2,319 research outputs found

    Security Evaluation of Cyber-Physical Systems in Society-Critical Internet of Things

    In this paper, we present evaluation of security awareness of developers and users of cyber-physical systems. Our study includes interviews, workshops, surveys and one practical evaluation. We conducted 15 interviews and conducted survey with 55 respondents coming primarily from industry. Furthermore, we performed practical evaluation of current state of practice for a society-critical application, a commercial vehicle, and reconfirmed our findings discussing an attack vector for an off-line society-critical facility. More work is necessary to increase usage of security strategies, available methods, processes and standards. The security information, currently often insufficient, should be provided in the user manuals of products and services to protect system users. We confirmed it lately when we conducted an additional survey of users, with users feeling as left out in their quest for own security and privacy. Finally, hardware-related security questions begin to come up on the agenda, with a general increase of interest and awareness of hardware contribution to the overall cyber-physical security. At the end of this paper we discuss possible countermeasures for dealing with threats in infrastructures, highlighting the role of authorities in this quest.

    Security threats from connecting mobile phones to connected vehicles

    Abstract. Technical innovations and constantly expanding role of software has made modern cars more like computers than ever before. Software has introduced new features to cars. With the addition of new features, also new sensors have been added as well. Together with connecting user accounts and devices to the vehicle, vehicles have started to gather more and more information on their users. New connective technology has made cars more connected than ever. The large amounts of information that cars now collect can be accessed from all over the globe with the use of internet. It should now be carefully determined whether safety and security measures have kept pace with the influx of these new changes. This research was done as a literary review. Relevant material was collected by using search engines Google, Google Scholar and Scopus. IEEE Explore and Web of Science were used for searching for papers as well as for downloading them. ResearchGate was used for downloading the papers as well. Papers were also chosen by finding relevant papers from already chosen papers’ list of references. Papers were selected based on their relevance to the topic. Papers that were on the topic of vehicle information or electronic security or specifically about vehicle security regarding connections with mobile phones or other connective technology were selected. Cars were originally designed to be closed systems. There are technical weaknesses stemming from this original design idea, that now create holes in the security of connected vehicles. This research divided these threat categories to three parts. The first category is phones themselves. The second one is the threats that come from the main connection between phones and cars which is Bluetooth. The third category is the OBD-II port. Risks from phones come from the relatively fast product cycle they have. Malware also should be taken into consideration. 
Bluetooth risks come from pairing issues and discoverability, and there are several types of Bluetooth attacks that should be taken into consideration. The threats from OBD-II ports come from the access it gives to the internal network of the vehicle. Problems also rise from the way OBD-II port dongles are designed, as in the worst case their security features can be abysmal. Together with the access that the port provides, it should be critical to correct this issue. All of these threat categories could enable attackers to gain complete access to the vehicle’s systems. They can also collect information from the vehicle or control the vehicle’s different systems like telematics unit, or even go as far as controlling the safety critical systems like steering and braking. The main contribution of this research was presenting several studies that demonstrated reasons why the threat from connecting phones to connected vehicles is real and should be taken very seriously. A valuable contribution was also in showing several sources together on how serious these threats can be and how much control of the vehicle and its data attackers can achieve.
Abstract. This study addresses the security threats that arise from connecting phones to cars. New technical innovations and the growing role of software have made modern cars resemble computers. Software has made it possible to add new features to cars. In addition, new kinds of sensors have also been added to cars. Today various user accounts and devices can be connected to cars, which is why cars collect information about their users to an ever-increasing extent. New kinds of technology have also been added to cars, as a result of which the large amounts of data that cars collect are accessible from anywhere on the globe. It would therefore be important to determine whether security measures have kept pace with these new changes. The study was carried out as a literature review. Material for the study was collected using the Google, Google Scholar and Scopus search engines. In addition, searches were also made on the IEEE Explore and Web of Science sites, which, along with ResearchGate, were also used for downloading papers. Material was also sought from the reference lists of publications already selected. Publications relevant to the topic were chosen as source material. A publication was included in the study if its topic was either the information security or electronic security of cars, or if it dealt specifically with the security of cars and phones or of cars and some other connective technology. Cars were originally designed as closed systems, which gives rise to security threats for modern cars containing connective technology. In the study the threats were divided into three categories. The first category is phones themselves. The second category is the Bluetooth connection, which is the main means of connection between phones and cars. The third category is the OBD-II port. The risks arising from phones come from their fast product cycle, and malware should also be taken into account. Bluetooth risks come from problems related to pairing and discoverability. There are also several different Bluetooth attacks that should be taken into account. The threats related to the OBD-II port stem from the fact that the port gives access to the car's internal network. Threats also arise from the transmitters plugged into OBD-II ports, so-called dongles, whose security features can in the worst case be non-existent. Because the OBD-II port gives access to the car's internal network, fixing these problems is extremely important. All three of these threat categories can enable an attacker to take complete control of the car's systems. They can also enable the collection of information from the car or the control of the car's various systems such as telematics. It may even be possible for an attacker to take control of safety-critical systems, such as the steering and braking systems. The main significance of the study was to bring together several studies that show why connecting phones to cars containing connective technology involves threats, and why these threats should be taken seriously. The study also presented several sources on how large these threats can be and how much control attackers can gain over the car and its data.

    The Internet of Hackable Things

    The Internet of Things makes it possible to connect each everyday object to the Internet, making computing pervasive like never before. From a security and privacy perspective, this tsunami of connectivity represents a disaster, which makes each object remotely hackable. We claim that, in order to tackle this issue, we need to address a new challenge in security: education.

    Enhancing mobile learning security

    Mobile devices have been playing vital roles in modern day education delivery as students can access or download learning materials on their smartphones and tablets, they can also install educational apps and study anytime, anywhere. The need to provide adequate security for portable devices being used for learning cannot be underestimated. In this paper, we present a mobile security enhancement app, designed and developed for Android smart mobile devices in order to promote security awareness among students. The app can also identify major and the most significant security weaknesses, scan or check for vulnerabilities in m-learning devices and report any security threat

    Mobile Authentication with NFC enabled Smartphones

    Smartphones are becoming increasingly more deployed and as such new possibilities for utilizing the smartphones' many capabilities for public and private use are arising. This project will investigate the possibility of using smartphones as a platform for authentication and access control, using near field communication (NFC). To achieve the necessary security for authentication and access control purposes, cryptographic concepts such as public keys, challenge-response and digital signatures are used. To focus the investigation a case study is performed based on the authentication and access control needs of an educational institution's student ID. To gain a more practical understanding of the challenges mobile authentication encounters, a prototype has successfully been developed on the basis of the investigation. The case study performed in this project argues that NFC as a standalone technology is not yet mature to support the advanced communication required by this case. However, combining NFC with other communication technologies such as Bluetooth has proven to be effective. As a result, a general evaluation has been performed on several aspects of the prototype, such as cost-effectiveness, usability, performance and security to evaluate the viability of mobile authentication.

    Dawn Of The Mobile Malware: Reviewing Mobile Worms

    There is a new era of worm attack on mobile devices. In the past, worms on cell phones and PDA were more like science fiction but recently it is more than a reality. The objective of this paper is to brief the new threats on mobile devices and review the current hazards on it. We did taxonomy of current malware on mobile devices specifically worms and state their technical details

    Evaluating Smartphone Application Security: A Case Study on Android

    Currently, smart phones are becoming indispensable for meeting the social expectation of always staying connected and the need for an increase in productivity are the reasons for the increase in smartphone usage. One of the leaders of the smart phone evolution is Google's Android operating system. It is highly likely that Android is going to be installed in many millions of cell phones during the near future. With the popularity of Android smart phones everyone finds it convenient to make transactions through these smartphones because of the openness of Android applications. The malware attacks are also significant. Android security is complex and we evaluate an application development environment which is susceptible to malware attacks. This paper evaluates Android security with the purpose of identifying a secure application development environment for performing secure transactions on Android-based smart phones.

    NFC and mobile payments today

    Master's thesis in Information Security, presented to the Universidade de Lisboa, through the Faculdade de Ciências, 2011. NFC (Near Field Communication) and mobile payments are two areas that have become very popular lately; both doubled their search volume index as measured by Google Trends in the last year. NFC is a wireless communication technology already available on some mobile phones, with more announced to arrive soon, and mobile payments are a service whose usage is expected to grow at a rather fast pace in the coming years. This growth has been predicted before, and expectations were disappointed, but NFC is thought to be the technology that will bring mobile payments to the masses. This thesis focuses on these two areas and on how NFC can be useful in a protocol for carrying out mobile payments today. To this end, a new protocol called mTrocos is presented. It has several desirable characteristics such as anonymity, high security, good usability, no dependence on banks or traditional financial institutions, support for micropayments, and it requires no special hardware. Its design is based on the concept of digital money and on ad-hoc key establishment protocols. The latter are useful given that NFC is a wireless medium that offers no built-in security beyond its short range. A proof-of-concept implementation using a phone running the Android operating system and a desktop NFC reader is detailed, proving that it works using only commonly available hardware. However, Android's NFC API (Application Programming Interface) proved to be limited, which influenced the design of mTrocos and prevented it from using NFC alone for the exchange of its messages. As part of the protocol's evaluation, user tests were carried out which show that mTrocos is easy to use and that it is suited to the intended scenario: vending machines. Another conclusion that can be reached is that NFC is a technology that improves the user experience and that will be of great use for the growth of mobile payments.
NFC (Near Field Communication) and mobile payments are two areas that have received a significant amount of attention lately. NFC is a wireless communication technology already available on some mobile phones, with more to come in the near future, and mobile payments are a service whose usage is expected to grow at a significant rate in the coming years. This growth has been predicted before, and expectations have been let down, but NFC is thought to be the technology that will bring mobile payments to the masses. This thesis is focused on these two areas and how NFC can be of use in a protocol to conduct mobile payments. For this, a new protocol called mTrocos is presented that possesses several desirable characteristics such as anonymity, high security, good usability, unbanked, support for micropayments and no special hardware requirements. Its design is based on digital money concepts and ad-hoc key establishment protocols. The latter are useful because NFC is a wireless medium and offers no built-in security other than its limited range. A proof-of-concept implementation with an Android phone and a desktop NFC reader is detailed, proving that it works using only commodity equipment currently available. However, Android’s NFC API (Application Programming Interface) was found to be limited, which influenced the design of mTrocos, preventing it from relying only on NFC for the exchange of the messages. As part of the protocol’s evaluation, user tests were conducted which show that mTrocos is easy to use and that it is suited to the envisaged scenario: vending machines. Another conclusion is that NFC is a technology that improves the user experience and will be of great help for the growth of mobile payments.

    An investigation into the security behaviour of tertiary students regarding mobile device security

    The use of mobile devices is becoming more popular by the day. With all the different features that the smart mobile devices possess, it is starting to replace personal computers both for personal use and business use. There are also more attacks concerning security on mobile devices because of their increased usage and the security measures not as effective and well-known as on personal computers. The perceived perception is that the young adult population does not act safely and they have a low level of technical advanced knowledge when using their mobile devices. Mobile users are largely responsible to protect themselves and other users from a security viewpoint. This paper reports on a study including a survey done regarding the behaviour of tertiary students concerning security of their mobile devices. Aspects of mobile device security will be discussed and the current status of tertiary students’ behaviour regarding mobile device security will be presented resulting from a survey conducted at a South African University. Findings indicate that tertiary students have diverse behaviour levels concerning mobile device security. The value of these results is that we can focus on specific content when educating smart device users on the subject of security including avoidance of risky or unsafe behaviour. Recommendations in this regard are presented in this paper