
SECURITY FOR INTERNET OF THINGS DEVICES PARTICIPATING IN GROUP COMMUNICATION

IP.com Disclosure Number: IPCOM000248165D
Publication Date: 2016-Nov-02
Document File: 4 page(s) / 222K

Publishing Venue

The IP.com Prior Art Database

Related People

Tirumaleswar Reddy: AUTHOR [+3]

Abstract

A mechanism is presented herein in which a firewall, such as an area border service instantiated as a group member, inspects group communication messages between Internet of Things (IOT) devices and uses machine learning techniques to detect and block compromised IOT devices. These techniques effectively address a number of specific attacks.



AUTHORS:

Tirumaleswar Reddy
Dan Wing
Carlos M. Pignataro

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

    Internet of Things (IOT) devices often use group communications. For example, the lights in a given room or building may need to be switched on/off, have their brightness adjusted, or have their color changed at one time by one or more switches. The following reference discusses group communication under the Constrained Application Protocol (CoAP): https://tools.ietf.org/html/rfc7390. The scope for group communication can be link-local or site-local.

    The Authentication and Authorization for Constrained Environments (ACE) working group (WG) of the Internet Engineering Task Force (IETF) is considering two approaches to solving the related security problems:

1. Symmetric group keys.

• Pros: Faster request/response.

• Cons: Low security. For example, consider light A that belongs to a group that includes a light switch and other lights. Typically, only the light switch is authorized to issue on/off commands. However, in this example, light A becomes compromised and is able to issue on/off commands to other lights in the group.

Copyright 2016 Cisco Systems, Inc.

2. Symmetric group keys with digital signature for data origin authentication.

• Pros: High security. This approach does not suffer from the threat in connection with the symmetric group key approach, discussed above.

• Cons: Slow request/response. An elliptic curve digital signature algorithm (ECDSA) can be used to generate a digital signature for multicast CoAP messages. Generating and validating the digital signature incurs a delay.

    A problem with group communication in the lighting domain is that the senders and receivers in various deployments may not be physically secured and, as a result, can become compromised. For example, possible attacks are:

• Attack A: In a lighting domain where light switches are authorized to issue on/off commands and lights are not authorized to control other lights, it may be possible for an attacker to infect the IOT device (e.g., a light), learn the group keying material, and act as the device (e.g., switch) that is supposed to send requests to the IOT devices. Ultimately, the attacker can gain control of the other IOT devices (e.g., other lights).

• Attack B: When the sender (e.g., a switch) in a group communication becomes compromised, the attacker may gain control of the sender and, eventually, the IOT devices (e.g., lights) as well.
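The two ACE approaches and Attack A, as an added example that is not part of this disclosure: Go code (standard library only) in which compromised light A, holding the shared group key, builds an "off" command that other lights accept as if it came from the switch, while under per-sender ECDSA signatures the same forgery fails. The "sender|command" message format, the constructed group key and the P-256 keys are assumptions for the simulation, not details from the disclosure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"strings"
)

// A constructed command is "<claimed sender>|<command>", e.g. "switch|off"; the
// tag or signature covers the whole string, so the claimed sender is bound to it.
func digest(msg string) []byte { d := sha256.Sum256([]byte(msg)); return d[:] }
// Approach 1: one symmetric key shared by the switch and every light.
var groupKey = []byte("constructed-shared-group-key")
func macTag(msg string) []byte {
	h := hmac.New(sha256.New, groupKey)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// A light enforces "only the switch may issue commands", but the shared key
// cannot distinguish a real switch message from one built by any member.
func AcceptWithGroupKey(msg string, tag []byte) bool {
	return strings.HasPrefix(msg, "switch|") && hmac.Equal(tag, macTag(msg))
}

// Approach 2: each sender signs with its own private key and lights trust only
// the switch's public key, so the origin of each command is authenticated.
func Sign(priv *ecdsa.PrivateKey, msg string) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(msg))
	return sig
}

func AcceptWithSignature(switchPub *ecdsa.PublicKey, msg string, sig []byte) bool {
	return strings.HasPrefix(msg, "switch|") && ecdsa.VerifyASN1(switchPub, digest(msg), sig)
}

// Simulate plays Attack A: compromised light A, which holds the group key and
// its own signing key, sends "switch|off" while claiming to be the switch.
func Simulate() (legitMAC, legitSig, forgedMAC, forgedSig bool) {
	switchKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	lightAKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const off = "switch|off"
	legitMAC = AcceptWithGroupKey(off, macTag(off))  // tag computed by the real switch
	forgedMAC = AcceptWithGroupKey(off, macTag(off)) // light A derives the identical tag
	legitSig = AcceptWithSignature(&switchKey.PublicKey, off, Sign(switchKey, off))
	forgedSig = AcceptWithSignature(&switchKey.PublicKey, off, Sign(lightAKey, off))
	return
}
```

The signature check only authenticates origin; the receiver still needs the authorization policy (here the "switch|" prefix check) to decide which authenticated senders may issue commands.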

    The severity of the attacks depends on the deployment scenario, such...