Professional Documents
Culture Documents
F A C U L T Y O F INFORMATICS
Implementation of Secure
communication for IoT based
on Arduino board
B A C H E L O R ' S THESIS
Hai Yen Le
H a i Yen Le
Advisor: B a c e m M b a r e k , P h D
i
Acknowledgements
ii
Abstract
iii
Keywords
iv
Contents
Introduction 1
1 Arduino 2
1.1 History 2
1.2 The Arduino board 3
1.3 IDE 4
2 Internet Of Things 6
2.1 History 6
2.2 Applications 7
2.2.1 I n d u s t r i a l Internet of T h i n g s 7
2.2.2 C o m m e r c i a l Internet O f T h i n g s 7
2.2.3 C o n s u m e r Internet of T h i n g s 8
3 Attacks on IoT 9
3.1 The pillars of information assurance 9
3.2 Threats, vulnerability and risks 9
3.2.1 Threats 10
3.2.2 Vulnerability 10
3.2.3 Risks 11
3.3 Types of threats on the IoT 11
3.3.1 Botnets 11
3.3.2 D e n i a l of service 13
3.3.3 Man-in-the-Middle 13
3.3.4 Identity a n d data theft 14
3.3.5 Social engineering 15
3.3.6 A d v a n c e d persistent threats 15
3.3.7 Ransomware 16
3.3.8 Remote r e c o r d i n g 16
v
4.3.1 S y m m e t r i e d i g i t a l signature 20
4.3.2 A s y m m e t r i e d i g i t a l signature 20
4.4 Random number generation 21
6 Implementation part 24
6.1 Components 24
6.2 Sensors 25
6.3 Attacker model 25
6.4 Threat modeling 26
6.5 Encryption 26
6.6 Key generation 27
6.7 Key exchange 27
6.8 RFID 28
6.9 Bluetooth 29
7 Conclusion 31
Bibliography 32
A A n appendix 35
vi
Introduction
1
1 Arduino
p r i n t e r s or r o b o t s .
2 3
1.1 History
In 2005 w a s created the first A r d u i n o b o a r d i n Interactive D e s i g n
Institute i n Ivrea, Italy. The core members were M a s s i m o B a n z i , D a v i d
Cuartielles, T o m Igoe, G i a n l u c a M a r t i n o , a n d D a v i d M e l l i s . The n a m e
A r d u i n o is f r o m a b a r w h e r e t h e y u s e d to meet, w h i c h has a n a m e
after k i n g A r d u i n . [1]
A r d u i n o w a s created for students w i t h o u t a n electronics back-
g r o u n d for their fast p r o t o t y p i n g . Before that time, students were u s i n g
the B A S I C Stamp microcontroller, w h i c h has not sufficient c o m p u t i n g
1. h t t p s : / / w w w . m e g u n o l i n k . c o m / a r t i c l e s / a r d u i n o - g a r a g e - d o o r - o p e n e r /
2. h t t p s : / / a l l 3 d p . c o m / 1 / d i y - a r d u i n o - 3 d - p r i n t e r /
3. h t t p s : / / c r e a t e . a r d u i n o . c c / p r o j e c t h u b / p r o j e c t s / t a g s / r o b o t
2
i. ARDUINO
4. h t t p s : / / w w w . p a r a l l a x . c o m / m i c r o c o n t r o l l e r s / b a s i c - s t a m p
5. h t t p s : / / a r d u i n o h i s t o r y . g i t h u b . i o /
3
i. ARDUINO
fritzing
F i g u r e 1.1: Schematic of A r d u i n o U N O b o a r d a
1.3 IDE
T h e A r d u i n o i n t e g r a t e d d e v e l o p m e n t e n v i r o n m e n t ( I D E ) is cross-
p l a t f o r m a n d w o r k s o n W i n d o w s , L i n u x , a n d m a c O S . M o s t of the
microcontroller systems can be u s e d o n l y o n W i n d o w s . This I D E is for
w r i t i n g a n d u p l o a d i n g codes or p r o g r a m s to the b o a r d . The A r d u i n o
I D E is completely free a n d simple for u s i n g . Processing I D E i n s p i r e d 6
the A r d u i n o I D E , a n d the l a n g u a g e is i n s p i r e d b y W i r i n g , w h i c h is
7
6. h t t p s : / / p r o c e s s i n g . o r g /
7. h t t p : / / w i r i n g . o r g . c o /
4
i. ARDUINO
m i n g . E v e r y p r o g r a m w r i t t e n f o r A r d u i n o is c a l l e d a sketch. These
files e n d w i t h extension .ino. E v e r y sketch contains at least these t w o
functions:
• setup () E v e r y reset o r p o w e r - u p of t h e A r d u i n o b o a r d is this
f u n c t i o n called. F o r i n i t i a l i z i n g variables, p i n m o d e s , a n d m a n y
more.
• loop() Is similar as c a l l i n g while(true). For c o n t r o l l i n g the b o a r d ,
a l l t h e t i m e . It is c a l l e d a l l t h e t i m e after of one-time c a l l i n g
setup ().
v o i d s e t u p () {
// p u t y o u r s e t u p code here , to r u n once :
v o i d l o o p () {
// p u t y o u r m a i n code here, to run repeatedly:
5
2 Internet Of Things
2.1 History
6
2. INTERNET O F T H I N G S
2.2 Applications
IoT has m a n y applications w h i c h w e can for simplification segment to:
• I n d u s t r i a l Internet of T h i n g s
• C o m m e r c i a l Internet of T h i n g s
• C o n s u m e r Internet of T h i n g s
7
2. INTERNET O F T H I N G S
8
3 Attacks on IoT
9
3. ATTACKS O N I O T
3.2.1 Threats
3.2.2 Vulnerability
Planning
Threat actor
Execution
Repeat
(as needed)
The compromise, or impact of the
Compromise successful exploitation
Assess
F i g u r e 3 . 1 : R e l a t i o n s h i p s b e t w e e n threats, v u l n e r a b i l i t y , attacks, a n d
compromise. [ 7 ]
10
3. ATTACKS O N I O T
3.2.3 Risks
R i s k s c a n b e e x p r e s s e d as q u a l i t a t i v e o r quantitative, d e p e n d s o n
o u r m e t h o d of m e a s u r i n g . It is different f r o m v u l n e r a b i l i t y because
it measures the p r o b a b i l i t y of danger, loss, o r injury, d e p e n d i n g o n
h o w significant are the consequences. F o r e x a m p l e , the r i s k c a n be
that s o m e o n e h a c k s w e b c a m a n d see w h a t w e are d o i n g , b u t i f the
c o m p u t e r never connects to the internet, t h e n it is n o t a risk.
3.3.1 Botnets
1. https://www.akamai.com/us/en/resources/what-is-a-botnet.j sp
11
3. ATTACKS O N I O T
h a r d w a r e a n d electricity for c r y p t o m i n i n g to e a r n c r y p t o c u r r e n c i e s
l i k e B i t c o i n , M o n e r o , or m a n y others. 2
2. https://www.investopedia.com/tech/what-botnet-mining/
3. h t t p s : / / e n . w i k i p e d i a . o r g / w i k i / B o t n e t
4. h t t p s : / / w w w . c l o u d f l a r e . c o m / l e a r n i n g / d d o s / g l o s s a r y / m i r a i - b o t n e t /
12
3. ATTACKS O N I O T
3.3.3 Man-in-the-Middle
13
3. ATTACKS O NI O T
14
3. ATTACKS O N I O T
15
3. ATTACKS O N I O T
3.3.7 Ransomware
5. h t t p s : / / w w w . k a s p e r s k y . c o m / r e s o u r c e - c e n t e r / d e f i n i t i o n s /
zero-day-exploit
16
4 Cryptographic primitives in IoT
4.1 Encryption
E n c o d i n g a n d d e c o d i n g m e t h o d s h e l p us to protect o u r d a t a stored
o n o u r c o m p u t e r or s e n d i n g t h e m t h r o u g h the internet or a n y other
n e t w o r k . C r y p t o g r a p h y is a science of e n c r y p t i o n a n d d e c r y p t i o n
i n f o r m a t i o n . The e n c r y p t e d text is c a l l e d ciphertext, a n d u n e n c r y p t e d
text is c a l l e d plaintext.
First of a l l , the sender a n d receiver m u s t decide w h i c h cipher a n d
the k e y w i l l use. T h e n t h e n sender e n c r y p t s the p l a i n t e x t w i t h the
k e y i n t o ciphertext a n d sends it to the receiver, w h o k n o w s the k e y
a n d d e c r y p t s ciphertext i n t o p l a i n t e x t . T h i s m e t h o d guarantees the
confidentiality of stored data or data transmitted over the internet or
another n e t w o r k . E v e n the attacker gets the ciphertext, h e does not
k n o w the key, a n d g u e s s i n g the k e y takes too m u c h time. That is the
reason w h y e n c r y p t i o n is so v a l u a b l e . O n e of these m e t h o d s is brute
force, w h i c h is t r y i n g a l l possible combinations u n t i l f i n d i n g the right
one.
T o d a y m a n y processes use the s y m m e t r i c e n c r y p t i o n to e n c r y p t
t r a n s m i t t e d data a n d the a s y m m e t r i c e n c r y p t i o n for e x c h a n g i n g the
secret key.
17
4. C R Y P T O G R A P H I C PRIMITIVES I N IoT
Symmetric Encryption
AK#4Z v Q 0
ov2+s= y
O
TOY/Jli ^
Shared Key
F i g u r e 4.1: D e s c r i p t i o n of s y m m e t r i c e n c r y p t i o n a
a. from: https://hackernoon.com/hn-images/l*m
4.1.1 S y m m e t r i c e n c r y p t i o n
S y m m e t r i c c i p h e r s u s e o n l y a single k e y f o r b o t h e n c r y p t i o n a n d
d e c r y p t i o n . T h i s key is sometimes c a l l e d shared secret because it m u s t
be shared w i t h a l l a u t h o r i z e d entities. Symmetric e n c r y p t i o n is u s u a l l y
faster t h a n a s y m m e t r i c e n c r y p t i o n . T h e most w i d e s p r e a d s y m m e t r i c
cipher is A d v a n c e d E n c r y p t i o n S t a n d a r d ( A E S ) .
4.1.2 A s y m m e t r i c e n c r y p t i o n
18
4- C R Y P T O G R A P H I C P R I M I T I V E S I N I O T
Asymmetric Encryption
Love
you
granny
Í Í
Public Key Private Key
F i g u r e 4.2: D e s c r i p t i o n of a s y m m e t r i c e n c r y p t i o n a
a. from:https://hackernoonxom/hn-images/lV2JprXzMMWWNUlnbZOHTqg.png
4.2 Hashing
19
4 . C R Y P T O G R A P H I C P R I M I T I V E S I N IoT
20
4. C R Y P T O G R A P H I C PRIMITIVES I N I O T
21
5 Bluetooth and RFID in IoT
5.1 Bluetooth
1. h t t p s : / / w w w . i o t f o r a l l . c o m / b l u e t o o t h - i o t - a p p l i c a t i o n s /
22
5- B L U E T O O T H A N D R F I D I N I O T
5.2 RFID
Radio-frequency identification (RFID) is u s e d for i d e n t i f y i n g , control-
l i n g , or t r a c k i n g objects i n r e a l - t i m e if n e e d e d . R F I D is u s i n g r a d i o
waves too.
T h e R F I D s y s t e m is c o m p o s e d of three parts: tag, reader/writer,
a n d a p p l i c a t i o n system. [18] The R F I D tag is u s e d for i d e n t i f y i n g the
objects. There are two types of R F I D tag active a n d passive. A c t i v e has
a n energy source a n d is p o w e r e d so it c a n start to c o m m u n i c a t e w i t h
other tags. Passive has n o battery or energy source, a n d for c o m m u -
n i c a t i o n , the t a g m u s t get the e n e r g y f r o m the reader. T h e reader is
for starting the c o m m u n i c a t i o n a n d transferring the data between the
a p p l i c a t i o n s y s t e m a n d the tag. T h e a p p l i c a t i o n s y s t e m initiates a l l
the activities that the reader a n d tag d o a n d collects the data.
R F I D systems fit for t r a c i n g , m o n i t o r i n g , a n d m a n a g i n g objects.
M a n a g i n g resources can use these systems. S o o n can be R F I D u s e d i n
h o s p i t a l s , each p a t i e n t w i l l get the bracelet w i t h a n R F I D t a g so the
h o s p i t a l can track the movements of the patient, a n d this process can
r e d u c e the r e g i s t r a t i o n t i m e , too, if the p a t i e n t w a s registered once
before. A i r l i n e s c a n track the l u g g a g e for a better o v e r v i e w of their
locations.
Because of the l o w cost of R F I D a n d its resource limitations, there is
still n o appropriate security a n d privacy. M a n y scientists are w o r k i n g
o n creating a low-cost security s o l u t i o n .
23
6 Implementation part
6.1 Components
fritzing
F i g u r e 6.1: Schematics
24
6. I M P L E M E N T A T I O N PART
F i g u r e 6.3: L D R f l
5. L E D lights
6. L C D Display
7. YWRobot LCM1602
8. D H T 2 2 h u m i d i t y a n d temperature sensor
9. Light dependent resistor
6.2 Sensors
The i m p o r t a n t f u n c t i o n of the Internet of T h i n g s is collecting the data
f r o m the sensors, a n a l y z i n g t h e m , a n d deduce solutions for i m p r o v i n g
the c o n d i t i o n s at smart h o m e s or i n i n d u s t r i a l . In this project, w e are
u s i n g d a t a f r o m three sensors. T h e m e a s u r e d v a l u e s w i l l be f r o m
t e m p e r a t u r e , h u m i d i t y , a n d a l i g h t - d e p e n d e n t resistor ( L D R ) . F o r
m e a s u r i n g temperature ( i n C ) a n d h u m i d i t y ( i n percent) w i l l be used
D H T 2 2 sensor. T h e L D R is connected to the a n a l o g p i n a n d measure
values i n range 0-1023.
25
6. I M P L E M E N T A T I O N PART
6.5 Encryption
T h e i m p l e m e n t a t i o n is u s i n g A d v a n c e d E n c r y p t i o n S t a n d a r d ( A E S )
for e n c r y p t i n g f r o m the A r d u i n o C r y p t o g r a p h y Library. A E S is a stan-
d a r d i z e d a l g o r i t h m for e n c r y p t i o n . It is a s y m m e t r i c cipher, so it uses
the s a m e k e y for e n c r y p t i o n a n d d e c r y p t i o n . I n the i m p l e m e n t a t i o n
1. https://www.comparitech.com/blog/information-security/
what-is-relay-attack/
26
6. I M P L E M E N T A T I O N PART
is s p e c i f i c a l l y u s e d AES128[20], w h i c h is a b l o c k c i p h e r u s i n g 128-
bits l o n g key. T h e reason f o r c h o o s i n g this a l g o r i t h m is that it w o r k s
quickly, a n d it is sufficient for short data l i k e ours.
27
6. I M P L E M E N T A T I O N PART
6.8 RFID
F i g u r e 6.4: M F R C 5 2 2 '
a. source: https://raw.githubusercontent.com/playfultechnology/
arduino-rfid-MFRC522/master/documentation/MFRC522.jpg
28
6. I M P L E M E N T A T I O N PART
AE5128
T
<^3
current key
F i g u r e 6.5: D e s c r i p t i o n of u s i n g AES128'•a
6.9 Bluetooth
In the b e g i n n n i n g the d e v i c e m u s t b e p a i r e d w i t h the A r d u i n o . It is
possible to change the P I N for p a i r i n g . [22] But w i t h 10 000 possibilities
it is still easy to crack the P I N w i t h brute-force.
A f t e r c o n n e c t i n g t h e registered t a g to t h e reader, i f this process
w a s successful, temperature, h u m i d i t y , a n d photoresistor v a l u e s are
m e a s u r e d . These v a l u e s are w r i t t e n i n a single s t r i n g , w h i c h w i l l
have the l e n g t h of 16 characters because A E S w e u s e c a n e n c r y p t
o n l y strings w i t h l e n g t h w i t h m u l t i p l e of 16. T h i s s t r i n g is e n c r y p t e d
u s i n g the Bluetooth key. A n d A r d u i n o sends this e n c r y p t e d s t r i n g to
the computer. P y t h o n script w e use c a n decrypt this cipher because it
already k n o w s the Bluetooth key.
29
6. I M P L E M E N T A T I O N PART
Nil
F i g u r e 6.6: H C - 0 5 "
a. source: https://5.imimg.com/data5/AK/TP/MY-9380557/
bluetooth-module-hc-05-500x500.jpg
30
7 Conclusion
31
Bibliography
32
BIBLIOGRAPHY
15. Advanced Persistent Threats and How Your Organization Can Deter
Them [ o n l i n e ] . B r n o : S u s a n H o f f m a n , 2018 [ v i s i t e d o n 2019-10-
20]. A v a i l a b l e f r o m : h t t p s : / / i n c y b e r d e f ense . c o m / f e a t u r e d /
advanced-persistent-threats-deter/.
16. Ransomware. B r n o : A v a s t , available also f r o m : h t t p s : / / www .
avast.com/cs-cz/c-ransomware.
17. B A R K E R , D . M . ; M C M I C H A E L G I L S T E R , Diane. Bluetooth end to
end. 1st e d . N e w York, N Y : M T B o o k s , 2002. I S B N 0-7645-4887-5.
18. JIA, Xiaolin; F E N G , Q u a n y u a n ; F A N , Taihua; L E I , Quanshui.
R F I D technology a n d its applications i n Internet of Things (IoT).
2022 2nd International Conference on Consumer Electronics, Com
munications and Networks, CECNet 2012 - Proceedings. 2012. A v a i l
able f r o m D O I : 10.1109/CECNet. 2012.6201508.
33
BIBLIOGRAPHY
20. Advanced Persistent Threats and How Your Organization Can Deter
Them [ o n l i n e ] . B r n o : S u s a n H o f f m a n [ v i s i t e d o n 2019-09-20].
Available from: h t t p s : //rweather . g i t h u b . i o / a r d u i n o l i b s /
classAES128.html#details.
21. Entropy library [ o n l i n e ] . B r n o : W a l t e r A n d e r s o n , 2012 [ v i s i t e d
o n 2019-09-14]. A v a i l a b l e f r o m : h t t p s : / / s i t e s . g o o g l e . com/
site/astudyofentropy/project-definition/timer-j i t t e r -
entropy-sources/entropy-library.
34
A An appendix
A t t a c h m e n t s contain
• A r d u i n o sketch
• L i b r a r i e s necessary for the sketch
• P y t h o n script for c o m m u n i c a t i n g f r o m the c o m p u t e r