Md. Mahmud Hossain

Towards an Analysis of Security Issues, Challenges, and Open Problems in the Internet of Things

The Internet of Things (IoT) devices have become popular in diverse domains such as e-Health, e-Home, e-Commerce, and e-Trafficking, etc. With increased deployment of IoT devices in the real world, they can be, and in some cases, already are subject to malicious attacks to compromise the security and privacy of the IoT devices. While a number of researchers have explored such security challenges and open problems in IoT, there is an unfortunate lack of a systematic study of the security challenges in the IoT landscape. In this paper, we aim at bridging this gap by conducting a thorough analysis of IoT security challenges and problems. We present a detailed analysis of IoT attack surfaces, threat models, security issues, requirements, forensics, and challenges. We also provide a set of open problems in IoT security and privacy to guide the attention of researchers into solving the most critical problems.

An Internet of Things-based health prescription assistant and its security system design

Abstract Today, telemedicine has a great reputation because of its capacity to provide quality healthcare services to remote locations. To achieve its purposes, telemedicine utilizes a number of wireless technologies as well as the Internet of Things (IoT). The IoT is redefining the capacity of telemedicine in terms of improved and seamless healthcare services. In this regard, this paper contributes to the set of features of telemedicine by proposing a model for an IoT-based health prescription assistant (HPA), which helps each patient to follow the doctors recommendations properly. This paper also designs a security system that ensures user authentication and protected access to resources and services. The security system authenticates a user based on the OpenID standard. An access control mechanism is implemented to prevent unauthorized access to medical devices. Once the authentication is successful, the user is issued an authorization ticket, which this paper calls a security access token (SAT). The SAT contains a set of privileges that grants the user access to medical IoT devices and their services and/or resources. The SAT is cryptographically protected to guard against forgery. A medical IoT device verifies the SAT prior to serving a request, and thus, ensures protected access. A prototype of the proposed system has been implemented to experimentally analyze and compare the resource efficiency of different SAT verification approaches in terms of a number of performance metrics, including computation and communication overhead.

Securing the Internet of Things: A Meta-Study of Challenges, Approaches, and Open Problems

The Internet of Things (IoT) is becoming a key infrastructure for the development of smart ecosystems. However, the increased deployment of IoT devices with poor security has already rendered them increasingly vulnerable to cyber attacks. In some cases, they can be used as a tool for committing serious crimes. Although some researchers have already explored such issues in the IoT domain and provided solutions for them, there remains the need for a thorough analysis of the challenges, solutions, and open problems in this domain. In this paper, we consider this research gap and provide a systematic analysis of security issues of IoT-based systems. Then, we discuss certain existing research projects to resolve the security issues. Finally, we highlight a set of open problems and provide a detailed description for each. We posit that our systematic approach for understanding the nature and challenges in IoT security will motivate researchers to addressing and solving these problems.

Aura: An incentive-driven ad-hoc IoT cloud framework for proximal mobile computation offloading

Abstract The rapid growth of mobile applications requires enhanced computational resources in order to ensure better performance, security, and usability. In recent years, the proliferation of the Internet-of-Things (IoT) devices has caused a paradigm shift in computing and communication. IoT devices are making our physical environment and infrastructures smarter, bringing pervasive computing to the mainstream. Given numerous predictions that we will have billions of such devices deployed in the next five years, we have the opportunity to utilize such IoT devices in converting our physical environment into interactive, smart, and intelligent computing infrastructures. In this paper, we present Aura – a highly localized IoT based cloud computing model. Aura allows mobile clients to create ad hoc and flexible clouds using the IoT and other computing devices in the nearby physical environment. Aura provides localized computational capability from untapped computing resources using a task-offloading model for mobile devices. Computations done in Aura are highly flexible, giving clients full control to start, stop, migrate, and restart computations in localized IoT devices as the mobile users move between different physical locations. As an example application of Aura, we have ported a lightweight version of MapReduce to run on IoT devices powered by Contiki OS. The prototype application was utilized to conduct various experimental measurements to evaluate different performance metrics of the proposed system. The paper presents a detailed comparative analysis of Aura with traditional clouds and applications running natively on mobile phones to assert the benefits and feasibility of the model.

Litigo: A Cost-Driven Model for Opaque Cloud Services

Cloud computing provides software, platform, and infrastructure as a service that helps organizations to perform several resource intensive tasks. The services offered by a cloud service provider are limited by provider-specific options in terms of the pre-specified configurations. Moreover, it is sometimes expensive to pay a fixed amount of money without any format of negotiation or price-matching deals for the cloud-based services and resources. Conversely, the negotiator-based model for opaque services has gained popularity in various markets, such as, for flights, hotels, and rentals. We posit that a similar opaque inventory for cloud-based services and resources is the next generation niche for consumer acquisition and service delivery in the cloud computing market. Such a model will facilitate the clients with flexible resource and service provisioning at reasonable prices, and will also allow a higher revenue and increase resource utilization for cloud service providers. In this paper, we propose Litigo, a cost-driven model for opaque service platforms for cloud computing. The Litigo component acts as a middle-man to deliver cloud-based services from a set of cloud service providers to the end users. We present a detailed cost model and comparison between establishing a cloud service vs. an opaque cloud service. Our empirical framework allows a Litigo service provider to analyze the profit model and creates the market niche accordingly. We performed extensive analysis using simulated model verification for Litigo. The proposed model delivers an opaque cloud as a service to clients at a reasonable price by maximizing the resource utilization and revenue of cloud service providers.

Jugo: A Generic Architecture for Composite Cloud as a Service

Cloud computing has become the industry standard for rapid application deployment, scalable server support, mobile and distributed services, and it provides access to (theoretically) infinite resources. Unfortunately, researchers are still trying to converge towards cross-provider cloud computing frameworks to enable compatibility and seamless resource transition between cloud providers. Moreover, users are restricted to using the provider-specific pre-configured options of resources and services, irrespective of their current needs. At the same time, cloud services are provided as a direct service from the providers to the clients. This creates a segregated cloud market clientele, and non-negotiable pricing strategies for the cloud services. In this paper, we propose Jugo, a generic architecture for cloud composition and negotiated service delivery for cloud users. Jugo acts as a match-maker for service specifications from the users with the currently available assets from the cloud providers. The engagement of a middle-man as an opaque cloud service provider will create a better opportunity for cloud users to find cheaper deals, price-matching, and flexible resource specifications, with increased revenue and higher resource utilization for the cloud service providers.

HSC-IoT: A Hardware and Software Co-Verification Based Authentication Scheme for Internet of Things

The Internet of Things (IoT) have become popular in diverse domains because of their accessibility and mobility as well as cost-efficient manufacturing, deployment, and maintenance process. The widespread deployment of IoT devices makes them an attractive target for an attacker trying to gain unauthorized access to an IoT-based system. An adversary clones a real hardware device or compromises embedded software to impersonate a legitimate device, and thus gains unauthorized access to sensitive information and performs security-critical operations. The existing security schemes for the mobile systems cannot be applied directly to an IoT-enabled infrastructure since devices are resource constrained regarding storage, processing power, and communication bandwidth. Additionally, the current security approaches for the IoT systems are unable to identify physically compromised IoT devices. In this paper, we propose HSC-IoT, a resource-efficient Physical Unclonable Function (PUF)-based security protocol that ensures both software and hardware integrity of IoT devices. HSC-IoT also provides a lightweight mutual authentication scheme for the resource-limited devices based on Elliptic Curve Cryptography. We present a detailed analysis of the security strength of HSC-IoT. We implemented a prototype of HSC-IoT on IoT devices powered by Contiki OS and provided an extensive comparative analysis of HSC-IoT with contemporary IoT security protocols.

SecuPAN: A Security Scheme to Mitigate Fragmentation-Based Network Attacks in 6LoWPAN

6LoWPAN is a widely used protocol for communication over IPV6 Low-power Wireless Personal Area Networks. Unfortunately, the 6LoWPAN packet fragmentation mechanism possesses vulnerabilities that adversaries can exploit to perform network attacks. Lack of fragment authentication, payload integrity verification, and sender IP address validation lead to fabrication, duplication, and impersonation attacks. Moreover, adversaries can abuse the poor reassembly buffer management technique of the 6LoWPAN layer to perform buffer exhaustion and selective forwarding attacks. In this paper, we propose SecuPAN - a security scheme for mitigating fragmentation-based network attacks in 6LoWPAN networks and devices. We propose a Message Authentication Code based per-fragment integrity and authenticity verification scheme to defend against fabrication and duplication attacks. We also present a mechanism for computing datagram-tag and IPv6 address cryptographically to mitigate impersonation attacks. Additionally, our reputation-based buffer management scheme protects 6LoWPAN devices from buffer reservation attacks. We provide an extensive security analysis of SecuPAN to demonstrate that SecuPAN is secure against strong adversarial scenarios. We also implemented a prototype of SecuPAN on Contiki enabled IoT devices and provided a performance analysis of our proposed scheme.

Trust-IoV: A Trustworthy Forensic Investigation Framework for the Internet of Vehicles (IoV)

The Internet of Vehicles (IoV) is a complex and dynamic mobile network system that enables information sharing between vehicles, their surrounding sensors, and clouds. While IoV opens new opportunities in various applications and services to provide safety on the road, it introduces new challenges in the field of digital forensics investigations. The existing tools and procedures of digital forensics cannot meet the highly distributed, decentralized, dynamic, and mobile infrastructures of the IoV. Forensic investigators will face challenges while identifying necessary pieces of evidence from the IoV environment, and collecting and analyzing the evidence. In this article, we propose TrustIoV – a digital forensic framework for the IoV systems that provides mechanisms to collect and store trustworthy evidence from the distributed infrastructure. Trust-IoV maintains a secure provenance of the evidence to ensure the integrity of the stored evidence and allows investigators to verify the integrity of the evidence during an investigation. Our experimental results on a simulated environment suggest that Trust-IoV can operate with minimal overhead while ensuring the trustworthiness of evidence in a strong adversarial scenario.