Thaier Hayajneh

Healthcare Blockchain System Using Smart Contracts for Secure Automated Remote Patient Monitoring

As Internet of Things (IoT) devices and other remote patient monitoring systems increase in popularity, security concerns about the transfer and logging of data transactions arise. In order to handle the protected health information (PHI) generated by these devices, we propose utilizing blockchain-based smart contracts to facilitate secure analysis and management of medical sensors. Using a private blockchain based on the Ethereum protocol, we created a system where the sensors communicate with a smart device that calls smart contracts and writes records of all events on the blockchain. This smart contract system would support real-time patient monitoring and medical interventions by sending notifications to patients and medical professionals, while also maintaining a secure record of who has initiated these activities. This would resolve many security vulnerabilities associated with remote patient monitoring and automate the delivery of notifications to all involved parties in a HIPAA compliant manner.

Hardware design and modeling of lightweight block ciphers for secure communications

Abstract Lightweight ciphers are essential for secure communication in resource-constrained devices. The objective of this research is to implement lightweight ciphers in hardware; and optimize and model their design metrics. Design metrics are measured by advanced design flow which includes implementing ciphers in hardware and conducting simulations. To achieve the stated objective, the presented study selects one representative cipher–namely the KATAN/KTANTAN algorithms–to be modeled, implemented and optimized on specific hardware technology; the Field Programmable Gate Array (FPGA) platform. Various designs are implemented to exercise numerous options e.g. block sizes, number of implemented rounds and key scheduling. Then, design metrics are measured and modeled. In general, results demonstrate that number of resources and measured power consumption exhibit similar, but not identical, profile against design options. Measured energy trends are more complex. Specifically, results show that employing variable key scheduling increases resources, power and energy by 30%, 42% and 58%, respectively. Further, increasing the block size by 50% increases resources and power by about 53% and 55% respectively, but reduces energy by an average of 10%. Doubling number of implemented rounds in hardware increases resources and power by an average of 43% and 38% respectively. Optimum energy per bit design is produced in the designs with small block size ( i . e . 32-bit) in the cases when number of implemented rounds equals to 32 or 64 rounds. When the energy and area design requirements are to be balanced, the optimum design is the 16-round implementation. Furthermore, developed models are tested on HIGHT cipher and demonstrate good accuracy.

An investigation of Bluetooth security vulnerabilities

As Bluetooth technology has evolved and improved over the years, it has gained widespread acceptance and is increasingly found in many aspects of everyday life. Its convenient and easy to use, but it also has security flaws which make it vulnerable to attacks. In this paper, we discuss and demonstrate some of the tools and techniques that are currently available to attackers to exploit the vulnerabilities in Bluetooth. We also discuss some of the techniques to mitigate those risks to protect data and devices. Yet despite its world-wide acceptance and continued proliferation, as we have learned through our research and analysis, security vulnerabilities in Bluetooth still persist.

Security and Attack Vector Analysis of IoT Devices

The goal of this paper is to research and review through experimental testing the security of home automation devices. The methodology includes analysis and review of these home automation devices through traffic capture, device scanning, and wireless analysis. The devices that will be tested are the Amazon Echo, Osram Smart Lights, and TPLink power switch. We present a classification model to analyze the relation between potential risk and realized risk through potential vulnerabilities in these varying home automation devices. Possible security flaws that might be found include default configurations, easy to crack passwords, unencrypted traffic, responses to forged traffic, and full control of the device without any authentication. We also perform a review of their privacy exposure and outline the security vectors used to attack IoT devices, as well as the most recent malwares in control of over a million IoT devices.

Event Detection through Differential Pattern Mining in Cyber-Physical Systems

Extracting knowledge from sensor data for various purposes has received a great deal of attention by the data mining community. For the purpose of event detection in cyber-physical systems (CPS), e.g., damage in building or aerospace vehicles from the continuous arriving data is challenging due to the detection quality. Traditional data mining schemes are used to reduce data that often use metrics, association rules, and binary values for frequent patterns as indicators for finding interesting knowledge about an event. However, these may not be directly applicable to the network due to certain constraints (communication, computation, bandwidth). We discover that, the indicators may not reveal meaningful information for event detection in practice. In this paper, we propose a comprehensive data mining framework for event detection in the CPS named DPminer, which functions in a distributed and parallel manner (data in a partitioned database processed by one or more sensor processors) and is able to extract a pattern of sensors that may have event information with a low communication cost. To achieve this, we introduce a new sensor behavioral pattern mining technique called differential sensor pattern (DSP) which considers different frequencies and values (non-binary) with a set of sensors, instead of traditional binary patterns. We present an algorithm for data preparation and then use a highly-compact data tree structure (called DP-Tree) for generating the DSP. An important tradeoff between the communication and computation costs for the event detection via data mining is made. Evaluation results show that DPminer can be very useful for networked sensing with a superior performance in terms of communication cost and event detection quality compared to existing data mining schemes.

Heartbleed attacks implementation and vulnerability

Several vulnerabilities were detected in the open SSL connection versions 1.0.1 and 1.0.1f. Usually, in the previous versions of SSL/TLS, once an SSL connection is established between a client and a server, the connection will stay until the client or server is idle for a certain amount of time, after which the connection will be dropped. The idea of keeping the session connected was proposed in 2012. The initial idea introduced Heartbeat Messages that are indirectly called “keep alive packets”. These “keep alive packets” or “heartbeat packets” are transmitted in between client and server when the SSL session is ideal for a certain amount of time. Regarding “keep alive packets” or “heartbeat packets” mechanisms, these packets are stored in the same memory in which most sensitive information of the client and server is stored. When it is one of the peers turn to return the heartbeat message, that peer takes the heartbeat packet saved in its random memory location, which is sent by the other peer, and returns it to the other peer to acknowledge the live session. However, the hackers are able to craft a similar Heartbeat Message in a way that makes the peers store it in the same memory location where the sensitive data is stored. Then it returns back the sensitive data along with the crafted heartbeat message sent by the hackers. In this paper, we studied and implemented the heartbleed attack. We also discussed mitigation solutions for this vulnerability.

CAre: Certificate Authority Rescue Engine for Proactive Security

Cryptography and encryption is a topic that is blurred by its complexity making it difficult for the majority of the public to easily grasp. The focus of our research is based on SSL technology involving CAs, a centralized system that manages and issues certificates to web servers and computers for validation of identity. We first explain how the certificate provides a secure connection creating a trust between two parties looking to communicate with one another over the internet. Then the paper goes into what happens when trust is compromised and how information that is being transmitted could possibly go into the hands of the wrong person. We are proposing a browser plugin, Certificate Authority Rescue Engine (CAre), to serve as an added source of security with simplicity and visibility. In order to see why CAre will be an added benefit to average and technical users of the internet, one must understand what website security entails. Therefore, this paper will dive deep into website security through the use of public key infrastructure and its core components; certificates, certificate authorities, and their relationship with web browsers.

Next generation wireless-LAN: Security issues and performance analysis

Next generation wireless technology is breaking ground with the ability to pass the speeds of a gigabit Ethernet connections. With these technological advances it is important to also take into consideration the security of such technology. In this paper we focus on IEEE 802.11ac standard. We have recorded and analyzed 802.11ac wireless traffic with a packet capture software and compared the results with 2.4 GHZ 802.11n and 5.0 GHZ 802.11n traffic in terms of security improvements. The results of our analysis concluded that 802.11ac does not implement new features in the 802.11 architecture and has the same security weaknesses that exist in 802.11n and 802.11g. This paper also focuses on the performance of 802.11ac as compared to 802.11n 5GHZ and 802.11gn. The results concluded that 802.11ac significantly outperformed 802.11n 5 GHZ and 802.11gn.

Maintaining the Balance between Privacy and Data Integrity in Internet of Things

The recent proliferation of human-carried mobile and smartphone devices has opened up opportunities of using crowd-sensing to collect sensory data in Internet of Things (IoT). As tapping into the sensory data and resources of the smartphones becomes common place, it is necessary to ensure the privacy of the device user while maintaining the accuracy and the integrity of the data collected. IoT system devices often sacrifice either user privacy or data integrity. It has also become important to limit the computational cost and burden on the user devices, as increasingly more services desire to tap into the resource that these devices provide. In this paper we propose a balanced truth discovery (BTD) framework that attempts to meet all three of the aforementioned needs: user privacy, data integrity, and limited computational cost. The BTD framework also reduces user participation in the truth discovery process. The nature of the BTD framework provides the possibility for easy modification (e.g. cryptography and weight assignment). This reduces computation cost for the user device, but also limits the interactions between the devices and the server, which is essential to data integrity. BTD framework also takes steps to blur the user devices original sensory data, by processing results in groups called zones. An enhanced method takes privacy preservation a step further, by protecting the user from an untrusted data-collecting party. Analysis of simulations running the framework provides evidence for the preservation of data integrity.

A Framework for Preventing the Exploitation of IoT Smart Toys for Reconnaissance and Exfiltration

There are many concerns that come along with the Internet of Things that should be addressed because of its growing popularity. One major concern is the security issues related to connected devices. Connected toys are a category of IoT devices that are commonly overlooked when considering these issues, yet they are just as susceptible to attacks as any other device. This paper will look at recent incidents related to security issues involving connected toys and establish a framework with the intention of providing manufacturers with a set of standards that must be adhered to before a device can be marketed. The affected products in the discussed incidents are then tested against the proposed framework.