ABSTRACT
Embedded, mobile, and cyberphysical systems are becoming ubiquitous and are used in many applications, from consumer electronics, industrial control systems, modern vehicles, to critical infrastructures. Current trends and initiatives, such as Internet of Things (IoT) and smart cities, promise innovative business models and novel user experiences through strong connectivity and effective use of next generation embedded devices. These systems generate, process, and exchange vast amount of security-critical and privacy-sensitive data, which makes them attractive targets of attacks. Cyberattacks on IoT systems are highly critical since they may cause physical damage and threaten human lives. The complexity of these systems, the lack of security and privacy by design for current IoT devices, and potential impact of cyberattacks will bring about new threats. This paper gives an overview on the related security and privacy challenges, and an outlook on possible solutions towards a holistic security framework for IoT systems.
- Xbox 360 timing attack. 2007. {Online}. http://beta.ivc.no/wiki/index.php/Xbox_360_Timing_Attack.Google Scholar
- Critical security aw: glibc stack-based buffer overflow in getaddrinfo() (cve-2015-7547). 2015. {Online}. https://access.redhat.com/articles/2161461.Google Scholar
- C. Alcaraz, R. Roman, P. Najera, and J. Lopez. Security of industrial sensor network-based remote substations in the context of the internet of things. Ad Hoc Netw., 11(3), 2013. Google ScholarDigital Library
- O. Arias, J. Wurm, K. Hoang, and Y. Jin. Privacy and security in internet of things and wearable devices. IEEE Transactions on Multi-Scale Computing Systems, 1(2):99--109, 2015. Google ScholarDigital Library
- F. Armknecht, A.-R. Sadeghi, S. Schulz, and C. Wachsmann. A security framework for the analysis and design of software attestation. In ACM Conference on Computer & Communications Security (CCS). ACM, 2013. Google ScholarDigital Library
- N. Asokan, F. Brasser, A. Ibrahim, A.-R. Sadeghi, M. Schunter, G. Tsudik, and C. Wachsmann. Seda: Scalable embedded device attestation. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, 2015. Google ScholarDigital Library
- M. Blackstock and R. Lea. Toward interoperability in a web of things. In ACM Conference on Pervasive and Ubiquitous Computing Adjunct Publication (UbiComp). ACM, 2013. Google ScholarDigital Library
- F. Brasser, P. Koeberl, B. E. Mahjoub, A.-R. Sadeghi, and C. Wachsmann. TyTAN: Tiny trust anchor for tiny devices. In Design Automation Conference (DAC). ACM, 2015. Google ScholarDigital Library
- D. Brumley and D. Boneh. Remote timing attacks are practical. Computer Networks, 48(5):701--716, 2005. Google ScholarDigital Library
- bushing, marcan, segher, and sven. Console hacking 2010: Ps3 epic fail. In 27th Chaos Communication Congress, 2010.Google Scholar
- S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. Comprehensive experimental analyses of automotive attack surfaces. In USENIX Conference on Security. USENIX Association, 2011. Google ScholarDigital Library
- A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti. A large-scale analysis of the security of embedded firmwares. In USENIX Conference on Security Symposium. USENIX Association, 2014. Google ScholarDigital Library
- C. Cowan, S. Beattie, J. Johansen, and P. Wagle. Pointguard tm: protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th conference on USENIX Security Symposium, 2003. Google ScholarDigital Library
- C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Usenix Security, 1998. Google ScholarDigital Library
- A. Cui, J. Kataria, and S. J. Stofo. From prey to hunter: Transforming legacy embedded devices into exploitation sensor grids. In Proceedings of the 27th Annual Computer Security Applications Conference, 2011. Google ScholarDigital Library
- A. Cui and S. J. Stolfo. A quantitative analysis of the insecurity of embedded network devices: Results of a wide-area scan. In Annual Computer Security Applications Conference (ACSAC). ACM, 2010. Google ScholarDigital Library
- K. Eldefrawy, A. Francillon, D. Perito, and G. Tsudik. SMART: Secure and minimal architecture for (establishing a dynamic) root of trust. In Network and Distributed System Security Symposium (NDSS), 2012.Google Scholar
- K. Eldefrawy, G. Tsudik, A. Francillon, and D. Perito. SMART: Secure and minimal architecture for (establishing a dynamic) root of trust. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2012.Google Scholar
- B. Fowler. Some top baby monitors lack basic security features, report finds. 2015. {Online}. http://www.nbcnewyork.com/news/local/Baby-Monitor-Security-Research-324169831.html.Google Scholar
- E. Grosse and M. Upadhyay. Authentication at scale. IEEE Security Privacy, 11(1), 2013. Google ScholarDigital Library
- G. Hernandez, O. Arias, D. Buentello, and Y. Jin. Smart nest thermostat: A smart spy in your home. In Black Hat USA, 2014.Google Scholar
- A. G. Illera and J. V. Vidal. Lights off! The darkness of the smart meters. In BlackHat Europe, 2014.Google Scholar
- M. Kabay. Attacks on power systems: Hackers, malware, 2010.Google Scholar
- H. Kagermann, W. Wahlster, and J. Helbig. Securing the future of German manufacturing industry --- Recommendations for implementing the strategic initiative Industrie 4.0, 2013.Google Scholar
- P. Koeberl, S. Schulz, A.-R. Sadeghi, and V. Varadharajan. TrustLite: A security architecture for tiny embedded devices. In European Conference on Computer Systems (EuroSys). ACM, 2014. Google ScholarDigital Library
- J. Kong, F. Koushanfar, P. K. Pendyala, A.-R. Sadeghi, and C. Wachsmann. PUFatt: Embedded platform attestation based on novel processor-based PUFs. In Design Automation Conference (DAC). ACM, 2014. Google ScholarDigital Library
- K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. In IEEE Symposium on Security and Privacy (S&P), 2010. Google ScholarDigital Library
- F. Koushanfar, A.-R. Sadeghi, and H. Seudie. Eda for secure and dependable cybercars: Challenges and opportunities. In Proceedings of the 49th Annual Design Automation Conference. ACM, 2012. Google ScholarDigital Library
- X. Kovah, C. Kallenberg, C. Weathers, A. Herzog, M. Albin, and J. Butterworth. New results for timing-based attestation. In IEEE Symposium on Security and Privacy (S&P), 2012. Google ScholarDigital Library
- J. S. Kumar and D. R. Patel. A survey on internet of things: Security and privacy issues. International Journal of Computer Applications, 90(11), 2014. Google ScholarDigital Library
- R. Lemos. Sony left passwords, code-signing keys virtually unprotected. eWeek, 2014. {Online}. http://www.eweek.com/security/sony-left-passwords-code-signing-keys-virtually-unprotected.html.Google Scholar
- J. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB reduction and attestation. In IEEE Symposium on Security and Privacy (S&P), 2010. Google ScholarDigital Library
- F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In Hardware and Architectural Support for Security and Privacy (HASP). ACM, 2013. Google ScholarDigital Library
- M. Miettinen, N. Asokan, T. D. Nguyen, A.-R. Sadeghi, and M. Sobhani. Context-based zero-interaction pairing and key evolution for advanced personal devices. In Conference on Computer and Communications Security (CCS). ACM, 2014. Google ScholarDigital Library
- B. Miller and D. Rowe. A survey SCADA of and critical infrastructure incidents. In Research in Information Technology (RIIT). ACM, 2012. Google ScholarDigital Library
- D. Miorandi, S. Sicari, F. De Pellegrini, and I. Chlamtac. Survey internet of things: Vision, applications and research challenges. Ad Hoc Netw., 10(7), 2012. Google ScholarDigital Library
- Nest Labs. Open source compliance. {online}. https://nest.com/legal/compliance.Google Scholar
- J. Noorman, P. Agten, W. Daniels, R. Strackx, A. Van Herrewege, C. Huygens, B. Preneel, I. Verbauwhede, and F. Piessens. Sancus: Low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In USENIX Conference on Security. USENIX Association, 2013. Google ScholarDigital Library
- E. Owusu, J. Guajardo, J. McCune, J. Newsome, A. Perrig, and A. Vasudevan. OASIS: On achieving a sanctuary for integrity and secrecy on untrusted platforms. In ACM Conference on Computer & Communications Security (CCS). ACM, 2013. Google ScholarDigital Library
- H. Park, D. Seo, H. Lee, and A. Perrig. SMATT: Smart meter attestation using multiple target selection and copy-proof memory. In Computer Science and its Applications. Springer, 2012.Google Scholar
- B. Parno, J. M. McCune, and A. Perrig. Bootstrapping trust in commodity computers. In Security and privacy (SP), 2010 IEEE symposium on, 2010. Google ScholarDigital Library
- K. Poulsen. Slammer worm crashed Ohio nuke plant network, 2003.Google Scholar
- PR Newswire. Computer virus strikes CSX transportation computers, 2003.Google Scholar
- M. Rostami, A. Juels, and F. Koushanfar. Heart-to-heart (h2h): authentication for implanted medical devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013. Google ScholarDigital Library
- M. Rostami, F. Koushanfar, and R. Karri. A primer on hardware security: Models, methods, and metrics. Proceedings of the IEEE, 2014.Google ScholarCross Ref
- B. Schneier. Cryptographic design vulnerabilities. Computer, 31(9):29--33, 1998. Google ScholarDigital Library
- A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla. SCUBA: Secure code update by attestation in sensor networks. In ACM Workshop on Wireless Security (WiSe). ACM, 2006. Google ScholarDigital Library
- A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. In ACM Symposium on Operating Systems Principles (SOSP). ACM, 2005. Google ScholarDigital Library
- D. Shahrjerdi, J. Rajendran, S. Garg, F. Koushanfar, and R. Karri. Shielding and securing integrated circuits with sensors. In Computer-Aided Design (ICCAD), 2014 IEEE/ACM International Conference on. IEEE, 2014. Google ScholarDigital Library
- S. Skorobogatov. Fault attacks on secure chips: from glitch to ash. In Design and Security of Cryptographic Algorithms and Devices (ECRYPT II), 2011.Google Scholar
- M. Smith. Security holes in the 3 most popular smart home hubs and honeywell tuxedo touch. 2015. {Online}. http://www.networkworld.com/article/2952718/microsoft-subnet/security-holes-in-the-3-most-popular-smart-home-hubs-and-honeywell-tuxedo-touch.html.Google Scholar
- R. Strackx, F. Piessens, and B. Preneel. Efficient isolation of trusted subsystems in embedded systems. In Security and Privacy in Communication Networks. Springer, 2010.Google ScholarCross Ref
- G. E. Suh, D. Clarke, B. Gassend, M. van Dijk, and S. Devadas. AEGIS: Architecture for tamper-evident and tamper-resistant processing. In Annual International Conference on Supercomputing (CIS). ACM, 2003. Google ScholarDigital Library
- H. Suo, J. Wan, C. Zou, and J. Liu. Security in the internet of things: A review. In International Conference on Computer Science and Electronics Engineering (ICCSEE), 2012. Google ScholarDigital Library
- L. Szekeres, M. Payer, T. Wei, and D. Song. Sok: Eternal war in memory. In 2013 IEEE Symposium on Security and Privacy (SP), 2013. Google ScholarDigital Library
- H. T. T. Truong, X. Gao, B. Shresthab, N. Saxena, N. Asokan, and P. Nurmi. Using contextual co-presence to strengthen zero-interaction authentication: Design, integration and usability. Pervasive and Mobile Computing, 2014.Google Scholar
- Trusted Computing Group (TCG). Website, 2011.Google Scholar
- S. Tuecke, V. Welch, D. Engert, L. Pearlman, and M. Thompson. Internet x. 509 public key infrastructure (pki) proxy certificate profile. Technical report, 2004.Google Scholar
- O. Vermesan and P. Friess. Internet of Things --- From Research and Innovation to Market Deployment. River Publishers, 2014.Google Scholar
- J. Vijayan. Stuxnet renews power grid security concerns, 2010.Google Scholar
- J. Winter. Trusted computing building blocks for embedded linux-based ARM Trustzone platforms. In ACM Workshop on Scalable Trusted Computing (STC). ACM, 2008. Google ScholarDigital Library
- J. Wurm, O. Arias, K. Hoang, A.-R. Sadeght, and Y. Jin. Security analysis on consumer and industrial iot devices. In 21st Asia and South Pacific Design Automation Conference (ASP-DAC), 2016.Google ScholarDigital Library
- K. Zhao and L. Ge. A survey on the internet of things security. In Computational Intelligence and Security (CIS), 2013. Google ScholarDigital Library
- S. Zonouz, J. Rrushi, and S. McLaughlin. Detecting industrial control malware using automated PLC code analytics. IEEE Security and Privacy, 12(6), 2014.Google Scholar
- D. Zuehlke. Smartfactory --- towards a factory of things. Annual Reviews in Control, 34(1), 2010.Google ScholarCross Ref
Index Terms
- Invited - Can IoT be secured: emerging challenges in connecting the unconnected
Recommendations
Invited - Can IoT be secured: emerging challenges in connecting the unconnected
DAC '16: Proceedings of the 53rd Annual Design Automation ConferenceEmbedded, mobile, and cyberphysical systems are becoming ubiquitous and are used in many applications, from consumer electronics, industrial control systems, modern vehicles, to critical infrastructures. Current trends and initiatives, such as Internet ...
Cyber Threat Mitigation of Wireless Sensor Nodes for Secured, Trustworthy IoT Services
This article discusses about the potential of the Internet of Things technology IoT, the IoT-enabled services in smart cities, wireless sensor nodes as key components to deliver the smart services, security threats of wireless sensor nodes and how we ...
Comments