Architectures for securing low-cost IoT

Student thesis: Doctoral Thesis


This PhD study proposes various solutions to enable low-cost Internet of Things (IoT) devices to employ end-to-end encryption, with consideration to the financial and practical requirements of such devices. Manufacturers of IoT devices often sacrifice security in favour of features, user friendliness, time to market or cost, in order to stay ahead of their competitors. However, numerous recent hacks on IoT devices have shown this is unwise. Extremely low-cost, microcontroller-based devices, in particular, struggle to create the sufficient random data required for state-of-the-art security features. This is in stark contrast to common internet-connected devices such as smartphones and personal computers, which, with their high-performance processors, can generate sufficient randomness to implement state-of-the-art security features. By taking advantage of existing devices, this PhD study enables these extremely low-cost devices to implement state-of-the-art security features. One such existing device is the smartphone: smartphones are abundant and have multiple sources of randomness for strong key generation. This abundance and power enables two discrete architectures to be proposed which offload key generation and transfer to the user's smartphone, removing the requirement for constrained IoT devices to participate in public key infrastructure. The first proposed architecture takes advantage of the ubiquity of Wi-Fi in consumer devices, and employs it as a key transfer mechanism. The design only requires a $1 general-purpose microcontroller and a Wi-Fi module. The performance of such an architecture was modelled, and a threat analysis conducted. The design allows all communication to and from the device to be encrypted, without any additional manufacturing cost or sacrificing user experience. Since the architecture does not require any additional hardware, it can be retroactively applied and deployed to existing devices through a firmware update.
This architecture has been integrated into a smart light switch product. The second architecture is targeted at increasingly popular low-power wide-area network (LPWAN) technologies, such as LoRaWAN. Future utility networks will require much greater levels of machine-to-machine interaction to enable smart grid applications, and ultimately increase the efficiency of the network. In response, a low-cost LPWAN module was developed to be retrofitted to existing monitoring devices, Fault Passage Indicators (FPI), creating an automatic remote detection and location system for medium voltage faults, reducing the time to find faults from hours to minutes. This prototype device was then tested on a physical 11 kV overhead line network, where the device demonstrated it was robust and suitable for mass deployment on a live network. The finalised prototype module costs roughly 5% of a single FPI unit, making the solution cost effective. The system additionally features the ability to remotely reconfigure the FPI, making the installation and future maintenance more convenient. Two high costs in a full-scale LPWAN deployment are the cost of deployment and the potential cost of re-keying a compromised network. Therefore, this thesis also explores methods of decentralising sensor device deployment using commonly available hardware. It details a procedure which uses a smartphone's camera flash to transfer the necessary credentials to such low-cost sensor devices. As with the domestic Wi-Fi-based solution, smartphones were chosen as a transfer mechanism since they are both abundant and suitably powerful to generate random keys. Using the smartphone's LED flash removes the need for a wired connection, a laptop, and programming software, allowing devices to be provisioned out in the field without the need for specialised tools or knowledge.
An implementation with a Long Range Wide Area Network (LoRaWAN) device was created, as this is a prime candidate given its requirement for cryptographic keys and lack of ability to partake in public key infrastructure. The solution allows non-specialists to securely program and re-key devices without specialised tools. A security audit is then conducted on the system as a whole. The final part of the thesis considers the dependency IoT devices currently have on centralised architecture. This reliance has made numerous devices non-functional when their infrastructure ceased to operate. Recent research into the security of internet-connected consumer equipment has shown the extent to which many of these devices remain highly vulnerable to remote compromise. The Mirai botnet highlighted this risk of having large numbers of vulnerable devices, all connected to high-speed internet connections, capable of performing Distributed Denial of Service (DDoS) attacks. A distributed hash table (DHT) based architecture is proposed, where an intermediary device provides access control and secure remote access to IoT devices located in the home. This design removes the need for a centrally operated server and improves longevity. Software running on the intermediary separates vulnerable IoT devices from the rest of the home network, and coordinates with the DHT to publish and listen for messages. An implementation of this system was created, and demonstrated that the network overhead would be minimal, and the system would be able to integrate with existing IoT ecosystems.
Date of Award: 31 Jul 2020
Original language: English
Awarding Institution
  • University Of Strathclyde
Sponsors: University of Strathclyde
Supervisor: James Irvine (Supervisor) & Christos Tachtatzis (Supervisor)
