Dissertations / Theses on the topic 'Internet of Things (IoT) Security'

The Internet of Things (IoT) is our future and human life is now entering in to a generation where everyone will be using sensory information and artificial intelligence to make day to day life decisions in real-time. With implementation and enhancements around Internet protocol (IP) now it’s possible to connect and control these devices from anywhere around the globe they can be control by either human or even machines. Security is a critical element and building block for Internet of things (IoT) success. First, we have worked finding out possibility of detecting different types of attacks in Internet of things Wireless networks and identify them based on throughput, delay and energy consumed. Attack that we have work on include DOS attacks and DDOS attacks. Motivated by current use of Blockchain in resolving various problems we have evaluated its implementation to find solutions to secure Internet of Things. This become possible by utilising block chain network and smart contracts to validate any IoT communication . Using Blockchain network allowed IoT to detect securely authenticate without over utilizing device resource keeping in mind the limited hardware and bandwidth. IoT node or nodes communicates to a validator node within Blockchain network to get the most current binary of contracts status and in order to achieve this all the devices required to be in sync with Blockchain version of accounts stored by this validator node. We have worked out how this communication will work in order to ensure security and privacy while doing performance analysis of overheads. In conclusion IoT and Blockchain combine together is very promising solution to solve many current security issues in order to take it to mass scale deployment which allow implementation of Internet of things for a purposeful manner.

The Internet of Things (IoT) is an emerging paradigm that will change theway we interact with objects and computers in the future. It envisions a globalnetwork of devices interacting with each other, over the Internet, to perform auseful action. As such, quite a number of useful and benecial applications ofthis technology have been proposed.Although a convenient technology, the use of IoT technology will add additionalrisks to our lives that the traditional Internet did not have. This is primarilybecause IoT technology allows the virtual world to directly aect the physicalworld.Therefore, ensuring security is of paramount importance for IoT technology. Assuch, this thesis has two aims. First, we will identify the security issues for IoTtechnology as well as highlight what approaches academia has developed to resolvethem. This will allow us to see the state of this technology along with whatstill needs to be done in the future. Secondly, we will analyze some security protocolsproposed by academia and evaluate whether they ensure condentialityand authenticity.A literature survey is used to achieve the rst goal and the results show thatalthough a lot of research has been performed regarding security for IoT environments.We still have quite a way to go before a full holistic system isdeveloped which ensures all the security requirements for IoT.The results for the security protocol analysis shows that less than half of theprotocols proposed ensured authenticity and condentiality; despite the factthat their respective papers claim that they did. Therefore, we emphasize thefact that good peer reviews need to be enforced and that protocols need to bevalidated to ensure what is proposed performs as described.

The Internet of Things (IoT) is emerging the Internet and other networks with wireless technologies to make physical objects interact online. The IoT has developed to become a promising technology and receives significant research attention in recent years because of the development of wireless communications and micro-electronics.  Like other immature technological inventions, although IoT will promise their users a better life in the near future, it is a security risk, especially today the privacy is increasingly concerned by people. The key technologies of IoT are not yet mature. Therefore the researches and applications of the IoT are in the early stage. In order to make the IoT pervade people’s everyday life, the security of the IoT must be strengthened. In this thesis, first, the IoT is compared with the Internet. Though the IoT is based on the Internet, due to the characteristics of the IoT, those mature end-to-end security protocols and protective measures in the Internet can not directly provide the end-to-end data security through the perceptual layer, the transport layer the and application layer. For the IoT security addressing issues (such as the Internet DNS attack), this thesis proposes the IoT addressing security model. The traditional access control and the identity authentication only works in the same layer. The IoT addressing security model designed in this thesis effectively solves the issues of vertically passing the authentication results in the addressing process without changing the protocols for two communication parties. Besides, this thesis provides the object access control and privacy protection from the object application layer addressing, DNS addressing and IP addressing phases. Finally, combining the IoT object addressing security model with practical application scenario, this thesis designs the IoT object security access model. In this model, the access requester can access objects in different domains through a single sign-on. This model provides the protection for the end-to-end communication between the access requester and object.

L’internet des objets (IoT) introduit de nouveaux défis pour la sécurité des réseaux. La plupart des objets IoT sont vulnérables en raison d'un manque de sensibilisation à la sécurité des fabricants d'appareils et des utilisateurs. En conséquence, ces objets sont devenus des cibles privilégiées pour les développeurs de malware qui veulent les transformer en bots. Contrairement à un ordinateur de bureau, un objet IoT est conçu pour accomplir des tâches spécifiques. Son comportement réseau est donc très stable et prévisible, ce qui le rend bien adapté aux techniques d'analyse de données. Ainsi, la première partie de cette thèse tire profit des algorithmes de deep learning pour développer des outils de surveillance des réseaux IoT. Deux types d'outils sont explorés: les systèmes de reconnaissance de type d’objets IoT et les systèmes de détection d'intrusion réseau IoT. Pour la reconnaissance des types d’objets IoT, des algorithmes d'apprentissage supervisé sont entrainés pour classifier le trafic réseau et déterminer à quel objet IoT le trafic appartient. Le système de détection d'intrusion consiste en un ensemble d'autoencoders, chacun étant entrainé pour un type d’objet IoT différent. Les autoencoders apprennent le profil du comportement réseau légitime et détectent tout écart par rapport à celui-ci. Les résultats expérimentaux en utilisant des données réseau produites par une maison connectée montrent que les modèles proposés atteignent des performances élevées. Malgré des résultats préliminaires prometteurs, l’entraînement et l'évaluation des modèles basés sur le machine learning nécessitent une quantité importante de données réseau IoT. Or, très peu de jeux de données de trafic réseau IoT sont accessibles au public. Le déploiement physique de milliers d’objets IoT réels peut être très coûteux et peut poser problème quant au respect de la vie privée. Ainsi, dans la deuxième partie de cette thèse, nous proposons d'exploiter des GAN (Generative Adversarial Networks) pour générer des flux bidirectionnels qui ressemblent à ceux produits par un véritable objet IoT. Un flux bidirectionnel est représenté par la séquence des tailles de paquets ainsi que de la durée du flux. Par conséquent, en plus de générer des caractéristiques au niveau des paquets, tel que la taille de chaque paquet, notre générateur apprend implicitement à se conformer aux caractéristiques au niveau du flux, comme le nombre total de paquets et d'octets dans un flux ou sa durée totale. Des résultats expérimentaux utilisant des données produites par un haut-parleur intelligent montrent que notre méthode permet de générer des flux bidirectionnels synthétiques réalistes et de haute qualité<br>The growing Internet of Things (IoT) introduces new security challenges for network activity monitoring. Most IoT devices are vulnerable because of a lack of security awareness from device manufacturers and end users. As a consequence, they have become prime targets for malware developers who want to turn them into bots. Contrary to general-purpose devices, an IoT device is designed to perform very specific tasks. Hence, its networking behavior is very stable and predictable making it well suited for data analysis techniques. Therefore, the first part of this thesis focuses on leveraging recent advances in the field of deep learning to develop network monitoring tools for the IoT. Two types of network monitoring tools are explored: IoT device type recognition systems and IoT network Intrusion Detection Systems (NIDS). For IoT device type recognition, supervised machine learning algorithms are trained to perform network traffic classification and determine what IoT device the traffic belongs to. The IoT NIDS consists of a set of autoencoders, each trained for a different IoT device type. The autoencoders learn the legitimate networking behavior profile and detect any deviation from it. Experiments using network traffic data produced by a smart home show that the proposed models achieve high performance.Despite yielding promising results, training and testing machine learning based network monitoring systems requires tremendous amount of IoT network traffic data. But, very few IoT network traffic datasets are publicly available. Physically operating thousands of real IoT devices can be very costly and can rise privacy concerns. In the second part of this thesis, we propose to leverage Generative Adversarial Networks (GAN) to generate bidirectional flows that look like they were produced by a real IoT device. A bidirectional flow consists of the sequence of the sizes of individual packets along with a duration. Hence, in addition to generating packet-level features which are the sizes of individual packets, our developed generator implicitly learns to comply with flow-level characteristics, such as the total number of packets and bytes in a bidirectional flow or the total duration of the flow. Experimental results using data produced by a smart speaker show that our method allows us to generate high quality and realistic looking synthetic bidirectional flows

Mestrado em Engenharia de Computadores e Telemática<br>IoT assume que dispositivos limitados, tanto em capacidades computacionais como em energia disponível, façam parte da sua infraestrutura. Dispositivos esses que apresentam menos capacidades e mecanismos de defesa do que as máquinas de uso geral. É imperativo aplicar segurança nesses dispositivos e nas suas comunicações de maneira a prepará-los para as ameaças da Internet e alcançar uma verdadeira e segura Internet das Coisas, em concordância com as visões atuais para o futuro. Esta dissertação pretende ser um pequeno passo nesse sentido, apresentando alternativas para proteger as comunicações de dispositivos restritos numa perspetiva de performance assim como avaliar o desempenho e a ocupação de recursos por parte de primitivas criptográficas quando são aplicadas em dispositivos reais. Dado que a segurança em diversas ocasiões tem de se sujeitar aos recursos deixados após a implementação de funcionalidades, foi colocada uma implementação de exposição de funcionalidades, recorrendo ao uso de CoAP, num dispositivo fabricado com intenção de ser usado em IoT e avaliada de acordo com a sua ocupação de recursos.<br>IoT comprehends devices constrained in both computational capabilities and available energy to be a part of its infrastructure. Devices which also present less defense capabilities and mechanisms than general purpose machines. It’s imperative to secure such devices and their communications in order to prepare them for the Internet menaces and achieve a true and secure Internet of Things compliant with today’s future visions. This dissertation intends to be a small step towards such future by presenting alternatives to protect constrained device’s communications in a performance related perspective as well as benchmarks and evaluation of resources used by cryptographic primitives when implemented on real devices. Due to security being on multiple occasions subjected to the resources available only after functionalities implementation, a minimalist implementation of functionalities exposure through the use of CoAP was also deployed in an IoT intended device and assessed according to resource overhead.

The emerging Internet of Things (IoT) revolution has introduced many useful applications that are utilized in our daily lives. Users can program these devices in order to develop their own IoT applications; however, the platforms and languages that are used during development are abounding, complicated, and time-consuming. The software solution provided in this thesis, PROVIZ+, is a secure sensor application development software suite that helps users create sophisticated and secure IoT applications with little software and hardware experience. Moreover, a simple and efficient domain-specific programming language, namely Panther language, was designed for IoT application development to unify existing programming languages. In addition to these contributions, PROVIZ+ supports a novel secure over-the-air programming framework, namely SOTA, using Bluetooth and WiFi as well as serial programming. In this thesis, we explain the features of PROVIZ+’s components, how these tools can help develop IoT applications, and SOTA. We also present the performance evaluations of PROVIZ+ and SOTA.

This thesis work consists of a literature study where different aspects of DNS and the Internet of Things have been researched. A functional naming and service identification method is an essential part in making the IoT global, and DNS is the current method of naming devices on the Internet. The study looks into some challenges DNS will encounter, namely functionality, security and availability. This report concludes that a multicast DNS (mDNS) based solution designed for constrained networks is advantageous. This is despite the limited security that is currently available for such a solution. In the future, it is important that security has top priority, as there are currently limited means of security in DNS. Further study is needed when it comes to availability and how name resolving would work with constrained devices that utilise sleep mode.<br>Detta examensarbete består av en litteraturstudie där olika aspekter av DNS (Domännamnssystemet, eng. Domain Name System) och Sakernas Internet (eng. Internet of Things) har studerats. En fungerande namngivnings-och serviceidentifieringsmetod är en viktig del för att kunna göra Sakernas Internet globalt, och DNS är den nuvarande metoden för att namnge enheter på Internet. Studien undersöker vissa utmaningar som DNS kan stöta på, nämligen funktionalitet, tillgänglighet och säkerhet. Rapportens slutsats är att en lösning baserad på multisändnings-DNS (eng. multicast DNS, mDNS) som är anpassad för begränsade nätverk (eng. constrained networks) är fördelaktig. Detta trots den begränsade säkerhet som finns tillgänglig just nu för en sådan lösning. I framtiden är det viktigt att säkerheten har högsta prioritet, eftersom säkerheten är begränsad hos DNS. Det behövs ytterligare studier när det gäller tillgänglighet och hur adressöversättning skulle fungera med begänsade enheter (eng. constrained devices) som använder viloläge.

The use of Internet-of-Things (IoT) makes it possible to inter-connect Information Technology (IT) and Operational Technology (OT) into a completely new system. This convergence is often known as Industrial IoT (IIoT). IIoT brings a lot of benefits to industrial assets, such as improved efficiency and productivity, reduced cost, and depletion of human error. However, the high inter-connectivity opens new possibilities for cyber incidents. These incidents can cause major damage like halting of production on the manufacturing line, or catastrophic havoc to companies, communities, and countries causing power outages, floods, and fuel shortages. Such incidents are important to be predicted, stopped, or alleviated at no cost. Moreover, these incidents are a great motive for researchers and practitioners to investigate known security problems and find potential moderation strategies.  In this thesis work, we try to identify what types of IIoT systems have been investigated in the literature. We seek out to find if software-related issues can yield security problems. Also, we make an effort to perceive what are the proposed methods to mitigate the security threats.We employ the systematic literature review (SLR) methodology to collect this information. The results are gathered from papers published in the last five years and they show an increased interest in research in this domain. We find out software vulnerabilities are a concern for IIoT systems, mainly firmware vulnerabilities and buffer overflows, and there are a lot of likely attacks that can cause damage, mostly injection and DDoS attacks. There are a lot of different solutions which offer the possibility to stop the identified problems and we summarize them. Furthermore, the research gap considering the update process in these systems and devices, as well as a problem with the unsupervised software supply chain is identified.

Background: IoT is a system of devices with unique identifiers (UIDs) and can transfer data over a network. They are widely used in various sectors such as Health, Commercial, Transport, etc. However, most IoT devices are being exploited, as it is being recorded for the past few years, on how vulnerable users can be if they have any of these devices in their network. Arduino is one of the most commonly used IoT devices, notable products such as Uno and Mega2560 is highly acceptable in the market and the research world. It is important to know how these devices react to security measures such as encryptions. Objectives: To carry out a theoretical study and performance comparison on Arduino devices and standard cryptographic encryption. The devices and encryption used are Arduino Uno, Mega2560 and AES, XXTEA respectively. Methods: To gain knowledge and information about the selected algorithms and devices, a literature analysis was adopted. An experiment was also carried out to get measurements and record how the algorithms perform on these devices. Results: The literature analysis provides the design similarities and differences of the algorithms and devices. The controlled experiment shows the measurement of the stated encryptions on the Arduino devices. Conclusions: The conclusion is that Arduino Uno and Mega2560 have a similar design but differ in their memory allocation. The AES and XXTEA algorithm have different designs and performances. The result in the controlled experiment shows that the XXTEA outperforms the AES algorithm in terms of Memory and Time consumption significantly in both devices. The Arduino Uno device is slightly ahead of Mega2560 when comparing the result.

Internet of Things (IoT) is a concept that encompasses various objects and methods of communication to exchange information. Today IoT is more a descriptive term of a vision that everything should be connected to the internet. IoT will be fundamental in the future because the concept opens up opportunities for new services and new innovations. All objects will be connected and able to communicate with each other, while they operate in unprotected environments. This later aspect leads to major security challenges. Today, IoT is in great need of standardization and clear architectures that describe how this technology should be implemented and how IoT devices interact with each other in a secure manner. The security challenges are rooted in the technology and how information is acquired and manipulated by this technology. This thesis provides an introduction to what the IoT is and how it can be used as well as some of the threats that IoT may face in regards to information security. In addition, the thesis provides the reader with some suggestions about how to potentially solve the fundamental need for authentication and secure communications. The solutions presented are based on both contemporary solutions and technologies that are under development for the future. Contemporary solutions are based on security protocols such as IPSec and DTLS. These protocols are being used in an environment that extends across the Internet and into a 6LoWPAN network. The proposed authentication solution has been developed based on a public key infrastructure and trust models for certificate management. As future work, the thesis presents several research areas where this thesis can be used as a basis. These specialization areas include further analysis of vulnerabilities and an implementation of the proposed solutions.<br>Internet of Things (IoT) är ett koncept som omfattar olika objekt och kommunikationsmetoder för utbyte av information. Idag är IoT mer en beskrivande term av den framtidsvision som finns att allting ska vara uppkopplat på internet. IoT kommer vara fundamentalt i framtiden eftersom konceptet öppnar upp möjligheter för nya tjänster samt nya innovationer. Då alla objekt ska vara uppkopplade och kunna kommunicera med varandra samtidigt som de skall kunna operera i oskyddade miljöer, bidrar detta till stora säkerhetsutmaningar. Dagens IoT är i stort behov av standardisering och klara strukturer för hur tekniken ska implementeras samt samverka med varandra på ett säkert sätt.  Utmaningarna ligger i att säkra tekniken samt informationen som tekinken bidrar med. Denna rapport ger en introduktion till vad IoT är och hur det kan användas samt vilka hot som IoT kan möta i avseende till informationssäkerhet. Utöver detta så förser rapporten läsaren med förslag om hur man eventuellt kan lösa de fundamentala behoven av autentisering och säker kommunikation. Lösningarna som läggs fram är baserade på både nutida lösningar och teknik som är under utveckling inför framtiden. Nutida lösningar är baserade på säkerhetsprotokoll som IPsec och DTLS som används i en miljö som sträcker över internet och in i ett 6LoWPAN nätverk. Den autentiseringslösning som tagits fram grundar sig på PKI och förtroendemodeller för certifikathantering. För framtida arbete presenteras flertalet vidare fördjupningsområden där denna rapport kan användas som grund. Dessa fördjupningsområden inkluderar vidare analys av sårbarheter och implementation av de lösningar som tagits fram.

In the past decade, Internet of Things (IoT) has beena fast growing product type. Most homes in a modern societyhas several IoT-products, to automate and simplify the daily lifeof many people. While IoT-devices may increase the quality oflife, they can impose a great security threat. The simplicity ofthe products usually makes them an easy target for hackers andother types of malicious activity.To increase the security of these types of devices the aim ofthis project is to simplify the process of finding and preventingsecurity flaws. This was done by creating a programmable modelmodell which can be used to simulate attacks on IoT-devices. Theresults from the validation shows that this model can be used forsimulation of attacks with great precision for basic systems.<br>Under det senaste årtiondet, har Internet of Things (IoT) haft en snabb framfart. De flesta hem i vårt moderna samhälle innehåller numera ett flertal IoT-produkter, för att automatisera och förenkla vardagen. Trots att IoT-enheter förenklar vardagen för många människor utgör de ofta även ett stort säkerhetshot. Systemens enkelhet bidrar till att de ofta är lätta måltavlor för hackers och andra typer av skadlig aktivitet.  För att förbättra säkerheten i dessa typer av system är  målet med detta projekt att förenkla processen att hitta och motarbeta säkerhetsbrister. Genom att skapa en programmerbar modell som kan användas för att simulera attacker mot IoTsystem kunde detta göras. Resultaten från valideringen visar att modellen kan användas för att simulera attacker med god precision för enklare system.<br>Kandidatexjobb i elektroteknik 2020, KTH, Stockholm

In order to develop secure Internet of Things (IoT) devices, it is vital that security isconsidered throughout the development process. However, this is not enough as vulnerabledevices still making it to the open market. To try and solve this issue, this thesis presentsa structured methodology for performing security analysis of IoT platforms. The presented methodology is based on a black box perspective, meaning that theanalysis starts without any prior knowledge of the system. The aim of the presentedmethodology is to obtain information in such a way as to recreate the system design fromthe implementation. In turn, the recreated system design can be used to identify potentialvulnerabilities. Firstly the potential attack surfaces are identified, which the methodology calls inter-faces. These interfaces are the point of communication or interaction between two partsof a system. Secondly, since interfaces do not exist in isolation, the surrounding contextsin which these interfaces exist in are identified. Finally the information processed by theseinterfaces and their contexts are analyzed. Once the information processed by the iden-tified interfaces in their respective contexts are analysed, a risk assessment is performedbased on this information. The methodology is evaluated by performing an analysis of the IKEA “TRÅDFRI”smart lighting platform. By analysing the firmware update process of the IKEA “TRÅD-FRI” platform it can be concluded that the developers have used standardized protocolsand standardized cryptographic algorithms and use these to protect devices from ma-licious firmware. The analysis does however find some vulnerabilities, even though thedevelopers have actively taken steps to protect the system.

While IoT safety and security incidents continue to increase in frequency, scope and severity, there remains a gap in how the issue will be addressed. While the debate continues within academia, industry standards bodies, government and industry media, new entrants continue to rapidly enter the market with cheaper more powerful products with little incentive to address information security issues. In a free market economy, the supply and the demand would determine the product and services and the associated prices without intervention. Manufacturers are free to innovate, consumers drive choice and competition brings these opposing forces to an equilibrium of market price. But how does this economic system factor in the risk of an event that neither party may ever consider and, yet, it may impact not only impact those involved, but has the potential to have catastrophic harm to others? The downside, the system does not consider “external factors”, i.e. a compromise to accommodate what consumers need. Economists often urge governments to adopt policies that "internalize" an externality, so that costs and benefits will affect mainly parties who choose to incur them. Such an intervention, however, often comes with many challenges and consequences. Even with the added urgency of growing risk to human safety, regulatory intervention takes time. Likewise, a self-regulating market would undoubtedly also take a significant amount of time to take the necessary actions to address such an externality, even if incentivized. While it continues to be all too easy to defer the blame and risk on consumer, like the industrial revolution, this industry must overcome its own safety challenges like the auto, transportation or energy industries before it. While, consumers must inevitably take some reasonable measures to protect their interests, clearly the accountability must reside elsewhere. There is a potentially increasingly significant influential subset of consumers in the IoT ecosystem, the Enterprise Buyer, specifically marketing and technology executives, who champion consumer needs within their organization’s broader products and services that incorporate IoT. In this thesis, we aim to investigate the following issue: What are the attitudes and potential role for Enterprise Buyers in influencing negative externalities, i.e. IoT security in the IoT market, specifically from the perspective of marketing and technology executives? We believe that this group is uniquely positioned to understand a consumer first mindset and how to articulate value in otherwise negatively perceived field of information security by examining context, business/technical challenges and opportunities and reveal awareness, attitude and accountability. The results of our survey show the majority of marketing and technology executives who responded believe information security awareness is increasingly an executive accountability and priority and Enterprise Buyers hold a highly influential position in their ability to influence the IoT market and its security development and maturation.<br>Medan IoT- säkerhetsincidenter fortsätter att öka i frekvens, omfattning och svårighetsgrad, finns det fortfarande ett gap i hur problemet ska hanteras. Samtidigt som debatten fortsätter inom akademin, branschstandardorganen, myndigheter i regeringen och industrin fortsätter nya aktörer att snabbt komma in på marknaden med billigare, kraftfullare produkter med få incitament att ta itu med informationssäkerhetsfrågor. I en öppen marknadsekonomi skulle utbud och efterfrågan avgöra produkt och tjänster och tillhörande priser utan intervention. Tillverkare kan obehindrat driva innovation, konsumenterna driver urval och konkurrens ger dessa motstridiga krafter jämvikt genom marknadspriset. Men hur påverkar detta ekonomiska system risken för en händelse som ingen av parterna någonsin kan överväga och som ändå kan påverka inte bara de inblandade som berörs utan även har potential att få katastrofala skador på andra? Nersidan är att systemet inte beaktar "yttre faktorer", det vill säga gör en kompromiss för att leverera vad konsumenterna behöver. Ekonomer uppmanar ofta regeringar att anta policies som "internaliserar" något externt, så att kostnader och fördelar kommer att påverka främst parter som väljer att ådra sig dem. Ett sådant ingrepp kommer emellertid ofta med många utmaningar och konsekvenser. Trots att förhöjda hot mot människors säkerhet ökar angelägenheten tar uppdatering av regelverken tid. På samma sätt skulle en självreglerande marknad utan tvivel också ta väldigt mycket tid på sig för att vidta nödvändiga åtgärder för att hantera en sådan extern faktor, även om det fanns incitament för att göra det. Medan det fortsätter att vara alltför lätt att överlåta ansvaret och risken till konsumenten, såsom under den industriella revolutionen, måste denna industri övervinna sina egna säkerhetsutmaningar såsom bil-, transport- eller energibranschen gjort före den. Samtidigt som konsumenter oundvikligen behöver vidta rimliga åtgärder för att skydda sina intressen, måste yttersta ansvaret ligga någon annanstans. Det finns en potentiellt allt större inflytelserik delmängd av konsumenter i IoT-ekosystemet; företagsköpare, specifikt ledare inom marknadsföring och teknologi, som driver konsumentbehov inom sin organisations bredare produkter och tjänster som innehåller IoT. I denna avhandling strävar vi efter att undersöka följande problem: Vad är företagsköparnas attityder och möjliga roll för att påverka negativa externa effekter, det vill säga IoT-säkerhet på IoT-marknaden, särskilt ur marknadsförings- och teknikledarens perspektiv? Vi tror att denna grupp är unik positionerad för att förstå en konsumenternas första tankegång och hur man kan uttrycka värdet i ett annars negativt uppfattat område för informationssäkerhet genom att undersöka kontext, affärs- / tekniska utmaningar och möjligheter och avslöja medvetenhet, attityd och ansvar. Resultaten av vår undersökning visar de flesta marknadsförings- och teknikchefer som svarade tror att informationssäkerhet blir del av ledningens ansvar och prioriteringar och att företagsköpare har en mycket inflytelserik position i deras förmåga att påverka IoT- marknaden och dess säkerhetsutveckling och mognad.

La course à la miniaturisation des appareils informatiques est en train de transformer notre relation avec ces derniers, ainsi que leurs rôles dans notre société. Le nombre d’ordinateurs miniatures contrôlés à distance augmente considérablement et ces objets connectés - comme ils sont communément appelés - sont de plus en plus sollicités pour effectuer des tâches à la place de l’Homme. La tendance actuelle consiste à créer une place dans Internet pour ces objets connectés, autrement dit, à construire des protocoles adaptés à leurs ressources limitées. Cette tendance est connue comme l’Internet desObjets - ou l’acronyme anglais IoT - qui est différent des protocoles destinés à une utilisation exclusivement par des humains dit Internet des Personnes ou IoP en anglais. Avec l’adoption de cette séparation conceptuelle, comment est-ce qu’une personne échangerait ses informations avec des objets sans sacrifier la sécurité ? Pour aider à réduire cet écart, on a besoin d’un intermédiaire et la mise en réseau de ces intermédiaires amène à construire le concept d’Internet des Services ou IoS en anglais. Les personnes et les objets sont connectés à travers les services. Le réseau dans son ensemble, incluant les personnes, les objets et les services est donc l’Internet des Personnes, des Objets et des Services. Notre travail se situe à l’intersection de ces trois domaines et notre contribution est double. Premièrement, nous assurons que la liaison entre l’identité d’une personne et de ses objets ne se fasse pas au détriment des propriétés de sécurité telles que l'Intégrité, l'Anonymat et la confidentialité. Et deuxièmement, nous abordons la gestion de la confidentialité des données avec les objets dits connectés. Dans la quête d’une meilleure intégration des objets connectés à Internet, nous avons contribué à la définition de protocoles autant sur la couche applicative que sur la couche réseau du modèle OSI, avec pour préoccupations principales les contraintes de l’IoT et la sécurité<br>The constant efforts of miniaturization of computing machines is transforming our relationships with machines and their role in society. The number of tiny computers remotely controlled is skyrocketing and those connected things are now more and more asked to do things on human behalf. The trend consists in making room for these specific machines into the Internet, in other words, building communication protocols adapted to their limited resources. This trend is commonly known as the Internet of Things (IoT) which consist of appliances and mechanisms different from those meant to be used exclusively by humans, the Internet of Persons (IoP). This conceptual separation being adopted, how would a Person exchange information with Things ?Sorts of brokers can help bridging that gap. The networking of those brokers led to the concept of Internetof Services (IoS). Persons and Things are connected through Services. This global networking is called the Internet of Persons Things and Services (IoPTS). Our work is on the edge of these 3 Internet areas and our contributions are two fold. In the first hand, we tackle the secure biding of devices’ and persons’ identities while preserving the Integrity, Anonymity and Confidentiality security properties. On the other hand, we address the problem of the secrecy of data on constrained Internet-connected devices. Other mechanisms must be created in order to seamlessly bind these conceptual areas of IoP, IoT andIoS. In this quest for a better integration of Internet connected-devices into the Internet of Persons, our work contributes to the definition of protocols on application and network layers, with IoT concerns and security at heart

This research studies the security challenges in IoT devices. At first, security challenges have been described and then specifically the security of communication protocols in the IoT has been addressed. Finally, among different communication protocols, ZigBee and Z-Wave protocols have been chosen for this study. The criterion for choosing these two protocols is the level of security they provide for IoT devices to protect them against unauthorized access and hacking. Security, frequency, power consumption and data rate are the characteristics that have been discussed in the review of these two protocols. In the end, a comparison of the various features of these two protocols clarified that the security of IoT devices in each of these protocols depends on the type of the IoT device, the required range and other requirements, however, in most cases the ZigBee protocol showed more security than Z-Wave.

L’Internet des Objects (IoT) est un modèle qui évolue rapidement et qui permet à des utilisateursd’utiliser et contrôler une large variété d’objets connectés entre eux. Ces environnementsconnectés augmentent la surface d’attaque d’un système puisque les risques sont multipliés parle nombre d’appareils connectés. Ces appareils sont responsables de tâches plus ou moinscritiques, et peuvent donc être la cible d’utilisateurs malveillants. Dans ce travail de thèse nousprésentons une méthodologie pour évaluer la sécurité de systèmes IoT. Nous proposons unemanière de représenter les systèmes IoT, couplée avec des arbres d’attaques afin d’évaluer leschances de succès d’une attaque sur un système donné. La représentation des systèmes est faitevia un langage formel que nous avons développé : SOML (Security Oriented Modeling Language).Ce langage permet de définir le comportement des différents acteurs du système et d’ajouterdes probabilités sur leurs actions. L’abre d’attaque nous offre un moyen simple et formel dereprésenter de possibles attaques sur le système. L’analyse probabiliste est ensuite effectuée viaun outil de Statistical Model Checking : Plasma. Nous utilisons deux algorithmescomplémentaires pour effectuer cette analyse : Monte Carlo et importance splitting<br>LoT is a rapidly emerging paradigm that provides a way to the user to instrument and control a large variety of objects interacting between each other over the Internet. In IoT systems, the security risks are multiplied as they involve hetero- geneous devices that are connected to a shared network and that carry critical tasks, and hence, are targets for malicious users. In this thesis, we propose a security-based framework for modeling IoT systems where attack trees are defined alongside the model to detect and prevent security risks in the system. The language we implemented aims to model the IoT paradigm in a simple way. The IoT systems are composed of entities having some communication capabilities between each other. Two entities can communicate if (i) they are connected through a communication protocol and (ii) they satisfy some constraints imposed by the protocol. In order to identify and analyze attacks on the security of a system we use attack trees which are an intuitive and practical formal method to do so. A successful attack can be a rare event in the execution of a well-designed system. When rare, such attacks are hard to detect with usual model checking techniques. Hence, we use importance splitting as a statistical model checking technique for rare events

In a world where technological progress is constant, understanding the views and experiences of users is essential. With the use of technology, there are many dangers. Issues with privacy and security are among them. This thesis deals with understanding the perception of privacy and security of smart home IoT devices. The literature review consists of understanding concepts of trust, possible ways of intrusion, and prevention and elaborating more about the Internet of Things technology and smart homes. The review also contains notes on previous findings of the user's perception. The review of the literature also connects possible ways of intrusion with the underlying IoT architecture as well as explains notions of privacy by design, compliance, and GDPR. To understand the phenomenon of privacy and security in the context of a smart home, a simple qualitative study was conducted. Sixteen participants who are part of the general public were interviewed. The collected information was analyzed using a general inductive approach, and answers were grouped into categories as suggested by Thematic Analysis. Interviews were done online and a transcript summary can be found in the last Appendix. The findings from the interviews suggest that privacy and convenience matter most to the users. Participants demonstrated a willingness to purchase if they perceived a device as something that will increase their quality of life and were willing to share data such as location but they were not willing to lose anonymity. What type of data and for what purpose was mentioned as most important. When it comes to security attacks, participants were less worried about how it might happen and more worried about what might happen to them and what are the consequences for them. In the conclusion of the study, I present advice for students and academia, device manufacturers, and service providers as well as the general public as the last main stakeholder. Since technology is not static, it would be of importance to revisit topics of privacy and security of IoT.

À la différence de la confiance dans les sciences sociales, où les interactions entre les humains sont mesurées, la confiance dans la sécurité de l'IdO (Internet des Objets) se concentre davantage sur les interactions entre les nœuds (objets) grâce à l'intégration des objets intelligents. En outre, comme les nœuds de l'IdO peuvent en quelque sorte bénéficier d'un "groupe"/d'une "communauté" puisqu'ils sont formés par leurs propres intérêts ou fonctionnalités similaires, l'évaluations de la confiance d'intergroupes, interindividuelle, et celle de groupe-individuel, sont également importantes. Cependant, la gestion des limitations apportées par les menaces potentielles et la vulnérabilité inhérente à l'architecture des MT reste un défi. Cette thèse étudie la confiance sous trois angles dans l'internet des objets orienté services (SO-IoT) : La confiance intergroupe, la confiance groupe-individu et la confiance interindividuelle. Tout d'abord, un modèle dynamique basé sur les rôles est développé pour évaluer la confiance intra- et inter-communauté (groupe), en améliorant les activités orientées services et en abordant les questions de sécurité au sein des communautés et entre elles. Une approche centralisée locale en quatre phases est employée, qui se concentre sur les contre-mesures contre les attaques sur les services au sein de la communauté. En outre, un mécanisme en trois phases est conçu pour mesurer la coopération entre les communautés. Une implémentation basée sur le système ROS 2 a été mise en œuvre pour analyser les performances du modèle proposé sur la base des résultats préliminaires. Deuxièmement, pour traiter le mauvais comportement dans SO-IoT en termes de confiance interindividuelle, un jeu stochastique bayésien (SBG) est introduit, qui prend en compte l'hétérogénéité des nœuds IoT, et des schémas comportementaux complexes des fournisseurs de services sont incorporés, encourageant la coopération et pénalisant les actions stratégiques malveillantes. Enfin, le travail d'évaluation de la confiance des messages V2X dans l'IoV démontre la possibilité de mettre en œuvre la gestion de la confiance dans un environnement de l'IdO concret<br>Unlike Trust in Social Science, in which interactions between humans are measured, thanks to the integration of numerous smart devices, Trust in IoT security focuses more on interactions between nodes. Moreover, As IoT nodes can somehow benefit from 'Group'/'Community' since they form by similar interests or functionalities, the assessment of Group-Individual and Inter-Individual Trust is also important. However, handling limitations brought by potential threats and inherent vulnerability due to TM architecture remains challenging. This thesis investigates Trust from three perspectives in the Service-Oriented Internet of Things (SO-IoT): Inter-Group Trust, Group-Individual Trust, and Inter-Individual Trust. Firstly, a role-based dynamic model is developed to assess intra- and inter-community(group), enhancing service-oriented activities and addressing security issues within and between communities. A locally centralized four-phase approach is employed, focusing on countermeasures against attacks on services within the community. Additionally, a three-phase mechanism is devised to measure cooperativeness between communities. An implementation based on the ROS 2 system was implemented to analyze the performance of the proposed model based on the preliminary results. Secondly, to address misbehavior in SO-IoT in terms of Inter-Individual trust, a Stochastic Bayesian Game (SBG) is introduced, which considers the heterogeneity of IoT nodes, and complex behavioral schemes of service providers are incorporated, encouraging cooperation and penalizing malicious strategical actions. Lastly, the work of assessing the Trust of V2X messages in IoV demonstrates the possibility of implementing Trust Management in a concrete IoT environment

Modern cities are undergoing rapid expansion. The number of connected devices in the networks in and around these cities is increasing every day and will exponentially increase in the next few years. At home, the number of connected devices is also increasing with the introduction of home automation appliances and applications. Many of these appliances are becoming smart devices which can track our daily routines. It is imperative that all these devices should be secure. When cryptographic keys used for encryption and decryption are stored on memory present on these devices, they can be retrieved by attackers or adversaries to gain control of the system. For this purpose, Physical Unclonable Functions (PUFs) were proposed to generate the keys required for encryption and decryption of the data or the communication channel, as required by the application. PUF modules take advantage of the manufacturing variations that are introduced in the Integrated Circuits (ICs) during the fabrication process. These are used to generate the cryptographic keys which reduces the use of a separate memory module to store the encryption and decryption keys. A PUF module can also be recon gurable such that the number of input output pairs or Challenge Response Pairs (CRPs) generated can be increased exponentially. This dissertation proposes three designs of PUFs, two of which are recon gurable to increase the robustness of the system.

Internet of Things (IoT) devices are becoming more and more common in homes, making the security and privacy of these increasingly important. Previous research has found that home IoT users can become a threat to themselves if they lack knowledge of their devices and awareness of potential threats. To investigate how the users’ security and privacy practices can be improved, it is necessary to understand the current everyday practices and what impacts these. This is examined in 10 interviews, revealing that the practices are primarily influenced by convenience, motivation and the effort required from the user. Using these insights, this thesis suggests that tangible interaction needs to be used as a complement to digital solutions to improve the security and privacy practices. By having a physical object that in a simple way can inform everyone of the current security and privacy situation and is equally accessible for all members of a household, the security and privacy can become more attainable for all users no matter their level of knowledge and experience.<br>Internet of Things (IoT) enheter har blivit vanligt förekommande i hem vilket gör deras säkerhet och integritet allt viktigare. Det har tidigare visats att användare av IoT i hemmet kan utgöra ett hot mot sig själva om de saknar kunskap om enheterna och kännedom om potentiella hot. För att undersöka hur användarnas vanor kring säkerhet och integitet kan förbättras är det först nödvändigt att utforska de nuvarande vanorna och vad som påverkar dessa. Detta undersöks i tio intervjuer som visar att vanorna främst påverkas av bekvämlighet, motivation och ansträngningen som krävs av användaren. Utifrån dessa insikter föreslås det att fysisk interaktion används som ett komplement till digitala lösningar för att förbättra vanorna kring säkerhet och integritet. Genom att ha ett fysiskt objekt som på ett enkelt sätt kan förmedla enheternas nuvarande status och är lika tillgängligt för alla medlemmar i ett hushåll kan säkerhet och integritet bli mer uppnåeligt för alla användare, oavsett deras nivå av kunskap och erfarenhet.

The emergence of the Internet of Things (IoT) shows us that more and more devices will be connected to the internet for all types of different purposes. One of those devices, the smart plug, have been rapidly deployed because of the ease it brings users into achieving home automation by turning their previous dumb devices smart by giving them the means of controlling the devices remotely. These IoT devices that gives the user control could however poseserious security problems if their vulnerabilities were not care fully investigated and analyzed before we blindly integrate them into our everyday life. In this paper, we do a threat model and subsequent penetration testing on a smart plug system made by particular brand by exploiting its singular communication protocol and we successfully launch five attacks: a replay attack, a MCU tampering attack, a firmware attack, a sniffing attack, and a denial-of-service attack. Our results show that we can hijack the device or obtain the authentication credentials from the users by performing these attacks. We also present guidelines for securing the IoT device.<br>Framväxten av sakernas internet (IoT)visar oss att fler och fler enheter kommer att anslutas tillinternet för alla möjliga olika ändamål. En av dessa enheter, den smarta strömbrytaren har snabbt distribuerats på grund av den lätthet den ger användare att uppnå hemautomation genom att göra sina tidigare dumma enheter smarta genom att ge användarna möjligheten att fjärrstyra de olika enheterna. Dessa IoT-enheter som ger användaren kontrollkan dock utgöra allvarliga säkerhetsproblem om deras sårbarheter inte undersöks noggrant och analyseras innan vi blint integrerar dem i vår vardag. I denna uppsats gör vi försten hotmodell och sedan penetrations testar vi en smart IoT strömbrytare som säljs av ett visst välkänt varumärke genom att utnyttja det enda kommunikationsprotokollet som finns på enheten och vi lyckas framgångsrikt med fem olikaattacker: en återuppspelningsattack, en MCU manipuleringsattack, en firmware-attack, enöverlyssningsattack och överbelastningsattack. Våra resultatvisar att vi kan enkelt kapa enheten samt få autentiseringsuppgifterna från enheten genom att utföra dessa attacker. Vi presenterar också riktlinjer för att kunna säkra IoT-enheten.

<p> This dissertation addresses new challenges in the Internet of Things (IoT) related to security and privacy. The current transition from legacy internet to Internet of Things leads to multiple changes in its communication paradigms. Today's Machine to Machine (M2M) and Internet of Things architectures further accentuated this trend, not only by involving wider architectures but also by adding heterogeneity, resource capabilities inconstancy, and autonomy to once uniform and deterministic systems and the issue of scalability within a WSN. Unlike internet servers, most of IoT components are characterized by low capabilities in terms of both energy and computing resources and thus, are unable to support complex security schemes. A direct use of existing key establishment protocols to initiate connections between two IoT entities may be impractical unless both endpoints are able to run the required (expensive) cryptographic primitives, thus leaving aside a whole class of resource constrained devices. In this dissertation, we propose novel security solution approaches for key establishments designed to reduce the requirements of existing security protocols in order to be supported by resource-constrained devices and for the scalability of sensors with a WSN in contest of IoT. We have investigated the feasibility of substituting the key management scheme of ZigBee stack by implementing LEAP+ to enhance its security and scalability capabilities in a WSN. LEAP+ is surprisingly well-suited to different types of network topologies, device types, and addressing modes offered by ZigBee stack, resolving the issue of scalability due to ZigBee&rsquo;s key management centralized approach, and our experimental results and performance evaluation parameters illustrated these facts. We designed new key establishment protocols for the constrained wireless sensors to delegate their heavy cryptographic load to less constrained nodes in their neighborhood, exploiting the spatial heterogeneity of IoT nodes. Allowing cooperation between sensor nodes may open the way to a new class of threats, known as internal attacks, that conventional cryptographic mechanisms fail to deal with. This introduces the concept of trustworthiness within a cooperative group. Proposed protocols aim to track nodes behaviors and past performances to detect their trustworthiness and select reliable ones for cooperative assistance. Sensor nodes&rsquo; trustworthiness is verified by accompanying them with an accelerometer to detect whether these cooperative sensors are installed on the same body. Based on an extensive analysis and their accelerometers&rsquo; data correlations with the base station (mobile phone in this case) accelerometer data, we identify a set of neighboring devices able to provide assistance in performing heavy asymmetric computations effectively without compromising the security of the whole system. Formal security and privacy verifications and performance analyses with respect to the resource-constrained sensor&rsquo;s energy are also conducted to ensure the security effectiveness and energy efficiency of our proposed protocols. </p><p>

An increasing number of devices, from coffee makers to electric kettles, are becoming connected to the Internet. These are all a part of the Internet of Things, or IoT. Each device generates unique network traffic and power consumption patterns. Until now, there has not been a comprehensive set of data that captures these traffic and power patterns. This thesis documents how we collected 10 to 15 weeks of network traffic and power consumption data from 15 different IoT devices and provides an analysis of a subset of 6 devices. Devices including an Amazon Echo Dot, Google Home Mini, and Google Chromecast were used on a regular basis and all of their network traffic and power consumption was logged to a MySQL database. The database currently contains 64 million packets and 71 gigabytes of data and is still growing in size as more data is collected 24/7 from each device. We show that it is possible to see when users are asking their smart speaker a question or whether the lights in their home are on or off based on power consumption and network traffic from the devices. These trends can be seen even if the data being sent is encrypted.

The introduction of Physical Unclonable Functions (PUFs) and lightweight consensus algorithms to aid in the bolstering of security and privacy in both IoT and IoE does show a great deal of promise not only in these areas, but in resource cost over traditional methods of blockchain.  However, several previous studies make claims regarding performance of novel solutions without providing detailed information as to the physical components of their experiments.  This comparative study shows that Proof of Authentication (PoAh) performs the best out of three selected consensus algorithms and that the claims made regarding the performance of PUFChain and Proof of PUF-enabled Authentication (PoP) could not be replicated in this instance.

La fusion des réseaux IP avec la technologie sans fil à faible consommation d’énergie a donné naissance à l’Internet Industriel des Objets (IIoT). En raison du large échelle et de la nature dynamique de l’IIoT, la sécurité de ce réseau est d’une importance capitale. L’une des attaques les plus critiques concerne celles menées lors de la phase d’intégration de nouveaux nœuds dans un réseau IIoT. Dans cette thèse, nous concentrons notre étude sur la sécurisation de la phase d’intégration de ces réseaux.Les phases d’intégration dans l’IoT reposent sur des méthodes d’authentification mutuellebasées sur une clé prépartagée (PSK) partagée entre le coordinateur du réseau et le nœudd’intégration. La standarization manque souvent de clarifications sur le partage de PSK, cequi rend impraticable la préconfiguration de chaque appareil avec une clé unique dans lesréseaux à grande échelle et dynamiques tels que l’IIoT. Pour répondre à ces problématiques,cette thèse présente un protocole d’authentification mutuelle autonome et d’établissement declés pour les réseaux IIoT. Dans cette solution, le coordinateur du réseau authentifie d’abordle nœud d’intégration via un certificat, et réciproquement, le nœud d’intégration authentifiele coordinateur du réseau en utilisant un mécanisme de consensus léger basé sur le partagede secret de Shamir. Une fois cette authentification mutuelle accomplie, une clé est établieentre le coordinateur du réseau et le nouveau noeud sur un canal public. Notre solution a étéintégrée dans le cadre du protocole 6TiSCH, garantissant une sécurité robuste avec un tauxd’authentification élevé, même en présence de nœuds malveillants. De plus, elle s’est prouvéefficace en termes de communication, de latence et de consommation d’énergie dans diversscénarios réseau, y compris sur des appareils aux ressources limitées.De plus, lors du processus d’intégration du réseau IoT, les nœuds proxy jouent un rôle essentiel en transférant les demandes d’intégration et les réponses entre le nœud d’intégration et le coordinateur du réseau. Sécuriser cette phase est essentielle, car les nœuds proxy malveillants peuvent perturber l’intégration de nouveaux nœuds ou les rediriger vers une autre entité se faisant passer pour le coordinateur. Par conséquent, nous présentons un système robuste axé sur l’identification de nœuds proxy malveillants lors de la phase d’intégration. Ce système, centré autour du coordinateur, tient un registre des participations de chaque nœud en tant que nœud proxy. Après chaque phase d’intégration, le coordinateur reçoit un paquet chiffré de bout en bout du nœud d’intégration, détaillant les rencontres avec des nœuds proxy malveillants. Ces informations sont utilisées pour calculer le nombre de participations légitimes de nœuds proxy pour chaque nœud. Le système de détection utilise ces métriques, en conjonction avec des paramètres ajustables, pour catégoriser les nœuds comme malveillants ou dignes de confiance. De plus, notre solution prend en compte les attaques potentielles sur le processus de détection, émanant à la fois des nœuds proxy et des nœuds d’intégration<br>The fusion of IP-enabled networks with low-power wireless technology has given birth tothe Industrial Internet of Things (IIoT). Due the large scale and dynamic nature of IIoT, thesecurity of such network is of paramount importance. One of the most critical attacks arethose conducted during the joining phase of new nodes to an IIoT network. In this thesis, we focus our study on securing the joining phase of such networks.Joining phases in IoT rely on mutual authentication methods based on a pre-shared key (PSK) shared between the network coordinator and the joining node. Standardization often lacks clear PSK sharing guidelines, which in large-scale and dynamic networks like IIoT makes pre-configuring each device with a unique key impractical. To address these concerns, this thesis introduces an autonomous mutual authentication and key establishment protocol for IIoT networks. In this solution, the network coordinator first authenticates the joining node via a certificate, and reciprocally, the joining node authenticates the network coordinator using a novel and lightweight consensus mechanism based on Shamir Secret Sharing. Once this mutual authentication is accomplished, a key is established between the network coordinator and the joining node over a public channel. Our solution was integrated into the 6TiSCH framework, ensuring robust security with high authentication success, even when dealing with malicious nodes. Additionally, it proved efficient in terms of communication, latency, and energy usage across various network scenarios, even on resource-constrained devices.Moreover, during the IoT network joining process, proxy nodes play a pivotal role in forwarding Join Requests and Join Responses between the joining node and the network coordinator. Securing this phase is vital, as malicious proxy nodes can disturb new node joins or redirect them another entity impersonating the coordinator. Therefore, we present a robust system focused on identifying malicious proxy nodes during the joining phase. Centered around the coordinator, this system maintains a log table tracking each node’s participation as a proxy node. Post each joining phase, the coordinator receives an End-to-End encrypted packet from the joining node, detailing any encounters with malicious proxy nodes. This information is utilized to calculate the number of legitimate proxy node involvements for each node. The detection system utilizes these metrics, in conjunction with adjustable parameters, to categorize nodes as either malicious or trustworthy. Additionally, our solution accounts for potential attacks on the detection process, originating from both proxy nodes and joining nodes

The Internet of Things (IoT) is increasingly becoming an integral component of many applications in consumer, industrial and other areas. Notions such as smart industry, smart transport, and smart world are, in large part, enabled by IoT. At its core, the IoT is underpinned by a group of devices, such as sensors and actuators, working collaboratively to provide a required service. One of the important requirements most IoT applications are expected to satisfy is ensuring the security and privacy of users. Security is an umbrella term that encompasses notions such as confidentiality, integrity and privacy, that are typically achieved using cryptographic encryption techniques. A special form of communication common in many IoT applications is group communication, where there are two or more recipients of a given message. In or-der to encrypt a message broadcast to a group, it is required that the participating parties agree on a group key a priori. Establishing and managing a group key in IoT environments, where devices are resources-constrained and groups are dynamic, is a non-trivial problem. The problem presents unique challenges with regard to con-structing protocols from lightweight and secure primitives commensurate with the resource-constrained nature of devices and maintaining security as devices dynamically leave or join a group. This thesis presents lightweight group key management protocols proposed to address the aforementioned problem, in a widely adopted model of a generic IoT network consisting of a gateway with reasonable computational power and a set of resource-constrained nodes. The aim of the group key management protocols is to enable the gateway and the set of resource-constrained devices to establish and manage a group key, which is then used to encrypt group messages. The main problems the protocols attempt to solve are establishing a group key among participating IoT devices in a secure and computationally feasible manner; enabling additionor removal of a device to the group in a security preserving manner; and enabling generation of a group session key in an efficient manner without re-running the protocol from scratch. The main challenge in designing such protocols is ensuring that the computations that a given IoT device performs as part of participating in the protocol are computationally feasible during initial group establishment, group keyupdate, and adding or removing a node from the group. The work presented in this thesis shows that the challenge can be overcome by designing protocols from lightweight cryptographic primitives. Specifically, protocols that exploit the lightweight nature of crypto-systems based on elliptic curves and the perfect secrecy of the One Time Pad (OTP) are presented. The protocols are designed in such a way that a resource-constrained member node performs a constant number of computationally easy computations during all stages of the group key management process. To demonstrate that the protocols are practically feasible, implementation resultof one of the protocols is also presented, showing that the protocol outperforms similar state-of-the-art protocols with regard to energy consumption, execution time, memory usage and number of messages generated.<br><p>Vid tidpunkten för framläggningen av avhandlingen var följande delarbete opublicerat: delarbete 3 (manuskript).</p><p>At the time of the defence the following paper was unpublished: paper 3 (manuscript).</p><br>SMART (Smarta system och tjänster för ett effektivt och innovativt samhälle)

Internetuppkopplade apparater blir allt vanligare att se i våra hem. Samlingsordet för dessa enheter är Internet of Things (IOT). Med införande av IoT i våra hem skapas fler accesspunkter till internet, vilket även skapar en större attackyta. I kombinationmed den ständigt växande cyberkriminalliteten och införandet av IoT i våra hem ökar risken för att utsättas för en attack. Tidigare forskning inom området gällande konsumenters informationssäkerhetsmedvetenhet visar att konsumenterna har låg medvetenhet och bristande kunskaper för de hot som tillkommer vid integrationen av en IoT-enhet ihemmet. Det finns även tidigare forskning som undersökt vilka faktorer som påverkar individernas inställning till att anta ny teknologi. Mycket av den tidigare forskningen inom området har fokuserat på de tekniska aspekterna och fokuset har inte varit på konsumenternas informationssäkerhetsmedvetenhet och deras inställning till den ökande integrationen av IoT. Den här studien syftade till att undersöka svenska konsumenters informationssäkerhetsmedvetenhet och deras inställning till den ökande integrationen av IoT. Studien avsåg att undersöka hur medvetna konsumenterna är för de informationssäkerhetsrisker som tillkommer vid integreringen av IoT i hemmet i kombination med att undersöka deras syn på den ökade integrationen av IoT ivardagen. Studien har fokuserat på två olika enheter. Dessa enheter genererar data via ljudupptagning samt videoinspelning. En kvantitativ metod med en enkätundersökning tillämpades för att se ifall den låga kunskapen hos respondenter fanns, men även för att lättare nå ut till fler respondenter. För att förstå konsumenternas beteende utformades enkätfrågorna utifrån den allmänt tillämpade beteendemodellen Theory of planned behavior (TPB). Studien fann att majoriteten av respondenterna hade en låg medvetenhet för de risker som tillkommer med integreringen av IoT-enheter, samt låga kunskap för de säkerhetsåtgärder som går att implementera. Trots den låga medvetenheten för riskerna visade det sig att respondenterna hade en mycket positiv inställning till den ökade integrationen av IoT och att de funderar på att införskaffa fler IoT-enheter.<br>Internet-connected devices are becoming more common to see in our homes. The collective word for these devices is Internet of Things (IoT). With the introduction of IoT in our homes, more access points to the internet are created, which also creates alarger attack area. Combined with the ever-growing cybercrime and the introduction of IoT in our homes, the risk of being attacked increases. Previous research in the field of consumer information security awareness shows that consumers have low awareness, and lack of knowledge about the threats posed by the integration of an IoT device in the home. Previous research has examined the factors that influence individuals attitudes towards adopting new technology. Much of the previous research in the field has focused on the technical aspects and the focus has not been on consumers information security awareness and their attitude to the increasing integration of IoT. This study aimed to examine Swedish consumers' information security awareness and their attitude towards the increasing integration of IoT. The study aimed to examine how aware consumers are of the information security risks that arise from the integration of IoT in the home in combination with examining their stand on the increased integration of IoT in their everyday life. The study has focused on two specific IoT-devices. These devices generate data via audio recording and video recording. A quantitative method with a survey was applied to examine how aware the consumers where of the information security risks, but also to be able to include more respondents in the study. To understand consumer behavior, the questionnaires were designed based on the generally applied behavioral model Theory of plannedbehavior (TPB).The study found that the majority of respondents had a low awareness of the risks involved with the integration of IoT devices, as well as low knowledge of the security measures that can be implemented. Despite the low awareness of the risks, it turnedout that the respondents had a very positive attitude towards the increased integrationof IoT, and that they also are considering acquiring more IoT devices.

The Internet of Things is a growing area with growing security concerns, new threat emerge almost everyday. Keeping up to date, monitor the network and devices and responding to compromised devices and networks are a hard and complex matters.  This bachelor’s thesis aims to discover how a IT-company can work with security management within the Internet of Things, this is done by looking into how a IT-company can work with updating, monitoring and responding within the Internet of Things, as well what challenges there are with working with this.  A qualitative research approach was used for this case study along with an interpretative perspective, as well as abductive reasoning. Interviews were performed with employees of a large IT-company based in Sweden, along with extensive document analysis.  Our bachelor’s thesis results in challenges with Security Management within the areas updating, monitoring and responding along with how our Case Company works with these security challenges. Largely these challenges can be summarized that everything is harder with the number of devices there are within the Internet of Things<br>Internet of Things eller Sakernas internet är ett växande område med en växande hotbild och nya hot uppkommer dagligen. Att hålla sig uppdaterad, övervaka nätverk och enheter samt att reagera på att enheter och nätverk blir hackade är en svår och komplicerad uppgift. Den här uppsatsen ämnar undersöka hur ett IT-företag kan arbeta med säkerhetshantering inom Internet of Things. Detta har gjorts genom att kolla utmaningar och säkerhetslösningar inom de tre områdena uppdatera, övervaka och reagera.  En kvalitativ forskningsmetod har använts i denna fallstudie tillsammans med ett tolkande synsätt och en abduktiv ansats. Vi har utfört intervjuer på ett stort IT-företag baserat i Sverige tillsammans med en utförlig dokumentanalys.  Resultatet av denna uppsats påvisar ett antal utmaningar inom säkerhetshanteringen inom områdena uppdatera, övervaka och reagera tillsammans med hur vårt fallföretag jobbar med att motarbeta dessa utmaningar. I stort sett kan utmaningarna sammanfattas till att allting är svårare när mängden enheten är så hög som den är inom Internet of Things.

With the ever increasing number of Internet of Things devices going out on the market for consumers that are Zigbee certified there is a need for security testing. This is to make sure that security standards are upheld and improved upon in order to make sure networks are protected from unauthorized users. Even though a lot of research and testing has been done on the Zigbee key exchange mechanism, called Zigbee commissioning, improvements have still not been enough with severe vulnerabilities in consumer grade devices still existing today. The devices tested in this study use EZ-mode commissioning in order to exchange the network key between a Zigbee coordinator and a Zigbee end device in order to encrypt later communication after being paired.  By using a simple radio receiver and a packet capturing program such as Wireshark an eavesdropping attack was conducted in order to capture the network key. The experiment demonstrates that this is still a weak point as the network key was successfully captured using eavesdropping. The analysis of the results show that previous criticisms of Zigbee commissioning have still not fully been addressed and can be a potential weak point in networks that use Zigbee certified IoT products.

The diploma thesis deals with the implementation of own design of an electronic security system with the possibility of extension with the elements of home automation. The control panel is built using the Raspberry Pi3 B+ with a touch screen that communicates with the sensors using Bluetooth Low Energy technology.

The Internet of Things (IoT) paradigm is gradually populating the world with billions of interconnected smart devices, which are rapidly spreading in different domains. These devices range from tiny wearables to larger interconnected industrial devices, and are used for very different purposes, e.g., building automation, physical access control, or healthcare. As IoT is penetrating in every domain of our life, and in particular in safety and privacy critical domains such as automotive or healthcare, security and privacy become extremely important concerns. This dissertation analyzes emerging security and privacy challenges in different IoT services, and presents targeted solutions to mitigate potential threats. The content of this thesis is composed of three main parts: (1) an introduction of the Attribute-Based Encryption (ABE) cryptographic tool, and an assessment of its performance on IoT devices; (2) the design of secure management solution services for large scale IoT deployments; and (3) the design of privacy-enhanced IoT services. The first part of this dissertation provides an introduction of ABE, and presents a comprehensive evaluation of its performance on popular low cost IoT-enabling boards. ABE is a novel and expressive cryptographic tool that allows a data owner to (cryptographically) enforce access control on a piece of data, specifying the required attributes to decrypt it. Thanks to its high-level and expressive set of functionalities, ABE has been used in several security enhancing IoT services in the literature, as well as in two solutions we later present in this thesis. Our evaluation aims at providing researchers and practitioners with a tool to estimate costs and trade-offs of using ABE in novel IoT solutions. The second part of this dissertation focuses on secure device management, and in particular looks at two fundamental management sub-tasks: software updates distribution for IoT devices, and software integrity assessment of large scale IoT deployments. We consider a scenario where a management entity communicates with a network of IoT devices through a (potentially untrusted) intermediate distribution infrastructure; such infrastructure provides in-network data aggregation and caching, to facilitate data collection (many-to-one) and distribution (one-to-many). In the realistic case where this intermediate infrastructure can be compromised, providing scalable and secure management becomes a challenging task: the management entity cannot rely on the intermediate network to correctly aggregate the data it collects; or to respect the confidentiality and integrity of the transmitted data. For this reason, we present our protocol for one-to-many software updates distribution, which provides both updates end-to-end integrity and confidentiality using ABE as a building block. We describe our design on top of the Named-Data Networking protocol, a data-centric network protocol that provides request aggregation and pervasive caching at the network level. Then, we present our secure collective attestation protocol, which allows to securely collect and aggregate attestation proofs from end devices, this way reducing the complexity of the assessment at the management server side, even in presence of an untrusted aggregation network. The third and final part of this dissertation presents privacy-enhancing solutions for three relevant IoT scenarios: Location-Based Services (LBS), Advanced Metering Infrastructure (AMI), and decentralized multi-agent systems. In a LBS, mobile users share their location with a LBS Provider (LBSP) in order to obtain location information, such as the position of the closest hospital, movie theater, etc. In this scenario, users' privacy may be at risk--LBSP can track or identify users based on their location. We present a collaborative solution for mobile users that guarantees users' anonymity in LBS, and that gives users flexibility in selecting the desired anonymity degree. Another privacy sensitive domain is AMI, an infrastructure in modern Smart Grids that allows a management entity to collect fine-grained measurements from Smart Meter devices. Unfortunately, metering data collection in an AMI may turn into a privacy nightmare for users: researchers showed how the detailed energy consumption data from private houses (collected by smart energy meters) can reveal privacy sensitive information, such as user physical presence, or even the appliances in use, at a given point in time. We propose a solution to tackle this problem, which provides anonymous and scalable metering data collection under realistic security assumptions. Finally, we look at privacy-preserving decentralized information fusion in a multi-agent system. In this scenario, interconnected IoT devices collaboratively combine multiple local measurements into a unique value without the need for them to share their local measurements in clear; the final goal is to derive a binary decision, e.g., if the final value is above or below a threshold. We propose the design of a privacy-preserving protocol for information fusion in a decentralized semi-trusted setting. Our protocol leverages additive blinding and proxy re-encryption as building blocks to privately reach a consensus, and garbled circuit to perform a binary decision step.<br>Il paradigma Internet of Things (IoT) sta popolando il mondo di milioni di dispositivi "smart" interconnessi tra loro, e in continua espansione in domini diversi. I dispositivi IoT variano da oggetti di piccole dimensioni, come i cosiddetti "wearables", a dispositivi industriali, e sono utilizzati per scopi diversi, per esempio automazione di edifici, controllo di accesso, o in ambito sanitario. Dato il grado di diffusione di IoT in vari aspetti delle nostre vite, ed in particolare in ambienti critici, come nel settore automobilistico o nel campo sanitario, diviene fondamentale progettare sistemi e servizi che garantiscano la sicurezza e la privacy degli utenti. Questa tesi analizza problematiche relative a sicurezza e privacy in diversi servizi IoT, e presenta soluzioni ad-hoc per mitigare potenziali minacce. Il contenuto della tesi è suddiviso in tre parti: (1) una introduzione dell'algoritmo di crittografia Attribute-Based Encryption (ABE), e un'analisi delle sue performance su dispositivi IoT; (2) la progettazione di soluzioni scalabili e sicure per la gestione e il controllo di sistemi IoT su larga scala; e (3) la progettazione di servizi IoT "privacy-friendly'. La prima parte di questa tesi introduce ABE, e presenta una valutazione delle sue performance su popolari dispositivi a basso costo e con ridotte capacità di calcolo, tipici del mondo IoT. ABE è un algoritmo di crittografia a chiave pubblica che permette di applicare (crittograficamente) politiche di controllo di accessi sui dati, specificando gli "attributi" che un utente deve avere per decifrarli. Grazie alla sua espressività e alle sue funzionalità, ABE è stato utilizzato sia in molti servizi IoT proposti in letteratura, che in due soluzioni che verranno introdotte nella tesi. La nostra valutazione sperimentale ha come obiettivo quello fornire mezzi per stimare a priori il costo, ed eventuali trade-off, derivanti dall'utilizzo di ABE. La seconda parte della tesi si focalizza sulla gestione e il controllo di dispositivi IoT in sistemi di larghe dimensioni. In particolare, questa parte presenta il nostro contributo nella risoluzione di due sottoproblemi: la distribuzione sicura di aggiornamenti software, e la valutazione dell'integrità del software in esecuzione nei dispositivi. Consideriamo uno scenario dove un'entità di controllo comunica con una rete di dispositivi IoT di larghe dimensioni tramite una rete di distribuzione intermedia "inaffidabile"; questa infrastruttura intermedia applica tecniche di caching e aggregazione dati con lo scopo di facilitare la distribuzione di contenuti (uno-a-molti) e la raccolta di dati dai dispositivi (molti-a-uno). In scenari realistici, questa infrastruttura può essere compromessa e/o controllata da attaccanti, e ció rende le attività di gestione e controllo dei dispositivi particolarmente complesse: l'entità di controllo non può infatti affidarsi completamente all'infrastruttura intermedia, ne per quanto riguarda l'aggregazione, ne per il mantenimento della confidenzialità e l'integrità dei dati distribuiti. Per questo motivo, in questa parte della tesi descriviamo prima il nostro protocollo per la distribuzioni di aggiornamenti software, il quale mantenendone confidenzialità e integrità sfruttando ABE; il design del protocollo viene presentato sopra a Named-Data Networking, un protocollo di rete di tipo "data centric" che fornisce nativamente aggregazione dati e caching a livello rete. Presentiamo poi il design di un protocollo per la verifica collettiva di una rete di dispositivi IoT. Il protocollo prevede la raccolta e l'aggregazione di prove di integrità del software da dispositivi IoT, e garantisce allo stesso tempo una ridotta complessità di processing lato entità di controllo, e l'integrità delle prove raccolte. La terza e ultima parte della tesi presenta soluzioni che forniscono garanzie di privacy in tre importanti servizi legati a IoT, e in particolare in servizi basati su: localizzazione (Location-Based Services, LBS), misurazione avanzata in ambito Smart Grid (noti come Advanced Metering Infrastructure, AMI), e comunicazione decentralizzata in sistemi muli-agente. Nei servizi LBS, gli utenti mobili condividono la loro posizione geografica con dei provider, i quali forniscono informazioni legate ad essa, come ad esempio l'ospedale, ristorante, o cinema, più vicini alla posizione dell'utente. Servizi di questo tipo possono rappresentare una minaccia per la privacy degli utenti: un provider può infatti tracciare o acquisire informazioni sensibili sugli utenti, in base alla loro posizione. Per ovviare a questo problema, presentiamo un protocollo che permette agli utenti di usufruire di tali servizi mantenendo l'anonimato. Il protocollo presentato funziona in modo collaborativo, e permette agli utenti di inviare richieste definendo il grado di privacy desiderato. Il secondo servizio considerato è quello di misurazione avanzata (AMI) fornito dalle moderne reti Smart Grid. Questo servizio permette ai gestori di energia elettrica di raccogliere misurazioni frequenti del consumo elettrico da dispositivi intelligenti denominati Smart Meters, per motivi di monitoraggio e/o controllo. Purtroppo, an- che questo servizio rappresenta una minaccia per la privacy gli utenti finali: infatti, ricercatori hanno dimostrato come le informazioni sul consumo energetico possano essere utilizzate in modo malevolo per inferire informazioni sensibili, come la presenza fisica di un utente in casa, o il tipo di elettrodomestici che utilizza. Presentiamo la nostra soluzione a questo problema, la quale permette allo stesso tempo agli utenti di condividere misurazioni in modo anonimo, e al gestore di energia elettrica di effettuare agevolmente la raccolta dei dati di consumo. Infine, in questa parte della tesi presentiamo la nostra soluzione per garantire "private information fusion" in servizi basati su sistemi multi-agente. In tali sistemi, dispositivi IoT (agenti) interconnessi tra loro spesso necessitano di combinare osservazioni locali per ottenere un unico valore, ed effettuare una decisione binaria (per esempio, decidere se un valore combinato di temperatura è inferiore ad una soglia data). L'obiettivo è quello di permettere ai vari dispositivi di effettuare tale "fusione", senza dover condividere le loro misurazioni locali in chiaro. La soluzione presentata in questa tesi permette ai dispositivi di raggiungere un consenso in modo decentralizzato, e in presenza di dispositivo "semi-trusted", utilizzando come building block additive blinding e proxy re-encryption, per raggiungere un consenso, mentre garbled circuit per effettuare lo step finale di decisione.

A future Internet of Things (IoT) system will consist of a huge quantity of heterogeneous IoT devices, each capable of providing services upon request. It is of utmost importance for an IoT device to know if another IoT service is trustworthy when requesting it to provide a service. In this dissertation research, we develop trust-based service management techniques applicable to distributed, centralized, and hybrid IoT environments. For distributed IoT systems, we develop a trust protocol called Adaptive IoT Trust. The novelty lies in the use of distributed collaborating filtering to select trust feedback from owners of IoT nodes sharing similar social interests. We develop a novel adaptive filtering technique to adjust trust protocol parameters dynamically to minimize trust estimation bias and maximize application performance. Our adaptive IoT trust protocol is scalable to large IoT systems in terms of storage and computational costs. We perform a comparative analysis of our adaptive IoT trust protocol against contemporary IoT trust protocols to demonstrate the effectiveness of our adaptive IoT trust protocol. For centralized or hybrid cloud-based IoT systems, we propose the notion of Trust as a Service (TaaS), allowing an IoT device to query the service trustworthiness of another IoT device and also report its service experiences to the cloud. TaaS preserves the notion that trust is subjective despite the fact that trust computation is performed by the cloud. We use social similarity for filtering recommendations and dynamic weighted sum to combine self-observations and recommendations to minimize trust bias and convergence time against opportunistic service and false recommendation attacks. For large-scale IoT cloud systems, we develop a scalable trust management protocol called IoT-TaaS to realize TaaS. For hybrid IoT systems, we develop a new 3-layer hierarchical cloud structure for integrated mobility, service, and trust management. This architecture supports scalability, reconfigurability, fault tolerance, and resiliency against cloud node failure and network disconnection. We develop a trust protocol called IoT-HiTrust leveraging this 3-layer hierarchical structure to realize TaaS. We validate our trust-based IoT service management techniques developed with real-world IoT applications, including smart city air pollution detection, augmented map travel assistance, and travel planning, and demonstrate that our trust-based IoT service management techniques outperform contemporary non-trusted and trust-based IoT service management solutions.<br>Ph. D.

Urban expansion is a key driving force of our modern world. Increasing environmental footprint is an example issue that is directly caused by it. The city of St. Petersburg employs on average almost 500 garbage trucks on a daily basis and spends more than 1 million US Dollars every year to collect, process and manage waste. In order for megacities, such as St. Petersburg, to cope with its effects, new ideas are needed. This seems to be an obvious area in which technology can be used to improve current practices and help save resources. In this study, we investigate how the Internet of Things, blockchain and Quantum Key Distribution systems can be integrated to provide a safe and efficient method for improving the waste management process in the context of Smart City projects. Our implemented simulations in Mininet show that there are some clear challenges with regards to the adoption of blockchain technology in an IoT environment. However, the integration of quantum channels and the use of Quantum Key Distribution within the blockchain infrastructure shows good potential for balancing the advantages and disadvantages of blockchain. With the implemented simulations we demonstrate the superior capabilities of the Proof of Infrastructure blockchain solution, which can facilitate secure transactions within the waste management scenario.

Internet of things (IoT) is growing at a phenomenal speed and outpacing all the technological revolutions that occurred in the past. Together with window of opportunity it also poses quite a few challenges. One of the most important and unresolved challenge is vulnerability in security and privacy in IoT. This is mainly due to lack of a global decentralized standard even though characteristically IoT is based on distributed systems. Due to lack of standard IoT has interoperability issue between different devices and platform suppliers which implicitly creates need of reliance on the suppliers as they store and control user data. There is no decentralized industry wide solution which can offer the control of user data and security back to the user. While experts in IoT are still wondering on solving the challenge, a new Block chain technology has surfaced in past few years and showed signs of disruptive innovation in financial industry. This technology is decentralized, secure and private. Let alone information, block chain innovation has proven to keep assets secure. Recently few forms of block chains have emerged. This research will focus on analyzing the innovative block chain technology, their characteristics specifically the types of block chain to address the privacy and security challenges of IoT. Research proposes a new concept of hybrid block chain as a solution to IoT security and privacy problem.

Cela fait dix ans que la technologie blockchain a été créée. Cet amalgame de cryptographie et d'application peer to peer apporte de nombreuses innovations et services de sécurité au-delà des services financiers aux systèmes d'information ordinaires et offre de nouveaux cas d'utilisation pour les applications distribuées dans le contexte industriel. Pendant ce temps,l'IoT est devenu proéminent dans l'industrie comme la future révolution industrielle apportant de nouvelles applications mais ouvrant la voie à des vulnérabilités de sécurité. Au cours de cette thèse, nous avons exploré les principaux problèmes auxquels est confronté l'Internet des objets. Nous avons étudié comment les fournisseurs de plates-formes IIOT abordent ces défis en comparant les mesures qu'ils ont mises en oeuvre avec les recommandations de l'UIT en utilisant le processus analytique hiérarchique (AHP). Cette étude nous a permis d'identifier les domaines d'amélioration et les cas d'utilisation de la blockchain. La gestion des identités est un problème récurrent dans la littérature IIoT, nous proposons une approche de gestion des identités pour les systèmes distribués assistés par blockchain afin de garantir l'unicité des identités et l'intégrité de l'annuaire. Sur la base de ce travail, nous avons développé un système de distribution et de validation des mises à jour de micrologiciel sécurisé par blockchain et l'algorithme de machine learning Locality sensitive hashing (LSH)<br>It's been ten years since blockchain technology was created. This amalgam of cryptography and peer-to-peer application brings many innovations and securities services beyond financial services to regular information systems and offers new use cases for distributed applications in industrial context. Meanwhile, IoT became prominent in the industry as the future industrial revolution, bringing new applications but paving the way for security vulnerabilities. During this thesis, we explored the main issues facing the Internet of Things. We studied how IIoT platform providers address these challenges by comparing the measures they have implemented with the ITU recommendations using the Analytic Hierarchical Process (AHP). This study allowed us to identify areas of improvement and use cases for the blockchain. Identity management is a recurring problem in the IIoT literature, and we propose an identity management approach for distributed systems assisted by blockchain to guarantee the uniqueness of identities and the integrity of the directory. From this work, we have developed a blockchain-secured firmware update distribution and validation system using the machine learning algorithm Locality Sensitive Hashing (LSH)

IoT is a rapidly growing area with products in the consumer, commercial and industrial market. Collecting data with multiple small and often battery-powered devices sets new challenges for both security and communication. There has been a distinct lack of a IoT specific communication protocols. The industry has had to use bulky interfaces not suitable for resource-constrained devices. MQTT is a standardised communication protocol made for the IoT industry. MQTT does however not have built-in security and it is up to the developers to implement a suitable security countermeasure. To evaluate how different security countermeasures impact MQTT in complexity, current consumption and security the following research questions are answered. How do you derive a measurement from the SEF that can be compared with a current consumption measurement? Which level of security, according to the SEF, will RSA, AES and TLS provide to MQTT when publishing a message to a broker? What level of complexity is added to MQTT when using chosen security countermeasure? Which of the analysed security countermeasure upholds an adequate security level while also having a low current consumption? To answer the above research questions an experiment approach has been used. Implementations of TLS, RSA and AES have been evaluated to measure how they affect the security level and current consumption of an MQTT publication, compared to no security countermeasures at all.Both RSA and AES had the same security level, but the current consumption for RSA was four times higher. The experiment showed that the security level is significantly higher for TLS, while it also has the highest current consumption. The security countermeasure evaluated differs greatly. TLS provides complete protections, while RSA and AES lacks authentication and does not ensure integrity and non-repudiation.Even if the current consumption for TLS is higher, the security it provides make it unreasonable to recommend any of the other security countermeasure implementations.

Data security plays a central role in the design of Internet of Things (IoT). Since most of the "things" in IoT are embedded computing devices it is appropriate to talk about cryptography in embedded of systems. This kind of devices is based on microcontrollers, which have limited resources (processing power, memory, storage, and energy). Therefore, we can apply only lightweight cryptography. The goal of this work is to find the optimal cryptographic solution for IoT devices. It is expected that perception of this solution would be useful for implementation on “limited” devices. In this study, we investigate which lightweight algorithm is better to implement. Also, how we can combine two different algorithms in a hybrid scheme and modify this scheme due to data sending scenario. Compendex, Inspec, IEEE Xplore, ACM Digital Library, and Springer Link databases are used to conduct a comprehensive literature review. Experimental work adopted in this study involves implementations, measurements, and observations from the results. The experimental research covers implementations of different algorithms and experimental hybrid scheme, which includes additional function. Results show the performance of the considered algorithms and proposed hybrid scheme. According to our results, security solutions for IoT have to utilize algorithms, which have good performance. The combination of symmetric and asymmetric algorithms in the hybrid scheme can be a solution, which provides the main security requirements: confidentiality, integrity, and authenticity. Adaptation of this scheme to the possible IoT scenarios shows the results acceptable for implementation due to limited resources of hardware.

Many conventional forms of communication technology, such as Wi-Fi, 3G/4G or cable, require a lot of power. For battery powered devices that need to last a long time on a single charge, one alternative is the low-power, long range technology LoRaWAN. This thesis tries to answer the question how well do the properties of LoRaWAN meet the requirements for a battery powered security solution? Two identical prototype remote motion detectors were implemented for this purpose. The results show that while the prototypes do not meet the requirements for energy efficiency, LoRaWAN as a technology easily does. The results shows that if a solution to the reliability issues can be found, LoRaWAN would be well suited for battery powered security solutions.<br>Många vanliga teknologier som används för kommunikation, så som Wi-Fi, 3G/4G eller fiber, kan vara väldigt strömkrävande. Ett alternativ för batteridrivna enheter som behöver kunna klara sig på en laddning under lång tid, är att använda en lågenergiteknologi med lång räckvidd LoRaWAN. Den här rapporten försöker att besvara frågan om hur väl LoRaWANs egenskaper tillgodoser de krav som ställs på batteridrivna säkerhetslösningar. För detta ändamål utvecklades två identiska prototyper av en batteridriven rörelsesensor. Resultaten visar på att även om prototyperna inte möter energikonsumptionskraven, så gör själva LoRaWAN-tekniken detta. Resultaten visar att om man kan hitta lösningar på problemen med pålitligheten hos LoRaWAN, så kan LoRaWAN mycket väl vara lämpligt för batteridrivna säkerhetslösningar.

The Internet of things (IoT) is a technology that will enable machine-to-machine communication and eventually set the stage for self-driving cars, smart cities, and remote care for patients. However, some barriers that organizations face prevent them from the adoption of IoT. The purpose of this qualitative exploratory case study was to explore strategies that organization information technology (IT) leaders use for security, privacy, and reliability to enable the adoption of IoT devices. The study population included organization IT leaders who had knowledge or perceptions of security, privacy, and reliability strategies to adopt IoT at an organization in the eastern region of the United States. The diffusion of innovations theory, developed by Rogers, was used as the conceptual framework for the study. The data collection process included interviews with organization IT leaders (n = 8) and company documents and procedures (n = 15). Coding from the interviews and member checking were triangulated with company documents to produce major themes. Through methodological triangulation, 4 major themes emerged during my analysis: securing IoT devices is critical for IoT adoption, separating private and confidential data from analytical data, focusing on customer satisfaction goes beyond reliability, and using IoT to retrofit products. The findings from this study may benefit organization IT leaders by enhancing their security, privacy, and reliability practices and better protect their organization's data. Improved data security practices may contribute to social change by reducing risk in security and privacy vulnerabilities while also contributing to new knowledge and insights that may lead to new discoveries such as a cure for a disease.

Internet of things (IoT) devices are becoming more prevalent. Due to a rapidly growing market of these appliances, improper security measures lead to an expanding range of attacks. There is a devoir of testing and securing these devices to contribute to a more sustainable society. This thesis has evaluated the security of an IoT-refrigerator by using ethical hacking, where a threat model was produced to identify vulnerabilities. Penetration tests were performed based on the threat model. The results from the penetration tests did not find any exploitable vulnerabilities. The conclusion from evaluating the security of this Samsung refrigerator can say the product is secure and contributes to a connected, secure, and sustainable society.<br>Internet of Things (IoT) enheter blir mer allmänt förekommande. På grund av en snabbt expanderande marknad av dessa apparater, har bristfälliga säkerhetsåtgärder resulterat till en mängd olika attacker. Det finns ett behov att testa dessa enheter for att bidra till ett mer säkert och hållbart samhälle. Denna avhandling har utvärderat säkerheten av ett IoT-kylskåp genom att producera en hot modell för att identifiera sårbarheter. Penetrationstester har utförts på enheten, baserade på hot modellen. Resultatet av penetrationstesterna hittade inga utnyttjningsbara sårbarheter. Slutsatsen från utvärderingen av säkerheten på Samsung-kylskåpet är att produkten är säker och bidrar till ett uppkopplat, säkert, och hållbart samhälle.

I dagens samhälle går den tekniska utvecklingen fort framåt. Artificiell intelligens och Internet of Things är två tekniker inom utvecklingen vars popularitet har ökat på senare tid. Dessa tekniker i integration har visat sig kunna bidra med stora verksamhetsnyttor, bland annat i form av ökad precishet vad gäller analyser, bättre kundvärde och effektivisering av ”downtime”. Med ny teknik kommer även utmaningar. I takt med att teknologierna ständigt växer uppstår frågor kring säkerhet och etik och hur detta ska hanteras. Målet med denna studien var att ta reda på hur experter värderar etiska frågor när artificiell intelligens används i kombination med Internet of Things-enheter. Vi fokuserade på följande forskningsfråga för att nå vårt mål: Hur värderas frågor om etik när artificiell intelligens används i kombination med Internet of Things? Resultatet vi kom fram till visar att både forskare och näringslivet värderar de etiska aspekterna högt. Studien visar även att de ansåg att teknikerna kan vara lösningen till många samhällsproblem men att etiken bör vara ett ämne som löpande bör diskuteras.<br>In today's society, technological developments are moving fast. Artificial intelligence and the Internet of Things are two technologies within the development whose popularity has increased in recent years. These technologies in integration have proven to be able to contribute with major business benefits, including in the form of increased precision with regard to analyzes, better customer value and efficiency of downtime. New technology also presents challenges. As the technologies are constantly growing, issues arise regarding safety and ethics and how this should be managed. The aim of this study is to find out how experts value ethical issues when using artificial intelligence in combination with the Internet of Things devices. We focused on the following research question to reach our goal: How are ethical issues evaluated when using artificial intelligence in combination with the Internet of Things? The result we found shows that both researchers and the business world value the ethical aspects highly. The study also shows that they considered the techniques to be the solution to many societal problems, but that ethics should be a topic that should be discussed on an ongoing basis.

Embedded systems have been present in our daily lives for some time, but trends clearly show a rise in inter-connectivity in such devices. This presents promising new applications and possibilities, but also opens up a lot attack surface. Our goal in this thesis is to find out how you can develop such interconnected embedded systems in a way that guarantees the three major components of information security: Confidentialy, Integrity and Availability. The main focus of security is networked security. In this thesis, a dual approach is taken: investigate the development process of building secure systems, and perform such an implementation. The artifacts produced as byproducts, the software itself, deployment instructions and lessons learned are all presented. It is shown that the process used helps businesses find a somewhat deterministic approach to security, have a higher level of confidence, helps justify the costs that security work entails and helps in seeing security as a business decision. Embedded systems were also shown to present unforeseen obstacles, such as how the lack of a motherboard battery clashes with X.509. In the end, a discussion is made about how far the system can guarantee information security, what problems still exist and what could be done to mitigate them.

Da qualche anno si sta affermando nel mondo dell'informatica il trend Internet of Things, che fa riferimento alla possibilità di andare a connettere in rete oggetti dotati di caratteristiche minime per essere indirizzabili, andando potenzialmente a modificare tanti aspetti nella vita di tutti i giorni. La sfida più abilitante per questo trend si gioca sul campo della sicurezza, dei dati e dei dispositivi fisici. La sicurezza delle cose (Safety) e la sicurezza delle reti(Security) per la prima volta nella storia dell’informatica diventano la stessa cosa, con l’amplificazione della gravità delle conseguenze di una violazione. L’obiettivo di questo lavoro di Tesi è stato definire un flusso progettuale per andare a valutare le possibilità di una particolare tecnica di sicurezza applicata ad un prototipo IoT, cercando di capire se attraverso questa tecnica è possibile proporre una soluzione alla problematica della sicurezza in IoT. Nel primo capitolo viene introdotto il trend IoT, i possibili domini di applicazione e il problema della sicurezza come fattore abilitante di questo trend. Nel secondo capitolo verrà presentata l’architettura di riferimento IoT general-purpose e i vari scenari di attacco a questa architettura; verranno inoltre presentati i protocolli di comunicazione utilizzati in IoT, in particolar modo concentrandosi sullo stato dell’arte del Bluetooth Low Energy, e si illustrerà infine la metodologia Agile e in che maniera affrontare un’integrazione della sicurezza nell’ ecosistema di lavoro. Nel terzo capitolo verrà applicata la metodologia in questione su un prototipo IoT aziendale come caso di studio specifico: verrà analizzata, progettata, realizzata e mantenuta una soluzione di sicurezza, motivando a fondo ogni scelta di progettazione, integrandola infine attraverso degli spunti con analitiche di Machine Learning e di gestione di Big Data; verrano valutate poi le conclusioni e i risultati di questa metodologia nella sua applicazione pratica.

Denna undersökning har granskat det problem som uppstår i samband med den snabba utvecklingen utav Internet of Things där de lågenergienheter saknar kraft för att utföra avancerade säkerhetslösningar. På grund av den låga säkerheten och växande användningsområdet så har Internet of Things enheterna blivit ett lockande mål för eventuella attacker. Den systematiska litteraturanalysen har genomförts genom att granska tidigare mer detaljerade analyser av protokollen och dess säkerhet samt utvecklarnas specifikationer. Detta för att bland annat skapa en sammanfattning utav protokollens säkerhet men också för att sedan jämföra protokollen för att kunna ta fram det säkrare protokollet för hemanvändning. Alla protokoll som tas upp har någon form av säkerhet implementerad för att förse med autentisering i form av MAC (i vissa fall HMAC), nyckelhantering, integritet i form av MIC och kommunikationssäkerhet med kryptering. Alla protokoll har stöd för AES-128 kryptering samt användning av IEEE 802.15.4 säkerhetsserie som ytterligare skydd utöver protokollens egna lösningar. Flertalen av protokollen använder sig också av Elleptic Curve för att säkert transportera nycklar. Analysens slutsats visar att Thread och Z-Wave anses som de två säkraste protokollen för hemmaanvändning. Det baserat på hur protokollen hanterar de olika aspekterna med sin märkbara prioritering av säkerhet tillsammans med det få antalet brister som kan skada det smarta hemmet. Bluetooth Low Energy och EnOcean är de två mindre säkra gällande en IoT miljö. Undersökningen tar också med en diskussion kring olika områden som dykt upp under undersökningens gång. Slutligen tas några punkter som dök upp under granskningen som kan vara bra att tänka på vid utveckling av dessa protokoll men säkerhet i tanken.<br>This study has examined the problems that arise in connection with the rapid development of the Internet of Things, where the low-energy units lack the power to implement advanced security solutions. Due to the low security and growing area of use, the Internet of Things units have become an attractive target for any attacks. The systematic literature analysis has been carried out by reviewing previously more detailed analyzes of the protocols and their security as well as the developers' specifications. This is to create a wide summary of the security of the protocols and then to compare the protocols to select one or more as the safer protocol for home use. All protocols that are included have some form of security implemented to provide authentication in the form of MAC, key management, integrity in the form of MIC and communication security with encryption. All protocols support AES-128 encryption and the use of IEEE 802.15.4 security suit as additional protection in addition to the protocol's own solutions. The majority of protocols also use Elleptic Curve to safely transport keys. The analysis concludes that Thread and Z-Wave are considered the two most secure home use protocols. It is based on how the protocols handle the various aspects with their noticeable prioritization of security along with the few deficiencies that can damage the smart home. Bluetooth Low Energy and EnOcean are thetwo less secure regarding an IoT environment. The survey also includes a discussion of various areas that emerged during the course of the investigation. Finally, some points that emerged during the review that may be good to consider when developing these protocols with security as focus.

The growth of Internet of Things is steadily increasing, both in Sweden and globally. This relative new technology improves the lives of many; but at the price of their security, privacy and safety. This thesis consists of a literature study and an online survey. It investigates what security, privacy and safety risks Internet of Things devices may bring, how aware people are about these risks, how the user can minimize the risk of being hacked or attacked and what manufacturers can do to make safer Internet of Thing devices. The survey was created based on the risks related to Internet of Things devices which was found during the literature study. It was possible to identify security, privacy and safety risks related to Internet of Things. It was also possible to find answers of how both users and manufacturers can protect their devices from being hacked. The survey showed that there was a correlation between how interested people are in technology and how aware they are of the risks with Internet of Things. Internet of Things can be used to do DDoS attacks, espionage and eavesdropping. People who are interested in technology tends to protect themselves more actively (by changing default password and updating the software) compared to those who are not interested.

The goal of the thesis was an analysis of IoT communication protocols, their vulnerabilities and the creation of a suitable anomaly detector. It must be possible to run the detector on routers with the OpenWRT system. To create the final solution, it was necessary to analyze the communication protocols BLE and Z-Wave with a focus on their security and vulnerabilities. Furthermore, it was necessary to analyze the possibilities of anomaly detection, design and implement the detection system. The result is a modular detection system based on the NEMEA framework. The detection system is able to detect re-pairing of BLE devices representing a potential pairing attack. The system allows interception of Z-Wave communication using SDR, detection of Z-Wave network scanning and several attacks on network routing. The system extends the existing detector over IoT statistical data with more detailed statistics with a broader view of the network. The original solution had only Z-Wave statistics with a limited view of the network obtained from the Z-Wave controller. The modular solution of the system provides deployment flexibility and easy system scalability. The functionality of the solution was verified by experiments and a set of automated tests. The system was also successfully tested on a router with OpenWRT and in the real world enviroment. The results of the thesis were used within the SIoT project.

The number of Internet of Things (IoT) devices is growing rapidly which introduces plenty of new challenges concerning the security of these devices. This thesis aims to contribute to a more sustainable IoT environment by evaluating the security of a smart plug. The DREAD and STRIDE methods were used to assess the potential threats and the threats with the highest potential impact were penetration tested in order to test if there were any security preventions in place. The results from the penetration tests presented no major vulnerabilities which bring us to the conclusion that the Nedis Smart Plug has implemented enough security measures.<br>Antalet Internet of Things (IoT) -enheter växer snabbt vilket medför många nya utmaningar när det gäller säkerheten för dessa enheter. Denna avhandling syftar till att bidra till en mer hållbar IoT-miljö genom att utvärdera säkerheten för en smart plug. Metoderna DREAD och STRIDE användes för att bedöma de potentiella hoten och hoten med störst potentiell påverkan penetrerades för att testa om det fanns några säkerhetsförebyggande åtgärder. Resultaten från penetrationstesterna presenterade inga större sårbarheter som ledde oss till slutsatsen att Nedis Smart Plug har genomfört tillräckliga säkerhetsåtgärder.

With the constant growth of units connected to the internet, it’s becoming more and more common for private persons to get these units into their homes. With easier accessibility to smart units that can be connected straight to your smart home, and at the same time can make your everyday life easier, may also be the greatest securityrisk of your life. The focus of this essay is about the internet of things-units (IoT-units) that’s considered a large securityrisk. This work is made as a quantitative study about security deficiencies among private persons regarding IoT-units. The data produced from this work can be used as an answer of what a private person needs to be more vigilant of when it comes to IoT-units, and also what actions the manufacturing industry need to take for the connected community to be secured. To delve into this, we have chosen to use the methods literature study and a questionnaire study that will be performed to obtain data to answer our questions. Analysis has been made about what can be seen as an IoT-unit, what security deficiencies there are and then account for how to counteract these risks with help of knowledge. The result of the answers from the surveys and the picture we have received after a search for a sustainable and a more secure solution is that some knowledge exists, although not to the extent needed. The conclusion that can be drawn after the analysis of surveys and in the previous research how it should proceed in the current situation is that significantly more resources need to be spent on the right information for the right purpose, when it comes to this important IT-related issue.

Mestrado em Engenharia de Computadores e Telemática<br>As plataformas IoT (Internet das Coisas) existentes hoje em dia permitem que diversos dispositivos (“coisas”) com uma fraca capacidade de processamento, como sensores, estejam ligados à rede pública que é a Internet. São colhidos e partilhados dados do meio ambiente que nos rodeia permitindonos conhecer melhor o nosso mundo, agir de forma mais informada e garantir a funcionalidade de certos equipamentos. No entanto, atualmente, os dados são armazenados em claro nas plataformas IoT e podem ser acedidos na sua íntegra por terceiros causando diversos problemas de segurança como a falta de privacidade dos donos dos dados que não conseguem ter qualquer controlo sobre os seus dados produzidos. Como tal, é aqui apresentada uma modificação da arquitetura típica de uma plataforma IoT com o objetivo de adicionar a desejada segurança sobre os dados. Foram adicionadas entidades externas confiáveis de forma a que se conseguisse distribuir as chaves, os dados cifrados e a identificação do utilizador. Desta forma nenhuma entidade, por si só, terá o poder de pôr em causa a privacidade dos utilizadores. A entidade de processamento tem o papel de transformar dados criando anonimato. A entidade de certificação tem o papel de certificar código que irá efetuar essa transformação recorrendo a análise humana. A entidade de autorização tem o papel de permitir que o utilizador possa autorizar ou não todo este processo de acesso e obtenção dos seus dados por parte de terceiros.<br>The IoT (Internet of Things) platforms existing today allow multiple devices (“things”) with a low processing capacity, such as sensors, to be connected with the public network that is the Internet. Environmental data from our surrounding is collected and shared allowing us to better understand our world, act in a more informed manner, perform real-time monitoring of humans and ensure the functionality of certain equipment. However, currently, the data is stored in clear text in the IoT platforms and can be fully accessed by third parties causing many security problems as the lack of privacy of the owners of the data that cannot have any control over their production. As such, a modification of the typical IoT platforms architecture is presented here in order to add the desired security to the data. External trusted entities were added so that elements could be distributed such as the keys, the encrypted data and user identification. Thus, no entity alone has the power to undermine the privacy of users. The processing entity has the role of transforming data creating anonymity. The certification entity has the role of certifying the code that will make this transformation using human analysis. The authorization entity has the role of allowing the user to authorize or not all of this process of access and retrieval of their data by third parties.