IOT CYBER SECURITY RESEARCH AT UTS

eryk.dutkiewicz@uts.edu.au

Prof. Eryk DutkiewiczHead of School

School of Computing and Communications

IoT enables objects to talk to other objects. Billions of devices envisaged with a wide range of applications. Greatly extends the current Internet. Security is essential for many applications.

An Example

Internet of Things and Cyber Security

Secure Connectivity and Configuration

Secure Production and Data Collection Telemetry

Localisation, Sensing/Actuation

, Collection,

Aggregation and Filtering

Throughput and Per-message

QoS

NotificationsScheduling and

Targeting (Edge Devices, Device Groups

within large populations)

Command/Control and Query

Correlation, Sessions and Batching

Secure Brokerage, Storage & Integration

Interoperation and Integration,

APIs, 3rd Party Support, Legacy Systems

Secure Visualisation and Action

Predictive Analytics, Load Balancing.

Scenario Generation,Simulation and Training

• Secure production and visualization of image of image-based IoT applications

• Secure communications for hard-to-secure devices

Secure Connectivity and

Configuration

Secure Production and Data Collection

TelemetryLocalisation,

Sensing/Actuation, Collection, Aggregation

and FilteringThroughput and Per-

message QoS

NotificationsScheduling and Targeting (Edge Devices, Device

Groups within large populations)

Command/Control and QueryCorrelation,

Sessions and Batching

Secure Brokerage, Storage & Integration

Interoperation and Integration, APIs, 3rd Party Support,

Legacy Systems

Secure Visualisation and Action Predictive Analytics,

Load Balancing. Scenario Generation,

Simulation and Training

1. Secure production and visualization in image-based IoT applications

2. Secure communications for hard-to-secure IoT devices

Figure 4: General architecture of proposed model Figure 3: Relation between contrast and human sensitivity

Figure 1: This image contains 100 pages of text with various facts about Sydney

Figure 2: The concept

Securing Information in Digital Artifacts

Contact: Dr Zenon Chaczko

Encoding and Securing Data: Time Stamping, Invisible Copyrighting, …

Steganography

Social Event Identification and TrackingTime Series Analysis

Causality Analysis

Dynamic sparse representation

Contact: Dr Min XuCross-domain event analysis

Easier-to-secure devices: smart phone, laptops...

IoT Devices and Security Challenges

Hard-to-secure devices: limited in power and computational capability

Smart meters, wearable devices, sensors, implantable devices (e.g., pacemakers)

Smart metters

Fitbit actifity tracker

Pacemaker

CoAP uses client/server interaction model similar to HTTPIn our scheme, the clients and server challenge each other for the authentication> Involves four handshake messages

> Payload of each message does not exceed 256 bits

Advanced Encryption Standard 128-bit is used for the payload encryption> Optimised for low energy consumption

A Lightweight Mutual Authentication SchemeUsing Payload-Based Encryption

Four Phases > Session/Connection initiation

> Server challenge

> Client response and challenge

> Server response

Pre-Requisite> Provisioning Phase

Contact: Dr Priyadarsi Nanda

• Legal and security/privacy issues• Monitor everything causing privacy concerns

• Data is everywhere

• Distributed nature• Management of a large number of distributed devices

• Sensors in public areas unprotected

• Hard-to-secure devices• Limited power, computation capability, storage ...

• Wireless links vulnerable to simple attacks (e.g. eavesdropping, jamming)

• Passive RFID tags

Unprecedented Security Challenges in IoT

Smart meters/sensors fieldSource: WinLab Rutgers

• TI MSP430 16-bit microcontroller, CC1150 Radio

Example:

• 14B packet at 250kbps requires 448 µsec for transmission and consumes 34.9 µJ

• If security overhead is about the same only about 448 x 10-6 x 12 x 106 = 5376 security operations can be performed

• But light TSL requires 16 millions operations*

Conventional encryption/TSL does not apply

Need novel approaches to secure little devices in IoTs

Conventional Encryption Does not Apply

*Source: WinLab Rutgers

Unauthorized Access:

Read smart meters, wearable devices, implant devicess

Eavesdropping:

Leak confidential information (e.g., RFID and chip on credit cards)

Modification of Information

Typical Threats to Hard-to-Secure Devices

• Blind eavesdroppers with Artificial Interference/Jamming

• Meter reader injects interference to conceal readings

• Cancels it own interference through self-

interference suppression

Solution 1: Rx-based Friendly Jamming

x+2

x+3

y+21

Address eavesdropping and information modification

Reader

Contact: Dr Diep Nguyen

Solution 2: Data Forensics or Big Data for Little Devices

Address unauthorized access/authentication issues

Detect spoofing via anomaly detection:

• Physical channel statistics: RSSI readings, fading profile

• MAC layer statistics: packet sequence number, packet loss ratio

• Traffic statistics: inter-arrival packet time

B

AX

SpoofingReader

Contact: Dr Diep Nguyen

Thank You!