10 Pages
2550 Words
IoT Systems Design And Security Evaluation(2) Assignment Sample
Introduction of IoT Systems Design And Security Evaluation(2) Assignment
Get free written samples from expert assignment writers and academic writing services in UK.
Chapter 1: IoT Communication
LoRa
As an IoT communication technology, LoRa (short for "long range") is a low-power, long-range radio frequency that has a high reception sensitivity, allowing it to operate successfully in noisy environments. LoRa is also intended to be low-cost, power-efficient, and highly scalable in comparison to existing communication technologies.
Security Risks
LoRa, like any other technology, has weaknesses that may lead to jamming tactics, replay assaults, and wormhole attacks. When a malicious entity is deployed to disturb the connectivity and bandwidth of two end systems for the LoRa higher layers, this might allow any hostile material or unidentified parties to jamming the LoRa system itself (Liyanage et al., 2020). This is an ongoing problem in the IoT market. An IoT network that uses LoRa as its communication technology is vulnerable to replay assaults.
These attacks primarily target the security protocol, re-sending or re-transmitting the authenticated data. To begin attacking wireless networks, it collects data on the various programs used by various devices. LoRa devices and gateways are protected against replay assaults since the AppSKey is required for decryption of communications. If an attacker can reset an end-device, it may then get any information about the transport between both the end-device and gateway, despite LoRa's frame counters countering any malicious signals being delivered.
Replaying network and physical alarm messages on the end-device is possible with this feature. Finally, wormhole attacks use a node as the hub of communication, collecting transmissions from a physical unit and then transferring them to other nodes in the network, such that the captured packet may be replayed by other nodes on the network. A wormhole attack on the LoRa network may do a lot of damage because of the network's poor physical layer. There are two devices that may be used for this purpose: the sniffer and the jammer. As packets are collected, the sniffer will notify the jammer, which will then attempt to jam the packet. Even if this packet never makes it to the gateway, its validity will be unaffected by its failure to get there. Regular and alert messages will be unable to reach their destinations because of this.
Risk Mitigation
One of the greatest ways to fight an IoT jamming assault would be to recognise it by its frequency and begin dropping out of the network promptly. To avoid the effects of jamming, the system administrators who command of that network must change the operating frequency. Frame counters specified in the LoRa network are used by LoRa (Sharma et al., 2020). It is possible to utilise the frame counters in LoRa to identify and delete messages that have been replayed.
Because the LoRa network controls frame counts in such a manner, a replay attack may be able to take advantage of this flaw. Since LoRaWAN's message system does not include a time component, it is very hard to ascertain wormhole attacks inside LoRaWAN networks. To protect against wormhole attacks, no existing countermeasures exist, unless the LoRa network or LoRa devices themselves change.
Smart Bluetooth
Smartphones as well as other smart devices are increasingly being utilised in IoT applications because to the widespread adoption of smart Bluetooth (commonly known as BLE or Bluetooth 4.0). Wireless Bluetooth (BLE) is particularly power efficient since it requires less power and takes a small amount of energy from a battery.
Security Risks
There are many various sorts of attacks that may be used against Bluetooth, but the most common are MITM (man in the middle), denial of service, and bluejacking. MITM is a kind of assault that primarily targets electronic systems in communication with one another. The user's devices are tricked into believing that they have successfully paired, and the communications are forwarded back to the attacker without the user's awareness (Pal et al., 2020). Network breakdowns and system restarts are the result of a denial-of-service attack that primarily targets a network's resource — in this example, packet flow.
A denial-of-service assault on Bluetooth, on the other hand, disrupts communication, drains the battery of the devices, and damages other services. This wreaks havoc and makes it more vulnerable to further assaults. Unsolicited communications are used to deceive the user into entering an access code by employing the bluejacking technique. Because of this, an attacker may access all a victim's data, and it's most typically exploited in public places for this reason.
Risk Mitigation
When not in use, Bluetooth should be turned off, the device should be hidden from other devices, and a strong pin password should be set up for when additional devices attempt to connect to prevent an MITM attack. Defending against a DOS attack may be done by ensuring sure Bluetooth is turned off when not, and only connecting to objects that the user knows about. Creating and using strong passwords, updating them often, and making sure the device itself is up to date are all recommended measures for preventing a bluejacking attack.
Chapter 2: Attacks on IoT
DAG Inconsistency Attack
Whenever the direction of a transmission somehow doesn't match one's own rank relationship in the DAG, the RPL node will flag this as an inconsistency in the graph. For each discrepancy discovered, RPL sends a R bit flag, which will either be disregarded or sent along, depending on whether it's ignored or forwarded (Chaki & Roy, 2021). A higher frequency of control messages is therefore as a result. Using a rogue node to alter the error flags and reset the DIO trickling timer allows the attacker user to start broadcasting DIO messages more often than usual, creating and generating local instability in the RPL network. A blackhole attack or other violent assaults inside the network may be triggered by this one.
Blackhole Attack
Denial of service attacks on the RPL network are sometimes referred to as "blackhole attacks" since the rogue node used in this assault drops all packets that are supposed to be sent forward. The sinkhole attack may be used in conjunction with the blackhole assault, resulting in massive traffic interruption for the network. In most cases, this is a sort of DDoS assault on a network (Dehghantanha & Choo, 2019).
Performance Metrics
Performance measures like as power consumption, battery life, and the lack of network resources available to nodes are all affected by the DAG inconsistency attack. This leads to an overall decline in network performance. The RPL network becomes more unstable when the DIO trickle time is reset by hand (Ahmed, 2018). The RPL network suffers substantially because of the Blackhole attack, including packet latency, control overhead, and overall performance loss. Combined with a sinkhole attack, the RPL network would be severely damaged, causing far more issues than there already were.
Risk Mitigation
Limiting the number of times, the timer resets would be the most effective countermeasure for averting a DAG inconsistency attack. As a result, the DAG attack would be unable to get access to the network. The Blackhole attack, fortunately, has remedies in the form of different pathways for routing the very same message through the network's disconnected paths. This keeps the RPL network from being overburdened at a single place.
Chapter 3: IoT OWASP
IoT devices are noted for their frequently updated Top Ten Web Application Vulnerabilities list. Meanwhile, a team is working on developing a list of the most prevalent flaws there in Internet of Things (IoT). All these smart items include one common factor: they include full-fledged computers and interact directly or indirectly over the Internet and may also be accessible via the Internet. As a result, they're a prime target for cybercriminals such as botnet operators, spammers, and those looking to distribute malware.
Hardcoded passwords or passwords that are simple to guess
Hardcoded default password is used in the virtual machine.
It is common for many devices to have default passwords that the user is not compelled to update. The default passwords are frequently simple and easy to guess, and in some cases, same across devices when they are first installed. Furthermore, a policy requiring strong passwords is often absent, enabling users to use simple passwords. Hard-coded passwords or backdoors are built into many gadgets and cannot be altered or erased.
Network services that aren't safe
Vulnerable services are exposed in the virtual machine’s network.
There is a risk that data processed on the devices and their functionalities will be compromised if services that are not necessary or hazardous for their real performance are made available to the public. These systems may also be used as a gateway to other networked systems.
Ecosystem interfaces that are not secure
The virtual machine’s drive is not encrypted.
Vulnerabilities, such as missing or inaccurate access restrictions and insufficient encryption, may exist in web services or interfaces provided by the device manufacturer on the Internet (e.g., to access video data from cameras).
The updating mechanism is insecure.
Many IoT devices do not have secure updating methods. For example, signature algorithms may be used to verify the legitimacy of an upcoming update and ensure the integrity of data transmissions.
Using out-of-date or unsafe systems
Outdated code is found in the virtual machine.
Most IoT devices rely on third-party components for their software and hardware. Weak spots might occur from employing old components or poorly adapting them to the product.
Inadequate security for personal data
As a result of this, any personal information input on the device or in the manufacturer's ecosystem would be handled incorrectly. When it comes to data collection, many people don't have a choice in the matter.
A lack of trust in the security of data transmission and storage
Unencrypted transmission is happening in the virtual machine.
The confidentiality of data saved on the manufacturer's devices or ecosystem and data communicated over the Internet is compromised if the encryption is missing or is poor.
There is a lack of control over the devices
Most Internet of Things (IoT) devices don't provide any means of integration into centralised asset or update management, making it hard to utilise several devices at once safely or to run devices on corporate networks, for example.
Default settings that aren't safe
Constraints are typically imposed on a device when it is initially installed, and privacy-by-default does not always come pre-installed with the device.
Lack of physical hardness
It might be difficult to function safely in public or publicly accessible areas when devices provide little or no protection against physical assaults. Additionally, this involves the availability of unnecessary device interfaces.
Chapter 4: Conclusion
All facets of IoT security, macro, and micro, must be considered. To design an IoT project, a planner must consider both the global as well as the holistic aspects as well as the IoT devices. There is no IoT project that does not incorporate networks, management systems, and any applicable compliance and regulatory requirements. Regardless as to whether the system is utilised in a commercial or residential setting, identity and authentication are essential components of strong IoT security. Since the IoT data is prone to be affected over the Internet, it must be consulted to ensure is encrypted.
In addition, it must be guaranteed that the management platform already in use likewise supports the IoT devices. Edge computer solutions must be analysed for potential attack surfaces and vulnerabilities if they are to be implemented, and this must be done before implementing an edge computer solution. With all this new technology, it is important to assess the applicable compliance and regulatory requirements for the organisation (or industry) associated with the transmission and storage of IoT data. Multi-factor authentication must be setup and strong passwords must be used. Hard-coded passwords should never be used in Internet of Things (IoT) devices.
The attackers may easily defeat these minibars. Access to IoT devices must also be governed by rules of authorization. Privilege-based access control is ideal here. The execution of security and privacy rules must not be based on assumptions. The usage of Internet of Things (IoT) devices with insufficient security and privacy characteristics is obviously prohibited by this rule. There should be a separate network dedicated to IoT devices. Only via the use of a firewall can this network connect with the rest of the firm, and it should have its own monitoring capabilities.
All unnecessary functionalities must be disabled on the IoT devices. The restrictions and security procedures may be readily bypassed by (unnecessary) new functions. Controls that are necessary to the device's operation should be kept out of reach of the user. It is necessary to lock or delete the reset and password change buttons. Wireless networks should not be used for automatic connections. The isolation of network components may also be necessary to prevent IoT devices from infiltrating the network.
It must be assured that the software ports that permit configuration and remote control are disabled or limited if incoming traffic is not totally blocked. Encryption should be utilised wherever feasible. In the absence of encryption, the Internet of Things devices should not be used. A virtual private network (VPN) may be helpful in this situation. If the firmware or software must be updated manually or locally, then the device should not be purchased in the first place. When an IoT device reaches the end of its useful life or the manufacturer stops providing updates, it should be removed from the network.
References
Ahmed, B. (2018). Secure and Smart Internet of Things (IoT). River Publishers. https://www.riverpublishers.com/book_details.php?book_id=669
Chaki, R., & Roy, D. B. (2021). Security in IoT. CRC Press. https://blackwells.co.uk/bookshop/product/Security-in-IoT-by-Rituparna-Chaki-editor-Debdutta-Barman-Roy-editor/9780367711412
Dehghantanha, A., & Choo, K.-K. R. (2019). Handbook of Big Data and IoT Security. Springer. https://link.springer.com/book/10.1007/978-3-030-10543-3
Liyanage, M., Braeken, A., Kumar, P., & Ylianttila, M. (2020). IoT Security: Advances in Authentication. John Wiley & Sons. https://www.wiley.com/en-us/IoT+Security%3A+Advances+in+Authentication-p-9781119527923
Pal, S., Díaz, V. G., & Le, D.-N. (2020). IoT: Security and Privacy Paradigm. CRC Press. https://www.taylorfrancis.com/books/edit/10.1201/9780429289057/iot-souvik-pal-vicente-garc%C3%ADa-d%C3%ADaz-dac-nhuong-le
Sharma, S. K., Bhushan, B., & Debnath, N. C. (2020). IoT Security Paradigms and Applications: Research and Practices. CRC Press. https://www.taylorfrancis.com/books/edit/10.1201/9781003054115/iot-security-paradigms-applications-sudhir-kumar-sharma-bharat-bhushan-narayan-debnath