Security concerns and countermeasures in IoT-integrated smart buildings

Dr. Mohit Bansal, Canada, Teacher
Published Date: 26-10-2017
Privacy Preservation for IoT Used in Smart Buildings

7.1 Introduction

The proliferation of various Internet of Things (IoT) devices has led to several innovative applications, including the development of smart homes and buildings. While the use of IoT devices can bring a lot of advantages in terms of efficiency, convenience, and cost, their extensive use raises several privacy concerns regarding the users and their activities inside these smart buildings. For instance, by analyzing smart meter data, one can infer avocations, finances, occupation, credit, health, or other similar personal information about the customer or the household. In commercial buildings, the privacy concerns are mostly about user tracking and the detection of behavior patterns when employees use their smart devices connected to Wi-Fi access points. In the same manner, the use of IoT devices in the workplace may leak information about the social fabric of that organization, which is largely hidden from direct observation. The interpersonal connectivity in a group is largely created and maintained by physical interactions in the space, and these can be monitored in part by analyzing the IoT traffic within the building. The details of these interactions are very sensitive from personal and organizational privacy standpoints, and thus it is important to treat them with great caution.

In this chapter, we first provide an overview of the smart building concept and the IoT devices commonly used in smart buildings in Section 7.2. In Section 7.3, the privacy issues regarding the use of IoT devices are discussed. Then, in Section 7.4, a survey of the existing efforts to address these challenges is presented.
Finally, we will conclude with future research challenges in this emerging area.

7.2 Overview of Smart Building Concept

The intelligent building concept has existed for more than three decades, and its definition has evolved over time with new developments in technology [10]. As the definitions expanded, the term smart building arose and came to be used interchangeably with the term intelligent building. With the increasing use of this newer term in industrial reports and academic literature in recent years, smart building has become the more popular term and is used instead of intelligent building. This gives smart building a broader scope than intelligent building, incorporating the latest trends such as the smart grid. Like intelligent building, smart building also has various definitions, introduced by various parties including academic institutions, companies, and organizations. Interested readers are referred to [10] and [55] for a more comprehensive discussion of the various intelligent/smart building definitions. In this section, the definition from the Institute for Building Efficiency [20] is presented to give the reader a high-level overview of smart buildings. Smart buildings are defined as “buildings that provide lowest cost and environment friendly building services that make occupants productive through the use of information technology in the building operations.” The information technology interconnects various independent subsystems inside the building and enables information sharing between those subsystems. It also interacts with and empowers the building operators and occupants with actionable information. Smart buildings are usually assumed to have their own renewable power generation systems and to use a smart meter as the gateway to the smart grid, as depicted in Figure 7.1.
Besides the interchangeable use of the terms intelligent and smart, the presence of other building concepts, such as the green building [59] and net-zero energy building [49] concepts, may add further confusion to the existing definitions. Even though an internationally agreed definition for each concept is still lacking, these similar concepts can basically be differentiated by their goals. The green building concept focuses on environmentally friendly aspects and covers the whole building life cycle, including design, construction, operation, maintenance, renovation, and demolition. The net-zero energy building concept, on the other hand, is driven by the availability of distributed renewable energy generation and by conservation efforts in the building, so that the building meets its own energy needs. Finally, the smart/intelligent building concept focuses on intelligence and communications capability for energy-efficient buildings. This may also involve some parts of the building life cycle, from design to maintenance. It is worth noting that the latter two are fundamental concepts for successful smart grid implementations. Figure 7.2 shows the distinction between these concepts.

[Figure 7.1: Smart buildings and smart grid. The diagram shows a smart building (solar PV, combined heat and power plant, HVAC, lighting, thermal and electrical storage, security, information technology, PHEV parking deck, building manager) connected through its smart meter to the smart grid and the Internet, exchanging power and bidirectional data communication (dynamic pricing, curtailment signals, load forecasts, capacity bids, emission reduction info). (From Institute for Building Efficiency, http://www.institutebe.com/smart-grid-smart-building/What-is-a-Smart-Building.aspx.)]
7.2.1 Smart building subsystems

Smart building subsystems have evolved over time following the progress in information and communications technology and the development of new concepts such as the smart grid. The current major subsystems consist of three interrelated fundamental subsystems [47], as depicted in Figure 7.3:

1. Building automation system (BAS). This has had a long-standing evolution since the early 1940s, from a centralized control and monitoring panel to the open BAS that is compatible with the Internet or intranets [53]. BAS has adopted various commonly used Internet/intranet communications and software technologies for monitoring and controlling various building subsystems such as lighting, heating, ventilation, and air-conditioning (HVAC), security and access, fire and safety, and many more.

2. Building energy management and grid interaction system (BEMGS). This has emerged from building energy management systems in recent years, following the transformation of the legacy power grid into a smart grid. It is responsible for internal energy-related operations and external interaction with the smart grid.

3. Building management information technology (IT) system (BMITS). This enables better building functionality and performance through two-way communications with the other two subsystems in order to achieve various goals. It provides a better presentation of the current building status through video or voice applications, which in turn increases the awareness and involvement of the building manager and occupants in controlling the performance of the BAS. BMITS also interacts with BEMGS by collecting power consumption data for further modeling and analysis. The results can be used for in-building energy policies or interaction with the smart grid. These policies are implemented by the BAS and building energy management.

[Figure 7.2: Building concepts classification. Nested categories: conventional building; intelligent building (intelligence and communication capability); green building (material, physical design, environment, and sustainability); net-zero energy building (energy generation and conservation); intelligent and green converged building; future capability building. (Redrawn from J. Pan et al., Communications Surveys & Tutorials, IEEE, 16(3), 2014.)]

[Figure 7.3: Intelligent buildings and related systems. The building management IT system (voice, video, data and other applications over a communication backbone), the energy management and grid interaction system (renewable energy generation, energy storage, metering) and the building automation system (lighting, HVAC, air/water, other utilities, security and access, fire and safety), with three interactions: (1) multiple IT applications and better interaction with managers and users; (2) energy operation and interaction; (3) modeling and analysis, policy and pricing. (Redrawn from J. Pan et al., Communications Surveys & Tutorials, IEEE, 16(3), 2014.)]

7.2.2 IoT devices used in smart buildings

The IoT devices used in a smart building environment can be classified into three types: (1) building devices, which are used in the smart building for the purpose of monitoring and controlling the building; (2) mobile wireless devices, which are typically used personally by the occupants, such as smartphones, personal digital assistants, personal notebooks, body sensors, digital cameras, portable game consoles, wearable devices, and so on; and (3) smart home appliances, which are typically stationary and mostly found in residential buildings, such as televisions, washing machines, refrigerators, and so on. The major IoT building devices used in smart buildings include the following:

1. Smart metering is basically an advanced electronic recording device that records energy consumption in the building over a certain interval (in hours or minutes) and reports these data to the utility company at certain time intervals through various types of communications technology (e.g., fiber optics, power line communication (PLC), cellular networks, wireless mesh networks, etc.). Even though the term smart metering can also be used for recording water or natural gas consumption, it usually refers to the electric meter for the recording of electrical energy usage. The smart meter replaces the traditional electric meter and offers two-way communications between the utility company and the consumer.

2. Wireless local area networks (LANs) are commonly used to provide wireless access for people within a smart building. The system consists of a number of wireless access points (APs) distributed throughout the building.

3. Radio Frequency Identification (RFID) is a wireless short-range low-energy technology that has been widely used for years. RFID is considered to be one of the enabling technologies for the IoT, since it can provide a unique identity for anything (e.g., consumer goods, apparel, cars, animals, human beings, etc.). A typical RFID system consists of two components, a reader and a tag, that operate at a certain frequency. The former is an active device sending queries and the latter is an active or passive device responding to these queries. RFID readers in smart buildings are typically installed for access control, for example, for automatic door entrance. The RFID tag, which may be embedded in the employee’s ID card, is used for identification before physical or logical access is granted. The RFID tag can store data and transmit the data to the reader. The communication between the tag and the reader does not need to be in line of sight and may be contactless.

4. Video surveillance has commonly been used for security and access control for years. These IoT devices provide high spatial resolution for still images and video and produce a wide range of information, such as shape, color, size, texture, and so on, from the captured objects. The objects must be in the direct line of sight of the camera.

5. Various sensors: carbon dioxide (CO2) sensor, passive infrared (PIR) sensor, ultrasound sensor, magnetic door sensor, and so on. The CO2 sensor measures the carbon dioxide concentration in the air and is typically used for monitoring indoor air quality. However, the CO2 sensor can also be used to collect some indirect occupancy information in certain areas based on the CO2 concentration in that area. The PIR sensor measures infrared (IR) light radiating from objects in its direct line of sight. Typically, a human emits heat energy that is invisible to the human eye but can be detected by the PIR sensor. However, the direct line of sight and continuous motion requirements are limitations of the PIR sensor, and therefore it will not be able to detect stationary occupants. The ultrasound sensor, on the other hand, does not have these requirements. The ultrasound sensor is an active sensor that transmits ultrasonic waves and receives those reflected from objects and obstacles.

Figure 7.4 illustrates various IoT devices used in smart buildings.

[Figure 7.4: Examples of IoT devices used in smart buildings: wireless sensor connections, Wi-Fi camera, Meshlium gateway, data server, 802.11ac wireless access point, RFID readers, ZigBee connections, PIR sensors.]

7.2.3 Intelligence in smart buildings

A wide variety of research has been conducted on intelligent/smart buildings for more than 30 years, from the independent building subsystems to the system integration of those subsystems. Among the building subsystems, the research on heating, ventilation and air-conditioning (HVAC) subsystems and lighting subsystems attracts a lot of attention, since they contribute the largest portion of total energy consumption in buildings. Previous research has shown that up to 40% energy saving can be achieved by adopting occupancy-based controls for HVAC subsystems and a combination of control strategies for lighting subsystems such as daylight harvesting (i.e., exploiting external light sources), occupancy sensing, scheduling, and load shedding [43].

Real-time occupancy-based control for HVAC and lighting systems has been the main research focus in intelligent/smart buildings for decades. Various IoT devices have been used to collect occupancy information. These devices can be used in the form of wireless sensor networks (WSNs), which use either a single sensor type or sensor fusion (i.e., multiple sensor types). A single type of sensor may be adequate to collect the desired occupancy information; however, in most cases employing sensor fusion will give a more accurate result. For instance, the binary information generated by PIR and ultrasound sensors is adequate to provide presence/absence information. Nevertheless, more accurate occupancy information can be provided by sensor fusion through the use of PIR and magnetic door sensors [2], or PIR and image sensors [18]. Moreover, sensor fusion that uses simple binary sensors can also provide more informative occupancy information, such as the occupant’s activities, by employing PIR, chair pressure sensors, and acoustic sensors [42].
A wide range of occupancy information is available to support real-time occupancy-based control, ranging from simple binary information about the presence or absence of a person in an observed area to more significant occupancy information [31], such as where they are (i.e., location), how many people are present (i.e., counting the number of occupants), what they are doing (i.e., activity), who they are (i.e., identity), and where they were before (i.e., tracking). Typically, each IoT device can collect a certain level of occupancy information. Additionally, an IoT device can also provide several pieces of occupancy information at once. For instance, RFID is employed in [34] to estimate the occupants’ activities in real time; in addition, the occupants’ identities, the number of occupants, their location, and presence or absence information can be provided. In recent years, it has also become possible to obtain occupancy information through implicit occupancy sensing, for instance, from existing IT infrastructure such as Wi-Fi [5, 14].

Real-time occupancy-based control can further be classified into two groups: (1) individualized approaches and (2) nonindividualized approaches [34]. Individualized approaches reveal the occupants’ identities and are able to track individual occupants, while nonindividualized approaches are only able to provide nonpersonal occupancy information such as presence/absence and the number of occupants. Typically, nonindividualized approaches are nonintrusive, scalable, and easy to deploy, but do not work well in virtual environments (i.e., they require physical environments).

Besides real-time occupancy-based control, two new research directions for smart buildings, namely real-time occupancy-based control with the occupant’s individual preferences and control based on predicted occupant behavior, have emerged in recent years [43].
In the first research direction, instead of providing uniform indoor climate or lighting at certain locations for all occupants and operating according to fixed schedules and maximum occupancy assumptions, control with the occupant’s individual preferences strives to create a microclimate zone in a relatively small space around the occupant based on the occupant’s personal comfort. For instance, in [12], an RFID tag is used as the occupant’s identifier and, when the presence of this occupant is detected in a certain location, the climate and lighting conditions in that location are adjusted based on his/her preferences. Interested readers can refer to [52] for a more comprehensive review. The latter research direction is driven by the fact that climate control has a long response time, unlike lighting control. Hence, it needs to be set in advance in order to meet the occupant’s comfort needs on time. Research in this area is very challenging, since an accurate and powerful predictor is needed to predict occupant behavior, which may involve identifying the occupant’s activities. For instance, a smart thermostat that uses occupancy sensors is introduced in [36] to automatically turn off the HVAC when the occupant is sleeping or the home is unoccupied. A fusion sensor that consists of wireless motion and door sensors is used to infer occupant activities (e.g., sleeping, left home unoccupied, or active). The interested reader may refer to [43] for more detailed information.

7.3 Privacy Threats in Smart Buildings

Smart buildings are basically designed to enhance user comfort, to provide better access control and security, and to deliver efficient building management. As part of the numerous processes taking place within a smart building, information about the presence of the occupants and their behavior must be gathered and processed in order to provide the desired services.
However, the collected information may pose some privacy issues. By using the information collected by several sensors throughout the building, or the information obtained from personal devices, the physical location of the user can easily be determined. Furthermore, an individual’s activities can be tracked by collecting the physical location information of that individual over a period of time. This would help unauthorized users and attackers to determine the behavior of users and their usage patterns.

Compared to other IoT devices used in smart buildings, the smart meter has some specific features and challenges. While all other IoT devices collect occupancy information from the building, report it, and use it for internal purposes, a smart meter acts as the gateway of the building to the smart grid infrastructure and reports the collected data to the utility company or a third party for external use. Moreover, in contrast to traditional meter reading, which is mainly for billing purposes, with data collected once per billing cycle, the smart meter can collect fine-grained power consumption data and report them to the utility company or a third party at a much higher frequency (e.g., per day/hour/minute) through a communications infrastructure. Such data can be used for various purposes by the utility company, such as real-time dynamic pricing, demand forecasting, and power grid operations. Hence, fine-grained power usage data are available at different locations: at the smart meter, in transit through the communications network on the way to the utility company or the third party, and at the utility company or the third party. This situation carries a higher risk of privacy threats because of the various parties involved.
For this reason, and because of its vital role in the successful operation of the smart grid, privacy issues related to the smart meter have been gaining a lot of attention from academic communities in recent years. When the real-time fine-grained power usage information is aggregated over time, it can be used to infer the number of occupants, their habits, and the rhythm of their movements. These issues are usually considered within the scope of user behavior privacy.

7.3.1 Privacy of user behavior

This type of privacy issue stems from the fact that occupants’ identities can be learned and their activities can be collected, tracked, or deduced from the information generated by IoT devices.

User behavior privacy becomes an issue, in particular, when a smart meter is used in a residential building. The fine-grained energy consumption data generated by the smart meter can be disaggregated into appliance-level information. The goal of disaggregating power consumption is to provide information on the breakdown of energy consumption and to profile high-energy-usage appliances. The appliance-level information benefits many parties [3]: the consumer can get direct feedback on his/her electricity consumption and receive automated personalized recommendations, which in turn enables his/her active participation in reducing or altering his/her electricity demand; the utility company can obtain fine-grained data to improve economic modeling and policy recommendations; and R&D institutions and manufacturers can use the fine-grained data to support the redesign of energy-efficient appliances, to support energy-efficient marketing, and to improve building simulation models. However, disaggregation of data also creates privacy issues, since the process is nonintrusive.
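As an added illustration (not code from the chapter), the following Python sketch runs a minimal edge-matching disaggregation over constructed 1-minute meter readings and then over the same readings reported at 5- and 15-minute intervals; the appliance signatures and the readings are constructed values. It shows that the reporting granularity, not only the data itself, decides how much of the household's activity the meter data reveal.

```python
"""Added illustration, not code from the chapter: edge-matching disaggregation
over constructed 1-minute smart-meter readings, then over the same readings
reported at a coarser interval. Signatures and readings are constructed."""
from collections import Counter

# Constructed steady-state power steps (watts) per appliance. Real NILM uses
# measured signatures (e.g. real and reactive power); these are assumed values.
SIGNATURES = {"refrigerator": 150, "washing machine": 500, "water heater": 4000}
TOLERANCE = 60  # watts: maximum distance between a step and a signature


def constructed_readings():
    """Constructed 1-minute readings (watts) for 06:00-06:59: a 30 W baseline,
    the refrigerator cycling on twice, and the water heater on 06:12-06:18."""
    readings = []
    for minute in range(60):
        load = 30
        if 7 <= minute < 23 or 41 <= minute < 53:
            load += SIGNATURES["refrigerator"]
        if 12 <= minute < 19:
            load += SIGNATURES["water heater"]
        readings.append(load)
    return readings


def detect_events(readings, signatures=SIGNATURES, tol=TOLERANCE):
    """Match each step between consecutive samples to the closest appliance
    signature. Returns (sample_index, appliance, 'on' | 'off') tuples."""
    events = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        if abs(delta) < tol:
            continue  # steady state or noise, nothing to match
        best = min(signatures, key=lambda name: abs(abs(delta) - signatures[name]))
        if abs(abs(delta) - signatures[best]) <= tol:
            events.append((i, best, "on" if delta > 0 else "off"))
    return events


def aggregate(readings, window):
    """Average `window` consecutive samples into one value, mimicking a meter
    that reports at a coarser interval (window=15 gives 15-minute readings)."""
    return [sum(readings[i:i + window]) / window
            for i in range(0, len(readings), window)]


def activity_profile(events):
    """Count how often each appliance switched on: the kind of daily profile
    Figure 7.5 derives from a whole-house trace."""
    return dict(Counter(name for _, name, state in events if state == "on"))


def compare_granularities(readings, windows=(1, 5, 15)):
    """Number of matched appliance events at each reporting interval."""
    return {w: len(detect_events(aggregate(readings, w))) for w in windows}


if __name__ == "__main__":
    data = constructed_readings()
    print(activity_profile(detect_events(data)))
    print(compare_granularities(data))
```

At 1-minute resolution every switching event, including the water heater that marks a shower, is recovered; at 15-minute averages none of them survives, which is why the reporting interval is a privacy control in its own right.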
Nonintrusive load monitoring (NILM), or nonintrusive appliance load monitoring (NIALM), is a technique for analyzing and extracting appliance-level information from power consumption data in a nonintrusive fashion. Various NILM approaches have been proposed since the technique was first introduced in [26]. Figure 7.5 shows an example of activities deduced using an NILM approach. Interested readers may refer to [56] and [3] for more detailed information.

[Figure 7.5: An example of activities deduced from an NILM approach. Power usage (kW) against time of day (h) over 24 hours, with labelled periods: overnight period, refrigerator, getting ready to leave (showers, breakfast, etc.), breakfast, shower, water heater, and evening activities (dinner, showers, laundry, working on computer). (From A. Molina-Markham et al., Proceedings of the 2nd ACM Workshop on Embedded Sensing Systems for Energy-Efficiency in Building, BuildSys ’10, ACM, New York, 2010.)]

7.3.2 Location privacy

Location privacy is defined as “the ability to prevent unauthorized parties from learning someone’s current or past location” [35]. Sources of location information can be either the various technologies used in smart buildings, such as sensors, RFID readers, video cameras, Wi-Fi access points, PIR sensors, and so on, or the personal electronic devices used by the occupants themselves, such as smartphones, notebooks, tablets, body sensors, or wearables. Location privacy may not be considered an issue in a relatively small environment, like the inside of a house, where a user is already known to be located and does not have a lot of internal space to move around in. However, in closed public environments, such as airports or shopping centers, or in big office buildings, location privacy becomes a problem.

7.3.2.1 Privacy issues with wireless LANs

Due to the broadcast nature of wireless LAN technology, it is much easier to obtain private information about the users. The following user data can be disclosed to unauthorized parties during wireless communication: the content of the communication, who is sending or receiving data (user identity), when the communication takes place (time), and where the communication takes place (location). While the content can be protected using encryption at the application level, the rest of the information may be available to external entities, as explained below:

1. User identity can be determined from the node information (i.e., MAC and IP addresses).

2. Time information can be obtained from the time of the transmitted or received packet.

3. Location can be inferred from (i) the single access point (AP) that receives the transmission, providing a rough estimate, or (ii) the signal strength of the transmission as observed by multiple APs that receive it, providing more accurate location information, for instance, by the triangulation method or by fingerprint-based localization [4, 57].

When all this information is combined, the where, when, and who of a wireless communication event can be used for tracking and inferring user behavior.

7.3.2.2 RFID privacy issues

The privacy issue comes from the fact that an RFID tag and reader do not have to be in line of sight. An unauthorized RFID reader at a distance or beyond the wall(s) may try to access the tag information, and the tag owner may not be aware that his/her tag is being read.

7.3.3 Visual privacy

Visual privacy refers to private information in the form of images or video. Today, the streets of modern cities and almost all closed public places are equipped with surveillance cameras in order to track suspicious activity and identify criminals.
We expect that, in the near future, the number of cameras will increase even further with the introduction of smart cameras and vision-based intelligent surveillance systems. Surveillance cameras may also be used as part of ambient-assisted living systems in support of the autonomy and well-being of older or disabled people. In any case, videos or images of a person carry the richest privacy information about a person and his/her environment. Not only the face of a person, but also the clothes, posture, gait, time, and environment can reveal sensitive information.

7.4 Privacy-Preserving Approaches in Smart Buildings

7.4.1 Wireless LAN privacy-preserving approaches

The evident solution to the privacy problem is to break the link between the user identity and the time and location information. The best way to achieve this goal is to anonymize the user or node information by frequently disposing of short-lived identifiers or pseudonyms. Factors affecting the successful use of frequently disposed identifiers for location privacy in wireless LANs are (i) the type of environment, (ii) the location resolution, and (iii) the attacker’s prior knowledge of the system or user. First, if it is an open environment with a high fluctuation of users, such as an office building with many employees or a public area such as an airport or shopping center, it is difficult to detect the changes in identifiers. However, if the user is located in a closed environment, such as a company network where all authorized clients’ interface identifiers are registered, changes in identifiers are easier to detect. The second factor to consider is the location resolution, which is the accuracy with which a user can be located. A single access point (AP) connected to the user will provide a rough estimate of the user’s location.
On the other hand, multiple APs may be installed in the area, providing more accurate location detection (i.e., enabling cooperation between APs to determine the user’s location by triangulation). The solution to this problem is to control the transmitted signal strength of the device. This reduces the number of APs that are able to receive the transmission [28]. Finally, if the attacker has prior knowledge about the environment (e.g., building layout, office assignment, working schedule of the employees, etc.), he/she can use this information to better identify the user [25].

The goals of applying anonymization are threefold. First, the identifier should be unlinkable, that is, the new and old identifiers of the same client node should be dissociated. Secondly, anonymization should cause minimum network disruption; to achieve this, proper timing is needed, because switching the address may close network connections in real-time applications such as voice over IP (VoIP) or in long communication sessions like streaming media. Finally, the solution should be readily applicable to the current IEEE 802.11 standard [4]. The key challenges in anonymization are:

1. Address selection. The addresses (including fake ones used to disguise the real ones) must still be valid and follow the standard, which requires 48-bit MAC addresses consisting of 24 bits for the Organizationally Unique Identifier (OUI) and another 24 bits assigned by the NIC vendor, so that they are not rejected or ignored for incompatibility reasons.

2. Address uniqueness. All nodes or users sharing a network resource should have a unique address. Thus, we need a detection and prevention mechanism for duplicate addresses. In a large network with many users, address collision becomes a problem, especially if each user independently generates its own fake MAC address.
One solution to this problem is to configure the AP to provide a pool of MAC addresses and to assign a MAC address to each node or user that joins it. In this case, the user or client needs to request a MAC address when joining the AP. The problem here is that the request must be attributable, which means it must contain the real MAC address of the user, in which case the user identity is again revealed. To solve this problem, Jiang et al. [28] proposed using a joint address (i.e., a group address) within the request for concealment purposes and a 128-bit nonce (one-time code) to provide uniqueness.

3. Integration with port authentication. Other identifiers besides MAC addresses (in protocols such as EAP-TLS, CHAP, and RADIUS) should also be taken into account so that eavesdroppers cannot use them to track the user.

An important issue to consider is how to unlink different MAC addresses of the same user when frequent address changes are employed, that is, how to reduce the correlation between two addresses of the same user and increase the entropy in address selection. One solution is to use a silent period after performing an address change [27]. In this approach, the users intentionally do not transmit for a certain period of time after the address change has occurred. The goal is to obscure the address change event by the presence of incoming users or clients. This is, of course, only practical when the user density is high enough to mask the address change event. Since forced silent periods without user intervention can disrupt communications, the concept of an opportunistic silent period is introduced in [27], where address changes are performed during the idle time between the user’s communications, thus minimizing the negative effect on established communications and hence enhancing the quality of service.
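As an added example, not code from the chapter or from Jiang et al., the following Python sketch covers the challenges above from the client and AP side: generating a standard-conforming pseudonym MAC (address selection), an AP-managed address pool requested with a group address and a 128-bit nonce (address uniqueness; a simplified sketch of the idea as described on this page, not the published protocol), and choosing an opportunistic silent period from the client's own idle gaps. The group address value and pool size are constructed.

```python
"""Added example, not from the chapter or from Jiang et al.: simplified wireless
LAN pseudonym handling for the anonymization challenges discussed above."""
import secrets

LOCAL_BIT = 0x02  # bit 1 of the first octet: locally administered address
GROUP_BIT = 0x01  # bit 0 of the first octet: group (multicast) address

# Constructed group address for the anonymous request (locally administered,
# group bit set); any conforming group address would serve the same purpose.
GROUP_ADDR = "03:00:00:00:00:01"


def random_mac():
    """Address selection: a 48-bit address that is locally administered (bit 1
    set) and unicast (bit 0 clear), so it is valid under IEEE 802 and is not
    rejected by the AP, yet never collides with a vendor-assigned OUI."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | LOCAL_BIT) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_valid_pseudonym(mac):
    """Accept only well-formed, locally administered, unicast addresses."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        return False
    try:
        octets = [int(p, 16) for p in parts]
    except ValueError:
        return False
    return bool(octets[0] & LOCAL_BIT) and not (octets[0] & GROUP_BIT)


class AccessPoint:
    """Address uniqueness: the AP hands out addresses from a pool it owns, so
    clients never pick colliding fake addresses independently."""

    def __init__(self, pool_size):
        self.free = set()
        while len(self.free) < pool_size:
            self.free.add(random_mac())
        self.leases = {}  # nonce -> assigned MAC

    def request(self, source_addr, nonce):
        # Sketch of the idea on the page: the request is sent from a group
        # address instead of the client's real MAC (concealment) and carries a
        # 128-bit nonce (uniqueness), so the AP answers without learning who asked.
        if not int(source_addr.split(":")[0], 16) & GROUP_BIT:
            raise ValueError("request must be sent from a group address")
        if len(nonce) != 16:
            raise ValueError("nonce must be 128 bits")
        if nonce in self.leases:
            return self.leases[nonce]  # retransmitted request: same lease
        if not self.free:
            raise RuntimeError("address pool exhausted")
        mac = self.free.pop()
        self.leases[nonce] = mac
        return mac

    def release(self, nonce):
        """Return the address to the pool when the client drops that identity."""
        self.free.add(self.leases.pop(nonce))


def opportunistic_change_time(packet_times, silent_period):
    """Unlinkability: schedule the address change at the start of the first idle
    gap at least `silent_period` long, so the silence that hides the change falls
    into the user's own idle time instead of interrupting a session. Returns
    None when no gap is long enough (a forced silent period would be needed)."""
    for a, b in zip(packet_times, packet_times[1:]):
        if b - a >= silent_period:
            return a
    return None


if __name__ == "__main__":
    ap = AccessPoint(pool_size=8)
    nonce = secrets.token_bytes(16)
    print(ap.request(GROUP_ADDR, nonce), opportunistic_change_time([0, 1, 2, 10, 11], 5))
```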
Another solution is employing mix-zone areas [7, 21], which can be described as the spatial version of the silent-period approach: clients are not allowed to transmit in predefined areas. This relies on middleware installed on the mobile devices that enforces the predefined zones, so that all users inside a zone are indiscernible. Clients may change their pseudonyms (e.g., MAC addresses) while in the mix-zone, but they may not transmit there. A mix-zone for a group of users is defined as a connected spatial region of maximum size in which none of these users has registered for an application; in contrast, an application zone is an area where a user can register for an application callback. When a client that has just changed its pseudonym leaves the mix-zone and starts to transmit again, an adversary or location-based service (LBS) application cannot relate the new pseudonym to a specific old one, since the newly observed pseudonym may belong to any client that has recently passed through the mix-zone. This approach works well when many clients enter or exit the mix-zone at the same time. To strengthen the anonymity, the application may be configured not to transmit or send any location update while the mix-zone contains fewer than k users.

7.4.2 RFID privacy-preserving approaches

There are various proposed solutions to the privacy problems caused by RFID devices, falling into two groups: (1) hiding and blocking and (2) rewriting and encryption [32]. In hiding and blocking, the tag is silenced by jamming the radio channel used for RFID communication, or it replies only to readers with proper credentials. In rewriting and encryption, access to the tag is controlled cryptographically, for example through anonymization with hash-based approaches. In the hash-lock scheme [54], unauthorized reader access is prevented because the tag is locked by default and opens only when the correct key is presented to it.
To open the tag, the reader queries the tag for its metaID (the hash of the key) and looks up the corresponding key and ID in the back-end server. The back end returns (key, ID) to the reader, and the reader sends the key to the tag. The tag hashes the key and compares the result with its stored metaID; if they match, the tag unlocks. This preserves privacy to a certain degree and keeps the back-end search time short, since the database is a hash table indexed by metaID, but tracking is still possible in the hash-lock scheme because a fixed metaID (i.e., a single pseudonym) is used.

Figure 7.6: (a) Hash locking: a reader unlocking a hash-locked tag (the reader queries the tag, receives the metaID, obtains (key, ID) from the database and sends the key to the tag); (b) randomized hash locking: a reader unlocks a tag whose ID is ID_k in the randomized hash-lock scheme (the tag replies with R, h(ID_k || R), and the reader retrieves all IDs ID_1, ID_2, ..., ID_n from the database to find the match). (Redrawn from S.A. Weis et al. in D. Hutter et al., eds., Security in Pervasive Computing, Springer, Berlin, 2004.)

To overcome this problem, a randomized hash-lock scheme was proposed. Here the tag output changes on every access: the tag replies with a random value R together with the hash of its ID concatenated with R, h(ID_k || R), so the pseudonym differs each time the tag is read and unauthorized readers cannot track the user. The back end identifies the tag by recomputing h(ID_i || R) for every known ID until it finds a match. Tags in this randomized scheme are therefore untraceable by an eavesdropper. However, the scheme is not scalable to a large number of tags, since the back-end database must perform one hash operation per enrolled tag for every read. Furthermore, this protocol does not provide forward privacy: the information stored in a compromised tag reveals much about that tag's previous communications [11]. Figure 7.6 shows how these two approaches work.
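The following Python example is added for illustration; it is not code from the chapter, from Weis et al. [54] or from Ohkubo et al. [44]. It simulates the hash-lock and randomized hash-lock exchanges described above and, because the forward-privacy weakness is the motivation for the hash-chain scheme [44] discussed next, also the hash-chain identifier refresh, with helpers that count how many recorded reads an attacker can link after extracting a tag's secrets. The use of SHA-256 as the tag hash, a second domain-separated hash for chain outputs, and the bound on chain length the back end searches are assumptions of the example.

```python
# Added example, not code from the chapter or from Weis et al. [54] or
# Ohkubo et al. [44]: a simulation of the hash-lock and randomized hash-lock
# exchanges above, plus the hash-chain identifier refresh that restores
# forward privacy, with helpers that measure what an attacker learns from a
# compromised tag. SHA-256 as the tag hash, the second (domain-separated)
# hash for chain outputs, and the chain-length bound are assumptions.
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """Assumed tag hash: SHA-256 over the concatenated inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def g(s: bytes) -> bytes:
    """Assumed second hash for hash-chain outputs."""
    return hashlib.sha256(b"out|" + s).digest()


# (a) Hash lock: the tag stores metaID = h(key) and stays locked until it is
# shown a key hashing to metaID. The pseudonym never changes.
class HashLockTag:
    def __init__(self, tag_id: bytes, key: bytes):
        self.id, self.meta_id, self.locked = tag_id, h(key), True

    def query(self) -> bytes:
        return self.meta_id            # fixed metaID: trackable by any eavesdropper

    def unlock(self, key: bytes):
        if h(key) != self.meta_id:
            return None                # wrong key: stays locked, reveals nothing
        self.locked = False
        return self.id


class HashLockBackend:
    def __init__(self):
        self.table = {}                # metaID -> (key, ID): one hash-table lookup

    def enroll(self, tag_id: bytes, key: bytes) -> None:
        self.table[h(key)] = (key, tag_id)

    def lookup(self, meta_id: bytes):
        return self.table.get(meta_id)


def hash_lock_read(backend: HashLockBackend, tag: HashLockTag):
    """Reader side of Figure 7.6(a): get metaID, fetch (key, ID), send key."""
    record = backend.lookup(tag.query())
    return None if record is None else tag.unlock(record[0])


# (b) Randomized hash lock: the tag answers (R, h(ID || R)) with a fresh R, so
# two reads are unlinkable, but the back end must hash every enrolled ID.
class RandomizedTag:
    def __init__(self, tag_id: bytes):
        self.id = tag_id

    def query(self):
        r = secrets.token_bytes(16)
        return r, h(self.id, r)


class RandomizedBackend:
    def __init__(self, ids):
        self.ids = list(ids)

    def identify(self, r: bytes, digest: bytes):
        for tid in self.ids:           # O(n) hashes per read: the scalability limit
            if h(tid, r) == digest:
                return tid
        return None


def links_after_compromise_randomized(tag_id: bytes, transcript) -> int:
    """Attacker who extracted ID from the tag re-checks old (R, digest) pairs;
    every past read matches, so the scheme has no forward privacy."""
    return sum(1 for r, d in transcript if h(tag_id, r) == d)


# (c) Hash chain: the tag holds a secret s_i, answers g(s_i) and overwrites
# s_i with h(s_i). The old secret is a preimage and cannot be recovered.
class HashChainTag:
    def __init__(self, seed: bytes):
        self.s = seed

    def query(self) -> bytes:
        out = g(self.s)
        self.s = h(self.s)
        return out


class HashChainBackend:
    def __init__(self, seeds, max_reads: int):
        self.seeds = dict(seeds)       # ID -> initial secret
        self.max_reads = max_reads     # assumed bound on reads per tag

    def identify(self, out: bytes):
        for tid, s in self.seeds.items():   # exhaustive search along every chain
            for _ in range(self.max_reads):
                if g(s) == out:
                    return tid
                s = h(s)
        return None


def links_after_compromise_chain(current_s: bytes, transcript, steps: int) -> int:
    """Attacker who extracted the current secret can only derive g(h^i(s)),
    i >= 0, i.e. future outputs; recorded past outputs stay unlinkable."""
    derivable, s = set(), current_s
    for _ in range(steps):
        derivable.add(g(s))
        s = h(s)
    return sum(1 for out in transcript if out in derivable)
```

The two `links_after_compromise_*` helpers make the forward-privacy difference concrete: with the randomized hash lock the extracted ID links every recorded read, while with the hash chain the extracted secret links none of them. Both of the unlinkable schemes pay for it in the back end, which must try every enrolled identity (and, for the chain, every position along each chain) on each read.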
To address the forward privacy issue, a hash-chain scheme was proposed [44], in which the tag identifier is refreshed each time the tag is queried by a reader; this can be implemented with a low-cost hash-chain mechanism. However, this scheme is also not scalable, because the back-end server must perform an exhaustive search to identify the tag.

Figure 7.7: Layered approach for accessing video surveillance information. Ordinary users see only statistics (e.g., how many anonymous people, average flow, alerts on events such as "alert me if x shows up" for the elevator or air-conditioning); privileged users see rerendered video with identity, actions and locations hidden, with an override giving access to more information; law enforcement may access the raw video in an emergency or on court order. (Redrawn from A. Senior et al., IEEE Security & Privacy, 3(3), 2005.)

7.4.3 Video surveillance privacy-preserving approaches

Since video surveillance and the associated intelligent monitoring systems provide the richest privacy-relevant information about subjects, the solutions for preserving visual privacy should be defined accordingly, preferably starting at the design phase, with decisions such as whether to choose a high- or low-resolution camera, whether or not to use encryption, and so on. An important issue is the definition of access control for the different types of users who have access to video surveillance data. As depicted in Figure 7.7, a layered approach is proposed by Senior et al. [50], providing the capability to determine who can view what data under what circumstances. In this model, three different types of users have access at three different levels: ordinary users can only access statistical information about the video; privileged users can access rerendered and limited information; and finally, law enforcement agencies may have full access, including raw video and the related individual identity information.
Such a system should comprise video analysis, encoding/decoding, storage facilities, and basic security functions such as authentication, accounting, and encryption.

Considering the temporal aspect, visual privacy preservation mechanisms can be applied either in real time during the acquisition of the image or video, or after its acquisition. A real-time example proposed by Zhang et al. [58] uses two cameras, IR and RGB, to capture video simultaneously. The thermal IR camera is used to discriminate the face region and other exposed parts of the human body, based on the thermal radiation emitted by human skin (wavelength around 10 μm). Thermal imaging generates a mask pattern corresponding to the position of the subject's face. A spatial light modulator (SLM) (e.g., an LCD) inserted in front of the CCD/CMOS image sensor of the RGB camera applies the thermal imaging mask and prevents the face of the subject from ever being recorded (see Figure 7.8). Since this implementation only protects the subject's face or exposed extremities, valuable privacy information can still be obtained from the clothing of the subject or from the environment if prior information is available.

Figure 7.8: Concept of the anonymous camera system: a cold mirror splits the scene between an IR sensor, whose thermal image generates the mask pattern, and the visible-light path, where an SLM in front of the CCD applies the mask to produce the privacy-protected image. (From Y. Zhang et al., Pattern Recognition (ICPR), 2014 22nd International Conference on, 2014.)

To preserve privacy, applicable methods can be grouped into five categories [45]: intervention, blind vision, secure processing, redaction, and data hiding.

1. Intervention methods prevent visual data from being captured in the first place by physically interfering with the camera devices, for instance by creating excessive illumination.

2. Blind vision performs image or video processing in an anonymous way using cryptographic techniques such as secure multiparty computation (SMC), where one party applies another party's algorithm to its data without learning the details of that algorithm.

3. Secure processing methods involve video processing techniques other than SMC to preserve privacy.

4. Redaction methods, with many subcategories such as image filtering, encryption, the k-same family, object/people removal, and visual abstraction, are the most common preservation methods; some examples are given in the following paragraphs.

5. Data hiding methods hide the original image data inside a cover message, from which it can be retrieved if needed in the future.

In image filtering, a Gaussian blur (Gaussian smoothing) filter modifies each pixel using its neighboring pixels. A simpler block-based variant is pixelation: the image is divided into 8×8 pixel blocks, the average color of the pixels in each block is computed, and that average becomes the new color of every pixel in the block.

Encryption of video and images uses either traditional ciphers such as DES, AES, and RSA, which are generally too slow for real-time processing, or lightweight encryption, which is faster but less secure. Encryption techniques scramble the region of interest by pseudorandomly flipping bits, and can be applied in the compressed (code-stream) domain, the spatial domain, or the frequency domain [9, 15].

In face deidentification techniques, the goal is to alter the face region so that face recognition systems are unable to recognize it. One of the most robust methods, the k-same family of algorithms, is an implementation of the k-anonymity concept: it computes the average of k images in a set and replaces the whole cluster with the resulting average image (see Figure 7.9) [41].
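The following Python example is added for illustration and is not code from the chapter or from Newton et al. [41]. It implements two of the redaction methods just described on constructed toy data: the 8×8 block-averaging (pixelation) filter, applied to a whole image and to a region of interest such as a detected face box, and k-same averaging of a set of faces, with a check that every output face is shared by at least k inputs. Representing faces as flattened intensity vectors and grouping them in input order are simplifying assumptions; the k-same algorithms in the literature first cluster faces by similarity.

```python
# Added example (not the chapter's code): two redaction methods described
# above applied to constructed toy data: block pixelation of a region of
# interest (the 8x8 block-averaging filter) and k-same averaging of faces,
# with a check that every output face is shared by at least k inputs.
# Grouping faces in input order is an assumption; the k-same algorithms in
# the literature cluster faces by similarity first.
from collections import Counter


def pixelate(img, block: int = 8):
    """Replace each block x block tile by its mean intensity (edge tiles use
    whatever pixels remain). img is a list of rows of integer intensities."""
    height, width = len(img), len(img[0])
    out = [row[:] for row in img]
    for y0 in range(0, height, block):
        for x0 in range(0, width, block):
            ys = range(y0, min(y0 + block, height))
            xs = range(x0, min(x0 + block, width))
            vals = [img[y][x] for y in ys for x in xs]
            mean = sum(vals) // len(vals)
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def pixelate_region(img, x: int, y: int, w: int, h: int, block: int = 8):
    """Pixelate only the region of interest (e.g. a detected face box) and
    leave the rest of the scene untouched."""
    height, width = len(img), len(img[0])
    x1, y1 = min(x + w, width), min(y + h, height)
    sub = [row[x:x1] for row in img[y:y1]]
    redacted = pixelate(sub, block)
    out = [row[:] for row in img]
    for dy, row in enumerate(redacted):
        out[y + dy][x:x1] = row
    return out


def k_same(faces, k: int):
    """Return the de-identified set: each face is replaced by the average of
    its group of at least k faces. Faces are flattened intensity vectors of
    equal length. A trailing group smaller than k is merged into the previous
    one so that no group breaks the k-anonymity guarantee."""
    if k < 1 or len(faces) < k:
        raise ValueError("need at least k faces")
    groups = [faces[i:i + k] for i in range(0, len(faces), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    out = []
    for grp in groups:
        avg = [sum(f[j] for f in grp) // len(grp) for j in range(len(grp[0]))]
        out.extend([list(avg) for _ in grp])
    return out


def anonymity_level(deidentified) -> int:
    """Smallest number of inputs sharing one output face (should be >= k)."""
    return min(Counter(tuple(f) for f in deidentified).values())


# Constructed 16x16 scene: intensity = 8*x + y, so block means are easy to check.
SCENE = [[8 * x + y for x in range(16)] for y in range(16)]
# Constructed "faces": five 2-pixel vectors with clearly different values.
FACES = [[0, 0], [10, 10], [20, 20], [30, 30], [40, 40]]

if __name__ == "__main__":
    print("top-left block after pixelation:", pixelate(SCENE)[0][0])
    print("k-same, k=2:", k_same(FACES, 2))
    print("anonymity level:", anonymity_level(k_same(FACES, 2)))
```

The edge-case handling is the point of `k_same`: a naive split of n faces into groups of k leaves a final group of n mod k faces, and an average over fewer than k faces does not give k-anonymity. Merging that remainder into the previous group keeps every output shared by at least k inputs, which `anonymity_level` verifies.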
Object/people removal, on the other hand, removes a private object or person from the original image. The issue is how to fill the void left after removal, and the solution relies on inpainting methods to restore the removed portion. Still-image inpainting is easier, since it only has to maintain spatial consistency, whereas video inpainting must deal with both spatial and temporal consistency [24]. Finally, the goal of visual abstraction/object replacement is to protect privacy while preserving the object's activity, including position, pose, and orientation; image filtering and deidentification techniques can be used for this purpose [13].

Figure 7.9: K-anonymity by averaging k distinct faces: a set of original faces is replaced by their average. (From E.M. Newton et al., Knowledge and Data Engineering, IEEE Transactions on, 17(2), 2005.)

7.5 Smart Meter Privacy-Preserving Approaches

Efforts to preserve privacy for smart meters rest on the following facts: billing requires an association between the meter reading and the consumer identity, but it does not need fine-grained readings, while fine-grained readings are necessary for grid operations, where the exact consumer identity is rarely needed. When the consumer identity and the fine-grained power consumption are exposed together to unauthorized parties, privacy threats arise. Efforts to preserve privacy may be classified into three categories: (1) approaches that disassociate the consumer identity from the meter-reading data (i.e., working on the user identity) through anonymization; (2) approaches that prevent NILM (nonintrusive load monitoring) from obtaining appliance-level information (i.e., working on the meter-reading data) through modification of the meter readings; and (3) encryption-based approaches that employ encryption and data aggregation to protect the data while in transit within the smart grid communications network. In addition, a third party may be involved in the effort, either as a data gateway that forwards individual or aggregated meter readings (thereby also acting as the data aggregator) or as an identity generator that creates pseudonym identities for smart meters.

7.5.1 Anonymization approaches

The anonymity of the consumer can be achieved by replacing the consumer identity with pseudonym(s) (i.e., identity pseudonymization), by employing a trusted data gateway, or by using a trusted third party (TTP) as the data collector.

7.5.1.1 Identity pseudonymization

Pseudonym(s) can be generated through a TTP [16] or, without TTP involvement, by employing a public key infrastructure (PKI) [19] or using group anonymity [51]. In [16], the TTP generates two distinct pseudonyms for every consumer, an anonymous identity and an attributable identity. The anonymous identity is used to send the non-billing meter readings to the utility company or to a third party that requires aggregated meter-reading data, while the attributable identity is used to send the billing meter reading to the utility company. Figure 7.10 illustrates the use of the pseudonyms. These pseudonyms are hard-coded within the smart meter and only the TTP possesses the association information. The utility company only