Security Assessment of Modern Data Aggregation Platforms in the Internet of Things

Abstract

With the popularity of the Internet of Things on the rise, sensor networks have become essential parts of traditional Information and Communication Technology (ICT) infrastructures in a wide variety of applications. However, their increasing complexity, inter-connectivity, and pervasive implementation, exposes these infrastructures to a large variety of security threats. As a result, practical security analysis needs to be performed to evidentiate the possible vulnerable points in IoT infrastructures.
In this work we consider a typical architecture of a data aggregation platform with publish-subscribe support composed of interconnected sensor and ICT infrastructures. We present a comprehensive threat analysis by considering the availability, integrity, and confidentiality security objectives. We describe the experimental results of a case study performed on a real, laboratory-scale implementation of an IoT-based application. Finally, we demonstrate that modern IoT-based software are susceptible to cyber attacks that use traditional attack vectors and recently reported vulnerabilities, e.g., Heartbleed and Shellshock.

Keywords

• —Sensor Data Aggregation, Heterogeneous Infrastructures, Threat Analysis, Attack Tree

References

1. K. Ahmed and M. Gregory, “Integrating wireless sensor net- works with cloud computing,” in Mobile Ad-hoc and Sensor Networks (MSN), 2011 Seventh International Conference on. IEEE, 2011, pp. 364–366.
2. C. Alcaraz and J. Lopez, “A security analysis for wireless sensor mesh networks in highly critical systems,” Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions on, vol. 40, no. 4, pp. 419–428, 2010.
3. T. Bakıcı, E. Almirall, and J. Wareham, “A smart city initiative: the case of barcelona,” Journal of the Knowledge Economy, vol. 4, no. 2, pp. 135–148, 2013.
4. N. Bressan, L. Bazzaco, N. Bui, P. Casari, L. Vangelista, and M. Zorzi, “The deployment of a smart monitoring system using wireless sensor and actuator networks,” in Smart Grid Com- munications (SmartGridComm), 2010 First IEEE International Conference on.
5. Z. Durumeric, J. Kasten, D. Adrian, J. A. Halderman, M. Bailey, F. Li, N. Weaver, J. Amann, J. Beekman, M. Payer et al., “The matter of heartbleed,” in Proceedings of the 2014 Conference on Internet Measurement Conference.
6. A. C. Geary, “Analysis of a man-in-the-middle attack on the diffie-hellman key exchange protocol,” DTIC Document, Tech. Rep., 2009.
7. B. Genge, P. Haller, A. Gligor, and A. Beres, “An approach for cyber security experimentation supporting sensei/iot for smart grid,” in 2nd International Symposium on Digital Forensics and Security, 2014.
8. B. Genge, A. Beres, and P. Haller, “A survey on cloud-based software platforms to implement secure smart grids,” in Power Engineering Conference (UPEC), 2014 49th International Uni- versities.

9. M. M. Hassan, B. Song, and E.-N. Huh, “A framework of sensor-cloud integration opportunities and challenges,” in Pro- ceedings of the 3rd international conference on Ubiquitous information management and communication. pp. 618–626. ACM, 2009,
10. S. Hernan, S. Lambert, T. Ostwald, and A. Shostack, “Threat modeling-uncover security design flaws using the stride ap- proach,” MSDN Magazine-Louisville, pp. 68–75, 2006.
11. J. M. Hern´andez-Mu˜noz, J. B. Vercher, L. Mu˜noz, J. A. Galache, M. Presser, L. A. H. G´omez, and J. Pettersson, Smart cities at the forefront of the future internet.
12. B. M¨oller, T. Duong, and K. Kotowicz, “This poodle bites: Exploiting the ssl 3.0 fallback,” 2014.
13. S. Ozdemir and Y. Xiao, “Secure data aggregation in wireless sensor networks: A comprehensive overview,” Computer Net- works, vol. 53, no. 12, pp. 2022–2037, 2009.
14. S. Roy, M. Conti, S. Setia, and S. Jajodia, “Secure data aggre- gation in wireless sensor networks: Filtering out the attacker’s impact,” Information Forensics and Security, IEEE Transactions on, vol. 9, no. 4, pp. 681–694, 2014.
15. Y. Sang, H. Shen, Y. Inoguchi, Y. Tan, and N. Xiong, “Secure data aggregation in wireless sensor networks: A survey,” in Parallel and Distributed Computing, Applications and Tech- nologies, 2006. PDCAT’06. Seventh International Conference on.
16. B. Schneier, “Attack trees,” Dr. Dobbs journal, vol. 24, no. 12, pp. 21–29, 1999.
17. F. Touati, R. Tabish, and A. Ben Mnaouer, “Towards u-health: an indoor 6lowpan based platform for real-time healthcare monitoring,” in Wireless and Mobile Networking Conference (WMNC), 2013 6th Joint IFIP. [18] D. A. Wheeler, “Shellshock,” http://www.dwheeler.com/essays/shellshock.html, [Online; accessed 22-February-2015]. 2014,
18. M. Yoon, M. Jang, H.-I. Kim, and J.-W. Chang, “A signature- based data security technique for energy-efficient data aggre- gation in wireless sensor networks,” International Journal of Distributed Sensor Networks, vol. 2014, 2014.
19. Q. Zhu, R. Wang, Q. Chen, Y. Liu, and W. Qin, “Iot gateway: Bridgingwireless sensor networks into internet of things,” in Embedded and Ubiquitous Computing (EUC), 2010 IEEE/IFIP 8th International Conference on.