Content uploaded by Luca Caviglione
Author content
All content in this area was uploaded by Luca Caviglione on Feb 05, 2015
Content may be subject to copyright.
A preview of the PDF is not available
Analysis of Human Awareness of Security and Privacy Threats in Smart Environments
Abstract and Figures
Smart environments integrate Information and Communica-tion Technologies (ICT) into devices, vehicles, buildings and cities to offer an increased quality of life, energy efficiency and economical sus-tainability. In this perspective, the individual has a core role and so has networking, which enables such entities to cooperate. However, the huge amount of sensitive data, social aspects and the mixed set of protocols offer many opportunities to inject hazards, exfiltrate information, mass profiling of citizens, or produce a new wave of attacks. This work re-views the major risks arising from the usage of ICT-techniques for smart environments, with emphasis on networking. Its main contribution is to explain the role of different stakeholders for causing a lack of security and to envision future threats by considering human aspects.
Figures - uploaded by Luca Caviglione
Author content
All figure content in this area was uploaded by Luca Caviglione
Content may be subject to copyright.
... The Miami TGK prison system also suffered of an incident that led to the system opening the cells doors of prisoners [9]. BACNet devices have already been infected by botnet malwares and used to conduct distributed attacks [10], and some researchers foresee smart building BotNets further arising in the future [11]. ...
... Several publications are fully dedicated to DoS attacks at the automation and management layers [26,27,28,29,10,16,17,11,30,22]. Two main type of DoS attacks can be conducted at this layer [26]: host-based and network-based. ...
... In network-based DoS, the target is the network itself, where the attackers try to waste the network bandwidth up to completely interrupting the communication between the devices located in the affected segment. In terms of particular techniques to effectively launch a DoS, a prominent one was flooding [10], [28], [29], [27], [11]. In this type of DoS attacks, an attacker uses weaknesses of the network or service where they become so overwhelmed with requests that they can no longer process genuine connection requests. ...
Smart Buildings are networks of connected devices and software in charge of automatically managing and controlling several building functions such as HVAC, fire alarms, lighting, shading and more. These systems evolved from mostly electronic and mechanical elements to complex systems relying on IT and wireless technologies and networks. This exposes smart buildings to new risks and threats that need to be enumerated and addressed. Research efforts have been done in several areas related to security in smart buildings but a clear overview of the research field is missing. In this paper, we present the results of a systematic literature review that provides a thorough understanding of the state of the art in research on the security of smart buildings. We found that the field of smart buildings security is growing significantly in complexity due to the many protocols introduced recently and that the research community is already studying. We also found an important lack of empirical evaluations, though evaluations on testbeds and real systems seems to be growing. Finally, we found an almost complete lack of consideration of non-technical aspects, such as social, organisational, and human factors, which are crucial in this type of systems, where ownership and liability is not always clear.
... Our investigation hints at malware increasingly specializing to assault devices, assets and smart scenarios, which are becoming popular and profitable. To give a possible idea of the trends that we expect, we borrow from [185] the following taxonomy highlighting exploitable security risks. In more detail: ...
... Gaming consoles, set-top-boxes, actuators for cyber-physical systems and household appliances can be both weak points exploited by ransomware and weaponized assets to bridge attacks or implement air-gapped covert channels for spreading an infection, even when network connectivity is absent [186]. • smartphones: since they are equipped with a variety of sensors that can be used to gather information, smartphones are prime targets for malware, especially if endowed with steganographic capabilities [41], [185], [187]. Nevertheless, smartphones are centralizing an unprecedented amount of personal data, thus they are prone to mass profiling campaigns or a candidate for becoming the prime source for developing social engineering-based scams, like phishing. ...
Cyber attacks are currently blooming, as the attackers reap significant profits from them and face a limited risk when compared to committing the “classical” crimes. One of the major components that leads to the successful compromising of the targeted system is malicious software. It allows using the victim’s machine for various nefarious purposes, e.g., making it a part of the botnet, mining cryptocurrencies, or holding hostage the data stored there. At present, the complexity, proliferation, and variety of malware pose a real challenge for the existing countermeasures and require their constant improvements. That is why, in this paper we first perform a detailed meta-review of the existing surveys related to malware and its detection techniques. On this basis, we review the evolution of modern threats in the communication networks and we present the bird’s eye view portraying the main development trends in detection methods with a special emphasis on the machine learning techniques.
... With the IoT, technologies are tightly-coupled with their users, especially concerning their behavior, bad habits, and sensitive data. Thus, security and privacy issues can result from all the information collected, transmitted and stored within smart environments [22]. Assets in any IoT ecosystem can be any item that are considered valuable, such as hardware, software, or a piece of data (belonging to individuals or corporate organizations), services, or the data therein. ...
As the Internet of Things (IoT) era raise, billions of additional connected devices in new locations and applications will create new challenges. Security and privacy are among the major challenges in IoT as any breaches and misuse in those aspects will have the adverse impact on users. Among many factors that determine the security of any system, human factor is the most important aspect to be considered; as it is renowned that human is the weakest link in the information security cycle. Experts express the need to increase cyber resilience culture and a focus on the human factors involved in cybersecurity to counter cyber risks. The aim of this study is to propose a conceptual model to improve cyber resilience in IoT users that is adapted from a model in public health sector. Cyber resilience is improved through promoting security behavior by gathering the existing knowledge and gain understanding about every contributing aspects. The proposed approach is expected to be used as foundation for government, especially in Indonesia, to derive strategies in improving cyber resilience of IoT users.
... It is a social process that we call the cycle of blame that prevents the fast integration of security features into smart building products. In this cycle that was initially introduced in [44], vendors state that the integration of security into their products results in decreased sales as their production cost and product prices increase. Customers are not willing to pay the additional cost. ...
... It is a social process that we call the cycle of blame that prevents the fast integration of security features into smart building products. In this cycle that was initially introduced in [44], vendors state that the integration of security into their products results in decreased sales as their production cost and product prices increase. Customers are not willing to pay the additional cost. ...
This chapter introduces the cyber security of smart buildings and their most relevant communication protocols. We explain the fundamentals of a smart building, including their technical components, a brief analysis of their historical developments, the role of smart buildings in smart cities, and known attack cases on smart buildings. Afterwards, we explain the predominant communication protocols of smart buildings and their security features. The succeeding section covers technical aspects of attacks on smart building infrastructure, the implications of such attacks, and reasons for insecure buildings. After these problems were analyzed, solutions for the protection of automated buildings are discussed. Finally, we cover recent trends in smart building security research and conclude.
There are technologies that support intercultural collaboration by allowing people to communicate more easily across the barriers of culture and language. However, sometimes user-sensitive information needs to be accessed. In best-balanced machine translation, a method that recommends the languages and machine translation services that should be used to assist multilingual group communication, user test scores must be disclosed to generate the language recommendations. There are various methods that can protect the data (test scores) and methods that allow simple statistic calculations, however, no existing method supports the complex calculations needed by the best-balanced machine translation method. This paper emphasizes the importance of user privacy in intercultural collaboration. We provide the initial idea and show how user test scores can be protected while supporting the recommendation system. We introduce a detailed example to discuss the design of a suitable user interface.
The appearance of the smart houses, buildings, and cities has defined new attack scenarios targeting industrial information systems. The paper suggests a visualization-driven approach to the analysis of the data from heating, ventilating and conditioning system (HVAC). The key element of the approach is the RadViz visualization that is used to form daily operation patterns and can detect suspicious deviations that could be the signs of fraudulent activity in the system. It is supplemented by a matrix-based representation of the HVAC parameters that is constructed in the way that allows highlighting changes in values of parameters being analyzed. The distinctive feature of the proposed visualization models is the ability to display data from different data sources. To demonstrate and evaluate the efficiency of the proposed approach we used the VAST MiniChallenge-2 2016 data set that contains logs from the HVAC system and the access control system.
Software systems intelligence and complexity have been continuously increasing to deliver more and more features to support business critical and mission critical processes in numerous domains such as defense, health-care, and smart cities. Contemporary software-based solutions are composed of several software systems, that form System-of-Systems (SoS). SoS differentiating characteristics, such as emergent behavior, introduce specific issues that render their security modeling, simulation and analysis a critical challenge. The aim of this work is to investigate how Software Engineering (SE) approaches can be leveraged to model and analyze secure SoS solutions for predicting high impact (cascading) attacks at the architecture stage. In order to achieve this objective, we propose a Model Driven Engineering method, Systems-of-Systems Security (SoSSec), that comprises: (1) a modeling language (SoSSecML) for secure SoS modeling and (2) Multi-Agent Systems (MAS) for security analysis of SoS architectures. To illustrate our proposed approach in terms of modeling, simulating, and discovering attacks, we have conducted a case study on a real-life smart building SoS, the Adelaide University Health and Medical School (AHMS). The results from this case study demonstrate that our proposed method discovers cascading attacks comprising of a number of individual attacks, such as a Denial of Service, that arise from a succession of exploited vulnerabilities through interactions among the constituent systems of SoS. In future work, we intend to extend SoSSec to address diverse unknown emergent behaviors and non-functional properties such as safety and trust.
Increasing utilizations of kill switches, remote deletion, and intelligent agents as a part of “Internet of Things” (IoT) architectures present emerging cybersecurity and privacy challenges. These issues are compounded in complexity by the frequent updates and other controls instituted by the growing assortment of purveyors of household IoT devices and systems. This paper proposes that aspects of user ownership, awareness, and voice be clarified and in some venues fostered in part to expose as quickly as possible potential technological and social dangers. It addresses rights of household participants to obtain knowledge and control over the intelligent IoT agents operating (and perhaps “quartering”) in their personal and intimate spheres, as well as to be free from inappropriately opportunistic applications associated with IoT systems.
The Apple operating system has so far proved resistant to information-hiding techniques, which help attackers communicate covertly. However, Siri-an iOS service that controls iPhones and iPads via voice commands-could change this trend.
By offering sophisticated services and centralizing a huge volume of personal data, modern smartphones changed the way we socialize, entertain and work. To this aim, they rely upon complex hardware/software frameworks leading to a number of vulnerabilities, attacks and hazards to profile individuals or gather sensitive information. However, the majority of works evaluating the security degree of smartphones neglects steganog-raphy, which can be mainly used to: i) exfiltrate confidential data via camouflage methods, and ii) conceal valuable or personal information into innocent looking carriers. Therefore, this paper surveys the state of the art of stegano-graphic techniques for smartphones, with emphasis on methods developed over the period 2005 to the second quarter of 2014. The different approaches are grouped according to the portion of the device used to hide information, leading to three different covert channels, i.e., local, object and network. Also, it reviews the relevant approaches used to detect and mitigate steganographic attacks or threats. Lastly, it showcases the most popular software applications to embed secret data into carriers, as well as possible future directions.
Network steganography is the art of hiding secret information within innocent
network transmissions. Recent findings indicate that novel malware is
increasingly using network steganography. Similarly, other malicious activities
can profit from network steganography, such as data leakage or the exchange of
pedophile data. This paper provides an introduction to network steganography
and highlights its potential application for harmful purposes. We discuss the
issues related to countering network steganography in practice and provide an
outlook on further research directions and problems.
A building automation system (BAS) is the IT equipment within a building that monitors and controls the building (e.g., measuring temperature in a room to configure the heating level within the same room). We discuss the potential and the use of botnets in the context of BAS. Our botnet concept and scenario is novel in the sense that it takes advantage of the phyiscal capabilities of a building and as it has to adapt to a specialized environment being highly deterministic, predictable, simplistic and conservative. These properties make anomalies easy to detect. Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals. We discuss why building automation botnets could thus enable attackers to cause various critical damage on whole regions and economies. Hiding the command and control communication is a highly beneficial step to adapt botnets to the BAS environment. We show that this is not necessarily a big hurdle and can be solved using existing covert channel techniques.
Smartphones are now handling personal and extremely important data and applications. This increases mobile environment threats and makes smartphones one of attackers' preferred targets. To mitigate threats, many proposals and counter-measures have been proposed. In this paper, we focus on one of them, the Trusted Execution Environment (TEE) which is a new family of architecture having its own hardware and software environment completely isolated from the mobile ones. It intends to offer better security than the one provided by mobile platforms. It proposes for example secure storage to applications running on top of the mobile Operating System. We give a complete overview of standardization activities on TEE. We first detail the software and hardware architecture of the TEE as introduced by GlobalPlatform specifications. Then, we describe the different available TEE solutions. Finally, we compare these solutions according to key performance parameters with a special interest to security aspects.
Engineering of building structures is characterized by a standardized process flow which includes feasibility studies, draft and detailed design, construction, operation, conversion and demolition. The main goals are a sufficient quality, economic efficiency and sustainability of the building. However, the process flow is commonly interrupted by individual issues, alterations in use, function and ownership as well as technical developments over the referenced lifetime of 50-100 years.
This contribution focusses on the integration of Resilience Engineering (RE) in the building lifecycle process using trans-disciplinary product lifecycle management (PLM) in Building Information Modeling (BIM). Those methods provide the techniques to solve the current deficiencies in the engineering process flow if they are continuously applied over the whole lifecycle.
An example for critical built infrastructures is presented to point out how multi-hazard risk assessment strategies, scenario definition, design strategies and a performance based design are coped with in BIM-based resilience engineering.
There is a well-known issue facing the industry today of cyber-criminals targeting business websites. This impacts organisations of all sizes and is a growing concern. While there are a number of ways to address this issue, the ‘security as a process’ approach forms the ideal basis for any strategy. Security as a process should be accepted as the norm within every business. It allows operation within areas that previously would have been seen as hostile – for example, running websites on the Internet.
While there are a number of ways to address the issue of cybercrime, the ‘security as a process’ approach forms the ideal basis for any strategy.
Processes such as system hardening, security patching, security testing, log analysis, and so on can all be iterative, feeding back into the security process to improve security in the future, explains Mark Lowe of Portcullis Computer Security.
Cyber situational awareness is attracting much attention. It features prominently in the national cyber strategies of many countries, and there is a considerable body of research dealing with it. However, until now, there has been no systematic and up-to-date review of the scientific literature on cyber situational awareness.
This article presents a review of cyber situational awareness, based on systematic queries in four leading scientific databases. 102 articles were read, clustered, and are succinctly described in the paper. The findings are discussed from the perspective of both national cyber strategies and science, and some directions for future research are examined.