IoT Unit 6


Unit No. 6
Security in IoT
Prof. Sachin Sambhaji Patil
Zeal College of Engineering and Technology
Pune

Prof.Sachin S. Patil , ZCOER 1


What is Internet of Things Security?

• IoT security is the practice that keeps your IoT systems safe.

• IoT security tools protect from threats and breaches.

• IoT security tools identify and monitor risks and can help fix vulnerabilities.

• IoT security ensures the availability, integrity, and confidentiality of your IoT solution.

Application of IoT Security

• Businesses use a wide range of IoT devices, including smart security cameras, trackers for vehicles, ships and goods, as well as sensors that capture data about industrial machinery.


Vulnerabilities of IoT

• Weak, guessable passwords:- Most IoT devices come with preset credentials (usernames and passwords) that are provided by the manufacturer.

• Unsecured network services:- One of the core features of IoT devices involves networking capabilities that allow endpoints to communicate amongst themselves over a secure internet connection.


Vulnerabilities of IoT

• Unhealthy IoT ecosystems:- When IoT devices are integrated with centralized management platforms and legacy systems, users can unknowingly introduce security vulnerabilities at the application layer.

• These include compromised authentication controls, weak encryption protocols and unoptimized input/output filtering.


Vulnerabilities of IoT

• Inefficient update mechanism:- To prevent IoT devices from being compromised, companies must be able to send real-time updates to each endpoint as soon as they are made available.

• Lack of privacy protection:- IoT devices often collect and store users' personal information, which may be compromised if hackers are able to bypass built-in security features and authentication protocols.

Vulnerabilities of IoT

• Improper data transfer and storage:- Even the most robust IoT equipment can be exploited if users fail to encrypt data within their IT ecosystems.

• Sensitive information can be stolen at the point of collection, while it's in transit or during processing.


Security Requirements
• Best Secure Coding Practices Should be followed

• Use of TLS for all Network Communications

• Verified Firmware Updates

• Scalable Process for Firmware Updates

• Strong Authentication Mechanisms

• Unique MAC Addresses

• No Communication with third party Servers

• No Hardcoded Credentials

Security Requirements
• Unique & Replaceable Certificates

• Commitment to Security Updates

• Minimum Service Exposure

• WiFi Must Use WPA2

• Bluetooth Security

• Sync Clocks with NTP

• No External Network Connectivity

• Use of Non WiFi Wireless Interfaces

Security Requirements
• Identification and Delivery of Open Source Components

• Graceful Degradation

• Test Resilience


IoT Security Challenges
• The Rise of Botnets

A botnet exists when hackers remotely control internet-connected devices and use them for illegal purposes.

A botnet (short for “robot network”) is a network of computers infected by malware that are under the control of a single attacking party.

• More IoT Devices

Security professionals were focused solely on protecting mobile devices and computers.

IoT Security Challenges
• Lack of Encryption

• Outdated Legacy Security

• Weak Default Password

• Unreliable Threat Attacks in IoT

• Phishing Attacks - Phishing is a type of cyber security attack during which malicious actors send messages pretending to be a trusted person or entity.

• Inability To Predict Threats


IoT Security Challenges

• Infrequent Updates

• IoT Financial Related Breaches

• User Privacy



What is Threat Modeling?

• Threat modeling is a method of optimizing network security by locating vulnerabilities, identifying objectives and developing countermeasures to either prevent or mitigate the effect of cyber attacks against the system.


What is Threat Modeling?

• While security teams can conduct threat modeling at any point during development, doing it at the start of the project is best practice.


The Threat Modeling Process

• Threat modeling consists of defining an enterprise's assets, identifying what function each application serves in the grand scheme, and assembling a security profile for each application.


Need for Security Threat Modeling
• Cybercrime has exacted a heavy toll on the online community in recent years.
• Cybercrime is happening all the time, and no business, organization or customer is safe.
• Security breaches have increased 11% since 2018.


Ten Threat Modeling Methodologies
• 1. STRIDE
• A methodology developed by Microsoft for threat modeling, it offers a mnemonic for identifying security threats.

• Spoofing: An intruder posing as another user or component that has an identity in the modeled system.

• Tampering: The altering of data within a system to achieve a malicious goal.


Ten Threat Modeling Methodologies
• Repudiation: The ability of an intruder to deny that they performed some malicious activity, due to the absence of enough proof.
• Information Disclosure: Exposing protected data to a user that is not authorized to see it.
• Denial of service:
• Elevation of Privilege: Allowing an intruder to execute commands and functions that they are not allowed to.

Data Vs. User Security Models
1. Integrity

• It is easy to define integrity of data but far less easy to ensure it.

• Only accurate and up-to-date data has data integrity.

2. Privacy

• Data privacy is a requirement for data to be available only to authorized users.

• Data privacy is about keeping data private rather than allowing it to be available in the public domain.

Data Vs. User Security Models
3. Data privacy is the branch of information security dealing with the proper handling of data concerning consent, notices, sensitivity and regulatory concerns.

Practical data privacy problems often revolve around:

1. Whether or how data can be shared with third parties

2. If data can legally be collected or stored


Security Challenges within the IoT
• Physical Limitations of Devices and Communications
• Heterogeneity, Scale and Ad hoc Nature
• Authentication and Identity Management
• Authorization and Access Control
• Implementation, Updating, Responsibility and Accountability
• Security Issues in Health, Well-being and Recreation
• Security Issues in Connected and Autonomous Vehicles
• Security Issues in Industry
• Security Issues in Logistics
• Security Issues in Smart Grid
• Security Issues in Homes, Buildings and Offices

Challenges in Designing IoT Application

• Connectivity

• Security and Privacy

• Flexibility and Compatibility

• Data Collection and Processing


Lightweight Cryptography

• Requirements for Lightweight Cryptography

• Size

• Power

• Power Consumption

• Processing Speed (throughput, delay)


Lightweight Cryptography

• Symmetric key and public key cryptographies

• Cryptography can roughly be divided into symmetric key and public key (asymmetric key) cryptographies.

• Symmetric key cryptography uses the same secret key for encryption and decryption.


Trends in Lightweight Cryptography

• Lightweight cryptography was established at ISO/IEC JTC1/SC27. The US National Institute of Standards and Technology (NIST).

• A block cipher mode of operation that can achieve both encryption and message authentication is called authenticated encryption.


Trends in Lightweight Cryptography

• Lightweight cryptography is an encryption method that features a small footprint and/or low computational complexity.

• It is aimed at expanding the applications of cryptography to constrained devices, and its related international standardization and guidelines compilation are currently underway.


Requirements for Lightweight Cryptography

• Size (circuit size, ROM/RAM sizes)
• Power
• Power consumption
• Processing speed (throughput, delay)


Fig.1 Lightweight Cryptography



Lightweight Cryptography

• Applying encryption to sensor devices means the implementation of data protection for confidentiality and integrity, which can be an effective countermeasure against the threats (Fig.1).
• Lightweight cryptography has the function of enabling the application of secure encryption, even for devices with limited resources.

Fig.2 An example of a block cipher mode of operation.


Example of block cipher mode of operation.

• Fig.2 shows an example of the block cipher mode of operation used for authentication (called CBC-MAC: cipher block chaining message authentication code).

• To make cryptography lightweight, both the block cipher mode of operation and the cryptographic primitives must be made more efficient.
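
The CBC-MAC mode named above, as an added example that is not part of the original slides: it chains a lightweight ARX block cipher and prepends the message length, because plain CBC-MAC is only safe for fixed-length messages. The choice of Speck64/128 as the primitive is an assumption (the slides name no cipher), and the key, the sensor payload and all function names are constructed for illustration.

```python
import hmac
import struct

MASK = 0xFFFFFFFF   # Speck64/128 works on 32-bit words
ROUNDS = 27         # round count for the 64-bit block / 128-bit key variant

def _ror(v, r): return ((v >> r) | (v << (32 - r))) & MASK
def _rol(v, r): return ((v << r) | (v >> (32 - r))) & MASK

def _round(x, y, k):
    """One Speck round: add, rotate and xor only, cheap on small MCUs."""
    x = ((_ror(x, 8) + y) & MASK) ^ k
    y = _rol(y, 3) ^ x
    return x, y

def expand_key(key: bytes):
    """16-byte key -> 27 round keys (words read big-endian, as printed in the Speck paper)."""
    l2, l1, l0, k = struct.unpack(">4I", key)
    l, round_keys = [l0, l1, l2], [k]
    for i in range(ROUNDS - 1):
        new_l, k = _round(l[i], k, i)   # the key schedule reuses the round function
        l.append(new_l)
        round_keys.append(k)
    return round_keys

def encrypt_block(round_keys, block: bytes) -> bytes:
    x, y = struct.unpack(">2I", block)
    for k in round_keys:
        x, y = _round(x, y, k)
    return struct.pack(">2I", x, y)

def cbc_mac(key: bytes, message: bytes) -> bytes:
    """CBC-MAC with the length prepended; the tag is the last cipher block."""
    rk = expand_key(key)
    data = struct.pack(">Q", len(message)) + message   # length block first
    data += b"\x00" * (-len(data) % 8)                 # zero-pad to 8-byte blocks
    state = bytes(8)                                   # fixed all-zero IV
    for i in range(0, len(data), 8):
        mixed = bytes(a ^ b for a, b in zip(state, data[i:i + 8]))
        state = encrypt_block(rk, mixed)
    return state

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(key, message), tag)  # constant-time compare

# Constructed sample: key bytes and a sensor payload made up for this example.
KEY = bytes.fromhex("1b1a1918131211100b0a090803020100")
READING = b"temp=21.5;id=7"
TAG = cbc_mac(KEY, READING)
```

With a 64-bit block the tag is 64 bits long; CMAC is the standardized alternative for variable-length messages.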