The security challenges for mobile ubiquitous services

doi:10.1016/j.istr.2007.05.001

Information Security Technical Report

Volume 12, Issue 3, 2007, Pages 162-171

https://doi.org/10.1016/j.istr.2007.05.001 Get rights and content

Abstract

It is envisaged that in future mobile ubiquitous environments, users will be able to seamlessly, search, access and consume a rich offering of services and content from an array of Service/Content Providers, whilst they are on the move, anytime, anywhere. Unfortunately, this new computing paradigm also brings along new and unique security challenges. Novel security solutions are therefore required. But, in order for appropriate security solutions to be devised, all possible security threats must first be thoroughly analysed, and the corresponding security requirements be identified. In this paper, we examine the security issues germane to a mobile ubiquitous environment. We then suggest some possible solutions which may be employed to address these security issues. Open research issues are also highlighted.

Introduction

The vision of mobile ubiquitous access/service is fast becoming a reality. This can be attributed to advances in various wireless networking access technologies (such as Bluetooth, WiFi, WiMAX, UWB), coupled with the increasing computation and communication capability of mobile devices. Apart from innovations in network technologies and mobile applications, good and sound security solutions are also crucial and critical for widespread adoption of such services.

In the Mobile VCE project on ubiquitous services, it is envisaged that users (via their mobile devices and some network access technologies) are able to seamlessly discover, and access a rich offering of services and content from a wide choice of service and content providers (as shown in Fig. 1).

As can be seen from Fig. 1, there are three key perspectives to a mobile ubiquitous environment, namely: User, Network and Service/Content Provider. This paper aims to address the ubiquitous services security issues arising from these three perspectives. We briefly introduce each of the perspectives in the following sub-sections.

From the User Perspective, the fundamental requirement is a user setup that ensures simplicity and consistent service access. The Internet today comprises widely of diverse heterogeneous networks, with very different and varying capabilities (bandwidth, interface speed, edge-to-edge latency and connection type). Also, the usage of laptops, palmtops and mobiles has increased and so has the variety of operating systems. This has lead to a large diversity in end system capabilities. This diversity, combined with the huge amounts of information and services available via these technologies, results in an undesirable level of complexity. Inevitably, in this new environment, users are more vulnerable to being exposed to a variety of security threats and various forms of attacks. It is therefore imperative that the security and privacy of users are protected and not compromised.

From the Network Perspective, the support for Security, Quality of Service (QoS) and Mobility in various participating networks is a key factor in providing an acceptable level of network performance. Heterogeneity has made the co-operation among “Security, QoS, Mobility Management” a complex issue. A common network framework is thus required to integrate Security, QoS and Mobility functions efficiently. The network components incorporating these functionalities, “Security, QoS, Mobility Management”, are also referred to as ‘enhanced nodes’. For example, in Hierarchical Mobile IPv6, the Mobility Anchor Points (MAPs) can act as enhanced nodes.

From the content and service provider perspective, multiple co-operative networks promise the possibility of a range of new ‘ubiquitous services’, including context-aware services. Particularly, the need for content and service providers to support multimedia applications over a range of eligible access network technologies (including ad hoc), each with its own capabilities represent a key challenge to service delivery. In this perspective, security is also important so as to protect the interests of the Service/Content Provider from malicious users and other adversaries.

Section snippets

A ubiquitous services scenario

We now describe a simple ubiquitous services scenario, showing how, a ubiquitous services user/consumer, Jose, is able to receive some digital content while he is on the move. This scenario serves to illustrate the ubiquitous service security threats and requirements.

The sequences of events are as follows (also depicted in Fig. 2):

•
Liverpool (The Reds) and AC Milan are playing in the finals of the 2007 UEFA Champions League.

Security threats

In this section, we separately identify and examine the security threats from each of the three aforementioned perspectives of a mobile ubiquitous environment, namely, the User Perspective, the Network Perspective, and the Service/Content Provider Perspective. To better illustrate the cause and effect of these security threats, they will also be discussed, whenever possible, in relation to the ubiquitous services scenario described in Section 2.

Security requirements

Based on the threat analysis in Section 3, a corresponding set of ubiquitous services security requirements is derived. We first identify the general security requirements, followed by some specific security requirements for the User and Service provider perspective, and for the Network Perspective.

Trusted Computing

Trusted Computing has some interesting security functionalities which may be used to address some of the aforementioned security issues.

Developed by the Trusted Computing Group⁴ (TCG), Trusted Computing (TC) is a new technology that aims to enhance the security of computing platforms in increasingly ubiquitous and heterogeneous environments. This objective is realised through the incorporation of trusted hardware functionality, by means of a special

Privacy preserving (anonymous) authentication

Authentication is an important security requirement, which conventionally requires the identity of a user (or some other identifying information) to be authenticated to a verifier. On the other hand, users and consumers are becoming increasingly concerned about their privacy (Berendt et al., 2005), and the risks (such as identity theft) of leaving any form of digital trail, when making electronic transactions. Hence, given a choice, users may well prefer to interact with service providers

Conclusion

>In the context of a mobile ubiquitous environment, we studied various security threats that are posed to the User, Network, and Service/Content Provider. We also identified a set of security requirements to mitigate these threats. We then suggested some possible solutions, followed by a discussion on the various open issues that are not adequately addressed by current solutions.

The work in this paper showed that many of the security threats in the ubiquitous environment can occur in more than

Acknowledgment

The work reported in this paper has formed part of the Ubiquitous Services Core Research Programme of the Virtual Centre of Excellence in Mobile & Personal Communications, Mobile VCE, www.mobilevce.com. This research has been funded by the DTI-led Technology Programme and by the Industrial Companies who are members of Mobile VCE. Fully detailed technical reports on this research are available to Industrial Members of Mobile VCE.

References (31)

Arkko J, Devarapalli V, Dupont F. Using IPSec to protect Mobile IPv6 signaling between mobile nodes and home agents....
B. Balacheff et al.
Trusted computing platforms: TCPA technology in context
(2003)
Baugher M, Canetti R, Dondeti L, Lindholm F. Multicast Security (MSEC) group key management architecture. RFC 4046;...
B. Berendt et al.
Privacy in e-commerce: stated preferences vs. actual behaviour
Commun. ACM
(2005)
Calhoun P, Loughney J, Guttman E, Zorn G, Arkko J. Diameter base protocol. RFC 3588; Sep....
De Laat C, Gross G, Gommans L, Vollbrecht J, Spence D. Generic AAA architecture. RFC 2903; Aug....
Devarapalli V, Dupont F. Mobile IPv6 operation with IKEv2 and the revised IPSec architecture. RFC 4877; April...
P. Engelstad et al.
Authenticated access for IPv6 supported mobility
Hardjono T, Weis B. The multicast group security architecture. RFC 3740; Mar....
Hoffman P. Cryptographic suites for IPsec. RFC 4308; Dec....

Holbrook H, Cain B. Source-specific multicast for IP. RFC 4607; Aug....

Hyun-Sun Kang et al.

A key management scheme for secure Mobile IP registration based on AAA protocol

IEICE Trans. Fund.

(June 2006)

Karygiannis T, Owens L. Wireless network security: 802.11, bluetooth and handheld devices. In: National institute of...

Kaufman C. Internet Key Exchange (IKEv2) protocol. RFC 4306; Dec....

Kent S. IP Encapsulating Security Payload (ESP). RFC 4303; Dec....

Cited by (23)

Efficient management of security for supporting intrusion detection in ubiquitous and pervasive environments
2019, Procedia Computer Science
Intrusion Detection Systems (IDS) has already been proven to overcome intrusion problems in classical and traditional environments. However, with the new requirements to improve ubiquitous technologies, security problems are becoming more complex and harder to solve. Hence, to face these requirements introduced by ubiquitous computing, new motivations and challenges have been raised, conducting to new research issues, which need appropriate and adequate responses and solutions. In this paper, we tackle intrusion detection problems in Ubicomp- ubiquitous environment from different relevant perspectives. The new intrusion detection approach proposed is based on a dual protection mechanism for preventing inside and outside intrusion of a ubiquitous network. The approach is validated using a set simulations allowing to demonstrate the effectiveness, the feasibility and applicability of the proposed system in detecting intrusive activities.
Playing with multiple wearable devices: Exploring the influence of display, motion and gender
2015, Computers in Human Behavior
Citation Excerpt :
Jeong and Fishbein (2007) identify information processing and enjoyment experience as two types of needs in the context of media multitasking. Leung, Sheng, and Cruickshank (2007) summarize four types of needs in the context of user-generated content on the Internet: cognitive needs, social needs, recognition needs and entertainment needs. Zhang and Zhang (2012) focus on the scenario of multitasking with computers and provide a summary of three groups of needs: convenient/easy/instant; control/habitual; and social/affective/relaxation.
In order to explore the influence of display, motion and gender on the human computer interaction with wearable devices, we recruited participants to wear a smart watch and a smart bracelet to complete tasks including exercise, operating the smart watch and managing fitness information via the smart bracelet. The results showed that females’ needs of information acquisition and emotional experience were more gratified compared with males’ needs in the experiment, and interacting with wearable devices while jogging increased users’ cognitive workload and perceived difficulty and decreased users’ level of flow experience compared with interacting while walking. Despite the superiority of the bracelet with a screen, indicated by the results, it is worth noting that displaying information on a mobile app has a good chance of improving the usage experience of the bracelet without a screen.
Survey on mobile user's data privacy threats and defense mechanisms
2015, Procedia Computer Science
Nowadays, mobile devices have become an integral part of our daily life. These have proven to be an advantageous scientific invention that fillspersonal and business needs in a very efficient manner. In this era, the availability of mobile services has significantly increasedbecause of the rich variety of mobile devices and essential applications provided by mobile device manufacturers. At the same time, numerous mobile security issues and data privacy threats are challenging both manufacturers and users. Therefore, mobile devices are an ideal target for various security issues and data privacy threats in a mobile ecosystem. In this paper, we provide a brief survey of the security challenges, threats, and vulnerabilities of amobile ecosystem. Furthermore, we discussed some key points required to ensure mobile security and defend against data privacy threats. The emphasis of the discussion is, strong protection and the restriction of malicious activity at theapplication developer end, application stores end, and operating system and mobile device manufactures end bypreventing the user from usingnon-recommended applications (which may be malicious) and consideringbiometric features for the authentication of real users in the mobile devices. Alsobriefly discussing the defense mechanismsthat are considered to bea relatively better approach for securing personal and business related data or information in the mobile devices.
Prevention of wormhole attacks in mobile commerce based on non-infrastructure wireless networks
2011, Electronic Commerce Research and Applications
Citation Excerpt :
It is clear that traditional security techniques cannot be directly applied to the mobile commerce system (Galanxhi-Janaqi and Nah 2004). Therefore, several mechanisms have been developed to satisfy vital security requirements for mobile commerce (Kadhiwal and Zulfiquar 2007, Leung et al. 2007), such as authentication, authorization, availability, confidentiality, integrity, and non-repudiation (Lin and Chang 2007, Hwang et al. 2007, Hassinen et al. 2008). Several studies (Hu et al. 2003, 2005, 2006; A´cs et al. 2006; Nait-Abdesselam et al. 2008; Burmester and Medeiros 2009) have dealt with the serious danger posed by the wormhole attack, which is aimed at damaging the routing function of wireless networks, especially non-infrastructure wireless networks.
A number of studies have made progress towards satisfying the vital security requirements of mobile commerce, including identifying and resolving most of the possible flaws. However, recent studies have asserted that a particular attack, called the wormhole attack, can seriously impair the routing protocol. This vulnerability exists in a wireless system and may also exist in ad hoc commerce systems. Although many attempts have been made to confront wormhole attacks in the field of wireless communications, the available solutions are still inadequate and need to be improved. For example, Ariadne-based methods have been confronted with the new insider attacks, but to date the vulnerability has not been fixed. Moreover, those solutions are not tailor-made for a mobile commerce environment. This paper identifies a possible new threat from wormhole attacks in an ad hoc mobile commerce environment and proposes an approach for handling this type of attacks in a way that is not impacted by the new problems facing Ariadne and endairA. Based on cryptographic theory, the proposed method that we discuss can nullify wormhole attacks coming from both the outside involving non-authorized and non-authenticated identities, and the inside for authorized and authenticated identities. The main features of our solution are: (1) in the routing request process, heavy computation can be parallelized among powerful servers; and (2) in the routing reply process, not every source node decrypts all the ciphertext transmitted by intermediate nodes and not every intermediate node needs to execute cryptographic computations. Through theoretical analysis, our approach is shown to be suitable for the mobile commerce environment, and more efficient and robust than Ariadne.
Multitasking with Intelligent Assistant: Effects of Task Relevance and Interruption Mode
2022, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Users’ attitude on perceived security of enterprise systems mobility: an empirical study
2021, Information and Computer Security

View all citing articles on Scopus

¹: This author is supported by the British Chevening/Royal Holloway Scholarship.

View full text