
Design and Implementation of Hardware-Based Remote Attestation for a Secure Internet of Things

Wireless Personal Communications

Abstract

In general, Internet of Things (IoT) devices collect status information or operate according to control commands from other devices. If the safety and reliability of externally accessed devices are compromised, the risk of exposing internally collected private information, or of abnormal operation of internal devices, increases. This paper proposes a method of building a safe smart home environment by blocking in advance devices that may pose a risk: devices perform mutual safety verification prior to data transmission and reception through the Session Initiation Protocol (SIP) of the home network. Using a commercial Samsung smartphone rather than a development board to implement the device's own verification function, together with an open-source application and a SIP server providing free service, we established a practically applicable test environment and proved the feasibility of the device's attestation operation. In an operation test that captured packet data on the communication channel between two devices, it was confirmed that the parameter data for the actual attestation was transmitted in SIP/Session Description Protocol packets without any problems. It was also confirmed that the final verification result of the target device was correctly derived. With the proposed method, it is possible to establish a safe trust relationship between smart home devices and external smart devices, or between various IoT devices, while also securing the smart home environment by blocking communications with devices that intentionally seek to do harm.



Author information

Corresponding author

Correspondence to Myungchul Kim.


Cite this article

Ahn, J., Lee, IG. & Kim, M. Design and Implementation of Hardware-Based Remote Attestation for a Secure Internet of Things. Wireless Pers Commun 114, 295–327 (2020). https://doi.org/10.1007/s11277-020-07364-5

  • DOI: https://doi.org/10.1007/s11277-020-07364-5
