SECTION A
1. Vehicular communication is an active research area within the smart city vision. It can help improve the convenience and safety of drivers, for example by avoiding road accidents, mitigating traffic congestion, and enabling socialising on the road.
a. Provide a definition of vehicle to vehicle (V2V), vehicle to infrastructure (V2I), and vehicle to pedestrian (V2P). (6 marks)
b. Discuss one application area for each of the V2V, V2I and V2P communication types above. You need to briefly introduce the application areas and discuss the benefits of using the particular communication type in those areas. (9 marks)
c. Vehicular communications can help future cars avoid accidents by sending or broadcasting alerts to the surrounding cars. However, if the communication protocol is not carefully designed, an attacker can mislead the cars, causing more accidents. Assume an infrastructure containing vehicles, road-side units, and a certificate authority. Your task is to propose a communication protocol among them that (i) can be used to avoid car accidents and (ii) is secure against a Dolev-Yao type attacker. In your design, consider the
• message content, (5 marks)
• message freshness, (5 marks)
• message integrity, (5 marks)
• authenticity, (5 marks)
• privacy aspects. (5 marks)
(25 marks)
(Total: 40 marks)
SECTION B
2. The ExamHotel hotel is located in Preston and receives a good range of customers coming to town for business with local industries. Customers book their stay online and, upon arrival at the hotel, undergo check-in procedures at the reception, including payment with the card they used for booking. The hotel provides a free two-hour Wi-Fi connection to customers; they only need to get a password at the reception and register using their browser. Figure 1 shows the layout of the hotel network. The back-end administration supports the hotel operation in terms of Human Resources, Accounting and Finances. The hotel network is connected to the Internet via a firewall.
a. Provide and discuss 5 characteristics of internal attackers, and one possible example for each in the hotel scenario. (15 marks)
b. Provide and discuss 5 social engineering methods that can be applied to cause damage to the hotel, and one possible example for each. (15 marks) (Total: 30 marks)
3. SmartMeterXYZ is an energy company in the UK that provides smart metering services for households. After registering for the service, smart meters are installed at the customers’ premises to record and monitor their energy consumption, such as electricity, gas and water. The recent consumption information is shown to the customers through a digital panel, so that they know how much their temporary bill is. SmartMeterXYZ also aims at implementing end-to-end accountability requirements.
a. Name the five phases of end-to-end accountability based on the entire data life cycle in general. Describe in one sentence the purpose of each accountability phase. (10 marks)
b. How can each phase be applied to the case of SmartMeterXYZ? You should provide and critically discuss at least two aspects for each phase of accountability. (20 marks) (Total: 30 marks)
4. As an Android developer and hacker, your aim is to steal contact data and passwords of smartphone users. To do this you develop three applications: a weather application called WeatherApp, a contact manager called ContactM, and a password manager called PasswordM. WeatherApp’s main functionality is to show real-time weather info to users, while ContactM and PasswordM securely store and manage contact and password information on smartphones, respectively.
a. Name and discuss the three security mechanisms that are incorporated into the Android operating system across three layers. (9 marks)
b. Discuss the purpose of permission-based access control in the Android operating system. In addition, discuss four sub-categories of permission-based access control in the Android operating system. (10 marks)
c. Explain the collusion attack problem of Android applications.
d. Assume that Android smartphones have a security mechanism that prevents applications from being over-privileged and does not allow internet access for ContactM and PasswordM. Discuss how you should set the permission lists of ContactM, PasswordM and WeatherApp to steal contact data and passwords in smartphones based on the collusion attack method. Provide a possible attacking scenario based on this. (marks)
(Total: 30 marks)