Security and Privacy in the IoT

Question 1

Privacy vs. Security

What is security? What is privacy? (or its goal)

Answer 1

Security - protect the data
Privacy - protect the user

Question 2

Issues with the IoT systems (4)

Answer 2

Hardware heterogeneity
Limited resources
Big data generation
Need for complex data protection and access measures

Question 3

Hierarchical IoT System (and give the 3 layers)

Answer 3

• Application layer - Applications/Services, Operation and Management
• Transportation later - Access Network
• Perception layer - WSN

Question 4

“The quality or state of being secure- to be free from danger”

Answer 4

Security

Question 5

A successful organization should have multiple layers of security in place: (6)

Answer 5

Physical security
Personal security
Operations security
Communications security
Network security
Information security

Question 6

The protection of information and its critical elements, including systems and hardware that use, store, and transmit information.

Give its necessary tools (5)

Answer 6

Information security

Necessary tools:
- policy
- awareness
- training
- education
- technology

Question 7

Security Concepts

Question 8

CIA TRIAD

________ - To ensure protection against unauthorized access to or use of confidential information

________ - To ensure that information and vital services are accessible for use when required

________- To ensure the accuracy and completeness of information to protect business processes

Answer 8

Confidentiality-Integrity-Availability (CIA)

1. Confidentiality
2. Availability
3. Integrity

Question 9

Which should weigh more security or usability?

Answer 9

usability

Question 10

Why learn IoT security from payment industry?

IoT systems face the same problems as ___________ faced before
- Initial design was for private point to point network the moved to _______ and later on the ______
- Started with basic security then found the security flaws and attached more complex security requirements later
- Low security devices from early design are still out there and used in compatible _________

Answer 10

card payment systems
IP network; internet
fall-back mode

Question 11

model of payment ecosystem and who are involved

Answer 11

Four-Party Model

• consumer
• merchant
• issuing bank
• acquiring bank

Question 12

Simplified Authorization Flow for Card Payment

1. The customer make a payment. Enter cardholder data into the__________ (POS, e-commerce website).
2. The merchant sends card data to an ________ who will route data to through the payments system for processing. For e-commerce, a _______ may redirect website to the acquirer.
3. The __________ sends the data to Payment brand.
4. __________ forwards the data to the issuer. The _______ verifies and make approval. For e-commerce, a payment gateway may redirect website to the issuer (ex. Verified by ______)
5. If the issuer agrees to fund the purchase, it will generate __________ and routes back to the card brand.
6. Payment brand forwards the authorization code back to acquirer/processor.
7. The acquirer/processor sends the authorization code back to the merchant.
8. The _______ concludes the sale with the customer.

Answer 12

1. merchant payment system
2. acquirer/payment processor, payment gateway
3. acquirer/processor
4. Payment brand; issuer; VISA
5. authorization number
6. merchant

Question 13

________ standard size (normally ID-1) card that has embedded integrated circuit with microprocessor

Answer 13

ISO/IEC 7810

Question 14

What can a smart card provide? (4)

Answer 14

personal identification
authentication
data storage
application processing

Question 15

There are different designs or types of smart cards such as: (3)

Answer 15

• Contact smart card - ISO/IEC 7816
• Contactless smart card - ISO/IEC 14443
• Hybrid

Question 16

Inside a smart card (7)

Answer 16

CPU
Security logic
Serial I/O Interface
Test Logic
ROM
RAM
EEPROM

Question 17

• microprocessor
• cryptographic co-processors
• random number generator

Answer 17

CPU

Question 18

Detects abnormal condition (e.g. low voltage)

Answer 18

security logic

Question 19

contacts the outside world

Answer 19

serial I/O interface

Question 20

Self-test procedure

Answer 20

test logic

Question 21

Basic Security Feature

Hardware (5)
Software (5)

Answer 21

Hardware
- closed package
- memory encapsulation
- fuses
- security logic (sensors)
- cryptographic co-processors and random generator

Software
- decoupling applications and operating system
- application separation (Java card)
- restricted file access
- life cycle control
- various cryptographic algorithms and protocols

Question 22

The two primary types of smart card operating systems are: (2)

Answer 22

Fixed File Structure
Dynamic Application

Question 23

What Card OS?

• files and permissions are set in advances by the issuer
• seldom used for payment cards

Answer 23

Fixed File Structure

Question 24

What Card OS?

• enables developers to build, test, and deploy different card application securely
• updates and security are able to be downloaded and dynamically changed
• ________ and _______ are the two main OS standards

Answer 24

Dynamic Application
- MULTOS and JavaCard

Question 25

• A standard, flexible tool box
• a known language and an easy tool for applet developers in cards
• requires the addition of Global Platform (or similar) to manage the card and its applets

Answer 25

JavaCard

Question 26

• a turn key system
• comes as a complete package for cards issuers, with its certification authority, language, tools and personalization process
• global platform is possible

Answer 26

MULTOS

Question 27

• also known as a point of sale terminal, credit card terminal, EFTPOS terminal, Electronics Data Capture (EDC)

Answer 27

Payment terminal

Question 28

a device which interfaces with payment cards to make electronic fund transfers

Answer 28

Payment terminal

Question 29

• A technical standard for smart payment cards and for payment terminals and automated teller machines (ATM)

Answer 29

EMV

Question 30

The initiative for EMV was taken by _________, __________ and ______ in the 1990s (now managed by EMVCe)

Answer 30

Europay, Mastercard and Visa

Question 31

support both ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (MasterCard Contactless, Paywave, Expresspay)

Answer 31

EMV

Question 32

EMV current version

Answer 32

4.3

Question 33

EMV consist of four books

________ - application and independent ICC to Terminal Interface Requirements
_______ - security and key management
_______ - application specification
_______ - cardholder, attendant, and acquirer interface requirements

Answer 33

Book 1
Book 2
Book 3
Book 4