A Critical Analysis on the Security of IoTs International Journal of Computer Applications (0975 8887) Volume 111 - No. 7, February 2015 Syeda Wishal Bokhari School of Material Sciences & Engineering December 3rd, 2015 Thursday

Contents Introduction Generic Architecture Security goals Security Challenges & issues Security at different layers Conclusion & future work

Contents Introduction Generic Architecture Security goals Security Challenges & issues Security at different layers Conclusion & future work

Introduction Why do we ne

Does the Internet of Things need Security? Pacemakers, insulin pumps etc. may be hacked Malicious applications may collect your private data (photos, messages, location, etc.) Smartphone Medical Devices Can burglars determine whether you are home? Your Smartphone Not only may your cellular provider be tracking information about you – such as with whom you communicate and your location – but it, as well as Google GOOG +0.15% (in the case of Android), Apple AAPL -8.11% (in the case of iPhones), or other providers of software on the device, may be aware of far more detailed actions such as what apps you install and run, when you run them, etc. Some apps sync your contacts list to the providers’ servers by default, and others have been found to ignore privacy settings. Phones may even be capturing pictures or video of you when you do not realize and sending the photos or video to criminals! Your Webcam or Home Security Cameras On that note, malware installed on your computer may take control of the machine’s webcam and record you – by taking photos or video – when you think the camera is off. Miss Teen USA was allegedly blackmailed by a hacker who took control of her laptop’s webcam and photographed her naked when she thought the camera was not on. Likewise, malware on computers or hackers operating on those machines could potentially intercept transmissions from security cameras attached to the same network as the devices (some cameras transmit data unencrypted), and copy such videos for their own systems. Such information is invaluable to burglars. Your Lights, Home Entertainment System, and Home Alarm System Various newer lighting, home entertainment, and home security systems can be controlled via Wi-Fi or even across the Internet. Remote control is a great convenience, but it also raises questions as to whether information is reported to outside parties. Does your alarm provider get notified every time you come and go? Is information about your choice of audio entertainment relayed to manufacturers of the equipment on which it is played or the supplier of the music? Could hackers gather information from smart lighting, entertainment, or security devices – or the networks on which they communicate – to determine patterns of when you are home, when you are likely to have company over, and when your house is empty? Your Laundry Equipment Like kitchen appliances, washers and dryers that connect to the Internet may report information that users may not realize is being shared, and that if intercepted, or misused, could help criminals identify when you are home and when you are not. Your Medical Devices It is not news that pacemakers, insulin pumps, and other medical devices can be hacked. But even normal functioning devices may spy on you. Various pacemakers relay patient status information over the Internet – this may be valuable in some cases, but also creates risks. Could unauthorized parties obtain information from such data in transmit? What if a criminal sent out phony “pacemaker impersonating” messages stating that a patient is in distress in order to have his physician instruct him to go to the hospital – and leave his home vulnerable? http://www.contextis.com/resources/blog/hacking-internet-connected-light-bulbs/ Laundry Equipment Broadcast WiFi passwords unencrypted Smart Lights Smart Kitchen Appliances Slide taken from Group # 6 presentation

Contents Generic Architecture Introduction Security goals Security Challenges & issues Security at different layers Conclusion & future work

Generic Architecture Perception Layer Network Middle-ware Layer Information processing Information applications e.g. smart homes etc. Information transmission Information generation with the help of sensors. Perception Layer Network Middle-ware Layer Application Layer

Contents Security Goals Introduction Generic Architecture Security Challenges & issues Security at different layers Conclusion & future work

Security Goals Confidentiality Availability Integrity Data Data Confidentiality: Providing freedom to the user from the external interference. Privacy of the sensitive information and guarantee the access to the data by authorized users only. Many security measures available e.g. DATA ENCRYPTION, 2-STEP VERIFICATION, BIOMETIC VERIFICATION. For IoTs, sensors don’t transmit their data to neighboring nodes and tags don’t transmit their data to the unauthorized reader. Data Integrity: Refers to the protection of information from the cybercriminals during transmission and reception with some common tracking methods so the data cannot be tempered without the system catching the threat. The methods include Checksum and Cyclic Redundancy Check (CRC). Continuous syncing for backup purposes can also ensure the integrity of the data until accessed by the authorized user. Data Availability: It ensures the intermediate access of the authorized party to the data in normal and even disastrous conditions. It is necessary to provide the firewalls to countermeasure the attacks on the services like DoS which can deny the availability of data to the end users.

Contents Security Challenges & issues Introduction Generic Architecture Security Goals Security Challenges & issues Security at different layers Conclusion & future work

Security Challenges & issues Perception Layer Challenge Unauthorized access to tags Tag cloning Eavesdropping Spoofing RF jamming

2. Network Layer Challenge Sybil Attack Manipulation of nodes Sinkhole Attack Silence traffic fooling system by the attacker Sleep deprivation Attack The minimization of life time of battery resulting in nodes shut down Denial of Service (DoS) Attack The unavailability of the network by a flood of traffic by the attacker Malicious Code Injection The injection of malicious code into the system Man-in-the-middle Attack Kind of eavesdropping 1 2 3 4 5 6

3. Middle-ware Layer Challenge Unauthorized Access DoS Attack Malicious insider Forbidding access to the related services of IoT by the attacker Failure of system by the unauthorized access System Shut down Unavailability of services Tempering of the data for personal benefits by authorized party for any 3rd party. Easy extraction and manipulation of the data.

4. Application Layer Challenge ALC Malicious Code Injection DoS Attack Sniffing Attack (introduction of sniffer app) Spear Phishing Attack (Junk/spam email) 4. Application Layer Challenge

Contents Security at different layers Introduction Generic Architecture Security Goals Security Challenges & issues Security at different layers Conclusion & future work

Security at different Layers Perception Layer Hash algorithms Encryption Mechanisms Anonymity approaches Risk assessment Intrusion detection Network Layer P2P Encryption Routing Security Data Integrity Application & Middle-ware Layer Integrated identity identification Encryption mechanisms Firewalls Risk assessments Intrusion detection

Contents Conclusion & future work Introduction Generic Architecture Security Goals Security Challenges & issues Security at different layers Conclusion & future work

Self defense system Self responsiveness Automated confront