11/16/2021
By Chao Gao

The Kennedy College of Sciences, Department of Computer Science, invites you to the doctoral dissertation defense by Chao Gao on "On IoT security from an end-to-end perspective."

Ph.D. Candidate: Chao Gao
Time: Monday, Nov. 29, 2021, 10 a.m.
Location: Southwick Hall 240
Committee Members:

  • Xinwen Fu (advisor), Professor, Computer Science Department, University of Massachusetts Lowell
  • Benyuan Liu, Professor, Computer Science Department, University of Massachusetts Lowell
  • Claire Lee, Assistant Professor, School of Criminology and Justice Studies Department, University of Massachusetts Lowell

Abstract:
With the rapid development of the Internet of Things (IoT), more and more small devices are connected to the Internet for monitoring, control, and data collection. Because of its flexibility, convenience, and intelligence, IoT has attracted great interest from industry and has broad applications, such as the smart home, smart city, smart healthcare, and smart environment. However, security is one of the most important concerns of the Internet of Things. In this dissertation, we present an end-to-end view of IoT security and privacy as well as multiple case studies.

We first present a case study of the Edimax smart plug system: by analyzing its communication protocols, we successfully launch four attacks, namely a device scanning attack, a brute force attack, a spoofing attack, and a firmware attack. Our real-world experimental results show that these attacks allow us to obtain users' authentication credentials. We then introduce our end-to-end view of the IoT system, which can guide the risk assessment and design of IoT systems. Based on this view, we systematically present security and privacy requirements for IoT systems along five dimensions: hardware, operating system/firmware, software, networking, and the data generated and maintained within the system. Building on this view, we propose SecT, a secure, lightweight, and thing-centered IoT communication system based on MQTT, in which the device (thing) itself authenticates users. We implemented a prototype of SecT on a $10 Raspberry Pi Zero W and performed extensive experiments to validate its performance. The experimental results show that SecT is both cost-effective and practical. We then study the security of microcontroller (MCU) based IoT firmware. We investigate the security issues that may exist in the firmware update process of MCU-based IoT applications, examine secure firmware update mechanisms for the legacy MCU ATmega1284P, and discuss pitfalls that may occur in implementations. Finally, we introduce a cost-effective system that transforms legacy IR-controlled devices into Internet-connected smart IoT devices through a Raspberry Pi with an IR transceiver module. We analyze the factors that affect the IR transmission range, discuss the security implications of IR communication using our setup, and demonstrate attack scenarios.

The overall goal of this dissertation is to discover security issues in IoT systems from an end-to-end perspective and to urge IoT device manufacturers to give security a higher priority in their products. We propose an end-to-end view of the IoT system, which can guide the design of a secure and privacy-preserving IoT system. Based on this end-to-end view, we present reliable designs for a secure IoT system along its different dimensions.