from a virtual standpoint. The interest in IoT has increased due to its many applications in various fields, but IoT systems still deal with challenges such as the support of a high volume of connections or the low processing capacity of devices faced with data security algorithms. The objective of this dissertation is to create a data collection system for air quality sensors that solves those challenges based on state-of-the-art technologies, giving preference to open-source tools. Implementation was done around Apache Kafka, with Spring Boot and VerneMQ receiving data, HMAC granting a level of security on data transport, and PostgreSQL with the Timescale plugin storing the data. A prototype of the system was implemented in Docker containers, but we were unable to orchestrate them through Kubernetes.

    Efficient Security Protocols for Constrained Devices

    During the last decades, more and more devices have been connected to the Internet. Today, there are more devices connected to the Internet than humans. An increasingly common type of device is the cyber-physical device. A device that interacts with its environment is called a cyber-physical device. Sensors that measure their environment and actuators that alter the physical environment are both cyber-physical devices. Devices connected to the Internet risk being compromised by threat actors such as hackers. Cyber-physical devices have become a preferred target for threat actors since the consequence of an intrusion disrupting or destroying a cyber-physical system can be severe. Cyber attacks against power and energy infrastructure have caused significant disruptions in recent years. Many cyber-physical devices are categorized as constrained devices. A constrained device is characterized by one or more of the following limitations: limited memory, a less powerful CPU, or a limited communication interface. Many constrained devices are also powered by a battery or energy harvesting, which limits the available energy budget. Devices must be efficient to make the most of the limited resources. Mitigating cyber attacks is a complex task, requiring technical and organizational measures. Constrained cyber-physical devices require efficient security mechanisms to avoid overloading the system's limited resources. In this thesis, we present research on efficient security protocols for constrained cyber-physical devices. We have implemented and evaluated two state-of-the-art protocols, OSCORE and Group OSCORE. These protocols allow end-to-end protection of CoAP messages in the presence of untrusted proxies. Next, we have performed a formal protocol verification of WirelessHART, a protocol for communications in an industrial control systems setting. In our work, we present a novel attack against the protocol. We have developed a novel architecture for industrial control systems utilizing the Digital Twin concept. Using a state synchronization protocol, we propagate state changes between the digital and physical twins. The Digital Twin can then monitor and manage devices. We have also designed a protocol for secure ownership transfer of constrained wireless devices. Our protocol allows the owner of a wireless sensor network to transfer control of the devices to a new owner. With a formal protocol verification, we can guarantee the security of both the old and new owners. Lastly, we have developed an efficient Private Stream Aggregation (PSA) protocol. PSA allows devices to send encrypted measurements to an aggregator. The aggregator can combine the encrypted measurements and calculate the decrypted sum of the measurements. No party will learn the measurement except the device that generated it.

    Contributions to Securing Software Updates in IoT

    The Internet of Things (IoT) is a large network of connected devices. In IoT, devices can communicate with each other or back-end systems to transfer data or perform assigned tasks. Communication protocols used in IoT depend on target applications but usually require low bandwidth. On the other hand, IoT devices are constrained, having limited resources, including memory, power, and computational resources. Considering these limitations in IoT environments, it is difficult to implement best security practices. Consequently, network attacks can threaten devices or the data they transfer. Thus it is crucial to react quickly to emerging vulnerabilities. These vulnerabilities should be mitigated by firmware updates or other necessary updates securely. Since IoT devices usually connect to the network wirelessly, such updates can be performed Over-The-Air (OTA). This dissertation presents contributions to enable secure OTA software updates in IoT. In order to perform secure updates, vulnerabilities must first be identified and assessed. In this dissertation, first, we present our contribution to designing a maturity model for vulnerability handling. Next, we analyze and compare common communication protocols and security practices regarding energy consumption. Finally, we describe our designed lightweight protocol for OTA updates targeting constrained IoT devices. IoT devices and back-end systems often use incompatible protocols that are unable to interoperate securely. This dissertation also includes our contribution to designing a secure protocol translator for IoT. This translation is performed inside a Trusted Execution Environment (TEE) with TLS interception. This dissertation also contains our contribution to key management and key distribution in IoT networks. In performing secure software updates, the IoT devices can be grouped since the updates target a large number of devices. Thus, prior to deploying updates, a group key needs to be established among group members. In this dissertation, we present our designed secure group key establishment scheme. Symmetric key cryptography can help to save IoT device resources at the cost of increased key management complexity. This trade-off can be improved by integrating IoT networks with cloud computing and Software Defined Networking (SDN). In this dissertation, we use SDN in cloud networks to provision symmetric keys efficiently and securely. These pieces together help software developers and maintainers identify vulnerabilities, provision secret keys, and perform lightweight secure OTA updates. Furthermore, they help devices and systems with incompatible protocols to be able to interoperate.

    IoT on Shared Vehicles

    Nowadays the need of people to have the power to control everything is increasing. Due to the technological evolution together with the Internet of Things, this is already possible. In this context, shared vehicles are a good example. With just one click people can use a vehicle from a vehicle sharing fleet anywhere, anytime. During the realization of this project the uMDC was developed. It is a small device capable of managing and controlling different types of vehicles, with the main focus being electric bicycles. As a final conclusion of the project, the results obtained with the uMDC have proved very attractive. During its integration in the electric bicycles, the system was capable of controlling the bicycle's different components, as required for the first prototype.