LegitimateBroker: Mitigating Impersonation Attacks on MQTT Brokers in the Internet of Things

  • Charles Rampelotto Junior UFSM
  • Silvio Quincozes UFF
  • Juliano Kazienko UFSM

Abstract


The Internet of Things (IoT) has gained considerable prominence among emerging technologies. In this setting, device impersonation is a relevant security problem that remains understudied. This work proposes a mechanism, called LegitimateBroker, to mitigate impersonation attacks on an MQTT Broker device in the IoT. The proposal is based on mutual authentication between Publishers and the Broker, indirect key storage at the Broker, and periodic key renewal at both the Broker and the Publisher. Experiments indicate that the proposed mechanism has low overhead compared to other approaches and can be easily parameterized so that the key renewal rate matches both the frequency of publications made by the network nodes and the time needed to carry out the attack.

Published
02/09/2019
RAMPELOTTO JUNIOR, Charles; QUINCOZES, Silvio; KAZIENKO, Juliano. LegitimateBroker: Mitigando Ataques de Personificação em Broker MQTT na Internet das Coisas. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 19., 2019, São Paulo. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 141-154. DOI: https://doi.org/10.5753/sbseg.2019.13968.