“Internet of Things (IoT)” is a popular term used to describe ubiquitous devices: a broad range of small, connected computing devices that are constrained in memory, processing capacity, and electrical power. The interconnected nature of these devices has significant ramifications for their cybersecurity posture. In 2014, the European Cooperation in Science and Technology (COST) organization funded a four-year research project to help industry and regulators increase security and privacy in ubiquitous computing systems. The consequent Cryptanalysis of Ubiquitous Computing Systems (CRYPTACUS) project is the subject of this book, edited by Avoine and Hernandez-Castro, the project’s chair and vice-chair, respectively.
A preface describes the book’s context and layout, and there is a thorough table of contents. The book is organized into five parts and contains 13 chapters. Each chapter can be read independently, a process assisted by each beginning with a succinct abstract. Part 1 is a general introduction and discussion of two major emerging security challenges for large networks of ubiquitous devices. Part 2 contains three chapters that catalogue existing lightweight symmetric cryptographic algorithms used on ubiquitous devices. Stream and block ciphers (notably the US National Security Agency’s Simon and Speck families), hash functions, message authentication codes, symmetrical encryption schemes, and key generation are discussed and analyzed, along with international standardization efforts for block ciphers.
Part 3 focusses on the implementation of electronic identities (eID) such as ePassports, and lightweight authentication protocols within the memory and processing constraints of ubiquitous devices. The last chapter of Part 3 presents the concept of relay attacks, and discusses the challenges and use of distance-bounding schemes as a countermeasure. The four chapters of Part 4 discuss issues with hardware and systems used for ubiquitous devices, including the consequences of their memory and processing constraints. Side-channel attacks are introduced, and tools for analyzing and addressing the risk of this type of attack are discussed. The unique challenges in identifying bugs in the embedded software used on ubiquitous devices are discussed, as well as the problem of generating truly random numbers on these small devices--a process vital for robust cryptographic systems.
Part 5, the final two chapters, covers issues of privacy and forensics associated with ubiquitous devices. Chapter 12 looks in detail at privacy issues, particularly issues of identity and location tracking and the growing impact of privacy legislation. Chapter 13 provides an overview of the different forensic practices needed for ubiquitous devices compared to “classical” computing systems. The book finishes with a comprehensive list of references.
The book is an interesting examination of the challenges and constraints around secure development and privacy issues for the rapidly growing universe of small ubiquitous devices in the IoT.