skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Building a Low-cost and State-of-the-art IoT Security Hands-on Laboratory
The popularity of IoT has raised grave security and privacy concerns. The huge IoT botnets Mirai and Reaper were built on compromised IoT devices. In this paper, we propose to develop a low-cost platform with an industrial grade microcontroller (MCU) ESP32 equipped with a crypto co-processor ATECC608A and create teaching materials including labs and case studies for IoT security education. MCUs have broad applications in IoT. Sensor nodes in various smart systems such as smart home, smart health and smart grid can use MCUs to process commands and perform automatic control. We will develop effective, engaging and novel teaching materials on IoT hardware security, operating system/firmware/software security, network security, and data security with the low-cost IoT kit and IDE. The teaching materials will contribute to the Cybersecurity Workforce Development Initiative led by NICE and help respond to a dynamic and rapidly developing array of cyber threats including those resulting from IoT.  more » « less
Award ID(s):
1723587 1802701 1916175 1915780
PAR ID:
10161194
Author(s) / Creator(s):
Date Published:
Journal Name:
IFIP International Internet of Things (IoT) Conference
Volume:
574
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; ; (, GLOBECOM 2020 - 2020 IEEE Global Communications Conference)
    null (Ed.)
    Internet of Things (IoT) devices have been increasingly integrated into our daily life. However, such smart devices suffer a broad attack surface. Particularly, attacks targeting the device software at runtime are challenging to defend against if IoT devices use resource-constrained microcontrollers (MCUs). TrustZone-M, a TrustZone extension for MCUs, is an emerging security technique fortifying MCU based IoT devices. This paper presents the first security analysis of potential software security issues in TrustZone-M enabled MCUs. We explore the stack-based buffer overflow (BOF) attack for code injection, return-oriented programming (ROP) attack, heap-based BOF attack, format string attack, and attacks against Non-secure Callable (NSC) functions in the context of TrustZone-M. We validate these attacks using the Microchip SAM L11 MCU, which uses the ARM Cortex-M23 processor with the TrustZone-M technology. Strategies to mitigate these software attacks are also discussed. 
    more » « less
  2. ; ; ; ; (, 2020 IEEE 26th International Conference on Parallel and Distributed Systems (ICPADS))
    null (Ed.)
    In this paper, we explore the use of microcontrollers (MCUs) and crypto coprocessors to secure IoT applications, and show how developers may implement a low-cost platform that provides protects private keys against software attacks. We first demonstrate the plausibility of format string attacks on the ESP32, a popular MCU from Espressif that uses the Harvard architecture. The format string attacks can be used to remotely steal private keys hard-coded in the firmware. We then present a framework termed SIC 2 (Securing IoT with Crypto Coprocessors), for secure key provisioning that protects end users' private keys from both software attacks and untrustworthy manufacturers. As a proof of concept, we pair the ESP32 with the low-cost ATECC608A cryptographic coprocessor by Microchip and connect to Amazon Web Services (AWS) and Amazon Elastic Container Service (EC2) using a hardware-protected private key, which provides the security features of TLS communication including authentication, encryption and integrity. We have developed a prototype and performed extensive experiments to show that the ATECC608A crypto chip may significantly reduce the TLS handshake time by as much as 82% with the remote server, and it may lower the total energy consumption of the system by up to 70%. Our results indicate that securing IoT with crypto coprocessors is a practicable solution for low-cost MCU based IoT devices. 
    more » « less
  3. ; (, 2020 IEEE International Conference on Consumer Electronics (ICCE))
    null (Ed.)
    Internet of Things (IoT) has facilitated the connection of many smart devices via internet. Recent cyberattacks have shown that resource constrained IoT nodes are easy prey that lead towards compromising the secrecy of the data and vulnerabilities could be exploited remotely to take control of safety-critical systems. Photoresistor sensors have applications in IoT systems, such as smart street lighting, intelligent cameras, light activated smart consumer electronics, smart home, smart healthcare, etc. Building hardware security primitives, such as True Random Number Generator (TRNG), based on the intrinsic properties of photoresistor would be a novel direction to develop cost-savvy IoT security primitives. Therefore, this paper proposes a TRNG prototype that is devised from uncertainty presents in photoresistor sensors. The proposed TRNG prototype does not require any complex interfacing for preprocessing the weak signal, thereby reducing the unnecessary delay and the recurring hardware cost. The proposed prototype employs the novel approach of additive scrambling that aids to sample sensors at a higher rate. The proposed TRNG has an average random bit generation rate of 8 kbps that is better than the recent work in the literature. The quality of randomness was validated by 15 test batteries of NIST STS test. 
    more » « less
  4. ; ; (, 2021 International Conference on Computer Communications and Networks (ICCCN))
    Understanding network traffic characteristics of IoT devices plays a critical role in improving both the performance and security of IoT devices, including IoT device identification, classification, and anomaly detection. Although a number of existing research efforts have developed machine-learning based algorithms to help address the challenges in improving the security of IoT devices, none of them have provided detailed studies on the network traffic characteristics of IoT devices. In this paper we collect and analyze the network traffic generated in a typical smart homes environment consisting of a set of common IoT (and non-IoT) devices. We analyze the network traffic characteristics of IoT devices from three complementary aspects: remote network servers and port numbers that IoT devices connect to, flow-level traffic characteristics such as flow duration, and packet-level traffic characteristics such as packet inter-arrival time. Our study provides critical insights into the operational and behavioral characteristics of IoT devices, which can help develop more effective security and performance algorithms for IoT devices. 
    more » « less
  5. (, IEEE transactions on dependable and secure computing)
    Smart homes are interconnected homes in which a wide variety of digital devices with limited resources communicate with multiple users and among themselves using multiple protocols. The deployment of resource-limited devices and the use of a wide range of technologies expand the attack surface and position the smart home as a target for many potential security threats. Access control is among the top security challenges in smart home IoT. Several access control models have been developed or adapted for IoT in general, with a few specifically designed for the smart home IoT domain. Most of these models are built on the role-based access control (RBAC) model or the attribute-based access control (ABAC) model. However, recently some researchers demonstrated that the need arises for a hybrid model combining ABAC and RBAC, thereby incorporating the benefits of both models to better meet IoT access control challenges in general and smart homes requirements in particular. In this paper, we used two approaches to develop two different hybrid models for smart home IoT. We followed a role-centric approach and an attribute-centric approach to develop HyBAC RC and HyBAC AC , respectively. We formally define these models and illustrate their features through a use case scenario demonstration. We further provide a proof-of-concept implementation for each model in Amazon Web Services (AWS) IoT platform. Finally, we conduct a theoretical comparison between the two models proposed in this paper in addition to the EGRBAC model (RBAC model for smart home IoT) and HABAC model (ABAC model for smart home IoT), which were previously developed to meet smart homes’ challenges. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Text Encoded Conversion
  • XML
  • Save / Share this Record
  • Send to Email