Module 3

Uploaded by

Abhishek S

‭MODULE 3‬

‭IoT‬
‭PYQ‬
Karnataka
1. Explain security requirements and threat analysis.
or
6. What are the security requirements in IoT architecture and threat analysis using Microsoft?

● IoT reference architecture serves as a guide for architects and comprises three key
views: functional, information, and deployment and operational.
‭●‬ ‭Security Functional group contains five sets of functions which are required for ensuring‬
‭security and privacy.‬
‭●‬ ‭Five functional components (FCs) of security are defined in IoT reference architecture.‬
‭●‬ ‭Following are five functional components (FCs):‬
‭1. Identity management (IdM) - Essential functional component focusing on managing‬
‭identities associated with devices, applications, and services for robust security.‬
2. Authentication - A functional component dedicated to verifying entities within the
IoT ecosystem, ensuring secure and authorized access.
‭3. Authorisation - Another critical functional component dealing with defining and‬
‭enforcing access policies and permissions for devices, applications, and services.‬
‭4. Key exchange and management - Addresses the secure exchange and management of‬
‭cryptographic keys, a vital aspect in safeguarding communication and data integrity.‬
‭5. Trust and reputation - Focuses on building and maintaining trust among entities in the‬
‭IoT network, with a reputation system to assess reliability and integrity.‬
‭●‬ ‭Threat analysis‬
‭○‬ ‭A threat-analysis tool first generates the threats and analyzes a system for threat(s).‬
○ Threat analysis means uncovering the security design flaws after specifying the following:
■ Stride category - Stride means taking a long step for little steps
■ Data flow diagram
■ Elements between which the interactions occur during the stride
■ Processes which are activated for analysis.

‭‬

‭●‬ ‭The above figure is an application threat model in Microsoft threat modeling tool.‬
○ The threat analysis tool comprises three main components, which together provide a
structured workflow for users:
■ Getting started guide
■ Create a model
■ Open a model
‭○‬ ‭The model is designed for threat analysis, incorporating definitions of strides and‬
‭elements.‬
‭○‬ ‭Elements can be processes, data stores, flows, boundaries, or external specified‬
‭elements within the system.‬
‭○‬ ‭The tool allows the creation of new threats using a stride category.‬
‭○‬ ‭A stride category is defined for generating a list of active threats based on‬
‭interactions between system elements, as per the model definitions.‬
‭○‬ ‭The tool recognizes various element types, such as processes, data stores, flows,‬
‭boundaries, and external specified elements, enhancing flexibility in threat analysis.‬
‭○‬ ‭The tool comes with predefined threat categories and users can create new ones.‬
‭○‬ ‭Threat definitions and mitigation solutions are suggested automatically.‬
‭○‬ ‭The tool's analysis view displays messages indicating vulnerabilities, the data flow‬
‭diagram, and active/inactive threats.‬
‭○‬ ‭For instance, it shows data flow between devices and applications or services.‬
‭○‬ ‭The tool offers search functionality, and when searching for the element process, the‬
‭view displays active and inactive processes, such as OS process, Thread, Kernel‬
‭Thread, Native Application, Managed Application, and more.‬
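
The threat generation described above, as an added example (not the Microsoft tool's own logic and not part of the original notes): it applies the STRIDE-per-element chart, where STRIDE abbreviates Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege, to a small constructed data flow diagram. The element names, trust zones and the rule that a flow staying inside one zone is listed as inactive are assumptions.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: which threat categories are considered
# for each kind of data-flow-diagram element.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
APPLIES = {
    "external": "SR",       # external specified element
    "process": "STRIDE",
    "data_store": "TID",    # repudiation applies only to audit-log stores
    "flow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # external | process | data_store | flow
    zone: str = ""     # trust zone of a non-flow element
    src: str = ""      # flows only: source element name
    dst: str = ""      # flows only: destination element name

def generate_threats(elements):
    """Return (element, category, active) tuples for a DFD."""
    zone = {e.name: e.zone for e in elements if e.kind != "flow"}
    threats = []
    for e in elements:
        # Assumed rule: a flow is active only if it crosses a trust boundary.
        active = e.kind != "flow" or zone[e.src] != zone[e.dst]
        for letter in APPLIES[e.kind]:
            threats.append((e.name, STRIDE[letter], active))
    return threats

# Constructed sample model: field sensor -> gateway -> local telemetry store.
MODEL = [
    Element("sensor", "external", zone="field"),
    Element("gateway", "process", zone="lan"),
    Element("telemetry_db", "data_store", zone="lan"),
    Element("sensor->gateway", "flow", src="sensor", dst="gateway"),
    Element("gateway->telemetry_db", "flow", src="gateway", dst="telemetry_db"),
]

if __name__ == "__main__":
    for name, category, active in generate_threats(MODEL):
        print(f"{'ACTIVE  ' if active else 'inactive'} {name}: {category}")
```
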

2. What is IoT security tomography? Explain in detail the layered attacker model.
‭●‬ ‭Computational tomography means a computing method of producing a three-dimensional‬
‭picture of the internal structures of an object, by observation‬
● Computational security in a complex set of networks utilizes the network tomography
procedures for identifying the network vulnerabilities.
● A complex set of networks may be distributed or collaborative.
● Network tomography refers to the study of vulnerabilities and security aspects for network
monitoring in a complex system, such as WSNs, RFIDs or IoT networks, and to allocating
resources and ensuring network reliability and security.

‭‬

‭●‬ ‭Layer 1 Attacks Solution:‬
‭○‬ ‭Tailor solutions based on specific devices.‬
‭○‬ ‭Implement BT LE link-level AES-CCM 128 for confidentiality and authentication.‬
‭○‬ ‭Use ZigBee at the link-level security with AES-CCM-128.‬
‭●‬ ‭Layer 2 Attacks Solution:‬
‭○‬ ‭Program network switches to prevent internal node attacks during DHCP or STP.‬
‭○‬ ‭Implement controls such as ARP inspection, disabling unused ports, and enforcing‬
‭VLAN security.‬
‭●‬ ‭Layer 3 Attacks Solution:‬
‭○‬ ‭Utilize tamper-resistant routers.‬
‭○‬ ‭Implement packet filtering, control routing messages, and use firewalls.‬
‭●‬ ‭Layer 4 Attacks Solution:‬
‭○‬ ‭Identify vulnerable ports through port scanning.‬
‭○‬ ‭Configure firewalls effectively, deploy DTLS between layers 5 and 4.‬
‭○‬ ‭Implement SASL for security when using the XMPP protocol.‬
‭●‬ ‭Layers 5 and 6 Attacks Solution:‬
‭○‬ ‭Address application-level attacks due to coding flaws.‬
‭○‬ ‭Use HTTPS for secure communication in web applications.‬
‭○‬ ‭Leverage S-HTTP features, including content privacy, digital signatures, and‬
‭encryption.‬
‭3. Explain five levels for software development for application and services for IoT or M2M.‬

● The software needs are for the devices, local network, gateway, cloud web connectivity and
web/cloud APIs.
● The software enables the device gateway's connectivity to the Internet and cloud server.
● Enables open source implementations of IoT protocols.
● Connected devices use a variety of protocols (LWM2M, CoAP, MQTT) and methods for
connecting to the web.
● Web communication uses the Gateway, SOAP, REST, RESTful HTTP and WebSockets
functions.
● The Open Services Gateway initiative (OSGi) provides and maintains open standard
specifications.
● OSGi describes the specification of management of Java packages/classes in a modular
system.
‭●‬ ‭Physical/Data Link and Adaptation Layers Software using IDE:‬
‭○‬ ‭Physical Layer: Involves software development for hardware interactions, managing‬
‭sensors, actuators, or communication modules.‬
‭○‬ ‭Data Link Layer: Software at this level manages reliable point-to-point‬
‭communication, error detection, and correction, handling data frames.‬
‭○‬ ‭Adaptation Layer: Develops software to adapt data formats and protocols, ensuring‬
‭efficient communication between diverse devices.‬
○ IDE (Integrated Development Environment): Utilizes an IDE tailored for IoT/M2M
development, providing tools for code editing, debugging, and compilation specific
to hardware interactions.
‭●‬ ‭IoT or M2M Area Local Network and Gateway Software:‬
‭○‬ ‭IoT/M2M Area Local Network: Involves software development for managing the‬
‭local network, including protocols for device discovery, addressing, and‬
‭communication within a confined area.‬
‭○‬ ‭Gateway Software: Develops software for gateways that act as intermediaries‬
‭between local IoT networks and broader networks (e.g., the internet). Manages data‬
‭translation, security, and transmission between local networks and external services.‬
‭●‬ ‭Network and Transport Layers Software:‬
‭○‬ ‭Develops software for the network and transport layers, focusing on protocols,‬
‭routing, and reliable end-to-end communication between devices. Ensures efficient‬
‭and secure data transfer within the broader network.‬
‭●‬ ‭Application Support Layer APIs/Software:‬
‭○‬ ‭Develops APIs (Application Programming Interfaces) and software libraries to‬
‭provide foundational support for IoT/M2M applications. This includes‬
‭functionalities like data storage, security services, and common utilities used by‬
‭higher-level applications.‬
‭●‬ ‭Application Layers APIs/Software:‬
‭○‬ ‭Develops APIs and software specific to the application layer, catering to the unique‬
‭requirements of IoT/M2M applications. This could involve creating interfaces for‬
‭data analytics, user interfaces, business logic, and other application-specific‬
‭functionalities.‬

4. Explain the importance of security in IoT. Explain security models in brief.


5. Discuss embedded programming. Arduino device platform using IDE.
‭●‬ ‭Programming with avr-gcc Tools:‬
‭○‬ ‭Arduino boards are programmed using avr-gcc tools, providing a‬
‭platform-independent development environment.‬
‭○‬ ‭A pre-installed bootloader embedded in the firmware simplifies code uploading onto‬
‭the Arduino board.‬
‭●‬ ‭Arduino IDE and Simplicity:‬
‭○‬ ‭Arduino programmers use a graphical cross-platform IDE for coding, emphasizing‬
‭simplicity.‬
‭○‬ ‭The IDE, based on the Processing language, connects to the board via a computer.‬
‭○‬ ‭The bootloader facilitates multitasking through interrupt-handling functions for each‬
‭task, enhancing event-driven capabilities.‬
‭●‬ ‭IDE Modules and Development Environment:‬
‭○‬ ‭The Arduino IDE consists of software modules creating a development environment‬
‭for specific device platforms.‬
‭○‬ ‭Users download an appropriate IDE version for their OS (Windows, Mac OS X, or‬
‭Linux) from the Arduino website.‬
‭●‬ ‭Uploading Codes and Arduino IDE Features:‬
‭○‬ ‭The Arduino IDE allows the computer to upload developed codes to the board via a‬
‭USB cable or a labeled serial port.‬
‭○‬ ‭It includes a C/C++ library called Wiring, simplifying Arduino IO operations.‬
‭○‬ ‭The editor within the IDE provides automatic indentation, syntax highlighting, and‬
‭error checking, facilitating code development.‬
‭●‬ ‭Code Development Process:‬
‭○‬ ‭Arduino IDE functions as a file editor using the Processing environment and Wiring‬
‭library functions.‬
‭○‬ ‭Codes written in C/C++ are compiled, checked for errors, and, if error-free, can be‬
‭uploaded to the board for embedding.‬
● setup() and loop() Functions:
‭○‬ ‭Arduino programming involves defining two functions: setup() for initializing‬
‭settings and loop() for the main program running in an endless loop.‬
‭○‬ ‭The simplicity of Arduino is reflected in the minimalistic requirements for defining‬
‭executable program functions.‬
‭●‬ ‭Serial Monitor for Debugging:‬
‭○‬ ‭A serial monitor in the IDE allows messages from the embedded software to be‬
‭displayed on the computer screen during testing and debugging.‬
7. Write a short note on Arduino programming for IoT.
‭●‬ ‭Simplicity and Accessibility: Arduino's user-friendly IDE and programming language‬
‭simplify IoT development, making it accessible for beginners.‬
‭●‬ ‭IoT Connectivity: Arduino boards support various communication modules, enabling‬
‭seamless integration into the broader IoT ecosystem.‬
‭●‬ ‭Sensor Integration: Arduino facilitates the integration of diverse sensors for data‬
‭acquisition, a fundamental aspect of IoT applications.‬
‭●‬ ‭Communication Protocols: Arduino supports protocols like MQTT and HTTP for data‬
‭transmission, crucial for interaction with IoT platforms.‬
‭●‬ ‭Actuator Control: Arduino enables the control of actuators, allowing physical actions based‬
‭on IoT application requirements.‬
‭●‬ ‭IoT Prototyping: Arduino's prototyping capabilities and extensive community support‬
‭accelerate the development of IoT concepts.‬
‭●‬ ‭Edge Computing: Arduino boards can perform basic edge computing tasks, reducing the‬
‭reliance on cloud processing for certain applications.‬
‭●‬ ‭Security Considerations: While Arduino simplifies development, security practices,‬
‭including encryption, are essential for protecting IoT devices and data.‬

8. Explain how data is read from sensors and devices.


● Using ADC:
‭○‬ ‭Employing analog-to-digital conversion (ADC) for sensors like temperature and‬
‭humidity in the range of 0 to 100 degrees Celsius.‬
‭○‬ ‭Utilizing a 10-bit ADC on the Arduino Uno board to convert analog sensor outputs‬
‭to digital values.‬
‭○‬ ‭Using a Parallel Input to Serial-Output (PISO) converter to convert the digital output‬
‭of the ADC to a serial format.‬
‭○‬ ‭Connecting the serial output to the Serial Peripheral Interface (SPI) input pin on the‬
‭Arduino Uno board.‬
‭○‬ ‭Extending the application to include Relative Humidity (RH%) sensors with a‬
‭similar setup.‬
‭○‬ ‭Demonstrating flexibility by adapting the approach for measuring RH% instead of‬
‭temperature.‬
‭●‬ ‭Using the Libraries‬
‭○‬ ‭Emphasizing the broad application of these libraries in data communication using‬
‭various serial bus protocols.‬
‭○‬ ‭Mentioning specific protocols such as UART, I2C, USB, and CAN, showcasing the‬
‭versatility of the software serial libraries.‬
‭●‬ ‭Using the timers‬
○ It has two functions, set() and start(). The first sets the timer to interrupt after a
preset interval, and the second starts the timer running.
● Using software serial library
○ The serial interface library manages serial protocol communication by transmitting
header bits, data bits, and end-bits in a specific sequence.
‭○‬ ‭UART protocol, using Tx and Rx signals, operates at a defined baud rate, with a byte‬
‭representing characters, data, or commands.‬
‭○‬ ‭Arduino's pins 0 and 1 are dedicated to UART serial communication, while the‬
‭Software Serial library enables flexibility in choosing digital IO pins.‬
‭○‬ ‭Communication initiation involves RFID IC connecting to Arduino's digital IO pins,‬
‭transmitting a header, and concluding with an end-character.‬
‭○‬ ‭The Software Serial library facilitates efficient reading and writing of serial data,‬
‭crucial for effective communication between Arduino and devices like RFID ICs.‬
‭●‬ ‭Using Threads‬
‭○‬ ‭Thread Representation: Each delay instruction in the program acts as an individual‬
‭thread.‬
‭○‬ ‭Multitasking Utilization: During delays, the operating system executes other threads‬
‭in sequence or with the next priority.‬
‭○‬ ‭Sleep Function: The OS's sleep() or OS_Delay() function is used for blocking a‬
‭thread during the preset delay, ensuring efficient multitasking.‬
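
The header, data and end-character framing described under "Using software serial library", as an added example (not part of the original notes): a host-side Python model of the receive logic that drops malformed frames instead of trusting whatever arrives on the serial line. The 0x02/0x03 framing bytes, the 10-digit tag and the XOR checksum are assumptions, not values from the notes.

```python
STX, ETX = 0x02, 0x03      # assumed header and end-character bytes
TAG_LEN, CSUM_LEN = 10, 2  # assumed: ASCII hex tag + ASCII hex checksum
HEX = set(b"0123456789ABCDEF")

def xor_checksum(tag_hex: str) -> int:
    """XOR of the tag's data bytes (assumed checksum scheme)."""
    value = 0
    for b in bytes.fromhex(tag_hex):
        value ^= b
    return value

def body_is_valid(body: bytes) -> bool:
    """Check length, character set and checksum of one frame body."""
    if len(body) != TAG_LEN + CSUM_LEN or not set(body) <= HEX:
        return False
    text = body.decode("ascii")
    return xor_checksum(text[:TAG_LEN]) == int(text[TAG_LEN:], 16)

def parse_frames(stream: bytes):
    """Return (tags, rejected) for a raw UART byte stream."""
    tags, rejected, buf, in_frame = [], 0, bytearray(), False
    for byte in stream:
        if byte == STX:                  # header: start or restart a frame
            rejected += in_frame         # a frame that never ended is dropped
            buf, in_frame = bytearray(), True
        elif not in_frame:
            continue                     # noise between frames is ignored
        elif byte == ETX:                # end-character: validate the body
            in_frame = False
            if body_is_valid(bytes(buf)):
                tags.append(buf[:TAG_LEN].decode("ascii"))
            else:
                rejected += 1
        elif len(buf) >= TAG_LEN + CSUM_LEN:
            in_frame, rejected = False, rejected + 1   # overlong: drop it
        else:
            buf.append(byte)
    return tags, rejected

# Constructed sample: noise, a good frame, a bad checksum, a truncated
# frame cut off by a new header, then a second good frame.
SAMPLE = (b"\xff\x020A1B2C3D4E4E\x03" b"\x020A1B2C3D4E00\x03"
          b"\x02012\x020A1B2C3D4E4E\x03")

if __name__ == "__main__":
    print(parse_frames(SAMPLE))
```
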
8. Define vulnerability and mention the top 10 vulnerabilities defined by OWASP.
● Vulnerability means a weakness in defending oneself, or being easily influenced by
unwanted things in the surroundings.
‭●‬ ‭OWASP has identified top ten vulnerabilities in IoT applications/services as follows:‬
‭● Insecure web interface‬
‭● Insufficient authentication or authorisation‬
‭● Insecure network services‬
‭● Lack of transport encryption/integrity verification‬
‭● Privacy concerns‬
‭● Insecure cloud interface‬
‭● Insecure mobile interface‬
‭● Insufficient security configurability‬
‭● Insecure software or firmware‬
‭● Poor physical security‬
