Security of Emerging Connected Systems

This document is for Coventry University students for their own use in completing their
assessed work for this module and should not be passed to third parties or posted on any
website. Any infringements of this rule should be reported to
[email protected].
Faculty of Engineering, Environment and Computing
7026CEM – Security of Emerging Connected
Systems
Assignment Brief

Module Title Security of Emerging Connected Systems	Individual	Cohort 2122JANMAY	Module Code 7026CEM
Coursework Title – Coursework 2 IoT systems design and security evaluation.	Hand out date: 19th Nov 2022
Lecturer Dr. Basil Elmasri	Due date and time: 5th Dec 2022 18:00 UK time.
Estimated Time (hrs): 25 – 30. Word Limit*: 2500, not including appendices, logs, screenshots, PoC code, etc.	Coursework type: Report	This assessment is worth 10 credits
Submission arrangement online: File types and method of recording: docx only. Mark and Feedback date: 10th Jan 2023. Mark and Feedback method: TurnItIn/Aula online grading and feedback.

Module Learning Outcomes Assessed:
3. Propose and implement effective ‘defence-in-depth’ solutions to mitigate
the key technical internet security vulnerabilities that organisations face.
4. Design and implement secure private networks for IoT and Bring Your
Own Device (BYOD).
5. Discuss and debate a wide range of current research and technological
advances in network security.

VERY IMPORTANT NOTES

A zipped file named “domus.zip” is necessary for CW2. You MUST create
a folder in the VM desktop, name it exactly “<first_name> <last_name>-
<ID>”, unzip and place the domus.zip inside the folder you created, the
unzipped folder MUST be the same name, i.e., domus. In each interaction
with the command line that you screenshot, you MUST show this folder
path. Screenshots MUST be clear and easy to read.

For example, if your first name is “Alice” your last name is “Bob”, and your
ID is “123456”, then the folder’s name on the desktop is:

“Alice Bob-123456”

Full path to the given system MUST include:

…/Alice Bob-123456/domus

Task and Mark distribution:
You are given access to an IoT environment named “domus”, representing
a home owned by early adopters in the current move to “smart homes”. The
devices are all from a single manufacturer and you are required to evaluate
the security aspects of the system before marketing and sale of the devices.
You will be given access to a testbed network to perform a practical security
audit as well as associated documentation for review.
There are three pieces in CW2, you MUST do all of them, more details will
follow later in this document:
1. Writing an instruction document or manual to a junior about the
analysis of ALL possible issues or vulnerabilities in the system. (60%).
2. Adding a sensor to the system. (20%).
3. Listing some information related to the system. (10%).
And the report style is (10%). This will be a total of 100%.
Piece 1 – Task Breakdown (60%):
1. Write a report, in a form of tutorial, manual, or instruction book, which
shows how to perform security analysis of domus, to a computer
science or cyber security junior specialist. The report must have detailed
steps of “white-box” analysis.
2. This report should show the junior specialist how to execute the system,
perform detailed security review, examining the given files and
materials, and proposing the technical solutions.
3. The junior specialist must see a detailed demonstration of a proof-of
concept (PoC) attack. Making sure considering more than just direct
attacks on the devices. Also considering what information is exposed
about the consumer. As part of your document, you should also explain

to the junior specialist, the reasons why they need to do each particular
step in the security analysis, and if appropriate, why they need to do the
steps in a particular order.
4. The report must be written to be a guideline and a tutorial article rather
than just a security analysis report of domus (which might be a failure in
this piece in CW2), as well as guiding the junior specialist how to write
such review report. However, if the manufacture or the developer of
domus reads the report, then they should be able to look at it as if it was
a security review of the system, which points out in details the
vulnerabilities and technical recommendations about the vulnerabilities.
• The “domus” zipped file is a collection of docker build scripts and
Makefiles.
• Although you have access to the non-live versions of the systems, their
Dockerfiles, Makefiles and so on, this does not count as a vulnerability.
This is just the mechanism by which you gain access to the virtualised
IoT environment.
o You can, however, examine all these files to see if there might be
vulnerabilities or security flaws you can demonstrate in the running
system.
o This is the equivalent of having the source code for the IoT systems
and being able to review the code, making this a “white box” test.
Domus system
The “domus” system is comprised of:
• An MQTT server that coordinates internal messaging and provides a
web front-end for the user
• A Database server that stores local information, settings and so on
• A number of devices within the system.
o a temperature sensor
o a heating system
o a light sensor
All the services are containerised to minimise platform dependency. For the
purposes of this coursework, you can assume that the underlying platform
is secure unless the container itself is compromised. You will be given a
separate container for each of the services, and they will function in “virtual
mode” while not on actual hardware.
You are also provided with a document describing the design of the
infrastructure outside of the containers. You must include this in your
assessment, but rather than look for vulnerabilities in the implementation
for this part, you must assess the design decisions presented.
Piece 2 – Task Breakdown (20%):
Another sensor is available to be added to the domus system. A partially
prepared set of files has been made available, where you must configure it
in order to make work properly with the rest of the domus system.

You must make sure that the sensor FULLY interacts properly with the rest
of the system.
You should produce either
or
Piece 3 – Task Breakdown (10%):
You MUST discover and report the following information related to the
system:
1. All IP addresses of EVERY entity in the system, including the added
sensor.
2. One of vulnerabilities has detailed leaked information of the users of
the “domus” system. You must list them all in your report.
Report (10%):
A report suitable for both technical staff and non-technical management; the
style/structure of the report, and the use of language and grammar. Use
proper way of citations, check Coventry University’s guide on writing. Style
recommendations:
o Use 3rd person and passive voice rather than 1st and 2nd person.
o Use MS Word with Arial /Sans Serif font or Times New Roman, size
12, and 1.15 line spacing.
o Paragraphs are left alignment or justified.
o Acronyms should be capitalised, explained, and added to a table of
acronyms at the beginning of the report.
o Figures, tables, and graphs should be captioned and added to list of
figures, tables, and graphs.
o Add a table of contents at the beginning of the report.
o Avoid using American English and use British English.
o Wikipedia must not be used as a reference, through it can be used as
a key point or a start for reading and gaining knowledge, with checking
the right references.

Marking scheme and criteria next page…

– a detailed technical design of how the sensor should be implemented
and tested to show that it works with the rest of the system,
– for additional marks, fully implement and test your design. You must
discuss any security concerns and vulnerabilities in the added sensor.

Criteria	Security analysis	sensor	info	Report
Thorough security review	Linking the sensor to domus	Listing related information	Report structure.
Weight	40%	40%	10%	10%
0 ≤ Fail < 40	No security issues were discussed. Or general information about IoT and security.	No sensor was attached. Or no evidence of showing that the sensor is interacting with the domus system.	No or listing only a couple of information	– Poor grammar – INCORRECT citation and referencing… etc. – Blurred or unclear screenshots.
40 ≤ Bare Pass < 50	Some security issues identified. Instructions for the junior specialist are not clear and not all the implications are described	Very basic way of running the extra sensor, such successful general attachment but most components are not working like other sensors. suggested solutions.	Listing only a small number of IP addresses and a small amount of the leaked PII.	– Poorly presented but complete report. – Report way more than the word limit
50 ≤ Pass <60	Fairly good coverage of issues, with evidence of the processes of scanning and discovery included. Junior specialist would be able to follow the instructions, but with difficulty in some cases	Most of the components of the sensor are working, such compiling and initial running. Adding technical suggestions, without testing any implementation.	Listing some IP addresses and some leaked PII.	Well-presented report, with structure, but presented mostly as a record of what stapes you undertook rather than a guide for the junior specialist to follow.
60 ≤ Merit <70	Good coverage of security issues, well described and repeatable work. Clear instructions for the junior specialist and reasonable rationale behind the steps taken.	The sensor does FULLY interact properly with the rest of the system. Extra marks for a successful tested implementation.	Listing most IP addresses and most leaked PII. Or listing either all of one part, and some of the other part.	Report has clear structure and is suitable for a technical person and junior specialist to read
70 ≤ Distinction ≤100	Clear set of instructions that also acts as a clear statement of the issues for the management. The reasoning behind the steps taken and their order is explained well and covers all potential issues.	The sensor does FULLY interact properly with the rest of the system. Details discussion of any security concerns and vulnerabilities of the sensor, as well as any added implemented features or suggestions.	Listing all information; IP addresses and all leaked PII.	Report is well structured, with thought given to multiple readers: junior specialist, management, technical leadership, and implementation technician.

Notes:
1. You are expected to use the Coventry University APA style for
referencing. For support and advice on this students can contact Centre
for Academic Writing (CAW).
2. Please notify your registry course support team and module leader for
disability support.
3. Any student requiring an extension or deferral should follow the
university process as outlined here.
4. The University cannot take responsibility for any coursework lost or
corrupted on disks, laptops or personal computer. Students should
therefore regularly back-up any work and are advised to save it on the
University system.
5. If there are technical or performance issues that prevent submitting
coursework through the online coursework submission system on the
day of a coursework deadline, an appropriate extension to the
coursework submission deadline will be agreed. This extension will
normally be 24 hours or the next working day if the deadline falls on a
Friday or over the weekend period. This will be communicated via your
Module Leader.
6. Assignments that are more than 10% over the word limit will result in a
deduction of 10% of the mark i.e. a mark of 60% will lead to a reduction
of 6% to 54%. The word limit includes quotations, but excludes the
bibliography, reference list and tables.
7. You are encouraged to check the originality of your work by using the
draft Turnitin links on Aula.
8. Collusion between students (where sections of your work are similar to
the work submitted by other students in this or previous module cohorts)
is taken extremely seriously and will be reported to the academic conduct
panel. This applies to both courseworks and exam answers.
9. A marked difference between your writing style, knowledge and skill level
demonstrated in class discussion, any test conditions and that
demonstrated in a coursework assignment may result in you having to
undertake a Viva Voce in order to prove the coursework assignment is
entirely your own work.
10. If you make use of the services of a proof reader in your work you must
keep your original version and make it available as a demonstration of
your written efforts. Also, please read the university Proof Reading
Policy.
11. You must not submit work for assessment that you have already
submitted (partially or in full), either for your current course or for another
qualification of this university, with the exception of resits, where for the
coursework, you maybe asked to rework and improve a previous
attempt. This requirement will be specifically detailed in your
assignment brief or specific course or module information. Where earlier
work by you is citable, i.e. it has already been published/submitted, you
must reference it clearly. Identical pieces of work submitted concurrently
may also be considered to be self-plagiarism.

This document is for Coventry University students for their own use in completing their
assessed work for this module and should not be passed to third parties or posted on any
website. Any infringements of this rule should be reported to
[email protected].
Mark allocation guidelines are given in the attached coursework brief.