Ubiquitous Computing and Computing Security of IoT PDF

132 Pages·2019·3.389 MB·English

Preview Ubiquitous Computing and Computing Security of IoT

Studies in Big Data 47

N. Jeyanthi · Ajith Abraham · Hamid Mcheick, Editors

Ubiquitous Computing and Computing Security of IoT

Studies in Big Data, Volume 47

Series editor: Janusz Kacprzyk, Polish Academy of Sciences, Warsaw, Poland
e-mail: [email protected]

The series "Studies in Big Data" (SBD) publishes new developments and advances in the various areas of Big Data, quickly and with a high quality. The intent is to cover the theory, research, development, and applications of Big Data, as embedded in the fields of engineering, computer science, physics, economics and life sciences. The books of the series refer to the analysis and understanding of large, complex, and/or distributed data sets generated from recent digital sources coming from sensors or other physical instruments as well as simulations, crowd sourcing, social networks or other internet transactions, such as emails or video click streams and others. The series contains monographs, lecture notes and edited volumes in Big Data spanning the areas of computational intelligence including neural networks, evolutionary computation, soft computing, fuzzy systems, as well as artificial intelligence, data mining, modern statistics and operations research, as well as self-organizing systems. Of particular value to both the contributors and the readership are the short publication timeframe and the world-wide distribution, which enable both wide and rapid dissemination of research output.

More information about this series at http://www.springer.com/series/11970

Editors

N. Jeyanthi, School of Information Technology and Engineering, VIT University, Vellore, Tamil Nadu, India
Hamid Mcheick, Université du Québec à Chicoutimi, Chicoutimi, QC, Canada
Ajith Abraham, Scientific Network for Innovation and Research Excellence, Machine Intelligence Research Labs (MIR Labs), Auburn, WA, USA

ISSN 2197-6503
ISSN 2197-6511 (electronic)
Studies in Big Data
ISBN 978-3-030-01565-7
ISBN 978-3-030-01566-4 (eBook)
https://doi.org/10.1007/978-3-030-01566-4
Library of Congress Control Number: 2018957051

© Springer Nature Switzerland AG 2019

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Contents

Security Protocols for IoT
J. Cynthia, H. Parveen Sultana, M. N. Saroja and J. Senthil

Security of Big Data in Internet of Things
Rakesh Bandarupalli and H. Parveen Sultana

IoT for Ubiquitous Learning Applications: Current Trends and Future Prospects
Salsabeel Shapsough and Imran A. Zualkernan

Trust Management Approaches in Mobile Adhoc Networks
R. Vijayan and N. Jeyanthi

Security in Ubiquitous Computing Environment: Vulnerabilities, Attacks and Defenses
C. Shoba Bindu and C. Sasikala

Security Protocols for IoT

J. Cynthia, H. Parveen Sultana, M. N. Saroja and J. Senthil

J. Cynthia · M. N. Saroja · J. Senthil: Kumaraguru College of Technology, Coimbatore, India
H. Parveen Sultana: VIT University, Vellore, Tamil Nadu, India, e-mail: [email protected]

© Springer Nature Switzerland AG 2019. N. Jeyanthi et al. (eds.), Ubiquitous Computing and Computing Security of IoT, Studies in Big Data 47, https://doi.org/10.1007/978-3-030-01566-4_1

Abstract The Internet of Things (IoT) is a network of devices that are uniquely identified and have embedded software required to communicate the transient states and data that are usually used to trigger an actuator. The edge networking devices and protocols are used to communicate with a cloud server that processes and aggregates the big data arriving from various devices, performs analytics and aids in business decisions. IoT has become an integral part of today's industrial, agriculture, healthcare and smart city revolution. Securing all entities involved in an IoT network is vital as it involves pervasive data collection and dissemination. Current IoT protocols work with IP protocols as backbone, but they are specially designed to operate in multiple layers and provide security at various layers. This chapter focuses on IoT protocols that deal with securing an IoT network. The major challenge in securing an IoT network is the lack of standardization at manufacturing level, which exposes the hardware, software and the data to various threats and attacks. The IoT protocols have to deal with security breaches at the site of the cloud service provider and the security issues pertaining to data privacy, authentication, authorization and trust management in a distributed heterogeneous environment. This chapter also elaborates on various security attacks and the solutions offered by IoT protocols.

Keywords IoT security · IoT architecture · IoT protocols · IoT threats · IoT attacks · Heterogeneous

1 IoT Introduction and Security Overview

There are billions of IoT devices, business processes and systems with an IoT element in them. This dormant data available in the ecosystem must be trapped and analyzed to see if any functional information that is of benefit to a customer or business could be retrieved. Essential elements of IoT are people, things, data and process. IoT systems aim at networking these elements, which communicate with each other through a wired or wireless medium. IoT devices are grouped as sensors that collect data, actuators that effect actions and gateways that act as an interface for communication and automation. In an IoT framework, data is gathered from sensors, processed by microcontrollers such as Raspberry Pi or Arduino, and stored in a cloud database, and data analytics on the big data gathered is performed using any tool or language such as Python or Java. IoT is designed to strengthen communication across Device to Device (D2D), Human to Device (H2D), Human to Human (H2H) and Device to Human (D2H).

IoT has led to numerous autonomous applications in the area of health care, business solutions, smart city, home automation, industry automation and intelligent transport system. The success of IoT lies in distributed data gathering, aggregation, processing and analytics that can be performed from any location and is usually done as a cloud service. An IoT system evolves with the flow of data from the sensor where it is acquired, to the service that processes and performs analytics on the data acquired, to the customer or business that makes use of the analytics information.

With the prevalent presence of IoT, security risks are on the rise. Making data available anywhere makes it vulnerable to security threats and attacks. This chapter deals with major issues, challenges and solutions for providing IoT security. A single compromised entity in an IoT network makes other entities vulnerable. Since IoT is a collection of devices or sensors networked together to a cloud in order to provide an information service, all security threats that are applicable for Wireless Sensor Networks (WSN), internet and cloud are pertinent to IoT networks. IoT opens up tremendous opportunity for business with the associated risk. Absence of strong authentication of IoT devices, encryption of IoT data, key management, etc., makes an IoT network vulnerable to external attacks and threats.

2 IoT Security Requirements

Security must be addressed throughout the life cycle of an IoT device. Shipley [1] and Jing et al. [2] list security requirements to be checked at various stages of the life cycle in order to alleviate an IoT attack. IoT security requirements are listed below.

• Cryptographic Algorithms—Symmetric algorithms are lightweight compared to asymmetric algorithms and hence were recommended for securing data transmission. However, they have problems in key exchange, confidentiality, digital signature and message authentication. Hence public key algorithms were recommended as they were able to provide key management, node authentication, scalability and security.
• Key Management Techniques—Key management is an important security feature in IoT. Lightweight secure key distribution is required for secure communication. Key distribution schemes used in WSN are broadcast, group, node master and shared key distribution [2]. The focus on key management research is to reduce the complexity, power consumption and security.
• Secured routing algorithms—Traditional network routing protocols cannot be applied to an IoT network. The routing protocol must ensure authenticity of routed information, and eavesdropping must be avoided while communicating through a wireless medium. Routing protocols should be secured to prevent attacks such as DoS, wormhole, black hole and selective forwarding.
• Data Classification—The data floating in an IoT network could be either functional or connected to people or an enterprise. The degree of protection required for data depends on the degree of sensitivity of the data. Data may be protected based on sensitivity classification [3]. Hence the following recommendations are made for an IoT vendor:
  – Define a data classification scheme based on data sensitivity.
  – Identify all data and data groups in an IoT network and classify them.
  – Design a security feature that protects viewing and editing of data based on its classification level.
• Protecting devices at production time—The IoT devices may be protected at production time. Any interface used at production time must be removed before deployment. All ports to the IoT devices must have proper access control. Devices placed in exposed locations must have a tamper-proof covering and shielding to avoid side channel attacks [3].
• Trusted and staged boot sequence—A trusted staged boot sequence will ensure security of an IoT device. However, the first sequence is vital and hence should be initiated by secured locked code. Use of a secure module where the cryptographic algorithms and associated keys are stored is recommended. At every stage of boot code, it is recommended to check the trustworthiness of boot code, validity of hardware and completion of previous code.
• Secured operating system—An IoT operating system should have limited access rights and reduce the visibility of the system. The operating system should be designed so as to have only the components, packages and libraries required for running an IoT device. Updates must be provided throughout the lifetime of the deployed device. The ports, protocols and services that are not used are to be disabled. Separate access rights must be given for users and administrators to access the files and directories. An encrypted file system is to be used.
• Application security—Security considerations must be an integral part of application development and should not be added separately. The application gateway should validate all gathered data before it is processed. All user accounts and passwords are to be relinquished. Credentials from the application have to be separated into a secured storage. Application errors should not reveal details about the underlying architecture. Use of a secured software development life cycle procedure is recommended.
• Credential management—Credentials such as passwords, cryptographic keys and digital certificates of users and processes that are used to access the data must be kept in a secured location that cannot be accessed by external entities. The passwords used for authenticating must be strong, encrypted and must use an industry standard hash function. Two factor authentication may be used for access control. A unique digital certificate for each device is recommended and this certificate must be secured and updated at regular intervals.
• Encryption—The strongest and latest encryption is recommended for an IoT network, if it is affordable. The encryption standard should be in correlation with the sensitiveness of the data to be protected. Use of global keys is to be avoided. The private key of a device should never be shared. It should be possible to replace the encryption keys remotely. The encryption keys must be stored in trusted key modules.
• Network connections—The number of interfaces through which an IoT device gets connected to the external network must be kept minimal. The device must be accessible only through minimal ports, interfaces and services. Secure protocols such as HTTPS and SFTP are to be used to protect connections. The receiver machine must be authenticated before sending any sensitive data.
• Software updating—Before any software update, the source must be authenticated with the help of a verified certificate obtained from an authenticated certification authority. The software update packages must be signed.
• Secured event logging—The event logging should be protected from hackers, from being modified or deleted. The event logs are normally stored in a centralized log pool away from the IoT device and hence must be transmitted through separate channels. The logs must be periodically analyzed to detect any faults and immediate action is to be taken. The log files must be stored in separate partitions in the file system. Access rights to the log file are to be restricted. No sensitive credentials such as passwords are to be stored in logs.

3 IoT Security Issues

The issues associated with security of IoT are not only the issues related to security of the wireless medium, WSN and internet, but also access control, authentication and privacy issues associated with IoT.

• Low power embedded device—IoT devices have less computation power and storage capacity. They are often found embedded in a bigger hardware or wearable device where it is difficult to execute security algorithms that are normally heavyweight and expensive for a resource constrained device.
• Trust Management—Trust management is required for data authentication, data gathering and dissipation phases, for which strong cryptographic techniques or digital signatures are recommended [2].
• Heterogeneity—IoT is an integration of various heterogeneous networks and hence has its own compatibility and security issues. It is difficult to identify trusted nodes in a heterogeneous environment. Heterogeneity, identity management, privacy fault tolerance [3].
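The "Trusted and staged boot sequence" requirement in Section 2 asks each boot stage to check the trustworthiness of the boot code, the validity of the hardware and the completion of the previous code. The following is an added example, not code from the book: the stage names, the images, the `hardware_ok` probe and the running-measurement scheme are all assumptions chosen for illustration.

```python
import hashlib
import hmac

BOOT_ORDER = ["bootloader", "kernel", "application"]

# Constructed stand-ins for firmware images; real stages would be flash regions.
IMAGES = {
    "bootloader": b"stage 1: init clocks, load kernel",
    "kernel": b"stage 2: start scheduler, mount rootfs",
    "application": b"stage 3: sensor sampling loop",
}


def digest(blob):
    return hashlib.sha256(blob).digest()


def extend(measurement, stage_digest):
    """Fold a stage digest into the running measurement (order-sensitive)."""
    return hashlib.sha256(measurement + stage_digest).digest()


def provision(images):
    """Production-time values: per-stage digests and expected final measurement."""
    manifest = {name: digest(images[name]) for name in BOOT_ORDER}
    measurement = bytes(32)
    for name in BOOT_ORDER:
        measurement = extend(measurement, manifest[name])
    return manifest, measurement


def staged_boot(images, manifest, hardware_ok=lambda stage: True):
    """Return (completed stages, running measurement, halt reason or None)."""
    completed, measurement = [], bytes(32)
    for name in BOOT_ORDER:
        # Validity of hardware: hypothetical probe supplied by the caller.
        if not hardware_ok(name):
            return completed, measurement, f"{name}: hardware check failed"
        # Trustworthiness of the code about to run: compare with the manifest.
        actual = digest(images.get(name, b""))
        if not hmac.compare_digest(actual, manifest[name]):
            return completed, measurement, f"{name}: digest mismatch"
        # Completion of previous code: the measurement only reaches the expected
        # value if every earlier stage was verified and run, in order.
        measurement = extend(measurement, actual)
        completed.append(name)  # stand-in for handing control to the stage
    return completed, measurement, None
```

In a deployed device the manifest and the expected measurement would be held by the locked first-stage code or the secure module the chapter recommends, so that a modified stage cannot rewrite its own reference digest.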
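The "Secured event logging" requirement in Section 2 says logs must be protected from modification or deletion and must not contain credentials. The following is an added example, not code from the book, showing one way a central log pool could check this: each entry carries an HMAC chained to the previous one, and secrets are redacted before writing. The key, field names and sample events are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key; on a device it would live in the trusted key module.
LOG_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|token|key)=\S+")

# Constructed sample events.
SAMPLE_EVENTS = [
    "boot ok firmware=1.4.2",
    "login user=admin password=hunter2 from 10.0.0.5",
    "door actuator opened by user=admin",
]


def redact(message):
    """Strip credential values so they never reach the log."""
    return SECRET_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", message)


def tag_for(seq, prev_tag, message):
    data = f"{seq}|{prev_tag}|{message}".encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()


def append(log, message):
    """Append a redacted, chained entry; return its tag for the collector."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    body = redact(message)
    entry = {"seq": len(log), "msg": body, "tag": tag_for(len(log), prev_tag, body)}
    log.append(entry)
    return entry["tag"]


def verify(log, expected_last_tag=None):
    """Return index of first bad entry, len(log) if the tail is missing, else None."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        expected = tag_for(i, prev_tag, entry["msg"])
        if entry["seq"] != i or not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"]
    # Tail deletion is only visible if the last tag was recorded elsewhere.
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return len(log)
    return None
```

Sending the latest tag to the log pool over the separate channel the chapter describes is what makes deletion of the newest entries detectable; the chain alone only exposes edits and removals in the middle.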
