Security & Privacy in Smart Cities and Industrial IoT / Marco Rasori. - (2020).

Security & Privacy in Smart Cities and Industrial IoT

Marco Rasori
2020

Abstract

Internet of Things (IoT) technology is now widespread and is indisputably changing our lives. As this technology advances, new security and privacy challenges must be faced. The limitations imposed by the resource-constrained devices used in IoT applications play a crucial role and often determine the research directions. This dissertation addresses security problems related to the two main branches of the IoT, namely smart cities and industrial IoT. IoT applications usually rely on input data coming either from the provider's smart devices or from end users' devices, as in mobile participatory sensing. In the latter case, the infrastructure rests on data reported by participants. This paradigm, however, introduces new security problems related to the trustworthiness of the reported data, which might be inaccurate or even counterfeit. Conversely, if the data is sensed by trusted devices, data trustworthiness is not a concern as long as other security properties, e.g., authentication and integrity, are guaranteed. Depending on the scenario, the sensed data can be transmitted directly to the users or stored on cloud servers. Oftentimes, sensed data includes sensitive or valuable information which is intended to be read only by authorized users. If data is stored on the cloud, the owner loses all control over it, and an attack that leads to data disclosure could represent a significant financial loss for the data owner or a serious privacy violation for the users. In this dissertation we propose novel solutions to the aforementioned problems. False-measurement reports could be tackled by having a set of trusted verifiers that check the same measurement. If the measurement cannot be checked directly, the verifiers could at least check the participant's position as an indirect proof. To this end, we propose an effective and secure location verification solution which uses a swarm of a few drones equipped only with common radio-frequency transceivers, e.g., WiFi.
Secondly, we propose the use of Attribute-Based Encryption (ABE) in IoT scenarios to protect the data from unauthorized access. We propose ABE-Cities, a secure scheme for smart cities which implements a publish/subscribe-like application in which the data is outsourced to a semi-trusted cloud server. Since ABE encryption might be burdensome for a range of resource-constrained devices, in ABE-Cities the sensing devices execute only symmetric-key algorithms. Moreover, ABE-Cities leverages the peculiarities of a smart city in order to reduce the complexity of the key revocation operation, which is the most onerous one in ABE systems. In addition, we extend an existing ABE revocation scheme by providing additional security that limits the cloud server's capabilities and prevents it from accessing the data stored on it when it is in possession of a revoked key. Finally, we propose fABElous, an ABE scheme for low-bitrate wireless sensor and actuator networks, often used in industrial IoT systems, which aims at minimizing the communication overhead introduced by the adoption of ABE to selectively distribute data through broadcast communications.
2020
Gianluca Dini
ITALY
Goal 9: Industry, Innovation, and Infrastructure
Goal 11: Sustainable cities and communities
Marco Rasori
Files in this item:
File: [Rasori, Marco] - Thesis.pdf
Open Access since 09/07/2021
Description: Doctoral thesis
Type: Doctoral thesis
License: Open Access
Size: 4.16 MB
Format: Adobe PDF

Documents in FLORE are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this resource: https://hdl.handle.net/2158/1200334