Haroon Mahmood,Maliha Arshad,Irfan Ahmed,Sana Fatima,Hafeez ur Rehman

DOI: https://doi.org/10.1016/j.fsidi.2024.301748

IF: 1.805

2024-04-06

Forensic Science International Digital Investigation

Abstract:Internet of Things (IoT) systems often consist of heterogeneous, resource-constrained devices that generate massive amounts of data. This data is important for assessments, behaviour analysis, and decision-making. However, IoT devices are also susceptible to cyber-attacks, such as information theft, personal device intervention, and privacy invasion. In case of an incident, these devices are subject to digital forensic investigation to identify and analyze crimes and misuse. Over the years, several forensic frameworks and techniques have been proposed to facilitate the investigation of IoT networks and devices, but finding a perfect solution that covers the diversity of IoT devices and networks is still a research challenge. In this study, we present a comparative analysis of existing forensic investigation frameworks and identify their strengths and weaknesses in handling forensic challenges of IoT devices. The study uses evaluation metrics of ten important parameters, including heterogeneity, scalability, and chain of custody, to thoroughly audit the effectiveness of these models. Our analysis concludes that the existing investigation frameworks do not cater to all requirements and aspects of IoT forensics. It further highlights the need for standard mechanisms to acquire and analyze digital artifacts in IoT devices.

computer science, information systems, interdisciplinary applications

Abdulghani Ali Ahmed,Khalid Farhan,Waheb A Jabbar,Abdulaleem Al-Othmani,Abdullahi Gara Abdulrahman

DOI: https://doi.org/10.3390/s24165210

2024-08-12

Abstract:The Internet of Things forensics is a specialised field within digital forensics that focuses on the identification of security incidents, as well as the collection and analysis of evidence with the aim of preventing future attacks on IoT networks. IoT forensics differs from other digital forensic fields due to the unique characteristics of IoT devices, such as limited processing power and connectivity. Although numerous studies are available on IoT forensics, the field is rapidly evolving, and comprehensive surveys are needed to keep up with new developments, emerging threats, and evolving best practices. In this respect, this paper aims to review the state of the art in IoT forensics and discuss the challenges in current investigation techniques. A qualitative analysis of related reviews in the field of IoT forensics has been conducted, identifying key issues and assessing primary obstacles. Despite the variety of topics and approaches, common issues emerge. The majority of these issues are related to the collection and pre-processing of evidence because of the counter-analysis techniques and challenges associated with gathering data from devices and the cloud. Our analysis extends beyond technological problems; it further identifies the procedural problems with preparedness, reporting, and presentation as well as ethical issues. In particular, it provides insights into emerging threats and challenges in IoT forensics, increases awareness and understanding of the importance of IoT forensics in preventing cybercrimes, and ensures the security and privacy of IoT devices and networks. Our findings make a substantial contribution to the field of IoT forensics, as they not only involve a critical analysis of the challenges presented in existing works but also identify numerous problems. These insights will greatly assist researchers in identifying appropriate directions for their future research.

Ayushi Mishra,Tej Kiran Boppana,Priyanka Bagade

2023-12-07

Abstract:The Medical Internet of Things (MIoT) has enabled small, ubiquitous medical devices to communicate with each other to facilitate interconnected healthcare delivery. These devices interact using communication protocols like MQTT, Bluetooth, and Wi-Fi. However, as MIoT devices proliferate, these networked devices are vulnerable to cyber-attacks. This paper focuses on the vulnerabilities present in the Message Queuing Telemetry and Transport (MQTT) protocol. The MQTT protocol is prone to cyber-attacks that can harm the system's functionality. The memory-constrained MIoT devices enforce a limitation on storing all data logs that are required for comprehensive network forensics. This paper solves the data log availability challenge by detecting the attack in real-time and storing the corresponding logs for further analysis with the proposed network forensics framework: MediHunt. Machine learning (ML) techniques are the most real safeguard against cyber-attacks. However, these models require a specific dataset that covers diverse attacks on the MQTT-based IoT system for training. The currently available datasets do not encompass a variety of applications and TCP layer attacks. To address this issue, we leveraged the usage of a flow-based dataset containing flow data for TCP/IP layer and application layer attacks. Six different ML models are trained with the generated dataset to evaluate the effectiveness of the MediHunt framework in detecting real-time attacks. F1 scores and detection accuracy exceeded 0.99 for the proposed MediHunt framework with our custom dataset.

Cryptography and Security

Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García,Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García

DOI: https://doi.org/10.1016/j.fsidi.2022.301451

2022-09-01

Abstract:Forensic investigations in the Internet of Things (IoT) are becoming ever more important as the number of cyberincidents that occur in it continues to rise. As a result, it has become necessary to determine how to proceed in performing examinations in this environment, as its novelty and new characteristics demand the development of new forensic solutions that can guarantee a complete and efficient analysis. The approach followed until now by the research community has been to examine the most popular IoT devices and systems with the aim of gaining an insight into what data can be extracted from them, how to extract these data, and what limitations an investigator may encounter in the process. Following this idea, this article, apart from studying the state of the art of IoT forensic investigations, details the examination process for the “Xiaomi Mi Smart Sensor Set” smart home kit, emphasizing the acquisition and analysis of the three main types of forensic evidence: non-volatile memory, volatile memory and network traffic. In particular, we extract and list the useful forensic artifacts that can be obtained from this kit, describing their purpose and location.

computer science, information systems, interdisciplinary applications

Shams Forruque Ahmed,Shanjana Shuravi,Afsana Bhuyian,Shaila Afrin,Aanushka Mehjabin,Sweety Angela Kuldeep,Md. Sakib Bin Alam,Amir H. Gandomi

DOI: https://doi.org/10.48550/arXiv.2309.02707

2023-09-06

Networking and Internet Architecture

Abstract:Given the exponential expansion of the internet, the possibilities of security attacks and cybercrimes have increased accordingly. However, poorly implemented security mechanisms in the Internet of Things (IoT) devices make them susceptible to cyberattacks, which can directly affect users. IoT forensics is thus needed for investigating and mitigating such attacks. While many works have examined IoT applications and challenges, only a few have focused on both the forensic and security issues in IoT. Therefore, this paper reviews forensic and security issues associated with IoT in different fields. Future prospects and challenges in IoT research and development are also highlighted. As demonstrated in the literature, most IoT devices are vulnerable to attacks due to a lack of standardized security measures. Unauthorized users could get access, compromise data, and even benefit from control of critical infrastructure. To fulfil the security-conscious needs of consumers, IoT can be used to develop a smart home system by designing a FLIP-based system that is highly scalable and adaptable. Utilizing a blockchain-based authentication mechanism with a multi-chain structure can provide additional security protection between different trust domains. Deep learning can be utilized to develop a network forensics framework with a high-performing system for detecting and tracking cyberattack incidents. Moreover, researchers should consider limiting the amount of data created and delivered when using big data to develop IoT-based smart systems. The findings of this review will stimulate academics to seek potential solutions for the identified issues, thereby advancing the IoT field.

Narasimha Swamy S,Dheeraj Manirathnam Anna,Vijayalakshmi M N,Kota Solomon Raju

DOI: https://doi.org/10.1109/jiot.2024.3349394

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Recent advancements in IoT have led to emergence of fascinating breakthroughs in diverse applications. Nowadays, the use-cases of smart home systems are augmenting as they provide functionalities like real-time monitoring and high degree of remote control. MQTT protocol is one of the most widely used messaging protocols in IoT-based applications including smart homes. This protocol lacks required security features owing to which, the intruders can launch variety of attacks easily. Stirred by this, we proposed a lightweight device authentication scheme for MQTT protocol. In this work, publisher/ subscriber, and broker use lightweight cryptographic operations to enable device authentication. Also, this mechanism utilizes the lightweight cryptographic keys such as One-time Key (OTKey) and Tokens (Ti) to complete registration and authentication process respectively. Compared to other protocols, our approach reduces both communication and computation costs while maintaining the security demands. We put a prototype into practice to assess the performance of the proposed authentication mechanism. Further, we perform the formal analysis of the proposed authentication mechanism using AVISPA protocol analyzer tool. The proposed security mechanism is resistant to various attacks such as replay attack, device impersonate attack, malicious node attack, etc., and it enables the security features like device authentication and device anonymity in smart homes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Asanka Sayakkara,Nhien-An Le-Khac,Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1904.02089

2019-04-04

Abstract:Internet of Things (IoT) devices have expanded the horizon of digital forensic investigations by providing a rich set of new evidence sources. IoT devices includes health implants, sports wearables, smart burglary alarms, smart thermostats, smart electrical appliances, and many more. Digital evidence from these IoT devices is often extracted from third party sources, e.g., paired smartphone applications or the devices' back-end cloud services. However vital digital evidence can still reside solely on the IoT device itself. The specifics of the IoT device's hardware is a black-box in many cases due to the lack of proven, established techniques to inspect IoT devices. This paper presents a novel methodology to inspect the internal software activities of IoT devices through their electromagnetic radiation emissions during live device investigation. When a running IoT device is identified at a crime scene, forensically important software activities can be revealed through an electromagnetic side-channel analysis (EM-SCA) attack. By using two representative IoT hardware platforms, this work demonstrates that cryptographic algorithms running on high-end IoT devices can be detected with over 82% accuracy, while minor software code differences in low-end IoT devices could be detected over 90% accuracy using a neural network-based classifier. Furthermore, it was experimentally demonstrated that malicious modification of the stock firmware of an IoT device can be detected through machine learning-assisted EM-SCA techniques. These techniques provide a new investigative vector for digital forensic investigators to inspect IoT devices.

Cryptography and Security

Snehal Sathwara,Nitul Dutta,Emil Pricop

DOI: https://doi.org/10.1109/ECAI.2018.8679017

2019-09-06

Abstract:Security issues, threats, and attacks in relation with the IoT have been identified as promising and challenging area of research. Eventually, the need for a forensics methodology for investigating IoT-related crime is therefore essential. However, the IoT poses many challenges for forensics investigators. These include the wide range and variety of information, the unclear lines of differentiation between networks, for example private networks increasingly fading into public networks. Further, integration of a large number of objects in IoT forensic interest, along with the relevance of identified and collected devices makes forensic of IoT devices more complicated. The scope of this paper is to present a framework for IoT forensic. We aimed at the study and development of the link to support digital investigations of IoT devices and tackle emerging challenges in digital forensics. We emphasize on various steps for digital forensic with respect to IoT devices.

Networking and Internet Architecture,Cryptography and Security

Tanveer Zia,Peng Liu,Weili Han

DOI: https://doi.org/10.1145/3098954.3104052

2017-01-01

Abstract:Besides its enormous benefits to the industry and community the Internet of Things (IoT) has introduced unique security challenges to its enablers and adopters. As the trend in cybersecurity threats continue to grow, it is likely to influence IoT deployments. Therefore it is eminent that besides strengthening the security of IoT systems we develop effective digital forensics techniques that when breaches occur we can track the sources of attacks and bring perpetrators to the due process with reliable digital evidence. The biggest challenge in this regard is the heterogeneous nature of devices in IoT systems and lack of unified standards. In this paper we investigate digital forensics from IoT perspectives. We argue that besides traditional digital forensics practices it is important to have application-specific forensics in place to ensure collection of evidence in context of specific IoT applications. We consider top three IoT applications and introduce a model which deals with not just traditional forensics but is applicable in digital as well as application-specific forensics process. We believe that the proposed model will enable collection, examination, analysis and reporting of forensically sound evidence in an IoT application-specific digital forensics investigation.

Mohamed Abdel‐Basset,Nour Moustafa,Hossam Hawash,Weiping Ding

DOI: https://doi.org/10.1007/978-3-030-89025-4_4

2021-01-01

Abstract:As IoT technology becomes an integral part of everyday life, enhancing productivity for businesses through automation, it should come as no surprise that attackers would seek to exploit these systems and the services they provide for profit.

Miraqa Safi,Sajjad Dadkhah,Farzaneh Shoeleh,Hassan Mahdikhani,Heather Molyneaux,Ali A. Ghorbani

DOI: https://doi.org/10.1145/3539736

2022-09-06

ACM Transactions on Internet of Things

Abstract:The proliferation of heterogeneous Internet of things (IoT) devices connected to the Internet produces several operational and security challenges, such as monitoring, detecting, and recognizing millions of interconnected IoT devices. Network and system administrators must correctly identify which devices are functional, need security updates, or are vulnerable to specific attacks. IoT profiling is an emerging technique to identify and validate the connected devices’ specific behaviour and isolate the suspected and vulnerable devices within the network for further monitoring. This article provides a comprehensive review of various IoT device profiling methods and provides a clear taxonomy for IoT profiling techniques based on different security perspectives. We first investigate several current IoT device profiling techniques and their applications. Next, we analyzed various IoT device vulnerabilities, outlined multiple features, and provided detailed information to implement profiling algorithms’ risk assessment/mitigation stage. By reviewing approaches for profiling IoT devices, we identify various state-of-the-art methods that organizations of different domains can implement to satisfy profiling needs. Furthermore, this article also discusses several machine learning and deep learning algorithms utilized for IoT device profiling. Finally, we discuss challenges and future research possibilities in this domain.

Fabio Palmese,Alessandro E. C. Redondi

2023-05-18

Abstract:The Internet of Things (IoT) has boomed in recent years, with an ever-growing number of connected devices and a corresponding exponential increase in network traffic. As a result, IoT devices have become potential witnesses of the surrounding environment and people living in it, creating a vast new source of forensic evidence. To address this need, a new field called IoT Forensics has emerged. In this paper, we present \textit{CSI Sniffer}, a tool that integrates the collection and management of Channel State Information (CSI) in Wi-Fi Access Points. CSI is a physical layer indicator that enables human sensing, including occupancy monitoring and activity recognition. After a description of the tool architecture and implementation, we demonstrate its capabilities through two application scenarios that use binary classification techniques to classify user behavior based on CSI features extracted from IoT traffic. Our results show that the proposed tool can enhance the capabilities of forensic investigations by providing additional sources of evidence. Wi-Fi Access Points integrated with \textit{CSI Sniffer} can be used by ISP or network managers to facilitate the collection of information from IoT devices and the surrounding environment. We conclude the work by analyzing the storage requirements of CSI sample collection and discussing the impact of lossy compression techniques on classification performance.

Networking and Internet Architecture,Signal Processing

Abdulelah Al Hanif,Mohammad Ilyas

DOI: https://doi.org/10.3390/s24061782

IF: 3.9

2024-03-10

Sensors

Abstract:The explosive growth of the domain of the Internet of things (IoT) network devices has resulted in unparalleled ease of productivity, convenience, and automation, with Message Queuing Telemetry Transport (MQTT) protocol being widely recognized as an essential communication standard in IoT environments. MQTT enables fast and lightweight communication between IoT devices to facilitate data exchange, but this flexibility also exposes MQTT to significant security vulnerabilities and challenges that demand highly robust security. This paper aims to enhance the detection efficiency of an MQTT traffic intrusion detection system (IDS). Our proposed approach includes the development of a binary balanced MQTT dataset with an effective feature engineering and machine learning framework to enhance the security of MQTT traffic. Our feature selection analysis and comparison demonstrates that selecting a 10-feature model provides the highest effectiveness, as it shows significant advantages in terms of constant accuracy and superior training and testing times across all models. The results of this study show that the framework has the capability to enhance the efficiency of an IDS for MQTT traffic, with more than 96% accuracy, precision, recall, F1-score, and ROC, and it outperformed the most recent study that used the same dataset.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Fu Chen,Yongfeng Huang,Jianming Zhu,Sheng Gao,Zhiyuan Sui,Meijiao Duan

DOI: https://doi.org/10.1109/icct50939.2020.9295944

2020-01-01

Abstract:As a lightweight protocol, the Message Queuing Telemetry Transport (MQTT) is widely used in the scopes of Internet of Things on account of its quite low bandwidth requirements. We built a temperature and humidity monitoring system using the Raspberry Pi and NodeMcu to communicate with each other through the MQTT protocol. This work applies network analytics tools such as Wireshark to capture and analyze network data. We looped message to broker with different QoS level and time interval and then observed the RTT (Round Trip Time) to analyze correlation between them.

Huikai Xu,Miao Yu,Yanhao Wang,Yue Liu,Qinsheng Hou,Zhenbang Ma,Haixin Duan,Jianwei Zhuge,Baojun Liu

DOI: https://doi.org/10.1109/EuroSP53844.2022.00019

2022-01-01

Abstract:MQTT is widely adopted by IoT devices because it allows for the most efficient data transfer over a variety of communication lines. The security of MQTT has received increasing attention in recent years, and several studies have demonstrated the configurations of many MQTT brokers are insecure. Adversaries are allowed to exploit vulnerable brokers and publish malicious messages to subscribers. However, little has been done to understanding the security issues on the device side when devices handle unauthorized MQTT messages. To fill this research gap, we propose a fuzzing framework named SHADOWFUZZER to find client-side vulnerabilities when processing incoming MQTT messages. To avoiding ethical issues, SHADOWFUZZER redirects traffic destined for the actual broker to a shadow broker under the control to monitor vulnerabilities. We select 15 IoT devices communicating with vulnerable brokers and leverage SHADOWFUZZER to find vulnerabilities when they parse MQTT messages. For these devices, SHADOWFUZZER reports 34 zero-day vulnerabilities in 11 devices. We evaluated the exploitability of these vulnerabilities and received a total of 44,000 USD bug bounty rewards. And 16 CVE/CNVD/CN-NVD numbers have been assigned to us.

Sonam Bhardwaj,Mayank Dave

DOI: https://doi.org/10.1007/s11235-024-01105-w

2024-02-17

Telecommunication Systems

Abstract:This article focuses on the urgent cybersecurity concerns in the Internet of Things (IoT) environment, highlighting the crucial importance of protecting these networks in the face of increasing amounts of IoT data. The paper explores the intricacies of deploying security mechanisms for Internet of Things (IoT) devices, specifically those that are restricted by limited resources. This study examines the inherent weaknesses in IoT systems and analyses the strategies used by malicious individuals to gain control and privileges. In order to tackle these difficulties, the study suggests a sophisticated security system that combines artificial intelligence and an intelligent attack graph. An outstanding characteristic of the model incorporates a method devised to restrain virus spread and accelerate network restoration by introducing virtual nodes. The research showcases the results of the vulnerable attack path predictor (VAPP) module of the proposed model, emphasising its exceptional accuracy in distinguishing between black (0) and red (1) attack paths compared to alternative Machine Learning techniques. Moreover, a thorough evaluation of the module's performance is carried out, with a specific emphasis on security concerns and predictive capacities. Proverif is utilised to validate the security settings and evaluate the resilience of the secret keys. The findings demonstrate a detection rate of 98.48% and an authentication rate of 85%, outperforming the achievements of earlier studies. The contributions greatly enhance the ability of IoT networks to withstand challenges, and the use of cryptographic verification confirms its dependability in the ever-changing digital environment.

telecommunications

Carlotta Tagliaro,Martina Komsic,Andrea Continella,Kevin Borgolte,Martina Lindorfer

DOI: https://doi.org/10.1145/3678890.3678899

2024-10-01

Abstract:Internet-of-Things (IoT) devices, ranging from smart home assistants to health devices, are pervasive: Forecasts estimate their number to reach 29 billion by 2030. Understanding the security of their machine-to-machine communication is crucial. Prior work focused on identifying devices' vulnerabilities or proposed protocol-specific solutions. Instead, we investigate the security of backends speaking IoT protocols, that is, the backbone of the IoT ecosystem. We focus on three real-world protocols for our large-scale analysis: MQTT, CoAP, and XMPP. We gather a dataset of over 337,000 backends, augment it with geographical and provider data, and perform non-invasive active measurements to investigate three major security threats: information leakage, weak authentication, and denial of service. Our results provide quantitative evidence of a problematic immaturity in the IoT ecosystem. Among other issues, we find that 9.44% backends expose information, 30.38% CoAP-speaking backends are vulnerable to denial of service attacks, and 99.84% of MQTT- and XMPP-speaking backends use insecure transport protocols (only 0.16% adopt TLS, of which 70.93% adopt a vulnerable version).

Cryptography and Security,Networking and Internet Architecture

Antonio Boiano,Alessandro Enrico Cesare Redondi,Matteo Cesana

2023-10-05

Abstract:The widespread deployment of Consumer Internet of Things devices in proximity to human activities makes them digital observers of our daily actions. This has led to a new field of digital forensics, known as IoT Forensics, where digital traces generated by IoT devices can serve as key evidence for forensic investigations. Thus, there is a need to develop tools that can efficiently acquire and store network traces from IoT ecosystems. This paper presents IoTScent, an open-source IoT forensic tool that enables IoT gateways and Home Automation platforms to perform IoT traffic capture and analysis. Unlike other works focusing on IP-based protocols, IoTScent is specifically designed to operate over IEEE 802.15.4-based traffic, which is the basis for many IoT-specific protocols such as Zigbee, 6LoWPAN and Thread. IoTScent offers live traffic capture and feature extraction capabilities, providing a framework for forensic data collection that simplifies the task of setting up a data collection pipeline, automating the data collection process, and providing ready-made features that can be used for forensic evidence extraction. This work provides a comprehensive description of the IoTScent tool, including a practical use case that demonstrates the use of the tool to perform device identification from Zigbee traffic. The study presented here significantly contributes to the ongoing research in IoT Forensics by addressing the challenges faced in the field and publicly releasing the IoTScent tool.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Karim Kamoun,Fatma Hmissi,Sofiane Ouni,Sonia Ouni

DOI: https://doi.org/10.1002/ett.4945

IF: 3.6

2024-02-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abstract Message queuing telemetry transport (MQTT) is an application layer protocol that enables effective device communication in the Internet of Things (IoT). MQTT operates according to a publish‐subscribe model, where a broker receives messages from the publishers and then forwards them to the subscribers. However, existing cloud‐based MQTT brokers lead to network bottlenecks due to the large number of devices that interact with them. Therefore, mist computing is involved, where the MQTT brokers are deployed closer to the IoT devices and the workload is distributed across multiple brokers. Nevertheless, the distributed mist‐based MQTT architecture introduces serious issues caused by the massive volume of flow exchanged by IoT devices. In this article, we introduce MQTT‐SD to address these issues. MQTT‐SD enhances MQTT protocol syntax with fusion semantic aggregation. It accomplishes MQTT topic fusion on the MQTT broker side with consideration of topics' distribution. We carried out extensive simulation and emulation to demonstrate MQTT‐SD efficacy. The results show that MQTT‐SD reduces MQTT flow and has the lowest traffic load compared to MQTT+ and MQTT‐MFA.

telecommunications

Asanka P. Sayakkara,M. Scanlon,Muhammad Rusyaidi Zunaidi

DOI: https://doi.org/10.1109/ISDFS60797.2024.10527284

2024-04-29

Abstract:In an era where digital data security is becoming all-pervasive, and data encryption is baked in by default on many consumer-level and commercial-level devices, the encryption of Internet of Things (IoT) devices presents a significant obstacle for lawful digital forensic investigation. Towards addressing this issue, this paper introduces a novel digital forensic methodology that leverages electromagnetic side-channel analysis (EM-SCA) for the non-invasive recovery of encryption keys from black-box IoT devices, i.e., where little/nothing is known about the device's encryption in advance. By reducing the key space necessary for brute-force decryption and employing machine-learning techniques, the proposed approach enhances the digital forensic process - helping to mitigate investigative roadblocks and case backlogs. This automated, adaptable system not only preserves the integrity of forensic evidence, but also ensures wide applicability within the evolving IoT landscape. This practical methodology could prove invaluable for investigators facing the complexities of encrypted device analysis encountered during their cases.

Engineering,Computer Science