Introduction IoT poses very important safety and

Introduction

The Internet of Things (IoT) is an emerging concept comprising a wide
ecosystem of interconnected devices and services, such as sensors, consumer
products, smart home objects, cars and industrial components.


Nevertheless, IoT poses very important safety and security challenges that
need to be addressed for IoT to reach its full potential. The complex
implementation of IoT itself presents new security challenges.

One of the main concerns is the impact that the different threats may have,
since attacks on IoT deployments could dramatically jeopardise people's
security, privacy and safety, while additionally IoT in itself can be used as
an attack vector against other critical infrastructures. Addressing these
challenges and ensuring security in IoT products and services is a fundamental
priority.

IoT security can be covered with four cornerstones: Protecting Communications,
Protecting Devices, Managing Devices, and Understanding Your System. These
cornerstones can be combined to form powerful and easy-to-deploy foundations of
security architectures to mitigate the vast majority of security threats to the
Internet of Things, including advanced and sophisticated threats.

Objectives

The goal of this document
is to identify cyber security recommendations for IoT devices. These IoT
devices are considered critical because their destruction or disruption could
bring about major consequences for the asset owners who make use of IoT to
provide their services.

Assumptions

To move forward, we need to assume that the recommendations below do not
consider the particular operating system the connected devices are running,
and that necessary measures should be taken to prevent the exploitation of
vulnerabilities in the respective operating system.

Things in the Internet of Things

In IoT environments, a thing is a physical or virtual object capable of being
identified and integrated into communication networks. These things have the
capability of communication: exchanging data over a network between them
and/or with the cloud backend services. Additionally, things may have other
optional features, such as sensing and capturing data, actuating, storing and
processing data, executing native or cloud-based applications, etc. The set of
'things' that compose an IoT ecosystem can be managed by intelligent systems,
which are able to autonomously connect to things for monitoring and
controlling them.

Security Considerations

As we become increasingly reliant on intelligent, interconnected devices in
every aspect of our lives, these devices can be the target of intrusions that
could jeopardise personal privacy and safety.

The following are
generic issues identified that are hindering the consolidation of secure IoT
systems:

· Very large attack surface: The threat landscape related to IoT is very large
and is not limited to software vulnerabilities, as it is for traditional
devices.

· Limited device resources: Applying conventional security practices in IoT
could require a substantial reengineering due to technical constraints. The
majority of IoT devices have limited capabilities, e.g. processing, memory and
power, and therefore advanced security controls cannot be effectively applied.

· Complex ecosystem: Security concerns should be very high because IoT is not
a collection of independent devices but a diverse ecosystem involving devices,
communications and people.

· Lack of expertise: This is a new domain and there is a lack of people with
the suitable skillset and expertise in IoT cyber security.

· Security updates: Applying security updates to IoT is extremely challenging,
since the particularity of the user interfaces available to users does not
allow traditional update mechanisms. Securing those mechanisms is in itself a
daunting task, especially considering Over-The-Air updates.

· Insecure programming: Due to the pressure to release the product as soon as
possible and budget issues, companies tend to focus more on the functionality
of their product than on securing it.

· Low cost: The low cost of IoT devices and systems has implications in terms
of security. Manufacturers are inclined to keep product costs low and limit
security features, which makes these devices a target.

· Unclear liabilities: The lack of clear assignment of liabilities might lead
to conflicts in case of a security incident, so we must clearly define who is
responsible for incidents raised.

Identifying Assets

Tackling cyber security starts from identifying the key asset groups and
decomposing them to identify the assets that need to be protected. The picture
below depicts the key asset groups and lists some of the decomposed assets too.

Identifying Threats

The number of attacks related to IoT has grown over the last years, and the
topic reached the mainstream media in 2016 with the Mirai botnet attacks and
the Dyn attack. The picture below depicts the threats focused on IoT, with some
attacks listed.

The table below describes the threats identified and the assets affected by
them.

| Category | Threat | Description | Assets Affected |
|---|---|---|---|
| Nefarious Activity | Malware | Programs designed to carry out unwanted actions on a system, which may lead to corruption or information theft | IoT devices; Other IoT Ecosystem devices; Platform & Backend |
| | Exploit Kits | Takes advantage of vulnerabilities; this threat is difficult to detect in an IoT environment | IoT devices; Other IoT Ecosystem devices; Infrastructure |
| | Targeted attacks | Designed for a specific target and carried out over a long period of time. Detecting these kinds of attacks is very difficult | Infrastructure; Platform & Backend; Information |
| | DDoS | Multiple systems bombard a single target machine and disrupt the functioning of the system | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Infrastructure |
| | Attacks on privacy | This threat affects privacy and exposes private information to unauthorised personnel | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Information |
| | Modification of Information | The main aim of the perpetrator is to modify the information, which may lead to implications | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Information |
| Eavesdropping / Interception / Hijacking | Man in the Middle | An attack where the attacker relays and possibly alters the communication between two parties who believe they are communicating with each other | Information; Communications; IoT devices |
| | IoT communication protocol hijacking | Attacker takes control of an existing communication session between two elements of the network and can sniff sensitive information like passwords | Information; Communications; IoT devices; Decision making |
| | Interception of Information | Unauthorised interception of information, and sometimes modification of that information, such as messages, emails etc. | Information; Communications; IoT devices |
| | Network reconnaissance | Attacker passively scans and obtains internal information about the network, i.e. devices connected, open ports etc. | Information; Communications; IoT devices; Infrastructure |
| | Session hijacking | The attacker steals the session ID of a legitimate user, poses as the legitimate user and obtains the required information from the network | Information; Communications; IoT devices |
| | Information gathering | Acquiring information about the target, i.e. protocols, security mechanisms deployed, services etc. | Information; Communications; IoT devices |
| | Replay of messages | The attacker repeatedly transmits or delays a valid data transmission | Information; IoT devices; Decision making |
| Outages | Network Outage | Interruption or failure in the network supply, either intentional or accidental. Depending on the network segment affected, and on the time required to recover, the importance of this threat ranges from high to critical | Infrastructure; Communications |
| | Failure of devices | Threat of failure or malfunction of hardware devices | IoT devices |
| | Failure of system | Threat of failure of software services or applications | IoT devices; Platform & Backend; Other IoT Ecosystem devices |
| | Loss of support services | Unavailability of support services required for proper operation of the system | All assets |
| Damage / Loss (IT Assets) | Data/Sensitive Information Leakage | Sensitive data is revealed to unauthorised personnel | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Information |
| Failures / Malfunctions | Software vulnerabilities | Most IoT devices are vulnerable due to default passwords, software bugs and configuration errors | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Infrastructure; Applications & Services |
| | Third parties failures | Errors or misconfigurations caused by the third-party elements involved in the product | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Infrastructure; Applications & Services |
| Disaster | Natural Disaster | Includes events like floods, landslides and heavy winds which can physically damage the devices | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Infrastructure |
| Physical Attacks | Device Modification | Tampering with a device by taking advantage of open ports etc. | Communications; IoT devices |
| | Device Destruction | Incidents such as theft, destruction | IoT devices; Other IoT Ecosystem devices; Platform & Backend; Infrastructure |

Example IoT attack scenarios

The different attack scenarios listed below help to identify where attackers
may focus.

1. Against sensors, modifying the values read by them or their threshold values
and settings

The attacker
manipulates the configuration of the sensors, changing the threshold values of
the sensors, to allow out-of-range values to be accepted when they should not,
posing a severe threat to the system as a whole.

Impact: allowing sensors
to report and accept incorrect values puts the IoT environment at risk; a
malfunctioning sensor may allow a power spike to go through, physically
damaging the systems.

Threats related: attacks on privacy
and leakages of sensitive data/modification of information.
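
One defensive control against the threshold manipulation described in scenario 1, as an added example that is not part of the original text: the gateway keeps hard physical limits in code and checks an HMAC tag over the provisioned sensor configuration. The sensor name, limits, key and configuration layout are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumed physical envelope for a constructed temperature sensor; fixed in
# gateway code so that a tampered device configuration cannot widen it.
HARD_LIMITS = {"temp_c": (-40.0, 125.0)}


def sign_config(config: dict, key: bytes) -> str:
    """Return an HMAC-SHA256 tag over the canonical JSON form of a config."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def check_config(config: dict, tag: str, key: bytes) -> list:
    """Return a list of findings; an empty list means the config is accepted."""
    findings = []
    if not hmac.compare_digest(sign_config(config, key), tag):
        findings.append("config tag mismatch: changed outside provisioning")
    for name, (low, high) in config.get("thresholds", {}).items():
        hard = HARD_LIMITS.get(name)
        if hard is None:
            findings.append(f"{name}: no hard limit defined")
        elif low < hard[0] or high > hard[1] or low >= high:
            findings.append(f"{name}: [{low}, {high}] outside {list(hard)}")
    return findings


def accept_reading(name: str, value: float, config: dict) -> bool:
    """Accept a reading only if it is inside BOTH configured and hard limits."""
    low, high = config["thresholds"][name]
    hard_low, hard_high = HARD_LIMITS[name]
    return max(low, hard_low) <= value <= min(high, hard_high)


# Constructed sample data: a provisioned config and a tampered copy of it.
KEY = b"constructed-demo-key"
GOOD = {"sensor_id": "demo-01", "thresholds": {"temp_c": [0.0, 80.0]}}
GOOD_TAG = sign_config(GOOD, KEY)
TAMPERED = {"sensor_id": "demo-01", "thresholds": {"temp_c": [0.0, 900.0]}}

if __name__ == "__main__":
    print(check_config(GOOD, GOOD_TAG, KEY))       # no findings
    print(check_config(TAMPERED, GOOD_TAG, KEY))   # tag and envelope findings
    print(accept_reading("temp_c", 300.0, TAMPERED))
```

Even if the tampered configuration were loaded, a 300 °C reading is still rejected because the hard limit is applied independently of the configurable threshold.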

 

2. Against the administration systems of IoT

An attacker tries to gain full control over the administration system of an
IoT system or device, potentially compromising the whole environment. It can
be quite successful if weak or default passwords are used. This type of attack
comprises different stages and it is usually launched in a covert manner.

Impact: the compromise, manipulation or interruption of certain IoT systems
could affect many people, cause environmental issues and even extend to other
systems, affecting their communications or even disabling them.

Threats related: weak passwords, exploit kits, attacks on privacy, malware and
DDoS.

3. Exploit Protocol vulnerabilities

This type of attack is actually a gateway to launch other attacks; it means
that the attackers exploit a protocol vulnerability to gain access to the
system, which then leads to the installation of backdoors etc.

It is difficult to detect these kinds of exploits; they are easier to detect
after the exploit has been successful.

Impact: if successful, the exploit creates an entry point to a system, in some
cases with elevated privileges; if not, the system is likely to crash or become
unstable. This attack is always used as part of a larger attack, which could be
a simple data theft or a complex Advanced Persistent Threat (APT).

Threats related: exploit kits, malware and APTs.

4. Against devices by injecting commands into the system console

This type of attack takes place when an attacker injects and executes commands
with privileges in a compromised system through its console.

Impact: if the attacker is able to inject commands into a device, he or she
could manage to breach another machine in the environment. This would produce
a devastating effect on the system, and the attacker would be able to use all
these devices for malicious purposes.

Threats related: exploit kits, DDoS and network outage.

5. Stepping stone attacks

This type of attack is a common way to launch anonymous attacks. They are often
used by network intruders to hide their identities, since they launch attacks
not from their own computer but from intermediary hosts that they previously
compromised.

Impact: if an attacker launches a stepping stone attack, he or she could
compromise a collection of hosts, using them as stepping stones to relay attack
commands.

Threats related: APTs, DDoS, counterfeit by malicious devices.

6. DDoS using an IoT botnet

This type of attack does not target IoT devices themselves, but instead uses
them to attack other devices, not necessarily IoT ones. First, malware
automatically finds vulnerable Internet of Things devices, infects them and
turns them into a botnet, which can then be used to mount DDoS attacks,
flooding the target's servers with malicious traffic.

Impact: the target device or service will be flooded with malicious traffic,
taking it down.

Threats related: exploit kits, DDoS and counterfeit by malicious devices.

7. Ransomware

These attacks are carried out by malware that blocks access to the victim's
data unless a ransom is paid. These kinds of attacks can be evaded by updating
vulnerable devices.

Impact: there are many possible targets for ransomware within IoT: an attacker
could take control of a smart lock and demand payment before the lock can be
opened, etc.

Threats related: exploit kits, DDoS, malware, weak passwords.

Critical attack scenarios

The attack scenarios that affect the IoT environment most, as per the ENISA
report, are:

1. IoT administration system compromise

2. Value manipulation in IoT devices

3. Botnet / Commands Injection

The Open Web Application Security Project's (OWASP) List of Top Ten Internet of
Things Vulnerabilities sums up most of the concerns and attack vectors
surrounding this category of devices (as of 2014):


1. Insecure web interface
2. Insufficient authentication/authorization
3. Insecure network services
4. Lack of transport encryption
5. Privacy concerns
6. Insecure cloud interface
7. Insecure mobile interface
8. Insufficient security configurability
9. Insecure software/firmware
10. Poor physical security

Communications

Communication
requirements vary widely among the different types of IoT networks, depending
on their purpose and resource constraints. The selection of
protocols to be used in a particular deployment of IoT ecosystems depends on the
requirements of its use-case.