Lecture 7 - Identifying and responding to security threats targeting IoT-based systems Flashcards
(25 cards)
Hashing algorithm -
the process of transforming any given key or a string of characters into another value. An encryption algorithm and a hashing algorithm are not the same thing. You cannot reverse the hashing algorithm. Hashing algorithm and salt → You add one extra random value to e.g. a password before hashing it.
Security as a quality attribute -
Source (human, process, malware). Stimulus (the actual threat or attack). Artifact (the affected element). Environment (the current state or context in which a system or device operates - online/offline, connected/disconnected, behind firewall/open to network). Response (countermeasures to minimise the attack - data or service are protected from unauthorized access). Response measure (how we assess the system’s reaction to a security-related event - how much of the system is compromised?…).
Tactics for security -
1. Detect attack (spot intrusions by comparing traffic patterns with known attack signatures, check IP, protocol, delays etc). 2. Resisting attack (identify users/devices, user authentication and access control, encrypt data). 3. React to attack (revoke access, shut down/disconnect device, send alerts, log the attempt or block it). 4. Recover from attack (review audit logs to assess damage, restore backups, replace devices, renew digital certificates).
IoT reference architecture -
perception layer, network/transportation layer, management/processing layer, application/service layer
Perception layer -
Collects data from the physical world (e.g. smart vehicles, sensors). Some devices can’t connect directly to the internet—IoT gateways act as bridges. Security Issues: Booting attack: device attacked during startup when security is off. Port exploits: attackers use unused or insecure interfaces. Firmware flaws: hardcoded passwords, weak credentials. Security Best Practices: Disable unused ports/interfaces to prevent local access. Encrypt data at rest to protect sensitive info. Fault detection algorithms to spot malicious nodes.
Network/transportation layer -
Manages data transfer between devices, apps, and servers. Uses networks like Wi-Fi, cellular, Bluetooth, etc. Security Issues: Radio sniffing: attackers capture wireless traffic. Port scanning tools (e.g. Nmap, Shodan) to find vulnerabilities. Jamming attacks: block signals with interference. Security Best Practices: Encrypt wireless communication (e.g. TLS). Use TLS for secure, authenticated, and confidential data. Physical interaction (like tapping or scanning) can stop remote snooping.
Management/processing layer -
Manages devices, services, software updates, dashboards, and data storage. Handles lifecycle and computing for IoT devices. Security Issues: Cloud-related risks: VM sprawl, credential leaks, human errors. Malware injection: into software updates or firmware. Poor monitoring: limited visibility into IoT device activity. Security Best Practices: Use edge computing to improve data privacy. Validate software integrity before updates. Protect data sources from tampering.
Application/service layer -
Delivers apps like mobile apps, APIs, and web interfaces. Used in smart home, health, and building systems. Security Issues: Cloud vulnerabilities (e.g. weak backend security). Weak authentication or default passwords. Web app attacks (e.g. XSS, SQLi). Security Best Practices: Use strong passwords. Apply role-based access control. Log system activity and use secure password recovery.
What threats are there in physical attacks? -
physical damage, node tampering, malicious node injection.
What threats are there in software attacks? -
malicious scripts/injection (SQLi), malware (virus, trojan, worm)
What threats are there in network attacks? -
DoS/DDoS, routing, eavesdropping/traffic analysis, tracking/monitoring.
What threats are there in encryption attacks? -
side-channel, cryptanalysis.
Name types of attacks -
DDoS, routing, and malicious injection.
IoT security best practices in cloud -
encrypt data at rest and in transit, Device authorisation using OAuth 2.0, Device identity using a digital certificate.
IoT security best practices WAN communication security (MQTT example) -
Encrypt the transport protocol. Secure 4G/5G connection. Device-based authentication IDS/IPS.
IoT security best practices in application -
Use secure API for RESTful communications. Authentication. Authorization. Encryption
IoT security best practices PAN communication security (Bluetooth example) -
Device authentication. Frequency hopping. Do not bond BLE automatically. Pair only using the push button or human enables signal on the device
IoT security best practices in endpoint security (hardware) -
Physical and tamper security. Secure boot and root of trust. Encrypt data at rest.
IoT security best practices in edge routing/gateway security (hardware) -
Physical and tamper security. Secure boot and root of trust. Encrypt data at rest. Trusted execution environment.
Challenges in securing the IoT -
Device-level challenges (devices have limited memory, battery and processing power, many devices lack input options (no keyboard/screen) - makes secure setup harder, devices are often physically exposed). Network/service-level challenges (complex communication between layers - hard to secure, devices can connect/disconnect anytime - hard to monitor). Application-level challenges (huge amount of data - hard to manage and secure, privacy concerns due to constant data collection, apps may have security flaws).
Privacy in IoT -
refers to the control needed to protect personal information from exposure in IoT systems. Privacy can be considered from individual social needs and control such as privacy of communication, of association, of activities, of behavior and action, of feeling, and of safeguarding personal data leakage from sensing.
Three different practices that threaten privacy -
- Data gathering: techniques used to collect and record personal information, often without the knowledge and consent of users.
- Data exchange: techniques used to transfer and exchange personal data, typically without the knowledge and consent of users.
- Data mining: techniques used to search large databases in order to generate consumer profiles based on the behavioural patterns of certain groups.
Challenges in preserving privacy in IoT -
Challenges in understanding the complicated privacy documents that come with the IoT devices. Lack of awareness of data collection, transmission, processing and storage through sensors installed in smart buildings or public places. Difficulty in implementing informed consent compliance through data protection regulations.
Privacy-by-Design seven Principles -
1. Proactive, not reactive; preventative, not remedial. 2. Privacy as default setting. 3. Privacy embedded into design (the system shouldn’t work without alignment). 4. Full functionality - positive sum, not zero-sum. 5. End-to-end security - full life cycle protection. 6. Visibility and transparency by keeping it open. 7. Respect for user privacy by keeping it user-centric.