The 20th World Conference on Information Security Applications: WISA-Workshop 2019, Springer, In Press.
In recent times, smart home devices like Amazon Echo and Google Home have reached mainstream popularity. These devices are intrinsically intrusive, being able to access user’s personal information. There are growing concerns about indiscriminate data collection and invasion of user privacy in smart home devices. Improper trust assumptions and security controls can lead to unauthorized access of the devices, which can have severe consequences (i.e. safety risks). In this paper, we analysed the behaviour of smart home devices with respect to trust relationships. We set up a smart home environment to evaluate how trust is built and managed. Then, we performed a number of interaction tests with different types of users (i.e. owner, guests). As a result, we were able to assess the effectiveness of the provided security controls and identify some relevant security issues. To address them, we defined a trust model and proposed a solution based on it for securing smart home devices.
Advances in Core Computer Science-Based Technologies, Springer International Publishing, pp. 157-173, 2021. DOI
Internet of Things (IoT) technologies have enabled Cyber-Physical Systems (CPS) to become fully interconnected. This connectivity however has radically changed their threat landscape. Existing risk assessment methodologies often fail to identify various attack paths that stem from the new connectivity/functionality features of IoT-enabled CPS. Even worse, due to their inherent characteristics, IoT systems are usually the weakest link in the security chain and thus many attacks utilize IoT technologies as their key enabler. In this paper we review risk assessment methodologies for IoT-enabled CPS. In addition, based on our previous work (Stellios et al. in IEEE Commun Surv Tutor 20:3453–3495, 2018, ) on modeling IoT-enabled cyberattacks, we present a high-level risk assessment approach, specifically suited for IoT-enabled CPS. The mail goal is to enable an assessor to identify and assess non-obvious(indirect or subliminal) attack paths introduced by IoT technologies, that usually target mission critical components of an CPS.
Human-centric Computing and Information Sciences, vol. 10, no. 50, Springer, 12/2020. DOI (I.F.: 5.9)
The Internet of Things (IoT) is a paradigm that permits smart entities to be interconnected anywhere and anyhow. IoT opens new opportunities but also rises new issues.
In this dynamic environment, trust is useful to mitigate these issues. In fact, it is important that the smart entities could know and trust the other smart entities in order to collaborate with them.
So far, there is a lack of research when considering trust through the whole System Development Life Cycle (SDLC) of a smart IoT entity.
In this paper, we suggest a new approach that considers trust not only at the end of the SDLC but also at the start of it. More precisely, we explore the modeling phase proposing a model-driven approach extending UML and SysML considering trust and its related domains, such as security and privacy.
We propose stereotypes for each diagram in order to give developers a way to represent trust elements in an effective way.
Moreover, we propose two new diagrams that are very important for the IoT: a traceability diagram and a context diagram.
This model-driven approach will help developers to model the smart IoT entities according to the requirements elicited in the previous phases of the SDLC.
These models will be a fundamental input for the following and final phases of the SDLC.
International Journal of Information Security , Springer, pp. 111-127, 01/2020, 2019. DOI (I.F.: 1.494)
The Internet of Things (IoT) is an environment of interconnected entities, which are identifiable, usable and controllable via the Internet. Trust is useful for a system such as the IoT as the entities involved would like to know how the other entities they have to interact with are going to perform.
When developing an IoT entity, it will be desirable to guarantee trust during its whole life cycle. Trust domain is strongly dependent on other domains such as security and privacy.
To consider these domains as a whole and to elicit the right requirements since the first phases of the System Development Life Cycle (SDLC) is a key point when developing an IoT entity.
We emphasize on the importance of the concept of traceability. This property permits to connect all the elicited requirements guaranteeing more control on the whole requirements engineering process.