
Security and Ethics in Ubiquitous Computing Environments

Sudantha Gunawardena


Contents
Abstract
1.0 Introduction
2.0 Properties of Security
3.0 Anatomy of a Ubiquitous Environment and Attacks
4.0 Authentication and Recognition
  4.1 Spontaneous Interactions
  4.2 Shaking as an authentication
  4.3 Ultrasonic Authentication
  4.4 Visible Laser for Authentication
5.0 Security Vulnerabilities
  5.1 Physical Security
    5.1.1 Replacing or Modify the Hardware Devices/Software
  5.2 Wireless attacks
    5.2.1 Denial-of-Service Attacks (DoS attacks)
    5.2.2 Network eavesdropping
    5.2.3 Man in the Middle attacks
  5.3 Attacks on Cryptography Schemes
    5.3.1 Brute-force attacks
    5.3.2 Rainbow attacks
  5.4 Social engineering attacks
    5.4.1 Phishing Attacks
6.0 Security Mechanisms
7.0 Ethics
8.0 Conclusion
References
Bibliography


Abstract
Ubiquitous computing is an approach to human-computer interaction based on ambient intelligence, in which users draw on computer intelligence in their day-to-day activities. Many universities and research institutes are working on research projects to make ubiquitous computing a reality. At present, security, ethics and privacy are among the foremost challenges in information technology, and they will carry over to ubiquitous computing as a key challenge. Because ubiquitous computing deals with people's day-to-day activities, much of their sensitive private information can be exposed and therefore needs to be secured in ubiquitous environments.

1.0 Introduction
According to Blaauw & Frederick (1997), the first generation of computing was the age of mainframes, in which multiple users shared the same centralized machine. In the late 80s the personal computer era began, with the slogan of making computers available to each person individually. Computer enthusiasts like Steve Wozniak pioneered the building of the first personal computer. According to Stajano (2002, p.2), ubiquitous computing can be defined as an approach of "everywhere computing" and can be regarded as the third generation of computer evolution. As Weiss & Craiger (2002, p.1) put it, ubiquitous computing can be defined as embedding computers in our work and personal lives, without demanding the users' attention, to improve the productivity of regular activities.


2.0 Properties of Security


According to Stajano (2002, p.4), each secure entity should have three key properties:
Security: Protect sensitive data from unauthorized attacks or systems.
Integrity: Prevent attackers from accessing or modifying information in a secure system by unauthorized techniques.
Availability: Users are able to access the system at all times, without failures or maintenance interruptions.

Figure 1 - Information Security triangle - Stajano (2002)

A secure system should keep these three properties in equilibrium. Without that equilibrium a secure system cannot be considered a successful system. As an example, consider a system with a high degree of security relative to its availability: such a system is unproductive, because users are not motivated to use a system that is not easy to use.


3.0 Anatomy of a Ubiquitous Environment and Attacks


Figure 2 - Anatomy of a Ubiquitous Environment - Kang (2007). Levels shown: Users, Devices, Wireless Network, Service Framework, Content Providing Services. Attacks shown: social engineering attacks, physical attacks, network eavesdropping, attacks on cryptography schemes.

According to Kang (2007), a ubiquitous environment deals with several levels of devices and environments. Securing the substructures at each level will in turn produce a secure ubiquitous scheme. As the figure above shows, the levels run from the user to the content providing services; the approach is to identify the security vulnerabilities at each level and present the necessary solutions. The following table shows the security vulnerabilities at each level.

Level: User, Device, Wireless Network, Service Framework, Content Providing Services
Security Vulnerabilities: Social engineering attacks, Physical attacks, Network eavesdropping / Man in the middle attacks, Attacks on cryptography schemes

Table 1 Security Vulnerabilities in each level.


4.0 Authentication and Recognition


Authentication plays a major role in security. Current approaches such as alphanumeric passwords, biometric recognition and graphical passwords require users to take an explicit action to be authenticated, which is not appropriate for ubiquitous computing environments, because the foremost rationale of ubiquity is to make computing invisible and present everywhere. According to Mayrhofer (2009, p.4), a few researchers have designed authentication approaches specifically for ubiquitous computing environments. These approaches do not require user involvement to authenticate. According to Mayrhofer & Welch (2007, p.3), when two devices need to establish secure authentication using a symmetric key technique, the two users must first agree on a shared common key. In a ubiquitous environment this key agreement has to take place over a wireless medium, which can be exposed to various attacks such as phishing attacks and man in the middle attacks. As further described by Mayrhofer & Welch (2007, p.4), to defeat these attacks only trusted devices can be connected to each other; however, the wireless network will still remain insecure.


4.1 Spontaneous Interactions


According to Mayrhofer & Gellersen (2007, p.3), one of the key challenges in designing authentication systems for ubiquitous environments is the following. In present-day computing, two devices that need to be connected already have some knowledge of each other. A ubiquitous world of everyday, everywhere computing, however, involves an enormous number of devices that have no prior knowledge of each other and communicate without human interaction. In ubiquitous computing, therefore, devices that have no prior information about each other must authenticate and interact with each other, which Mayrhofer & Gellersen (2007) call spontaneous interactions.

Figure 3 - Spontaneous Interactions (spontaneous interactions and authentication between Device 1, Device 2 and Device 3)

The problem is that current authentication schemes are not spontaneous. Researchers have therefore come up with the following new types of authentication scheme, which are spontaneous.


4.2 Shaking as an authentication


Shaking or moving an object in simple harmonic motion (SHM) is easy to do with most objects. Mayrhofer & Gellersen (2007, p.3) describe an approach to authentication in ubiquitous computing in which a simple shaking motion is used to generate keys and authenticate devices by measuring the acceleration of each device.

Figure 4 - Implementation of 'Shaking' as an authentication (labels: Device, Accelerometer)

As further described by Mayrhofer & Gellersen (2007, p.8), this method of authentication can be simple, cheap and power efficient. The technique works as follows. Mayrhofer & Gellersen (2007, p.147) state that the core concept of the proposed authentication approach is based on evaluating accelerometer readings. First, three preprocessing tasks sense and capture the accelerometer input: the data is sampled, synchronized and aligned on the two devices separately. As a result of these steps, the following graph is generated on both of the devices that need to authenticate.


Figure 5 - Spectrum of an accelerometer outcomes by 'shaking' the devices - Mayrhofer & Gellersen (2007, p.147)

Finally, in the authentication phase the two spectra are matched and authentication is completed. The main advantage of the method is that two devices can be authenticated spatially. The foremost disadvantage is that the shaking is done by a human, so there is some probability that the two devices do not end up with the same spectrum.
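The matching step described above can be sketched as follows. This is an added example, not code from the paper or from Mayrhofer & Gellersen: it assumes the two traces are already sampled and aligned to the same length, compares magnitude spectra by cosine similarity with an assumed threshold of 0.9, and uses constructed accelerometer traces; it does not cover key generation.

```python
import cmath
import math
import random


def magnitude_spectrum(samples, max_bin):
    """Magnitudes of DFT bins 1..max_bin after removing the constant (gravity) offset."""
    n = len(samples)
    mean = sum(samples) / n
    centered = [s - mean for s in samples]
    spectrum = []
    for k in range(1, max_bin + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(centered))
        spectrum.append(abs(acc) / n)
    return spectrum


def spectral_similarity(a, b, max_bin=40):
    """Cosine similarity of the two magnitude spectra (1.0 means identical shape)."""
    if len(a) != len(b):
        # Bins only refer to the same frequencies when both traces have equal length.
        raise ValueError("traces must be sampled and aligned to the same length")
    sa = magnitude_spectrum(a, max_bin)
    sb = magnitude_spectrum(b, max_bin)
    dot = sum(x * y for x, y in zip(sa, sb))
    norm = math.sqrt(sum(x * x for x in sa)) * math.sqrt(sum(y * y for y in sb))
    return dot / norm if norm else 0.0


def same_shake(a, b, threshold=0.9):
    """Accept the pairing only if the spectra match closely.

    The threshold (an assumed value) trades false rejects, when a human shakes
    the two devices unevenly, against false accepts of an unrelated device.
    """
    return spectral_similarity(a, b) >= threshold


def simulated_shake(components, seed, rate_hz=64, seconds=4, noise=0.1):
    """Constructed trace: gravity + sinusoids given as (freq_hz, amplitude) + sensor noise."""
    rng = random.Random(seed)
    return [
        9.81
        + sum(amp * math.sin(2 * math.pi * f * i / rate_hz) for f, amp in components)
        + rng.gauss(0.0, noise)
        for i in range(rate_hz * seconds)
    ]


# Constructed motions: two devices shaken together share JOINT_SHAKE,
# a third device shaken elsewhere follows OTHER_SHAKE.
JOINT_SHAKE = [(3.0, 4.0), (6.0, 1.5)]
OTHER_SHAKE = [(4.5, 4.0), (9.0, 1.5)]

if __name__ == "__main__":
    dev1 = simulated_shake(JOINT_SHAKE, seed=1)
    dev2 = simulated_shake(JOINT_SHAKE, seed=2)   # same motion, independent sensor noise
    dev3 = simulated_shake(OTHER_SHAKE, seed=3)   # not shaken together with dev1
    print("dev1/dev2:", round(spectral_similarity(dev1, dev2), 3), same_shake(dev1, dev2))
    print("dev1/dev3:", round(spectral_similarity(dev1, dev3), 3), same_shake(dev1, dev3))
```

Because only magnitudes are compared, a device shaken separately at the same frequencies would also match; that limitation belongs to this simplified sketch.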


4.3 Ultrasonic Authentication


According to Gellersen & Mayrhofer (2007), ultrasonic waves can be used as an authentication approach between two devices. Because ultrasound travels through air quite slowly, according to Gellersen & Mayrhofer (2007, p.1) ultrasonic beams can be used to calculate the distance, the arrival time of the signal and the arrival angle of the signal. Authentication can then be achieved relative to the position of the devices and the angle of the signal.

Figure 6 - Ultrasonic Authentication (labels: Ultrasonic Device, Ultrasonic beams, Device 1, Device 2, T=t, T=t+1)

As the diagram above shows, an ultrasonic sound wave is transmitted, and at the receiver's end the angle and arrival time of the signal can be calculated. With this data the two devices can be authenticated.


4.4 Visible Laser for Authentication


According to Mayrhofer & Welch (2007, p.6), visible laser light can be generated using a laser diode and used to authenticate devices wirelessly, without human interaction. As Mayrhofer & Welch (2007, p.7) define this technique, the devices that need to authenticate must be kept in line of sight.

Figure 7 - Authentication using visible laser light (labels: Laser Diode, Laser Beam, Device 1, Device 2)

However, as further described by Mayrhofer & Welch (2007, p.7), the visible laser channel cannot be considered authentic and confidential, because it is easily exposed to attackers, who can even modify the channel.

Figure 8 - Attack on visible laser light scheme (labels: Laser Diode, Laser Beam, Device 1, Device 2, Attacker)

Mayrhofer & Welch (2007, p.8) state that by using a cryptography scheme such as Diffie-Hellman key exchange, the data on the laser channel can be secured and authenticated.


5.0 Security Vulnerabilities


5.1 Physical Security
According to Mayrhofer (2009, p.8), because ubiquitous computing environments involve many more interconnected devices than present-day computing, they can create more security threat scenarios, especially for the physical security of devices. According to Mayrhofer (2009, p.8), an intruder can plan an attack on ubiquitous devices using the following tactics.

5.1.1 Replacing or Modify the Hardware Devices/Software


Consider a scenario in which several devices are interconnected to provide a ubiquitous service to a user. An attacker gains access to this ubiquitous system by replacing or modifying one of these devices without the user being informed. This applies not only to hardware devices: portions of software applications, or entire applications, in ubiquitous environments can be replaced with malicious applications that break functionality or steal users' sensitive data.

5.1.2 Damage or Destroy Hardware Devices /Software


An attacker can also damage or destroy the physical properties of hardware devices. Damage to a physical device can halt the operation of a large ubiquitous component or cause the loss of large sets of users' sensitive data and information.


5.2 Wireless attacks


In ubiquitous environments, devices and users are interconnected to exchange data and instructions in order to provide services to the user. In particular, ubiquitous devices will be connected to each other using wireless networks.

5.2.1 Denial-of-Service Attacks (DoS attacks)


According to Hole (2008), a DoS attack is an attacker's approach to preventing users from accessing a certain service, or to disrupting or reducing the efficiency of a service, by creating a large volume of unnecessary traffic requests. A key symptom of a DoS attack is that, as the large number of unnecessary data packets travels through the network, network consumption increases and the network becomes slow.

Figure 9 - Denial-of-Service Attack (labels: Attacker (three), DoS attack, User, Request, Network, Target Server)

In a ubiquitous environment in particular, the unavailability of a service, or slow access to it, will be catastrophic, because devices depend on each other for information.
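The symptom described above, a sudden rise in request volume, can be detected with a change-point test over per-second request counts. The following is an added example, not code from the paper or its sources: it uses a one-sided CUSUM detector with an attack-free baseline window, and the event tuples, source names and parameter values are constructed assumptions.

```python
import math
from collections import Counter


def bucket_counts(events, n_intervals):
    """Count requests per one-second interval from (second, source) events."""
    counts = [0] * n_intervals
    for second, _source in events:
        counts[second] += 1
    return counts


def cusum_alarm(counts, baseline_len=10, slack=0.5, threshold=5.0):
    """Return the index of the first interval where upward drift is detected, else None.

    The first baseline_len intervals are assumed attack-free and give the
    normal mean and standard deviation. Each later count is standardised,
    and only deviations above `slack` accumulate, so ordinary jitter decays
    back to zero while a sustained or very large rise crosses `threshold`.
    """
    base = counts[:baseline_len]
    mean = sum(base) / len(base)
    var = sum((c - mean) ** 2 for c in base) / len(base)
    std = max(math.sqrt(var), 1.0)   # floor avoids division by ~0 on flat baselines
    score = 0.0
    for i in range(baseline_len, len(counts)):
        z = (counts[i] - mean) / std
        score = max(0.0, score + z - slack)
        if score > threshold:
            return i
    return None


def top_sources(events, second, limit=3):
    """Activity profile for one interval: which sources sent the most requests."""
    return Counter(src for s, src in events if s == second).most_common(limit)


def build_sample_events():
    """Constructed traffic: 20 seconds of normal load, plus a flood from second 14 on."""
    normal_rate = [10, 9, 11, 10, 12, 8, 10, 11, 9, 10,
                   11, 10, 9, 12, 10, 11, 9, 10, 10, 11]
    events = []
    for second, rate in enumerate(normal_rate):
        events.extend((second, f"client-{j % 5}") for j in range(rate))
        if second >= 14:
            # "device-x" is a constructed name for the flooding source.
            events.extend((second, "device-x") for _ in range(60))
    return events


if __name__ == "__main__":
    events = build_sample_events()
    counts = bucket_counts(events, 20)
    alarm = cusum_alarm(counts)
    print("requests per second:", counts)
    print("alarm raised at second:", alarm)
    if alarm is not None:
        print("top sources in that second:", top_sources(events, alarm))
```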

5.2.2 Network eavesdropping


Wireless network eavesdropping is currently a considerable issue as well. According to Arbaugh (2002), network eavesdropping can be defined as an attacker capturing data packets that are transmitted over wireless or wired networks.

Figure 10 - Network eavesdropping in a network (labels: Sender, Receiver, Attacker, Attacker capturing data packets)

An attacker can listen to the network and capture data packets, and can use this information to mount attacks or steal users' confidential information. Such attackers can even modify the data stream and add malicious code to it.


5.2.3 Man in the Middle attacks


According to Eriksson (n.d., p.7), a common form of network eavesdropping is the man in the middle attack, in which an attacker sits between the sender and the receiver, captures the traffic transmitted by the sender, modifies the information by adding malicious scripts, and sends it on to the original receiver.

Figure 11 - Man in the middle attack (labels: Sender, Receiver, Attacker, Original Connection, Man in the Middle Connection)

In a ubiquitous environment, when two devices need to transmit sensitive user data, an intermediate attacker can capture the data, modify it and pass it on to the original receiver or the sender. Man in the middle attacks can be avoided by creating secure channels between the two communicating parties, such as SSL or SSH, but such channels cannot assure entirely secure communication, because even these channels can, rarely, be attacked. These secure communication channels are also not ready to survive in ubiquitous environments, because they are designed for general network communication.


5.3 Attacks on Cryptography Schemes


Most of the users' sensitive information stored in data repositories is not kept in plain text, because if attackers gain entry to the data repository they can easily manipulate the information. Using cryptography schemes, the data can be encrypted, then decrypted and used when required. With modern computing, however, these cryptography methods cannot be considered a secure approach, because various attacks have been built to break these cryptography algorithms.

5.3.1 Brute-force attacks
According to Jakobsson & Myers (2006), a brute-force attack can be defined as an approach to breaking encrypted data by checking possible encryption keys for the cipher text. Using a brute-force search, the combination can be guessed. With the encryption key, the attacker can decrypt the data from the data repository and gain access. A brute-force attack takes a large amount of processing time and computation power.

5.3.2 Rainbow attacks
As Norbutaite & Jorgensen (2007) confirm, a rainbow attack can be considered a variation of a brute-force attack. According to Jakobsson & Myers (2006), a brute-force attack searches all possible keys for the cipher text, whereas Norbutaite & Jorgensen (2007, p.2) state that a rainbow attack first generates a table of selected possible key combinations, called a rainbow table, and then mounts the attack. Compared with a brute-force attack, rainbow attacks require less computation power and processing time, because only the selected keys are tried in the search.


5.4 Social engineering attacks


5.4.1 Phishing Attacks
According to Jakobsson & Myers (2006), phishing is an attack approach, combined with spoofing, that deceives users in order to steal their sensitive data by faking various services such as e-mails, web sites and telephone calls. Phishing attacks can reach users in various forms, but the most common are e-mails and fake web forms. Phishing attacks can also target a specific user group within an organization. In ubiquitous environments phishing can be a devastating attack type, because attackers can easily create false web pages, e-mails and other lures and obtain users' authentication details. With the authentication details, the attacker has access to a wide range of records of the users' sensitive personal information.


6.0 Security Mechanisms


According to Sastry & Roosta (2008, p.65), security mechanisms are arrangements of methods to secure systems from attackers and protect sensitive data. Security mechanisms in computing can be divided into three core parts:
1. Prevention
2. Detection
3. Survivability

6.1 Prevention
As described by Sastry & Roosta (2008, p.65), prevention is the technique of securing sensitive data by controlling attackers' access to the data. Specifically, prevention can be achieved with cryptography schemes, from encryption ciphers to secure communication channels. Enciphering data with a key-based cryptography algorithm prevents the data from being exposed to unauthenticated parties.

6.2 Detection
Detection means gaining knowledge of, and being alerted to, unusual activities before a system breach takes place. According to Sastry & Roosta (2008, p.65), if an attacker is trying to break into a system, the malicious activity can be detected and reported, or can trigger the security systems.

6.3 Survivability
Survivability means keeping normal activities running while an attack is already under way. Ubiquitous environments require security from all three of the mechanisms mentioned above. Secure ubiquitous designs should pay particular attention to survivability: because human activities depend fundamentally on these ubiquitous systems, the failure of a system will frustrate people. In some scenarios the data on one device even depends on the activities of several other devices, so the failure of one device becomes a failure of a huge ubiquitous ecosystem. The following table describes the attacks at each level of a ubiquitous environment and the security mechanisms against them.

Attacks: Physical Security; Denial-of-Service Attacks; Network eavesdropping; Man in the Middle attacks; Rainbow attacks; Brute-force attacks.
Prevention: Implement security locks. Firewalls and block unnecessary inbound traffic to the network. Use encrypted communication channels, SSID hiding. Use of secure communication channels. Use large key size for the encryption process, salting techniques.
Detection: Security alarms or user authentication. Activity profiling, change point detection. Using precise timing techniques (synchronization between the sender and receiver), Carl et al. (2006). Provide certain locking mechanisms and detect invalid attempts.
Survivability: Perform the normal ubiquitous services.

Table 2 Security mechanisms for various attacks
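Two of the mitigations that Table 2 lists against rainbow and brute-force attacks, salting and locking after invalid attempts, can be combined as follows. This is an added example, not code from the paper: it applies them to stored password verifiers using PBKDF2 from the Python standard library, and the iteration count, failure limit, class name and user name are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for the example; raises the cost of each guess
MAX_FAILURES = 5       # assumed limit of invalid attempts before the account locks


def hash_password(password, salt=None):
    """Derive a verifier with a per-user random salt.

    Because each record has its own salt, one precomputed (rainbow) table
    cannot be reused across users: equal passwords give different digests.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory store (hypothetical) that locks an account after repeated failures."""

    def __init__(self):
        self._records = {}    # user -> (salt, digest)
        self._failures = {}   # user -> consecutive invalid attempts

    def enroll(self, user, password):
        self._records[user] = hash_password(password)
        self._failures[user] = 0

    def verify(self, user, password):
        """Return 'ok', 'denied', 'locked' or 'unknown'."""
        if user not in self._records:
            return "unknown"
        if self._failures[user] >= MAX_FAILURES:
            return "locked"               # detection: invalid attempts exceeded the limit
        salt, stored = self._records[user]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "locked" if self._failures[user] >= MAX_FAILURES else "denied"

    def failures(self, user):
        """Number of consecutive invalid attempts, for alerting."""
        return self._failures.get(user, 0)


if __name__ == "__main__":
    store = CredentialStore()
    store.enroll("alice", "correct horse")           # constructed sample account
    print(store.verify("alice", "correct horse"))    # valid login
    for guess in ["a", "b", "c", "d", "e"]:          # five invalid guesses
        print(guess, store.verify("alice", guess))
    print(store.verify("alice", "correct horse"))    # locked even with the right password
```

A lockout of this kind can itself be abused to deny service to a legitimate user, so the limit has to be weighed against availability.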


7.0 Ethics
According to Greenfield (2004), five major ethical guidelines have been introduced to secure well-being in ubiquitous environments. These guiding principles protect the sensitive user information that is exposed in ubiquitous environments. The proposed ethical principles are as follows:
1. Default to harmlessness. As Greenfield (2004) defines it, a proposed ubiquitous system should always guarantee the users' physical, physiological and financial safety.
2. Be self-disclosing. The system should always disclose the ownership of the device, its full capabilities and which information it will transmit to another device. For example, a device capable of tracking the user's geographical location could, if it is designed unethically, transmit the location details to spying parties.
3. Be conservative of face. As Greenfield (2004) proposes, a ubiquitous system should respect all users and not embarrass, humiliate or shame them.
4. Be conservative of time. Some ubiquitous applications may be tied to critical user activities such as medical activities. These vital activities should not be treated as ordinary operations and must be given full attention.
5. Be deniable. As Greenfield (2004) clarifies, in a proposed ubiquitous system users have the right not to receive product and service information from service providers' marketing campaigns (opt-out). For example, a device that sends service information while the subscriber sleeps will irritate the user.

8.0 Conclusion
Within a few years or a few decades, ubiquitous computing technologies will lead day-to-day human activities, and people will depend on this technological expansion. Without security and ethics, however, ubiquitous computing will not reach its goals. A ubiquitous environment consists of its main components: the devices, the networks that interconnect the devices, and the service providers. By securing each aspect at each level, the entire ubiquitous environment can be secured. Attacks and security harms can be prevented using the security mechanisms of prevention, detection and survivability. The equilibrium of the information security triangle between security, integrity and availability should always be preserved, because without this equilibrium a secure entity cannot be considered a successful system. As for authentication, ubiquitous environments require spontaneous authentication approaches that go beyond biometric authentication methods. Finally, a proper format for ethical guidelines has not yet been standardized, but a strong set of guidelines will further strengthen the security of ubiquitous systems.


References
Arbaugh, W. et al. (2002), Your 802.11 wireless network has no clothes, Wireless Communications, IEEE.
Blaauw, G. & Frederick, B. (1997), Computer Architecture: Concepts and Evolution, Boston: Addison-Wesley Longman Publishing Co., Inc.
Carl, G. et al. (2006), Denial-of-Service Attack-Detection Techniques, Pennsylvania, United States: Pennsylvania State University.
Eriksson, M. (n.d.), An Example of a Man-in-the-middle Attack Against Server Authenticated SSL-sessions, Sweden: Simovits Consulting.
Gellersen, H. & Mayrhofer, R., On the Security of Ultrasound as Out-of-band Channel, UK: Computing Department, Lancaster University.
Greenfield, A. (2004), Some ethical guidelines for user experience in ubiquitous computing, [Online]. Available from: http://www.boxesandarrows.com/view/all_watched_over_by_machines_of_loving_grace_some_ethical_guidelines_for_user_experience_in_ubiquitous_computing_settings_1. [Accessed: 31st of January 2011].
Hole, K. (2008), Denial of Service Attacks, Bergen: Department of Informatics, University of Bergen.
Jakobsson, M. & Myers, S. (2006), Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, Canada: Wiley-Interscience.
Jorgensen, K. H. & Norbutaite, R. (2007), Rainbow attack, Ireland: Dublin City University.
Kang, B. (2007), Ubiquitous Computing Environment Threats and Defensive Measures, Tasmania: School of Computing and Information Systems, University of Tasmania.
Mayrhofer, R. & Gellersen, H. (2007), Shake well before use: Authentication based on Accelerometer Data, UK: Lancaster University.
Mayrhofer, R. & Welch, M. (2007), A Human-Verifiable Authentication Protocol Using Visible Laser Light, UK: Computing Department, Lancaster University.
Mayrhofer, R. (2009), Ubiquitous Computing Security: Authenticating Spontaneous Interactions, Habilitation Colloquium.
Roosta, T. & Sastry, S. (2008), Distributed Reputation System for Tracking Applications in Sensor Networks, California: Department of Electrical Engineering & Computer Science, University of Berkeley.
Stajano, F. (2002), Security for Ubiquitous Computing, USA: John Wiley & Sons, Ltd.
Weiss, R. & Craiger, J. (2002), Ubiquitous Computing, Omaha: University of Nebraska.

Bibliography
Lipasti, M. (n.d.), Role of Ethics in Pervasive Computing Security, Otaniementie: Helsinki University of Technology.
Kanai, G. (2004), Ethics for Ubiquitous Computing, [Online]. November 2004. Available from: http://kanai.net/weblog/archive/2004/11/01/11h03m19s. [Accessed: 30th January 2011].
