Biblio

Over the last decade, a technology called Internet of Things (IoT) has been evolving at a rapid pace. It enables the development of endless applications in view of availability of affordable components which provide smart ecosystems. The IoT devices are constrained devices which are connected to the internet and perform sensing tasks. Each device is identified by their unique address and also makes use of the Constrained Application Protocol (CoAP) as one of the main web transfer protocols. It is an application layer protocol which does not maintain secure channels to transfer information. For authentication and end-to-end security, Datagram Transport Layer Security (DTLS) is one of the possible approaches to boost the security aspect of CoAP, in addition to which there are many suggested ways to protect the transmission of sensitive information. CoAP uses DTLS as a secure protocol and UDP as a transfer protocol. Therefore, the attacks on UDP or DTLS could be assigned as a CoAP attack. An attack on DTLS could possibly be launched in a single session and a strong authentication mechanism is needed. Man-In-The-Middle attack is one the peak security issues in CoAP as cited by Request For Comments(RFC) 7252, which encompasses attacks like Sniffing, Spoofing, Denial of Service (DoS), Hijacking, Cross-Protocol attacks and other attacks including Replay attacks and Relay attacks. In this work, a client-server architecture is setup, whose end devices communicate using CoAP. Also, a proxy system was installed across the client side to launch an active interception between the client and the server. The work will further be enhanced to provide solutions to mitigate these attacks.

Traditional countermeasures to relay attacks are difficult to implement on mobile devices due to hardware limitations. Establishing proximity of a payment device and terminal is the central notion of most relay attack countermeasures, and mobile devices offer new and exciting possibilities in this area of research. One such possibility is the use of on-board sensors to measure ambient data at both the payment device and terminal, with a comparison made to ascertain whether the device and terminal are in close proximity. This project focuses on the iPhone, specifically the iPhone 6S, and the potential use of its sensors to both establish proximity to a payment terminal and protect Apple Pay against relay attacks. The iPhone contains 12 sensors in total, but constraints introduced by payment schemes mean only 5 were deemed suitable to be used for this study. A series of mock transactions and relay attack attempts are enacted using an iOS application written specifically for this study. Sensor data is recorded, and then analysed to ascertain its accuracy and suitability for both proximity detection and relay attack countermeasures.

In the field of smartphones a number of proposals suggest that sensing the ambient environment can act as an effective anti-relay mechanism. However, existing literature is not compliant with industry standards (e.g. EMV and ITSO) that require transactions to complete within a certain time-frame (e.g. 500ms in the case of EMV contactless payments). In previous work the generation of an artificial ambient environment (AAE), and especially the use of infrared light as an AAE actuator was shown to have high success rate in relay attacks detection. In this paper we investigate the application of infrared as a relay attack detection technique in various scenarios, namely, contactless transactions (mobile payments, transportation ticketing, and physical access control), and continuous Two-Factor Authentication. Operating requirements and architectures are proposed for each scenario, while taking into account industry imposed performance requirements, where applicable. Protocols for integrating the solution into the aforementioned scenarios are being proposed, and formally verified. The impact on the performance is assessed through practical implementation. Proposed protocols are verified using Scyther, a formal mechanical verification tool. Finally, additional scenarios, in which this technique can be applied to prevent relay or other types of attacks, are discussed.