Friday, 8 May 2020

Security of Emerging Connected Systems


Faculty of Engineering, Environment and Computing
7026EM Security of Emerging Connected Systems
Assignment Brief
Module Title: Security of Emerging Connected Systems
Individual
Cohort: January
Module Code: 7026CEM
Coursework Title (e.g. CWK1): Security Investigation – Home IoT System
Hand out date: 30th March 2020
Lecturer: Dr. Basil Elmasri
Due date and time: 17th April 2020, Moodle: 18:00:00
Estimated Time (hrs): 25
Word Limit*: 2500, not including appendices, logs, screenshots, PoC code, etc.
Coursework type: Report
2/3 of Module’s Mark
Submission arrangement online via CUMoodle: Turnitin.
File types and method of recording: PDF, docx.
Mark and Feedback date: 4th May 2020.
Mark and Feedback method (e.g. in lecture, written via Gradebook): Turnitin grading.
Module Learning Outcomes Assessed:
3. Propose and implement effective 'defence-in-depth' solutions to mitigate the key technical internet security vulnerabilities that organisations face.
4. Design and implement secure private networks for IoT and BYOD.
5. Discuss and debate a wide range of current research and technological advances in network security.
Task and Mark distribution:
Introduction
You are given access to an IoT environment, representing a home owned by early adopters in the current move to "smart homes". The devices are all from a single manufacturer and you are required to evaluate the security aspects of the system before marketing and sale of the devices.
You will be given access to a testbed network in order to perform a practical security audit as well as associated documentation for review.
This document is for Coventry University students for their own use in completing their
assessed work for this module and should not be passed to third parties or posted on any
website. Any infringements of this rule should be reported to
facultyregistry.eec@coventry.ac.uk.
Task Breakdown
Your work should include:
1. A security evaluation report on the test-bed system. This is a "white-box" analysis, so you
should execute it as a security review rather than penetration test. You can examine any of the
files and materials you are given, but any security vulnerability should be demonstrated with
a proof-of-concept (PoC) attack that would work without the information gained through white-box
testing. Make sure you consider more than just direct attacks on the devices. Also consider
what information is exposed about the consumer.
2. A report to the manufacturer on your findings that includes a short review of each problem,
along with a brief overview of how it could be solved. For each issue, you should have a more
detailed description of the steps you took to discover it, showing enough detail for it to be
repeated by the developers.
Scope
• You will be given a collection of Docker build scripts and Makefiles.
• Although you have access to the non-live versions of the systems, their Dockerfiles, Makefiles and so on, this does not count as a vulnerability. This is just the mechanism by which you gain access to the virtualised IoT environment.
  o You can, however, examine all of these files to see if there might be vulnerabilities or security flaws you can demonstrate in the running system.
  o This is the equivalent of having the source code for the IoT systems and being able to review the code, making this a "white box" test.
The system
The system is comprised of:
• An MQTT server that coordinates internal messaging and provides a web front-end for the user
• A database server that stores local information, settings and so on
• A number of devices within the system:
  o a temperature sensor
  o a heating system
  o a light sensor
All of the services are containerised in order to minimise platform dependency. For the purposes
of this coursework you can assume that the underlying platform is secure unless the container
itself is compromised. You will be given a separate container for each of the services and they
will function in "virtual mode" while not on actual hardware.
You are also provided with a document describing the design of the infrastructure outside of the
containers. You must include this in your assessment, but rather than look for vulnerabilities in
the implementation for this part, you must assess the design decisions presented.
Marking Scheme
| Criteria | Security analysis | Recommendations | Report |
|---|---|---|---|
| ILO | 4+5 | 3+4+5 | |
| Weight | 40% | 40% | 20% |
| Assessment Criteria | Thorough practical security review | Recommendations for technical solutions to the identified problems | Report structure, referencing (if any) and presentation |
| ≈ 40% | Some security issues identified, perhaps not all implications described | Basic solutions suggested | Poorly presented but complete report |
| ≈ 50% | Good coverage of issues, with evidence of the processes of scanning and discovery included | Technically correct solutions and mitigations for all identified issues, no demonstration of success | Well-presented report, with structure, but presented mostly as a record of activity rather than an actionable report |
| ≈ 60% | Good coverage of security issues, well described and repeatable work | Solutions given for prevention and mitigation in a sophisticated manner, demonstrated in context | Report has clear structure and is suitable for a technical person to read |
| >70% | Investigation considers more than just direct attacks | Solutions are given with demonstration of understanding of the cost implication, forward secrecy/security and possible legislative issues | Report is well structured, with thought given to multiple readers: management, technical leadership and implementation technician |
Notes:
1. You are expected to use the Coventry University Harvard Referencing Style. For support and
advice on this, students can contact the Centre for Academic Writing (CAW).
2. Please notify your registry course support team and module leader for disability support.
3. Any student requiring an extension or deferral should follow the university process as outlined
here.
4. The University cannot take responsibility for any coursework lost or corrupted on disks,
laptops or personal computers. Students should therefore regularly back up any work and are
advised to save it on the University system.
5. If there are technical or performance issues that prevent students submitting coursework
through the online coursework submission system on the day of a coursework deadline, an
appropriate extension to the coursework submission deadline will be agreed. This extension
will normally be 24 hours or the next working day if the deadline falls on a Friday or over the
weekend period. This will be communicated via your Module Leader.
6. You are encouraged to check the originality of your work by using the draft Turnitin links on
your Moodle Web.
7. Collusion between students (where sections of your work are similar to the work submitted
by other students in this or previous module cohorts) is taken extremely seriously and will be
reported to the academic conduct panel. This applies to both coursework submissions and
exam answers.
8. A marked difference between your writing style, knowledge and skill level demonstrated in
class discussion, any test conditions and that demonstrated in a coursework assignment may
result in you having to undertake a Viva Voce in order to prove the coursework assignment is
entirely your own work.
9. If you make use of the services of a proofreader in your work, you must keep your original
version and make it available as a demonstration of your written efforts.
10. You must not submit work for assessment that you have already submitted (partially or in
full), either for your current course or for another qualification of this university, unless this
is specifically provided for in your assignment brief or specific course or module information.
Where earlier work by you is citable, i.e. it has already been published/submitted, you must
reference it clearly. Identical pieces of work submitted concurrently will also be considered
to be self-plagiarism.
Mark allocation guidelines are given in the attached coursework brief
