Jinsong Han,Feng Lin,Wenbo Shen,Kui Ren

DOI: https://doi.org/10.1145/3313294.3313380

2019-01-01

Abstract:We have witnessed a tremendous growth of Internet of Things (IoT) and popularization of IoT devices in past decades, including wireless sensors, smart phones, wearable devices, smart tags, activity trackers, and the like. These devices are widely deployed to enable intelligent computing and services in our daily life, such as the logistics, retailing, healthcare to be used in the smart city. However, trustworthy authentication in IoT becomes a key challenge towards a smooth and rapid development of IoT. According to a survey by Altman Vilandrie & Company [1], due to the lack of authentication and other system protections, small and medium-sized enterprises suffer a losses of up to 13% of their annual revenues from attacks on IoT systems. In the IoT environment, trust also becomes ubiquitous. Merely authenticating individual users or devices is not enough, because collaborative interaction and cooperation among users, devices, and environments are critical in IoT. In such circumstance, information is shared, data is fused, and all elements, including the human, device, and environment, are highly integrated. Thus, the authentication requirement for IoT applications should be characterized as temporally-spatially consistent, human-and-environment-in-the-loop, and continuously trustworthy. Unfortunately, conventional authentication methods failed to meet above demands. The main reasons are as follows. • Existing approaches usually perform authentication on the user and device separately. Meanwhile, there is scarcely seen the authentication carried out in the environment. An attacker can eavesdrop in the communication, counterfeit the authentication tokens or proofs [2], or just simply carry out replaying attacks to impersonate the actual user or device [3]. • Existing authentication systems have little consideration on the spatio-temporal nature of IoT computing and services. Besides the authenticity of data, users, and devices, it is also necessary to ensure the spatiotemporal consistence of the computing and services. In other words, a transaction in IoT also requires the au-

Amir Dirin,Ian Oliver,Teemu H Laine

DOI: https://doi.org/10.3390/s23177532

2023-08-30

Abstract:The trustworthiness of a system is not just about proving the identity or integrity of the hardware but also extends to the data, control, and management planes of communication between devices and the software they are running. This trust in data and device integrity is desirable for Internet of Things (IoT) systems, especially in critical environments. In this study, we developed a security framework, IoTAttest, for building IoT systems that leverage the Trusted Platform Module 2.0 and remote attestation technologies to enable the establishment of IoT devices' collected data and control plan traffic integrity. After presenting the features and reference architecture of IoTAttest, we evaluated the privacy preservation and validity through the implementation of two proof-of-concept IoT applications that were designed by two teams of university students based on the reference architecture. After the development, the developers answered open questions regarding their experience and perceptions of the framework's usability, limitations, scalability, extensibility, potential, and security. The results indicate that IoTAttest can be used to develop IoT systems with effective attestation to achieve device and data integrity. The proof-of-concept solutions' outcomes illustrate the functionalities and performance of the IoT framework. The feedback from the proof-of-concept developers affirms that they perceived the framework as usable, scalable, extensible, and secure.

Quanyan Zhu,Stefan Rass,Peter Schartner

DOI: https://doi.org/10.48550/arXiv.1810.00281

2018-09-30

Abstract:With more and more devices becoming connectable to the internet, the number of services but also a lot of threats increases dramatically. Security is often a secondary matter behind functionality and comfort, but the problem has already been recognized. Still, with many IoT devices being deployed already, security will come step-by-step and through updates, patches and new versions of apps and IoT software. While these updates can be safely retrieved from app stores, the problems kick in via jailbroken devices and with the variety of untrusted sources arising on the internet. Since hacking is typically a community effort? these days, security could be a community goal too. The challenges are manifold, and one reason for weak or absent security on IoT devices is their weak computational power. In this chapter, we discuss a community based security mechanism in which devices mutually aid each other in secure software management. We discuss game-theoretic methods of community formation and light-weight cryptographic means to accomplish authentic software deployment inside the IoT device community.

Computers and Society,Cryptography and Security

Christos-Minas Mathas,Costas Vassilakis,Nicholas Kolokotronis

DOI: https://doi.org/10.1109/SERVICES48979.2020.00047

2021-09-04

Abstract:In modern internet-scale computing, interaction between a large number of parties that are not known a-priori is predominant, with each party functioning both as a provider and consumer of services and information. In such an environment, traditional access control mechanisms face considerable limitations, since granting appropriate authorizations to each distinct party is infeasible both due to the high number of grantees and the dynamic nature of interactions. Trust management has emerged as a solution to this issue, offering aids towards the automated verification of actions against security policies. In this paper, we present a trust- and risk-based approach to security, which considers status, behavior and associated risk aspects in the trust computation process, while additionally it captures user-to-user trust relationships which are propagated to the device level, through user-to-device ownership links.

Cryptography and Security

Bing Zhang,Xinxin Ma,Zhiguang Qin

2011-01-01

Abstract:⎯By analyzing existed Internet of Things’ system security vulnerabilities, a security architecture on trusting one is constructed. In the infrastructure, an off-line identity authentication based on the combined public key (CPK) mechanism is proposed, which solves the problems about a mass amount of authentications and the cross-domain authentication by integrating nodes’ validity of identity authentication and uniqueness of identification. Moreover, the proposal of constructing nodes’ authentic identification, valid authentication and credible communication connection at the application layer through the perception layer impels the formation of trust chain and relationship among perceptional nodes. Consequently, a trusting environment of the Internet of Things is built, by which a guidance of designing the trusted one would be provided. Index Terms⎯Combined public key, elliptic curves cryptography, Internet of Things, radio frequency identification, security system, trusting system.

Xujie Zhou,Jinchuan Tang,Shuping Dang,Gaojie Chen

DOI: https://doi.org/10.3390/e25081198

2023-08-11

Abstract:In this paper, we propose a lightweight and adaptable trust mechanism for the issue of trust evaluation among Internet of Things devices, considering challenges such as limited device resources and trust attacks. Firstly, we propose a trust evaluation approach based on Bayesian statistics and Jøsang's belief model to quantify a device's trustworthiness, where evaluators can freely initialize and update trust data with feedback from multiple sources, avoiding the bias of a single message source. It balances the accuracy of estimations and algorithm complexity. Secondly, considering that a trust estimation should reflect a device's latest status, we propose a forgetting algorithm to ensure that trust estimations can sensitively perceive changes in device status. Compared with conventional methods, it can automatically set its parameters to gain good performance. Finally, to prevent trust attacks from misleading evaluators, we propose a tango algorithm to curb trust attacks and a hypothesis testing-based trust attack detection mechanism. We corroborate the proposed trust mechanism's performance with simulation, whose results indicate that even if challenged by many colluding attackers that can exploit different trust attacks in combination, it can produce relatively accurate trust estimations, gradually exclude attackers, and quickly restore trust estimations for normal devices.

Yuan Ji,Tian Ye,Xiang -Yang Li

DOI: https://doi.org/10.1109/bigcom57025.2022.00027

2022-01-01

Abstract:With the gradual development of the Internet of Things, people rely more and more on the Internet of Things devices to assist their daily lives. The permissions of IoT devices make it easy for them to rescue or destroy our lives. This paper proposes a new scalable IoT security framework (ISDF), which uses the unforgeable physical layer characteristics of IoT devices as the verification basis to identify illegal devices. This framework combined with the identifier generation algorithm to generate a unique trusted identifier. Under the verification of more than a dozen devices such as bluetooth, wifi, and voice, the identifiers we generate have high robustness and stability, the accuracy of verification is more than 93%. Compared with existing solutions, our framework has the advantages of supporting multimodality and high verification success rate.

Dongfeng Fang,Yi Qian,Rose Qingyang Hu

DOI: https://doi.org/10.1109/jiot.2020.2970974

IF: 10.6

2020-04-01

IEEE Internet of Things Journal

Abstract:Internet-of-Things (IoT) applications have been rapidly deployed into pervasive environment, where both challenges and opportunities abound. On the one hand, a large number of IoT devices and their rich functions contribute significant volumes of data, which has brought tremendous convenience to the daily lives of end users. On the other hand, the heterogeneous IoT devices and a large amount of private information transmitted through networks also bring serious security and privacy issues. It is a big challenge to model IoT systems and trust relationships between different entities with a large number of heterogeneous IoT devices. In this article, we study a general IoT system architecture with consideration of heterogeneous IoT devices. Different trust models are proposed and analyzed based on the trust relationships between different entities in the IoT system. We propose a flexible and efficient authentication scheme with a consideration of heterogeneous IoT devices based on the least trust-required model. The proposed scheme provides security and privacy to resource-limited IoT devices flexibly and efficiently by utilizing IoT devices with better storage and computational ability. Moreover, secure data transmission is presented with contextual privacy and data integrity services. The proposed scheme achieves not only the mutual authentication, initial session key agreement, and data integrity but also anonymity, contextual privacy, forward security, end-to-end security, and key escrow resilience. Security analysis is presented to provide verification of the proposed protocol and security objectives. Moreover, performance evaluation is presented with comparison to the other schemes in terms of security features, computational overhead, and communication overhead. The performance comparisons show that our proposed scheme provides flexible and efficient security by consideration of heterogeneous IoT devices. With the higher proportion of resource-limited IoT devic-s, our proposed scheme outperforms other similar schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Guanjie Cheng,Yewei Wang,Shuiguang Deng,Zhengzhe Xiang,Xueqiang Yan,Peng Zhao,Schahram Dustdar

DOI: https://doi.org/10.1109/tsc.2023.3349305

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:The property of Internet of Things (IoT) applications is their capability to execute tasks through the collaboration of interconnected IoT objects. However, IoT collaborations face significant challenges due to security threats that undermine their reliability. An uncertified task publisher may deceive IoT devices into executing illegal tasks, while malicious attackers may intercept and modify transmitted data. Existing works on IoT trusted management issues tend to concentrate on individual aspects, such as authentication, privacy protection, and access control. However, trusted management for IoT collaboration is a multifaceted and intricate endeavor that necessitates a comprehensive approach. To fill this gap, we propose a lightweight authentication-driven trusted management framework that includes a novel authentication and key agreement scheme to guarantee the validity of task publishers, with greatly reduced overheads compared to recent works. The framework also incorporates a distributed data storage scheme and a fine-grained access control mechanism. We record the interactive messages on the blockchain to ensure behavior traceability. We evaluate the authentication scheme through comparative experiments and formal security analysis, demonstrating its efficiency and effectiveness. The experimental results of data storage and acquisition in real-world IoT environments indicate that the proposed framework is a feasible solution for reliable IoT collaboration.

computer science, information systems, software engineering

Yue Xiao,Yi He,Xiaoli Zhang,Qian Wang,Renjie Xie,Kun Sun,Ke Xu,Qi Li

DOI: https://doi.org/10.14722/ndss.2024.241231

2024-03-22

Abstract:The proliferation of consumer IoT products in our daily lives has raised the need for secure device authentication and access control. Unfortunately, these resource-constrained devices typically use token-based authentication, which is vulnerable to token compromise attacks that allow attackers to impersonate the devices and perform malicious operations by stealing the access token. Using hardware fingerprints to secure their authentication is a promising way to mitigate these threats. However, once attackers have stolen some hardware fingerprints (e.g., via MitM attacks), they can bypass the hardware authentication by training a machine learning model to mimic fingerprints or reusing these fingerprints to craft forge requests.

Cryptography and Security

Kevin Fu,Wenyuan Xu

DOI: https://doi.org/10.1145/3176402

IF: 22.7

2018-01-01

Communications of the ACM

Abstract:Protecting the Internet of Things with embedded security.

Mumin Adam,Mohammad Hammoudeh,Rana Alrawashdeh,Basil Alsulaimy

DOI: https://doi.org/10.1109/access.2024.3382709

IF: 3.9

2024-01-01

IEEE Access

Abstract:The Internet of Things (IoT) emerged as a pervasive technology, facilitating the seamless interaction of devices, individuals, and services, enabling data exchange and task execution across various domains. While the impact of IoT is undeniably transformative, its extensive proliferation raised significant concerns surrounding security, privacy, and trust, which stand as critical barriers to the widespread adoption and advancement of IoT technology. This review article explores IoT security, privacy, and trust research using a 3-layer IoT architecture. After introducing the fundamental tenets of IoT security, privacy, and trust, it proceeds to examine the prevalent security requirements within IoT architectures and their associated challenges. Then, the survey investigates the recent trends in research dedicated to addressing security, privacy, and trust issues within IoT systems. Furthermore, this article reviews the latest advancements and methodologies designed to secure IoT systems against security breaches and protect the privacy of sensitive data. Finally, the survey outlines unresolved challenges within the IoT security landscape and potential solutions. By offering this consolidated insight, this article offers a bridge between foundational and advanced IoT security topics, providing researchers with an in-depth understanding of current IoT security, privacy, and trust challenges, as well as cutting-edge solutions tailored to address the security and trust-related obstacles faced by IoT applications. This comprehensive overview equips the IoT community with the knowledge necessary to navigate the complex terrain of security, privacy, and trust in IoT systems.

computer science, information systems,telecommunications,engineering, electrical & electronic

Junqing Zhang,Sekhar Rajendran,Zhi Sun,Roger Woods,Lajos Hanzo

DOI: https://doi.org/10.1109/mwc.2019.1800455

IF: 12.777

2019-01-01

IEEE Wireless Communications

Abstract:A low-complexity, yet secure framework is proposed for protecting the IoT and for achieving both authentication and secure communication. In particular, the slight random difference among transceivers is extracted for creating a unique radio frequency fingerprint and for ascertaining the unique user identity. The wireless channel between any two users is a perfect source of randomness and can be exploited as cryptographic keys. This can be applied to the physical layer of the communications protocol stack. This article reviews these protocols and shows how they can be integrated to provide a complete IoT security framework. We conclude by outlining the future challenges in applying these compelling physical layer security techniques to the IoT.

Zhiting Lin,Liang Dong

DOI: https://doi.org/10.1109/TKDE.2017.2762678

2017-04-12

Abstract:A social approach can be exploited for the Internet of Things (IoT) to manage a large number of connected objects. These objects operate as autonomous agents to request and provide information and services to users. Establishing trustworthy relationships among the objects greatly improves the effectiveness of node interaction in the social IoT and helps nodes overcome perceptions of uncertainty and risk. However, there are limitations in the existing trust models. In this paper, a comprehensive model of trust is proposed that is tailored to the social IoT. The model includes ingredients such as trustor, trustee, goal, trustworthiness evaluation, decision, action, result, and context. Building on this trust model, we clarify the concept of trust in the social IoT in five aspects such as (1) mutuality of trustor and trustee, (2) inferential transfer of trust, (3) transitivity of trust, (4) trustworthiness update, and (5) trustworthiness affected by dynamic environment. With network connectivities that are from real-world social networks, a series of simulations are conducted to evaluate the performance of the social IoT operated with the proposed trust model. An experimental IoT network is used to further validate the proposed trust model.

Social and Information Networks,Multiagent Systems

Davide Margaria,Alberto Carelli,Andrea Vesco

DOI: https://doi.org/10.1109/CCGridW63211.2024.00006

2024-10-14

Abstract:Nowadays, Internet of Things platforms are being deployed in a wide range of application domains. Some of these include use cases with security requirements, where the data generated by an IoT node is the basis for making safety-critical or liability-critical decisions at system level. The challenge is to develop a solution for data exchange while proving and verifying the authenticity of the data from end-to-end. In line with this objective, this paper proposes a novel solution with the proper protocols to provide Trust in Data, making use of two Roots of Trust that are the IOTA Distributed Ledger Technology and the Trusted Platform Module. The paper presents the design of the proposed solution and discusses the key design aspects and relevant trade-offs. The paper concludes with a Proof-of-Concept implementation and an experimental evaluation to confirm its feasibility and to assess the achievable performance.

Cryptography and Security

Marco Arazzi,Serena Nicolazzo,Antonino Nocera

DOI: https://doi.org/10.1016/j.pmcj.2024.101889

2023-10-02

Abstract:With the number of connected smart devices expected to constantly grow in the next years, Internet of Things (IoT) solutions are experimenting a booming demand to make data collection and processing easier. The ability of IoT appliances to provide pervasive and better support to everyday tasks, in most cases transparently to humans, is also achieved through the high degree of autonomy of such devices. However, the higher the number of new capabilities and services provided in an autonomous way, the wider the attack surface that exposes users to data hacking and lost. In this scenario, many critical challenges arise also because IoT devices have heterogeneous computational capabilities (i.e., in the same network there might be simple sensors/actuators as well as more complex and smart nodes). In this paper, we try to provide a contribution in this setting, tackling the non-trivial issues of equipping smart things with a strategy to evaluate, also through their neighbors, the trustworthiness of an object in the network before interacting with it. To do so, we design a novel and fully distributed trust model exploiting devices' behavioral fingerprints, a distributed consensus mechanism and the Blockchain technology. Beyond the detailed description of our framework, we also illustrate the security model associated with it and the tests carried out to evaluate its correctness and performance.

Cryptography and Security,Machine Learning

John Wickström,Magnus Westerlund,Göran Pulkkis

DOI: https://doi.org/10.48550/arXiv.2007.02652

2020-07-06

Cryptography and Security

Abstract:Proliferation of IoT devices in society demands a renewed focus on securing the use and maintenance of such systems. IoT-based systems will have a great impact on society and therefore such systems must have guaranteed resilience. We introduce cryptographic-based building blocks that strive to ensure that distributed IoT networks remain in a healthy condition throughout their lifecycle. Our presented solution utilizes deterministic and interlinked smart contracts on the Ethereum blockchain to enforce secured management and maintenance for hardened IoT devices. A key issue investigated is the protocol development for securing IoT device deployments and means for communicating securely with devices. By supporting values of openness, automation, and provenance, we can introduce novel means that reduce the threats of surveillance and theft, while also improving operator accountability and trust in IoT technology.

Lijun Wei,Yuhan Yang,Jing Wu,Chengnian Long,Bo Li

DOI: https://doi.org/10.1109/jiot.2021.3139989

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Driven by the rapid development of the Internet of Things (IoT) technology, the issue of trust has become increasingly apparent and received considerable scholarly attention in recent years. With the occurrence of various security incidents, data leakage accidents, and service fraud, which seriously affects the quality of service and system efficiency of IoT, trust is fast becoming a key issue in IoT system. In addition to the security and efficiency, trust further contains the reliability, attack resistance, fairness, flexibility, and incentive, resulting in a wide range of new researches from the trust management framework to the quantification method. In this work, various dimensions of trust, including definition, composition, aggregation, and computation are introduced and analyzed. We focus on comprehensive comparison of the state-of-the-art trust management researches and the related applications. Besides, we explore and discuss the important challenges, including performance bottleneck, bidirectional trust, dynamic changes of context, privacy preserving, and cross-domain issue. Some potential enabling technologies for trust management are further analyzed. The objective of this article is to comprehend the trust issue and the composition of trust management in IoT, and illustrate the difference of existing work, thereby motivating further research interest in this field.

computer science, information systems,telecommunications,engineering, electrical & electronic

David Barrera,Ian Molloy,Heqing Huang

DOI: https://doi.org/10.48550/arXiv.1712.03623

2017-12-11

Abstract:Over 20 billion Internet of Things devices are set to come online by 2020. Protecting such a large number of underpowered, UI-less, network-connected devices will require a new security paradigm. We argue that solutions dependent on vendor cooperation such as secure coding and platform changes are unlikely to provide adequate defenses for the majority of devices. Similarly, regulation approaches face a number implementation challenges which limit their effectiveness. As part of the new paradigm, we propose IDIoT, a network security policy enforcement framework for IoT devices. IDIoT prevents widespread network attacks by restricting IoT devices to only their necessary network behavior. IDIoT is simple and effective, building on decades of tried-and-true network security principles without requiring changes to the devices or cloud infrastructure.

Cryptography and Security

Brennecke, Martin,Fridgen, Gilbert,Radszuwill, Sven,Sedlmeir, Johannes

DOI: https://doi.org/10.1007/s10796-024-10511-z

2024-08-25

Information Systems Frontiers

Abstract:In the Internet of Things (IoT), interconnected smart things enable new products and services in cyber-physical systems. Yet, smart things not only inherit information technology (IT) security risks from their digital components, but they may also aggravate them through the use of technology platforms (TPs). In the context of the IoT, TPs describe a tangible (e.g., hardware) or intangible (e.g., software and standards) general-purpose technology that is shared between different models of smart things. While TPs are evolving rapidly owing to their functional and economic benefits, this is partly to the detriment of security, as several recent IoT security incidents demonstrate. We address this problem by formalizing the situation's dynamics with an established risk quantification approach from platforms in the automotive industry, namely a Bernoulli mixture model. We outline and discuss the implications of relevant parameters for security risks of TP use in the IoT, i.e., correlation and heterogeneity, vulnerability probability and conformity costs, exploit probability and non-conformity costs, as well as TP connectivity. We argue that these parameters should be considered in IoT governance decisions and delineate prescriptive governance implications, identifying potential counter-measures at the individual, organizational, and regulatory levels.

computer science, information systems, theory & methods