Studies in Big Data 47
N. Jeyanthi, Ajith Abraham, Hamid Mcheick (Editors)
Ubiquitous Computing and Computing Security of IoT
Studies in Big Data
Volume 47
Series editor
Janusz Kacprzyk, Polish Academy of Sciences, Warsaw, Poland
e-mail: [email protected]
The series "Studies in Big Data" (SBD) publishes new developments and advances in the various areas of Big Data, quickly and with a high quality. The intent is to cover the theory, research, development, and applications of Big Data, as embedded in the fields of engineering, computer science, physics, economics and life sciences. The books of the series refer to the analysis and understanding of large, complex, and/or distributed data sets generated from recent digital sources coming from sensors or other physical instruments as well as simulations, crowd sourcing, social networks or other internet transactions, such as emails or video click streams and others. The series contains monographs, lecture notes and edited volumes in Big Data spanning the areas of computational intelligence including neural networks, evolutionary computation, soft computing, fuzzy systems, as well as artificial intelligence, data mining, modern statistics and operations research, as well as self-organizing systems. Of particular value to both the contributors and the readership are the short publication timeframe and the world-wide distribution, which enable both wide and rapid dissemination of research output.
More information about this series at http://www.springer.com/series/11970
Editors
N. Jeyanthi, School of Information Technology and Engineering, VIT University, Vellore, Tamil Nadu, India
Hamid Mcheick, Université du Québec à Chicoutimi, Chicoutimi, QC, Canada
Ajith Abraham, Scientific Network for Innovation and Research Excellence, Machine Intelligence Research Labs (MirLabs), Auburn, WA, USA
ISSN 2197-6503 ISSN 2197-6511 (electronic)
Studies in Big Data
ISBN 978-3-030-01565-7 ISBN 978-3-030-01566-4 (eBook)
https://doi.org/10.1007/978-3-030-01566-4
Library of Congress Control Number: 2018957051
© Springer Nature Switzerland AG 2019
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Contents
Security Protocols for IoT
J. Cynthia, H. Parveen Sultana, M. N. Saroja and J. Senthil
Security of Big Data in Internet of Things
Rakesh Bandarupalli and H. Parveen Sultana
IoT for Ubiquitous Learning Applications: Current Trends and Future Prospects
Salsabeel Shapsough and Imran A. Zualkernan
Trust Management Approaches in Mobile Adhoc Networks
R. Vijayan and N. Jeyanthi
Security in Ubiquitous Computing Environment: Vulnerabilities, Attacks and Defenses
C. Shoba Bindu and C. Sasikala
Security Protocols for IoT
J. Cynthia, H. Parveen Sultana, M. N. Saroja and J. Senthil
Abstract The Internet of Things (IoT) is a network of devices that are uniquely identified and have the embedded software required to communicate the transient states and data that are usually used to trigger an actuator. Edge networking devices and protocols are used to communicate with a cloud server that processes and aggregates the big data arriving from various devices, performs analytics and aids in business decisions. IoT has become an integral part of today's industrial, agriculture, healthcare and smart city revolution. Securing all entities involved in an IoT network is vital as it involves pervasive data collection and dissemination. Current IoT protocols work with IP protocols as backbone, but they are specially designed to operate in multiple layers and provide security at various layers. This chapter focuses on IoT protocols that deal with securing an IoT network. The major challenge in securing an IoT network is the lack of standardization at the manufacturing level, which exposes the hardware, software and the data to various threats and attacks. The IoT protocols have to deal with security breaches at the site of the cloud service provider and the security issues pertaining to data privacy, authentication, authorization and trust management in a distributed heterogeneous environment. This chapter also elaborates on various security attacks and the solutions offered by IoT protocols.
Keywords IoT security · IoT architecture · IoT protocols · IoT threats · IoT attacks · Heterogeneous
J. Cynthia · M. N. Saroja · J. Senthil
Kumaraguru College of Technology, Coimbatore, India
H. Parveen Sultana
VIT University, Vellore, Tamil Nadu, India
e-mail: [email protected]
© Springer Nature Switzerland AG 2019
N. Jeyanthi et al. (eds.), Ubiquitous Computing and Computing Security of IoT, Studies in Big Data 47, https://doi.org/10.1007/978-3-030-01566-4_1

1 IoT Introduction and Security Overview
There are billions of IoT devices, business processes and systems with an IoT element in them. This dormant data available in the ecosystem must be trapped and analyzed to see if any functional information that is of benefit to a customer or business could be retrieved. Essential elements of IoT are people, things, data and process. IoT systems aim at networking these elements, which communicate with each other through a wired or wireless medium. IoT devices are grouped as sensors that collect data, actuators that effect actions and gateways that act as an interface for communication and automation. In an IoT framework, data is gathered from sensors, processed by microcontrollers such as Raspberry Pi or Arduino, stored in a cloud database, and analytics on the gathered big data is performed using any tool or language such as Python or Java. IoT is designed to strengthen communication across Device to Device (D2D), Human to Device (H2D), Human to Human (H2H) and Device to Human (D2H).
IoT has led to numerous autonomous applications in the areas of health care, business solutions, smart city, home automation, industry automation and intelligent transport systems. The success of IoT lies in distributed data gathering, aggregation, processing and analytics that can be performed from any location and is usually done as a cloud service. An IoT system evolves with the flow of data from the sensor where it is acquired, to the service that processes and performs analytics on the acquired data, to the customer or business that makes use of the analytics information.

With the prevalent presence of IoT, security risks are on the rise. Making data available anywhere makes it vulnerable to security threats and attacks. This chapter deals with major issues, challenges and solutions for providing IoT security. A single compromised entity in an IoT network makes other entities vulnerable. Since IoT is a collection of devices or sensors networked together to a cloud in order to provide an information service, all security threats that are applicable to Wireless Sensor Networks (WSN), the internet and the cloud are pertinent to IoT networks. IoT opens up tremendous opportunity for business, with the associated risk. The absence of strong authentication of IoT devices, encryption of IoT data, key management, etc., makes an IoT network vulnerable to external attacks and threats.
2 IoT Security Requirements
Security must be addressed throughout the life cycle of an IoT device. Shipley [1] and Jing et al. [2] list security requirements to be checked at various stages of the life cycle in order to alleviate an IoT attack. The IoT security requirements are listed below:
• Cryptographic Algorithms—Symmetric algorithms are lightweight compared to asymmetric algorithms and hence were recommended for securing data transmission. However, they have problems in key exchange, confidentiality, digital signature and message authentication. Hence public key algorithms were recommended as they were able to provide key management, node authentication, scalability and security.
• Key Management Techniques—Key management is an important security feature in IoT. Lightweight secure key distribution is required for secure communication. Key distribution schemes used in WSN are broadcast, group, node master and shared key distribution [2]. The focus of key management research is to reduce complexity and power consumption while maintaining security.
• Secured routing algorithms—Traditional network routing protocols cannot be applied to an IoT network. The routing protocol must ensure the authenticity of routed information, and eavesdropping must be avoided while communicating through a wireless medium. Routing protocols should be secured to prevent attacks such as DoS, wormhole, blackhole and selective forwarding.
• Data Classification—The data floating in an IoT network could be either functional or connected to people or an enterprise. The degree of protection required for data depends on the degree of sensitivity of the data. Data may be protected based on sensitivity classification [3]. Hence the following recommendations are made for an IoT vendor:
  – Define a data classification scheme based on data sensitivity.
  – Identify all data and data groups in an IoT network and classify them.
  – Design a security feature that protects viewing and editing of data based on its classification level.
• Protecting devices at production time—The IoT devices may be protected at production time. Any interface used at production time must be removed before deployment. All ports to the IoT devices must have proper access control. Devices placed in exposed locations must have a tamper-proof covering and shielding to avoid side channel attacks [3].
• Trusted and staged boot sequence—A trusted staged boot sequence will ensure the security of an IoT device. However, the first sequence is vital and hence should be initiated by secured locked code. Use of a secure module where the cryptographic algorithms and associated keys are stored is recommended. At every stage of boot code, it is recommended to check the trustworthiness of the boot code, the validity of the hardware and the completion of the previous code.
• Secured operating system—An IoT operating system should have limited access rights and reduce the visibility of the system. The operating system should be designed so as to have only the components, packages and libraries required for running an IoT device. Updates must be provided throughout the lifetime of the deployed device. The ports, protocols and services that are not used are to be disabled. Separate access rights must be given to users and administrators for accessing files and directories. An encrypted file system is to be used.
• Application security—Security considerations must be an integral part of application development and should not be added separately. The application gateway should validate all gathered data before it is processed. All user accounts and passwords are to be relinquished. Credentials must be separated from the application into secured storage. Application errors should not reveal details about the underlying architecture. Use of a secured software development life cycle procedure is recommended.
• Credential management—Credentials such as passwords, cryptographic keys and digital certificates of users and processes that are used to access the data must be kept in a secured location that cannot be accessed by external entities. The passwords used for authenticating must be strong, encrypted and hashed with an industry-standard hash function. Two-factor authentication may be used for access control. A unique digital certificate for each device is recommended, and this certificate must be secured and updated at regular intervals.
• Encryption—The strongest and latest encryption is recommended for an IoT network, if it is affordable. The encryption standard should correspond to the sensitivity of the data to be protected. Use of global keys is to be avoided. The private key of a device should never be shared. It should be possible to replace the encryption keys remotely. The encryption keys must be stored in trusted key modules.
• Network connections—The number of interfaces through which an IoT device is connected to the external network must be kept to a minimum. The device must be accessible only through a minimal set of ports, interfaces and services. Secure protocols such as HTTPS and SFTP are to be used to protect connections. The receiver machine must be authenticated before any sensitive data is sent.
• Software updating—Before any software update, the source of the update must be authenticated with the help of a verified certificate obtained from an authenticated certification authority. The software update packages must be signed.
• Secured event logging—Event logs should be protected from being modified or deleted by hackers. The event logs are normally stored in a centralized log pool away from the IoT device and hence must be transmitted through separate channels. The logs must be periodically analyzed to detect any faults, and immediate action is to be taken. The log files must be stored in separate partitions in the file system. Access rights to the log files are to be restricted. No sensitive credentials such as passwords are to be stored in logs.
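
The per-stage check in the trusted and staged boot item above, sketched as an added example (not code from the chapter): each stage image carries the SHA-256 digest of the stage that follows it, and only the digest of the first stage sits in locked storage. The image layout, the stage names and the `provision` and `boot` helpers are assumptions made for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = 32                      # SHA-256 output size in bytes
END_OF_CHAIN = bytes(DIGEST_LEN)     # assumed marker: last stage has no successor


def provision(stage_code):
    """Factory side: append to each stage the digest of the stage after it.

    Returns (images, root_digest); root_digest is what would be written
    to locked, read-only storage on the device.
    """
    images, next_digest = [], END_OF_CHAIN
    for code in reversed(stage_code):
        image = code + next_digest
        images.insert(0, image)
        next_digest = hashlib.sha256(image).digest()
    return images, next_digest


def boot(images, root_digest):
    """Device side: verify every stage before control would pass to it.

    Returns (ok, log). A stage is trusted only if its digest matches the
    value embedded in the previously verified stage.
    """
    expected, log = root_digest, []
    for index, image in enumerate(images):
        actual = hashlib.sha256(image).digest()
        if not hmac.compare_digest(actual, expected):
            log.append(f"stage {index}: digest mismatch, boot halted")
            return False, log
        log.append(f"stage {index}: verified")
        expected = image[-DIGEST_LEN:]   # safe to read: image was just verified
    if expected != END_OF_CHAIN:
        log.append("chain ends early: a later stage is missing")
        return False, log
    return True, log


# Constructed sample stages, not real firmware.
STAGES = [b"rom-loader", b"bootloader-v2", b"kernel-image"]
IMAGES, ROOT = provision(STAGES)
```

Because every digest covers the next digest as well as the code, changing any later stage invalidates the chain at that stage while earlier stages still verify.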
3 IoT Security Issues
The issues associated with the security of IoT are not only the issues related to the security of the wireless medium, WSN and the internet, but also the access control, authentication and privacy issues associated with IoT.
• Low power embedded device—IoT devices have less computation power and storage capacity. They are often found embedded in bigger hardware or a wearable device, where it is difficult to execute security algorithms that are normally heavyweight and expensive for a resource-constrained device.
• Trust Management—Trust management is required for the data authentication, data gathering and dissipation phases, for which strong cryptographic techniques or digital signatures are recommended [2].
• Heterogeneity—IoT is an integration of various heterogeneous networks and hence has its own compatibility and security issues. It is difficult to identify trusted nodes in a heterogeneous environment. Heterogeneity, identity management, privacy fault tolerance [3].