ViotSOC: Controlling Access to Dynamically Virtualized IoT Services using Service Object Capability

Virtualization of Internet of Things(IoT) is a concept of dynamically building customized high-level IoT services which rely on the real time data streams from low-level physical IoT sensors. Security in IoT virtualization is challenging, because with the growing number of available (building block) services, the number of personalizable virtual services grows exponentially. This paper proposes Service Object Capability(SOC) ticket system, a decentralized access control mechanism between servers and clients to effi- ciently authenticate and authorize each other without using public key cryptography. SOC supports decentralized partial delegation of capabilities specified in each server/- client ticket. Unlike PKI certificates, SOC’s authentication time and handshake packet overhead stays constant regardless of each capability’s delegation hop distance from the root delegator. The paper compares SOC’s security bene- fits with Kerberos and the experimental results show SOC’s authentication incurs significantly less time packet overhead compared against those from other mechanisms based on RSA-PKI and ECC-PKI algorithms. SOC is as secure as, and more efficient and suitable for IoT environments, than existing PKIs and Kerberos

SEABASS: Symmetric-keychain Encryption and Authentication for Building Automation Systems

There is an increasing security risk in Building Automation Systems (BAS) in that its communication is unprotected, resulting in the adversary having the capability to inject spurious commands to the actuators to alter the behaviour of BAS. The communication between the Human-Machine-Interface (HMI) and the controller (PLC) is vulnerable as there is no secret key being used to protect the authenticity, confidentiality and integrity of the sensor data and commands. We propose SEABASS, a lightweight key management scheme to distribute and manage session keys between HMI and PLCs, providing a secure communication channel between any two communicating devices in BAS through a symmetric-key based hash-chain encryption and authentication of message exchange. Our scheme facilitates automatic renewal of session keys periodically based on the use of a reversed hash-chain. A prototype was implemented using the BACnet/IP communication protocol and the preliminary results show that the symmetric keychain approach is lightweight and incurs low latency

Twenty security considerations for cloud-supported Internet of Things

To realise the broad vision of pervasive computing, underpinned by the “Internet of Things” (IoT), it is essential to break down application and technology-based silos and support broad connectivity and data sharing; the cloud being a natural enabler. Work in IoT tends towards the subsystem, often focusing on particular technical concerns or application domains, before offloading data to the cloud. As such, there has been little regard given to the security, privacy and personal safety risks that arise beyond these subsystems; that is, from the wide-scale, crossplatform openness that cloud services bring to IoT. In this paper we focus on security considerations for IoT from the perspectives of cloud tenants, end-users and cloud providers, in the context of wide-scale IoT proliferation, working across the range of IoT technologies (be they things or entire IoT subsystems). Our contribution is to analyse the current state of cloud-supported IoT to make explicit the security considerations that require further work.This work was supported by UK Engineering and Physical Sciences Research Council grant EP/K011510 CloudSafetyNet: End-to-End Application Security in the Cloud and Microsoft through the Microsoft Cloud Computing Research Centre

Secure service virtualization in IoT by dynamic service dependency verification

Virtualizing Internet of Things (IoT) services is a concept of dynamically building customized high-level IoT services that rely on the real time data streams flowing from lowlevel standalone IoT devices. IoT service virtualization is essential when a myriads of IoT devices can get on-line, interact with each other, exchange data and based on them create one’s own service. Especially, when virtualization occurs across multiple externals domains, it’s crucial for clients to verify the source of virtual services, i.e. whether they are built based on authentic original service sources. Also, original services sources must be constantly aware of the identity of entities who (recursively) virtualize their services. To address these issues, this paper proposes IoT Service Dependency Tree (SDT) validation scheme. SDT uses service dependency trees and dependency signature trees, which enable clients to validate the original sources of a virtual IoT service, verify its service dependency relationships, and have original service sources to be constantly notified of the list of entities (recursively) virtualizing their services. This paper explains SDT scheme and presents use cases for IoT service virtualization where SDT can be applied. Our experimental analysis shows SDT is scalable for practical use