(SEM V) THEORY EXAMINATION 2024-25 PRIVACY AND SECURITY IN IOT
Subject Code: BCIT056
Maximum Marks: 70
Time: 3 Hours
Paper ID: 310324
Question Paper Overview
SECTION A (2 × 7 = 14 Marks)
(Short-answer conceptual questions)
a. Describe the specific attacks unique to IoT systems.
b. How does transport encryption complement secrecy and secret-key capacity in secure communication?
c. How does hashing ensure data integrity in resource-constrained environments?
d. How do cryptographic primitives enable secure communication in IoT?
e. Analyze the challenges of managing authentication credentials in IoT ecosystems.
f. What are the key privacy concerns in IoT data dissemination?
g. How can edge computing complement cloud security in IoT ecosystems?
SECTION B (Attempt any three × 7 = 21 Marks)
a. What are the core security requirements for IoT architecture, and how do they differ across enabling technologies and IoT applications?
b. Discuss the challenges of key management in IoT environments. How do lightweight key management solutions enhance system security?
c. Describe the identity lifecycle in IoT systems and how it ensures secure device onboarding and decommissioning.
d. Discuss the trade-offs between privacy protection and system performance in IoT environments. Provide examples of robust privacy schemes.
e. Discuss the implications of data sovereignty and compliance requirements in cloud-enabled IoT systems.
SECTION C (Attempt one part from each question × 7 = 35 Marks)
Q3
(a) What are the primary barriers to implementing robust access control in IoT, and how can emerging technologies address these challenges?
OR
(b) Using attack and fault trees, evaluate a real-world IoT application to identify potential threats and propose mitigation strategies.
Q4
(a) Analyze the role of random number generation in IoT cryptography. How does it impact the overall security of cryptographic protocols?
OR
(b) How do cryptographic techniques balance security and performance in IoT systems with constrained computational resources?
Q5
(a) How does the concept of least privilege apply to IoT access control? Provide examples of its implementation.
OR
(b) Evaluate the effectiveness of different access control models in IoT systems. Which model is most suitable for a highly dynamic IoT environment?
Q6
(a) How do self-organizing IoT devices ensure security and trust without centralized control? Discuss potential vulnerabilities.
OR
(b) Discuss the importance of transparency in IoT trust models. How does it influence user confidence and system adoption?
Q7
(a) How do cloud service offerings enhance IoT capabilities? Discuss the security implications of integrating IoT with cloud services.
OR
(b) How do cloud service providers address the unique security needs of IoT applications? Provide examples of specific offerings.
Key Topics for Revision
1. IoT Security Challenges
Unique Threats:
Physical tampering
Man-in-the-middle (MITM) attacks
Device impersonation
Botnets (e.g., Mirai)
Side-channel attacks
Firmware manipulation
Constraints: Limited CPU, memory, and energy make traditional security models unsuitable.
2. Cryptographic Primitives
Hashing: Ensures data integrity by generating unique digests (SHA-256, SHA-3).
Symmetric encryption: AES, lightweight ciphers (SPECK, PRESENT).
Asymmetric encryption: ECC preferred over RSA for low-power IoT.
Transport Encryption: TLS/DTLS ensures confidentiality over insecure networks.
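The following Python example is added to these notes (it is not part of the question paper) to show the difference between the two integrity mechanisms a SECTION A answer should distinguish: a plain SHA-256 digest detects accidental corruption, while an HMAC keyed with a shared device/gateway secret also detects deliberate modification, because an attacker who rewrites the message cannot recompute the tag without the key. The sensor reading and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a JSON reading a sensor reports to its gateway.
SAMPLE_READING = b'{"device":"sensor-17","temp_c":21.5,"seq":42}'


def sha256_digest(data: bytes) -> str:
    """Plain SHA-256 digest as a hex string (integrity against accidental change)."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Any changed byte yields a different digest, so corruption is detected."""
    return hmac.compare_digest(sha256_digest(data), expected_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the shared key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic_ok(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed shared device/gateway key
    digest = sha256_digest(SAMPLE_READING)
    tag = hmac_tag(key, SAMPLE_READING)
    tampered = SAMPLE_READING.replace(b"21.5", b"99.0")
    return {
        # A plain hash catches the tampered reading against the stored digest...
        "plain_hash_detects_tamper": not integrity_ok(tampered, digest),
        # ...but whoever rewrites the message can simply recompute a plain hash.
        "plain_hash_forgeable": integrity_ok(tampered, sha256_digest(tampered)),
        # The keyed tag still fails for the tampered reading...
        "hmac_detects_tamper": not authentic_ok(key, tampered, tag),
        # ...and a tag recomputed under a wrong key does not verify either.
        "hmac_unforgeable_without_key": not authentic_ok(
            key, tampered, hmac_tag(b"wrong-key", tampered)
        ),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

On a constrained device, the HMAC costs little more than the hash itself (two extra compression-function calls), which is why keyed digests rather than bare hashes are the usual choice for message integrity in IoT protocols.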
3. Key Management in IoT
Challenges: Device heterogeneity, large-scale deployment, limited processing power.
Solutions:
Lightweight protocols (Elliptic Curve Diffie–Hellman).
Pre-shared keys (PSK).
Group key management.
Blockchain-based key distribution.
4. Identity and Authentication
Identity Lifecycle:
Onboarding → secure registration of the device.
Operation → authenticated communication.
Decommissioning → revoke keys, erase data.
Techniques: X.509 certificates, mutual authentication, OAuth 2.0.
5. Privacy Protection vs System Performance
Trade-offs:
Strong encryption improves privacy but increases latency/power usage.
Edge AI enables local processing, minimizing the data that must leave the device.
Schemes: Differential privacy, homomorphic encryption, federated learning.
6. Data Sovereignty & Compliance
Definition: Legal control over data stored/transferred across borders.
Regulations: GDPR (EU), CCPA (USA), India’s DPDP Act 2023.
Challenge: Ensuring compliance in global IoT-cloud systems.
7. Access Control in IoT
Barriers:
Dynamic device environments.
Weak authentication.
Resource limitations.
Models:
RBAC (Role-Based)
ABAC (Attribute-Based)
CapBAC (Capability-Based) → most flexible for IoT.
Least Privilege Principle: Devices get minimum required permissions only.
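The Python example below is added to these notes (it is not from the question paper) to show capability-based access control and least privilege together: an issuer mints a capability token that names exactly one subject, one resource, one set of actions and an expiry, and the resource owner verifies the token's HMAC before checking scope. The device id, resource name and issuer key are constructed values; a real deployment would keep the issuer key on the authorization server or gateway, not on the constrained device.

```python
import hashlib
import hmac
import json

# Constructed issuer key (hypothetical; never embed a real key like this).
ISSUER_KEY = b"constructed-issuer-key-not-for-production"


def _mac(claims: dict) -> str:
    """Bind the claims to the issuer: canonical JSON, then HMAC-SHA256."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue_capability(subject: str, resource: str, actions, ttl_s: int, now: float) -> dict:
    """Mint a capability granting exactly `actions` on one resource for ttl_s seconds.

    Least privilege: the token carries the minimum set of actions the device needs,
    not a role that implies more.
    """
    claims = {"sub": subject, "res": resource, "act": sorted(set(actions)), "exp": now + ttl_s}
    return {**claims, "mac": _mac(claims)}


def authorize(token: dict, subject: str, resource: str, action: str, now: float) -> bool:
    """Enforcement point on the resource owner: verify the MAC, then scope and expiry."""
    claims = {k: v for k, v in token.items() if k != "mac"}
    if not hmac.compare_digest(_mac(claims), token.get("mac", "")):
        return False                        # forged or client-edited token
    if now >= claims["exp"]:
        return False                        # expired capability must be re-issued
    return (
        claims["sub"] == subject
        and claims["res"] == resource
        and action in claims["act"]
    )


def demo() -> dict:
    t0 = 1_700_000_000.0                    # constructed "now" timestamp
    cap = issue_capability("thermostat-42", "room/12/temperature", {"read"}, 600, t0)
    escalated = dict(cap, act=["read", "write"])   # client tries to widen its own token
    return {
        "read_allowed": authorize(cap, "thermostat-42", "room/12/temperature", "read", t0 + 10),
        "write_denied": not authorize(cap, "thermostat-42", "room/12/temperature", "write", t0 + 10),
        "other_resource_denied": not authorize(cap, "thermostat-42", "room/12/lock", "read", t0 + 10),
        "expired_denied": not authorize(cap, "thermostat-42", "room/12/temperature", "read", t0 + 601),
        "tampered_denied": not authorize(escalated, "thermostat-42", "room/12/temperature", "write", t0 + 10),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check on the resource owner is a single MAC plus a few comparisons, which is why CapBAC suits constrained devices: no role database or policy engine is needed at the enforcement point, and the short expiry bounds the damage if a token leaks.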
8. Random Number Generation
Importance: Used in key generation, nonces, session tokens.
Weak RNG → predictable keys.
Solutions: Hardware RNGs, entropy harvesting, hybrid RNG algorithms.
9. Self-Organizing IoT Security
Mechanisms: Peer-to-peer trust, distributed consensus, local verification.
Vulnerabilities: Sybil attacks, malicious peer injection.
Solution: Blockchain or DLT-based distributed trust.
10. Transparency and Trust Models
Transparency builds user confidence by exposing how data is processed and shared.
Trust Models: Reputation-based, certificate-based, blockchain-based.
Example: Smart city devices use transparent data-sharing logs for auditing.
11. Cloud–IoT Integration
Advantages: Scalability, remote monitoring, AI analytics.
Risks: Data leakage, API vulnerabilities, misconfigurations.
Secure Solutions:
End-to-end encryption.
IAM (Identity and Access Management).
Cloud service models (AWS IoT Core, Azure IoT Hub, Google IoT Core).
12. Attack & Fault Trees
Attack Tree: Hierarchical diagram showing possible ways to exploit a system.
Fault Tree: Shows failures leading to system compromise.
Used to identify vulnerabilities and design countermeasures (e.g., IoT Smart Lock threats).
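The Python example below is added to these notes (it is not from the question paper) to show how an attack tree is evaluated once it is drawn, which is the second half of Q3(b): inner nodes are AND/OR gates, leaves carry an estimated attacker effort, and the cheapest path through the tree tells the designer which mitigation buys the most. The smart-lock tree and its effort values are constructed for illustration; the same AND/OR evaluation applies to a fault tree if leaf values are failure probabilities instead of costs.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: Optional[str] = None                  # "AND" / "OR" for inner nodes, None for leaves
    cost: float = math.inf                      # leaf only: estimated attacker effort (constructed units)
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> Tuple[float, List[str]]:
    """Return (cheapest attacker cost, leaf names on that path) for the subtree.

    AND: every child is required, so costs add.  OR: any child suffices, so the
    cheapest child wins.  A leaf with cost inf is one a mitigation has closed.
    """
    if node.gate is None:
        return node.cost, [node.name]
    results = [evaluate(child) for child in node.children]
    if node.gate == "AND":
        total = sum(cost for cost, _ in results)
        return total, [leaf for _, path in results for leaf in path]
    return min(results, key=lambda r: r[0])


def find(node: Node, name: str) -> Optional[Node]:
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def mitigate(tree: Node, leaf_name: str, new_cost: float) -> None:
    """Model a countermeasure as raising a leaf's effort (inf = attack path closed)."""
    leaf = find(tree, leaf_name)
    if leaf is None or leaf.gate is not None:
        raise KeyError(f"no leaf named {leaf_name!r}")
    leaf.cost = new_cost


def smart_lock_tree() -> Node:
    """Constructed example tree for a smart lock (threat categories from the notes)."""
    return Node("Unlock door without authorization", "OR", children=[
        Node("Abuse factory-default credentials", cost=1),
        Node("Forge an unlock command", "AND", children=[
            Node("Observe wireless traffic", cost=2),
            Node("Replay it (no freshness check)", cost=1),
        ]),
        Node("Physically bypass the lock", cost=8),
    ])


if __name__ == "__main__":
    tree = smart_lock_tree()
    print("baseline:", evaluate(tree))
    mitigate(tree, "Abuse factory-default credentials", 7)     # unique credentials at onboarding
    print("after credential rotation:", evaluate(tree))
    mitigate(tree, "Replay it (no freshness check)", math.inf) # nonce/timestamp in protocol
    print("after freshness check:", evaluate(tree))
```

Reading the output the way a reviewer would: at baseline the cheapest path is the default credential, so per-device credentials at onboarding are the first mitigation; once that is done the replay branch becomes the cheapest, and adding a nonce or timestamp closes it, leaving only the physical path. Re-evaluating after each change is what turns the diagram into a prioritized mitigation plan.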
Key Terms Summary
| Term | Meaning |
|---|---|
| Secrecy | Preventing unauthorized data access. |
| Integrity | Ensuring data isn’t modified. |
| Availability | Guaranteeing access when needed. |
| Non-repudiation | Preventing a party from denying its actions. |
| Authentication | Verifying device or user identity. |
| Authorization | Defining what operations are allowed. |
Exam Preparation Tips
Prepare definitions + real-world examples (Smart Home, Industrial IoT, Healthcare).
Draw diagrams for access control models, attack trees, and IoT architecture layers.
Highlight standards: TLS/DTLS, MQTT over TLS, CoAP with OSCORE, ECC.
Focus on trade-off analysis (privacy vs performance, edge vs cloud).