Internet of Things

Lecture 0
by Amira Henaien
Dr. Eng. Computer Science
Specialized on IoT
Meet your teacher
Name
• Amira Henaien

Academic background
• Engineer and phD. Holder
• Computer Science

Teaching
• 10 years of teaching

Research and development

• Formel methods
• Internet of Things
• Artificial Intelligence (ML and DL for IoT)

Contact:
[email protected]

• [email protected]
My Works
Healthcare

4
Smart City

5
Smart City

6
RFID IoT Architecture for Smart Inventory
Management: Security Integration

7
Course Presentation
❑Title : IoT security
❑Coefficient : 1 in the unit UEF520, (Coefficient of the unit is 2.5)
❑Targeted students: Computer Science students specializing in Embedded Systems and IoT.
❑Pre-requirements :
❑Basic IoT and Embedded Systems Knowledge: Understanding of IoT architecture, sensors, and actuators.
❑Networking Fundamentals: Familiarity with IP addressing, network protocols, and wireless standards
(e.g., Wi-Fi, Bluetooth).
❑Cybersecurity Basics: Core concepts like encryption, authentication, and the CIA triad.
❑Programming Experience: Skills in languages like C, Python, or Java, and experience with
microcontrollers (Arduino, Raspberry Pi).
❑Cloud and Data Basics: Understanding of cloud platforms (AWS, Azure) and data management.
❑Basic Linux/Unix Knowledge: Familiarity with Linux command line for embedded systems.
Course Content
Common IoT
Introduction to IoT Security Inside-Out Security
Vulnerabilities and
Security Fundamentals Principle
Attack Surfaces

Secure
IoT Security IoT Network
Communication in IoT Device Security
Architecture Security
IoT

Risk Management IoT Security

IoT Cloud and Edge
Privacy in IoT and Incident Standards and
Security
Response Compliance
Tell me

•What IoT devices do you use in

your daily life, such as wearable
devices?
•Have you ever felt concerned
about the security or privacy of
any IoT devices you own?
Tell me
•Do you think about the security
of your IoT devices when you first
set them up? For example, do you
change default passwords or
enable encryption?
•Have you ever been prompted to
update the software or firmware
on your IoT device, and how did
you respond?
Tell me
•Have you ever noticed any
vulnerabilities, such as a smart
device being accessible without
proper authentication?
•Have you ever experienced any
issues with IoT devices, not
working properly or being slow to
respond?
Tell me
•Do you worry about how your
IoT devices might collect and
share your data, like cameras or
voice assistants?
•Have you ever felt uncomfortable
with how much data an IoT device
was collecting? Did you change
any settings to reduce the data
collected?
Tell me
•Have you or anyone you know
ever had an IoT device hacked,
like a smart thermostat being
accessed without permission?
•What would you do if you
suspected your IoT device had
been compromised or hacked?
Tell me
•What steps do you take to protect
your IoT devices, like using
strong passwords or enabling two-
factor authentication?
•Have you ever disconnected an
IoT device because you didn’t
trust its security?
Security
Fundamentals
in IoT
Advanced security concepts specific to
IoT systems
CIA triad (Confidentiality, AAA (Authentication,
Integrity, Availability) and its Authorization, Accounting)
implementation in IoT models and its specification
systems. to IoT devices.

Ethical considerations, Examples of ethical dilemmas

focusing on security issues in smart devices (e.g.,
like data collection, security cameras in shared
surveillance, and privacy. spaces).
 CIA triad
Ensuring that sensitive information is
accessed only by authorized parties.

Confidentiality

Guaranteeing that data

CIA triad Security Ensuring reliable
is accurate, consistent,
access to information
and safeguarded from
and resources for
unauthorized
authorized users.
modifications. Integrity Availibility
CIA triad
Ensuring that sensitive information is
accessed only by authorized parties.

Imagine a smart security camera at home. Confidentiality means

Confidentiality
that only authorized users (e.g., family members) can access the
video feed. If the camera’s feed is not encrypted or password-
protected, an attacker could access and view private footage. To
ensure confidentiality, encryption is applied to the data stream,
and access requires strong passwords or multi-factor
authentication.
CIA triad
Guaranteeing that data is accurate, consistent, and
safeguarded from unauthorized modifications.

Integrity
A smart thermostat is used to control home heating remotely. If
an attacker alters the temperature settings without the
homeowner's knowledge, the integrity of the system is
compromised. To maintain integrity, secure communication
protocols are used so that commands sent to the thermostat
remain unchanged. Digital signatures or checksums ensure that
the data received by the thermostat is the same as what was
sent.
CIA triad
Ensuring reliable access to information and
resources for authorized users.

Availibility
Consider a smart lock at the front door. For availability, the
system must be online and functional whenever the homeowner
needs to lock or unlock the door, whether via an app or voice
assistant. If the smart lock's servers go down or the lock suffers
from a power outage, it could block the user from accessing their
home. To ensure availability, backup systems (e.g., battery
backups or local access) can be implemented.
AAA (Authentication, Authorization,
Accounting) models
Authentication

AAA
Accounting
Authorization
 AAA (Authentication, Authorization,
Accounting) models
Verifies user identity, preventing
unauthorized access.
Authentication

Tracks user activities and

logs them for audit and
review purposes. AAA Ensures users
have the
correct
Accounting permissions
Authorization
based on their
role.
AAA (Authentication, Authorization,
Accounting) models
Verifies user identity, preventing unauthorized access.

❑ Example in IoT: A smart lock requires the user to

authenticate via a password or biometrics to unlock
Authentication the door.
❑ Relation to IoT Security: Ensures that only trusted
devices and users can interact with IoT devices,
preventing unauthorized access.
AAA (Authentication, Authorization,
Accounting) models
Ensures users have the correct permissions based on
their role.

• Example in IoT: A smart thermostat allows the user to

change the temperature but restricts access to system
Authorization settings.
• Relation to IoT Security: Controls what actions
authenticated users can perform on IoT devices,
protecting sensitive operations.
 AAA (Authentication, Authorization,
Accounting) models
Tracks user activities and logs them for audit and review
purposes.

❑ Example in IoT: A smart security camera logs every

Accounting access attempt, tracking both successful and failed
unlocks.
❑ Relation to IoT Security: Provides an audit trail of
user actions on IoT devices, helping to detect and
respond to security incidents.
Ethical
Considerations
in IoT Security:
Key Points
Data Collection
•Ethical Consideration:
• IoT devices often collect massive amounts of personal data from users . The ethical dilemma
lies in how much data should be collected and how it's used.
• Example:
• Devices like Amazon Alexa or Google Home continuously listen for voice commands, and
sometimes they may record conversations that were not intended for the assistant.
• health data from wearables, location data from smart devices.
•Security Issue:
• If this data is not adequately protected, it could be accessed by unauthorized individuals or
entities, leading to potential privacy breaches.
•Questions to Consider:
• Is all the data being collected necessary for the device to function?
• Are users aware of what data is being collected and how it's used?
• Is there transparency in data handling?
Surveillance
•Ethical Consideration:
• Many IoT devices are used for monitoring.
• Example: home security cameras, baby monitors, wearable trackers, which raises
concerns over constant surveillance and the implications for personal freedom.
•Security Issue:
• Improper security measures could lead to unauthorized access to sensitive video feeds or
audio recordings, putting users’ safety and privacy at risk.
•Questions to Consider:
• Is the use of surveillance devices justified?
• Are users fully aware that they are being monitored?
• What happens to the data collected from surveillance (e.g., video storage, third-party
access)?
Privacy
•Ethical Consideration:
• The collection of personal information by IoT devices often leads to concerns about user privacy.
• Example:
• Smart assistants continuously listen for voice commands, which could infringe on the privacy of individuals.
• Installing security cameras in apartment hallways or shared office spaces can enhance security but raises
privacy concerns.
• A smart thermostat may share data about a user's daily routines (like when they are home or away) with
third-party service providers, which could lead to misuse of personal information or privacy breaches.
•Security Issue:
• Without proper encryption or access controls, personal data stored in IoT devices can be exposed to
cyberattacks or leaks, causing identity theft or misuse of personal information.
•Questions to Consider:
• How is user data being secured to ensure privacy?
• Does the device comply with privacy regulations (e.g., GDPR)?
• Is there a way for users to control or limit the amount of personal data collected?
Consent and User Autonomy
•Ethical Consideration:
• Many users may not fully understand what data their IoT devices collect, or how they are being
monitored. Informed consent and user autonomy are essential to ethically using IoT technology.

•Security Issue:
• If users are not fully informed or don’t have the option to opt out, there is a trust deficit between
the device manufacturers and users, leading to potential legal and ethical complications.

•Questions to Consider:
• Do users have clear and accessible choices regarding the collection and use of their data?
• Are users able to revoke consent and have their data erased?
 Data Sharing with Third Parties
•Ethical Consideration:
• Many IoT devices share user data with third parties for marketing, analytics, or other purposes. Users may
not be aware of where their data is going and how it's being used.
• Example:
• Fitness trackers and health wearables collect sensitive data like heart rate, sleep patterns, and physical
activity. If this data is shared with third-party companies, such as insurance providers, without the user's
consent, it could be used to make decisions that affect the user’s premiums or coverage.
• Smart cars collect data on driving habits, routes, and even voice commands. If this information is shared
with insurers or law enforcement without the driver’s knowledge, it could lead to surveillance or
punitive actions (e.g., insurance rate increases based on driving patterns).
•Security Issue:
• If third parties don't have adequate security measures, it increases the risk of data breaches. Sharing
sensitive information without user consent could lead to ethical violations.
•Questions to Consider:
• Who has access to the data, and for what purposes?
• Are third-party companies adhering to the same level of data protection as the primary service provider?
Minimizing Harm
•Ethical Consideration:
• IoT devices must be designed to minimize harm to users, particularly vulnerable groups like
children, the elderly, or individuals with disabilities.
• Example :
• Devices like GPS trackers or smart baby monitors allow parents to monitor their children’s
movements or activities. While useful, these devices raise questions about over-surveillance,
as they may infringe on a child’s privacy or autonomy.
•Security Issue:
• Inadequate security can put these vulnerable groups at greater risk if their personal data is
exposed or misused.
•Questions to Consider:
• How are vulnerable groups protected by IoT devices?
• Is the design of the device taking into account potential harm, and are safeguards in place?
Inside-Out Security
Principle
What is the Inside-Out Security Principle?
•Main Points: Focus on securing critical internal assets first, then
expand outward:
• Step 1: Protect sensitive data, user access, and internal systems.
• Step 2: Secure internal devices and network communication.
• Step 3: Extend security to external devices, networks, and third-
party services.
Focus on Critical Internal Systems First

•Main Points:
• Start by protecting core systems and sensitive data:
• Data encryption: Protect both data at rest and data in transit.
• User authentication: Use multi-factor authentication for strong user
access control.
• Example: In a smart home, secure user access to sensitive data (e.g.,
security camera footage).
Secure Internal Network and Devices
•Main Points:
• Ensure the internal devices and networks are secure:
• Network segmentation: Divide internal networks to reduce the impact of a breach.
• Firewalls and VPNs: Secure communications between IoT devices.
• Example: Segment your network into a private zone for sensitive devices and another
for general use.
Expand to External Devices and Networks
•Main Points:
• Extend protections outward to non-critical devices and third-party services:
• Secure external devices: Apply encryption, change default credentials.
• Secure cloud services: Ensure data sent to and from the cloud is
encrypted.
• Example: In a smart home, secure non-sensitive devices (e.g., smart
lights) and use encrypted cloud storage.