Smart Cities: A New Age of Digital Insecurity

SECTION I.

 

Introduction

Smart cities offer unprecedented conveniences and improved quality of life, a successful business operation, speedy transportation, secure financial transaction and educational and scientific research through advent of information technology [1]. The inhabitants of smart city use heterogeneous devices integrated with heterogeneous computing and multi-faceted data communication and network channels that run information systems in virtual mode most frequently to render smart security and cutting-edge analytics along with actions that augment business intelligence [2]. These data are prone to several security attacks since there are several possibilities of data leakage from these smartphones. Numerous assurance strategies (e.g., encryption, biometrics, namelessness) are broadly connected in various application fields. Tragically, these strategies are not adequate for the keen city condition. The principle reason is that the greater part of the sensors and gadgets have constrained computational power, so just straightforward cryptography calculations can be utilized specifically. We can protect data in the cloud by applying access control, encryption, and maintaining protection of sensitive data using VMware, regulatory compliance, data location and segregation, cloud security standards and certifications. It is indeed a fact, ICT has played a significant role in smart economic development, building an infrastructure to enable greater connectivity between citizens, devices and government.

Fig. 1.

IoT elements

Show All

SECTION II.

Security and Privacy Issues in Current Context

In the preceding few years, one of the popular targets for attack is the web server and its content [3]. People frequently change the applications but application also changes the people. Over the past few years, the problems posed by malicious code have been addressed technologically. In addition, new legal remedies have emerged in several countries [4]. The list of pieces of software that can be Trojaned is endless. It includes anything that the creator believes will entice the victim to open the software. Application such as games, chat software, media player. Screen savers and other similar types have been Trojaned. Our proposed onion model can strengthen the existing Network security system and can play a significant role to transform better result in smart city.

Table I: Risk matrix

The list of vulnerabilities found in Risk matrix include SQL injection, password cracking, unprotected sensitive functionality, cross-site scripting (XSS) flaws, DOS and DDOS attacks and various API-related issues. A majority of these security holes have been assigned either a “critical” or “high severity” rating.

Furthermore, there are mainly 3 ways to snuffle a network such as internal sniffing, external sniffing and wireless sniffing. Although, wireless sniffing is the latest form of the sniffing where attackers penetrate the network to get the information.

A. Locating Vulnerabilities in Database

Every database is prone to its own types of vulnerabilities [5]. Some common vulnerabilities includes improper and unused stored procedures and triggers, services account privilege issues, weak authentication methods and limited audit settings. To sort out issues in performing audits 2 pieces of softwares such as NGSSquirrel and AppDetective are quite promising and useful. Missing a patch or update can easily mean the difference between avoiding a problem and having your database server crippled.

B. Network Flaws

Attackers can apply ping of death which involves sending IP packets to target computer of more than 65,535 bytes. In fact, this is the very effective method of attackers to crash a network or system and is very dangerous as it have a very high probability of getting a success. It exploits by sending the IP fragment packets that are very difficult to reassemble. It affects the victim's system resulting operating system to crash.[19] [27] [15] [28].

SECTION III.

Proposed Security Framework

Table 1 advocates numerous procedures of hacking using several hacking techniques executed by hackers. There is no complete solution that can cover all vulnerabilities, therefore in order to plan for a solution within this research, the first requirement is to identify and define the major hacking processes with the widest coverage possible. A multi layered smart security onion model is proposed to guard IoT based applications which share big amount of information getting transferred over heterogeneous devices in smart city [22].

Fig. 2:

Smart security onion model

Show All

The proposed Onion model is shown in the below fig 2. which signifies a security operation center encompassed with Sensor security layer to provide authentication and authorization to use IoT. Network communication security layer is accountable for data filtering and data loss prevention. File and Data encryption is carried out by Data security layer. Exploit writing is getting controlled by Application security layer.

To overcome malicious insiders, Liu and Lam [42] recommend Blackholing and Sinkholing.

As shown in fig - 3. This cube also describes that confidentiality, integrity and availability is smart security requirements of smart citizens of smart city. In the category of Information Technology process and under IDs and IPs.

Fig. 3:

Cobit cube security framework

Show All

SECTION IV.

Securing Smart Cities: Mitigation and Prevent Ative

Message Security Protocol(MSP) can be used to provide authentication, integrity and nonrepudiation services [8]. Secure Shell(SSH) application can be applied to provide secure remote access capabilities. [9]. SQL injections are common and serious issues with any web sites that uses a database as its back end[10]. There is a need to impart proper training to detect and exploit flaws. Challenge Handshake Authentication Protocol can be used to transfer the username and password which uses a hashed value that is valid for a single logon transaction [23]. Point to Point Tunneling Protocol(PPTP) can be used to maintain the virtual connection and the encryption that ensures confidentiality.

A. Password Security

We can use strong passwords that must be a complex string, not less than 16 characters long, and must be changed constantly, and never to allow exposure to others, least privileges, and consider multi-factor authentication, rule-based access control, segregation of network and separation of duties. Limit passwords for low value applications, and SMS challenge response for low value e-commerce, medium and high value applications[13]–​[17] [6]. Limit passwords for low value applications, and SMS challenge response for low value e-commerce, medium and high value applications.

1) To Secure Log in Password Security: Salting Technique of Hashing

importhashlib

def calculate hash(password):

h = hashlib.sha256(password.encode(‘utf-8’))

hexdigest()

return h

def subscribe(user _ name, password):

account = user_name + ‘;’ + calculate _ hash(password)

f= open(‘C:/PythonFile/accounts.txt’, ‘w’)

f. write(account)

f.close()

print (‘ [+] You are registered now! ‘)

def login(user _name, password):

f= open(‘C:/PythonFile/accounts.txt’, ‘r’)

account_file = f.read()

s = account_file.split(‘;’)

user_name_file = s[0]

password_file = s [1]

hashed _password = calculate _ hash(password)

if user_name == user _ name _file and hashed _password

== password_file:

print(‘ You are Authenticated:)’)

else:

print (‘[!] Invalid username or password’)

defmain():

input1 = input(“Enter:\n 1] to subscribe\n 2] to login\nChoice>”)

if input 1 == ‘1 ’:

user_name = input(“Enter a username:”)

password = input(“Enter a password:”)

subscribe(user _ name, password)

elifinputl == ‘2’:

user_name = input(“enter a username:”)

password = input(“Enter a password:”)

login(user _ name, password)

else:

print (‘ [!] Invalid choice’)

main()

B. Data Security

Type Qualifier converts the characteristics of variables into programming language and detects vulnerability according to user defined type qualifier [18] [19]. Data-flow analysis is usually implemented for buffer flow attack detection. When data is received from un-trusted source, it is marked as taint in data flow analysis [20] [21]. Fault injection is applied to find faults in security system by injecting faults in it and then observing system behavior[22]. Pattern Matching searches for pattern string inside the source code of software providing number of times the pattern occur[28].

Sequence Analysis arranges the source code in form of token and matches it with the database filled up with vulnerability possibilities [33]–​[35].

Deep Packet Inspection can be (DPI) can be applied for detection and prevention systems which increases their strength for detection and prevention of intruders [8].

The purpose of implying WIPS(Wireless Intrusion Prevention System) is that any unauthorized person can hack the system within range of wireless router. So WIPS finds the unauthorized access point and kills the connection [23].

C. Data Encryption

Enforcing authentication and authorization by preventing common web attacks, such as man-in-the-middle attacks, man in the browser attacks, phishing and ransomware attacks request forging, and replay by using the latest version of the chosen system, and use of cryptographically strong tokens, and considering careful storing application state as follows, 1) Authorization, credentials and role data should be stored on the server side only. 2) Navigation data is acceptable in the URL as long as validation and authorization checks are effective. 3) Presentation flags such as theme or user language store in cookies. 4) Form data hidden fields are not allowed unless used for sequence protection and to prevent brute force pharming attacks. 5) Data from multi-page forms may be sent back to the user when data is validated after every form submission process, or if there are integrity controls to prevent tampering. [23] [15] [16] [24] [25] [17] [41].

However, there are many advances in the field of encryption, for example Kerberos encryption Technique [7]. Pretty Good Privacy(PGP) can be addressed for e-mail security in smart city which provides authentication through the use of symmetric block encryption, compression using the ZIP algorithm and e-mail compatibility using the radix −64 encoding scheme[11]. On the other hand, steganographic methodologies are used to hide the existence of high capacity data in executable files [12], [26]. EAPOL-Key confirmation key can be used to provide integrity protection for key material distributed during the 4-way Handshake[29] which also supports the integrity and data origin authenticity. Group Temporal Key(GTK) can provide the actual protection for user traffic. In addition, it can also provide confidentiality and integrity protection for multicast or broadcast user traffic[30] in smart city.

2) Application of Securely Exchange Keys Between 2 Users: Using Elliptic Key Cryptography

Elliptic Curve cryptography can be used for

• Encryption and Decryption

• Exchange key

• Digital Signature.

Sender's key Generation:

Select private key nAnA<n

Sender can choose any number as the private key with condition it must be less than n.

Condition is nA(private key of Alice) must be less than n. Where n is the limit on elliptic curve.

Public key of Alice=private key of Alice x Generator Point

Calculation of public key for sender PA=nAxG

Receiver can select any number as the private key with a condition the number must be less than n(where n is limit on elliptic curve).

Public key of Receiver=private key of Receiver x Generator Point

Thus sender is having Private and Public key pair. Receiver is also having Private and Public key pair.

Show All

Secret key calculation by Sender

K=nAx PB

View Source

Sender will have it's own private key (nA) as well as Public Key of Receiver (PB)

Secret key calculation by Receiver

K=nBx PA

View Source

Receiver will have it's own private key (nB) as well as PA as sender's public key.

ECC Encryption:

Here Message M is going to be encrypted on a point in an Elliptic curve. i.e Pm

Once the point is encrypted then it is sent to the receiver.

Cm:	Corresponding cipher point
kG=	Generator Point or Base Point. Here it is first point
Pm	Plain Text message encrypted on a point in an elliptic curve
PB	public key of Bob
K=	random positive integer

Pm+kPB is the second point

Where G is the base point.

Cm={kG, Pm+kPB}

View Source

Pm+kPB is going to be sent to the receiver.

Now Let's see how to decrypt it.

A is sending message to B.

For encryption we are using public key of b For decryption we are using private key of b.

b will take the first point i.e kG which will be multiplied with private key of B.

Decryption

For decryption, multiply first point in the pair with receiver's secret key

i.e kG x nB

View Source

Then subtract it from the pair of 2nd point

i.e Pm+kPB−(Kg x nB)

View Source

Given

PB=nB X G

View Source

SECOND POINT=P + kP B

Pm+kPB−(Kg x nB)Pm+kPB−(KPB)=Pm

View Source

Pm = Plain Text message and it is the original point Now the receiver can decode that message on that particular point

Finally the receiver can decrypt that point and eventually the message can be decoded from that point.

So in fact we are not encrypting the data but actually we are encoding the message on a point then that point is encrypted.

D. Hardening of Authentication

We can encourage good authentication practices, such as: 1) Transmitting credentials only over encrypted links. 2) Passwords must be complex of minimum length of 16 characters, and one-month expiration date. 3) Separation of duty and role-based least privileged (minimum need to know bases) accounts. 4) Must limit the maximum number of authentication attempts, which if exceeded, the system must lock accounts for at least 45 seconds to deter brute force attacks. 5) Use secure links such HTTPS, SSH, SSL, SET, IPSec VPN for remote access [41].

SECTION V.

Conclusion

It is indeed a fact implementing Security and Privacy policies, still poses some challenges and is best implemented as an iterative process. Wireless communication and networking are technologies that have been rapid growth and adoption over the past few years in smart city. This paper explores how to use wireless technology in smart city, reaping its benefits and doing so securely. Data encryption, hardening of authentication, access controls and password security are key points which needs to be addressed in smart city. The method used in protecting the data helps in better performance with feasible and efficient protection using proposed onion model. The numerous security issues and effective defense in depth techniques are presented in this paper. It delivers confidential, authentication and integrity in the exchange of keys(private, public and secret key). The future work includes a method which eradicates the crime attacks and improves the efficiency and implication of ElGamal elliptic curve encryption for encryption of the image in smart city to overcome digital insecurity.