Internet of Things: a Survey on the Security of Iot Frameworks Mahmoud Ammar1, Giovanni Russello2, and Bruno Crispo1

Total Page:16

File Type:pdf, Size:1020Kb

Internet of Things: a Survey on the Security of Iot Frameworks Mahmoud Ammar1, Giovanni Russello2, and Bruno Crispo1 1 Internet of Things: A survey on the Security of IoT Frameworks Mahmoud Ammar1, Giovanni Russello2, and Bruno Crispo1 1Department of Computer Science, KU Leuven University, Heverlee, 3001, Belgium E-mail: ffi[email protected] 2Department of Computer Science, University of Auckland, Private Bag 92019, Auckland 1142, New Zealand E-mail: [email protected] Abstract—The Internet of Things (IoT) is heavily affecting our Very recently, several IoT frameworks have been launched daily lives in many domains, ranging from tiny wearable devices by the major shareholders in the IoT domain and by the to large industrial systems. Consequently, a wide variety of IoT research community in order to support and make it easy to applications have been developed and deployed using different IoT frameworks. An IoT framework is a set of guiding rules, develop, deploy and maintain IoT applications. Each player protocols, and standards which simplify the implementation built his approach depending on his vision towards the IoT of IoT applications. The success of these applications mainly world [1]. In this survey, we compare the properties of a depends on the ecosystem characteristics of the IoT framework, subset of IoT frameworks, targeting in particular their security with the emphasis on the security mechanisms employed in it, features. The selected set of IoT platforms1 includes: AWS IoT where issues related to security and privacy are pivotal. In this Amazon ARM Bed ARM Azure paper, we survey the security of the main IoT frameworks, a total from , from and other partners, of 8 frameworks are considered. For each framework, we clarify IoT Suite from Microsoft, Brillo/Weave from Google, Calvin the proposed architecture, the essentials of developing third- from Ericsson, HomeKit from Apple, Kura from Eclipse, and party smart apps, the compatible hardware, and the security SmartThings from Samsung. features. Comparing security architectures shows that the same standards used for securing communications, whereas different We selected the above frameworks based on the following methodologies followed for providing other security properties. criteria: (i) the reputation of the vendors in the software and electronics industries, (ii) the support of rapid application development and the number of applications on the store, (iii) Index Terms—Internet of Things, IoT, framework, platform, security. the coverage and usage of the framework, and it’s popularity in the IoT market. The objectives of this survey are manifold: I. INTRODUCTION • Giving a picture of the current state of the art IoT The Internet of Things (IoT) plays a remarkable role in all platforms and identifying the trends of current designs aspects of our daily lives. It covers many fields including of such platforms. healthcare, automobiles, entertainments, industrial appliances, • Providing a high level comparison between the different sports, homes, etc. The pervasiveness of IoT eases some architectures of the various frameworks. everyday activities, enriches the way people interact with • Focusing on the models designed and approaches devel- the environment and surroundings, and augments our social oped for ensuring security and privacy in these frame- interactions with other people and objects. This holistic vi- works. sion, however, raises also some concerns, like which level of • Illustrating the pros and cons of each framework in terms security the IoT could provide? and how it offers and protects of fulfilling the security requirements and meeting the the privacy of its users? standard guidelines. Developing applications for the IoT could be a challenging • Exploring the design flaws and opening the door for more task due to several reasons; (i) the high complexity of dis- in depth security analysis against potential threats. tributed computing, (ii) the lack of general guidelines or frame- The remainder of this paper is structured as follows: Section II works that handle low level communication and simplify high describes the general concept of the IoT framework. Related level implementation, (iii) multiple programming languages, works are presented in Section III. Section IV is the backbone and (iv) various communication protocols. It involves devel- of this paper which provides a horizontal overview of the opers to manage the infrastructure and handle both software various IoT frameworks and focuses on the related security and hardware layers along with preserving all functional and features. A discussion is provided in Section V. Finally, non-functional software requirements. This complexity has led Section VI concludes this study. to a quick evolution in terms of introducing IoT programming frameworks that handle the aforementioned challenges. 1In this paper, the terms Framework and Platform are used interchangeably. 2 II. BACKGROUND The very rapid growth of Internet-connected devices, ranging from very simple sensors to highly complex cloud servers, shapes the Internet of Things, where Things, in this con- text, refers to a wide variety of objects (e.g. smart bulbs, public Cloud smart locks, IP cameras, thermostats, electronic appliances, alarm clocks, vending machines, and more). The resemblance IoT devices between all IoT objects is the ability to connect to the Internet and exchange data. The network connectivity feature allows controlling objects remotely across the existing network infrastructure, resulting in more integration with the real world and less human intervention. The IoT transforms these objects GSM Tower from being classical to smart by exploiting its underlying technologies such as pervasive computing, communication User capabilities, Internet protocols, and applications. Protocols are Gateway required in order to identify the spoken language of the IoT devices in terms of the format of exchanged messages, and select the correct boundaries that comply with the various functionality of each device. Applications determine levels of granularity and specialty of the IoT device and how big are Fig. 1: A high level system model of IoT the data generated for analytics purposes. They also indicate Telemetry Transport (MQTT) [10], Extensible Messaging and the general scope of the IoT framework covering the context Presence Protocol (XMPP) [11], Advanced Messaging Queu- of the applied domain. ing Protocol (AMQP) [12], and Data Distribution Service (DDS) [13]. The concept of IoT framework entails identifying a structure which coordinates and controls processes being conducted by The system model, presented in Figure 1, helps to gain a the various IoT elements. This structure is a set of rules, better insight into the real meaning of IoT, and understand protocols and regulations that organize the way of processing the importance of having a framework, in which, hiding the data and exchange messages between all involved parties (e.g. complexity and bringing simplicity to application development embedded devices, cloud, end-users). Also, it should support are axial. The IoT framework should handle the life cycle the high level implementation of IoT applications and hide of sensing, computing, delivering, and presenting data. De- the complexity of infrastructure protocols. There are several pending on their capabilities, some IoT devices can reach approaches that can be followed to build an IoT framework de- the outside world (e.g. the cloud) directly and some others pending on the requirements of the target business [2]. must connect to a hub or a gateway in order to connect to the external world. For the IoT frameworks considered in In this survey, we are targeting IoT frameworks based on this survey, the cloud is the backbone, which offers databases the public cloud approach, as they are the most commonly for storing data, services for data analytics, security modules used and widely available in the IoT market. The main for preserving confidentiality and supports privacy, and other building blocks of any cloud-based IoT framework are the services. Customers use their smart phones, tablets, or laptops physical objects and the protocols. Physical objects include: to interact with other IoT devices indirectly through either a (i) smart devices such as sensors, actuators, etc., (ii) servers cloud backend or a gateway. act as a cloud-backend or hubs/gateways for routing, storing, and accessing various pieces of data, and (iii) end-users In spite of targeting the same objective, different approaches represented by the applications they use to access data and have been designed and followed by vendors in order to build interact with IoT devices. Protocols run on different layers their IoT frameworks. In particular, the following questions and provide end-to-end communication. To the best of our arise regarding the design details of such frameworks: knowledge, there is no a standard IoT architecture yet. For simplicity, we are considering the basic one which is a • How each IoT framework handles the communication 3-layer architecture [3] composed of Application, Network, processes between IoT devices and cloud? Between cloud and Perception layers. The Perception layer belongs to the and end-users? What are the protocols and techniques physical devices that identify and sense analog data and then used? digitize it for transportation purposes. Infrastructure protocols • What are the hardware and software dependencies in each such as ZigBee [4], Z-Wave [5], Bluetooth Low Energy framework? (BLE) [6], WiFi, and LTE-A [7] run in the Network layer. • To which
Recommended publications
  • EPIC Google FTC Complaint
    Before the Federal Trade Commission Washington, DC 20580 In the Matter of ) ) Google, Inc. and ) Cloud Computing Services ) ________________________________ ) Complaint and Request for Injunction, Request for Investigation and for Other Relief SUMMARY OF COMPLAINT 1. This complaint concerns privacy and security risks associated with the provision of “Cloud Computing Services” by Google, Inc. to American consumers, businesses, and federal agencies of the United States government. Recent reports indicate that Google does not adequately safeguard the confidential information that it obtains. Given the previous opinions of the Federal Trade Commission regarding the obligation of service providers to ensure security, EPIC hereby petitions the Federal Trade Commission to open an investigation into Google’s Cloud Computing Services, to determine the adequacy of the privacy and security safeguards, to assess the representations made by the firm regarding these services, to determine whether the firm has engaged in unfair and/or deceptive trade practices, and to take any such measures as are necessary, including to enjoin Google from offering such services until safeguards are verifiably established. Such action by the Commission is necessary to ensure the safety and security of information submitted to Google by American consumers, American businesses, and American federal agencies. PARTIES 1. The Electronic Privacy Information Center (“EPIC”) is a public interest research organization incorporated in Washington, DC. EPIC’s activities include the review of government and private sector policies and practices to determine their impact on the privacy interests of the American public. Among its other activities, EPIC initiated the complaint to the FTC regarding Microsoft Passport in which the Commission subsequently required Microsoft to implement a comprehensive information security program for 1 Passport and similar services.1 EPIC also filed the complaint with the Commission regarding databroker ChoicePoint, Inc.
    [Show full text]
  • Hannes Tschofenig
    Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 © 2018 Arm Limited Munich Agenda • For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based authentication. • TLS-PSK ciphersuites have • great performance, • low overhead, • small code size. • Drawback is the shared key concept. • Public key cryptography was invented to deal with this drawback (but itself has drawbacks). 2 © 2018 Arm Limited Public Key Infrastructure and certificate configuration © 2018 Arm Limited Public Key Infrastructure Various PKI deployments in existence Structure of our PKI The client has to store: self-signed • Client certificate plus corresponding private key. CA cert • CA certificate, which serves as the trust anchor. The server has to store: Signed by CA Signed by CA • Server certificate plus corresponding private key. Client cert Server cert (Some information for authenticating the client) 4 © 2018 Arm Limited Generating certificates (using OpenSSL tools) • When generating certificates you will be prompted to enter info. You are about to be asked to enter information that will be • The CA cert will end up in the trust incorporated into your certificate request. What you are about to enter is what is called a Distinguished anchor store of the client. Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, • The Common Name used in the server If you enter '.', the field will be left blank. ----- cert needs to be resolvable via DNS Country Name (2 letter code) [AU]:.
    [Show full text]
  • Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019
    Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang Jun Jiang Yinqian Zhang Nanyang Technological University Two Sigma Investments, LP The Ohio State University [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with three questions: (1) What are the common and distinct a focus on vulnerabilities and countermeasures in the cryp- features of various vulnerabilities? (2) What are common tographic implementations. Particularly, we survey past re- mitigation strategies? (3) What is the status quo of cryp- search literature to categorize vulnerable implementations, tographic applications regarding side-channel vulnerabili- and identify common strategies to eliminate them. We then ties? Past work only surveyed attack techniques and media evaluate popular libraries and applications, quantitatively [20–31], without offering unified summaries for software measuring and comparing the vulnerability severity, re- vulnerabilities and countermeasures that are more useful. sponse time and coverage. Based on these characterizations This paper provides a comprehensive characterization and evaluations, we offer some insights for side-channel of side-channel vulnerabilities and countermeasures, as researchers, cryptographic software developers and users. well as evaluations of cryptographic applications related We hope our study can inspire the side-channel research to side-channel attacks. We present this study in three di- community to discover new vulnerabilities, and more im- rections. (1) Systematization of literature: we characterize portantly, to fortify applications against them. the vulnerabilities from past work with regard to the im- plementations; for each vulnerability, we describe the root cause and the technique required to launch a successful 1.
    [Show full text]
  • Black-Box Security Analysis of State Machine Implementations Joeri De Ruiter
    Black-box security analysis of state machine implementations Joeri de Ruiter 18-03-2019 Agenda 1. Why are state machines interesting? 2. How do we know that the state machine is implemented correctly? 3. What can go wrong if the implementation is incorrect? What are state machines? • Almost every protocol includes some kind of state • State machine is a model of the different states and the transitions between them • When receiving a messages, given the current state: • Decide what action to perform • Which message to respond with • Which state to go the next Why are state machines interesting? • State machines play a very important role in security protocols • For example: • Is the user authenticated? • Did we agree on keys? And if so, which keys? • Are we encrypting our traffic? • Every implementation of a protocol has to include the corresponding state machine • Mistakes can lead to serious security issues! State machine example Confirm transaction Verify PIN 0000 Failed Init Failed Verify PIN 1234 OK Verified Confirm transaction OK State machines in specifications • Often specifications do not explicitly contain a state machine • Mainly explained in lots of prose • Focus usually on happy flow • What to do if protocol flow deviates from this? Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
    [Show full text]
  • Building Research Tools with Google for Dummies (2005).Pdf
    01_57809x ffirs.qxd 3/3/05 12:46 PM Page i Building Research Tools with Google™ FOR DUMmIES‰ by Harold Davis TEAM LinG - Live, Informative, Non-cost and Genuine ! 01_57809x ffirs.qxd 3/3/05 12:46 PM Page ii Building Research Tools with Google™ For Dummies® Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 www.wiley.com Copyright © 2005 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis- sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www. wiley.com/go/permissions. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission.
    [Show full text]
  • No.Ntnu:Inspera:2546742.Pdf (10.61Mb)
    Krishna Shingala An alternative to the Public Key Krishna Shingala Infrastructure for the Internet of Things Master’s thesis in Communication Technology Supervisor: Danilo Gligoroski, Katina Kralevska, Torstein Heggebø Master’s thesis Master’s June 2019 An alternative to PKI for IoT PKI for to An alternative NTNU Engineering Communication Technology Communication Department of Information Security and Department of Information Faculty of Information Technology and Electrical Technology of Information Faculty Norwegian University of Science and Technology of Science University Norwegian An alternative to the Public Key Infras- tructure for the Internet of Things Krishna Shingala Submission date: June 2019 Responsible professor: Danilo Gligoroski, IIK, NTNU Supervisor: Danilo Gligoroski, IIK, NTNU Co-Supervisor: Katina Kralevska, IIK, NTNU Co-Supervisor: Torstein Heggebø, Nordic Semiconductor ASA Norwegian University of Science and Technology Department of Information Technology and Electrical Engineering Title: An alternative to the Public Key Infrastructure for the Internet of Things Student: Krishna Shingala Problem description: Internet of Things(IoT) enables participation of constrained devices on the Internet. Limited resources, bandwidth, and power on the devices have led to new protocols. Some examples of IoT driven and driving protocols are: – MQTT, CoAP that are application protocols for IoT; – 6LoWPAN enables efficient support of IPv6 on low power lossy networks; – CBOR enables concise data formatting; and – DTLS enables secure channel establishment over unreliable transport like the UDP. Security is one of the key factors for the success of IoT. TLS/DTLS secures the channel between the servers and the devices. Confidentiality is an important aspect of such a secure channel. Establishing the identity of an entity another.
    [Show full text]
  • 7) Internet of Things a Survey on the Security of Iot Frameworks
    Journal of Information Security and Applications 38 (2018) 8–27 Contents lists available at ScienceDirect Journal of Information Security and Applications journal homepage: www.elsevier.com/locate/jisa Internet of Things: A survey on the security of IoT frameworks ∗ Mahmoud Ammar a, , Giovanni Russello b, Bruno Crispo a a Department of Computer Science, KU Leuven University, Heverlee, 3001, Belgium b Department of Computer Science, University of Auckland, Private Bag 92019, Auckland 1142, New Zealand a r t i c l e i n f o a b s t r a c t Article history: The Internet of Things (IoT) is heavily affecting our daily lives in many domains, ranging from tiny wear- able devices to large industrial systems. Consequently, a wide variety of IoT applications have been devel- Keywords: oped and deployed using different IoT frameworks. An IoT framework is a set of guiding rules, protocols, Internet of Things and standards which simplify the implementation of IoT applications. The success of these applications IoT mainly depends on the ecosystem characteristics of the IoT framework, with the emphasis on the security Framework mechanisms employed in it, where issues related to security and privacy are pivotal. In this paper, we sur- Platform vey the security of the main IoT frameworks, a total of 8 frameworks are considered. For each framework, Security we clarify the proposed architecture, the essentials of developing third-party smart apps, the compati- ble hardware, and the security features. Comparing security architectures shows that the same standards used for securing communications, whereas different methodologies followed for providing other security properties.
    [Show full text]
  • Performance of State-Of-The-Art Cryptography on ARM-Based Microprocessors
    NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations & Performance Performance of State-of-the-Art Cryptography on ARM-based Microprocessors Hannes Tschofenig & Manuel Pegourie-Gonnard ([email protected], [email protected] ) Presented by Hugo Vincent ([email protected] ) IoT Business Unit Tuesday, July 21, 2015 1 Outline § Why does ARM care about crypto performance? § ARM Cortex-M vs. Cortex-A Class processors. § Short overview of the Cortex-M processor family. § Internet of Things – a world full of constraints. § Performance of crypto on Cortex-M class processors § Assumptions § Hardware used for measurement § Symmetric Key Cryptography § Public Key Crypto (with different curves) § Cortex-M3/M4 Performance § Cortex-M0/M0+ Performance § Curve25519 § RAM Usage § Applying Results to TLS/DTLS § Conclusion & Next Steps 2 Why does ARM care about Crypto Performance? 3 ARM Processors in Smartphones § ARM Cortex-A family: § Applications processors for feature-rich OS and 3rd party applications § ARM Cortex-R family: § Embedded processors for real-time signal processing, control applications § ARM Cortex-M family: § Microcontroller- oriented processors for MCU, ASSP, and SoC applications 4 Cortex-M Processors Maximum Performance Flexible Memory Cache Single & Double Precision FP Digital Signal Control (DSC)/ Examples: Automotive, Processor with DSP High-end audio set Accelerated SIMD Performance & efficiency Floating point (FP) Example: Sensor fusion, Feature rich connectivity motor control Example:
    [Show full text]
  • Performance Investigations
    Performance Investigations Hannes Tschofenig, Manuel Pégourié-Gonnard 25th March 2015 1 Motivation § In <draft-ietf-lwig-tls-minimal> we tried to provide guidance for the use of DTLS (TLS) when used in IoT deployments and included performance data to help understand the design tradeoffs. § Later, work in the IETF DICE was started with the profile draft, which offers detailed guidance concerning credential types, communication patterns. It also indicates which extensions to use or not to use. § Goal of <draft-ietf-lwig-tls-minimal> is to offer performance data based on the recommendations in the profile draft. § This presentation is about the current status of gathering performance data for later inclusion into the <draft-ietf-lwig-tls-minimal> document. 2 Performance Data § This is the data we want: § Flash code size § Message size / Communication Overhead § CPU performance § Energy consumption § RAM usage § Also allows us to judge the improvements of various extensions and gives engineers a rough idea what to expect when planning to use DTLS/TLS in an IoT product. § <draft-ietf-lwig-tls-minimal-01> offers preliminary data about § Code size of various basic building blocks (data from one stack only) § Memory (RAM/flash) (pre-shared secret credential only) § Communication overhead (high level only) 3 Overview § Goal of the authors: Determine performance of asymmetric cryptography on ARM-based processors. § Next slides explains § Assumptions for the measurements, § ARM processors used for the measurements, § Development boards used, § Actual performance data, and § Comparison with other algorithms. 4 Assumptions § Main focus of the measurements so far was on § raw crypto (and not on protocol exchanges) § ECC rather than RSA § Different ECC curves § Run-time performance (not energy consumption, RAM usage, code size) § No hardware acceleration was used.
    [Show full text]
  • Prying Open Pandora's Box: KCI Attacks Against
    Prying open Pandora’s box: KCI attacks against TLS Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes RISE – Research Industrial Systems Engineering GmbH {clemens.hlauschek, markus.gruber, florian.fankhauser, christian.schanes}@rise-world.com Abstract and implementations of the protocol: their utility is ex- tremely limited, their raison d’ˆetre is practically nil, and Protection of Internet communication is becoming more the existence of these insecure key agreement options common in many products, as the demand for privacy only adds to the arsenal of attack vectors against cryp- in an age of state-level adversaries and crime syndi- tographically secured communication on the Internet. cates is steadily increasing. The industry standard for doing this is TLS. The TLS protocol supports a multi- 1 Introduction tude of key agreement and authentication options which provide various different security guarantees. Recent at- The TLS protocol [1, 2, 3] is probably the most tacks showed that this plethora of cryptographic options widely used cryptographic protocol on the Internet. in TLS (including long forgotten government backdoors, It is designed to secure the communication between which have been cunningly inserted via export restric- client/server applications against eavesdropping, tamper- tion laws) is a Pandora’s box, waiting to be pried open by ing, and message forgery, and it also provides additional, heinous computer whizzes. Novel attacks lay hidden in optional security properties such as client authentica- plainsight. Parts of TLS areso oldthat theirfoul smell of tion. TLS is an historically grown giant: its predecessor, rot cannot be easily distinguished from the flowery smell SSL [4,5], was developed more than 20 years ago.
    [Show full text]
  • Architecture, Development and Testing Environment for a Visual Analytics-Based Criminal Intelligence Analysis System
    U N C L A S S I F I E D P U B L I C VALCRI WHITE PAPER SERIES VALCRI-WP-2017-001 1 January 2017 Edited by B.L. William Wong Architecture, Development and Testing Environment for a Visual Analytics-Based Criminal Intelligence Analysis System Rani Pinchuk1, Nick Evers1, Christophe Vandenberghe1. Patrick Aichroth2, Rudolf Schreiner3, and B.L. William Wong4 1Space Applications Services NV/SA Leuvensesteenweg, 325, 1932 Zaventem, BELGIUM 2Fraunhofer Institute for Digital Media Technology Ehrenbergstraße 31 98693 Ilmenau GERMANY 3Object Security, Ltd St John’s Innovation Centre Cowley Road Cambridge CB4 0WS UNITED KINGDOM 4Middlesex University London The Burroughs, Hendon London NW4 4BT UNITED KINGDOM Project Coordinator Middlesex University London Professor B.L. William Wong The Burroughs, Hendon Head, Interaction Design Centre London NW4 4BT Faculty of Science and Technology United Kingdom. Email: [email protected] Copyright © 2016 The Authors and Project VALCRI. All rights reserved. U N C L A S S I F I E D P U B L I C ABSTRACT The VALCRI architecture is built from different Docker containers that speak with each other using mostly REST interfaces. The architecture is designed to incorporating Security, Ethics, Privacy and Legal (SEPL) solutions. The data stores – the Unstructured Database (UDB) and the Structured database (SDB) – used are controlled by SEPL Enforcement components and a Template Engine manages the previously checked and accepted query templates that can be sent to the data stores. The Advanced User Interface (AUI) server is also designed with SEPL in mind: a Jetty (Java HTTP server and Java Servlet container) in- stance is created per user by a Jetty Lifecycle Management component.
    [Show full text]
  • (Attached ) We Described ARM's Approach to Iot Security, a Priority
    Introduction: IoT Security In our previous submission (attached ) we described ARM’s approach to IoT Security, a priority subject for us. In this follow up, we will look briefly at some of the questions, implicit and explicit prosed by the Commerce Department’s January 2017 report ‘Fostering the Advancement of the Internet of Things’. Our focus is on how to promote IoT Security. This is a complex area. IoT Security is composed of many technological facets covering hardware, software, and connectivity. The technology itself is changing fast. There is widespread acceptance that IoT risk levels vary depending on the sensitivity of the IoT installation. But at the same time there is a growing sense that agreement on some level of security is essential in order to minimise the damage that malign hackers might do to an IoT system, and to give citizens and customers confidence in IoT technology and thus expedite its adoption. As the Commerce Department Report makes clear although there is general agreement on a ‘ security by design ‘ approach, there is so far no agreement on how to implement such a concept across the industry. Exactly how to do this is still an open question, but there may be scope for action by Government – and others – to help drive up security awareness and security practices. The State of the Debate The Commerce Department’s Report is not the only Federal Government paper to look at IoT Security in recent months. A number of papers have sought to address this issue, including the Department of Homeland Security’s Nov 2016 paper on Strategic Principles for Securing the IoT, and NHTSA’s Oct 2016 paper on Best Practice for Cybersecurity for Modern Vehicles.
    [Show full text]