Security of Internet of Things Protocol Stacks

Øystein Løvdal Andersen

Master of Science in Communication Technology
Submission date: June 2016
Supervisor: Colin Alexander Boyd, ITEM

Norwegian University of Science and Technology
Department of Telematics

Title: Security of Internet of Things Protocol Stacks
Student: Øystein Løvdal Andersen

Problem Description:

Research and development in the Internet of Things (IoT) is progressing fast. Today it is widely believed that there are too many standards but it is not yet clear which ones will win out in the marketplace. Since security is one of the main IoT challenges, an important consideration is which protocol stack provides the best security and privacy services. Security can be provided at different levels so it is not simple to decide the optimal choice.

The Internet of Things covers several different domains and technologies, introducing challenges regarding interoperability between different stacks, and implementation of standards on low powered and low energy devices. All of this combined creates new challenges in security and questions regarding how to ensure confidentiality, integrity and availability. Apple HomeKit, Samsung Smart, Thread, ZigBee and IETF's suggested protocol stack are just some of the proposed frameworks and protocol stacks today, with many more upcoming and challenging the market with their own solutions.

The Goal of this master thesis is:

• Identify security requirements introduced in IoT
• Compare and review established protocol stacks in IoT based on privacy, confidentiality, integrity and availability to determine advantages and disadvantages of different protocol stacks
• Suggest guidelines of which protocol stacks to use based on different security requirements, technologies and/or domains

Responsible Professor: Colin Alexander Boyd
Supervisor: Britta Hale

Preface

This thesis is submitted to the Norwegian University of Science and Technology (NTNU) as the concluding part of my Master of Science in the Communication Technology program at the Department of Telematics (ITEM), and was carried out during the spring semester of 2016.

Trondheim, 12.06.2016
Øystein Løvdal Andersen

Acknowledgment

I would like to thank my responsible professor Colin Alexander Boyd and supervisor Britta Hale for their guidance and feedback during the course of this project.

I would also like to thank Thomas Ulleberg at Wireless Trondheim for introducing me to Internet of Things, and answering my questions throughout this period.

Abstract

Internet of Things has become one of the big buzzwords in the IT market in recent years, and it is predicted to continue its rapid growth in the coming years. In order to talk about the Internet of Things, this thesis presents an introduction to Internet of Things, what it is, how it surrounds us, and why it is so important to provide security to Internet of Things devices. A 4-layered protocol stack is proposed to work towards a common development framework for Internet of Things. Due to the limitations in power, bandwidth and processing power of devices, many of the established technologies and solutions we have today are simply not compatible with the requirements brought along by the Internet of Things. Wearables, smart homes and the Industrial Internet of Things are just some examples of what Internet of Things is being used for, and together with the use of previous research findings, it is shown how the different use-case areas bring different security requirements to developers.

Standards such as ZigBee, Thread, Z-Wave, Bluetooth Low Energy, and WirelessHART are some examples of established standards trying to win out in the marketplace. Often, these standards serve specific use-case areas, and thus, a new standard is proposed. IP-Smart is based on open and well-known protocols and is intended to cover several use-case areas.
Comparison of the different standards shows that the application layer is sometimes left open for developers (Thread, BLE, IP-Smart) to carry out, how weaknesses are found in standards proposing their own cryptographic algorithms (ZigBee, Z-Wave, and WirelessHART), how Thread, IP-Smart and (if properly configured) BLE fulfill the security requirements of wearables, how standards require proper implementations to fulfill smart home requirements, and how WirelessHART is the only standard which fulfills the additional performance requirements found in the Industrial Internet of Things. While many of the standards offer satisfactory security properties, the actual implementation is sometimes left to the developers to ensure secure products. An investigation into the two application layer protocols MQTT and CoAP indicates how CoAP with its use of DTLS provides a reasonable alternative to MQTT if extra reliability in lossy networks is of importance for the developers.