Author : Firdous Shaikh

Aim

To study the IoT Security for ruling out threats on every phase of its architecture

Abstract

The advent of massive connectivity and usage of available devices in the form of implementing IoT has brought in the security issues and threats at every patch of its interface, network, agents, database and so on. To be secure from such threats, it is important to be aware of them in the first place. This paper gives examples of the already executed attacks taken place and then studies the vulnerabilities found at interleaving of different IoT architecture phases.

Keywords

IoT Security, IoT Architecture, UPnP, Metasploit.

Introduction

The internet of things is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. So this has developed more into making devices smart, by enabling them with sensors for the ease of gathering local information, processing and implying the results to its actuators and/or transferring the same to user interfaces, Cloud storage back ends through its gateways or agents. Designing and developing secure applications for the IoT could be a challenging task due to several reasons as, high complexity of distributed computing, lack of general guidelines or frameworks that handle low level communication and simplify high level implementation, multiple programming languages, and various communication protocols. It involves developers to manage the infrastructure and handle both software and hardware layers along with preserving all functional and non-functional software requirements. Professional system design, installation and setup may be available when the smart electronics are included as part of a new project build. However, in most cases, IoT technology is likely to be retrofitted to an existing infrastructure piece by piece as needs arise. Often, there is no ongoing professional support in either the design or operation phases of the IoT deployment in the local technology providers. While there are some reasonably widespread specialized standards, such as X.10 power line-carrier communications, these lack any type of security, and were designed before these control networks were connected to the Internet. There is now a plethora of networking standards that can be used in an IoT Consumer (Zwave, Insteon, Bluetooth, ZigBee, Ethernet, Wifi, RS232, RS485, C-bus, UPB, KNX, EnOcean, Thread). Each has its strengths and weaknesses, and expecting a heterogeneous network with many different protocols to be efficiently and securely managed by a non-expert presents significant challenges. Looking at some Threats, system heterogeneity is a vulnerability, devices come from many manufacturers, with different networking standards and different software update capabilities. Fixed firmware is another issue. Slow uptake of standards is another vulnerability. In general, exploits can be posing to be adversities of the following nature; Confidentiality threats are those that result in the unwanted release of sensitive information. Authentication threats can lead to either sensing or control information being tampered with, with the help of spoofing. Access threats are probably the greatest threats. Unauthorized access to a system controller, particularly at the administrator level, makes the entire system insecure. Even if control cannot be gained, an Unauthorized connection to a network can steal network bandwidth, or result in a denial of service to legitimate users.

Cases that signify the importance of Security of IoT:

The security of this domain is well taken care of in established forums as the AWS IoT(Amazon), Azure IoT(Microsoft), Brillo/Weave(Google), yet complete security is a delusion. The fact that majority mid-scale organisations, households gradually upgrade their IoT Infrastructure as need arises not giving security its rightful weightage. ^[6]Some cases depicting this are: The Mirai botnet that took victim of the servers of Dyn (DNS Server) bringing down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US, the attack being a DDoS from insecure IoT devices, was largest of its kind, say the experts [the Guardian Oct 2016].^[6] ^[8]Early last year, CNN wrote, “The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said. The devices, like pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks” Putting the lives of many at risk. The IBM security intelligence website reported the Jeep hack a few years ago, saying, “It was just one, but it was enough. In July [2015], a team of researchers was able to take total control of a Jeep SUV using the vehicle’s CAN bus.^[8] ^[11] And Over 60 cameras were hijacked and defaced on Sunday, May 6 2018, but dozens more had been hacked [CSO Online]. These are just few of the many instances that, poor security standards paid off.^[11] For an intensive study of IoT Security, it is important to know the building blocks and connections.

The Architecture:

Fig 1. The IoT Architecture.

The main building blocks of any cloud-based IoT framework are the physical objects and the protocols. Physical objects include: (i) Smart devices such as sensors, actuators, etc. (Constrained Devices). (ii) Hubs/gateways for routing, storing, and accessing various pieces of data (Standard Devices) (iii) Storage, Analytics, End-users representations by the applications they use to access data and interact with IoT devices. Protocols run on different layers and provide end-to-end communication. ^[1]Infrastructure protocols such as ZigBee, Z-Wave, Bluetooth Low Energy (BLE), WiFi, and LTE-A are implemented for networking. The interface for end-users to access data and talk to their IoT devices is supported by standard protocols such as Hyper Text Transfer Protocol (HTTP, Constrained Application Protocol (CoAP), Message Queue Telemetry Transport (MQTT), Extensible Messaging and Presence Protocol (XMPP), Advanced Messaging Queuing Protocol (AMQP), and Data Distribution Service (DDS).^[1] Furthermore, to look into the possible exploitations at each phase or transition, the diagram of IoT infrastructure can be viewed in the next given manner. IOT Potential Threats

Fig 2. Potential Threats embedded at every stage of the IoT Architecture

1)Insecure Interfaces^{: [5]}The Web interface - The first point concerns security related issues with the web interfaces that could allow an attacker to gain unauthorised access to the device. The Cloud interface - these are the security issues related to the cloud interface used to interact with the IoT device.^[5] These are -Account Enumeration, Weak Default Credentials, Credentials Exposed in Network Traffic, Cross-site Scripting (XSS), SQL-Injection, Session Management, Weak Account Lockout Settings. 2) Insufficient Authentication/Authorisation: This area deals with ineffective mechanisms being in place to authenticate to the IoT user interface and/or poor authorisation mechanisms whereby a user can gain higher levels of access then allowed. Specific security vulnerabilities that could lead to this issue include the following -Lack of Password Complexity, Poorly Protected Credentials, Lack of Two Factor Authentication, Insecure Password Recovery, Privilege Escalation, Lack of Role Based Access Control. 3)Insecure Network Services: This point relates to vulnerabilities in the network services that are used to access the IoT device that might allow an intruder to gain unauthorised access to the device or associated data. Including Vulnerable Services, Buffer Overflow, Exploitable UDP Services, Denial-of-Service, DoS via Network Device Fuzzing and Open Ports via UPnP. ^[9]Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. The issue is that Universal Plug and Play does not authenticate, assuming that everything connected within a network is trusted and friendly. This means that if a computer has been compromised by malware or a hacker exploiting security bugs/holes – essentially backdoors that can bypass protective network firewalls – everything else on the network is immediately susceptible.^[9] With Universal Plug and Play, establishing communication between end devices and other network ends, it is easy and convenient. All that has to done is to plug a UPnP-compatible device into an open port on the gateway/hub, and Universal Plug and Play takes care of the rest. 4)Lack of Transport Encryption: This could easily lead to an intruder sniffing the data and either capturing this data for later use or compromising the device itself. They are- Unencrypted Services via the Local Network, Poorly Implemented SSL/TLS, Misconfigured SSL/TLS. 5)Privacy Concerns: Privacy concerns are generated by the collection of personal data in addition to the lack of proper protection of that data. Majorly, Collection, Analysis and sale of Personal Information without the open consent of the owner is the concern. 6)Insufficient Security Configurability: Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls, Lack of Granular Permission Model, Lack of Password Security Options, No Security Monitoring, No Security Logging 7)Insecure Software or Firmware: The inability of software/firmware being updated means that the devices remain vulnerable indefinitely to the security issue that the update is meant to address. Further, if the devices have hardcoded sensitive credentials, if these credentials get exposed as, Encryption is not Used to Fetch Updates, Update Not Verified before Upload, Firmware Contains Sensitive Information, No Obvious Update Functionality. Furthermore, ^[10] Metasploit’s new release ‘Autosploit’ works up well in finding loopholes in the IoT devices. AutoSploit attempts to automate the exploitation of remote hosts. Using the Shodan.io API, the program automatically collects targets and lets users enter platform-specific search queries, for instance, Apache.^[10] Based on the search criteria it retrieves a list of candidates. The tool then runs a set of Metasploit modules – selected by programmatically comparing module names to the search query – against the potential targets in an effort to exploit them. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. The pseudonymous security researcher explained that workspace, local host and local port for MSF facilitated back connections are configured through the dialog that comes up before the ‘Exploit’ component is started. 8)Poor Physical Security: Physical security weaknesses are present when an attacker can disassemble a device to easily access the storage medium and any data stored on that medium. Weaknesses are also present when USB ports or other external ports can be used to access the device using features intended for configuration or maintenance.

Analysis

A 2017 survey by HCL indicates that large enterprises and decision-makers worldwide are still in the early stages of the adoption of the IoT. Among other findings, the study concluded that: About 38% organizations are using the IoT and a further 57% medium scale organisations plan to use it in the future. 49% are struggling to get off the ground with the IoT. 50% believe they are already behind the curve in adopting IoT. These growing organisations are at great risks if their businesses are compromised on account of being vulnerable by adopting technologies to grow. This can prove to be a downgrade rather than increasing credibility of business. And so, to put together, domains that require extensive attention to ensure security of IoT are interfaces of Web, Cloud, Mobile, optimum authentication and authorisation, to secure net services, Encryption, managing privacy concerns, optimum configurability and management of software and firmware. As the statistics convey IoT to be in its expanding phase even for large enterprises, medium scale enterprises are more prone to inefficient planning, insufficient security implementation and adaptation of the same.

Conclusion

Most of the challenges stated in the paper result from the inherent vulnerabilities of IoT objects and the tight coupling of the physical world to the virtual world through intelligent objects. Thus this paper highlighted the security impediments at each level or connection of the blocks in the IoT architecture as verifying the various security threats and need to immunity against attacks is one of the most important contemporary issues facing the Internet of Things.

References

[1] Internet of Things: A survey on the security of IoT frameworks -Mahmoud Ammar a, ∗, Giovanni Russello b, Bruno Crispo a. Journal of Information Security and Applications 38 (2018) 8–27.Elsevier Journals. [2] A roadmap for security challenges in the Internet of Things-Arbia Riahi Sfar a,b, Enrico Natalizio b,*, Yacine Challal c, Zied Chtourou a. Digital Communications and Networks 4 (2018) 118–137.Keai Publishings. [3] Spamming the Internet of Things: A Possibility and its probable Solution-Faisal Razzak. Procedia Computer Science 10(2012)658 – 665. [4] Research and application on the smart home based on component technologies and Internet of Things-Baoan Lia, Jianjun Yub,a. Procedia Engineering 15 (2011) 2087 – 2092. [5] The Internet of Things (IoT) – Threats and Countermeasures https://www.cso.com.au/article/575407/internet-things-iot-threats-countermeasures/ [6] Internet of Things Security Vulnerabilities- https://blog.learningtree.com/10-internet-of-things-security-vulnerabilities/ [7] IoT market research: Which industries are leading the curve? -https://www.iotworldtoday.com/2017/08/23/iot-market-research-which-industries-are-leading-curve/ [8] Cases of worst IoT Hacks- https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/ [9] Universal PnP Explained- https://www.lifewire.com/universal-plug-and-play-4153001 [10] Metasploit upgraded to sniff out IoT weak spots in corporate networks- https://www.theregister.co.uk/2017/03/22/metasploit_iot_upgrade/ [11] ‘I'm hacked’ message left on dozens of defaced Canon IoT security cameras in Japan-https://www.csoonline.com/article/3271086/security/im-hacked-message-left-on-dozens-of-defaced-canon-iot-security-cameras-in-japan.html

Application error: a client-side exception has occurred (see the browser console for more information).