Paula

Hive Mind, security in distributed IoT

Hive mind, no, not aliens, we are talking about hardware!

It's been a long time since my security sprint publications (1 2 3 4 5 6 7 8&9 10&11 extra). I took some vacations in order to further study, work and practice a bit more in some security areas I've been working on. My latest efforts have been focused on distributed systems and how to apply security in ubiquitous networks. I aim to write a larger paper about this, but for now I'd love to share a sneak peek at the possibilities surrounding this interesting topic.

Divide to conquer!

Ubiquitous computing is leading us to a brand new relationship between users and technology. Step by step we are forgetting about the technology surrounding us and focusing on our goals, and this could also mean forgetting about the risk. Security is a main concern in every system, and the internet of things is uncovering new horizons of risk. For this reason I'm investigating attack response and prevention using low-cost hardware in ubiquitous networks, inspired by a paper [1] I recently found.

The main point of using a decentralized model is both to allow the use of low-cost hardware, as the security lies in the model and not in the devices, and to make attacks more difficult. Not having a centralized point makes every target equally relevant, and designing a fast attack is way harder. In the model we consider interconnected nodes that communicate with each other; every message exchange must be signed before it is added to the common log.

Using an interconnected network of sensors that send and receive information, sharing the state content in a common memory log and randomly checking on neighbor nodes, would allow fast attack detection, even accounting for false positives. If an area is considered "contaminated", the rest of the nodes can be banned from signing that area's exchange of information, in order to control and suffocate the attack.

Using evolutionary computation it's even possible to determine the steps that led to an area being considered contaminated, and to prevent a second attack of the same type.

This prevention and response model could, though, be the victim of false nodes that tell the rest of the network the area is not contaminated and inject mistaken content into the network.

Ready? attack!

Let's say we have two main kinds of possible attack, passive and active. Passive attacks are performed by spy nodes that catch relevant information in the network, or in any case make the communication slower, but don't inject mistaken information into the network, which is what is considered active. Both can work together to contaminate the whole network, but the work has to be carefully built in order to avoid suffocation or isolation. Beware, shitty drawings coming!

In the picture, there's a network with 3 different areas that could perfectly well be sensors in a house. All the nodes have a common log of the "transactions" between each other, which carry time and content information as tokens. A range of normal content and response time is supposed to be preset. The first transaction, T1 (A -> B), aims to be a normal, healthy communication: any of the connected nodes from A1 can randomly sign it and witness the state of the communication. In T2, not only are more nodes implicated (A1 and A2), but I also wanted to show a false positive, which is considered and alerted but not labelled as a main contamination. In T3, some new friends are implicated: *, ♥ (active attackers) and ☾ (passive attacker). The influence of ☾ (and other possible passive attackers in other nodes) makes ♥ sign first the contaminated communication between * and F. If this attack is successful, it will be added to the log as a healthy communication. Yikes!

Even so, the communication is decentralized, so creating a relevant attack implies a combination of timing and resources that would have to be orchestrated so as not to alert the healthy nodes, which is highly difficult as the transactions are randomly activated. Not impossible, in any case.
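To make the model concrete (random witness, preset content/response-time ranges, alert vs. contamination, banning a contaminated area from signing, and the T3 case where an active node signs a bad transaction that neighbors later catch in the log), here is an added Python simulation. It is not the author's code; the node names, areas, ranges and the HMAC stand-in for per-node signatures are all assumptions.

```python
import hmac, hashlib, random
# Constructed example: seven nodes in three areas, a per-node signing secret, and preset
# "normal" ranges for content and response time. All values are hypothetical; HMAC over
# shared secrets stands in for whatever signature scheme the real nodes would use.
NODES = {"A": "A1", "B": "A1", "C": "A1", "D": "A2", "E": "A2", "F": "A3", "G": "A3"}
KEYS = {n: f"secret-{n}".encode() for n in NODES}
CONTENT_RANGE, RESPONSE_MAX = (15.0, 30.0), 0.5

def verdict(content, response_time):
    """Compare a transaction's tokens with the preset ranges."""
    ok = (CONTENT_RANGE[0] <= content <= CONTENT_RANGE[1], response_time <= RESPONSE_MAX)
    return {2: "healthy", 1: "alert", 0: "contaminated"}[sum(ok)]

def sign(witness, entry):
    msg = f"{entry['src']}->{entry['dst']}|{entry['content']}|{entry['rt']}".encode()
    return hmac.new(KEYS[witness], msg, hashlib.sha256).hexdigest()

class Hive:
    def __init__(self, attackers=()):
        self.log, self.alerts, self.banned = [], [], set()
        self.attackers = set(attackers)   # active nodes that sign whatever they are given

    def witnesses(self, src):
        """Nodes in the sender's area that may still sign; banned areas sign nothing."""
        return [n for n, a in NODES.items()
                if a == NODES[src] and n != src and a not in self.banned]

    def transact(self, src, dst, content, rt, rng=random):
        pool = self.witnesses(src)
        if not pool:
            return "refused"
        w = rng.choice(pool)   # random witness, as in the post's model
        v = "healthy" if w in self.attackers else verdict(content, rt)
        if v == "alert":                      # one bound violated: flag, don't ban
            self.alerts.append((src, dst))
        elif v == "contaminated":             # both bounds violated: suffocate the area
            self.banned.add(NODES[src])
        if v == "healthy":
            entry = {"src": src, "dst": dst, "content": content, "rt": rt, "witness": w}
            entry["sig"] = sign(w, entry)
            self.log.append(entry)
        return v

    def audit(self):
        """Neighbors recheck the common log; a signed-but-bad entry bans the witness's area."""
        bad = [e for e in self.log if not hmac.compare_digest(sign(e["witness"], e), e["sig"])
               or verdict(e["content"], e["rt"]) == "contaminated"]
        for e in bad:
            self.banned.add(NODES[e["witness"]])
        return len(bad)
```

The audit is the "randomly checking on the neighbor nodes" step: a dishonest witness can get a contaminated transaction into the log, but it cannot make the tokens fit the preset ranges, so the recheck exposes it.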

I'm still investigating and doing trials; for this I'm using basic open hardware such as Arduino Nano devices with simple sensors, so they can work concurrently and check their neighbors. Network simulation is also a great, cheaper option, but what can I say, I love hardware.

I will post some code in an open repo as soon as I have a nice performance working, but I'd love to hear your thoughts and opinions about this!

[1] Ajith Abraham, Rafael Falcon, Mario Koeppen: Computational Intelligence in Wireless Sensor Networks, ISBN 978-3-319-47715-2.

Top comments (5)

dallgoot

What comes to my mind from this :

  • if an orchestration of nodes is needed to defeat alerting: very simple if the attacker manages remotely (automatically) passive and active nodes: script the orchestration needed and wait for every order to respond successfully before engaging in the next order.
  • due to this "simplicity": a sequence of orders, a network monitoring tool (all the nodes) can be triggered as soon as the first order of the sequence of attack is detected. One possible counteraction would be to isolate the responsible node or hold the order for a time period so that the next attack order is not present in the network. Just a few thoughts...
Paula

This is very interesting, but even remotely, timing is an important factor as the nodes work concurrently. A script can be written for sure, but if it does fail, the system will not allow the same pattern again. Idk if that's what you mean?

Also yes! Network monitoring would be required for triggering; that isolation of the nodes you mention is the one I wanted to represent, for sure. In order to avoid constant interruption, false positives should be considered, but a contaminated area should definitely be isolated from transaction signing.

Thank you, such interesting thoughts

dallgoot

Yes exactly what I meant: script orders while checking for every result.
My idea was that if there's a "winning sequence", testing for it would require little effort: either the attacker remotely sends sequences OR, better yet, it keeps the connection to a passive/active node, programs sequence variations and makes one attacking node the coordinator of attacks.
As I understood there's one successful sequence of attack.
From this, my point was that from both points of view, attacker and defender, it is easy to act.
"Easy" meaning simple logic, but of course the attacker has work to do and the network defender has to constantly check for patterns in every node.
I don't know if that monitoring is practical in terms of network resources, however.
Anyway just thinking out loud about this: not an expert in networks at all ;)

Paula

Ah! Yes, there's a successful sequence that should work once, in case we use evolutionary algorithms to avoid it working again (not to mention randomness would try to prevent that, too), but yes, both attacking and defending are "easy", in any case.

Thanks, tho, I'd see it further when using a real experiment.

Ben Halpern

Step by step we are forgetting about the technology surrounding us and focusing on our goals, and this could also mean forgetting about the risk.

Super well articulated.